1#! /usr/bin/env perl 2# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10use strict; 11use warnings; 12 13use POSIX; 14use File::Basename; 15use File::Copy; 16use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/; 17use OpenSSL::Test::Utils; 18 19BEGIN { 20setup("test_ssl_old"); 21} 22 23use lib srctop_dir('Configurations'); 24use lib bldtop_dir('.'); 25 26my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); 27my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, 28 $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3, 29 $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) = 30 anydisabled qw/rsa dsa dh ec psk 31 ssl3 tls1 tls1_1 tls1_2 tls1_3 32 dtls dtls1 dtls1_2 ct/; 33#If ec and dh are disabled then don't use TLSv1.3 34$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh); 35my $no_anytls = alldisabled(available_protocols("tls")); 36my $no_anydtls = alldisabled(available_protocols("dtls")); 37 38plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build" 39 if $no_anytls && $no_anydtls; 40 41my $digest = "-sha1"; 42my @reqcmd = ("openssl", "req"); 43my @x509cmd = ("openssl", "x509", $digest); 44my @verifycmd = ("openssl", "verify"); 45my @genpkeycmd = ("openssl", "genpkey"); 46my $dummycnf = srctop_file("apps", "openssl.cnf"); 47 48my $cnf = srctop_file("test", "ca-and-certs.cnf"); 49my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss" 50my $CAcert="certCA.ss"; 51my $CAserial="certCA.srl"; 52my $CAreq="reqCA.ss"; 53my $CAreq2="req2CA.ss"; # temp 54my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss"; 55my $Ureq="reqU.ss"; 56my $Ucert="certU.ss"; 57my $Dkey="keyD.ss"; 58my $Dreq="reqD.ss"; 59my $Dcert="certD.ss"; 60my $Ekey="keyE.ss"; 61my $Ereq="reqE.ss"; 62my $Ecert="certE.ss"; 63 64my $proxycnf=srctop_file("test", "proxy.cnf"); 65my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss"; 66my $P1req="reqP1.ss"; 67my $P1cert="certP1.ss"; 68my $P1intermediate="tmp_intP1.ss"; 69my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss"; 70my $P2req="reqP2.ss"; 71my $P2cert="certP2.ss"; 72my $P2intermediate="tmp_intP2.ss"; 73 74my $server_sess="server.ss"; 75my $client_sess="client.ss"; 76 77# ssl_old_test.c is deprecated in favour of the new framework in ssl_test.c 78# If you're adding tests here, you probably want to convert them to the 79# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. 80plan tests => 81 ($no_fips ? 0 : 6) # testssl with fips provider 82 + 1 # For testss 83 + 5 # For the testssl with default provider 84 + 1 # For security level 0 failure tests 85 ; 86 87subtest 'test_ss' => sub { 88 if (testss()) { 89 open OUT, ">", "intP1.ss"; 90 copy($CAcert, \*OUT); copy($Ucert, \*OUT); 91 close OUT; 92 93 open OUT, ">", "intP2.ss"; 94 copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); 95 close OUT; 96 } 97}; 98 99note('test_ssl_old -- key U'); 100my $configfile = srctop_file("test","default-and-legacy.cnf"); 101if (disabled("legacy")) { 102 $configfile = srctop_file("test","default.cnf"); 103} 104 105testssl($Ukey, $Ucert, $CAcert, "default", $configfile); 106unless ($no_fips) { 107 testssl($Ukey, $Ucert, $CAcert, "fips", 108 srctop_file("test","fips-and-base.cnf")); 109} 110 111# ----------- 112# subtest functions 113sub testss { 114 my @req_dsa = ("-newkey", 115 "dsa:".data_file("dsa2048.pem")); 116 my $dsaparams = data_file("dsa2048.pem"); 117 my @req_new; 118 if ($no_rsa) { 119 @req_new = @req_dsa; 120 } else { 121 @req_new = ("-new"); 122 } 123 124 plan tests => 17; 125 126 SKIP: { 127 skip 'failure', 16 unless 128 ok(run(app([@reqcmd, "-config", $cnf, 129 "-out", $CAreq, "-key", $CAkey, 130 @req_new])), 131 'make cert request'); 132 133 skip 'failure', 15 unless 134 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", 135 "-req", "-out", $CAcert, "-signkey", $CAkey, 136 "-extfile", $cnf, "-extensions", "v3_ca"], 137 stdout => "err.ss")), 138 'convert request into self-signed cert'); 139 140 skip 'failure', 14 unless 141 ok(run(app([@x509cmd, "-in", $CAcert, 142 "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], 143 stdout => "err.ss")), 144 'convert cert into a cert request'); 145 146 skip 'failure', 13 unless 147 ok(run(app([@reqcmd, "-config", $dummycnf, 148 "-verify", "-in", $CAreq, "-noout"])), 149 'verify request 1'); 150 151 152 skip 'failure', 12 unless 153 ok(run(app([@reqcmd, "-config", $dummycnf, 154 "-verify", "-in", $CAreq2, "-noout"])), 155 'verify request 2'); 156 157 skip 'failure', 11 unless 158 ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), 159 'verify signature'); 160 161 skip 'failure', 10 unless 162 ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq", 163 "-out", $Ureq, "-key", $Ukey, @req_new], 164 stdout => "err.ss")), 165 'make a user cert request'); 166 167 skip 'failure', 9 unless 168 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", 169 "-req", "-out", $Ucert, 170 "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, 171 "-extfile", $cnf, "-extensions", "v3_ee"], 172 stdout => "err.ss")) 173 && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), 174 'sign user cert request'); 175 176 skip 'failure', 8 unless 177 ok(run(app([@x509cmd, 178 "-subject", "-issuer", "-startdate", "-enddate", 179 "-noout", "-in", $Ucert])), 180 'Certificate details'); 181 182 skip 'failure', 7 unless 183 subtest 'DSA certificate creation' => sub { 184 plan skip_all => "skipping DSA certificate creation" 185 if $no_dsa; 186 187 plan tests => 5; 188 189 SKIP: { 190 $ENV{CN2} = "DSA Certificate"; 191 skip 'failure', 4 unless 192 ok(run(app([@genpkeycmd, "-out", $Dkey, 193 "-paramfile", $dsaparams], 194 stdout => "err.ss")), 195 "make a DSA key"); 196 skip 'failure', 3 unless 197 ok(run(app([@reqcmd, "-new", "-config", $cnf, 198 "-section", "userreq", 199 "-out", $Dreq, "-key", $Dkey], 200 stdout => "err.ss")), 201 "make a DSA user cert request"); 202 skip 'failure', 2 unless 203 ok(run(app([@x509cmd, "-CAcreateserial", 204 "-in", $Dreq, 205 "-days", "30", 206 "-req", 207 "-out", $Dcert, 208 "-CA", $CAcert, "-CAkey", $CAkey, 209 "-CAserial", $CAserial, 210 "-extfile", $cnf, 211 "-extensions", "v3_ee_dsa"], 212 stdout => "err.ss")), 213 "sign DSA user cert request"); 214 skip 'failure', 1 unless 215 ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), 216 "verify DSA user cert"); 217 skip 'failure', 0 unless 218 ok(run(app([@x509cmd, 219 "-subject", "-issuer", 220 "-startdate", "-enddate", "-noout", 221 "-in", $Dcert])), 222 "DSA Certificate details"); 223 } 224 }; 225 226 skip 'failure', 6 unless 227 subtest 'ECDSA/ECDH certificate creation' => sub { 228 plan skip_all => "skipping ECDSA/ECDH certificate creation" 229 if $no_ec; 230 231 plan tests => 5; 232 233 SKIP: { 234 $ENV{CN2} = "ECDSA Certificate"; 235 skip 'failure', 4 unless 236 ok(run(app(["openssl", "genpkey", "-genparam", 237 "-algorithm", "EC", 238 "-pkeyopt", "ec_paramgen_curve:P-256", 239 "-pkeyopt", "ec_param_enc:named_curve", 240 "-out", "ecp.ss"])), 241 "make EC parameters"); 242 skip 'failure', 3 unless 243 ok(run(app([@reqcmd, "-config", $cnf, 244 "-section", "userreq", 245 "-out", $Ereq, "-keyout", $Ekey, 246 "-newkey", "ec:ecp.ss"], 247 stdout => "err.ss")), 248 "make a ECDSA/ECDH user cert request"); 249 skip 'failure', 2 unless 250 ok(run(app([@x509cmd, "-CAcreateserial", 251 "-in", $Ereq, 252 "-days", "30", 253 "-req", 254 "-out", $Ecert, 255 "-CA", $CAcert, "-CAkey", $CAkey, 256 "-CAserial", $CAserial, 257 "-extfile", $cnf, 258 "-extensions", "v3_ee_ec"], 259 stdout => "err.ss")), 260 "sign ECDSA/ECDH user cert request"); 261 skip 'failure', 1 unless 262 ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), 263 "verify ECDSA/ECDH user cert"); 264 skip 'failure', 0 unless 265 ok(run(app([@x509cmd, 266 "-subject", "-issuer", 267 "-startdate", "-enddate", "-noout", 268 "-in", $Ecert])), 269 "ECDSA Certificate details"); 270 } 271 }; 272 273 skip 'failure', 5 unless 274 ok(run(app([@reqcmd, "-config", $proxycnf, 275 "-out", $P1req, "-key", $P1key, @req_new], 276 stdout => "err.ss")), 277 'make a proxy cert request'); 278 279 280 skip 'failure', 4 unless 281 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", 282 "-req", "-out", $P1cert, 283 "-CA", $Ucert, "-CAkey", $Ukey, 284 "-extfile", $proxycnf, "-extensions", "proxy"], 285 stdout => "err.ss")), 286 'sign proxy with user cert'); 287 288 copy($Ucert, $P1intermediate); 289 run(app([@verifycmd, "-CAfile", $CAcert, 290 "-untrusted", $P1intermediate, $P1cert])); 291 ok(run(app([@x509cmd, 292 "-subject", "-issuer", "-startdate", "-enddate", 293 "-noout", "-in", $P1cert])), 294 'Certificate details'); 295 296 skip 'failure', 2 unless 297 ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req", 298 "-out", $P2req, "-key", $P2key, 299 @req_new], 300 stdout => "err.ss")), 301 'make another proxy cert request'); 302 303 304 skip 'failure', 1 unless 305 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", 306 "-req", "-out", $P2cert, 307 "-CA", $P1cert, "-CAkey", $P1key, 308 "-extfile", $proxycnf, "-extensions", "proxy_2"], 309 stdout => "err.ss")), 310 'sign second proxy cert request with the first proxy cert'); 311 312 313 open OUT, ">", $P2intermediate; 314 copy($Ucert, \*OUT); copy($P1cert, \*OUT); 315 close OUT; 316 run(app([@verifycmd, "-CAfile", $CAcert, 317 "-untrusted", $P2intermediate, $P2cert])); 318 ok(run(app([@x509cmd, 319 "-subject", "-issuer", "-startdate", "-enddate", 320 "-noout", "-in", $P2cert])), 321 'Certificate details'); 322 } 323} 324 325sub testssl { 326 my ($key, $cert, $CAtmp, $provider, $configfile) = @_; 327 my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); 328 my @providerflags = ("-provider", $provider); 329 330 if ($provider eq "default" && !disabled("legacy")) { 331 push @providerflags, "-provider", "legacy"; 332 } 333 334 my @ssltest = ("ssl_old_test", 335 "-s_key", $key, "-s_cert", $cert, 336 "-c_key", $key, "-c_cert", $cert, 337 "-config", $configfile, 338 @providerflags); 339 340 341 my $serverinfo = srctop_file("test","serverinfo.pem"); 342 343 my $dsa_cert = 0; 344 if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, 345 "-text", "-noout"]), capture => 1)) { 346 $dsa_cert = 1; 347 } 348 349 subtest 'standard SSL tests' => sub { 350 ###################################################################### 351 plan tests => 19; 352 353 SKIP: { 354 skip "SSLv3 is not supported by this OpenSSL build", 4 355 if disabled("ssl3"); 356 357 skip "SSLv3 is not supported by the FIPS provider", 4 358 if $provider eq "fips"; 359 360 ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), 361 'test sslv3 via BIO pair'); 362 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), 363 'test sslv3 with server authentication via BIO pair'); 364 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), 365 'test sslv3 with client authentication via BIO pair'); 366 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), 367 'test sslv3 with both server and client authentication via BIO pair'); 368 } 369 370 SKIP: { 371 skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 372 if $no_anytls; 373 374 ok(run(test([@ssltest, "-bio_pair"])), 375 'test sslv2/sslv3 via BIO pair'); 376 } 377 378 SKIP: { 379 skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 380 if $no_anytls; 381 382 SKIP: { 383 skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; 384 385 ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), 386 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); 387 } 388 389 SKIP: { 390 skip "skipping dhe1024dsa test", 1 391 if ($no_dh); 392 393 ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), 394 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); 395 } 396 397 ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), 398 'test sslv2/sslv3 with server authentication'); 399 ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), 400 'test sslv2/sslv3 with client authentication via BIO pair'); 401 ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), 402 'test sslv2/sslv3 with both client and server authentication via BIO pair'); 403 ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), 404 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); 405 406 SKIP: { 407 skip "No IPv4 available on this machine", 4 408 unless !disabled("sock") && have_IPv4(); 409 ok(run(test([@ssltest, "-ipv4"])), 410 'test TLS via IPv4'); 411 ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), 412 'test TLS via IPv4 + ktls(client)'); 413 ok(run(test([@ssltest, "-ipv4", "-server_ktls"])), 414 'test TLS via IPv4 + ktls(server)'); 415 ok(run(test([@ssltest, "-ipv4", "-client_ktls", "-server_ktls"])), 416 'test TLS via IPv4 + ktls'); 417 } 418 419 SKIP: { 420 skip "No IPv6 available on this machine", 4 421 unless !disabled("sock") && have_IPv6(); 422 ok(run(test([@ssltest, "-ipv6"])), 423 'test TLS via IPv6'); 424 ok(run(test([@ssltest, "-ipv6", "-client_ktls"])), 425 'test TLS via IPv6 + ktls(client)'); 426 ok(run(test([@ssltest, "-ipv6", "-server_ktls"])), 427 'test TLS via IPv6 + ktls(client)'); 428 ok(run(test([@ssltest, "-ipv6", "-client_ktls", "-server_ktls"])), 429 'test TLS via IPv6 + ktls'); 430 } 431 } 432 }; 433 434 subtest "Testing ciphersuites" => sub { 435 436 my @exkeys = (); 437 my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; 438 439 if (!$no_dsa) { 440 push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; 441 } 442 443 if (!$no_ec) { 444 push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey; 445 } 446 447 my @protocols = (); 448 # We only use the flags that ssl_old_test understands 449 push @protocols, "-tls1_3" unless $no_tls1_3; 450 push @protocols, "-tls1_2" unless $no_tls1_2; 451 push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips"; 452 push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips"; 453 my $protocolciphersuitecount = 0; 454 my %ciphersuites = (); 455 my %ciphersstatus = (); 456 #There's no "-config" option to the ciphers command so we set the 457 #environment variable instead 458 my $opensslconf = $ENV{OPENSSL_CONF}; 459 $ENV{OPENSSL_CONF} = $configfile; 460 foreach my $protocol (@protocols) { 461 my $ciphersstatus = undef; 462 my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol, 463 @providerflags, 464 "ALL:$ciphers"]), 465 capture => 1, statusvar => \$ciphersstatus); 466 $ciphersstatus{$protocol} = $ciphersstatus; 467 if ($ciphersstatus) { 468 $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) } 469 @ciphers ]; 470 $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; 471 } 472 } 473 $ENV{OPENSSL_CONF} = $opensslconf; 474 475 plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" 476 if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; 477 478 # The count of protocols is because in addition to the ciphersuites 479 # we got above, we're running a weak DH test for each protocol (except 480 # TLSv1.3) 481 my $testcount = scalar(@protocols) + $protocolciphersuitecount 482 + scalar(keys %ciphersuites); 483 $testcount-- unless $no_tls1_3; 484 plan tests => $testcount; 485 486 foreach my $protocol (@protocols) { 487 ok($ciphersstatus{$protocol}, "Getting ciphers for $protocol"); 488 } 489 490 foreach my $protocol (sort keys %ciphersuites) { 491 note "Testing ciphersuites for $protocol"; 492 # ssl_old_test doesn't know -tls1_3, but that's fine, since that's 493 # the default choice if TLSv1.3 enabled 494 my $flag = $protocol eq "-tls1_3" ? "" : $protocol; 495 my $ciphersuites = ""; 496 foreach my $cipher (@{$ciphersuites{$protocol}}) { 497 if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { 498 note "*****SKIPPING $protocol $cipher"; 499 ok(1); 500 } else { 501 if ($protocol eq "-tls1_3") { 502 $ciphersuites = $cipher; 503 $cipher = ""; 504 } else { 505 $cipher = $cipher.':@SECLEVEL=0'; 506 } 507 ok(run(test([@ssltest, @exkeys, "-cipher", 508 $cipher, 509 "-ciphersuites", $ciphersuites, 510 $flag || ()])), 511 "Testing $cipher"); 512 } 513 } 514 next if $protocol eq "-tls1_3"; 515 516 SKIP: { 517 skip "skipping dhe512 test", 1 518 if ($no_dh); 519 520 is(run(test([@ssltest, 521 "-s_cipher", "EDH", 522 "-c_cipher", 'EDH:@SECLEVEL=1', 523 "-dhe512", 524 $protocol])), 0, 525 "testing connection with weak DH, expecting failure"); 526 } 527 } 528 }; 529 530 subtest 'SSL security level failure tests' => sub { 531 ###################################################################### 532 plan tests => 3; 533 534 SKIP: { 535 skip "SSLv3 is not supported by this OpenSSL build", 1 536 if disabled("ssl3"); 537 538 skip "SSLv3 is not supported by the FIPS provider", 1 539 if $provider eq "fips"; 540 541 is(run(test([@ssltest, "-bio_pair", "-ssl3", "-cipher", '@SECLEVEL=1'])), 542 0, "test sslv3 fails at security level 1, expecting failure"); 543 } 544 545 SKIP: { 546 skip "TLSv1.0 is not supported by this OpenSSL build", 1 547 if $no_tls1; 548 549 skip "TLSv1.0 is not supported by the FIPS provider", 1 550 if $provider eq "fips"; 551 552 is(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", '@SECLEVEL=1'])), 553 0, 'test tls1 fails at security level 1, expecting failure'); 554 } 555 556 SKIP: { 557 skip "TLSv1.1 is not supported by this OpenSSL build", 1 558 if $no_tls1_1; 559 560 skip "TLSv1.1 is not supported by the FIPS provider", 1 561 if $provider eq "fips"; 562 563 is(run(test([@ssltest, "-bio_pair", "-tls1_1", "-cipher", '@SECLEVEL=1'])), 564 0, 'test tls1.1 fails at security level 1, expecting failure'); 565 } 566 }; 567 568 subtest 'RSA/(EC)DHE/PSK tests' => sub { 569 ###################################################################### 570 571 plan tests => 10; 572 573 SKIP: { 574 skip "TLSv1.0 is not supported by this OpenSSL build", 6 575 if $no_tls1 || $provider eq "fips"; 576 577 SKIP: { 578 skip "skipping anonymous DH tests", 1 579 if ($no_dh); 580 581 ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), 582 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); 583 } 584 585 SKIP: { 586 skip "skipping RSA tests", 2 587 if $no_rsa; 588 589 ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), 590 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); 591 592 skip "skipping RSA+DHE tests", 1 593 if $no_dh; 594 595 ok(run(test(["ssl_old_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), 596 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); 597 } 598 599 SKIP: { 600 skip "skipping PSK tests", 2 601 if ($no_psk); 602 603 ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 604 'test tls1 with PSK'); 605 606 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 607 'test tls1 with PSK via BIO pair'); 608 } 609 610 SKIP: { 611 skip "skipping auto DH PSK tests", 1 612 if ($no_dh || $no_psk); 613 614 ok(run(test(['ssl_old_test', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])), 615 'test auto DH meets security strength'); 616 } 617 } 618 619 SKIP: { 620 skip "TLSv1.2 is not supported by this OpenSSL build", 4 621 if $no_tls1_2; 622 623 SKIP: { 624 skip "skipping auto DHE PSK test at SECLEVEL 3", 1 625 if ($no_dh || $no_psk); 626 627 ok(run(test(['ssl_old_test', '-tls1_2', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), 628 'test auto DHE PSK meets security strength'); 629 } 630 631 SKIP: { 632 skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1 633 if ($no_ec || $no_psk); 634 635 ok(run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), 636 'test auto ECDHE PSK meets security strength'); 637 } 638 639 SKIP: { 640 skip "skipping no RSA PSK at SECLEVEL 3 test", 1 641 if ($no_rsa || $no_psk); 642 643 ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), 644 'test auto RSA PSK does not meet security level 3 requirements (PFS)'); 645 } 646 647 SKIP: { 648 skip "skipping no PSK at SECLEVEL 3 test", 1 649 if ($no_psk); 650 651 ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), 652 'test auto PSK does not meet security level 3 requirements (PFS)'); 653 } 654 } 655 656 }; 657 658 subtest 'Custom Extension tests' => sub { 659 ###################################################################### 660 661 plan tests => 1; 662 663 SKIP: { 664 skip "TLSv1.0 is not supported by this OpenSSL build", 1 665 if $no_tls1 || $provider eq "fips"; 666 667 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), 668 'test tls1 with custom extensions'); 669 } 670 }; 671 672 subtest 'Serverinfo tests' => sub { 673 ###################################################################### 674 675 plan tests => 5; 676 677 SKIP: { 678 skip "TLSv1.0 is not supported by this OpenSSL build", 5 679 if $no_tls1 || $provider eq "fips"; 680 681 note('echo test tls1 with serverinfo'); 682 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); 683 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); 684 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); 685 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); 686 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); 687 } 688 }; 689} 690