Merge remote-tracking branch 'origin/master'

# Conflicts:
#	README.md
This commit is contained in:
Zhi Guan
2017-02-14 16:12:29 +08:00
parent d2254170b8
commit 43fed1108d
3503 changed files with 320546 additions and 408546 deletions


@@ -0,0 +1,16 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test;
setup("test_abort");
plan tests => 1;
is(run(test(["aborttest"])), 0, "Testing that abort is caught correctly");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_sanity", "sanitytest");


@@ -0,0 +1,116 @@
#! /usr/bin/env perl
# -*- mode: Perl -*-
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use File::Spec::Functions qw(devnull);
use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_dir bldtop_file);
use OpenSSL::Test::Utils;
setup("test_symbol_presence");
plan skip_all => "Only useful when building shared libraries"
if disabled("shared");
my @libnames = ("crypto", "ssl");
my $testcount = scalar @libnames;
plan tests => $testcount * 2;
note
"NOTE: developer test! It's possible that it won't run on your\n",
"platform, and that's perfectly fine. This is mainly for developers\n",
"on Unix to check that our shared libraries are consistent with the\n",
"ordinals (util/*.num in the source tree), something that should be\n",
"good enough a check for the other platforms as well.\n";
foreach my $libname (@libnames) {
SKIP:
{
my $shlibpath = bldtop_file("lib" . $libname . ".so");
*OSTDERR = *STDERR;
*OSTDOUT = *STDOUT;
open STDERR, ">", devnull();
open STDOUT, ">", devnull();
my @nm_lines = map { s|\R$||; $_ } `nm -Pg $shlibpath 2> /dev/null`;
close STDERR;
close STDOUT;
*STDERR = *OSTDERR;
*STDOUT = *OSTDOUT;
skip "Can't run 'nm -Pg $shlibpath' => $?... ignoring", 2
unless $? == 0;
my $bldtop = bldtop_dir();
my @def_lines;
indir $bldtop => sub {
my $mkdefpath = srctop_file("util", "mkdef.pl");
@def_lines = map { s|\R$||; $_ } `$^X $mkdefpath $libname linux 2> /dev/null`;
ok($? == 0, "running 'cd $bldtop; $^X $mkdefpath $libname linux' => $?");
}, create => 0, cleanup => 0;
note "Number of lines in \@nm_lines before massaging: ", scalar @nm_lines;
note "Number of lines in \@def_lines before massaging: ", scalar @def_lines;
# Massage the nm output to only contain defined symbols
@nm_lines = sort map { s| .*||; $_ } grep(m|.* [BCDST] .*|, @nm_lines);
# Massage the mkdef.pl output to only contain global symbols
# The output we got is in Unix .map format, which has a global
# and a local section. We're only interested in the global
# section.
my $in_global = 0;
@def_lines =
sort
map { s|;||; s|\s+||g; $_ }
grep { $in_global = 1 if m|global:|;
$in_global = 0 if m|local:|;
$in_global = 0 if m|\}|;
$in_global && m|;|; } @def_lines;
note "Number of lines in \@nm_lines after massaging: ", scalar @nm_lines;
note "Number of lines in \@def_lines after massaging: ", scalar @def_lines;
# Maintain lists of symbols that are missing in the shared library,
# or that are extra.
my @missing = ();
my @extra = ();
while (scalar @nm_lines || scalar @def_lines) {
my $nm_first = $nm_lines[0];
my $def_first = $def_lines[0];
if (!defined($nm_first)) {
push @missing, shift @def_lines;
} elsif (!defined($def_first)) {
push @extra, shift @nm_lines;
} elsif ($nm_first gt $def_first) {
push @missing, shift @def_lines;
} elsif ($nm_first lt $def_first) {
push @extra, shift @nm_lines;
} else {
shift @def_lines;
shift @nm_lines;
}
}
if (scalar @missing) {
note "The following symbols are missing in lib$libname.so:";
foreach (@missing) {
note " $_";
}
}
if (scalar @extra) {
note "The following symbols are extra in lib$libname.so:";
foreach (@extra) {
note " $_";
}
}
ok(scalar @missing == 0,
"check that there are no missing symbols in lib$libname.so");
}
}
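Review bot: The `nm -Pg $shlibpath` and `$^X $mkdefpath $libname linux` backticks hand interpolated build-tree paths to a shell, so a path containing spaces or shell metacharacters is split or reinterpreted instead of being passed as one argument; a list-form pipe open runs the program directly and the STDERR redirection to devnull() already wrapped around the call still applies to the child, so the `2> /dev/null` suffix becomes unnecessary. The mkdef.pl call can be converted the same way with `open my $def_fh, '-|', $^X, $mkdefpath, $libname, 'linux'`. The file also has `use strict` without `use warnings`, unlike the sibling recipes in this commit. The rewritten nm read, which keeps the existing `$?` check, is below.
```perl
# … unchanged: *OSTDERR/*OSTDOUT save and redirection to devnull() …
my @nm_lines;
my $nm_ok = open my $nm_fh, '-|', 'nm', '-Pg', $shlibpath;
if ($nm_ok) {
    @nm_lines = map { s|\R$||; $_ } <$nm_fh>;
    close $nm_fh;            # $? now carries nm's exit status
}
# … unchanged: restore of STDERR/STDOUT …
skip "Can't run 'nm -Pg $shlibpath' => $?... ignoring", 2
    unless $nm_ok && $? == 0;
```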

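--- a/test/recipes/02-test_ordinals.t
+++ b/test/recipes/02-test_ordinals.t
@@ -0,0 +1,58 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+setup("test_ordinals");
+plan tests => 2;
+ok(testordinals(srctop_file("util", "libcrypto.num")), "Test libcrypto.num");
+ok(testordinals(srctop_file("util", "libssl.num")), "Test libssl.num");
+sub testordinals
+{
+my $filename = shift;
+my $cnt = 0;
+my $ret = 1;
+my $qualifier = "";
+my $newqual;
+my $lastfunc = "";
+open(my $fh, '<', $filename);
+while (my $line = <$fh>) {
+my @tokens = split(/(?:\s+|\s*:\s*)/, $line);
+#Check the line looks sane
+if ($#tokens < 5 || $#tokens > 6) {
+print STDERR "Invalid line:\n$line\n";
+$ret = 0;
+last;
+}
+if ($tokens[3] eq "NOEXIST") {
+#Ignore this line
+next;
+}
+#Some ordinals can be repeated, e.g. if one is VMS and another is !VMS
+$newqual = $tokens[4];
+$newqual =~ s/!//g;
+if ($cnt > $tokens[1]
+|| ($cnt == $tokens[1] && ($qualifier ne $newqual
+|| $qualifier eq ""))) {
+print STDERR "Invalid ordinal detected: ".$tokens[1]."\n";
+$ret = 0;
+last;
+}
+$cnt = $tokens[1];
+$qualifier = $newqual;
+$lastfunc = $tokens[0];
+}
+close($fh);
+return $ret;
+}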
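Review bot: `open(my $fh, '<', $filename)` in testordinals is not checked, so a missing or unreadable .num file makes the while loop read nothing and the sub returns 1, passing the test vacuously; the file has `use strict` but no `use warnings`, so nothing is printed either. Replace it with `open(my $fh, '<', $filename) or do { print STDERR "Can't open $filename: $!\n"; return 0; };` so the failure is reported the same way as an invalid line. `$lastfunc` is assigned on every iteration but never read and can be dropped.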

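--- a/test/recipes/03-test_ui.t
+++ b/test/recipes/03-test_ui.t
@@ -0,0 +1,30 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use OpenSSL::Test;
+setup("test_ui");
+plan tests => 1;
+note <<"EOF";
+The best way to test the UI interface is currently by using an openssl
+command that uses password_callback. The only one that does this is
+'genrsa'.
+Since password_callback uses a UI method derived from UI_OpenSSL(), it
+ensures that one gets tested well enough as well.
+EOF
+my $outfile = "rsa_$$.pem";
+ok(run(app(["openssl", "genrsa", "-passout", "pass:password", "-aes128",
+"-out", $outfile])),
+"Checking that genrsa with a password works properly");
+unlink $outfile;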

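--- a/test/recipes/05-test_bf.t
+++ b/test/recipes/05-test_bf.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use OpenSSL::Test::Simple;
+simple_test("test_bf", "bftest", "bf");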


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_cast", "casttest", "cast");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_des", "destest", "des");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_hmac", "hmactest");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_idea", "ideatest", "idea");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_md2", "md2test", "md2");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_md4", "md4test", "md4");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_md5", "md5test", "md5");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_mdc2", "mdc2test", "mdc2");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_rand", "randtest", "rand");


@@ -0,0 +1,11 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_rc2", "rc2test", "rc2");


@@ -0,0 +1,11 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_rc4", "rc4test", "rc4");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_rc5", "rc5test", "rc5");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_rmd", "rmdtest", "rmd");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_sha1", "sha1test", "sha");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_sha256", "sha256t", "sha");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_sha512", "sha512t", "sha");

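--- a/test/recipes/05-test_wp.t
+++ b/test/recipes/05-test_wp.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use OpenSSL::Test::Simple;
+simple_test("test_wp", "wp_test", "whirlpool");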

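--- a/test/recipes/10-test_bn.t
+++ b/test/recipes/10-test_bn.t
@@ -0,0 +1,84 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use Math::BigInt;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+setup("test_bn");
+plan tests => 3;
+require_ok(srctop_file("test","recipes","bc.pl"));
+my $testresults = "tmp.bntest";
+my $init = ok(run(test(["bntest"], stdout => $testresults)), 'initialize');
+SKIP: {
+skip "Initializing failed, skipping", 1 if !$init;
+subtest 'Checking the bn results' => sub {
+my @lines = ();
+if (open DATA, $testresults) {
+@lines = <DATA>;
+close DATA;
+}
+map { s/\R//; } @lines; # chomp(@lines);
+plan tests => scalar grep(/^print /, @lines);
+my $l = "";
+while (scalar @lines) {
+$l = shift @lines;
+last if $l =~ /^print /;
+}
+while (1) {
+$l =~ s/^print "//;
+$l =~ s/\\n"//;
+my $t = $l;
+my @operations = ();
+$l = undef;
+while (scalar @lines) {
+$l = shift @lines;
+last if $l =~ /^print /;
+push @operations, $l;
+$l = undef;
+}
+ok(check_operations(@operations), "verify $t");
+last unless $l;
+}
+};
+}
+unlink $testresults;
+sub check_operations {
+my $failcount = 0;
+foreach my $line (@_) {
+my $result = calc(split /\s+/, $line);
+if ($result ne "0" && $result ne "0x0") {
+$failcount++;
+print STDERR "Failed! $line => $result\n";
+}
+}
+return $failcount == 0;
+}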
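Review bot: `open DATA, $testresults` is a two-argument open on a bareword handle; the name is the fixed literal `tmp.bntest` here so nothing is injected, but it reuses the special `DATA` handle and is the form a later edit can turn into a mode change by adding a leading `>` or trailing `|`. Prefer `if (open my $fh, '<', $testresults) { @lines = <$fh>; close $fh; }`. The following `map { s/\R//; } @lines;` runs `map` in void context purely for its side effect; `s/\R// for @lines;` says the same thing without the discarded list. check_operations relies on `calc` from the required bc.pl, which the require_ok above confirms loaded.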


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_exp", "exptest");

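--- a/test/recipes/15-test_dh.t
+++ b/test/recipes/15-test_dh.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use OpenSSL::Test::Simple;
+simple_test("test_dh", "dhtest", "dh");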


@@ -0,0 +1,40 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
setup("test_dsa");
plan tests => 6;
require_ok(srctop_file('test','recipes','tconversion.pl'));
ok(run(test(["dsatest"])), "running dsatest");
ok(run(test(["dsatest", "-app2_1"])), "running dsatest -app2_1");
SKIP: {
skip "Skipping dsa conversion test", 3
if disabled("dsa");
subtest 'dsa conversions -- private key' => sub {
tconversion("dsa", srctop_file("test","testdsa.pem"));
};
subtest 'dsa conversions -- private key PKCS#8' => sub {
tconversion("dsa", srctop_file("test","testdsa.pem"), "pkey");
};
subtest 'dsa conversions -- public key' => sub {
tconversion("msb", srctop_file("test","testdsapub.pem"), "dsa",
"-pubin", "-pubout");
};
}
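Review bot: `use File::Spec;` is loaded but nothing in this recipe refers to File::Spec, and the same unused import appears in the ec, rsa, crl, d2i, pkcs7 and sid recipes added by this commit; dropping it keeps each recipe's dependency list honest about what it actually needs. The plan of 6 matches the one require_ok, two ok calls and three subtests, and the skip count of 3 covers exactly the subtests inside the SKIP block.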

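--- a/test/recipes/15-test_ec.t
+++ b/test/recipes/15-test_ec.t
@@ -0,0 +1,38 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+setup("test_ec");
+plan tests => 5;
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+ok(run(test(["ectest"])), "running ectest");
+SKIP: {
+skip "Skipping ec conversion test", 3
+if disabled("ec");
+subtest 'ec conversions -- private key' => sub {
+tconversion("ec", srctop_file("test","testec-p256.pem"));
+};
+subtest 'ec conversions -- private key PKCS#8' => sub {
+tconversion("ec", srctop_file("test","testec-p256.pem"), "pkey");
+};
+subtest 'ec conversions -- public key' => sub {
+tconversion("ec", srctop_file("test","testecpub-p256.pem"), "ec", "-pubin", "-pubout");
+};
+}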


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_ecdh", "ecdhtest", "ec");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_ecdsa", "ecdsatest", "ec");


@@ -0,0 +1,41 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
setup("test_rsa");
plan tests => 6;
require_ok(srctop_file('test','recipes','tconversion.pl'));
ok(run(test(["rsa_test"])), "running rsatest");
ok(run(app([ 'openssl', 'rsa', '-check', '-in', srctop_file('test', 'testrsa.pem'), '-noout'])), "rsa -check");
SKIP: {
skip "Skipping rsa conversion test", 3
if disabled("rsa");
subtest 'rsa conversions -- private key' => sub {
tconversion("rsa", srctop_file("test","testrsa.pem"));
};
subtest 'rsa conversions -- private key PKCS#8' => sub {
tconversion("rsa", srctop_file("test","testrsa.pem"), "pkey");
};
subtest 'rsa conversions -- public key' => sub {
tconversion("msb", srctop_file("test","testrsapub.pem"), "rsa",
"-pubin", "-pubout");
};
}


@@ -0,0 +1,69 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec::Functions qw/catfile/;
use File::Copy;
use File::Compare qw/compare_text/;
use File::Basename;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_enc");
# We do it this way, because setup() may have moved us around,
# so the directory portion of $0 might not be correct any more.
# However, the name hasn't changed.
my $testsrc = srctop_file("test","recipes",basename($0));
my $test = catfile(".", "p");
my $cmd = "openssl";
my @ciphers =
map { s/^\s+//; s/\s+$//; split /\s+/ }
run(app([$cmd, "list", "-cipher-commands"]), capture => 1);
plan tests => 1 + (scalar @ciphers)*2;
my $init = ok(copy($testsrc,$test));
if (!$init) {
diag("Trying to copy $testsrc to $test : $!");
}
SKIP: {
skip "Not initialized, skipping...", 11 unless $init;
foreach my $c (@ciphers) {
my %variant = ("$c" => [],
"$c base64" => [ "-a" ]);
foreach my $t (sort keys %variant) {
my $cipherfile = "$test.$c.cipher";
my $clearfile = "$test.$c.clear";
my @e = ( "$c", "-bufsize", "113", @{$variant{$t}}, "-e", "-k", "test" );
my @d = ( "$c", "-bufsize", "157", @{$variant{$t}}, "-d", "-k", "test" );
if ($c eq "cat") {
$cipherfile = "$test.cipher";
$clearfile = "$test.clear";
@e = ( "enc", @{$variant{$t}}, "-e" );
@d = ( "enc", @{$variant{$t}}, "-d" );
}
ok(run(app([$cmd, @e, "-in", $test, "-out", $cipherfile]))
&& run(app([$cmd, @d, "-in", $cipherfile, "-out", $clearfile]))
&& compare_text($test,$clearfile) == 0, $t);
unlink $cipherfile, $clearfile;
}
}
}
unlink $test;
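Review bot: The skip count in `skip "Not initialized, skipping...", 11 unless $init;` is hard-coded while the plan is `1 + (scalar @ciphers)*2`, so the SKIP block holds 2*@ciphers tests and an odd count of 11 can never equal it; when the initial copy fails the run ends with a test count that disagrees with the plan instead of a clean skip. Use `skip "Not initialized, skipping...", scalar(@ciphers)*2 unless $init;`. Since `@ciphers` comes from the captured output of `openssl list -cipher-commands`, an empty capture (for example when the binary cannot be run) silently yields a plan of 1 test; a `BAIL_OUT`-style or `skip_all` check on `@ciphers` being empty would make that failure visible rather than letting the recipe pass with only the copy test.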


@@ -0,0 +1,39 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils;
setup("test_passwd");
plan tests => disabled("des") ? 4 : 6;
ok(compare1stline([qw{openssl passwd password}], '^.{13}\R$'),
'crypt password with random salt') if !disabled("des");
ok(compare1stline([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
'BSD style MD5 password with random salt');
ok(compare1stline([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
'Apache style MD5 password with random salt');
ok(compare1stline([qw{openssl passwd -salt xx password}], '^xxj31ZMTZzkVA\R$'),
'crypt password with salt xx') if !disabled("des");
ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '^\$1\$xxxxxxxx\$UYCIxa628\.9qXjpQCjM4a\.\R$'),
'BSD style MD5 password with salt xxxxxxxx');
ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '^\$apr1\$xxxxxxxx\$dxHfLAsjHkDRmG83UXe8K0\R$'),
'Apache style MD5 password with salt xxxxxxxx');
sub compare1stline {
my ($cmdarray, $regexp) = @_;
my @lines = run(app($cmdarray), capture => 1);
return $lines[0] =~ m|$regexp|;
}
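Review bot: compare1stline matches `$lines[0]` without checking that run() captured any output, so a failing `openssl passwd` invocation reaches the regex with undef and, under `use warnings`, emits an uninitialized-value warning before the test fails; `return defined $lines[0] && $lines[0] =~ m|$regexp|;` fails the same way without the noise and makes the intent explicit. Interpolating `$regexp` unquoted into `m||` is acceptable here only because every pattern passed in is a literal in this file; a one-line comment on the sub saying that callers must pass a pattern, never data, would keep a later caller from passing a captured string as the regexp.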


@@ -0,0 +1,26 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_crl");
plan tests => 3;
require_ok(srctop_file('test','recipes','tconversion.pl'));
subtest 'crl conversions' => sub {
tconversion("crl", srctop_file("test","testcrl.pem"));
};
ok(run(test(['crltest'])));
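Review bot: `ok(run(test(['crltest'])));` is the only assertion in this recipe without a description, so a failure shows up in TAP as an unnamed test 3; `ok(run(test(['crltest'])), "running crltest");` matches the naming the dsa and ec recipes in this commit use for their test-program runs.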


@@ -0,0 +1,93 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
setup("test_d2i");
plan tests => 14;
ok(run(test(["d2i_test", "X509", "decode",
srctop_file('test','d2i-tests','bad_cert.der')])),
"Running d2i_test bad_cert.der");
ok(run(test(["d2i_test", "GENERAL_NAME", "decode",
srctop_file('test','d2i-tests','bad_generalname.der')])),
"Running d2i_test bad_generalname.der");
ok(run(test(["d2i_test", "ASN1_ANY", "BIO",
srctop_file('test','d2i-tests','bad_bio.der')])),
"Running d2i_test bad_bio.der");
# This test checks CVE-2016-2108. The data consists of an tag 258 and
# two zero content octets. This is parsed as an ASN1_ANY type. If the
# type is incorrectly interpreted as an ASN.1 INTEGER the two zero content
# octets will be reject as invalid padding and this test will fail.
# If the type is correctly interpreted it will by treated as an ASN1_STRING
# type and the content octets copied verbatim.
ok(run(test(["d2i_test", "ASN1_ANY", "OK",
srctop_file('test','d2i-tests','high_tag.der')])),
"Running d2i_test high_tag.der");
# Above test data but interpreted as ASN.1 INTEGER: this will be rejected
# because the tag is invalid.
ok(run(test(["d2i_test", "ASN1_INTEGER", "decode",
srctop_file('test','d2i-tests','high_tag.der')])),
"Running d2i_test high_tag.der INTEGER");
# Parse valid 0, 1 and -1 ASN.1 INTEGER as INTEGER or ANY.
ok(run(test(["d2i_test", "ASN1_INTEGER", "OK",
srctop_file('test','d2i-tests','int0.der')])),
"Running d2i_test int0.der INTEGER");
ok(run(test(["d2i_test", "ASN1_INTEGER", "OK",
srctop_file('test','d2i-tests','int1.der')])),
"Running d2i_test int1.der INTEGER");
ok(run(test(["d2i_test", "ASN1_INTEGER", "OK",
srctop_file('test','d2i-tests','intminus1.der')])),
"Running d2i_test intminus1.der INTEGER");
ok(run(test(["d2i_test", "ASN1_ANY", "OK",
srctop_file('test','d2i-tests','int0.der')])),
"Running d2i_test int0.der ANY");
ok(run(test(["d2i_test", "ASN1_ANY", "OK",
srctop_file('test','d2i-tests','int1.der')])),
"Running d2i_test int1.der ANY");
ok(run(test(["d2i_test", "ASN1_ANY", "OK",
srctop_file('test','d2i-tests','intminus1.der')])),
"Running d2i_test intminus1.der ANY");
# Integers with illegal additional padding.
ok(run(test(["d2i_test", "ASN1_INTEGER", "decode",
srctop_file('test','d2i-tests','bad-int-pad0.der')])),
"Running d2i_test bad-int-pad0.der INTEGER");
ok(run(test(["d2i_test", "ASN1_INTEGER", "decode",
srctop_file('test','d2i-tests','bad-int-padminus1.der')])),
"Running d2i_test bad-int-padminus1.der INTEGER");
SKIP: {
skip "No CMS support in this configuration", 1 if disabled("cms");
# Invalid CMS structure with decode error in CHOICE value.
# Test for CVE-2016-7053
ok(run(test(["d2i_test", "CMS_ContentInfo", "decode",
srctop_file('test','d2i-tests','bad-cms.der')])),
"Running d2i_test bad-cms.der CMS ContentInfo");
}
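Review bot: The comment block above the high_tag.der test explains a security-relevant parsing distinction and has three typos that get in the way of reading it: `consists of an tag 258` should read `consists of a tag 258`, `will be reject as invalid padding` should read `will be rejected as invalid padding`, and `will by treated as an ASN1_STRING` should read `will be treated as an ASN1_STRING`. The CVE references in the high_tag.der and bad-cms.der comments are useful context for why those inputs are in the suite and should stay as they are.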


@@ -0,0 +1,27 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_pkcs7");
plan tests => 3;
require_ok(srctop_file('test','recipes','tconversion.pl'));
subtest 'pkcs7 conversions -- pkcs7' => sub {
tconversion("p7", srctop_file("test", "testp7.pem"), "pkcs7");
};
subtest 'pkcs7 conversions -- pkcs7d' => sub {
tconversion("p7d", srctop_file("test", "pkcs7-1.pem"), "pkcs7");
};


@@ -0,0 +1,76 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_req");
plan tests => 4;
require_ok(srctop_file('test','recipes','tconversion.pl'));
open RND, ">>", ".rnd";
print RND "string to make the random number generator think it has entropy";
close RND;
subtest "generating certificate requests" => sub {
my @req_new;
if (disabled("rsa")) {
@req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem"));
} else {
@req_new = ("-new");
note("There should be a 2 sequences of .'s and some +'s.");
note("There should not be more that at most 80 per line");
}
plan tests => 2;
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
@req_new, "-out", "testreq.pem"])),
"Generating request");
ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
"-verify", "-in", "testreq.pem", "-noout"])),
"Verifying signature on request");
};
my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf"));
run_conversion('req conversions',
"testreq.pem");
run_conversion('req conversions -- testreq2',
srctop_file("test", "testreq2.pem"));
unlink "testkey.pem", "testreq.pem";
sub run_conversion {
my $title = shift;
my $reqfile = shift;
subtest $title => sub {
run(app(["openssl", @openssl_args,
"-in", $reqfile, "-inform", "p",
"-noout", "-text"],
stderr => "req-check.err", stdout => undef));
open DATA, "req-check.err";
SKIP: {
plan skip_all => "skipping req conversion test for $reqfile"
if grep /Unknown Public Key/, map { s/\R//; } <DATA>;
tconversion("req", $reqfile, @openssl_args);
}
close DATA;
unlink "req-check.err";
done_testing();
};
}
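Review bot: The skip condition in run_conversion never fires: `grep /Unknown Public Key/, map { s/\R//; } <DATA>` greps the return values of the substitution (1 or the empty string), not the lines, because the map block does not end in `$_`; write `grep /Unknown Public Key/, <DATA>` (the line ending does not affect the match) or `map { s/\R//; $_ } <DATA>` as the symbol-presence recipe does. `open DATA, "req-check.err"` is a two-argument open on the special `DATA` handle and `open RND, ">>", ".rnd"` is unchecked; a lexical handle with three-argument open, `open my $err, '<', 'req-check.err' or die "open req-check.err: $!";`, avoids both. The sub reads the file-scoped `@openssl_args`, which is declared before the first call, so that part is fine.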


@@ -0,0 +1,24 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_sid");
plan tests => 2;
require_ok(srctop_file('test','recipes','tconversion.pl'));
subtest 'sid conversions' => sub {
tconversion("sid", srctop_file("test","testsid.pem"), "sess_id");
};


@@ -0,0 +1,330 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec::Functions qw/canonpath/;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_verify");
sub verify {
my ($cert, $purpose, $trusted, $untrusted, @opts) = @_;
my @args = qw(openssl verify -auth_level 1 -purpose);
my @path = qw(test certs);
push(@args, "$purpose", @opts);
for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) }
for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) }
push(@args, srctop_file(@path, "$cert.pem"));
run(app([@args]));
}
plan tests => 121;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
"accept compat trust");
# Root CA variants
ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]),
"fail trusted non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]),
"fail server trust non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]),
"fail wildcard trust non-ca root");
ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]),
"fail wrong root key");
ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]),
"fail wrong root DN");
# Explicit trust/purpose combinations
#
ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]),
"accept server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]),
"fail client purpose");
ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]),
"accept server trust");
ok(verify("ee-cert", "sslserver", [qw(sroot+serverAuth)], [qw(ca-cert)]),
"accept server trust with server purpose");
ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]),
"accept server trust with client purpose");
# Wildcard trust
ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]),
"accept wildcard trust");
ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]),
"accept wildcard trust with server purpose");
ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]),
"accept wildcard trust with client purpose");
# Inapplicable mistrust
ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]),
"accept client mistrust");
ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]),
"accept client mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]),
"fail client mistrust with client purpose");
# Inapplicable trust
ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]),
"fail client trust");
ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]),
"fail client trust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]),
"fail client trust with client purpose");
# Server mistrust
ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]),
"fail rejected EKU");
ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]),
"fail server mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]),
"fail server mistrust with client purpose");
# Wildcard mistrust
ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]),
"fail wildcard mistrust");
ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]),
"fail wildcard mistrust with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]),
"fail wildcard mistrust with client purpose");
# Check that trusted-first is on by setting up paths to different roots
# depending on whether the intermediate is the trusted or untrusted one.
#
ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)],
[qw(ca-cert)]),
"accept trusted-first path");
ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)],
[qw(ca-cert)]),
"accept trusted-first path with server trust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)],
[qw(ca-cert)]),
"fail trusted-first path with server mistrust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)],
[qw(ca-cert)]),
"fail trusted-first path with client trust");
# CA variants
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]),
"fail non-CA untrusted intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]),
"fail non-CA untrusted intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []),
"fail non-CA trust-store intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []),
"fail non-CA trust-store intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []),
"fail non-CA server trust intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []),
"fail non-CA wildcard trust intermediate");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]),
"fail wrong intermediate CA key");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]),
"fail wrong intermediate CA DN");
ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]),
"fail wrong intermediate CA issuer");
ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"),
"fail untrusted partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
"accept trusted partial chain");
ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
"accept partial chain with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
"fail partial chain with client purpose");
ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"),
"accept server trust partial chain");
ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"),
"accept server trust client purpose partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"),
"accept client mistrust partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"),
"accept wildcard trust partial chain");
ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"),
"fail untrusted partial issuer with ignored server trust");
ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"),
"fail server mistrust partial chain");
ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"),
"fail client trust partial chain");
ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"),
"fail wildcard mistrust partial chain");
# We now test auxiliary trust even for intermediate trusted certs without
# -partial_chain. Note that "-trusted_first" is now always on and cannot
# be disabled.
ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]),
"accept server trust");
ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]),
"accept wildcard trust");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]),
"accept server purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], [qw(ca-cert)]),
"accept server trust and purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]),
"accept wildcard trust and server purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], [qw(ca-cert)]),
"accept client mistrust and server purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], [qw(ca-cert)]),
"accept server trust and client purpose");
ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]),
"accept wildcard trust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]),
"fail client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]),
"fail wildcard mistrust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], [qw(ca-cert)]),
"fail server mistrust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], [qw(ca-cert)]),
"fail client trust");
ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], [qw(ca-cert)]),
"fail client trust and server purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], [qw(ca-cert)]),
"fail client trust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], [qw(ca-cert)]),
"fail server mistrust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], [qw(ca-cert)]),
"fail client mistrust and client purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], [qw(ca-cert)]),
"fail server mistrust and server purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]),
"fail wildcard mistrust and server purpose");
ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]),
"fail wildcard mistrust and client purpose");
# EE variants
ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
"accept client chain");
ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
"fail server leaf purpose");
ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]),
"fail client leaf purpose");
ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
"fail wrong intermediate CA key");
ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
"fail wrong intermediate CA DN");
ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
"fail expired leaf");
ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"),
"accept last-resort direct leaf match");
ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"),
"accept last-resort direct leaf match");
ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"),
"fail last-resort direct leaf non-match");
ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"),
"accept direct match with server trust");
ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"),
"fail direct match with server mistrust");
ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
"accept direct match with client trust");
ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
"reject direct match with client mistrust");
# Proxy certificates
ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
"fail to accept proxy cert without -allow_proxy_certs");
ok(verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)],
"-allow_proxy_certs"),
"accept proxy cert 1");
ok(verify("pc2-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
"-allow_proxy_certs"),
"accept proxy cert 2");
ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
"-allow_proxy_certs"),
"fail proxy cert with incorrect subject");
ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
"-allow_proxy_certs"),
"fail proxy cert with incorrect pathlen");
ok(verify("pc5-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
"-allow_proxy_certs"),
"accept proxy cert missing proxy policy");
ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], [qw(pc1-cert ee-client ca-cert)],
"-allow_proxy_certs"),
"failed proxy cert where last CN was added as a multivalue RDN component");
# Security level tests
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"accept RSA 2048 chain at auth level 2");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
"reject RSA 2048 root at auth level 3");
ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"),
"accept RSA 768 root at auth level 0");
ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]),
"reject RSA 768 root at auth level 1");
ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"),
"accept RSA 768 intermediate at auth level 0");
ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]),
"reject RSA 768 intermediate at auth level 1");
ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
"accept RSA 768 leaf at auth level 0");
ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]),
"reject RSA 768 leaf at auth level 1");
#
ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"),
"accept md5 self-signed TA at auth level 2");
ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-auth_level", "2"),
"accept md5 intermediate TA at auth level 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"),
"accept md5 intermediate at auth level 0");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]),
"reject md5 intermediate at auth level 1");
ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"),
"accept md5 leaf at auth level 0");
ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]),
"reject md5 leaf at auth level 1");
# Depth tests, note the depth limit bounds the number of CA certificates
# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
# chain, depth = 1 is sufficient, but depth == 0 is not.
#
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"),
"accept chain with verify_depth 2");
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"),
"accept chain with verify_depth 1");
ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"),
"accept chain with verify_depth 0");
ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"),
"accept md5 intermediate TA with verify_depth 0");
# Name Constraints tests.
ok(verify("alt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints everything permitted");
ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
"Name Constraints nothing excluded");
ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
"Name Constraints nested test all permitted");
ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints hostname not permitted");
ok(!verify("badalt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ),
"Name Constraints hostname excluded");
ok(!verify("badalt3-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints email address not permitted");
ok(!verify("badalt4-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints subject email address not permitted");
ok(!verify("badalt5-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints IP address not permitted");
ok(!verify("badalt6-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints CN hostname not permitted");
ok(!verify("badalt7-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ),
"Name Constraints CN BMPSTRING hostname not permitted");
ok(!verify("badalt8-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
"Name constaints nested DNS name not permitted 1");
ok(!verify("badalt9-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
"Name constaints nested DNS name not permitted 2");
ok(!verify("badalt10-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ),
"Name constaints nested DNS name excluded");
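Review bot: The description on the `-verify_depth 0` case contradicts its assertion: the call is `ok(!verify(...))`, i.e. a reject, but the label reads `"accept chain with verify_depth 0"`; it should be `"reject chain with verify_depth 0"`, matching the other "reject ..." labels in this file. The three `Name constaints ...` labels at the end of the file misspell "Constraints", so grepping harness output by name no longer lines up with the earlier `Name Constraints ...` cases. Separately, `verify()` relies on `run(app([@args]))` being the sub's final expression; an explicit `return run(app([@args]));` would make the boolean contract that every `ok(...)`/`ok(!...)` caller depends on visible at the definition.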


@@ -0,0 +1,34 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_x509");
plan tests => 5;
require_ok(srctop_file('test','recipes','tconversion.pl'));
subtest 'x509 -- x.509 v1 certificate' => sub {
tconversion("x509", srctop_file("test","testx509.pem"));
};
subtest 'x509 -- first x.509 v3 certificate' => sub {
tconversion("x509", srctop_file("test","v3-cert1.pem"));
};
subtest 'x509 -- second x.509 v3 certificate' => sub {
tconversion("x509", srctop_file("test","v3-cert2.pem"));
};
subtest 'x509 -- pathlen' => sub {
ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
}
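Review bot: The `ok(...)` in the `x509 -- pathlen` subtest is the only assertion in this recipe without a description, so a failure reports just a line number; `ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])), "v3ext on pathlen.pem");` keeps the output consistent with the other recipes. `use File::Spec;` appears to be unused here (paths come from `srctop_file`), and the closing `}` of the last subtest lacks the `;` the three preceding subtests have — legal as the final statement, but inconsistent and fragile if another test is appended below it.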


@@ -0,0 +1,23 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
use OpenSSL::Test::Utils;
my $test_name = "test_afalg";
setup($test_name);
plan skip_all => "$test_name not supported for this build"
if disabled("afalgeng");
plan tests => 1;
$ENV{OPENSSL_ENGINES} = bldtop_dir("engines/afalg");
ok(run(test(["afalgtest"])), "running afalgtest");
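Review bot: `use strict;` is present but `use warnings;` is missing, unlike the neighbouring recipes (test_sid, test_x509); add `use warnings;` directly after `use strict;`. The same gap — in several cases together with a missing `use strict;` — applies to the later test_asyncio, test_bad_dtls, test_clienthello, test_sslcbcpadding, test_sslcertstatus and test_sslextension sections, so one pass over the new recipes would fix them together. Without strictures, a mistyped variable or hash key in these scripts degrades into an undefined value that is passed straight to `run(app(...))`, and the only symptom is an unexplained test failure.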


@@ -0,0 +1,18 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test;
setup("test_engine");
plan tests => 1;
ok(run(test(["enginetest"])), "running enginetest");


@@ -0,0 +1,19 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_evp");
plan tests => 1;
ok(run(test(["evp_test", srctop_file("test", "evptests.txt")])),
"running evp_test evptests.txt");


@@ -0,0 +1,18 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test;
setup("test_evp_extra");
plan tests => 1;
ok(run(test(["evp_extra_test"])), "running evp_extra_test");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_pbelu", "pbelutest");


@@ -0,0 +1,76 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Spec::Functions;
use File::Copy;
use File::Basename;
use if $^O ne "VMS", 'File::Glob' => qw/glob/;
use OpenSSL::Test qw/:DEFAULT bldtop_file/;
setup("test_rehash");
#If "openssl rehash -help" fails it's most likely because we're on a platform
#that doesn't support the rehash command (e.g. Windows)
plan skip_all => "test_rehash is not available on this platform"
unless run(app(["openssl", "rehash", "-help"]));
plan tests => 5;
indir "rehash.$$" => sub {
prepare();
ok(run(app(["openssl", "rehash", curdir()])),
'Testing normal rehash operations');
}, create => 1, cleanup => 1;
indir "rehash.$$" => sub {
prepare(sub { chmod 400, $_ foreach (@_); });
ok(run(app(["openssl", "rehash", curdir()])),
'Testing rehash operations on readonly files');
}, create => 1, cleanup => 1;
indir "rehash.$$" => sub {
ok(run(app(["openssl", "rehash", curdir()])),
'Testing rehash operations on empty directory');
}, create => 1, cleanup => 1;
indir "rehash.$$" => sub {
prepare();
chmod 0500, curdir();
SKIP: {
if (!ok(!open(FOO, ">unwritable.txt"),
"Testing that we aren't running as a privileged user, such as root")) {
close FOO;
skip "It's pointless to run the next test as root", 1;
}
isnt(run(app(["openssl", "rehash", curdir()])), 1,
'Testing rehash operations on readonly directory');
}
chmod 0700, curdir(); # make it writable again, so cleanup works
}, create => 1, cleanup => 1;
sub prepare {
my @sourcefiles =
sort map { glob(bldtop_file('certs', 'demo', "*.$_")) } ('pem',
'crt',
'cer',
'crl');
my @destfiles = ();
foreach (@sourcefiles) {
copy($_, curdir());
push @destfiles, catfile(curdir(), basename($_));
}
foreach (@_) {
die "Internal error, argument is not CODE"
unless (ref($_) eq 'CODE');
$_->(@destfiles);
}
}
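Review bot: `chmod 400, $_ foreach (@_);` in the readonly-files case passes decimal 400 (octal 0620, owner read/write plus group write), not the intended read-only mode; the later `chmod 0500, curdir()` and `chmod 0700, curdir()` use octal literals correctly, so this should read `chmod 0400, $_ foreach (@_);`, otherwise the 'readonly files' test is not exercising what its description claims. `copy($_, curdir())` in `prepare` also ignores its return value, so a failed copy would silently leave the directory with fewer files than `@destfiles` records; `copy($_, curdir()) or die "copy $_: $!";` makes that explicit. The `open(FOO, ">unwritable.txt")` probe uses a bareword global handle with two-arg open; `open(my $fh, '>', 'unwritable.txt')` is the form used elsewhere in modern Perl and keeps the handle lexical.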


@@ -0,0 +1,21 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_asyncio");
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
plan tests => 1;
ok(run(test(["asynciotest", srctop_file("apps", "server.pem"),
srctop_file("apps", "server.pem")])), "running asynciotest");


@@ -0,0 +1,20 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test;
use OpenSSL::Test::Utils;
setup("test_bad_dtls");
plan skip_all => "DTLSv1 is not supported by this OpenSSL build"
if disabled("dtls1");
plan tests => 1;
ok(run(test(["bad_dtls_test"])), "running bad_dtls_test");


@@ -0,0 +1,20 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test;
use OpenSSL::Test::Utils;
setup("test_clienthello");
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
plan tests => 1;
ok(run(test(["clienthellotest"])), "running clienthellotest");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_packet", "packettest");


@@ -0,0 +1,110 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslcbcpadding";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.2 enabled"
if disabled("tls1_2");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&add_maximal_padding_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
# TODO: We could test all 256 values, but then the log file gets too large for
# CI. See https://github.com/openssl/openssl/issues/1440.
my @test_offsets = (0, 128, 254, 255);
# Test that maximally-padded records are accepted.
my $bad_padding_offset = -1;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1 + scalar(@test_offsets);
ok(TLSProxy::Message->success(), "Maximally-padded record test");
# Test that invalid padding is rejected.
foreach my $offset (@test_offsets) {
$proxy->clear();
$bad_padding_offset = $offset;
$proxy->start();
ok(TLSProxy::Message->fail(), "Invalid padding byte $bad_padding_offset");
}
sub add_maximal_padding_filter
{
my $proxy = shift;
if ($proxy->flight == 0) {
# Disable Encrypt-then-MAC.
foreach my $message (@{$proxy->message_list}) {
if ($message->mt != TLSProxy::Message::MT_CLIENT_HELLO) {
next;
}
$message->delete_extension(TLSProxy::Message::EXT_ENCRYPT_THEN_MAC);
$message->process_extensions();
$message->repack();
}
}
if ($proxy->flight == 3) {
# Insert a maximally-padded record. Assume a block size of 16 (AES) and
# a MAC length of 20 (SHA-1).
my $block_size = 16;
my $mac_len = 20;
# Size the plaintext so that 256 is a valid padding.
my $plaintext_len = $block_size - ($mac_len % $block_size);
my $plaintext = "A" x $plaintext_len;
my $data = "B" x $block_size; # Explicit IV.
$data .= $plaintext;
$data .= TLSProxy::Proxy::fill_known_data($mac_len); # MAC.
# Add padding.
for (my $i = 0; $i < 256; $i++) {
if ($i == $bad_padding_offset) {
$data .= "\xfe";
} else {
$data .= "\xff";
}
}
my $record = TLSProxy::Record->new(
$proxy->flight,
TLSProxy::Record::RT_APPLICATION_DATA,
TLSProxy::Record::VERS_TLS_1_2,
length($data),
0,
length($data),
$plaintext_len,
$data,
$plaintext,
);
# Send the record immediately after the server Finished.
push @{$proxy->record_list}, $record;
}
}
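Review bot: The `$proxy->start()` inside the `foreach my $offset` loop discards its return value, whereas the first start is guarded with `or plan skip_all`; if the proxy fails to come up for one offset, `TLSProxy::Message->fail()` would presumably report on whatever state `clear()` left rather than on the padding byte under test, and that case could pass for the wrong reason. `$proxy->start() or die "proxy failed to restart for padding offset $offset";` keeps a failure attributable. test_sslextension has the same unchecked restarts before its two duplicate-extension checks. The `$ENV{OPENSSL_ia32cap} = '~0x200000200000000';` assignment is a magic constant repeated across several of these recipes; a one-line comment stating which CPU capability bits it masks, and hence which cipher implementation the padding check actually exercises, would help the next maintainer — I assume it is meant to force the non-accelerated code path, but that should be confirmed rather than inferred.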


@@ -0,0 +1,66 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslcertstatus";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs the ocsp feature enabled"
if disabled("ocsp");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&certstatus_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
#Test 1: Sending a status_request extension in both ClientHello and
#ServerHello but then omitting the CertificateStatus message is valid
$proxy->clientflags("-status");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1;
ok(TLSProxy::Message->success, "Missing CertificateStatus message");
sub certstatus_filter
{
my $proxy = shift;
# We're only interested in the initial ServerHello
if ($proxy->flight != 1) {
return;
}
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
#Add the status_request to the ServerHello even though we are not
#going to send a CertificateStatus message
$message->set_extension(TLSProxy::Message::EXT_STATUS_REQUEST,
"");
$message->repack();
}
}
}


@@ -0,0 +1,112 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslextension";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&extension_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
# Test 1: Sending a zero length extension block should pass
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 3;
ok(TLSProxy::Message->success, "Zero extension length test");
sub extension_filter
{
my $proxy = shift;
# We're only interested in the initial ClientHello
if ($proxy->flight != 0) {
return;
}
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
# Remove all extensions and set the extension len to zero
$message->extension_data({});
$message->extensions_len(0);
# Extensions have been removed so make sure we don't try to use them
$message->process_extensions();
$message->repack();
}
}
}
# Test 2-3: Sending a duplicate extension should fail.
sub inject_duplicate_extension
{
my ($proxy, $message_type) = @_;
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == $message_type) {
my %extensions = %{$message->extension_data};
# Add a duplicate (unknown) extension.
$message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
$message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, "");
$message->repack();
}
}
}
sub inject_duplicate_extension_clienthello
{
my $proxy = shift;
# We're only interested in the initial ClientHello
if ($proxy->flight != 0) {
return;
}
inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO);
}
sub inject_duplicate_extension_serverhello
{
my $proxy = shift;
# We're only interested in the initial ServerHello
if ($proxy->flight != 1) {
return;
}
inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO);
}
$proxy->clear();
$proxy->filter(\&inject_duplicate_extension_clienthello);
$proxy->start();
ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");
$proxy->clear();
$proxy->filter(\&inject_duplicate_extension_serverhello);
$proxy->start();
ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");
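Review bot: `my %extensions = %{$message->extension_data};` in `inject_duplicate_extension` copies the extension hash and then never reads it, so the line is dead code and should be dropped; the duplicate is injected through the two `set_extension` calls alone. The `# Test 2-3: Sending a duplicate extension should fail.` comment sits above the helper subs, while the assertions it describes are the `ok(TLSProxy::Message->fail(), ...)` calls at the bottom of the file; moving the comment down to the `$proxy->clear();` that begins test 2 would put it next to the code it explains.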


@@ -0,0 +1,147 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use File::Temp qw(tempfile);
use TLSProxy::Proxy;
my $test_name = "test_tls13messages";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
use constant {
DEFAULT_HANDSHAKE => 1,
OCSP_HANDSHAKE => 2,
RESUME_HANDSHAKE => 4,
CLIENT_AUTH_HANDSHAKE => 8,
RENEG_HANDSHAKE => 16,
ALL_HANDSHAKES => 31
};
my @handmessages = (
[TLSProxy::Message::MT_CLIENT_HELLO, ALL_HANDSHAKES],
[TLSProxy::Message::MT_SERVER_HELLO, ALL_HANDSHAKES],
[TLSProxy::Message::MT_CERTIFICATE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
[TLSProxy::Message::MT_CERTIFICATE_STATUS, OCSP_HANDSHAKE],
#ServerKeyExchange handshakes not currently supported by TLSProxy
[TLSProxy::Message::MT_CERTIFICATE_REQUEST, CLIENT_AUTH_HANDSHAKE],
[TLSProxy::Message::MT_SERVER_HELLO_DONE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
[TLSProxy::Message::MT_CERTIFICATE, CLIENT_AUTH_HANDSHAKE],
[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
[TLSProxy::Message::MT_CERTIFICATE_VERIFY, CLIENT_AUTH_HANDSHAKE],
[TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES],
[TLSProxy::Message::MT_NEW_SESSION_TICKET, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
[TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES],
[TLSProxy::Message::MT_CLIENT_HELLO, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_SERVER_HELLO, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_CERTIFICATE, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_SERVER_HELLO_DONE, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_NEW_SESSION_TICKET, RENEG_HANDSHAKE],
[TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE],
[0, 0]
);
my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
sub checkmessages($$);
#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 5;
checkmessages(DEFAULT_HANDSHAKE, "Default handshake test");
#Test 2: Resumption handshake
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
unlink $session;
#Test 3: A client auth handshake
$proxy->clear();
$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->start();
checkmessages(CLIENT_AUTH_HANDSHAKE, "Client auth handshake test");
#Test 4: A handshake with a renegotiation
$proxy->clear();
$proxy->reneg(1);
$proxy->start();
checkmessages(RENEG_HANDSHAKE, "Rengotiation handshake test");
#Test 5: A handshake with a renegotiation and client auth
$proxy->clear();
$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
$proxy->serverflags("-Verify 5");
$proxy->reneg(1);
$proxy->start();
checkmessages(RENEG_HANDSHAKE | CLIENT_AUTH_HANDSHAKE,
"Renogitation and client auth handshake test");
sub checkmessages($$)
{
my ($handtype, $testname) = @_;
subtest $testname => sub {
my $loop = 0;
my $numtests;
#First count the number of tests
for ($numtests = 0; $handmessages[$loop][1] != 0; $loop++) {
$numtests++ if (($handmessages[$loop][1] & $handtype) != 0);
}
plan tests => $numtests;
my $nextmess = 0;
my $message = undef;
for ($loop = 0; $handmessages[$loop][1] != 0; $loop++) {
next if (($handmessages[$loop][1] & $handtype) == 0);
if (scalar @{$proxy->message_list} > $nextmess) {
$message = ${$proxy->message_list}[$nextmess];
$nextmess++;
} else {
$message = undef;
}
if (!defined $message) {
fail("Message type check. Got nothing, expected "
.$handmessages[$loop][0]);
} else {
ok($message->mt == $handmessages[$loop][0],
"Message type check. Got ".$message->mt
.", expected ".$handmessages[$loop][0]);
}
}
}
}
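Review bot: checkmessages only verifies that the first N messages match the expected table; once the table is exhausted the loop stops, so an extra message after the last expected Finished would go unnoticed, and unlike the checkmessages in the session-ticket recipe further down this page it never asserts that the handshake itself succeeded. Assuming message_list holds only the handshake messages of the current connection, add `ok(TLSProxy::Message->success, "Handshake completed");` before the loop and `is(scalar @{$proxy->message_list}, $nextmess, "No unexpected trailing messages");` after it, with `plan tests => $numtests + 2;`. Separately, the expected-message table at the top is the TLS 1.2 flow (ServerHelloDone, ClientKeyExchange, NewSessionTicket before Finished) even though the recipe is named test_tls13messages; a comment saying the table will need revising as TLS 1.3 message support lands would help the next reader. The test names for the renegotiation cases also misspell "Renegotiation".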


@@ -0,0 +1,381 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslrecords";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.2 enabled"
if disabled("tls1_2");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&add_empty_recs_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
#Test 1: Injecting out of context empty records should fail
my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
my $inject_recs_num = 1;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
my $num_tests = 10;
if (!disabled("tls1_1")) {
$num_tests++;
}
plan tests => $num_tests;
ok(TLSProxy::Message->fail(), "Out of context empty records test");
#Test 2: Injecting in context empty records should succeed
$proxy->clear();
$content_type = TLSProxy::Record::RT_HANDSHAKE;
$proxy->start();
ok(TLSProxy::Message->success(), "In context empty records test");
#Test 3: Injecting too many in context empty records should fail
$proxy->clear();
#We allow 32 consecutive in context empty records
$inject_recs_num = 33;
$proxy->start();
ok(TLSProxy::Message->fail(), "Too many in context empty records test");
#Test 4: Injecting a fragmented fatal alert should fail. We actually expect no
# alerts to be sent from either side because *we* injected the fatal
# alert, i.e. this will look like a disorderly close
$proxy->clear();
$proxy->filter(\&add_frag_alert_filter);
$proxy->start();
ok(!TLSProxy::Message->end(), "Fragmented alert records test");
#Run some SSLv2 ClientHello tests
use constant {
TLSV1_2_IN_SSLV2 => 0,
SSLV2_IN_SSLV2 => 1,
FRAGMENTED_IN_TLSV1_2 => 2,
FRAGMENTED_IN_SSLV2 => 3,
ALERT_BEFORE_SSLV2 => 4
};
#Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
#Test 6: Inject an SSLv2 style record format for an SSLv2 ClientHello. We don't
# support this so it should fail. We actually treat it as an unknown
# protocol so we don't even send an alert in this case.
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->start();
ok(!TLSProxy::Message->end(), "SSLv2 in SSLv2 ClientHello test");
#Test 7: Sanity check ClientHello fragmentation. This isn't really an SSLv2 test
# at all, but it gives us confidence that Test 8 fails for the right
# reasons
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
#Test 8: Fragment a TLSv1.2 ClientHello across a TLS1.2 record; an SSLv2
# record; and another TLS1.2 record. This isn't allowed so should fail
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
#Test 9: Send a TLS warning alert before an SSLv2 ClientHello. This should
# fail because an SSLv2 ClientHello must be the first record.
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
#Unregcognised record type tests
#Test 10: Sending an unrecognised record type in TLS1.2 should fail
$proxy->clear();
$proxy->filter(\&add_unknown_record_type);
$proxy->start();
ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.2");
#Test 11: Sending an unrecognised record type in TLS1.1 should fail
if (!disabled("tls1_1")) {
$proxy->clear();
$proxy->clientflags("-tls1_1");
$proxy->start();
ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.1");
}
sub add_empty_recs_filter
{
my $proxy = shift;
# We're only interested in the initial ClientHello
if ($proxy->flight != 0) {
return;
}
for (my $i = 0; $i < $inject_recs_num; $i++) {
my $record = TLSProxy::Record->new(
0,
$content_type,
TLSProxy::Record::VERS_TLS_1_2,
0,
0,
0,
0,
"",
""
);
push @{$proxy->record_list}, $record;
}
}
sub add_frag_alert_filter
{
my $proxy = shift;
my $byte;
# We're only interested in the initial ClientHello
if ($proxy->flight != 0) {
return;
}
# Add a zero length fragment first
#my $record = TLSProxy::Record->new(
# 0,
# TLSProxy::Record::RT_ALERT,
# TLSProxy::Record::VERS_TLS_1_2,
# 0,
# 0,
# 0,
# "",
# ""
#);
#push @{$proxy->record_list}, $record;
# Now add the alert level (Fatal) as a separate record
$byte = pack('C', TLSProxy::Message::AL_LEVEL_FATAL);
my $record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_ALERT,
TLSProxy::Record::VERS_TLS_1_2,
1,
0,
1,
1,
$byte,
$byte
);
push @{$proxy->record_list}, $record;
# And finally the description (Unexpected message) in a third record
$byte = pack('C', TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE);
$record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_ALERT,
TLSProxy::Record::VERS_TLS_1_2,
1,
0,
1,
1,
$byte,
$byte
);
push @{$proxy->record_list}, $record;
}
sub add_sslv2_filter
{
my $proxy = shift;
my $clienthello;
my $record;
# We're only interested in the initial ClientHello
if ($proxy->flight != 0) {
return;
}
# Ditch the real ClientHello - we're going to replace it with our own
shift @{$proxy->record_list};
if ($sslv2testtype == ALERT_BEFORE_SSLV2) {
my $alert = pack('CC', TLSProxy::Message::AL_LEVEL_FATAL,
TLSProxy::Message::AL_DESC_NO_RENEGOTIATION);
my $alertlen = length $alert;
$record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_ALERT,
TLSProxy::Record::VERS_TLS_1_2,
$alertlen,
0,
$alertlen,
$alertlen,
$alert,
$alert
);
push @{$proxy->record_list}, $record;
}
if ($sslv2testtype == ALERT_BEFORE_SSLV2
|| $sslv2testtype == TLSV1_2_IN_SSLV2
|| $sslv2testtype == SSLV2_IN_SSLV2) {
# This is an SSLv2 format ClientHello
$clienthello =
pack "C44",
0x01, # ClientHello
0x03, 0x03, #TLSv1.2
0x00, 0x03, # Ciphersuites len
0x00, 0x00, # Session id len
0x00, 0x20, # Challenge len
0x00, 0x00, 0x2f, #AES128-SHA
0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6; # Challenge
if ($sslv2testtype == SSLV2_IN_SSLV2) {
# Set the version to "real" SSLv2
vec($clienthello, 1, 8) = 0x00;
vec($clienthello, 2, 8) = 0x02;
}
my $chlen = length $clienthello;
$record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_HANDSHAKE,
TLSProxy::Record::VERS_TLS_1_2,
$chlen,
1, #SSLv2
$chlen,
$chlen,
$clienthello,
$clienthello
);
push @{$proxy->record_list}, $record;
} else {
# For this test we're using a real TLS ClientHello
$clienthello =
pack "C49",
0x01, # ClientHello
0x00, 0x00, 0x2D, # Message length
0x03, 0x03, # TLSv1.2
0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6, # Random
0x00, # Session id len
0x00, 0x04, # Ciphersuites len
0x00, 0x2f, # AES128-SHA
0x00, 0xff, # Empty reneg info SCSV
0x01, # Compression methods len
0x00, # Null compression
0x00, 0x00; # Extensions len
# Split this into 3: A TLS record; a SSLv2 record and a TLS record.
# We deliberately split the second record prior to the Challenge/Random
# and set the first byte of the random to 1. This makes the second SSLv2
# record look like an SSLv2 ClientHello
my $frag1 = substr $clienthello, 0, 6;
my $frag2 = substr $clienthello, 6, 32;
my $frag3 = substr $clienthello, 38;
my $fraglen = length $frag1;
$record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_HANDSHAKE,
TLSProxy::Record::VERS_TLS_1_2,
$fraglen,
0,
$fraglen,
$fraglen,
$frag1,
$frag1
);
push @{$proxy->record_list}, $record;
$fraglen = length $frag2;
my $recvers;
if ($sslv2testtype == FRAGMENTED_IN_SSLV2) {
$recvers = 1;
} else {
$recvers = 0;
}
$record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_HANDSHAKE,
TLSProxy::Record::VERS_TLS_1_2,
$fraglen,
$recvers,
$fraglen,
$fraglen,
$frag2,
$frag2
);
push @{$proxy->record_list}, $record;
$fraglen = length $frag3;
$record = TLSProxy::Record->new(
0,
TLSProxy::Record::RT_HANDSHAKE,
TLSProxy::Record::VERS_TLS_1_2,
$fraglen,
0,
$fraglen,
$fraglen,
$frag3,
$frag3
);
push @{$proxy->record_list}, $record;
}
}
sub add_unknown_record_type
{
my $proxy = shift;
# We'll change a record after the initial version neg has taken place
if ($proxy->flight != 2) {
return;
}
my $lastrec = ${$proxy->record_list}[-1];
my $record = TLSProxy::Record->new(
2,
TLSProxy::Record::RT_UNKNOWN,
$lastrec->version(),
1,
0,
1,
1,
"X",
"X"
);
unshift @{$proxy->record_list}, $record;
}
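Review bot: add_frag_alert_filter carries a commented-out record block directly under the comment "Add a zero length fragment first", so that comment now describes code that does not run and the filter actually sends two one-byte alert fragments. Either delete the dead block or replace the two with a comment explaining the decision, e.g. `# No zero-length alert fragment is sent; the alert is split into two one-byte records.`. It would also help to state at the top of add_sslv2_filter that `shift @{$proxy->record_list}` assumes the first record of flight 0 is the ClientHello, which is presumably true for the s_client driven by TLSProxy but is not checked before the record is discarded.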


@@ -0,0 +1,268 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);
my $test_name = "test_sslsessiontick";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
sub checkmessages($$$$$$);
sub clearclient();
sub clearall();
my $chellotickext = 0;
my $shellotickext = 0;
my $fullhand = 0;
my $ticketseen = 0;
my $proxy = TLSProxy::Proxy->new(
undef,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
#Test 1: By default with no existing session we should get a session ticket
#Expected result: ClientHello extension seen; ServerHello extension seen
# NewSessionTicket message seen; Full handshake
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 10;
checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
#Test 2: If the server does not accept tickets we should get a normal handshake
#with no session tickets
#Expected result: ClientHello extension seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
$proxy->serverflags("-no_ticket");
$proxy->start();
checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
#Test 3: If the client does not accept tickets we should get a normal handshake
#with no session tickets
#Expected result: ClientHello extension not seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
$proxy->clientflags("-no_ticket");
$proxy->start();
checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
#Test 4: Test session resumption with session ticket
#Expected result: ClientHello extension seen; ServerHello extension not seen
# NewSessionTicket message not seen; Abbreviated handshake
clearall();
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
unlink $session;
#Test 5: Test session resumption with ticket capable client without a ticket
#Expected result: ClientHello extension seen; ServerHello extension seen
# NewSessionTicket message seen; Abbreviated handshake
clearall();
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session." -no_ticket");
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption with ticket capable client without a "
."ticket", 1, 1, 1, 0);
unlink $session;
#Test 6: Client accepts empty ticket.
#Expected result: ClientHello extension seen; ServerHello extension seen;
# NewSessionTicket message seen; Full handshake.
clearall();
$proxy->filter(\&ticket_filter);
$proxy->start();
checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
#Test 7-8: Client keeps existing ticket on empty ticket.
clearall();
(undef, $session) = tempfile();
$proxy->serverconnects(3);
$proxy->filter(undef);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session." -sess_out ".$session);
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension seen;
# NewSessionTicket message seen; Abbreviated handshake.
checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
clearclient();
$proxy->clientflags("-sess_in ".$session);
$proxy->filter(undef);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension not seen;
# NewSessionTicket message not seen; Abbreviated handshake.
checkmessages(8, "Empty ticket resumption test", 1, 0, 0, 0);
unlink $session;
#Test 9: Bad server sends the ServerHello extension but does not send a
#NewSessionTicket
#Expected result: Connection failure
clearall();
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_ticket_extension_filter);
$proxy->start();
ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test");
#Test10: Bad server does not send the ServerHello extension but does send a
#NewSessionTicket
#Expected result: Connection failure
clearall();
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->start();
ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test");
sub ticket_filter
{
my $proxy = shift;
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
$message->ticket("");
$message->repack();
}
}
}
sub inject_empty_ticket_filter {
my $proxy = shift;
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
# Only inject the message first time we're called.
return;
}
}
my @new_message_list = ();
foreach my $message (@{$proxy->message_list}) {
push @new_message_list, $message;
if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
$message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
$message->repack();
# Tack NewSessionTicket onto the ServerHello record.
# This only works if the ServerHello is exactly one record.
my $record = ${$message->records}[0];
my $offset = $message->startoffset + $message->encoded_length;
my $newsessionticket = TLSProxy::NewSessionTicket->new(
1, "", [$record], $offset, []);
$newsessionticket->repack();
push @new_message_list, $newsessionticket;
}
}
$proxy->message_list([@new_message_list]);
}
sub inject_ticket_extension_filter
{
my $proxy = shift;
# We're only interested in the initial ServerHello
if ($proxy->flight != 1) {
return;
}
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
#Add the session ticket extension to the ServerHello even though
#we are not going to send a NewSessionTicket message
$message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
$message->repack();
}
}
}
sub checkmessages($$$$$$)
{
my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
subtest $testname => sub {
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
|| $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
#Get the extensions data
my %extensions = %{$message->extension_data};
if (defined
$extensions{TLSProxy::Message::EXT_SESSION_TICKET}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
$chellotickext = 1;
} else {
$shellotickext = 1;
}
}
} elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
#Must be doing a full handshake
$fullhand = 1;
} elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
$ticketseen = 1;
}
}
plan tests => 5;
ok(TLSProxy::Message->success, "Handshake");
ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
"ClientHello extension Session Ticket check");
ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
"ServerHello extension Session Ticket check");
ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
"Session Ticket message presence check");
ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
"Session Ticket full handshake check");
}
}
sub clearclient()
{
$chellotickext = 0;
$shellotickext = 0;
$fullhand = 0;
$ticketseen = 0;
$proxy->clearClient();
}
sub clearall()
{
clearclient();
$proxy->clear();
}
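Review bot: the four extension/ticket assertions in checkmessages are written as `ok((A && B) || (!A && !B), ...)`, which on failure prints only "not ok" with no got/expected values, and the `$testno` parameter is accepted but never read. The equivalent `is($chellotickext, $testch, "ClientHello extension Session Ticket check");` (and likewise for the other three) gives the same pass/fail result with useful diagnostics and matches the `==` comparison style used in the extended-master-secret recipe on this page. Also inject_empty_ticket_filter notes that tacking the NewSessionTicket onto the ServerHello "only works if the ServerHello is exactly one record" but does not verify it; `die "ServerHello spans multiple records" if scalar @{$message->records} != 1;` would turn a silent mis-injection into a clear failure.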


@@ -0,0 +1,65 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslskewith0p";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "dh is not supported by this OpenSSL build"
if disabled("dh");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&ske_0_p_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
#We must use an anon DHE cipher for this test
$proxy->cipherc('ADH-AES128-SHA:@SECLEVEL=0');
$proxy->ciphers('ADH-AES128-SHA:@SECLEVEL=0');
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1;
ok(TLSProxy::Message->fail, "ServerKeyExchange with 0 p");
sub ske_0_p_filter
{
my $proxy = shift;
# We're only interested in the SKE - always in flight 1
if ($proxy->flight != 1) {
return;
}
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_SERVER_KEY_EXCHANGE) {
#Set p to a value of 0
$message->p(pack('C', 0));
$message->repack();
}
}
}
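Review bot: the comment "We must use an anon DHE cipher for this test" above the cipher setup does not say why, and `@SECLEVEL=0` is left unexplained. Presumably the reason is that TLSProxy rewrites p in the ServerKeyExchange and cannot re-sign it, so only an unsigned (anonymous) key exchange survives the modification, and SECLEVEL=0 is what lets the anon cipher be negotiated at all; if that is right, say so: `# ADH: the proxy rewrites p in the SKE and cannot re-sign it, so the exchange must be unsigned; SECLEVEL=0 lets the anon cipher be negotiated.`. The recipe also covers only a one-byte p of 0; if the intent is to exercise the DH parameter sanity checks, a companion case with p = 1 would be natural, but whether the library rejects that at the same point is not visible here.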


@@ -0,0 +1,67 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
my $test_name = "test_sslextension";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
\&vers_tolerance_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
#Test 1: Asking for TLS1.3 should pass
my $client_version = TLSProxy::Record::VERS_TLS_1_3;
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 2;
ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.3");
#Test 2: Testing something below SSLv3 should fail
$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
$proxy->clear();
$proxy->start();
ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0");
sub vers_tolerance_filter
{
my $proxy = shift;
# We're only interested in the initial ClientHello
if ($proxy->flight != 0) {
return;
}
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
#Set the client version
#Anything above the max supported version (TLS1.2) should succeed
#Anything below SSLv3 should fail
$message->client_version($client_version);
$message->repack();
}
}
}
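Review bot: `$test_name` is set to "test_sslextension" but this recipe exercises ClientHello version tolerance, not extensions; the name is passed to setup() and used in every skip message, so if setup() keys the result directory on it this recipe will share (and potentially clobber) the real extension recipe's directory, and its skip output will be misleading. Rename it to reflect the version-tolerance purpose. The comment in vers_tolerance_filter also hard-codes "the max supported version (TLS1.2)" while Test 1 sends VERS_TLS_1_3 and expects success; once TLS 1.3 is actually supported that test stops exercising tolerance, so a note such as `# Test 1 relies on TLS1.3 being above the highest version we support` would flag the dependency.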


@@ -0,0 +1,238 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
use OpenSSL::Test::Utils;
use TLSProxy::Proxy;
use File::Temp qw(tempfile);
my $test_name = "test_tlsextms";
setup($test_name);
plan skip_all => "TLSProxy isn't usable on $^O"
if $^O =~ /^(VMS|MSWin32)$/;
plan skip_all => "$test_name needs the dynamic engine feature enabled"
if disabled("engine") || disabled("dynamic-engine");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
sub checkmessages($$$$$);
sub setrmextms($$);
sub clearall();
my $crmextms = 0;
my $srmextms = 0;
my $cextms = 0;
my $sextms = 0;
my $fullhand = 0;
my $proxy = TLSProxy::Proxy->new(
\&extms_filter,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
#Test 1: By default server and client should send extended master secret
# extension.
#Expected result: ClientHello extension seen; ServerHello extension seen
# Full handshake
setrmextms(0, 0);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 9;
checkmessages(1, "Default extended master secret test", 1, 1, 1);
#Test 2: If client omits extended master secret extension, server should too.
#Expected result: ClientHello extension not seen; ServerHello extension not seen
# Full handshake
clearall();
setrmextms(1, 0);
$proxy->start();
checkmessages(2, "No client extension extended master secret test", 0, 0, 1);
# Test 3: same as 1 but with session tickets disabled.
# Expected result: same as test 1.
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(0, 0);
$proxy->start();
checkmessages(3, "No ticket extended master secret test", 1, 1, 1);
# Test 4: same as 2 but with session tickets disabled.
# Expected result: same as test 2.
clearall();
$proxy->clientflags("-no_ticket");
setrmextms(1, 0);
$proxy->start();
checkmessages(2, "No ticket, no client extension extended master secret test", 0, 0, 1);
#Test 5: Session resumption extended master secret test
#
#Expected result: ClientHello extension seen; ServerHello extension seen
# Abbreviated handshake
clearall();
setrmextms(0, 0);
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption extended master secret test", 1, 1, 0);
unlink $session;
#Test 6: Session resumption extended master secret test original session
# omits extension. Server must not resume session.
#Expected result: ClientHello extension seen; ServerHello extension seen
# Full handshake
clearall();
setrmextms(1, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
checkmessages(6, "Session resumption extended master secret test", 1, 1, 1);
unlink $session;
#Test 7: Session resumption extended master secret test resumed session
# omits client extension. Server must abort connection.
#Expected result: aborted connection.
clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
setrmextms(1, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Client inconsistent session resumption");
unlink $session;
#Test 8: Session resumption extended master secret test resumed session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.
clearall();
setrmextms(0, 0);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
setrmextms(0, 1);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1");
unlink $session;
#Test 9: Session resumption extended master secret test initial session
# omits server extension. Client must abort connection.
#Expected result: aborted connection.
clearall();
setrmextms(0, 1);
(undef, $session) = tempfile();
$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->clientflags("-sess_in ".$session);
setrmextms(0, 0);
$proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;
sub extms_filter
{
my $proxy = shift;
foreach my $message (@{$proxy->message_list}) {
if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
$message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
$message->repack();
}
if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
$message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET);
$message->repack();
}
}
}
sub checkmessages($$$$$)
{
my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_;
subtest $testname => sub {
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
|| $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
#Get the extensions data
my %extensions = %{$message->extension_data};
if (defined
$extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
$cextms = 1;
} else {
$sextms = 1;
}
}
} elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
#Must be doing a full handshake
$fullhand = 1;
}
}
plan tests => 4;
ok(TLSProxy::Message->success, "Handshake");
ok($testcextms == $cextms,
"ClientHello extension extended master secret check");
ok($testsextms == $sextms,
"ServerHello extension extended master secret check");
ok($testhand == $fullhand,
"Extended master secret full handshake check");
}
}
sub setrmextms($$)
{
($crmextms, $srmextms) = @_;
}
sub clearall()
{
$cextms = 0;
$sextms = 0;
$fullhand = 0;
$proxy->clear();
}


@@ -0,0 +1,19 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_verify_extra");
plan tests => 1;
ok(run(test(["verify_extra_test",
srctop_file("test", "certs", "roots.pem"),
srctop_file("test", "certs", "untrusted.pem"),
srctop_file("test", "certs", "bad.pem")])));
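Review bot: The `ok()` that closes the file has no test description, so a failure is reported only by line number, while sibling recipes in this commit name each assertion (e.g. `"dane tests"` in 80-test_dane.t). Pass a description as the second argument, i.e. end the call with `])), "verify_extra_test");` instead of `])));`. The recipe also lacks `use strict; use warnings;`, which the other new recipes carry.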

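--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -0,0 +1,59 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use POSIX;
+use File::Path 2.00 qw/rmtree/;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+setup("test_ca");
+$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
+my $std_openssl_cnf =
+srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");
+rmtree("demoCA", { safe => 0 });
+plan tests => 4;
+SKIP: {
+$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
+skip "failed creating CA structure", 3
+if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
+'creating CA structure');
+$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
+skip "failed creating new certificate request", 2
+if !ok(run(perlapp(["CA.pl","-newreq"])),
+'creating certificate request');
+$ENV{OPENSSL_CONFIG} = '-config "'.$std_openssl_cnf.'"';
+skip "failed to sign certificate request", 1
+if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
+'signing certificate request');
+ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
+'verifying new certificate');
+}
+rmtree("demoCA", { safe => 0 });
+unlink "newcert.pem", "newreq.pem", "newkey.pem";
+sub yes {
+my $cntr = 10;
+open(PIPE, "|-", join(" ",@_));
+local $SIG{PIPE} = "IGNORE";
+1 while $cntr-- > 0 && print PIPE "y\n";
+close PIPE;
+return 0;
+}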
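Review bot: `yes()` unconditionally returns 0 and never looks at the result of `open` or `close`, so the `is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, 'signing certificate request')` check cannot fail even when `CA.pl -sign` fails to start or exits non-zero; only the later `-verify` step would catch a failed signing. The pipe is also a bareword handle `PIPE` opened without error checking. A checked open on a lexical handle that returns the child's exit status after `close` keeps the existing expectation of 0 on success while making the assertion meaningful; I would confirm that `CA.pl -sign` exits 0 on success before relying on it.
```perl
sub yes {
    my $cntr = 10;
    open(my $pipe, "|-", join(" ", @_))
        or do { warn "cannot start '@_': $!"; return 1 };
    local $SIG{PIPE} = "IGNORE";
    1 while $cntr-- > 0 && print {$pipe} "y\n";
    close $pipe;
    # $? holds the child's wait status after close; 0 means success
    return $? >> 8;
}
```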


@@ -0,0 +1,26 @@
#! /usr/bin/perl
#
# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test::Simple;
use OpenSSL::Test;
use OpenSSL::Test::Utils qw(alldisabled available_protocols);
setup("test_cipherlist");
my $no_anytls = alldisabled(available_protocols("tls"));
# If we have no protocols, then we also have no supported ciphers.
plan skip_all => "No SSL/TLS protocol is supported by this OpenSSL build."
if $no_anytls;
simple_test("test_cipherlist", "cipherlist_test", "cipherlist");
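Review bot: `setup("test_cipherlist")` is called explicitly and then `simple_test("test_cipherlist", ...)` receives the same name; the other `OpenSSL::Test::Simple` users in this commit (80-test_dtlsv1listen.t, test_sanity) call `simple_test` alone, which suggests it performs the setup itself and that the extra `setup` and `use OpenSSL::Test;` may be redundant — worth confirming against OpenSSL::Test::Simple before removing them. The shebang `#! /usr/bin/perl` also differs from the `#! /usr/bin/env perl` used by every other recipe in this commit.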

test/recipes/80-test_cms.t Normal file

@@ -0,0 +1,502 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/catfile/;
use File::Compare qw/compare_text/;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
use OpenSSL::Test::Utils;
setup("test_cms");
plan skip_all => "CMS is not supported by this OpenSSL build"
if disabled("cms");
my $smdir = srctop_dir("test", "smime-certs");
my $smcont = srctop_file("test", "smcont.txt");
my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
= disabled qw/des dh dsa ec ec2m rc2 zlib/;
plan tests => 4;
my @smime_pkcs7_tests = (
[ "signed content DER format, RSA key",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-certfile", catfile($smdir, "smroot.pem"),
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed detached content DER format, RSA key",
[ "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt",
"-content", $smcont ]
],
[ "signed content test streaming BER format, RSA",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-stream",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content DER format, DSA key",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed detached content DER format, DSA key",
[ "-sign", "-in", $smcont, "-outform", "DER",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt",
"-content", $smcont ]
],
[ "signed detached content DER format, add RSA signer (with DSA existing)",
[ "-resign", "-inform", "DER", "-in", "test.cms", "-outform", "DER",
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test2.cms" ],
[ "-verify", "-in", "test2.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt",
"-content", $smcont ]
],
[ "signed content test streaming BER format, DSA key",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-stream",
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
[ "-sign", "-in", $smcont, "-outform", "DER", "-noattr", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content S/MIME format, RSA key SHA1",
[ "-sign", "-in", $smcont, "-md", "sha1",
"-certfile", catfile($smdir, "smroot.pem"),
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont,
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, DES, 3 recipients",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
[ "-encrypt", "-in", $smcont,
"-aes256", "-stream", "-out", "test.cms",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
);
my @smime_cms_tests = (
[ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
[ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", "-keyid",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"),
"-signer", catfile($smdir, "smrsa2.pem"),
"-signer", catfile($smdir, "smdsa1.pem"),
"-signer", catfile($smdir, "smdsa2.pem"),
"-stream", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content MIME format, RSA key, signed receipt request",
[ "-sign", "-in", $smcont, "-signer", catfile($smdir, "smrsa1.pem"), "-nodetach",
"-receipt_request_to", "test\@openssl.org", "-receipt_request_all",
"-out", "test.cms" ],
[ "-verify", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed receipt MIME format, RSA key",
[ "-sign_receipt", "-in", "test.cms",
"-signer", catfile($smdir, "smrsa2.pem"),
"-out", "test2.cms" ],
[ "-verify_receipt", "test2.cms", "-in", "test.cms",
"-CAfile", catfile($smdir, "smroot.pem") ]
],
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms", "-keyid",
catfile($smdir, "smrsa1.pem"),
catfile($smdir, "smrsa2.pem"),
catfile($smdir, "smrsa3.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming PEM format, KEK",
[ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
"-stream", "-out", "test.cms",
"-secretkey", "000102030405060708090A0B0C0D0E0F",
"-secretkeyid", "C0FEE0" ],
[ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F",
"-secretkeyid", "C0FEE0" ]
],
[ "enveloped content test streaming PEM format, KEK, key only",
[ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128",
"-stream", "-out", "test.cms",
"-secretkey", "000102030405060708090A0B0C0D0E0F",
"-secretkeyid", "C0FEE0" ],
[ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F" ]
],
[ "data content test streaming PEM format",
[ "-data_create", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-stream", "-out", "test.cms" ],
[ "-data_out", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, 128 bit RC2 key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, 40 bit RC2 key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-rc2", "-secretkey", "0001020304",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "0001020304", "-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, triple DES key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617",
"-out", "smtst.txt" ]
],
[ "encrypted content test streaming PEM format, 128 bit AES key",
[ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM",
"-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F",
"-stream", "-out", "test.cms" ],
[ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM",
"-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ]
],
);
my @smime_cms_comp_tests = (
[ "compressed content test streaming PEM format",
[ "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-stream", "-out", "test.cms" ],
[ "-uncompress", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ]
]
);
my @smime_cms_param_tests = (
[ "signed content test streaming PEM format, RSA keys, PSS signature",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1",
[ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
"-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss",
"-keyopt", "rsa_mgf1_md:sha384", "-out", "test.cms" ],
[ "-verify", "-in", "test.cms", "-inform", "PEM",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, DES, OAEP default parameters",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep" ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, DES, OAEP SHA256",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep",
"-keyopt", "rsa_oaep_md:sha256" ],
[ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, DES, ECDH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier",
[ "-encrypt", "-keyid", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem") ],
[ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec1.pem"), "-aes128", "-keyopt", "ecdh_kdf_md:sha256" ],
[ "-decrypt", "-recip", catfile($smdir, "smec1.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smec2.pem"), "-aes128",
"-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ],
[ "-decrypt", "-recip", catfile($smdir, "smec2.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
],
[ "enveloped content test streaming S/MIME format, X9.42 DH",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms",
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
[ "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
"-in", "test.cms", "-out", "smtst.txt" ]
]
);
subtest "CMS => PKCS#7 compatibility tests\n" => sub {
plan tests => scalar @smime_pkcs7_tests;
foreach (@smime_pkcs7_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "smime", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
};
subtest "CMS <= PKCS#7 compatibility tests\n" => sub {
plan tests => scalar @smime_pkcs7_tests;
foreach (@smime_pkcs7_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "smime", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
};
subtest "CMS <=> CMS consistency tests\n" => sub {
plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests);
foreach (@smime_pkcs7_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
foreach (@smime_cms_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
};
subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
plan tests =>
(scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests);
foreach (@smime_cms_param_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
SKIP: {
skip("Zlib not supported: compression tests skipped",
scalar @smime_cms_comp_tests)
if $no_zlib;
foreach (@smime_cms_comp_tests) {
SKIP: {
my $skip_reason = check_availability($$_[0]);
skip $skip_reason, 1 if $skip_reason;
ok(run(app(["openssl", "cms", @{$$_[1]}]))
&& run(app(["openssl", "cms", @{$$_[2]}]))
&& compare_text($smcont, "smtst.txt") == 0,
$$_[0]);
}
}
}
};
unlink "test.cms";
unlink "test2.cms";
unlink "smtst.txt";
sub check_availability {
my $tnam = shift;
return "$tnam: skipped, EC disabled\n"
if ($no_ec && $tnam =~ /ECDH/);
return "$tnam: skipped, ECDH disabled\n"
if ($no_ec && $tnam =~ /ECDH/);
return "$tnam: skipped, EC2M disabled\n"
if ($no_ec2m && $tnam =~ /K-283/);
return "$tnam: skipped, DH disabled\n"
if ($no_dh && $tnam =~ /X9\.42/);
return "$tnam: skipped, RC2 disabled\n"
if ($no_rc2 && $tnam =~ /RC2/);
return "$tnam: skipped, DES disabled\n"
if ($no_des && $tnam =~ /DES/);
return "$tnam: skipped, DSA disabled\n"
if ($no_dsa && $tnam =~ / DSA/);
return "";
}
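Review bot: In `check_availability`, the second `return` (`"$tnam: skipped, ECDH disabled\n"`) is unreachable: its condition `$no_ec && $tnam =~ /ECDH/` is identical to the one on the preceding `return`, so the "ECDH disabled" message can never be produced. Either drop one of the two branches or give them distinct conditions — if the first was meant to cover every EC test rather than only ECDH ones, something like `if ($no_ec && $tnam =~ /EC/);` — after checking the intended split against the names in `@smime_cms_param_tests`. Unrelated to behaviour, `$$_[0]` and `@{$$_[1]}` in the four subtests read more easily as `$_->[0]` and `@{$_->[1]}`.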

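--- a/test/recipes/80-test_ct.t
+++ b/test/recipes/80-test_ct.t
@@ -0,0 +1,17 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir/;
+use OpenSSL::Test::Simple;
+setup("test_ct");
+$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+$ENV{CT_DIR} = srctop_dir("test", "ct");
+$ENV{CERTS_DIR} = srctop_dir("test", "certs");
+simple_test("test_ct", "ct_test", "ct", "ec");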
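Review bot: This recipe lacks `use strict; use warnings;`, while 80-test_ca.t and 80-test_cms.t in the same commit carry them; the three `$ENV{...}` assignments are exactly where a misspelt variable or function name would otherwise go unnoticed. Adding the two pragmas after the license header keeps it consistent with the sibling recipes.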


@@ -0,0 +1,24 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
setup("test_dane");
plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build"
if disabled("ec");
plan tests => 1; # The number of tests being performed
ok(run(test(["danetest", "example.com",
srctop_file("test", "danetest.pem"),
srctop_file("test", "danetest.in")])), "dane tests");


@@ -0,0 +1,20 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_dtls");
plan skip_all => "No DTLS protocols are supported by this OpenSSL build"
if alldisabled(available_protocols("dtls"));
plan tests => 1;
ok(run(test(["dtlstest", srctop_file("apps", "server.pem"),
srctop_file("apps", "server.pem")])), "running dtlstest");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_dtlsv1listen", "dtlsv1listentest", "dh");

test/recipes/80-test_ocsp.t Normal file

@@ -0,0 +1,206 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
use OpenSSL::Test::Utils;
setup("test_ocsp");
plan skip_all => "OCSP is not supported by this OpenSSL build"
if disabled("ocsp");
my $ocspdir=srctop_dir("test", "ocsp-tests");
# 17 December 2012 so we don't get certificate expiry errors.
my @check_time=("-attime", "1355875200");
sub test_ocsp {
my $title = shift;
my $inputfile = shift;
my $CAfile = shift;
my $expected_exit = shift;
run(app(["openssl", "base64", "-d",
"-in", catfile($ocspdir,$inputfile),
"-out", "ocsp-resp-fff.dat"]));
with({ exit_checker => sub { return shift == $expected_exit; } },
sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",
"-partial_chain", @check_time,
"-CAfile", catfile($ocspdir, $CAfile),
"-verify_other", catfile($ocspdir, $CAfile),
"-no-CApath"])),
$title); });
unlink "ocsp-resp-fff.dat";
}
plan tests => 10;
subtest "=== VALID OCSP RESPONSES ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "ND1_Issuer_ICA.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "ND2_Issuer_Root.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "ND3_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "D1_Issuer_ICA.pem", 0);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "D2_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "D3_Issuer_Root.pem", 0);
};
subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"ISOP_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"ISOP_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"ISOP_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"WRID_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"WRID_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WRID_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WRID_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WRID_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"WINH_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"WINH_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WINH_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WINH_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WINH_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WIKH_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WIKH_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WIKH_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
plan tests => 3;
test_ocsp("DELEGATED; Intermediate CA -> EE",
"WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
plan tests => 3;
test_ocsp("DELEGATED; Intermediate CA -> EE",
"ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "WSNIC_D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "WSNIC_D3_Issuer_Root.pem", 1);
};
subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
plan tests => 6;
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "WKIC_D1_Issuer_ICA.pem", 1);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "WKIC_D2_Issuer_Root.pem", 1);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "WKIC_D3_Issuer_Root.pem", 1);
};
subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
plan tests => 6;
# Expect success, because we're explicitly trusting the issuer certificate.
test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
"ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
"ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0);
test_ocsp("NON-DELEGATED; Root CA -> EE",
"ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Intermediate CA -> EE",
"D1.ors", "ISIC_D1_Issuer_ICA.pem", 0);
test_ocsp("DELEGATED; Root CA -> Intermediate CA",
"D2.ors", "ISIC_D2_Issuer_Root.pem", 0);
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "ISIC_D3_Issuer_Root.pem", 0);
};
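Review bot: In `test_ocsp`, the result of the `openssl base64 -d` decode is discarded, so if the `.ors` input is missing or unreadable the following `openssl ocsp` run operates on an absent `ocsp-resp-fff.dat`, and for every case that expects exit 1 that still counts as a pass. Capture the decode result and fold it into the assertion: `my $decoded = run(app(["openssl", "base64", "-d", ...]));` before the `with(...)`, and `ok($decoded && run(app(["openssl", "ocsp", ...])), $title)` inside it; the `exit_checker` override still applies only to the inner `run`. `File::Copy`, `devnull` and `pipe` are imported but not used anywhere in the file.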


@@ -0,0 +1,66 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
use Encode;
setup("test_pkcs12");
plan skip_all => "The PKCS12 command line utility is not supported by this OpenSSL build"
if disabled("des");
my $pass = "σύνθημα γνώρισμα";
my $savedcp;
if (eval { require Win32::API; 1; }) {
# Trouble is that Win32 perl uses CreateProcessA, which
# makes it problematic to pass non-ASCII arguments, from perl[!]
# that is. This is because CreateProcessA is just a wrapper for
# CreateProcessW and will call MultiByteToWideChar and use
# system default locale. Since we attempt Greek pass-phrase
# conversion can be done only with Greek locale.
Win32::API->Import("kernel32","UINT GetSystemDefaultLCID()");
if (GetSystemDefaultLCID() != 0x408) {
plan skip_all => "Non-Greek system locale";
} else {
# Ensure correct code page so that VERBOSE output is right.
Win32::API->Import("kernel32","UINT GetConsoleOutputCP()");
Win32::API->Import("kernel32","BOOL SetConsoleOutputCP(UINT cp)");
$savedcp = GetConsoleOutputCP();
SetConsoleOutputCP(1253);
$pass = Encode::encode("cp1253",Encode::decode("utf-8",$pass));
}
} else {
# Running MinGW tests transparenly under Wine apparently requires
# UTF-8 locale...
foreach(`locale -a`) {
s/\R$//;
if ($_ =~ m/^C\.UTF\-?8/i) {
$ENV{LC_ALL} = $_;
last;
}
}
}
$ENV{OPENSSL_WIN32_UTF8}=1;
plan tests => 1;
# just see that we can read shibboleth.pfx protected with $pass
ok(run(app(["openssl", "pkcs12", "-noout",
"-password", "pass:$pass",
"-in", srctop_file("test", "shibboleth.pfx")])),
"test_pkcs12");
SetConsoleOutputCP($savedcp) if (defined($savedcp));
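Review bot: The console code page saved in $savedcp is restored only by the final statement, so if the ok() or anything before it dies, the code page 1253 set at `SetConsoleOutputCP(1253)` is left behind on the developer's console. Moving the restore into an END block, `END { SetConsoleOutputCP($savedcp) if defined $savedcp; }`, runs it on every exit path, including a die inside the test. The pass-phrase is handed to the child as `pass:$pass` on the command line, which is visible in process listings; that is acceptable for a fixed test fixture, but a one-line comment saying so would keep the pattern from being copied into non-test code.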


@@ -0,0 +1,131 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Basename;
use File::Compare qw/compare_text/;
use if $^O ne "VMS", 'File::Glob' => qw/glob/;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
setup("test_ssl_new");
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
my @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.conf.in"));
map { s/;.*// } @conf_srcs if $^O eq "VMS";
my @conf_files = map { basename($_) } @conf_srcs;
map { s/\.in// } @conf_files;
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 18; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2"));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my $no_tls = alldisabled(available_protocols("tls"));
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
my $no_ct = disabled("ct");
my $no_ec = disabled("ec");
my $no_ec2m = disabled("ec2m");
my $no_ocsp = disabled("ocsp");
# Add your test here if the test conf.in generates test cases and/or
# expectations dynamically based on the OpenSSL compile-time config.
my %conf_dependent_tests = (
"02-protocol-version.conf" => !$is_default_tls,
"04-client_auth.conf" => !$is_default_tls,
"07-dtls-protocol-version.conf" => !$is_default_dtls,
"10-resumption.conf" => !$is_default_tls,
"11-dtls_resumption.conf" => !$is_default_dtls,
);
# Add your test here if it should be skipped for some compile-time
# configurations. Default is $no_tls but some tests have different skip
# conditions.
my %skip = (
"07-dtls-protocol-version.conf" => $no_dtls,
"08-npn.conf" => $no_tls || $no_npn,
"10-resumption.conf" => disabled("tls1_1") || disabled("tls1_2"),
"11-dtls_resumption.conf" => disabled("dtls1") || disabled("dtls1_2"),
"12-ct.conf" => $no_tls || $no_ct || $no_ec,
# We could run some of these tests without TLS 1.2 if we had a per-test
# disable instruction but that's a bizarre configuration not worth
# special-casing for.
# We should review this once we have TLS 1.3.
"13-fragmentation.conf" => disabled("tls1_2"),
"14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m,
"15-certstatus.conf" => $no_tls || $no_ocsp,
"16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
"18-dtls-renegotiate.conf" => $no_dtls,
);
foreach my $conf (@conf_files) {
subtest "Test configuration $conf" => sub {
test_conf($conf,
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
defined($skip{$conf}) ? $skip{$conf} : $no_tls);
}
}
sub test_conf {
plan tests => 3;
my ($conf, $check_source, $skip) = @_;
my $conf_file = srctop_file("test", "ssl-tests", $conf);
my $tmp_file = "${conf}.$$.tmp";
my $run_test = 1;
SKIP: {
# "Test" 1. Generate the source.
my $input_file = $conf_file . ".in";
skip 'failure', 2 unless
ok(run(perltest(["generate_ssl_tests.pl", $input_file],
interpreter_args => [ "-I", srctop_dir("test", "testlib")],
stdout => $tmp_file)),
"Getting output from generate_ssl_tests.pl.");
SKIP: {
# Test 2. Compare against existing output in test/ssl_tests.conf.
skip "Skipping generated source test for $conf", 1
if !$check_source;
$run_test = is(cmp_text($tmp_file, $conf_file), 0,
"Comparing generated sources.");
}
# Test 3. Run the test.
skip "No tests available; skipping tests", 1 if $skip;
skip "Stale sources; skipping tests", 1 if !$run_test;
ok(run(test(["ssl_test", $tmp_file])), "running ssl_test $conf");
}
unlink glob $tmp_file;
}
sub cmp_text {
return compare_text(@_, sub {
$_[0] =~ s/\R//g;
$_[1] =~ s/\R//g;
return $_[0] ne $_[1];
});
}
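Review bot: The `$check_source` argument built at `$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1` depends on `||` binding tighter than `?:`; the result is what is wanted (0 when the conf is config-dependent or on VMS) but it reads as conf-dependent OR (VMS ? 0 : 1). Writing `($conf_dependent_tests{$conf} || $^O eq "VMS") ? 0 : 1` makes the intent explicit. The two `map { s/...// } ...` statements mutate their lists as a side effect in void context; `s/\.in\z// for @conf_files;` says what is happening, and anchoring with `\z` avoids stripping a `.in` that occurs in the middle of a name rather than as the suffix.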


@@ -0,0 +1,625 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use POSIX;
use File::Basename;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with bldtop_file srctop_file cmdstr/;
use OpenSSL::Test::Utils;
setup("test_ssl");
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
$no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
$no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
anydisabled qw/rsa dsa dh ec srp psk
ssl3 tls1 tls1_1 tls1_2
dtls dtls1 dtls1_2 ct/;
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build"
if $no_anytls && $no_anydtls;
my $digest = "-sha1";
my @reqcmd = ("openssl", "req");
my @x509cmd = ("openssl", "x509", $digest);
my @verifycmd = ("openssl", "verify");
my @gendsacmd = ("openssl", "gendsa");
my $dummycnf = srctop_file("apps", "openssl.cnf");
my $CAkey = "keyCA.ss";
my $CAcert="certCA.ss";
my $CAserial="certCA.srl";
my $CAreq="reqCA.ss";
my $CAconf=srctop_file("test","CAss.cnf");
my $CAreq2="req2CA.ss"; # temp
my $Uconf=srctop_file("test","Uss.cnf");
my $Ukey="keyU.ss";
my $Ureq="reqU.ss";
my $Ucert="certU.ss";
my $Dkey="keyD.ss";
my $Dreq="reqD.ss";
my $Dcert="certD.ss";
my $Ekey="keyE.ss";
my $Ereq="reqE.ss";
my $Ecert="certE.ss";
my $P1conf=srctop_file("test","P1ss.cnf");
my $P1key="keyP1.ss";
my $P1req="reqP1.ss";
my $P1cert="certP1.ss";
my $P1intermediate="tmp_intP1.ss";
my $P2conf=srctop_file("test","P2ss.cnf");
my $P2key="keyP2.ss";
my $P2req="reqP2.ss";
my $P2cert="certP2.ss";
my $P2intermediate="tmp_intP2.ss";
my $server_sess="server.ss";
my $client_sess="client.ss";
# ssltest_old.c is deprecated in favour of the new framework in ssl_test.c
# If you're adding tests here, you probably want to convert them to the
# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
plan tests =>
1 # For testss
+6 # For the first testssl
;
subtest 'test_ss' => sub {
if (testss()) {
open OUT, ">", "intP1.ss";
copy($CAcert, \*OUT); copy($Ucert, \*OUT);
close OUT;
open OUT, ">", "intP2.ss";
copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT);
close OUT;
}
};
note('test_ssl -- key U');
testssl("keyU.ss", $Ucert, $CAcert);
# -----------
# subtest functions
sub testss {
open RND, ">>", ".rnd";
print RND "string to make the random number generator think it has entropy";
close RND;
my @req_dsa = ("-newkey",
"dsa:".srctop_file("apps", "dsa1024.pem"));
my $dsaparams = srctop_file("apps", "dsa1024.pem");
my @req_new;
if ($no_rsa) {
@req_new = @req_dsa;
} else {
@req_new = ("-new");
}
plan tests => 17;
SKIP: {
skip 'failure', 16 unless
ok(run(app([@reqcmd, "-config", $CAconf,
"-out", $CAreq, "-keyout", $CAkey,
@req_new])),
'make cert request');
skip 'failure', 15 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
"-req", "-out", $CAcert, "-signkey", $CAkey,
"-extfile", $CAconf, "-extensions", "v3_ca"],
stdout => "err.ss")),
'convert request into self-signed cert');
skip 'failure', 14 unless
ok(run(app([@x509cmd, "-in", $CAcert,
"-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
stdout => "err.ss")),
'convert cert into a cert request');
skip 'failure', 13 unless
ok(run(app([@reqcmd, "-config", $dummycnf,
"-verify", "-in", $CAreq, "-noout"])),
'verify request 1');
skip 'failure', 12 unless
ok(run(app([@reqcmd, "-config", $dummycnf,
"-verify", "-in", $CAreq2, "-noout"])),
'verify request 2');
skip 'failure', 11 unless
ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
'verify signature');
skip 'failure', 10 unless
ok(run(app([@reqcmd, "-config", $Uconf,
"-out", $Ureq, "-keyout", $Ukey, @req_new],
stdout => "err.ss")),
'make a user cert request');
skip 'failure', 9 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
"-req", "-out", $Ucert,
"-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
"-extfile", $Uconf, "-extensions", "v3_ee"],
stdout => "err.ss"))
&& run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
'sign user cert request');
skip 'failure', 8 unless
ok(run(app([@x509cmd,
"-subject", "-issuer", "-startdate", "-enddate",
"-noout", "-in", $Ucert])),
'Certificate details');
skip 'failure', 7 unless
subtest 'DSA certificate creation' => sub {
plan skip_all => "skipping DSA certificate creation"
if $no_dsa;
plan tests => 5;
SKIP: {
$ENV{CN2} = "DSA Certificate";
skip 'failure', 4 unless
ok(run(app([@gendsacmd, "-out", $Dkey,
$dsaparams],
stdout => "err.ss")),
"make a DSA key");
skip 'failure', 3 unless
ok(run(app([@reqcmd, "-new", "-config", $Uconf,
"-out", $Dreq, "-key", $Dkey],
stdout => "err.ss")),
"make a DSA user cert request");
skip 'failure', 2 unless
ok(run(app([@x509cmd, "-CAcreateserial",
"-in", $Dreq,
"-days", "30",
"-req",
"-out", $Dcert,
"-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial,
"-extfile", $Uconf,
"-extensions", "v3_ee_dsa"],
stdout => "err.ss")),
"sign DSA user cert request");
skip 'failure', 1 unless
ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])),
"verify DSA user cert");
skip 'failure', 0 unless
ok(run(app([@x509cmd,
"-subject", "-issuer",
"-startdate", "-enddate", "-noout",
"-in", $Dcert])),
"DSA Certificate details");
}
};
skip 'failure', 6 unless
subtest 'ECDSA/ECDH certificate creation' => sub {
plan skip_all => "skipping ECDSA/ECDH certificate creation"
if $no_ec;
plan tests => 5;
SKIP: {
$ENV{CN2} = "ECDSA Certificate";
skip 'failure', 4 unless
ok(run(app(["openssl", "ecparam", "-name", "P-256",
"-out", "ecp.ss"])),
"make EC parameters");
skip 'failure', 3 unless
ok(run(app([@reqcmd, "-config", $Uconf,
"-out", $Ereq, "-keyout", $Ekey,
"-newkey", "ec:ecp.ss"],
stdout => "err.ss")),
"make a ECDSA/ECDH user cert request");
skip 'failure', 2 unless
ok(run(app([@x509cmd, "-CAcreateserial",
"-in", $Ereq,
"-days", "30",
"-req",
"-out", $Ecert,
"-CA", $CAcert, "-CAkey", $CAkey,
"-CAserial", $CAserial,
"-extfile", $Uconf,
"-extensions", "v3_ee_ec"],
stdout => "err.ss")),
"sign ECDSA/ECDH user cert request");
skip 'failure', 1 unless
ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])),
"verify ECDSA/ECDH user cert");
skip 'failure', 0 unless
ok(run(app([@x509cmd,
"-subject", "-issuer",
"-startdate", "-enddate", "-noout",
"-in", $Ecert])),
"ECDSA Certificate details");
}
};
skip 'failure', 5 unless
ok(run(app([@reqcmd, "-config", $P1conf,
"-out", $P1req, "-keyout", $P1key, @req_new],
stdout => "err.ss")),
'make a proxy cert request');
skip 'failure', 4 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
"-req", "-out", $P1cert,
"-CA", $Ucert, "-CAkey", $Ukey,
"-extfile", $P1conf, "-extensions", "v3_proxy"],
stdout => "err.ss")),
'sign proxy with user cert');
copy($Ucert, $P1intermediate);
run(app([@verifycmd, "-CAfile", $CAcert,
"-untrusted", $P1intermediate, $P1cert]));
ok(run(app([@x509cmd,
"-subject", "-issuer", "-startdate", "-enddate",
"-noout", "-in", $P1cert])),
'Certificate details');
skip 'failure', 2 unless
ok(run(app([@reqcmd, "-config", $P2conf,
"-out", $P2req, "-keyout", $P2key,
@req_new],
stdout => "err.ss")),
'make another proxy cert request');
skip 'failure', 1 unless
ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
"-req", "-out", $P2cert,
"-CA", $P1cert, "-CAkey", $P1key,
"-extfile", $P2conf, "-extensions", "v3_proxy"],
stdout => "err.ss")),
'sign second proxy cert request with the first proxy cert');
open OUT, ">", $P2intermediate;
copy($Ucert, \*OUT); copy($P1cert, \*OUT);
close OUT;
run(app([@verifycmd, "-CAfile", $CAcert,
"-untrusted", $P2intermediate, $P2cert]));
ok(run(app([@x509cmd,
"-subject", "-issuer", "-startdate", "-enddate",
"-noout", "-in", $P2cert])),
'Certificate details');
}
}
sub testssl {
my ($key, $cert, $CAtmp) = @_;
my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
my @ssltest = ("ssltest_old",
"-s_key", $key, "-s_cert", $cert,
"-c_key", $key, "-c_cert", $cert);
my $serverinfo = srctop_file("test","serverinfo.pem");
my $dsa_cert = 0;
if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
"-text", "-noout"]), capture => 1)) {
$dsa_cert = 1;
}
# plan tests => 11;
subtest 'standard SSL tests' => sub {
######################################################################
plan tests => 21;
SKIP: {
skip "SSLv3 is not supported by this OpenSSL build", 4
if disabled("ssl3");
ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
'test sslv3 via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
'test sslv3 with server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
'test sslv3 with client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
'test sslv3 with both server and client authentication via BIO pair');
}
SKIP: {
skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
if $no_anytls;
ok(run(test([@ssltest, "-bio_pair"])),
'test sslv2/sslv3 via BIO pair');
}
SKIP: {
skip "DTLSv1 is not supported by this OpenSSL build", 4
if disabled("dtls1");
ok(run(test([@ssltest, "-dtls1"])),
'test dtlsv1');
ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
'test dtlsv1 with server authentication');
ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
'test dtlsv1 with client authentication');
ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
'test dtlsv1 with both server and client authentication');
}
SKIP: {
skip "DTLSv1.2 is not supported by this OpenSSL build", 4
if disabled("dtls1_2");
ok(run(test([@ssltest, "-dtls12"])),
'test dtlsv1.2');
ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
'test dtlsv1.2 with server authentication');
ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
'test dtlsv1.2 with client authentication');
ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
'test dtlsv1.2 with both server and client authentication');
}
SKIP: {
skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
if $no_anytls;
SKIP: {
skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
}
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
'test sslv2/sslv3 with server authentication');
ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
'test sslv2/sslv3 with client authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
SKIP: {
skip "No IPv4 available on this machine", 1
unless !disabled("sock") && have_IPv4();
ok(run(test([@ssltest, "-ipv4"])),
'test TLS via IPv4');
}
SKIP: {
skip "No IPv6 available on this machine", 1
unless !disabled("sock") && have_IPv6();
ok(run(test([@ssltest, "-ipv6"])),
'test TLS via IPv6');
}
}
};
subtest "Testing ciphersuites" => sub {
my @exkeys = ();
my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe";
if ($no_dh) {
note "skipping DHE tests\n";
$ciphers .= ":-kDHE";
}
if ($no_dsa) {
note "skipping DSA tests\n";
$ciphers .= ":-aDSA";
} else {
push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
}
if ($no_ec) {
note "skipping EC tests\n";
$ciphers .= ":!aECDSA:!kECDH";
} else {
push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
}
my @protocols = ();
# FIXME: I feel unsure about the following line, is that really just TLSv1.2, or is it all of the SSLv3/TLS protocols?
push(@protocols, "TLSv1.2") unless $no_tls1_2;
push(@protocols, "SSLv3") unless $no_ssl3;
my $protocolciphersuitcount = 0;
my %ciphersuites =
map { my @c =
map { split(/:/, $_) }
run(app(["openssl", "ciphers", "${_}:$ciphers"]),
capture => 1);
map { s/\R//; } @c; # chomp @c;
$protocolciphersuitcount += scalar @c;
$_ => [ @c ] } @protocols;
plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
if $protocolciphersuitcount + scalar(@protocols) == 0;
# The count of protocols is because in addition to the ciphersuits
# we got above, we're running a weak DH test for each protocol
plan tests => $protocolciphersuitcount + scalar(@protocols);
foreach my $protocol (@protocols) {
note "Testing ciphersuites for $protocol";
foreach my $cipher (@{$ciphersuites{$protocol}}) {
if ($protocol eq "SSLv3" && $cipher =~ /ECDH/ ) {
note "*****SKIPPING $protocol $cipher";
ok(1);
} else {
ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
$protocol eq "SSLv3" ? ("-ssl3") : ()])),
"Testing $cipher");
}
}
is(run(test([@ssltest,
"-s_cipher", "EDH",
"-c_cipher", 'EDH:@SECLEVEL=1',
"-dhe512",
$protocol eq "SSLv3" ? ("-ssl3") : ()])), 0,
"testing connection with weak DH, expecting failure");
}
};
subtest 'RSA/(EC)DHE/PSK tests' => sub {
######################################################################
plan tests => 5;
SKIP: {
skip "TLSv1.0 is not supported by this OpenSSL build", 5
if $no_tls1;
SKIP: {
skip "skipping anonymous DH tests", 1
if ($no_dh);
ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
}
SKIP: {
skip "skipping RSA tests", 2
if $no_rsa;
ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
skip "skipping RSA+DHE tests", 1
if $no_dh;
ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
}
SKIP: {
skip "skipping PSK tests", 2
if ($no_psk);
ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
'test tls1 with PSK');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
'test tls1 with PSK via BIO pair');
}
}
};
subtest 'Custom Extension tests' => sub {
######################################################################
plan tests => 1;
SKIP: {
skip "TLSv1.0 is not supported by this OpenSSL build", 1
if $no_tls1;
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
'test tls1 with custom extensions');
}
};
subtest 'Serverinfo tests' => sub {
######################################################################
plan tests => 5;
SKIP: {
skip "TLSv1.0 is not supported by this OpenSSL build", 5
if $no_tls1;
note('echo test tls1 with serverinfo');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
}
};
subtest 'SRP tests' => sub {
plan tests => 4;
SKIP: {
skip "skipping SRP tests", 4
if $no_srp || alldisabled(grep !/^ssl3/, available_protocols("tls"));
ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP via BIO pair');
ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP auth');
ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
'test tls1 with SRP auth via BIO pair');
}
};
}
unlink $CAkey;
unlink $CAcert;
unlink $CAserial;
unlink $CAreq;
unlink $CAreq2;
unlink $Ukey;
unlink $Ureq;
unlink $Ucert;
unlink basename($Ucert, '.ss').'.srl';
unlink $Dkey;
unlink $Dreq;
unlink $Dcert;
unlink $Ekey;
unlink $Ereq;
unlink $Ecert;
unlink $P1key;
unlink $P1req;
unlink $P1cert;
unlink basename($P1cert, '.ss').'.srl';
unlink $P1intermediate;
unlink "intP1.ss";
unlink $P2key;
unlink $P2req;
unlink $P2cert;
unlink $P2intermediate;
unlink "intP2.ss";
unlink "ecp.ss";
unlink "err.ss";
unlink $server_sess;
unlink $client_sess;
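Review bot: The two chain checks in testss(), `run(app([@verifycmd, "-CAfile", $CAcert, "-untrusted", $P1intermediate, $P1cert]))` and the matching `$P2intermediate, $P2cert` call, discard their result, so a failure to verify either proxy certificate chain is never reported even though every other step in that SKIP block is an ok(). Wrapping each in `ok(..., 'verify proxy cert chain')` and raising `plan tests => 17` to 19 (plus the `skip 'failure', N` counts that precede each new assertion) turns them into real checks. Separately, `open RND, ">>", ".rnd"` and the `open OUT, ">", "intP1.ss"` style calls use bareword handles and are unchecked; a lexical handle with `or die "open: $!"` makes a fixture-write failure surface where it happens instead of as a confusing later verify error.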


@@ -0,0 +1,19 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_ssl_test_ctx");
plan tests => 1;
ok(run(test(["ssl_test_ctx_test", srctop_file("test", "ssl_test_ctx_test.conf")])),
"running ssl_test_ctx_test ssl_test_ctx_test.conf");


@@ -0,0 +1,20 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_sslcorrupt");
plan skip_all => "No TLS protocols are supported by this OpenSSL build"
if alldisabled(available_protocols("tls"));
plan tests => 1;
ok(run(test(["sslcorrupttest", srctop_file("apps", "server.pem"),
srctop_file("apps", "server.pem")])), "running sslcorrupttest");
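Review bot: This recipe omits `use strict;` and `use warnings;`, while the test_ssl_test_ctx and test_x509aux recipes in the same commit begin with them; add `use strict;` and `use warnings;` ahead of `use OpenSSL::Test::Utils;` for consistency. The same server.pem is passed twice to sslcorrupttest; if the two arguments are a certificate and a key, a one-line comment noting that the file is presumably expected to hold both would save the next reader a trip to the C source.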

203
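--- a/test/recipes/80-test_tsa.t
+++ b/test/recipes/80-test_tsa.t
@@ -0,0 +1,203 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use POSIX;
+use File::Spec::Functions qw/splitdir curdir catfile/;
+use File::Compare;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test::Utils;
+setup("test_tsa");
+plan skip_all => "TS is not supported by this OpenSSL build"
+if disabled("ts");
+# All these are modified inside indir further down. They need to exist
+# here, however, to be available in all subroutines.
+my $testtsa;
+my $CAtsa;
+my @RUN = ("openssl", "ts");
+sub create_tsa_cert {
+my $INDEX = shift;
+my $EXT = shift;
+my $r = 1;
+$ENV{TSDNSECT} = "ts_cert_dn";
+ok(run(app(["openssl", "req", "-new",
+"-out", "tsa_req${INDEX}.pem",
+"-keyout", "tsa_key${INDEX}.pem"])));
+note "using extension $EXT";
+ok(run(app(["openssl", "x509", "-req",
+"-in", "tsa_req${INDEX}.pem",
+"-out", "tsa_cert${INDEX}.pem",
+"-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
+"-CAcreateserial",
+"-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT])));
+}
+sub create_time_stamp_response {
+my $queryfile = shift;
+my $outputfile = shift;
+my $datafile = shift;
+ok(run(app([@RUN, "-reply", "-section", "$datafile",
+"-queryfile", "$queryfile", "-out", "$outputfile"])));
+}
+sub verify_time_stamp_response {
+my $queryfile = shift;
+my $inputfile = shift;
+my $datafile = shift;
+ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+"-in", "$inputfile", "-CAfile", "tsaca.pem",
+"-untrusted", "tsa_cert1.pem"])));
+ok(run(app([@RUN, "-verify", "-data", "$datafile",
+"-in", "$inputfile", "-CAfile", "tsaca.pem",
+"-untrusted", "tsa_cert1.pem"])));
+}
+sub verify_time_stamp_response_fail {
+my $queryfile = shift;
+my $inputfile = shift;
+ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+"-in", "$inputfile", "-CAfile", "tsaca.pem",
+"-untrusted", "tsa_cert1.pem"])));
+}
+# main functions
+plan tests => 20;
+note "setting up TSA test directory";
+indir "tsa" => sub
+{
+$ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf");
+# Because that's what ../apps/CA.pl really looks at
+$ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF};
+$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
+$testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
+$CAtsa = srctop_file("test", "CAtsa.cnf");
+SKIP: {
+$ENV{TSDNSECT} = "ts_ca_dn";
+skip "failed", 19
+unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes",
+"-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
+'creating a new CA for the TSA tests');
+skip "failed", 18
+unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
+create_tsa_cert("1", "tsa_cert")
+};
+skip "failed", 17
+unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
+create_tsa_cert("2", "non_tsa_cert")
+};
+skip "failed", 16
+unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+"-tspolicy", "tsa_policy1", "-cert",
+"-out", "req1.tsq"])),
+'creating req1.req time stamp request for file testtsa');
+ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
+'printing req1.req');
+subtest 'generating valid response for req1.req' => sub {
+create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
+};
+ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
+'printing response');
+subtest 'verifying valid response' => sub {
+verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
+};
+skip "failed", 11
+unless subtest 'verifying valid token' => sub {
+ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
+"-out", "resp1.tsr.token", "-token_out"])));
+ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
+"-in", "resp1.tsr.token", "-token_in",
+"-CAfile", "tsaca.pem",
+"-untrusted", "tsa_cert1.pem"])));
+ok(run(app([@RUN, "-verify", "-data", $testtsa,
+"-in", "resp1.tsr.token", "-token_in",
+"-CAfile", "tsaca.pem",
+"-untrusted", "tsa_cert1.pem"])));
+};
+skip "failed", 10
+unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+"-tspolicy", "tsa_policy2", "-no_nonce",
+"-out", "req2.tsq"])),
+'creating req2.req time stamp request for file testtsa');
+ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
+'printing req2.req');
+skip "failed", 8
+unless subtest 'generating valid response for req2.req' => sub {
+create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
+};
+skip "failed", 7
+unless subtest 'checking -token_in and -token_out options with -reply' => sub {
+my $RESPONSE2="resp2.tsr.copy.tsr";
+my $TOKEN_DER="resp2.tsr.token.der";
+ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+"-out", "$TOKEN_DER", "-token_out"])));
+ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+"-token_in", "-out", "$RESPONSE2"])));
+is(compare($RESPONSE2, "resp2.tsr"), 0);
+ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+"-text", "-token_out"])));
+ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+"-token_in", "-text", "-token_out"])));
+ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
+"-text", "-token_out"])));
+};
+ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
+'printing response');
+subtest 'verifying valid response' => sub {
+verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
+};
+subtest 'verifying response against wrong request, it should fail' => sub {
+verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
+};
+subtest 'verifying response against wrong request, it should fail' => sub {
+verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
+};
+skip "failure", 2
+unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
+"-no_nonce", "-out", "req3.tsq"])),
+"creating req3.req time stamp request for file CAtsa.cnf");
+ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
+'printing req3.req');
+subtest 'verifying response against wrong request, it should fail' => sub {
+verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
+};
+}
+}, create => 1, cleanup => 1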
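Review bot: The negative checks in verify_time_stamp_response_fail assert only `ok(!run(app([@RUN, "-verify", ...])))`, so they also pass when `openssl ts -verify` fails for an unrelated reason (a missing tsaca.pem, a bad option), which would mask a regression in the request/response mismatch detection itself; if the harness can capture stderr, matching the expected verification error would pin the reason for the failure. `my $r = 1;` in create_tsa_cert is never read and can be dropped. The `openssl req -new` there passes no `-nodes`, unlike the CA creation further down, so it presumably relies on the config named by OPENSSL_CONF to disable key encryption — a comment such as `# key encryption is turned off by CAtsa.cnf` would make that dependency visible, assuming that is indeed what the config does.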


@@ -0,0 +1,27 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
setup("test_x509aux");
plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build"
if disabled("ec");
plan tests => 1; # The number of tests being performed
ok(run(test(["x509aux",
srctop_file("test", "certs", "roots.pem"),
srctop_file("test", "certs", "root+anyEKU.pem"),
srctop_file("test", "certs", "root-anyEKU.pem"),
srctop_file("test", "certs", "root-cert.pem")]
)), "x509aux tests");
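Review bot: The skip reason at `plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build"` names the wrong test; this recipe sets up test_x509aux, so the line should read `plan skip_all => "test_x509aux uses ec which is not supported by this OpenSSL build"`. A misattributed skip message sends whoever reads the test log to the wrong recipe.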


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_async", "asynctest", "async");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_bio_enc", "bio_enc_test", "bio_enc");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_bioprint", "bioprinttest");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_constant_time", "constant_time_test");

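--- a/test/recipes/90-test_fuzz.t
+++ b/test/recipes/90-test_fuzz.t
@@ -0,0 +1,40 @@
+#!/usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use if $^O ne "VMS", 'File::Glob' => qw/glob/;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+setup("test_fuzz");
+my @fuzzers = ('asn1', 'asn1parse', 'bignum', 'bndiv', 'conf', 'crl', 'server', 'x509');
+if (!disabled("cms")) {
+push @fuzzers, 'cms';
+}
+if (!disabled("ct")) {
+push @fuzzers, 'ct';
+}
+plan tests => scalar @fuzzers;
+foreach my $f (@fuzzers) {
+subtest "Fuzzing $f" => sub {
+my @files = glob(srctop_file('fuzz', 'corpora', $f, '*'));
+push @files, glob(srctop_file('fuzz', 'corpora', "$f-*", '*'));
+plan skip_all => "No corpora for $f-test" unless @files;
+plan tests => scalar @files;
+foreach (@files) {
+ok(run(fuzz(["$f-test", $_])));
+}
+}
+}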
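Review bot: The `ok(run(fuzz(["$f-test", $_])))` call in the inner loop carries no test description, so a failing corpus entry is reported only by its ordinal inside the subtest and the corpus file that triggered it has to be recovered from verbose output; naming the loop variable and the assertion fixes that: `foreach my $corpus (@files) {` and `ok(run(fuzz(["$f-test", $corpus])), "fuzzing $f with $corpus");`. Naming the variable also avoids relying on `$_` surviving the `run(fuzz(...))` call. As a smaller point, the `glob` imported from File::Glob is the csh-style one, which I believe splits the pattern on whitespace; if a source tree path can contain spaces, `bsd_glob` from the same module would be the safer choice, though that is not an issue for the usual layout.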

@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_gmdiff", "gmdifftest");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_heartbeat", "heartbeat_test", "heartbeats");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_ige", "igetest");


@@ -0,0 +1,15 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test;
setup("test_memleak");
plan tests => 2;
ok(run(test(["memleaktest"])), "running leak test");
ok(run(test(["memleaktest", "freeit"])), "running no leak test");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_p5_crpt2", "p5_crpt2_test");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_secmem", "secmemtest");


@@ -0,0 +1,36 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
use OpenSSL::Test::Utils;
#Load configdata.pm
BEGIN {
setup("test_shlibload");
}
use lib bldtop_dir('.');
use configdata;
plan skip_all => "Test only supported in a shared build" if disabled("shared");
plan tests => 3;
my $libcrypto =
$unified_info{sharednames}->{libcrypto}.$target{shared_extension_simple};
my $libssl =
$unified_info{sharednames}->{libssl}.$target{shared_extension_simple};
ok(run(test(["shlibloadtest", "-crypto_first", $libcrypto, $libssl])),
"running shlibloadtest -crypto_first");
ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl])),
"running shlibloadtest -ssl_first");
ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])),
"running shlibloadtest -just_crypto");


@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_srp", "srptest", "srp");


@@ -0,0 +1,21 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_sslapi");
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
plan tests => 1;
ok(run(test(["sslapitest", srctop_file("apps", "server.pem"),
srctop_file("apps", "server.pem")])), "running sslapitest");

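--- a/test/recipes/90-test_threads.t
+++ b/test/recipes/90-test_threads.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use OpenSSL::Test::Simple;
+simple_test("test_threads", "threadstest");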

@@ -0,0 +1,12 @@
#! /usr/bin/env perl
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Simple;
simple_test("test_v3name", "v3nametest");

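--- a/test/recipes/bc.pl
+++ b/test/recipes/bc.pl
@@ -0,0 +1,113 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use Math::BigInt;
+sub calc {
+@_ = __adder(@_);
+if (scalar @_ != 1) { return "NaN"; }
+return shift;
+}
+sub __canonhex {
+my ($sign, $hex) = (shift =~ /^([+\-]?)(.*)$/);
+$hex = "0x".$hex if $hex !~ /^0x/;
+return $sign.$hex;
+}
+sub __adder {
+@_ = __multiplier(@_);
+while (scalar @_ > 1 && $_[1] =~ /^[\+\-]$/) {
+my $operand1 = Math::BigInt->from_hex(__canonhex(shift));
+my $operator = shift;
+@_ = __multiplier(@_);
+my $operand2 = Math::BigInt->from_hex(__canonhex(shift));
+if ($operator eq "+") {
+$operand1->badd($operand2);
+} elsif ($operator eq "-") {
+$operand1->bsub($operand2);
+} else {
+die "SOMETHING WENT AWFULLY WRONG";
+}
+unshift @_, $operand1->as_hex();
+}
+return @_;
+}
+sub __multiplier {
+@_ = __power(@_);
+while (scalar @_ > 1 && $_[1] =~ /^[\*\/%]$/) {
+my $operand1 = Math::BigInt->from_hex(__canonhex(shift));
+my $operator = shift;
+@_ = __power(@_);
+my $operand2 = Math::BigInt->from_hex(__canonhex(shift));
+if ($operator eq "*") {
+$operand1->bmul($operand2);
+} elsif ($operator eq "/") {
+# Math::BigInt->bdiv() is documented to do floored division,
+# i.e. 1 / -4 = -1, while bc and OpenSSL BN_div do truncated
+# division, i.e. 1 / -4 = 0. We need to make the operation
+# work like OpenSSL's BN_div to be able to verify.
+my $neg = ($operand1->is_neg()
+? !$operand2->is_neg() : $operand2->is_neg());
+$operand1->babs();
+$operand2->babs();
+$operand1->bdiv($operand2);
+if ($neg) { $operand1->bneg(); }
+} elsif ($operator eq "%") {
+# Here's a bit of a quirk...
+# With OpenSSL's BN, as well as bc, the result of -10 % 3 is -1
+# while Math::BigInt, the result is 2.
+# The latter is mathematically more correct, but...
+my $o1isneg = $operand1->is_neg();
+$operand1->babs();
+# Math::BigInt does something different with a negative modulus,
+# while OpenSSL's BN and bc treat it like a positive number...
+$operand2->babs();
+$operand1->bmod($operand2);
+if ($o1isneg) { $operand1->bneg(); }
+} else {
+die "SOMETHING WENT AWFULLY WRONG";
+}
+unshift @_, $operand1->as_hex();
+}
+return @_;
+}
+sub __power {
+@_ = __paren(@_);
+while (scalar @_ > 1 && $_[1] eq "^") {
+my $operand1 = Math::BigInt->from_hex(__canonhex(shift));
+shift;
+@_ = __paren(@_);
+my $operand2 = Math::BigInt->from_hex(__canonhex(shift));
+$operand1->bpow($operand2);
+unshift @_, $operand1->as_hex();
+}
+return @_;
+}
+# returns array ( $result, @remaining )
+sub __paren {
+if (scalar @_ > 0 && $_[0] eq "(") {
+shift;
+my @result = __adder(@_);
+if (scalar @_ == 0 || $_[0] ne ")") {
+return ("NaN");
+}
+shift;
+return @result;
+}
+return @_;
+}
+1;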
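Review bot: `__paren` checks for the closing parenthesis in its own `@_` after calling `__adder(@_)`, but the `@_ = ...` reassignments inside `__adder` only replace the callee's argument array, so at that point `$_[0]` is still the first token after `(` rather than the token following the sub-expression; as written, any non-empty parenthesised group such as `( 2 )` appears to yield `"NaN"` from `calc`, and the trailing `shift` drops a token of the wrong list. Unless I am misreading Perl's `@_` aliasing here, the closing-paren check and the shift should operate on the remainder that `__adder` returns, which is what the comment above the sub already documents as `( $result, @remaining )`. The rewrite below keeps the interface and the `"NaN"` result for an unbalanced group.
```perl
sub __paren {
    if (scalar @_ > 0 && $_[0] eq "(") {
        shift;
        # __adder returns ( $result, @remaining ); its own @_ reassignments
        # never reach this sub's @_, so the ")" must be looked for in @remaining.
        my ($value, @remaining) = __adder(@_);
        if (scalar @remaining == 0 || $remaining[0] ne ")") {
            return ("NaN");
        }
        shift @remaining;
        return ($value, @remaining);
    }
    return @_;
}
```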
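--- a/test/recipes/tconversion.pl
+++ b/test/recipes/tconversion.pl
@@ -0,0 +1,106 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+use strict;
+use warnings;
+use File::Compare qw/compare_text/;
+use File::Copy;
+use lib 'testlib';
+use OpenSSL::Test qw/:DEFAULT/;
+my %conversionforms = (
+# Default conversion forms. Other series may be added with
+# specific test types as key.
+"*" => [ "d", "p" ],
+"msb" => [ "d", "p", "msblob" ],
+);
+sub tconversion {
+my $testtype = shift;
+my $t = shift;
+my @conversionforms =
+defined($conversionforms{$testtype}) ?
+@{$conversionforms{$testtype}} :
+@{$conversionforms{"*"}};
+my @openssl_args = @_;
+if (!@openssl_args) { @openssl_args = ($testtype); }
+my $n = scalar @conversionforms;
+my $totaltests =
+1 # for initializing
++ $n # initial conversions from p to all forms (A)
++ $n*$n # conversion from result of A to all forms (B)
++ 1 # comparing original test file to p form of A
++ $n*($n-1); # comparing first conversion to each fom in A with B
+$totaltests-- if ($testtype eq "p7d"); # no comparison of original test file
+plan tests => $totaltests;
+my @cmd = ("openssl", @openssl_args);
+my $init;
+if (scalar @openssl_args > 0 && $openssl_args[0] eq "pkey") {
+$init = ok(run(app([@cmd, "-in", $t, "-out", "$testtype-fff.p"])),
+'initializing');
+} else {
+$init = ok(copy($t, "$testtype-fff.p"), 'initializing');
+}
+if (!$init) {
+diag("Trying to copy $t to $testtype-fff.p : $!");
+}
+SKIP: {
+skip "Not initialized, skipping...", 22 unless $init;
+foreach my $to (@conversionforms) {
+ok(run(app([@cmd,
+"-in", "$testtype-fff.p",
+"-inform", "p",
+"-out", "$testtype-f.$to",
+"-outform", $to])),
+"p -> $to");
+}
+foreach my $to (@conversionforms) {
+foreach my $from (@conversionforms) {
+ok(run(app([@cmd,
+"-in", "$testtype-f.$from",
+"-inform", $from,
+"-out", "$testtype-ff.$from$to",
+"-outform", $to])),
+"$from -> $to");
+}
+}
+if ($testtype ne "p7d") {
+is(cmp_text("$testtype-fff.p", "$testtype-f.p"), 0,
+'comparing orig to p');
+}
+foreach my $to (@conversionforms) {
+next if $to eq "d";
+foreach my $from (@conversionforms) {
+is(cmp_text("$testtype-f.$to", "$testtype-ff.$from$to"), 0,
+"comparing $to to $from$to");
+}
+}
+}
+unlink glob "$testtype-f.*";
+unlink glob "$testtype-ff.*";
+unlink glob "$testtype-fff.*";
+}
+sub cmp_text {
+return compare_text(@_, sub {
+$_[0] =~ s/\R//g;
+$_[1] =~ s/\R//g;
+return $_[0] ne $_[1];
+});
+}
+1;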
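Review bot: The `skip "Not initialized, skipping...", 22 unless $init;` line hard-codes a skip count that the plan never produces: `$totaltests` is derived from `$n`, giving 9 tests for the default two forms (8 for `p7d`) and 19 for the three-form `msb` series, so a failed initialization would skip 22 tests and break the plan instead of ending the recipe cleanly. The count inside the SKIP block is always everything except the single initialization test, so `skip "Not initialized, skipping...", $totaltests - 1 unless $init;` keeps the two in step without another constant to maintain. Separately, the `diag` after a failed initialization reports `$!` even in the `pkey` branch, where the failure came from `run(app(...))` rather than `copy`, so the errno shown there may be unrelated; wording it as `diag("Initialization of $testtype-fff.p from $t failed")` for that branch would avoid a misleading message.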