openssl/test/recipes/80-test_ssl_new.t

190 lines
7.1 KiB
Perl
Raw Normal View History

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use File::Basename;
use File::Compare qw/compare_text/;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
BEGIN {
setup("test_ssl_new");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
my $infile = bldtop_file('providers', platform->dso('fips'));
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
my @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in"));
map { s/;.*// } @conf_srcs if $^O eq "VMS";
my @conf_files = map { basename($_, ".in") } @conf_srcs;
map { s/\^// } @conf_files if $^O eq "VMS";
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 30 # = scalar @conf_srcs
+ ($no_fips ? 0 : 1); # fipsinstall
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2") &&
!disabled("tls1_3"));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
my $no_ct = disabled("ct");
my $no_ec = disabled("ec");
my $no_dh = disabled("dh");
my $no_dsa = disabled("dsa");
my $no_ec2m = disabled("ec2m");
my $no_ocsp = disabled("ocsp");
# Add your test here if the test conf.in generates test cases and/or
# expectations dynamically based on the OpenSSL compile-time config.
my %conf_dependent_tests = (
"02-protocol-version.cnf" => !$is_default_tls,
"04-client_auth.cnf" => !$is_default_tls || !$is_default_dtls
|| !disabled("sctp"),
"05-sni.cnf" => disabled("tls1_1"),
"07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
"10-resumption.cnf" => !$is_default_tls || $no_ec,
"11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
"16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
"17-renegotiate.cnf" => disabled("tls1_2"),
"18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),
"19-mac-then-encrypt.cnf" => !$is_default_tls,
"20-cert-select.cnf" => !$is_default_tls || $no_dh || $no_dsa,
"22-compression.cnf" => !$is_default_tls,
"25-cipher.cnf" => disabled("poly1305") || disabled("chacha"),
"27-ticket-appdata.cnf" => !$is_default_tls,
"28-seclevel.cnf" => disabled("tls1_2") || $no_ec,
"30-extended-master-secret.cnf" => disabled("tls1_2"),
);
# Add your test here if it should be skipped for some compile-time
# configurations. Default is $no_tls but some tests have different skip
# conditions.
my %skip = (
"06-sni-ticket.cnf" => $no_tls_below1_3,
"07-dtls-protocol-version.cnf" => $no_dtls,
"08-npn.cnf" => (disabled("tls1") && disabled("tls1_1")
&& disabled("tls1_2")) || $no_npn,
"10-resumption.cnf" => disabled("tls1_1") || disabled("tls1_2"),
"11-dtls_resumption.cnf" => disabled("dtls1") || disabled("dtls1_2"),
"12-ct.cnf" => $no_tls || $no_ct || $no_ec,
# We could run some of these tests without TLS 1.2 if we had a per-test
# disable instruction but that's a bizarre configuration not worth
# special-casing for.
# TODO(TLS 1.3): We should review this once we have TLS 1.3.
"13-fragmentation.cnf" => disabled("tls1_2"),
"14-curves.cnf" => disabled("tls1_2") || $no_ec || $no_ec2m,
"15-certstatus.cnf" => $no_tls || $no_ocsp,
"16-dtls-certstatus.cnf" => $no_dtls || $no_ocsp,
"17-renegotiate.cnf" => $no_tls_below1_3,
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
"20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
"21-key-update.cnf" => disabled("tls1_3"),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
&& disabled("tls1_2")) || disabled("srp"),
"24-padding.cnf" => disabled("tls1_3"),
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
"26-tls13_client_auth.cnf" => disabled("tls1_3"),
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);
unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', $infile])),
"fipsinstall");
}
foreach my $conf (@conf_files) {
subtest "Test configuration $conf" => sub {
plan tests => 6 + ($no_fips ? 0 : 3);
test_conf($conf,
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"none");
test_conf($conf,
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"default");
test_conf($conf,
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"fips") unless $no_fips;
}
}
sub test_conf {
my ($conf, $check_source, $skip, $provider) = @_;
my $conf_file = srctop_file("test", "ssl-tests", $conf);
my $input_file = $conf_file . ".in";
my $output_file = $conf . "." . $provider;
my $run_test = 1;
SKIP: {
# "Test" 1. Generate the source.
skip 'failure', 2 unless
ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
interpreter_args => [ "-I", srctop_dir("util", "perl")],
stdout => $output_file)),
"Getting output from generate_ssl_tests.pl.");
SKIP: {
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906)
2021-01-17 03:43:00 +08:00
# Test 2. Compare against existing output in test/ssl-tests/
skip "Skipping generated source test for $conf", 1
if !$check_source;
$run_test = is(cmp_text($output_file, $conf_file), 0,
TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906)
2021-01-17 03:43:00 +08:00
"Comparing generated $output_file with $conf_file.");
}
# Test 3. Run the test.
skip "No tests available; skipping tests", 1 if $skip;
skip "Stale sources; skipping tests", 1 if !$run_test;
if ($provider eq "fips") {
ok(run(test(["ssl_test", $output_file, $provider,
srctop_file("test", "fips-and-base.cnf")])),
"running ssl_test $conf");
} else {
ok(run(test(["ssl_test", $output_file, $provider])),
"running ssl_test $conf");
}
}
}
sub cmp_text {
return compare_text(@_, sub {
$_[0] =~ s/\R//g;
$_[1] =~ s/\R//g;
return $_[0] ne $_[1];
});
}