3 lappend auto_path [file dirname [info script]]
4 package require ossltest
6 switch -exact -- [lindex $argv 0] {
8 set test::server_conf [lindex $argv 1]
9 set test::suffix "-clt"
12 set test::client_conf [lindex $argv 1]
13 set test::suffix "-srv"
16 puts stderr "invalid command line"
21 puts stderr "invalid command line"
33 start_tests "Тесты на SSL-соединение между s_client и s_server"
35 if {[info exists env(ALG_LIST)]} {
36 set alg_list $env(ALG_LIST)
38 switch -exact [engine_name] {
39 "ccore" {set alg_list {rsa:1024 gost2001:XA gost2012_256:XA gost2012_512:A}}
40 "open" {set alg_list {rsa:1024 gost2001:XA gost2012_256:XA gost2012_512:A}}
45 rsa:1024 {ECDHE-RSA-AES256-SHA}
46 gost2001:XA {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0 GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0}
47 gost2012_256:XA {GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0}
48 gost2012_512:A {GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0}
52 # Incompatible cipher suites
55 gost2012_256:XA {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0}
56 gost2012_512:A {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0}
60 # Default cipher suite negotiated for algorithm
63 rsa:1024 ECDHE-RSA-AES256-SHA
64 #gost94:XA GOST94-GOST89-GOST89
65 gost2001:XA GOST2012-GOST8912-GOST8912
66 gost2012_256:XA GOST2012-GOST8912-GOST8912
67 gost2012_512:A GOST2012-GOST8912-GOST8912
70 array set defsuite_12 {
71 rsa:1024 ECDHE-RSA-AES256-GCM-SHA384
72 #gost94:XA GOST94-GOST89-GOST89
73 gost2001:XA GOST2012-GOST8912-GOST8912
74 gost2012_256:XA GOST2012-MAGMA-MAGMAOMAC
75 gost2012_512:A GOST2012-MAGMA-MAGMAOMAC
78 set proto_list {"TLSv1" "TLSv1.1" "TLSv1.2"}
80 if {![file exists sslCA/cacert.pem]} {
86 test -skip {[file exist localhost_rsa/cert.pem]} \
87 "Создаем серверный сертификат rsa" {
88 makeRegisteredUser localhost_rsa rsa:1024 CN localhost
91 foreach alg $alg_list {
92 set alg_fn [string map {":" "_"} $alg]
94 test -skip {[file exist localhost_$alg_fn/cert.pem]} \
95 "Создаем серверный сертификат $alg" {
96 makeRegisteredUser localhost_$alg_fn $alg CN localhost OU $alg_fn
99 test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \
100 "Создаем клиентский сертификат $alg" {
101 makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn
105 foreach alg {gost2001:B gost2012_256:B gost2012_512:B} {
106 set alg_fn [string map {":" "_"} $alg]
107 test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \
108 "Создаем клиентский сертификат $alg" {
109 makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn
114 foreach proto $proto_list {
115 foreach alg $alg_list {
116 set alg_fn [string map {":" "_"} $alg]
118 if {[string match *2012* $alg]} {
119 foreach suite $badsuites($alg) {
121 test "Incompatible suite $alg $suite $proto" {
122 set list [client_server [list -connect localhost:4433 \
123 -CAfile $::test::ca/cacert.pem \
124 -verify_return_error -verify 1 -state -cipher $suite] \
125 [list -www -cert localhost_$alg_fn/cert.pem \
126 -key localhost_$alg_fn/seckey.pem -cipher $suite \
128 list [lindex $list 2] [grep "^New," [lindex $list 0]]
129 } 0 [list 1 "New, (NONE), Cipher is (NONE)\n"]
133 foreach suite $suites($alg) {
134 set raw_name [lindex [split $suite @] 0]
136 if {![string equal $proto "TLSv1.2"] && [string match *OMAC* $suite]} {
140 if {[string equal $proto "TLSv1.2"] && [string match *OMAC* $suite]} {
141 set expected_proto "TLSv1.2"
143 set expected_proto "TLSv1.0"
146 test "Запуск сервера $suite $proto" {
147 set f [open_server [list -cert localhost_$alg_fn/cert.pem \
148 -key localhost_$alg_fn/seckey.pem -cipher $suite \
151 foreach {out err status} [stop $f] break
152 log "SERVER OUTPUT:\n$out\n----"
153 log "SERVER STDERR:\n$err\n----"
154 log "SERVER EXIT CODE: $status"
160 test "Корректный хэндшейк $suite $proto" {
161 set list [client_server [list -connect localhost:4433 \
162 -CAfile $::test::ca/cacert.pem -verify_return_error \
163 -verify 1 -state -cipher $suite ] \
164 [list -www -cert localhost_$alg_fn/cert.pem \
165 -key localhost_$alg_fn/seckey.pem \
166 -cipher $suite $protos($proto)] {}]
167 if {[regexp -lineanchor \
168 {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
169 [lindex $list 0] -> result_proto result_cipher]} {
170 list [lindex $list 2] $result_proto $result_cipher
174 } 0 [list 0 $proto $raw_name]
177 test "Несовпадающий шиферсьют DHE-RSA-AES256-SHA $proto" {
178 set list [client_server [list -connect localhost:4433 \
179 -CAfile $::test::ca/cacert.pem -verify_return_error \
180 -verify 1 -state -cipher $suite] \
181 [list -www -cert localhost_$alg_fn/cert.pem \
182 -key localhost_$alg_fn/seckey.pem \
183 -cipher DHE-RSA-AES256-SHA $protos($proto)] {}]
184 list [lindex $list 2] [grep ":fatal:" [lindex $list 1]]
185 } 0 [list 1 "SSL3 alert read:fatal:handshake failure
188 test "Получение странички $suite $proto" {
189 set list [client_server [list -connect localhost:4433 \
190 -CAfile $::test::ca/cacert.pem -verify_return_error \
191 -verify 1 -state -cipher $suite -ign_eof] \
192 [list -www -cert localhost_$alg_fn/cert.pem \
193 -key localhost_$alg_fn/seckey.pem -cipher $suite \
194 $protos($proto)] "GET /\n\n"]
195 grep "^New," [lindex $list 0]
196 } 0 "New, $expected_proto, Cipher is $raw_name\nNew, $expected_proto, Cipher is $raw_name\n"
198 if {![string match "*-NULL-*" $suite]} {
200 test "Сервер поддерживающий много шиферсьютов $proto" {
201 set list [client_server [list -connect localhost:4433 \
202 -CAfile $::test::ca/cacert.pem -verify_return_error \
203 -verify 1 -state -cipher $suite] \
204 [list -www -cert localhost_$alg_fn/cert.pem \
205 -key localhost_$alg_fn/seckey.pem $protos($proto)] {}]
206 if {[regexp -lineanchor \
207 {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
208 [lindex $list 0] -> result_proto result_cipher]} {
209 list [lindex $list 2] $result_proto $result_cipher
213 } 0 [list 0 $proto $suite]
216 test "Сервер c несколькими алгоритмами, клиент $suite $proto" {
217 set list [client_server [list -connect localhost:4433 \
218 -CAfile $::test::ca/cacert.pem -verify_return_error \
219 -verify 1 -state -cipher $suite] \
220 [list -www -cert localhost_rsa/cert.pem \
221 -key localhost_rsa/seckey.pem \
222 -dcert localhost_$alg_fn/cert.pem \
223 -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}]
224 if {[regexp -lineanchor \
225 {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
226 [lindex $list 0] -> result_proto result_cipher]} {
227 list [lindex $list 2] $result_proto $result_cipher
231 } 0 [list 0 $proto $suite]
235 test "Сервер c несколькими алгоритмами, клиент AES256-SHA $proto" {
236 set list [client_server [list -connect localhost:4433 \
237 -CAfile $::test::ca/cacert.pem -verify_return_error \
238 -verify 1 -state -cipher AES256-SHA] \
239 [list -www -cert localhost_rsa/cert.pem \
240 -key localhost_rsa/seckey.pem \
241 -dcert localhost_$alg_fn/cert.pem \
242 -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}]
243 if {[regexp -lineanchor \
244 {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
245 [lindex $list 0] -> result_proto result_cipher]} {
246 list [lindex $list 2] $result_proto $result_cipher
250 } 0 [list 0 $proto AES256-SHA]
254 if {[string match *gost* $alg]} {
255 set alg_cli_list [list $alg gost2001:B gost2012_256:B gost2012_512:B]
257 set alg_cli_list $alg
260 foreach alg_cli $alg_cli_list {
261 set alg_cli_fn [string map {":" "_"} $alg_cli]
263 test "Сервер $alg, клиент с сертификатом $alg_cli $proto" {
264 set list [client_server [list -connect localhost:4433\
265 -CAfile $::test::ca/cacert.pem -verify_return_error \
266 -verify 1 -state -cert ssl_user_$alg_cli_fn/cert.pem \
267 -key ssl_user_$alg_cli_fn/seckey.pem -cipher $suite \
269 [list -cert localhost_$alg_fn/cert.pem \
270 -key localhost_$alg_fn/seckey.pem -verify_return_error\
271 -Verify 3 -www -CAfile $::test::ca/cacert.pem \
272 -cipher $suite $protos($proto)] "GET /\n"]
273 list [lindex $list 2] [grep "^New," [lindex $list 0]]
274 } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $raw_name\n" 2]]
280 if {[string equal $proto "TLSv1.2"]} {
281 set etalon $defsuite_12($alg)
283 set etalon $defsuite($alg)
286 if {[string equal $proto "TLSv1.2"] && ![string match *2001* $alg]} {
287 set expected_proto "TLSv1.2"
289 set expected_proto "TLSv1.0"
292 test "Умолчательный хендшейк с ключами $alg $proto" {
293 set list [client_server [list -connect localhost:4433\
294 -CAfile $::test::ca/cacert.pem -verify_return_error -verify 1\
296 [list -www -cert localhost_$alg_fn/cert.pem\
297 -key localhost_$alg_fn/seckey.pem $protos($proto)] "GET /\n"]
298 if {[regexp -lineanchor \
299 {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
300 [lindex $list 0] -> result_proto result_cipher]} {
301 list [lindex $list 2] $result_proto $result_cipher
305 } 0 [list 0 $proto $etalon]
307 test "Умолчательный хендшейк с клиентской аутентификацией $alg $proto" {
308 set list [client_server [list -connect localhost:4433\
309 -CAfile $::test::ca/cacert.pem -verify_return_error \
310 -verify 1 -state -cert ssl_user_$alg_fn/cert.pem \
311 -key ssl_user_$alg_fn/seckey.pem -ign_eof]\
312 [list -cert localhost_$alg_fn/cert.pem \
313 -key localhost_$alg_fn/seckey.pem -verify_return_error\
314 -Verify 3 -www -CAfile $::test::ca/cacert.pem $protos($proto)] \
316 list [lindex $list 2] [grep "^New," [lindex $list 0]]
317 } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $etalon\n" 2]]