2 # -*- coding: cp1251 -*-
3 lappend auto_path [file dirname [info script]]
4 package require ossltest
17 start_tests "TLS 1.3 tests"
19 if {[info exists env(ALG_LIST)]} {
20 set alg_list $env(ALG_LIST)
22 switch -exact [engine_name] {
23 "open" {set alg_list {gost2012_256:XA gost2012_256:TCA gost2012_512:A gost2012_512:C}}
24 "other" {set alg_list {rsa:1024 gost2001:XA gost2012_256:XA gost2012_512:A}}
29 gost2012_256:XA {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S}
30 gost2012_256:TCA {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S}
31 gost2012_512:A {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S}
32 gost2012_512:C {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S}
35 set proto_list {"TLSv1.3"}
36 set expected_proto "TLSv1.3"
38 if {![file exists sslCA/cacert.pem]} {
39 makeCA sslCA gost2012_256:A
44 foreach alg $alg_list {
45 set alg_fn [string map {":" "_"} $alg]
47 test -skip {[file exist localhost_$alg_fn/cert.pem]} \
48 "Создаем серверный сертификат $alg" {
49 makeRegisteredUser localhost_$alg_fn $alg CN localhost OU $alg_fn
52 test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \
53 "Создаем клиентский сертификат $alg" {
54 makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn
58 foreach alg {gost2012_256:B gost2012_512:B} {
59 set alg_fn [string map {":" "_"} $alg]
60 test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \
61 "Создаем клиентский сертификат $alg" {
62 makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn
67 foreach proto $proto_list {
68 foreach group [array names groups] {
69 foreach alg $alg_list {
70 set alg_fn [string map {":" "_"} $alg]
72 foreach suite $suites($alg) {
73 set raw_name [lindex [split $suite @] 0]
75 test "Handshake $group $suite $proto" {
76 set list [client_server [list -connect localhost:4433 \
77 -CAfile $::test::ca/cacert.pem -verify_return_error \
78 -verify 1 -state -ciphersuites $suite -curves $group] \
79 [list -www -cert localhost_$alg_fn/cert.pem \
80 -key localhost_$alg_fn/seckey.pem \
81 -ciphersuites $suite $protos($proto)] {}]
82 if {[regexp -lineanchor \
83 {^Server Temp Key: (\S+),.*^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \
84 [lindex $list 0] -> group_name result_proto result_cipher]} {
85 list [lindex $list 2] $group_name $result_proto $result_cipher
89 } 0 [list 0 $groups($group) $proto $raw_name]
92 # test "Несовпадающий шиферсьют DHE-RSA-AES256-SHA $proto" {
93 # set list [client_server [list -connect localhost:4433 \
94 # -CAfile $::test::ca/cacert.pem -verify_return_error \
95 # -verify 1 -state -ciphersuites $suite] \
96 # [list -www -cert localhost_$alg_fn/cert.pem \
97 # -key localhost_$alg_fn/seckey.pem \
98 # -ciphersuites DHE-RSA-AES256-SHA $protos($proto)] {}]
99 # list [lindex $list 2] [grep ":fatal:" [lindex $list 1]]
100 # } 0 [list 1 "SSL3 alert read:fatal:handshake failure
103 test "Get page $group $suite $proto" {
104 set list [client_server [list -connect localhost:4433 \
105 -CAfile $::test::ca/cacert.pem -verify_return_error \
106 -verify 1 -state -ciphersuites $suite -ign_eof -curves $group] \
107 [list -www -cert localhost_$alg_fn/cert.pem \
108 -key localhost_$alg_fn/seckey.pem -ciphersuites $suite \
109 $protos($proto)] "GET /\n\n"]
110 grep "^New," [lindex $list 0]
111 } 0 "New, $expected_proto, Cipher is $raw_name\nNew, $expected_proto, Cipher is $raw_name\n"
113 test "Multi-ciphersuites server $proto, $group client" {
114 set list [client_server [list -connect localhost:4433 \
115 -CAfile $::test::ca/cacert.pem -verify_return_error \
116 -verify 1 -state -ciphersuites $suite -curves $group] \
117 [list -www -cert localhost_$alg_fn/cert.pem \
118 -key localhost_$alg_fn/seckey.pem -ciphersuites $suite:TLS_AES_256_GCM_SHA384] {}]
119 if {[regexp -lineanchor \
120 {^Server Temp Key: (\S+),.*^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \
121 [lindex $list 0] -> group_name result_proto result_cipher]} {
122 list [lindex $list 2] $group_name $result_proto $result_cipher
126 } 0 [list 0 $groups($group) $proto $suite]
129 # test "Сервер c несколькими алгоритмами, клиент $suite $proto" {
130 # set list [client_server [list -connect localhost:4433 \
131 # -CAfile $::test::ca/cacert.pem -verify_return_error \
132 # -verify 1 -state -ciphersuites $suite] \
134 # -dcert localhost_$alg_fn/cert.pem \
135 # -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}]
136 # if {[regexp -lineanchor \
137 # {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
138 # [lindex $list 0] -> result_proto result_cipher]} {
139 # list [lindex $list 2] $result_proto $result_cipher
143 # } 0 [list 0 $proto $suite]
145 # test "Сервер c несколькими алгоритмами, клиент AES256-SHA $proto" {
146 # set list [client_server [list -connect localhost:4433 \
147 # -CAfile $::test::ca/cacert.pem -verify_return_error \
148 # -verify 1 -state -ciphersuites AES256-SHA] \
149 # [list -www -cert localhost_rsa/cert.pem \
150 # -key localhost_rsa/seckey.pem \
151 # -dcert localhost_$alg_fn/cert.pem \
152 # -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}]
153 # if {[regexp -lineanchor \
154 # {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
155 # [lindex $list 0] -> result_proto result_cipher]} {
156 # list [lindex $list 2] $result_proto $result_cipher
160 # } 0 [list 0 $proto AES256-SHA]
164 if {[string match *gost* $alg]} {
165 set alg_cli_list [list $alg gost2012_256:B gost2012_512:B]
167 set alg_cli_list $alg
170 foreach alg_cli $alg_cli_list {
171 set alg_cli_fn [string map {":" "_"} $alg_cli]
173 test "Server $alg, client certificate $alg_cli $proto $group" {
174 set list [client_server [list -connect localhost:4433\
175 -CAfile $::test::ca/cacert.pem -verify_return_error \
176 -verify 1 -state -cert ssl_user_$alg_cli_fn/cert.pem \
177 -key ssl_user_$alg_cli_fn/seckey.pem -ciphersuites $suite \
178 -ign_eof -curves $group]\
179 [list -cert localhost_$alg_fn/cert.pem \
180 -key localhost_$alg_fn/seckey.pem -verify_return_error\
181 -Verify 3 -www -CAfile $::test::ca/cacert.pem \
182 -ciphersuites $suite $protos($proto)] "GET /\n"]
183 list [lindex $list 2] [grep "^New," [lindex $list 0]]
184 } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $raw_name\n" 2]]
190 #set etalon $defsuite($alg)
191 # set etalon "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L"
193 #Эти тесты закомментированы, так как нет связки между ключами и шифронаборами для TLS 1.3
194 # test "Умолчательный хендшейк с ключами $alg $proto" {
195 # set list [client_server [list -connect localhost:4433\
196 # -CAfile $::test::ca/cacert.pem -verify_return_error -verify 1\
198 # [list -www -cert localhost_$alg_fn/cert.pem\
199 # -key localhost_$alg_fn/seckey.pem $protos($proto)] "GET /\n"]
200 # if {[regexp -lineanchor \
201 # {^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \
202 # [lindex $list 0] -> result_proto result_cipher]} {
203 # list [lindex $list 2] $result_proto $result_cipher
207 # } 0 [list 0 $proto $etalon]
209 # test "Умолчательный хендшейк с клиентской аутентификацией $alg $proto" {
210 # set list [client_server [list -connect localhost:4433\
211 # -CAfile $::test::ca/cacert.pem -verify_return_error \
212 # -verify 1 -state -cert ssl_user_$alg_fn/cert.pem \
213 # -key ssl_user_$alg_fn/seckey.pem -ign_eof]\
214 # [list -cert localhost_$alg_fn/cert.pem \
215 # -key localhost_$alg_fn/seckey.pem -verify_return_error\
216 # -Verify 3 -www -CAfile $::test::ca/cacert.pem $protos($proto)] \
218 # list [lindex $list 2] [grep "^New," [lindex $list 0]]
219 # } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $etalon\n" 2]]