From: igrkir Date: Fri, 19 Nov 2021 02:36:18 +0000 (+0300) Subject: add tcl tests for TLS1.3 X-Git-Url: http://wagner.pp.ru/gitweb/?a=commitdiff_plain;h=9ce100a9fc0a9b4774faf6d593162f269c18ade1;p=openssl-gost%2Fengine.git add tcl tests for TLS1.3 --- diff --git a/tcl_tests/runtest.sh b/tcl_tests/runtest.sh index 9ad744b..5a341d3 100644 --- a/tcl_tests/runtest.sh +++ b/tcl_tests/runtest.sh @@ -95,7 +95,7 @@ case "$ENGINE_NAME" in OTHER_DIR=`echo $TESTDIR |sed 's/cryptocom/gost/'` ;; gost) - BASE_TESTS="engine dgst mac pkcs8 enc req-genpkey req-newkey ca smime smime2 smimeenc cms cms2 cmstc262019 cmsenc pkcs12 nopath ocsp ts ssl smime_io cms_io smimeenc_io cmsenc_io" + BASE_TESTS="engine dgst mac pkcs8 enc req-genpkey req-newkey ca smime smime2 smimeenc cms cms2 cmstc262019 cmsenc pkcs12 nopath ocsp ts ssl tls13 smime_io cms_io smimeenc_io cmsenc_io" OTHER_DIR=`echo $TESTDIR |sed 's/gost/cryptocom/'` ;; *) diff --git a/tcl_tests/tls13.try b/tcl_tests/tls13.try new file mode 100644 index 0000000..358b480 --- /dev/null +++ b/tcl_tests/tls13.try @@ -0,0 +1,225 @@ +#!/usr/bin/tclsh +# -*- coding: cp1251 -*- +lappend auto_path [file dirname [info script]] +package require ossltest + +array set protos { + TLSv1.3 -tls1_3 +} + +array set groups { +GC256A gost2012_256 +GC512A gost2012_512 +} + +cd $::test::dir + +start_tests "TLS 1.3 tests" + +if {[info exists env(ALG_LIST)]} { + set alg_list $env(ALG_LIST) +} else { + switch -exact [engine_name] { + "open" {set alg_list {gost2012_256:XA gost2012_256:TCA gost2012_512:A gost2012_512:C}} + "other" {set alg_list {rsa:1024 gost2001:XA gost2012_256:XA gost2012_512:A}} + } +} + +array set suites { +gost2012_256:XA {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} +gost2012_256:TCA {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} +gost2012_512:A {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} +gost2012_512:C {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} +} + +set proto_list {"TLSv1.3"} +set expected_proto "TLSv1.3" + +if {![file exists sslCA/cacert.pem]} { + makeCA sslCA gost2012_256:A +} else { + set ::test::ca sslCA +} + +foreach alg $alg_list { + set alg_fn [string map {":" "_"} $alg] + + test -skip {[file exist localhost_$alg_fn/cert.pem]} \ + "Создаем серверный сертификат $alg" { + makeRegisteredUser localhost_$alg_fn $alg CN localhost OU $alg_fn + } 0 1 + + test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \ + "Создаем клиентский сертификат $alg" { + makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn + } 0 1 +} + +foreach alg {gost2012_256:B gost2012_512:B} { + set alg_fn [string map {":" "_"} $alg] + test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \ + "Создаем клиентский сертификат $alg" { + makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn + } 0 1 +} + + +foreach proto $proto_list { + foreach group [array names groups] { + foreach alg $alg_list { + set alg_fn [string map {":" "_"} $alg] + + foreach suite $suites($alg) { + set raw_name [lindex [split $suite @] 0] + + test "Handshake $group $suite $proto" { + set list [client_server [list -connect localhost:4433 \ + -CAfile $::test::ca/cacert.pem -verify_return_error \ + -verify 1 -state -ciphersuites $suite -curves $group] \ + [list -www -cert localhost_$alg_fn/cert.pem \ + -key localhost_$alg_fn/seckey.pem \ + -ciphersuites $suite $protos($proto)] {}] + if {[regexp -lineanchor \ + {^Server Temp Key: (\S+),.*^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \ + [lindex $list 0] -> group_name result_proto result_cipher]} { + list [lindex $list 2] $group_name $result_proto $result_cipher + } else { + lindex $list 1 + } + } 0 [list 0 $groups($group) $proto $raw_name] + + +# test "Несовпадающий шиферсьют DHE-RSA-AES256-SHA $proto" { +# set list [client_server [list -connect localhost:4433 \ +# -CAfile $::test::ca/cacert.pem -verify_return_error \ +# -verify 1 -state -ciphersuites $suite] \ +# [list -www -cert localhost_$alg_fn/cert.pem \ +# -key localhost_$alg_fn/seckey.pem \ +# -ciphersuites DHE-RSA-AES256-SHA $protos($proto)] {}] +# list [lindex $list 2] [grep ":fatal:" [lindex $list 1]] +# } 0 [list 1 "SSL3 alert read:fatal:handshake failure +#"] +# + test "Get page $group $suite $proto" { + set list [client_server [list -connect localhost:4433 \ + -CAfile $::test::ca/cacert.pem -verify_return_error \ + -verify 1 -state -ciphersuites $suite -ign_eof -curves $group] \ + [list -www -cert localhost_$alg_fn/cert.pem \ + -key localhost_$alg_fn/seckey.pem -ciphersuites $suite \ + $protos($proto)] "GET /\n\n"] + grep "^New," [lindex $list 0] + } 0 "New, $expected_proto, Cipher is $raw_name\nNew, $expected_proto, Cipher is $raw_name\n" + + test "Multi-ciphersuites server $proto, $group client" { + set list [client_server [list -connect localhost:4433 \ + -CAfile $::test::ca/cacert.pem -verify_return_error \ + -verify 1 -state -ciphersuites $suite -curves $group] \ + [list -www -cert localhost_$alg_fn/cert.pem \ + -key localhost_$alg_fn/seckey.pem -ciphersuites $suite:TLS_AES_256_GCM_SHA384] {}] + if {[regexp -lineanchor \ + {^Server Temp Key: (\S+),.*^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \ + [lindex $list 0] -> group_name result_proto result_cipher]} { + list [lindex $list 2] $group_name $result_proto $result_cipher + } else { + lindex $list 1 + } + } 0 [list 0 $groups($group) $proto $suite] + + +# test "Сервер c несколькими алгоритмами, клиент $suite $proto" { +# set list [client_server [list -connect localhost:4433 \ +# -CAfile $::test::ca/cacert.pem -verify_return_error \ +# -verify 1 -state -ciphersuites $suite] \ +# [list -www +# -dcert localhost_$alg_fn/cert.pem \ +# -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}] +# if {[regexp -lineanchor \ +# {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \ +# [lindex $list 0] -> result_proto result_cipher]} { +# list [lindex $list 2] $result_proto $result_cipher +# } else { +# lindex $list 1 +# } +# } 0 [list 0 $proto $suite] + +# test "Сервер c несколькими алгоритмами, клиент AES256-SHA $proto" { +# set list [client_server [list -connect localhost:4433 \ +# -CAfile $::test::ca/cacert.pem -verify_return_error \ +# -verify 1 -state -ciphersuites AES256-SHA] \ +# [list -www -cert localhost_rsa/cert.pem \ +# -key localhost_rsa/seckey.pem \ +# -dcert localhost_$alg_fn/cert.pem \ +# -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}] +# if {[regexp -lineanchor \ +# {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \ +# [lindex $list 0] -> result_proto result_cipher]} { +# list [lindex $list 2] $result_proto $result_cipher +# } else { +# lindex $list 1 +# } +# } 0 [list 0 $proto AES256-SHA] + + + + if {[string match *gost* $alg]} { + set alg_cli_list [list $alg gost2012_256:B gost2012_512:B] + } else { + set alg_cli_list $alg + } + + foreach alg_cli $alg_cli_list { + set alg_cli_fn [string map {":" "_"} $alg_cli] + + test "Server $alg, client certificate $alg_cli $proto $group" { + set list [client_server [list -connect localhost:4433\ + -CAfile $::test::ca/cacert.pem -verify_return_error \ + -verify 1 -state -cert ssl_user_$alg_cli_fn/cert.pem \ + -key ssl_user_$alg_cli_fn/seckey.pem -ciphersuites $suite \ + -ign_eof -curves $group]\ + [list -cert localhost_$alg_fn/cert.pem \ + -key localhost_$alg_fn/seckey.pem -verify_return_error\ + -Verify 3 -www -CAfile $::test::ca/cacert.pem \ + -ciphersuites $suite $protos($proto)] "GET /\n"] + list [lindex $list 2] [grep "^New," [lindex $list 0]] + } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $raw_name\n" 2]] + + } + + } + + #set etalon $defsuite($alg) +# set etalon "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" + +#Эти тесты закомментированы, так как нет связки между ключами и шифронаборами для TLS 1.3 +# test "Умолчательный хендшейк с ключами $alg $proto" { +# set list [client_server [list -connect localhost:4433\ +# -CAfile $::test::ca/cacert.pem -verify_return_error -verify 1\ +# -state -ign_eof]\ +# [list -www -cert localhost_$alg_fn/cert.pem\ +# -key localhost_$alg_fn/seckey.pem $protos($proto)] "GET /\n"] +# if {[regexp -lineanchor \ +# {^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \ +# [lindex $list 0] -> result_proto result_cipher]} { +# list [lindex $list 2] $result_proto $result_cipher +# } else { +# lindex $list 1 +# } +# } 0 [list 0 $proto $etalon] +# +# test "Умолчательный хендшейк с клиентской аутентификацией $alg $proto" { +# set list [client_server [list -connect localhost:4433\ +# -CAfile $::test::ca/cacert.pem -verify_return_error \ +# -verify 1 -state -cert ssl_user_$alg_fn/cert.pem \ +# -key ssl_user_$alg_fn/seckey.pem -ign_eof]\ +# [list -cert localhost_$alg_fn/cert.pem \ +# -key localhost_$alg_fn/seckey.pem -verify_return_error\ +# -Verify 3 -www -CAfile $::test::ca/cacert.pem $protos($proto)] \ +# "GET /\n"] +# list [lindex $list 2] [grep "^New," [lindex $list 0]] +# } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $etalon\n" 2]] + + } + } +} + +end_tests