#!/usr/bin/tclsh
# Let "package require" find the test helper package stored next to this script.
lappend auto_path [file dirname [info script]]

package require ossltest

# Exactly one argument is expected: the cipher-list file that is later handed
# to get_hosts.  Anything else prints the usage line and stops.
if {[llength $argv] != 1} {
        puts stderr "Usage $argv0 cipher-list-file"
        exit 1
}
# Protocol prefix of a suite entry -> protocol switch given to
# "openssl s_client".  The "default" entry adds no switch at all.
# NOTE(review): SSLv2 and SSLv3 are obsolete protocols kept here for legacy
# server coverage; an OpenSSL build without them may reject these switches.
set protos(SSLv2) -ssl2
set protos(SSLv3) -ssl3
set protos(TLSv1) -tls1
set protos(TLSv1.1) -tls1_1
set protos(TLSv1.2) -tls1_2
set protos(default) {}
# Read the cipher-list file named on the command line.  get_hosts comes from
# the ossltest package; presumably it fills the global "hosts" array that the
# main loop iterates over - confirm against the helper.
get_hosts [lindex $argv 0]
# Run from the test working directory, so the relative ca_*.pem and U_x_*
# paths used below resolve there.
cd $::test::dir
# The title reads "TLS connection with server <cipher-list-file>".
start_tests "TLS-соединение с сервером [lindex $argv 0]"

# With the "ccore" engine, drop every hosts entry whose key starts with gost94.
# NOTE(review): presumably that engine has no GOST 94 support - confirm.
if {[engine_name] eq "ccore"} {
        array unset hosts gost94*
}
# Cipher-suite names as they appear in the cipher list (and as the server
# reports them) -> the name passed to "s_client -cipher".  Suites that are not
# listed here are passed through unchanged by the main loop.
array set suite_map [list \
        CRYPTOPRO-DHGOST94-DSS-GOST89-STREAMGOST89 GOST94-GOST89-GOST89 \
        CRYPTOPRO-DHGOST94-DSS-NULL-GOST94 GOST94-NULL-GOST94 \
        CRYPTOPRO-DHGOST-DSS-GOST89-STREAMGOST89 GOST2001-GOST89-GOST89 \
        CRYPTOPRO-DHGOST-DSS-NULL-GOST94 GOST2001-NULL-GOST94]

# Test CA used to obtain the CA certificates and to issue client certificates.
# NOTE(review): the CA certificate fetched from this host becomes the trust
# anchor for every s_client call below; how the helpers transport it is not
# visible in this file - confirm the channel is one the test lab trusts.
set CAhost "lynx.lan.cryptocom.ru"
set CAprefix "/cgi-bin/autoca"
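# Main test matrix.  For every algorithm key in the hosts array: obtain the CA
# certificate, then run each configured cipher suite against its server, first
# with server authentication only and then with and without a client
# certificate.
foreach alg [array names hosts] {
        # Name variants derived from the key: alg2 has a "cp" suffix after
        # gostNNNN removed, alg_fn replaces ":" with "_", alg_short and alg_ca
        # keep only the part before the first ":".
        set alg2 [regsub {(gost\d+)cp} $alg {\1}]
        set alg_fn [string map {":" "_"} $alg2]
        set alg_short [regexp -inline {^[^:]+} $alg2]
        set alg_ca [regexp -inline {^[^:]+} $alg]

        # "Obtain the <alg_ca> CA certificate".
        # NOTE(review): the skip condition looks for ca_$alg_short.pem, while
        # the expected result and every s_client call below use
        # ca_$alg_ca.pem.  The two names differ when the key carries a "cp"
        # suffix - confirm which file getCAcert writes.
        test -skip {[file exist ca_$alg_short.pem]} "Получить сертификат $alg_ca CA" {
                getCAcert $CAhost $CAprefix $alg_ca
        } 0 "ca_$alg_ca.pem"

        if {[array exists suites]} {array unset suites}
        array set suites $hosts($alg)
        foreach suite [array names suites] {
                # A suite key is either "proto:cipher" or a bare cipher name.
                if {![regexp {(.+):(.+)} $suite => proto cs]} {
                        set cs $suite
                        set proto "default"
                }
                # Translate the server-side suite name when a mapping exists.
                if {[info exists suite_map($cs)]} {
                        set mycs $suite_map($cs)
                } else {
                        set mycs $cs
                }
                # The value is "host:port:servertype" or plain "host:port",
                # in which case the server is treated as apache.
                if {![regexp {(.+:\d+):(.*)} $suites($suite) x url servertype]} {
                        set servertype apache
                        set url $suites($suite)
                }
                # What a request without a client certificate must produce:
                # IIS answers with an HTTP 403.7 page (exit code 0), other
                # servers abort the handshake (exit code 1).
                if {$servertype eq "iis"} {
                        set failure "HTTP 403.7 - Forbidden: Client certificate required"
                        set failure_exit_code 0
                } else {
                        set failure "ssl handshake failure"
                        set failure_exit_code 1
                }

                # Split host and port for the Host header.  If the URL has no
                # :port part, use it whole instead of silently reusing the
                # host name left over from the previous suite.
                if {![regexp {(.+):(\d+)} $url dummy get_hostname get_port]} {
                        set get_hostname $url
                        set get_port {}
                }

                # Every s_client call pins trust to the fetched test CA with
                # -CAfile and passes -verify_return_error, so a chain
                # verification failure aborts the handshake instead of only
                # being reported.  No -verify_hostname is passed, so the peer
                # name in the certificate is not checked by these tests.

                # "<suite> static page"
                test "$suite статическая страница " {
                        grep "<H1>" [openssl [concat s_client $protos($proto) \
                                [list -cipher $mycs -CAfile ca_$alg_ca.pem -connect $url \
                                -verify_return_error -verify 1 -ign_eof \
                                << "GET /ssl_test.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                } 0 "<H1>Test SSL static page</H1>\n"


                # "<suite> big page"
                test "$suite большая страница" {
                        grep "<H1>" [openssl [concat s_client $protos($proto) \
                                [list -cipher $mycs -CAfile ca_$alg_ca.pem -connect $url \
                                -verify_return_error -verify 1 -ign_eof \
                                << "GET /ssl_test_big.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                } 0 "<H1>Big test SSL static page</H1>\n"


                # "<suite> printenv script": the server-side script reports
                # whether it saw a secure connection (IIS) or which cipher
                # suite was negotiated (other servers).
                if {$servertype eq "iis"} {
                        test "$suite скрипт printenv.asp" {
                                grep "SERVER_PORT_SECURE:" [openssl \
                                        [concat s_client $protos($proto) \
                                        [list -cipher $mycs -CAfile ca_$alg_ca.pem\
                                        -connect $url -verify_return_error -verify 1 -ign_eof \
                                        << "GET /printenv.asp HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                        } 0 "SERVER_PORT_SECURE: 1\n"
                } else {
                        test "$suite скрипт printenv" {
                                grep "SSL_CIPHER=" [openssl \
                                        [concat s_client $protos($proto) \
                                        [list -cipher $mycs -CAfile ca_$alg_ca.pem \
                                        -connect $url -verify_return_error -verify 1 -ign_eof \
                                        << "GET /cgi-bin/printenv HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                        } 0 "SSL_CIPHER=\"$cs\"\n"
                }

                # Client-certificate algorithms to try against this suite.
                if {[string match *GOST2012* $suite]} {
                        set alg_cli_list "$alg gost2001:B gost2012_256:B gost2012_512:B"
                } elseif {[string match *GOST2001* $suite]} {
                        set alg_cli_list "$alg gost2001:B"
                } else {
                        set alg_cli_list $alg
                }

                foreach alg_cli $alg_cli_list {
                        set alg_cli_fn [string map {":" "_"} $alg_cli]
                        set alg_cli_short [regexp -inline {^[^:]+} $alg_cli]

                        # "Obtaining client certificate <alg_cli>".  Skipped
                        # when U_x_<alg>/cert.pem already exists; the matching
                        # private key is read from seckey.pem in the same
                        # directory by the tests below.
                        test -skip {[file exist U_x_$alg_cli_fn/cert.pem]} "Получение клиентского сертификата $alg_cli" {
                                getCAAlgParams  $CAhost $CAprefix $alg_cli_short
                                if {![makeUser U_x_$alg_cli_fn $alg_cli CN \
                                "Test engine on [info hostname]"]} {
                                        error "Request generation failed"
                                }
                                registerUserAtCA U_x_$alg_cli_fn $CAhost $CAprefix $alg_ca
                                file exists U_x_$alg_cli_fn/cert.pem
                        } 0 1


                        # "<suite> no certificate, static page": negative test,
                        # the protected page must not be served to a client
                        # that presents no certificate.
                        test "$suite  нет сертификата, статичеcкая страница" {
                                set out [openssl [concat s_client $protos($proto) \
                                        [list -msg -cipher $mycs -CAfile ca_$alg_ca.pem \
                                        -verify_return_error -verify 1 -connect $url -ign_eof \
                                        << "GET /ssl_auth_test.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                                if {[regexp $failure $out match]} {
                                        set match
                                } else {
                                        set out
                                }
                        } $failure_exit_code $failure


                        # "<suite>, certificate present, static page"
                        test -skip {![file exists U_x_$alg_cli_fn/cert.pem]} \
                        "$suite, есть сертификат, статическая страница" {
                                grep "<H1>" [openssl [concat s_client $protos($proto) \
                                        [list -msg -cipher $mycs -cert U_x_$alg_cli_fn/cert.pem \
                                        -key U_x_$alg_cli_fn/seckey.pem -CAfile ca_$alg_ca.pem \
                                        -verify_return_error -verify 1 -connect $url -ign_eof \
                                        << "GET /ssl_auth_test.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                        } 0 "<H1>Test SSL static page</H1>\n"


                        if {$servertype eq "iis"} {

                                # "<suite>, no certificate, printenv_auth.asp script"
                                test "$suite, нет сертификата, скрипт printenv_auth.asp" {
                                        set out [openssl [concat s_client $protos($proto) \
                                                [list -msg -cipher $mycs -CAfile ca_$alg_ca.pem \
                                                -verify_return_error -verify 1 -connect $url -ign_eof \
                                                << "GET /printenv_auth.asp HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                                        if {[regexp $failure $out match]} {
                                                set match
                                        } else {
                                                set out
                                        }
                                } 0 $failure


                                # "<suite>, certificate present, printenv_auth.asp script"
                                test  -skip {![file exists U_x_$alg_cli_fn/cert.pem]} \
                                "$suite, есть сертификат, скрипт printenv_auth.asp" {
                                        grep CERT_FLAGS [openssl [concat s_client $protos($proto) \
                                                [list -msg -cipher $mycs -cert U_x_$alg_cli_fn/cert.pem\
                                                -key U_x_$alg_cli_fn/seckey.pem -CAfile ca_$alg_ca.pem \
                                                -verify_return_error -verify 1 -connect $url -ign_eof \
                                                << "GET /printenv_auth.asp HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                                } 0 "CERT_FLAGS: 1\n"

                        } else {

                                # "<suite>, no certificate, printenv script"
                                test "$suite, нет сертификата, скрипт printenv" {
                                        set out [openssl [concat s_client $protos($proto) \
                                                [list -cipher $mycs -CAfile ca_$alg_ca.pem \
                                                -verify_return_error -verify 1 -connect $url -ign_eof \
                                                << "GET /cgi-bin/printenv/auth HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                                        if {[regexp "ssl handshake failure" $out match]} {
                                                set match
                                        } else {
                                                set out
                                        }
                                } 1 "ssl handshake failure"

                                # "<suite>, certificate present, printenv script":
                                # the server must report that it verified the
                                # client certificate.
                                test  -skip {![file exists U_x_$alg_cli_fn/cert.pem]} \
                                "$suite, есть сертификат, скрипт printenv" {
                                        grep SSL_CLIENT_VERIFY [openssl \
                                                [concat s_client $protos($proto) \
                                                [list -cipher $mycs -cert U_x_$alg_cli_fn/cert.pem \
                                                -key U_x_$alg_cli_fn/seckey.pem -CAfile ca_$alg_ca.pem \
                                                -verify_return_error -verify 1 -connect $url -ign_eof \
                                                << "GET /cgi-bin/printenv/auth HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
                                } 0 "SSL_CLIENT_VERIFY=\"SUCCESS\"\n"
                        }
                }
        }
}
# Counterpart of the start_tests call made before the loop.
end_tests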