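#!/usr/bin/tclsh
#
# SSL/TLS handshake tests between openssl s_client and s_server, driven
# by the helpers of the ossltest package (test, client_server, makeCA,
# makeRegisteredUser, open_server, ...).
#
# Command line: either no arguments, or exactly one flag/value pair:
#   -serverconf FILE   sets test::server_conf and test::suffix "-clt"
#   -clientconf FILE   sets test::client_conf and test::suffix "-srv"
# (the suffix presumably tags which side runs with its default
# configuration in the log/report names -- confirm in ossltest).
#

lappend auto_path [file dirname [info script]]
package require ossltest

# Report a bad command line and stop before any test is started.
proc cli_usage_error {} {
	puts stderr "invalid command line"
	exit 1
}

if {$argc == 2} {
	switch -exact -- [lindex $argv 0] {
		-serverconf {
			set test::server_conf [lindex $argv 1]
			set test::suffix "-clt"
		}
		-clientconf {
			set test::client_conf [lindex $argv 1]
			set test::suffix "-srv"
		}
		default {
			cli_usage_error
		}
	}
} elseif {$argc != 0} {
	# The options above always come as a flag/value pair, so any
	# other argument count is a mistake (braced so expr sees the
	# variable, not an already-substituted value).
	cli_usage_error
}
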
# s_client/s_server option that pins each protocol version under test.
set protos(TLSv1)   -tls1
set protos(TLSv1.1) -tls1_1
set protos(TLSv1.2) -tls1_2

# Work inside the directory ossltest provides; every certificate path
# used below (sslCA/, localhost_*/, ssl_user_*/) is relative to it.
cd $::test::dir

start_tests "Тесты на SSL-соединение между s_client и s_server"

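# Key algorithms (keygen specs as passed to makeRegisteredUser) for
# which server and client certificates are generated and handshakes
# run.  ALG_LIST in the environment overrides the per-engine default.
if {[info exists env(ALG_LIST)]} {
	set alg_list $env(ALG_LIST)
} else {
	set engine [engine_name]
	switch -exact -- $engine {
		"ccore" -
		"open" {
			set alg_list {rsa:1024 gost2001:XA gost2012_256:XA gost2012_512:A}
		}
		default {
			# Previously an unknown engine left alg_list unset and the
			# script died much later with "can't read alg_list"; fail
			# up front with a readable message instead.
			puts stderr "unsupported engine: $engine"
			exit 1
		}
	}
}
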
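#
# Cipher suites exercised for each key algorithm.  The "@SECLEVEL=0"
# suffix lowers OpenSSL's security level for that cipher string;
# presumably these suites/keys are rejected at the default level.
#
array set suites {
rsa:1024 {ECDHE-RSA-AES256-SHA@SECLEVEL=0}
gost2001:XA {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0 GOST2012-GOST8912-GOST8912 GOST2012-GOST8912-IANA GOST2012-NULL-GOST12@SECLEVEL=0}
gost2012_256:XA {GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0}
gost2012_512:A {GOST2012-GOST8912-GOST8912 GOST2012-NULL-GOST12@SECLEVEL=0}
}

#
# Incompatible cipher suites: GOST-2001 suites that a GOST-2012 server
# must refuse.
#
array set badsuites {
gost2012_256:XA {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0}
gost2012_512:A {GOST2001-GOST89-GOST89 GOST2001-NULL-GOST94@SECLEVEL=0}
}

#
# Default cipher suite negotiated for algorithm (client sends no
# -cipher).  NB: the braces below delimit a list, not a script, so a
# "#..." line inside them is NOT a comment -- it silently became an
# extra key/value pair ("#gost94:XA" => GOST94-GOST89-GOST89).  The
# retired gost94:XA entry is therefore recorded here instead:
#   gost94:XA  GOST94-GOST89-GOST89   (both tables)
#
array set defsuite {
rsa:1024 ECDHE-RSA-AES256-SHA
gost2001:XA GOST2012-GOST8912-GOST8912
gost2012_256:XA GOST2012-GOST8912-GOST8912
gost2012_512:A GOST2012-GOST8912-GOST8912
}

# Same for TLS 1.2, where the OMAC suites become the default.
array set defsuite_12 {
rsa:1024 ECDHE-RSA-AES256-GCM-SHA384
gost2001:XA GOST2012-GOST8912-GOST8912
gost2012_256:XA GOST2012-MAGMA-MAGMAOMAC
gost2012_512:A GOST2012-MAGMA-MAGMAOMAC
}

# Protocol versions to iterate over; must be keys of $protos.
set proto_list {"TLSv1" "TLSv1.1" "TLSv1.2"}
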
# Reuse the CA from a previous run when sslCA/cacert.pem is already
# there, otherwise build a fresh RSA-keyed CA in sslCA.  Only the reuse
# path assigns ::test::ca explicitly, so makeCA presumably registers the
# new CA itself -- confirm in ossltest.
if {[file exists sslCA/cacert.pem]} {
	set ::test::ca sslCA
} else {
	makeCA sslCA rsa
}

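# Server certificate for the plain-RSA server used by the
# dual-certificate tests below (-dcert adds the GOST one next to it).
# The -skip clause keeps certificates from a previous run; the
# subcommand is spelled "file exists" everywhere (the abbreviated
# "file exist" used here before relied on ensemble prefix matching).
test -skip {[file exists localhost_rsa/cert.pem]} \
	"Создаем серверный сертификат rsa" {
	makeRegisteredUser localhost_rsa rsa:1024 CN localhost
} 0 1

# One server (localhost_*) and one client (ssl_user_*) certificate per
# tested algorithm; alg_fn is the keygen spec with ":" replaced by "_"
# so it can double as a directory name and OU value.
foreach alg $alg_list {
	set alg_fn [string map {":" "_"} $alg]

	test -skip {[file exists localhost_$alg_fn/cert.pem]} \
		"Создаем серверный сертификат $alg" {
		makeRegisteredUser localhost_$alg_fn $alg CN localhost OU $alg_fn
	} 0 1

	test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \
		"Создаем клиентский сертификат $alg" {
		makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn
	} 0 1
}

# Extra client certificates with the "B" parameter set; every GOST
# server is tried against each of them in the client-auth tests.
foreach alg {gost2001:B gost2012_256:B gost2012_512:B} {
	set alg_fn [string map {":" "_"} $alg]
	test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \
		"Создаем клиентский сертификат $alg" {
		makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn
	} 0 1
}

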
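# Reduce a client_server result to what the handshake tests compare
# against.  client_server returns a three-element list; index 0 is
# grep'ed for s_client's "New," lines, index 1 for its alert text and
# index 2 is compared with 0, so it looks like {stdout stderr status}
# of the client -- confirm in ossltest.
#
# Returns {status protocol cipher} taken from the "Protocol :" and
# "Cipher :" lines of the client output, or the client's stderr when
# those lines are missing, so the failure text lands in the report.
proc ssl_handshake_result {result} {
	if {[regexp -lineanchor \
		{^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
		[lindex $result 0] -> result_proto result_cipher]} {
		return [list [lindex $result 2] $result_proto $result_cipher]
	}
	return [lindex $result 1]
}

foreach proto $proto_list {
	foreach alg $alg_list {
		set alg_fn [string map {":" "_"} $alg]

		# A GOST-2012 server must refuse the GOST-2001 suites: the
		# client exits non-zero and reports no negotiated cipher.
		if {[string match *2012* $alg]} {
			foreach suite $badsuites($alg) {

				test "Incompatible suite $alg $suite $proto" {
					set list [client_server [list -connect localhost:4433 \
						-CAfile $::test::ca/cacert.pem \
						-verify_return_error -verify 1 -state -cipher $suite] \
						[list -www -cert localhost_$alg_fn/cert.pem \
						-key localhost_$alg_fn/seckey.pem -cipher $suite \
						$protos($proto)] {}]
					list [lindex $list 2] [grep "^New," [lindex $list 0]]
				} 0 [list 1 "New, (NONE), Cipher is (NONE)\n"]
			}
		}

		foreach suite $suites($alg) {
			# cipher name without the @SECLEVEL=... qualifier
			set raw_name [lindex [split $suite @] 0]

			# The *OMAC* suites are TLS 1.2-only; skip them elsewhere.
			if {![string equal $proto "TLSv1.2"] && [string match *OMAC* $suite]} {
				continue
			}

			# Protocol version expected in s_client's "New, <proto>, ..."
			# line: TLSv1.2 only for the OMAC suites under TLS 1.2,
			# TLSv1.0 for everything else.
			if {[string equal $proto "TLSv1.2"] && [string match *OMAC* $suite]} {
				set expected_proto "TLSv1.2"
			} else {
				set expected_proto "TLSv1.0"
			}

			# Smoke test: the server starts with this certificate, suite
			# and protocol and prints ACCEPT before being stopped.
			test "Запуск сервера $suite $proto" {
				set f [open_server [list -cert localhost_$alg_fn/cert.pem \
					-key localhost_$alg_fn/seckey.pem -cipher $suite \
					$protos($proto)]]
				stop_server $f
				foreach {out err status} [stop $f] break
				log "SERVER OUTPUT:\n$out\n----"
				log "SERVER STDERR:\n$err\n----"
				log "SERVER EXIT CODE: $status"
				grep "ACCEPT" $out
			} 0 "ACCEPT\n"
			# NOTE(review): this logs the global errorInfo, i.e. the
			# last error recorded anywhere so far, after every server
			# start -- looks like a debugging aid; confirm before
			# relying on it.
			log $errorInfo
			flush [test_log]

			# Both sides pin $suite; the client verifies the server
			# certificate against the test CA (-verify_return_error
			# turns a verification error into a failed handshake).
			test "Корректный хэндшейк $suite $proto" {
				set list [client_server [list -connect localhost:4433 \
					-CAfile $::test::ca/cacert.pem -verify_return_error \
					-verify 1 -state -cipher $suite ] \
					[list -www -cert localhost_$alg_fn/cert.pem \
					-key localhost_$alg_fn/seckey.pem \
					-cipher $suite $protos($proto)] {}]
				ssl_handshake_result $list
			} 0 [list 0 $proto $raw_name]

			# No suite in common (server offers only DHE-RSA-AES256-SHA):
			# the client must see a fatal handshake_failure alert.  The
			# test name carries $suite so the runs stay distinguishable.
			test "Несовпадающий шиферсьют $suite / DHE-RSA-AES256-SHA $proto" {
				set list [client_server [list -connect localhost:4433 \
					-CAfile $::test::ca/cacert.pem -verify_return_error \
					-verify 1 -state -cipher $suite] \
					[list -www -cert localhost_$alg_fn/cert.pem \
					-key localhost_$alg_fn/seckey.pem \
					-cipher DHE-RSA-AES256-SHA $protos($proto)] {}]
				list [lindex $list 2] [grep ":fatal:" [lindex $list 1]]
			} 0 [list 1 "SSL3 alert read:fatal:handshake failure\n"]

			# Full request: -www makes s_server answer "GET /" with a
			# status page; the "New," line is expected twice in the
			# client output.
			test "Получение странички $suite $proto" {
				set list [client_server [list -connect localhost:4433 \
					-CAfile $::test::ca/cacert.pem -verify_return_error \
					-verify 1 -state -cipher $suite -ign_eof] \
					[list -www -cert localhost_$alg_fn/cert.pem \
					-key localhost_$alg_fn/seckey.pem -cipher $suite \
					$protos($proto)] "GET /\n\n"]
				grep "^New," [lindex $list 0]
			} 0 [string repeat "New, $expected_proto, Cipher is $raw_name\n" 2]

			# The server-side "ALL" cipher string excludes eNULL suites,
			# so the NULL-encryption suites cannot be negotiated here.
			if {![string match "*-NULL-*" $suite]} {

				# Server offers ALL, client pins $suite: the pinned
				# suite must be the one negotiated.
				test "Сервер поддерживающий много шиферсьютов, клиент $suite $proto" {
					set list [client_server [list -connect localhost:4433 \
						-CAfile $::test::ca/cacert.pem -verify_return_error \
						-verify 1 -state -cipher $suite] \
						[list -www -cert localhost_$alg_fn/cert.pem \
						-key localhost_$alg_fn/seckey.pem $protos($proto) -cipher ALL@SECLEVEL=0] {}]
					ssl_handshake_result $list
				} 0 [list 0 $proto $raw_name]

				# Server with an RSA certificate plus the $alg one
				# (-dcert/-dkey); the client pins $suite and must get it.
				test "Сервер c несколькими алгоритмами, клиент $suite $proto" {
					set list [client_server [list -connect localhost:4433 \
						-CAfile $::test::ca/cacert.pem -verify_return_error \
						-verify 1 -state -cipher $suite] \
						[list -www -cert localhost_rsa/cert.pem \
						-key localhost_rsa/seckey.pem \
						-dcert localhost_$alg_fn/cert.pem \
						-dkey localhost_$alg_fn/seckey.pem $protos($proto) -cipher ALL@SECLEVEL=0] {}]
					ssl_handshake_result $list
				} 0 [list 0 $proto $raw_name]

			}

			# Same dual-certificate server; a client pinning an RSA
			# suite must be served with the RSA certificate.
			test "Сервер c несколькими алгоритмами, клиент AES256-SHA $proto" {
				set list [client_server [list -connect localhost:4433 \
					-CAfile $::test::ca/cacert.pem -verify_return_error \
					-verify 1 -state -cipher AES256-SHA@SECLEVEL=0] \
					[list -www -cert localhost_rsa/cert.pem \
					-key localhost_rsa/seckey.pem \
					-dcert localhost_$alg_fn/cert.pem \
					-dkey localhost_$alg_fn/seckey.pem $protos($proto) -cipher ALL@SECLEVEL=0] {}]
				ssl_handshake_result $list
			} 0 [list 0 $proto AES256-SHA]

			# Client authentication: a GOST server is tried with its own
			# client certificate and with each "B" parameter-set one;
			# the RSA server only with its own.
			if {[string match *gost* $alg]} {
				set alg_cli_list [list $alg gost2001:B gost2012_256:B gost2012_512:B]
			} else {
				set alg_cli_list [list $alg]
			}

			foreach alg_cli $alg_cli_list {
				set alg_cli_fn [string map {":" "_"} $alg_cli]

				# -Verify 3 makes s_server request a client certificate
				# and fail the handshake when none is presented.
				test "Сервер $alg, клиент с сертификатом $alg_cli $proto" {
					set list [client_server [list -connect localhost:4433 \
						-CAfile $::test::ca/cacert.pem -verify_return_error \
						-verify 1 -state -cert ssl_user_$alg_cli_fn/cert.pem \
						-key ssl_user_$alg_cli_fn/seckey.pem -cipher $suite \
						-ign_eof] \
						[list -cert localhost_$alg_fn/cert.pem \
						-key localhost_$alg_fn/seckey.pem -verify_return_error \
						-Verify 3 -www -CAfile $::test::ca/cacert.pem \
						-cipher $suite $protos($proto)] "GET /\n"]
					list [lindex $list 2] [grep "^New," [lindex $list 0]]
				} 0 [list 0 [string repeat "New, $expected_proto, Cipher is $raw_name\n" 2]]

			}

		}

		# Suite the server is expected to pick when the client sends no
		# -cipher; only consumed by the disabled tests below.
		if {[string equal $proto "TLSv1.2"]} {
			set etalon $defsuite_12($alg)
		} else {
			set etalon $defsuite($alg)
		}

		if {[string equal $proto "TLSv1.2"] && ![string match *2001* $alg]} {
			set expected_proto "TLSv1.2"
		} else {
			set expected_proto "TLSv1.0"
		}

		# Default-suite handshakes are switched off (if {0}) and kept for
		# reference only.
		if {0} {
			test "Умолчательный хендшейк с ключами $alg $proto" {
				set list [client_server [list -connect localhost:4433 \
					-CAfile $::test::ca/cacert.pem -verify_return_error -verify 1 \
					-state -ign_eof] \
					[list -www -cert localhost_$alg_fn/cert.pem \
					-key localhost_$alg_fn/seckey.pem $protos($proto)] "GET /\n"]
				ssl_handshake_result $list
			} 0 [list 0 $proto $etalon]

			test "Умолчательный хендшейк с клиентской аутентификацией $alg $proto" {
				set list [client_server [list -connect localhost:4433 \
					-CAfile $::test::ca/cacert.pem -verify_return_error \
					-verify 1 -state -cert ssl_user_$alg_fn/cert.pem \
					-key ssl_user_$alg_fn/seckey.pem -ign_eof] \
					[list -cert localhost_$alg_fn/cert.pem \
					-key localhost_$alg_fn/seckey.pem -verify_return_error \
					-Verify 3 -www -CAfile $::test::ca/cacert.pem $protos($proto)] \
					"GET /\n"]
				list [lindex $list 2] [grep "^New," [lindex $list 0]]
			} 0 [list 0 [string repeat "New, $expected_proto, Cipher is $etalon\n" 2]]
		}
	}
}

# Close the run and emit the summary.
end_tests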