1#! /usr/bin/env perl
2# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9# For manually running these tests, set specific environment variables like this:
10# CTLOG_FILE=test/ct/log_list.cnf
11# TEST_CERTS_DIR=test/certs
12# For details on the environment variables needed, see test/README.ssltest.md
13
14use strict;
15use warnings;
16
17use File::Basename;
18use File::Compare qw/compare_text/;
19use OpenSSL::Glob;
20use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
21use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
22
23BEGIN {
24setup("test_ssl_new");
25}
26
27use lib srctop_dir('Configurations');
28use lib bldtop_dir('.');
29
30my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
31
32$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
33
34my @conf_srcs =  glob(srctop_file("test", "ssl-tests", "*.cnf.in"));
35map { s/;.*// } @conf_srcs if $^O eq "VMS";
36my @conf_files = map { basename($_, ".in") } @conf_srcs;
37map { s/\^// } @conf_files if $^O eq "VMS";
38
39# We hard-code the number of tests to double-check that the globbing above
40# finds all files as expected.
41plan tests => 30;
42
43# Some test results depend on the configuration of enabled protocols. We only
44# verify generated sources in the default configuration.
45my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
46                      !disabled("tls1_1") && !disabled("tls1_2") &&
47                      !disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
48
49my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
50
51my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
52my $no_tls = alldisabled(available_protocols("tls"));
53my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
54if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
55  $no_tls = 1;
56}
57my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
58my $no_dtls = alldisabled(available_protocols("dtls"));
59my $no_npn = disabled("nextprotoneg");
60my $no_ct = disabled("ct");
61my $no_ec = disabled("ec");
62my $no_dh = disabled("dh");
63my $no_dsa = disabled("dsa");
64my $no_ec2m = disabled("ec2m");
65my $no_ocsp = disabled("ocsp");
66
67# Add your test here if the test conf.in generates test cases and/or
68# expectations dynamically based on the OpenSSL compile-time config.
69my %conf_dependent_tests = (
70  "02-protocol-version.cnf" => !$is_default_tls,
71  "04-client_auth.cnf" => !$is_default_tls || !$is_default_dtls
72                           || !disabled("sctp"),
73  "05-sni.cnf" => disabled("tls1_1"),
74  "07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
75  "10-resumption.cnf" => !$is_default_tls || $no_ec,
76  "11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
77  "16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
78  "17-renegotiate.cnf" => disabled("tls1_2"),
79  "18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),
80  "19-mac-then-encrypt.cnf" => !$is_default_tls,
81  "20-cert-select.cnf" => !$is_default_tls || $no_dh || $no_dsa,
82  "22-compression.cnf" => !$is_default_tls,
83  "25-cipher.cnf" => disabled("poly1305") || disabled("chacha"),
84  "27-ticket-appdata.cnf" => !$is_default_tls,
85  "28-seclevel.cnf" => disabled("tls1_2") || $no_ec,
86  "30-extended-master-secret.cnf" => disabled("tls1_2"),
87);
88
89# Add your test here if it should be skipped for some compile-time
90# configurations. Default is $no_tls but some tests have different skip
91# conditions.
92my %skip = (
93  "06-sni-ticket.cnf" => $no_tls_below1_3,
94  "07-dtls-protocol-version.cnf" => $no_dtls,
95  "08-npn.cnf" => (disabled("tls1") && disabled("tls1_1")
96                    && disabled("tls1_2")) || $no_npn,
97  "10-resumption.cnf" => disabled("tls1_1") || disabled("tls1_2"),
98  "11-dtls_resumption.cnf" => disabled("dtls1") || disabled("dtls1_2"),
99  "12-ct.cnf" => $no_tls || $no_ct || $no_ec,
100  # We could run some of these tests without TLS 1.2 if we had a per-test
101  # disable instruction but that's a bizarre configuration not worth
102  # special-casing for.
103  # TODO(TLS 1.3): We should review this once we have TLS 1.3.
104  "13-fragmentation.cnf" => disabled("tls1_2"),
105  "14-curves.cnf" => disabled("tls1_2") || disabled("tls1_3")
106                     || $no_ec || $no_ec2m,
107  "15-certstatus.cnf" => $no_tls || $no_ocsp,
108  "16-dtls-certstatus.cnf" => $no_dtls || $no_ocsp,
109  "17-renegotiate.cnf" => $no_tls_below1_3,
110  "18-dtls-renegotiate.cnf" => $no_dtls,
111  "19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
112  "20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
113  "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
114  "22-compression.cnf" => disabled("zlib") || $no_tls,
115  "23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
116                    && disabled("tls1_2")) || disabled("srp"),
117  "24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
118  "25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
119  "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
120  "29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
121);
122
123foreach my $conf (@conf_files) {
124    subtest "Test configuration $conf" => sub {
125        plan tests => 6 + ($no_fips ? 0 : 3);
126        test_conf($conf,
127                  $conf_dependent_tests{$conf} || $^O eq "VMS" ?  0 : 1,
128                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
129                  "none");
130        test_conf($conf,
131                  0,
132                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
133                  "default");
134        test_conf($conf,
135                  0,
136                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
137                  "fips") unless $no_fips;
138    }
139}
140
141sub test_conf {
142    my ($conf, $check_source, $skip, $provider) = @_;
143
144    my $conf_file = srctop_file("test", "ssl-tests", $conf);
145    my $input_file = $conf_file . ".in";
146    my $output_file = $conf . "." . $provider;
147    my $run_test = 1;
148
149  SKIP: {
150      # "Test" 1. Generate the source.
151      skip 'failure', 2 unless
152        ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
153                        interpreter_args => [ "-I", srctop_dir("util", "perl")],
154                        stdout => $output_file)),
155           "Getting output from generate_ssl_tests.pl.");
156
157    SKIP: {
158        # Test 2. Compare against existing output in test/ssl-tests/
159        skip "Skipping generated source test for $conf", 1
160          if !$check_source;
161
162        $run_test = is(cmp_text($output_file, $conf_file), 0,
163                       "Comparing generated $output_file with $conf_file.");
164      }
165
166      # Test 3. Run the test.
167      skip "No tests available; skipping tests", 1 if $skip;
168      skip "Stale sources; skipping tests", 1 if !$run_test;
169
170      my $msg = "running CTLOG_FILE=test/ct/log_list.cnf". # $ENV{CTLOG_FILE}.
171          " TEST_CERTS_DIR=test/certs". # $ENV{TEST_CERTS_DIR}.
172          " test/ssl_test test/ssl-tests/$conf $provider";
173      if ($provider eq "fips") {
174          ok(run(test(["ssl_test", $output_file, $provider,
175                       srctop_file("test", "fips-and-base.cnf")])), $msg);
176      } else {
177          ok(run(test(["ssl_test", $output_file, $provider])), $msg);
178      }
179    }
180}
181
182sub cmp_text {
183    return compare_text(@_, sub {
184        $_[0] =~ s/\R//g;
185        $_[1] =~ s/\R//g;
186        return $_[0] ne $_[1];
187    });
188}
189