# TLS client test driver: for every host/cipher-suite listed in the file
# given as the first argument, fetch the CA certificate, then run
# s_client-based checks (static pages, CGI/ASP scripts, client-cert auth).
# Source is cp1251-encoded because the test titles below are in Russian.
2 # -*- coding: cp1251 -*-
# Make the directory holding this script searchable so the local ossltest
# package (next line) is found without an installed copy.
3 lappend auto_path [file dirname [info script]]
# ossltest presumably supplies the helpers used below (start_tests, test,
# openssl, grep, get_hosts, getCAcert, engine_name, ...) - confirm in that package.
6 package require ossltest
# Usage text; the single argument names the cipher-list / host map file.
9 puts stderr "Usage $argv0 cipher-list-file"
# Loads the host map from the cipher-list file into the hosts array
# that the main loop iterates over.
20 get_hosts [lindex $argv 0]
# Opens the test run; the title reads "TLS connection with server <file>".
22 start_tests "TLS-соединение с сервером [lindex $argv 0]"
24 if {[engine_name] eq "ccore"} {
25 array unset hosts gost94*
29 CRYPTOPRO-DHGOST94-DSS-GOST89-STREAMGOST89 GOST94-GOST89-GOST89
30 CRYPTOPRO-DHGOST94-DSS-NULL-GOST94 GOST94-NULL-GOST94
31 CRYPTOPRO-DHGOST-DSS-GOST89-STREAMGOST89 GOST2001-GOST89-GOST89
32 CRYPTOPRO-DHGOST-DSS-NULL-GOST94 GOST2001-NULL-GOST94
# Test CA endpoint. getCAcert and registerUserAtCA (below) talk to this host,
# and the CA certificate it returns becomes the -CAfile trust anchor for every
# server-verification check, so all positive verification results depend on
# this fetch being authentic.
# NOTE(review): the transport getCAcert uses is not visible here - if it is
# plain HTTP, the integrity of ca_*.pem rests on the lab network; confirm.
35 set CAhost lynx.lan.cryptocom.ru
# URL prefix of the CA CGI on CAhost.
36 set CAprefix /cgi-bin/autoca
38 foreach alg [array names hosts] {
39 set alg2 [regsub {(gost\d+)cp} $alg {\1}]
40 set alg_fn [string map {":" "_"} $alg2]
41 set alg_short [regexp -inline {^[^:]+} $alg2]
42 set alg_ca [regexp -inline {^[^:]+} $alg]
44 test -skip {[file exist ca_$alg_short.pem]} "Получить сертификат $alg_ca CA" {
45 getCAcert $CAhost $CAprefix $alg_ca
48 if {[array exists suites]} {array unset suites}
49 array set suites $hosts($alg)
50 foreach suite [array names suites] {
51 if {![regexp {(.+):(.+)} $suite => proto cs]} {
55 if {[info exists suite_map($cs)]} {
56 set mycs $suite_map($cs)
60 if {![regexp {(.+:\d+):(.*)} $suites($suite) x url servertype]} {
62 set url $suites($suite)
64 if {$servertype eq "iis"} {
65 set failure "HTTP 403.7 - Forbidden: Client certificate required"
66 set failure_exit_code 0
68 set failure "ssl handshake failure"
69 set failure_exit_code 1
72 regexp {(.+):(\d+)} $url dummy get_hostname get_port
74 test "$suite статическая страница " {
75 grep "<H1>" [openssl [concat s_client $protos($proto) \
76 [list -cipher $mycs -CAfile ca_$alg_ca.pem -connect $url \
77 -verify_return_error -verify 1 -ign_eof \
78 << "GET /ssl_test.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
79 } 0 "<H1>Test SSL static page</H1>\n"
82 test "$suite большая страница" {
83 grep "<H1>" [openssl [concat s_client $protos($proto) \
84 [list -cipher $mycs -CAfile ca_$alg_ca.pem -connect $url \
85 -verify_return_error -verify 1 -ign_eof \
86 << "GET /ssl_test_big.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
87 } 0 "<H1>Big test SSL static page</H1>\n"
90 if {$servertype eq "iis"} {
91 test "$suite скрипт printenv.asp" {
92 grep "SERVER_PORT_SECURE:" [openssl \
93 [concat s_client $protos($proto) \
94 [list -cipher $mycs -CAfile ca_$alg_ca.pem\
95 -connect $url -verify_return_error -verify 1 -ign_eof \
96 << "GET /printenv.asp HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
97 } 0 "SERVER_PORT_SECURE: 1\n"
99 test "$suite скрипт printenv" {
100 grep "SSL_CIPHER=" [openssl \
101 [concat s_client $protos($proto) \
102 [list -cipher $mycs -CAfile ca_$alg_ca.pem \
103 -connect $url -verify_return_error -verify 1 -ign_eof \
104 << "GET /cgi-bin/printenv HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
105 } 0 "SSL_CIPHER=\"$cs\"\n"
108 if {[string match *GOST2012* $suite]} {
109 set alg_cli_list "$alg gost2001:B gost2012_256:B gost2012_512:B"
110 } elseif {[string match *GOST2001* $suite]} {
111 set alg_cli_list "$alg gost2001:B"
113 set alg_cli_list $alg
116 foreach alg_cli $alg_cli_list {
117 set alg_cli_fn [string map {":" "_"} $alg_cli]
118 set alg_cli_short [regexp -inline {^[^:]+} $alg_cli]
120 test -skip {[file exist U_x_$alg_cli_fn/cert.pem]} "Получение клиентского сертификата $alg_cli" {
121 getCAAlgParams $CAhost $CAprefix $alg_cli_short
122 if {![makeUser U_x_$alg_cli_fn $alg_cli CN \
123 "Test engine on [info hostname]"]} {
124 error "Request generation failed"
126 registerUserAtCA U_x_$alg_cli_fn $CAhost $CAprefix $alg_ca
127 file exists U_x_$alg_cli_fn/cert.pem
131 test "$suite нет сертификата, статичеcкая страница" {
132 set out [openssl [concat s_client $protos($proto) \
133 [list -msg -cipher $mycs -CAfile ca_$alg_ca.pem \
134 -verify_return_error -verify 1 -connect $url -ign_eof \
135 << "GET /ssl_auth_test.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
136 if {[regexp $failure $out match]} {
141 } $failure_exit_code $failure
144 test -skip {![file exists U_x_$alg_cli_fn/cert.pem]} \
145 "$suite, есть сертификат, статическая страница" {
146 grep "<H1>" [openssl [concat s_client $protos($proto) \
147 [list -msg -cipher $mycs -cert U_x_$alg_cli_fn/cert.pem \
148 -key U_x_$alg_cli_fn/seckey.pem -CAfile ca_$alg_ca.pem \
149 -verify_return_error -verify 1 -connect $url -ign_eof \
150 << "GET /ssl_auth_test.html HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
151 } 0 "<H1>Test SSL static page</H1>\n"
154 if {$servertype eq "iis"} {
156 test "$suite, нет сертификата, скрипт printenv_auth.asp" {
157 set out [openssl [concat s_client $protos($proto) \
158 [list -msg -cipher $mycs -CAfile ca_$alg_ca.pem \
159 -verify_return_error -verify 1 -connect $url -ign_eof \
160 << "GET /printenv_auth.asp HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
161 if {[regexp $failure $out match]} {
169 test -skip {![file exists U_x_$alg_cli_fn/cert.pem]} \
170 "$suite, есть сертификат, скрипт printenv_auth.asp" {
171 grep CERT_FLAGS [openssl [concat s_client $protos($proto) \
172 [list -msg -cipher $mycs -cert U_x_$alg_cli_fn/cert.pem\
173 -key U_x_$alg_cli_fn/seckey.pem -CAfile ca_$alg_ca.pem \
174 -verify_return_error -verify 1 -connect $url -ign_eof \
175 << "GET /printenv_auth.asp HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
176 } 0 "CERT_FLAGS: 1\n"
180 test "$suite, нет сертификата, скрипт printenv" {
181 set out [openssl [concat s_client $protos($proto) \
182 [list -cipher $mycs -CAfile ca_$alg_ca.pem \
183 -verify_return_error -verify 1 -connect $url -ign_eof \
184 << "GET /cgi-bin/printenv/auth HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
185 if {[regexp "ssl handshake failure" $out match]} {
190 } 1 "ssl handshake failure"
192 test -skip {![file exists U_x_$alg_cli_fn/cert.pem]} \
193 "$suite, есть сертификат, скрипт printenv" {
194 grep SSL_CLIENT_VERIFY [openssl \
195 [concat s_client $protos($proto) \
196 [list -cipher $mycs -cert U_x_$alg_cli_fn/cert.pem \
197 -key U_x_$alg_cli_fn/seckey.pem -CAfile ca_$alg_ca.pem \
198 -verify_return_error -verify 1 -connect $url -ign_eof \
199 << "GET /cgi-bin/printenv/auth HTTP/1.1\nHost: $get_hostname\nConnection: close\n\n"]]]
200 } 0 "SSL_CLIENT_VERIFY=\"SUCCESS\"\n"