#!/usr/bin/tclsh # -*- coding: cp1251 -*- lappend auto_path [file dirname [info script]] package require ossltest array set protos { TLSv1.3 -tls1_3 } array set groups { GC256A gost2012_256 GC512A gost2012_512 } cd $::test::dir start_tests "TLS 1.3 tests" if {[info exists env(ALG_LIST)]} { set alg_list $env(ALG_LIST) } else { switch -exact [engine_name] { "open" {set alg_list {gost2012_256:XA gost2012_256:TCA gost2012_512:A gost2012_512:C}} "other" {set alg_list {rsa:1024 gost2001:XA gost2012_256:XA gost2012_512:A}} } } array set suites { gost2012_256:XA {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} gost2012_256:TCA {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} gost2012_512:A {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} gost2012_512:C {TLS_GOSTR341112_256_WITH_MAGMA_MGM_L TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L TLS_GOSTR341112_256_WITH_MAGMA_MGM_S TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S} } set proto_list {"TLSv1.3"} set expected_proto "TLSv1.3" if {![file exists sslCA/cacert.pem]} { makeCA sslCA gost2012_256:A } else { set ::test::ca sslCA } foreach alg $alg_list { set alg_fn [string map {":" "_"} $alg] test -skip {[file exist localhost_$alg_fn/cert.pem]} \ "Создаем серверный сертификат $alg" { makeRegisteredUser localhost_$alg_fn $alg CN localhost OU $alg_fn } 0 1 test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \ "Создаем клиентский сертификат $alg" { makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn } 0 1 } foreach alg {gost2012_256:B gost2012_512:B} { set alg_fn [string map {":" "_"} $alg] test -skip {[file exists ssl_user_$alg_fn/cert.pem]} \ "Создаем клиентский сертификат $alg" { makeRegisteredUser ssl_user_$alg_fn $alg CN ssl_user OU $alg_fn } 0 1 } foreach proto $proto_list { foreach group [array names groups] { foreach alg $alg_list { set alg_fn [string map {":" "_"} $alg] foreach suite $suites($alg) { set raw_name [lindex [split $suite @] 0] test "Handshake $group $suite $proto" { set list [client_server [list -connect localhost:4433 \ -CAfile $::test::ca/cacert.pem -verify_return_error \ -verify 1 -state -ciphersuites $suite -curves $group] \ [list -www -cert localhost_$alg_fn/cert.pem \ -key localhost_$alg_fn/seckey.pem \ -ciphersuites $suite $protos($proto)] {}] if {[regexp -lineanchor \ {^Server Temp Key: (\S+),.*^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \ [lindex $list 0] -> group_name result_proto result_cipher]} { list [lindex $list 2] $group_name $result_proto $result_cipher } else { lindex $list 1 } } 0 [list 0 $groups($group) $proto $raw_name] # test "Несовпадающий шиферсьют DHE-RSA-AES256-SHA $proto" { # set list [client_server [list -connect localhost:4433 \ # -CAfile $::test::ca/cacert.pem -verify_return_error \ # -verify 1 -state -ciphersuites $suite] \ # [list -www -cert localhost_$alg_fn/cert.pem \ # -key localhost_$alg_fn/seckey.pem \ # -ciphersuites DHE-RSA-AES256-SHA $protos($proto)] {}] # list [lindex $list 2] [grep ":fatal:" [lindex $list 1]] # } 0 [list 1 "SSL3 alert read:fatal:handshake failure #"] # test "Get page $group $suite $proto" { set list [client_server [list -connect localhost:4433 \ -CAfile $::test::ca/cacert.pem -verify_return_error \ -verify 1 -state -ciphersuites $suite -ign_eof -curves $group] \ [list -www -cert localhost_$alg_fn/cert.pem \ -key localhost_$alg_fn/seckey.pem -ciphersuites $suite \ $protos($proto)] "GET /\n\n"] grep "^New," [lindex $list 0] } 0 "New, $expected_proto, Cipher is $raw_name\nNew, $expected_proto, Cipher is $raw_name\n" test "Multi-ciphersuites server $proto, $group client" { set list [client_server [list -connect localhost:4433 \ -CAfile $::test::ca/cacert.pem -verify_return_error \ -verify 1 -state -ciphersuites $suite -curves $group] \ [list -www -cert localhost_$alg_fn/cert.pem \ -key localhost_$alg_fn/seckey.pem -ciphersuites $suite:TLS_AES_256_GCM_SHA384] {}] if {[regexp -lineanchor \ {^Server Temp Key: (\S+),.*^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \ [lindex $list 0] -> group_name result_proto result_cipher]} { list [lindex $list 2] $group_name $result_proto $result_cipher } else { lindex $list 1 } } 0 [list 0 $groups($group) $proto $suite] # test "Сервер c несколькими алгоритмами, клиент $suite $proto" { # set list [client_server [list -connect localhost:4433 \ # -CAfile $::test::ca/cacert.pem -verify_return_error \ # -verify 1 -state -ciphersuites $suite] \ # [list -www # -dcert localhost_$alg_fn/cert.pem \ # -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}] # if {[regexp -lineanchor \ # {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \ # [lindex $list 0] -> result_proto result_cipher]} { # list [lindex $list 2] $result_proto $result_cipher # } else { # lindex $list 1 # } # } 0 [list 0 $proto $suite] # test "Сервер c несколькими алгоритмами, клиент AES256-SHA $proto" { # set list [client_server [list -connect localhost:4433 \ # -CAfile $::test::ca/cacert.pem -verify_return_error \ # -verify 1 -state -ciphersuites AES256-SHA] \ # [list -www -cert localhost_rsa/cert.pem \ # -key localhost_rsa/seckey.pem \ # -dcert localhost_$alg_fn/cert.pem \ # -dkey localhost_$alg_fn/seckey.pem $protos($proto)] {}] # if {[regexp -lineanchor \ # {^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \ # [lindex $list 0] -> result_proto result_cipher]} { # list [lindex $list 2] $result_proto $result_cipher # } else { # lindex $list 1 # } # } 0 [list 0 $proto AES256-SHA] if {[string match *gost* $alg]} { set alg_cli_list [list $alg gost2012_256:B gost2012_512:B] } else { set alg_cli_list $alg } foreach alg_cli $alg_cli_list { set alg_cli_fn [string map {":" "_"} $alg_cli] test "Server $alg, client certificate $alg_cli $proto $group" { set list [client_server [list -connect localhost:4433\ -CAfile $::test::ca/cacert.pem -verify_return_error \ -verify 1 -state -cert ssl_user_$alg_cli_fn/cert.pem \ -key ssl_user_$alg_cli_fn/seckey.pem -ciphersuites $suite \ -ign_eof -curves $group]\ [list -cert localhost_$alg_fn/cert.pem \ -key localhost_$alg_fn/seckey.pem -verify_return_error\ -Verify 3 -www -CAfile $::test::ca/cacert.pem \ -ciphersuites $suite $protos($proto)] "GET /\n"] list [lindex $list 2] [grep "^New," [lindex $list 0]] } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $raw_name\n" 2]] } } #set etalon $defsuite($alg) # set etalon "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" #Эти тесты закомментированы, так как нет связки между ключами и шифронаборами для TLS 1.3 # test "Умолчательный хендшейк с ключами $alg $proto" { # set list [client_server [list -connect localhost:4433\ # -CAfile $::test::ca/cacert.pem -verify_return_error -verify 1\ # -state -ign_eof]\ # [list -www -cert localhost_$alg_fn/cert.pem\ # -key localhost_$alg_fn/seckey.pem $protos($proto)] "GET /\n"] # if {[regexp -lineanchor \ # {^\s*New,\s+(\S+),\s+Cipher\s+is\s+(\S+)\s*$} \ # [lindex $list 0] -> result_proto result_cipher]} { # list [lindex $list 2] $result_proto $result_cipher # } else { # lindex $list 1 # } # } 0 [list 0 $proto $etalon] # # test "Умолчательный хендшейк с клиентской аутентификацией $alg $proto" { # set list [client_server [list -connect localhost:4433\ # -CAfile $::test::ca/cacert.pem -verify_return_error \ # -verify 1 -state -cert ssl_user_$alg_fn/cert.pem \ # -key ssl_user_$alg_fn/seckey.pem -ign_eof]\ # [list -cert localhost_$alg_fn/cert.pem \ # -key localhost_$alg_fn/seckey.pem -verify_return_error\ # -Verify 3 -www -CAfile $::test::ca/cacert.pem $protos($proto)] \ # "GET /\n"] # list [lindex $list 2] [grep "^New," [lindex $list 0]] # } 0 [list 0 [string repeat "New, $expected_proto, Cipher is $etalon\n" 2]] } } } end_tests