/*
 * Certificate fingerprint pinning in both directions.
 *
 * Scenario 1: the server demands a client certificate (verify-client=1) and
 * pins the expected peer digests via peer-sha1/peer-sha256; the client pins
 * the server's digests the same way.  Both sides present a certificate and
 * the handshake must succeed.
 *
 * Scenario 2: same server configuration but the client presents no
 * certificate at all.  The handshake must fail on the server with "peer did
 * not return a certificate" -- the CA and fingerprint checks are never
 * reached because nothing was offered.
 *
 * The ssl/*.sha1 and ssl/*.sha256 paths name files holding the expected
 * digests; their format is handled by create_worker() and not visible here.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check()/str_any2()
 * appear to follow the same convention (their definitions are not shown).
 */
static void test_fingerprint(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* both server & client with cert: pinned digests match on both sides */
    str_check(create_worker(&server, true, SERVER1, CA2,
                            "verify-client=1",
                            "peer-sha1=ssl/ca2_client2.crt.sha1",
                            "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1,
                            "host=server1.com",
                            "peer-sha1=ssl/ca1_server1.crt.sha1",
                            "peer-sha256=ssl/ca1_server1.crt.sha256", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* client without cert: the server requires one, so the handshake is
     * rejected before any digest comparison can happen.  Two wordings are
     * accepted because the client-side alert/shutdown reporting differs
     * between TLS library versions (presumably -- only the strings are visible). */
    str_check(create_worker(&server, true, SERVER1, CA1,
                            "verify-client=1",
                            "peer-sha1=ssl/ca2_client2.crt.sha1",
                            "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_any2(run_case(client, server),
             "C:sslv3 alert handshake failure - S:peer did not return a certificate",
             "C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");
end:;
}
/*
 * Certificate fingerprint pinning in both directions (older variant of the
 * test: this revision has no verify-client option, so the server's only
 * client-side check is the pinned digest).
 *
 * Scenario 1: server pins the client's SHA-1/SHA-256 digests, client pins the
 * server's; both present certificates and the handshake must succeed.
 *
 * Scenario 2: the client presents no certificate.  The expected result shows
 * the server reporting a SHA-1 fingerprint check failure ("FP-sha1-fail") and
 * the client a failed write -- i.e. a pin with no certificate to compare
 * against is treated as a mismatch, not as "nothing to check".  Note that the
 * failure string names only the sha1 check; both digests are configured, and
 * the SHA-256 pin is the one worth relying on.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_fingerprint(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* both server & client with cert: pinned digests match on both sides */
    str_check(create_worker(&server, true, SERVER1, CA2,
                            "peer-sha1=ssl/ca2_client2.crt.sha1",
                            "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1,
                            "host=server1.com",
                            "peer-sha1=ssl/ca1_server1.crt.sha1",
                            "peer-sha256=ssl/ca1_server1.crt.sha256", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* client without cert: the server-side pin fails because there is no
     * peer certificate to hash */
    str_check(create_worker(&server, true, SERVER1, CA1,
                            "peer-sha1=ssl/ca2_client2.crt.sha1",
                            "peer-sha256=ssl/ca2_client2.crt.sha256", NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "C:write!=3 - S:FP-sha1-fail");
end:;
}
/*
 * Server-side client certificate verification (older variant: in this
 * revision the server verifies a presented client certificate whenever it is
 * given a CA, and a client that presents no certificate is accepted).
 *
 * Scenarios, in order:
 *   1. server trusts CA2, client presents CLIENT2 (issued by TestCA2 per
 *      test_cert_info's expected output) -> OK
 *   2. server trusts CA1 instead -> client cert rejected, "unknown ca"
 *   3. server has noverifycert=1 -> the untrusted client cert is accepted
 *   4. server trusts CA2, client presents no cert at all -> OK
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_clientcert(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* ok: server verifies the client cert against CA2 */
    str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* fail: server rejects a client cert not chaining to its CA */
    str_check(create_worker(&server, true, SERVER1, CA1, NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "C:tlsv1 alert unknown ca - S:handshake failure");

    /* noverifycert: server accepts the otherwise-invalid client cert */
    str_check(create_worker(&server, true, SERVER1, CA1, "noverifycert=1", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* client without cert is allowed in this revision */
    str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");
end:;
}
/*
 * Default client-side verification of the server certificate.
 *
 * Scenarios, in order:
 *   1. client trusts CA1, server presents SERVER1, host=server1.com -> OK
 *   2. client trusts CA2 instead -> chain validation fails on the client,
 *      server sees the "unknown ca" alert
 *   3. client trusts CA1 but expects host example2.com -> hostname check
 *      fails even though the chain is valid
 *
 * The two "aggressive-close" scenarios are compiled out with #if 0; their
 * expected strings describe EOF/broken-pipe reporting on the side that did
 * not initiate the close.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_verify(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* default: client checks server cert, succeeds */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* default: client checks server cert, fails due to bad ca */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "host=example.com", NULL), "OK");
    str_check(run_case(client, server), "C:certificate verify failed - S:tlsv1 alert unknown ca");

    /* default: client checks server cert, fails due to bad hostname
     * (chain is fine; only the name check rejects it) */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=example2.com", NULL), "OK");
    str_check(run_case(client, server), "C:name `example2.com' not present in server certificate");

#if 0
    /* client: aggressive close -- disabled; expected output was
     * server-side EOF and a broken-pipe shutdown error */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "aggressive-close=1", "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "S:bad pkt: res=-1 err=read failed: EOF,S:close error: res=-1 err=shutdown failed: Broken pipe");

    /* server: aggressive close -- disabled; expected output was a
     * client-side broken-pipe write and shutdown error */
    str_check(create_worker(&server, true, SERVER1, "aggressive-close=1", NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "C:write failed: Broken pipe,C:close error: res=-1 err=shutdown failed: Success");
#endif
end:;
}
/*
 * Cipher suite negotiation: the server is started with "show=ciphers" so
 * run_case() returns the negotiated protocol/cipher/key-exchange string
 * instead of "OK".
 *
 * Scenarios, in order:
 *   1. SERVER1 (EC key, secp384r1) with client "ciphers=AESGCM" -> ECDHE-ECDSA
 *   2. SERVER2 (RSA key) with "ciphers=AESGCM"                  -> ECDHE-RSA
 *   3. SERVER2 with "dheparams=auto" and client "EDH+AESGCM"    -> DHE-RSA, DH=2048
 *   4. SERVER2 with client "EECDH+AES"                          -> ECDHE-RSA
 *
 * str_any3() accepts three spellings of the ECDHE results, differing only in
 * the reported curve (secp384r1/prime256v1, X25519, or no curve suffix).
 * Presumably this tracks the TLS library version in use; only the strings
 * are visible here.  All expected results are TLSv1.2 with AES-256-GCM.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check()/str_any3()
 * appear to follow the same convention (their definitions are not shown).
 */
static void test_cipher_nego(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* server key is EC:secp384r1 - ECDHE-ECDSA */
    str_check(create_worker(&server, true, "show=ciphers", SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "ciphers=AESGCM", "host=server1.com", NULL), "OK");
    str_any3(run_case(client, server),
             "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=secp384r1",
             "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=X25519",
             "TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384");

    /* server key is RSA - ECDHE-RSA */
    str_check(create_worker(&server, true, "show=ciphers", SERVER2, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "ciphers=AESGCM", "host=server2.com", NULL), "OK");
    str_any3(run_case(client, server),
             "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
             "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
             "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");

    /* server key is RSA - DHE-RSA; dheparams=auto yields a 2048-bit group
     * and the client restricts itself to EDH suites so DHE must be chosen */
    str_check(create_worker(&server, true, SERVER2, "show=ciphers", "dheparams=auto", NULL), "OK");
    str_check(create_worker(&client, false, CA2, "ciphers=EDH+AESGCM", "host=server2.com", NULL), "OK");
    str_check(run_case(client, server), "TLSv1.2/DHE-RSA-AES256-GCM-SHA384/DH=2048");

    /* server key is RSA - ECDHE-RSA (client restricted to EECDH suites) */
    str_check(create_worker(&server, true, SERVER2, "show=ciphers", NULL), "OK");
    str_check(create_worker(&client, false, CA2, "ciphers=EECDH+AES", "host=server2.com", NULL), "OK");
    str_any3(run_case(client, server),
             "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
             "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
             "TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
end:;
}
// Runs every test case of this suite that the filter lets through.
//
// filter            decides, by case name, which factories are instantiated.
// test_listener     receives begin/end notifications for the suite and each case.
// test_suite_result accumulates this suite's results (case results are merged in).
// cumulated_result  the caller's running total; it is read to seed the per-case
//                   running total but is not modified here.
//
// The suite is only announced to the listener once a case actually passes the
// filter, so a fully filtered-out suite produces no begin_suite/end_suite pair.
void TestSuite::run_suite(
    const IFilter& filter,
    ITestListener& test_listener,
    TestResult& test_suite_result,
    TestResult& cumulated_result) const
{
    // Running total reported to the listener after every case: what the
    // caller had accumulated so far plus this suite's own results.  Note that
    // end_suite() below receives the caller's original cumulated_result, not
    // this running total -- presumably the caller merges test_suite_result in
    // afterwards; confirm before relying on either value in a listener.
    TestResult running_total(cumulated_result);
    running_total.merge(test_suite_result);

    bool suite_started = false;

    // Announce the suite lazily, on the first case that survives the filter.
    const auto start_suite_once = [&]()
    {
        if (suite_started)
            return;
        test_listener.begin_suite(*this);
        test_suite_result.signal_suite_execution();
        suite_started = true;
    };

    for (size_t index = 0; index < impl->m_factories.size(); ++index)
    {
        ITestCaseFactory& factory = *impl->m_factories[index];

        if (filter.accepts(factory.get_name()))
        {
            start_suite_once();

            test_listener.begin_case(*this, factory.get_name());

            // Each case gets a fresh result object; run_case() fills it in.
            TestResult test_case_result;
            run_case(factory, test_listener, test_case_result);

            test_suite_result.merge(test_case_result);
            running_total.merge(test_case_result);

            test_listener.end_case(
                *this,
                factory.get_name(),
                test_suite_result,
                test_case_result,
                running_total);
        }
    }

    if (!suite_started)
        return;

    // One or more failed cases make the suite itself count as failed.
    if (test_suite_result.get_case_failure_count() > 0)
        test_suite_result.signal_suite_failure();

    test_listener.end_suite(*this, test_suite_result, cumulated_result);
}
/*
 * Server-side client certificate verification, controlled by the
 * verify-client / verify-client-optional options.
 *
 * Scenarios, in order:
 *   1. verify-client=1, server trusts CA2, client presents CLIENT2 (issued by
 *      TestCA2 per test_cert_info's expected output) -> OK
 *   2. verify-client=1, server trusts CA1 -> client cert rejected; three
 *      wordings are accepted because the server-side reason and the client's
 *      shutdown reporting differ between TLS library versions (presumably)
 *   3. noverifycert=1 on the server -> the untrusted client cert is accepted
 *   4. verify-client=1, client presents no cert -> handshake refused
 *   5. verify-client-optional=1, client presents no cert -> OK
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check()/str_any*()
 * appear to follow the same convention (their definitions are not shown).
 */
static void test_clientcert(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* ok: server requires and verifies the client cert against CA2 */
    str_check(create_worker(&server, true, SERVER1, CA2, "verify-client=1", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* fail: server rejects a client cert not chaining to its CA */
    str_check(create_worker(&server, true, SERVER1, CA1, "verify-client=1", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_any3(run_case(client, server),
             "C:tlsv1 alert unknown ca - S:no certificate returned",
             "C:tlsv1 alert unknown ca,C:shutdown while in init - S:certificate verify failed",
             "C:tlsv1 alert unknown ca - S:certificate verify failed");

    /* noverifycert: server accepts the otherwise-invalid client cert */
    str_check(create_worker(&server, true, SERVER1, CA1, "noverifycert=1", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* verify-client: a client without a cert is refused; two wordings
     * accepted for the client-side shutdown reporting */
    str_check(create_worker(&server, true, SERVER1, CA2, "verify-client=1", NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_any2(run_case(client, server),
             "C:sslv3 alert handshake failure - S:peer did not return a certificate",
             "C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");

    /* verify-client-optional: a client without a cert is allowed
     * (a presented cert would still have to verify -- not exercised here) */
    str_check(create_worker(&server, true, SERVER1, CA2, "verify-client-optional=1", NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");
end:;
}
/*
 * Peer certificate introspection: the side started with "show=peer-cert"
 * makes run_case() return a one-line dump of the peer's Subject, Issuer,
 * Serial, NotBefore and NotAfter instead of "OK".
 *
 * Scenarios, in order:
 *   1. server (verify-client=1, digests pinned) dumps the client2 cert
 *   2. client dumps the COMPLEX1 server cert, whose subject carries UTF-8
 *      Japanese and Latin-1-range characters
 *   3. client dumps the COMPLEX2 server cert -- per the original comment its
 *      subject is encoded as T61/BMP strings, yet the expected output is the
 *      same UTF-8 text, so the dump normalises string types to UTF-8
 *
 * The expected strings are adjacent literals concatenated by the compiler;
 * the leading space in each continuation is part of the expected output.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_cert_info(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* server shows client cert */
    str_check(create_worker(&server, true, "show=peer-cert", SERVER1, CA2,
                            "peer-sha1=ssl/ca2_client2.crt.sha1",
                            "peer-sha256=ssl/ca2_client2.crt.sha256",
                            "verify-client=1", NULL), "OK");
    str_check(create_worker(&client, false, CLIENT2, CA1,
                            "host=server1.com",
                            "peer-sha1=ssl/ca1_server1.crt.sha1",
                            "peer-sha256=ssl/ca1_server1.crt.sha256", NULL), "OK");
    str_check(run_case(client, server),
              "Subject: /CN=client2/C=XX/ST=State2/L=City2/O=Org2"
              " Issuer: /CN=TestCA2"
              " Serial: 1387724136048036785122419970010419099185643835502"
              " NotBefore: 2010-01-01T08:05:00Z"
              " NotAfter: 2060-12-31T23:55:00Z");

    /* client shows server cert - utf8 */
    str_check(create_worker(&server, true, COMPLEX1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "show=peer-cert", "host=complex1.com", NULL), "OK");
    str_check(run_case(client, server),
              "Subject: /CN=complex1.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä"
              " Issuer: /CN=TestCA1/C=AA/ST=State1/L=City1/O=Org1"
              " Serial: 1113692385315072860785465640275941003895485612482"
              " NotBefore: 2010-01-01T08:05:00Z"
              " NotAfter: 2060-12-31T23:55:00Z");

    /* client shows server cert - t61/bmp (dumped as UTF-8) */
    str_check(create_worker(&server, true, COMPLEX2, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "show=peer-cert", "host=complex2.com", NULL), "OK");
    str_check(run_case(client, server),
              "Subject: /CN=complex2.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä"
              " Issuer: /CN=TestCA2"
              " Serial: 344032136906054686761742495217219742691739762030"
              " NotBefore: 2010-01-01T08:05:00Z"
              " NotAfter: 2060-12-31T23:55:00Z");
end:;
}
/*
 * noverifyname=1 on the client: the server certificate chain is still
 * validated against CA1, but the hostname check is skipped.
 *
 * Scenarios, in order:
 *   1. host=example2.com (not in SERVER1's cert) -> OK
 *   2. no host given at all                      -> OK
 *
 * Contrast with test_verify, where the same example2.com mismatch fails.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_noverifyname(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* noverifyname: client checks server cert, ignore bad hostname */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=example2.com", "noverifyname=1", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* noverifyname: client checks server cert, ignore NULL hostname */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "noverifyname=1", NULL), "OK");
    str_check(run_case(client, server), "OK");
end:;
}
/*
 * "mem=1" on both sides: certificates and CA are loaded from memory rather
 * than by file name (presumably -- only the option string is visible here),
 * and a mutually authenticated handshake must still succeed.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_set_mem(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* both server & client with cert, loaded via mem=1 */
    str_check(create_worker(&server, true, "mem=1", SERVER1, CA2, NULL), "OK");
    str_check(create_worker(&client, false, "mem=1", CLIENT2, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");
end:;
}
/*
 * noverifycert=1 on the client: chain validation is skipped (the client is
 * deliberately given CA2, which does not issue SERVER1), but the hostname
 * check still applies unless noverifyname=1 is also set.
 *
 * Scenarios, in order:
 *   1. noverifycert, host=server1.com                  -> OK
 *   2. noverifycert, host=server2.com                  -> hostname mismatch
 *   3. noverifycert + noverifyname, host=server2.com   -> OK
 *   4. noverifycert + noverifyname, no host            -> OK
 *
 * With both options set (3 and 4) the client accepts any server certificate:
 * the connection is encrypted but the server is not authenticated.
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_noverifycert(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* noverifycert: client ignores cert */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "host=server1.com", "noverifycert=1", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* noverifycert: client ignores cert, but checks hostname */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "host=server2.com", "noverifycert=1", NULL), "OK");
    str_check(run_case(client, server), "C:name `server2.com' not present in server certificate");

    /* noverifycert: client ignores both cert, hostname */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "host=server2.com", "noverifycert=1", "noverifyname=1", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* noverifycert: client ignores both cert, hostname (=NULL) */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "noverifycert=1", "noverifyname=1", NULL), "OK");
    str_check(run_case(client, server), "OK");
end:;
}
/*
 * Default client-side verification of the server certificate (older variant
 * of the test; the expected failure strings differ from the newer one).
 *
 * Scenarios, in order:
 *   1. client trusts CA1, host=server1.com         -> OK
 *   2. client trusts CA2 instead                   -> chain validation fails
 *   3. client trusts CA1 but expects example2.com  -> hostname check fails
 *
 * z: per-test setup data passed in by the test harness; unused.
 *
 * tt_assert() jumps to the `end` label on failure; str_check() appears to
 * follow the same convention (its definition is not shown).
 */
static void test_verify(void *z)
{
    struct Worker *server = NULL, *client = NULL;

    tt_assert(tls_init() == 0);

    /* default: client checks server cert, succeeds */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
    str_check(run_case(client, server), "OK");

    /* default: client checks server cert, fails due to bad ca */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA2, "host=example.com", NULL), "OK");
    str_check(run_case(client, server), "C:certificate verify failed - S:handshake failure");

    /* default: client checks server cert, fails due to bad hostname
     * (chain is fine; only the name check rejects it) */
    str_check(create_worker(&server, true, SERVER1, NULL), "OK");
    str_check(create_worker(&client, false, CA1, "host=example2.com", NULL), "OK");
    str_check(run_case(client, server), "C:name 'example2.com' does not match cert");
end:;
}
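/// Runs every registered case, honouring the enabled-list filter.
///
/// When enabled_list_ is non-empty, seq_case_list_, case_list_ and
/// final_case_list_ are first reduced to the cases whose name_ is in the
/// list.  Sequential cases then run in registration order and a failing one
/// (run_case() returning true) aborts the rest of the run; ordinary cases
/// and final cases are run regardless of each other's outcome.  The whole
/// loop runs inside csegv::pcall (presumably a crash-catching wrapper; its
/// definition is not visible here).
///
/// Improvement over the previous version: the three lists are moved out
/// rather than copied before filtering, so cases are no longer duplicated
/// just to be discarded.
void run()
{
    if (!enabled_list_.empty()) {
        // Name-based membership test shared by the three filters below.
        const auto is_enabled = [this](const auto& name) {
            return enabled_list_.find(name) != enabled_list_.end();
        };

        // Move each list out, reset the member, and re-insert only the
        // enabled entries.  clear() after the move is safe regardless of the
        // container's moved-from state.
        auto seq_cases = std::move(seq_case_list_);
        seq_case_list_.clear();
        for (auto& entry : seq_cases) {
            if (is_enabled(entry.second.name_))
                seq_case_list_.emplace(entry.first, std::move(entry.second));
        }

        auto plain_cases = std::move(case_list_);
        case_list_.clear();
        for (auto& test_case : plain_cases) {
            if (is_enabled(test_case.name_))
                case_list_.push_back(std::move(test_case));
        }

        auto final_cases = std::move(final_case_list_);
        final_case_list_.clear();
        for (auto& entry : final_cases) {
            if (is_enabled(entry.second.name_))
                final_case_list_.emplace(entry.first, std::move(entry.second));
        }
    }

    // Begin utest loop.
    csegv::pcall([this]() {
        for (const auto& entry : seq_case_list_) {
            if (run_case(entry.second)) {
                // A failing sequential case stops everything after it,
                // including the plain and final cases.
                std::cerr << "\n------------------------------------------" << std::endl;
                std::cerr << "seq case " << entry.second.name_
                          << " not pass, others will not be executed!" << std::endl;
                std::cerr << "------------------------------------------" << std::endl;
                return;
            }
        }
        for (const auto& test_case : case_list_) {
            run_case(test_case);
        }
        for (const auto& entry : final_case_list_) {
            run_case(entry.second);
        }
    });
}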