static void test_fingerprint(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* both server & client with cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1,
"host=server1.com",
"peer-sha1=ssl/ca1_server1.crt.sha1",
"peer-sha256=ssl/ca1_server1.crt.sha256",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* client without cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"verify-client=1",
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_any2(run_case(client, server),
"C:sslv3 alert handshake failure - S:peer did not return a certificate",
"C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");
end:;
}
static void test_fingerprint(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* both server & client with cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1,
"host=server1.com",
"peer-sha1=ssl/ca1_server1.crt.sha1",
"peer-sha256=ssl/ca1_server1.crt.sha256",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* client without cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "C:write!=3 - S:FP-sha1-fail");
end:;
}
static void test_clientcert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* ok: server checks server cert */
str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* fail: server rejects invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1, NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "C:tlsv1 alert unknown ca - S:handshake failure");
/* noverifycert: server allow invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1, "noverifycert=1", NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
static void test_verify(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* default: client checks server cert, succeeds */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* default: client checks server cert, fails due to bad ca */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2, "host=example.com", NULL), "OK");
str_check(run_case(client, server), "C:certificate verify failed - S:tlsv1 alert unknown ca");
/* default: client checks server cert, fails due to bad hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=example2.com", NULL), "OK");
str_check(run_case(client, server), "C:name `example2.com' not present in server certificate");
#if 0
/* client: aggressive close */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "aggressive-close=1", "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "S:bad pkt: res=-1 err=read failed: EOF,S:close error: res=-1 err=shutdown failed: Broken pipe");
/* server: aggressive close */
str_check(create_worker(&server, true, SERVER1, "aggressive-close=1", NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "C:write failed: Broken pipe,C:close error: res=-1 err=shutdown failed: Success");
#endif
end:;
}
static void test_cipher_nego(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* server key is EC:secp384r1 - ECDHE-ECDSA */
str_check(create_worker(&server, true, "show=ciphers", SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1,
"ciphers=AESGCM",
"host=server1.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=secp384r1",
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384");
/* server key is RSA - ECDHE-RSA */
str_check(create_worker(&server, true, "show=ciphers", SERVER2, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=AESGCM",
"host=server2.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
/* server key is RSA - DHE-RSA */
str_check(create_worker(&server, true, SERVER2,
"show=ciphers",
"dheparams=auto",
NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=EDH+AESGCM",
"host=server2.com",
NULL), "OK");
str_check(run_case(client, server), "TLSv1.2/DHE-RSA-AES256-GCM-SHA384/DH=2048");
/* server key is RSA - ECDHE-RSA */
str_check(create_worker(&server, true, SERVER2,
"show=ciphers",
NULL), "OK");
str_check(create_worker(&client, false, CA2,
"ciphers=EECDH+AES",
"host=server2.com",
NULL), "OK");
str_any3(run_case(client, server),
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=prime256v1",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/ECDH=X25519",
"TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384");
end:;
}
void TestSuite::run_suite(
const IFilter& filter,
ITestListener& test_listener,
TestResult& test_suite_result,
TestResult& cumulated_result) const
{
TestResult local_cumulated_result(cumulated_result);
local_cumulated_result.merge(test_suite_result);
bool has_begun_suite = false;
for (size_t i = 0; i < impl->m_factories.size(); ++i)
{
ITestCaseFactory& factory = *impl->m_factories[i];
// Skip test cases that aren't let through by the filter.
if (!filter.accepts(factory.get_name()))
continue;
if (!has_begun_suite)
{
// Tell the listener that a test suite is about to be executed.
test_listener.begin_suite(*this);
test_suite_result.signal_suite_execution();
has_begun_suite = true;
}
// Tell the listener that a test case is about to be executed.
test_listener.begin_case(*this, factory.get_name());
// Instantiate and run the test case.
TestResult test_case_result;
run_case(factory, test_listener, test_case_result);
// Accumulate the test results.
test_suite_result.merge(test_case_result);
local_cumulated_result.merge(test_case_result);
// Tell the listener that the test case execution has ended.
test_listener.end_case(
*this,
factory.get_name(),
test_suite_result,
test_case_result,
local_cumulated_result);
}
if (has_begun_suite)
{
// Report a test suite failure if one or more test cases failed.
if (test_suite_result.get_case_failure_count() > 0)
test_suite_result.signal_suite_failure();
// Tell the listener that the test suite execution has ended.
test_listener.end_suite(
*this,
test_suite_result,
cumulated_result);
}
}
static void test_clientcert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* ok: server checks client cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* fail: server rejects invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_any3(run_case(client, server),
"C:tlsv1 alert unknown ca - S:no certificate returned",
"C:tlsv1 alert unknown ca,C:shutdown while in init - S:certificate verify failed",
"C:tlsv1 alert unknown ca - S:certificate verify failed");
/* noverifycert: server allow invalid cert */
str_check(create_worker(&server, true, SERVER1, CA1,
"noverifycert=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* verify-client: don't allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_any2(run_case(client, server),
"C:sslv3 alert handshake failure - S:peer did not return a certificate",
"C:sslv3 alert handshake failure,C:shutdown while in init - S:peer did not return a certificate");
/* verify-client-optional: allow client without cert */
str_check(create_worker(&server, true, SERVER1, CA2,
"verify-client-optional=1",
NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
static void test_cert_info(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* server shows client cert */
str_check(create_worker(&server, true, "show=peer-cert", SERVER1, CA2,
"peer-sha1=ssl/ca2_client2.crt.sha1",
"peer-sha256=ssl/ca2_client2.crt.sha256",
"verify-client=1",
NULL), "OK");
str_check(create_worker(&client, false, CLIENT2, CA1,
"host=server1.com",
"peer-sha1=ssl/ca1_server1.crt.sha1",
"peer-sha256=ssl/ca1_server1.crt.sha256",
NULL), "OK");
str_check(run_case(client, server),
"Subject: /CN=client2/C=XX/ST=State2/L=City2/O=Org2"
" Issuer: /CN=TestCA2"
" Serial: 1387724136048036785122419970010419099185643835502"
" NotBefore: 2010-01-01T08:05:00Z"
" NotAfter: 2060-12-31T23:55:00Z");
/* client shows server cert - utf8 */
str_check(create_worker(&server, true, COMPLEX1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "show=peer-cert", "host=complex1.com", NULL), "OK");
str_check(run_case(client, server),
"Subject: /CN=complex1.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä"
" Issuer: /CN=TestCA1/C=AA/ST=State1/L=City1/O=Org1"
" Serial: 1113692385315072860785465640275941003895485612482"
" NotBefore: 2010-01-01T08:05:00Z"
" NotAfter: 2060-12-31T23:55:00Z");
/* client shows server cert - t61/bmp */
str_check(create_worker(&server, true, COMPLEX2, NULL), "OK");
str_check(create_worker(&client, false, CA2, "show=peer-cert", "host=complex2.com", NULL), "OK");
str_check(run_case(client, server),
"Subject: /CN=complex2.com/ST=様々な論争を引き起こしてきた。/L=Kõzzä"
" Issuer: /CN=TestCA2"
" Serial: 344032136906054686761742495217219742691739762030"
" NotBefore: 2010-01-01T08:05:00Z"
" NotAfter: 2060-12-31T23:55:00Z");
end:;
}
static void test_noverifyname(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* noverifyname: client checks server cert, ignore bad hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=example2.com",
"noverifyname=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* noverifyname: client checks server cert, ignore NULL hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "noverifyname=1", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
static void test_set_mem(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* both server & client with cert */
str_check(create_worker(&server, true, "mem=1", SERVER1, CA2, NULL), "OK");
str_check(create_worker(&client, false, "mem=1", CLIENT2, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
static void test_noverifycert(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* noverifycert: client ignores cert */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"host=server1.com",
"noverifycert=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* noverifycert: client ignores cert, but checks hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"host=server2.com",
"noverifycert=1",
NULL), "OK");
str_check(run_case(client, server), "C:name `server2.com' not present in server certificate");
/* noverifycert: client ignores both cert, hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"host=server2.com",
"noverifycert=1",
"noverifyname=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
/* noverifycert: client ignores both cert, hostname (=NULL) */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2,
"noverifycert=1",
"noverifyname=1",
NULL), "OK");
str_check(run_case(client, server), "OK");
end:;
}
static void test_verify(void *z)
{
struct Worker *server = NULL, *client = NULL;
tt_assert(tls_init() == 0);
/* default: client checks server cert, succeeds */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=server1.com", NULL), "OK");
str_check(run_case(client, server), "OK");
/* default: client checks server cert, fails due to bad ca */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA2, "host=example.com", NULL), "OK");
str_check(run_case(client, server), "C:certificate verify failed - S:handshake failure");
/* default: client checks server cert, fails due to bad hostname */
str_check(create_worker(&server, true, SERVER1, NULL), "OK");
str_check(create_worker(&client, false, CA1, "host=example2.com", NULL), "OK");
str_check(run_case(client, server), "C:name 'example2.com' does not match cert");
end:;
}
void run()
{
if (!enabled_list_.empty())
{
auto seq_case_list = seq_case_list_;
seq_case_list_.clear();
for (auto& cpr : seq_case_list)
{
if (enabled_list_.find(cpr.second.name_) != enabled_list_.end())
{
seq_case_list_.emplace(cpr.first, std::move(cpr.second));
}
}
auto case_list = case_list_;
case_list_.clear();
for (auto& c : case_list)
{
if (enabled_list_.find(c.name_) != enabled_list_.end())
{
case_list_.push_back(std::move(c));
}
}
auto final_case_list = final_case_list_;
final_case_list_.clear();
for (auto& cpr : final_case_list)
{
if (enabled_list_.find(cpr.second.name_) != enabled_list_.end())
{
final_case_list_.emplace(cpr.first, std::move(cpr.second));
}
}
}
// Begin utest loop.
csegv::pcall(
[this]()
{
for (auto const& cpr : seq_case_list_)
{
if (run_case(cpr.second))
{
std::cerr << "\n------------------------------------------" << std::endl;
std::cerr << "seq case " << cpr.second.name_ << " not pass, others will not be executed!" << std::endl;
std::cerr << "------------------------------------------" << std::endl;
return;
}
}
for (auto const& c : case_list_)
{
run_case(c);
}
for (auto const& cpr : final_case_list_)
{
run_case(cpr.second);
}
});
}
