Diffstat (limited to 'CryptoPkg/Library/OpensslLib/openssl/test/recipes')
100 files changed, 5948 insertions, 0 deletions
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_abort.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_abort.t
new file mode 100644
index 00000000..2f121e25
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_abort.t
@@ -0,0 +1,16 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+
+setup("test_abort");
+
+plan tests => 1;
+
+is(run(test(["aborttest"])), 0, "Testing that abort is caught correctly");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_sanity.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_sanity.t
new file mode 100644
index 00000000..f01466d8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_sanity.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_sanity", "sanitytest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_symbol_presence.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_symbol_presence.t
new file mode 100644
index 00000000..7f2a2d75
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/01-test_symbol_presence.t 
@@ -0,0 +1,116 @@
+#! /usr/bin/env perl
+# -*- mode: Perl -*-
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use File::Spec::Functions qw(devnull);
+use OpenSSL::Test qw(:DEFAULT srctop_file bldtop_dir bldtop_file);
+use OpenSSL::Test::Utils;
+
+setup("test_symbol_presence");
+
+plan skip_all => "Only useful when building shared libraries"
+ if disabled("shared");
+
+my @libnames = ("crypto", "ssl");
+my $testcount = scalar @libnames;
+
+plan tests => $testcount * 2;
+
+note
+ "NOTE: developer test! It's possible that it won't run on your\n",
+ "platform, and that's perfectly fine. This is mainly for developers\n",
+ "on Unix to check that our shared libraries are consistent with the\n",
+ "ordinals (util/*.num in the source tree), something that should be\n",
+ "good enough a check for the other platforms as well.\n";
+
+foreach my $libname (@libnames) {
+ SKIP:
+ {
+ my $shlibpath = bldtop_file("lib" . $libname . ".so");
+ *OSTDERR = *STDERR;
+ *OSTDOUT = *STDOUT;
+ open STDERR, ">", devnull();
+ open STDOUT, ">", devnull();
+ my @nm_lines = map { s|\R$||; $_ } `nm -Pg $shlibpath 2> /dev/null`;
+ close STDERR;
+ close STDOUT;
+ *STDERR = *OSTDERR;
+ *STDOUT = *OSTDOUT;
+ skip "Can't run 'nm -Pg $shlibpath' => $?... ignoring", 2
+ unless $? == 0;
+
+ my $bldtop = bldtop_dir();
+ my @def_lines;
+ indir $bldtop => sub {
+ my $mkdefpath = srctop_file("util", "mkdef.pl");
+ @def_lines = map { s|\R$||; $_ } `$^X $mkdefpath $libname linux 2> /dev/null`;
+ ok($? 
== 0, "running 'cd $bldtop; $^X $mkdefpath $libname linux' => $?");
+ }, create => 0, cleanup => 0;
+
+ note "Number of lines in \@nm_lines before massaging: ", scalar @nm_lines;
+ note "Number of lines in \@def_lines before massaging: ", scalar @def_lines;
+
+ # Massage the nm output to only contain defined symbols
+ @nm_lines = sort map { s| .*||; $_ } grep(m|.* [BCDST] .*|, @nm_lines);
+
+ # Massage the mkdef.pl output to only contain global symbols
+ # The output we got is in Unix .map format, which has a global
+ # and a local section. We're only interested in the global
+ # section.
+ my $in_global = 0;
+ @def_lines =
+ sort
+ map { s|;||; s|\s+||g; $_ }
+ grep { $in_global = 1 if m|global:|;
+ $in_global = 0 if m|local:|;
+ $in_global = 0 if m|\}|;
+ $in_global && m|;|; } @def_lines;
+
+ note "Number of lines in \@nm_lines after massaging: ", scalar @nm_lines;
+ note "Number of lines in \@def_lines after massaging: ", scalar @def_lines;
+
+ # Maintain lists of symbols that are missing in the shared library,
+ # or that are extra.
+ my @missing = ();
+ my @extra = ();
+
+ while (scalar @nm_lines || scalar @def_lines) {
+ my $nm_first = $nm_lines[0];
+ my $def_first = $def_lines[0];
+
+ if (!defined($nm_first)) {
+ push @missing, shift @def_lines;
+ } elsif (!defined($def_first)) {
+ push @extra, shift @nm_lines;
+ } elsif ($nm_first gt $def_first) {
+ push @missing, shift @def_lines;
+ } elsif ($nm_first lt $def_first) {
+ push @extra, shift @nm_lines;
+ } else {
+ shift @def_lines;
+ shift @nm_lines;
+ }
+ }
+
+ if (scalar @missing) {
+ note "The following symbols are missing in lib$libname.so:";
+ foreach (@missing) {
+ note " $_";
+ }
+ }
+ if (scalar @extra) {
+ note "The following symbols are extra in lib$libname.so:";
+ foreach (@extra) {
+ note " $_";
+ }
+ }
+ ok(scalar @missing == 0,
+ "check that there are no missing symbols in lib$libname.so");
+ }
+}
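Review bot: The backticks `nm -Pg $shlibpath 2> /dev/null` and `$^X $mkdefpath $libname linux 2> /dev/null` pass the build-tree paths through a shell, so a path containing whitespace or shell metacharacters is split or reinterpreted; a list-form pipe open runs the tool without a shell, e.g. `open my $nm_fh, '-|', 'nm', '-Pg', $shlibpath or skip "Can't run nm", 2;` (the `2> /dev/null` is already covered by the STDERR redirection a few lines above). The two `open STDERR, ">", devnull();` / `open STDOUT, ">", devnull();` calls are unchecked, so a failed redirection goes unnoticed. The exposure is small because this is a developer-only test on paths the build produced, but the list form costs nothing.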
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/02-test_ordinals.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/02-test_ordinals.t
new file mode 100644
index 00000000..473d05b0
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/02-test_ordinals.t
@@ -0,0 +1,58 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_ordinals");
+
+plan tests => 2;
+
+ok(testordinals(srctop_file("util", "libcrypto.num")), "Test libcrypto.num");
+ok(testordinals(srctop_file("util", "libssl.num")), "Test libssl.num");
+
+sub testordinals
+{
+ my $filename = shift;
+ my $cnt = 0;
+ my $ret = 1;
+ my $qualifier = "";
+ my $newqual;
+ my $lastfunc = "";
+
+ open(my $fh, '<', $filename);
+ while (my $line = <$fh>) {
+ my @tokens = split(/(?:\s+|\s*:\s*)/, $line);
+ #Check the line looks sane
+ if ($#tokens < 5 || $#tokens > 6) {
+ print STDERR "Invalid line:\n$line\n";
+ $ret = 0;
+ last;
+ }
+ if ($tokens[3] eq "NOEXIST") {
+ #Ignore this line
+ next;
+ }
+ #Some ordinals can be repeated, e.g. if one is VMS and another is !VMS
+ $newqual = $tokens[4];
+ $newqual =~ s/!//g;
+ if ($cnt > $tokens[1]
+ || ($cnt == $tokens[1] && ($qualifier ne $newqual
+ || $qualifier eq ""))) {
+ print STDERR "Invalid ordinal detected: ".$tokens[1]."\n";
+ $ret = 0;
+ last;
+ }
+ $cnt = $tokens[1];
+ $qualifier = $newqual;
+ $lastfunc = $tokens[0];
+ }
+ close($fh);
+
+ return $ret;
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/03-test_exdata.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/03-test_exdata.t
new file mode 100644
index 00000000..da66f959
--- /dev/null
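Review bot: `open(my $fh, '<', $filename);` in testordinals is unchecked, so a missing or unreadable `.num` file gives the `while` loop nothing to read and the sub still returns `$ret = 1`, i.e. the ordinal check passes vacuously; `open(my $fh, '<', $filename) or return 0;` (or `or die "open $filename: $!"`) makes that failure visible. `$lastfunc` is assigned on every iteration but never read and can be dropped. This recipe also lacks `use warnings`, unlike most of the sibling recipes in the same commit.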
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/03-test_exdata.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_exdata", "exdatatest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/03-test_ui.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/03-test_ui.t
new file mode 100644
index 00000000..b1065d1b
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/03-test_ui.t
@@ -0,0 +1,30 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+use OpenSSL::Test;
+
+setup("test_ui");
+
+plan tests => 1;
+
+note <<"EOF";
+The best way to test the UI interface is currently by using an openssl
+command that uses password_callback. The only one that does this is
+'genrsa'.
+Since password_callback uses a UI method derived from UI_OpenSSL(), it
+ensures that one gets tested well enough as well.
+EOF
+
+my $outfile = "rsa_$$.pem";
+ok(run(app(["openssl", "genrsa", "-passout", "pass:password", "-aes128",
+ "-out", $outfile])),
+ "Checking that genrsa with a password works properly");
+
+unlink $outfile;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem.t
new file mode 100644
index 00000000..48f62ff8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem.t 
@@ -0,0 +1,106 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ======================================================================
+
+
+use strict;
+use warnings;
+
+use File::Compare qw/compare_text/;
+use File::Basename;
+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_pem_reading");
+
+my $testsrc = srctop_file("test", "recipes", basename($0));
+
+my $cmd = "openssl";
+
+# map input PEM file to 1 if it should be accepted; 0 when should be rejected
+my %cert_expected = (
+ "cert-1023line.pem" => 1,
+ "cert-1024line.pem" => 1,
+ "cert-1025line.pem" => 1,
+ "cert-255line.pem" => 1,
+ "cert-256line.pem" => 1,
+ "cert-257line.pem" => 1,
+ "cert-blankline.pem" => 0,
+ "cert-comment.pem" => 0,
+ "cert-earlypad.pem" => 0,
+ "cert-extrapad.pem" => 0,
+ "cert-infixwhitespace.pem" => 1,
+ "cert-junk.pem" => 0,
+ "cert-leadingwhitespace.pem" => 1,
+ "cert-longline.pem" => 1,
+ "cert-misalignedpad.pem" => 0,
+ "cert-onecolumn.pem" => 1,
+ "cert-oneline.pem" => 1,
+ "cert-shortandlongline.pem" => 1,
+ "cert-shortline.pem" => 1,
+ "cert-threecolumn.pem" => 1,
+ "cert-trailingwhitespace.pem" => 1,
+ "cert.pem" => 1
+);
+my %dsa_expected = (
+ "dsa-1023line.pem" => 0,
+ "dsa-1024line.pem" => 0,
+ "dsa-1025line.pem" => 0,
+ "dsa-255line.pem" => 0,
+ "dsa-256line.pem" => 0,
+ "dsa-257line.pem" => 0,
+ "dsa-blankline.pem" => 0,
+ "dsa-comment.pem" => 0,
+ "dsa-corruptedheader.pem" => 0,
+ "dsa-corruptiv.pem" => 0,
+ "dsa-earlypad.pem" => 0,
+ "dsa-extrapad.pem" => 0,
+ "dsa-infixwhitespace.pem" => 0,
+ "dsa-junk.pem" => 0,
+ "dsa-leadingwhitespace.pem" => 0,
+ "dsa-longline.pem" => 0,
+ "dsa-misalignedpad.pem" => 0,
+ 
"dsa-onecolumn.pem" => 0,
+ "dsa-oneline.pem" => 0,
+ "dsa-onelineheader.pem" => 0,
+ "dsa-shortandlongline.pem" => 0,
+ "dsa-shortline.pem" => 0,
+ "dsa-threecolumn.pem" => 0,
+ "dsa-trailingwhitespace.pem" => 1,
+ "dsa.pem" => 1
+);
+
+plan tests => scalar keys(%cert_expected) + scalar keys(%dsa_expected) + 1;
+
+foreach my $input (keys %cert_expected) {
+ my @common = ($cmd, "x509", "-text", "-noout", "-inform", "PEM", "-in");
+ my @data = run(app([@common, data_file($input)], stderr => undef), capture => 1);
+ my @match = grep /The Great State of Long-Winded Certificate Field Names Whereby to Increase the Output Size/, @data;
+ is((scalar @match > 0 ? 1 : 0), $cert_expected{$input});
+}
+SKIP: {
+ skip "DSA support disabled, skipping...", (scalar keys %dsa_expected) unless !disabled("dsa");
+ foreach my $input (keys %dsa_expected) {
+ my @common = ($cmd, "pkey", "-inform", "PEM", "-passin", "file:" . data_file("wellknown"), "-noout", "-text", "-in");
+ my @data;
+ {
+ local $ENV{MSYS2_ARG_CONV_EXCL} = "file:";
+ @data = run(app([@common, data_file($input)], stderr => undef), capture => 1);
+ }
+ my @match = grep /68:42:02:16:63:54:16:eb:06:5c:ab:06:72:3b:78:/, @data;
+ is((scalar @match > 0 ? 1 : 0), $dsa_expected{$input});
+ }
+}
+SKIP: {
+ skip "RSA support disabled, skipping...", 1 unless !disabled("rsa");
+ my @common = ($cmd, "pkey", "-inform", "PEM", "-noout", "-text", "-in");
+ my @data = run(app([@common, data_file("beermug.pem")], stderr => undef), capture => 1);
+ my @match = grep /00:a0:3a:21:14:5d:cd:b6:d5:a0:3e:49:23:c1:3a:/, @data;
+ ok(scalar @match > 0 ? 1 : 0);
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem_data/NOTES b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem_data/NOTES
new file mode 100644
index 00000000..baafd156
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem_data/NOTES
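Review bot: The `is(...)` calls in both loops carry no description, so a failing input is reported only by test number and value rather than by file name; `is((scalar @match > 0 ? 1 : 0), $cert_expected{$input}, "PEM parsing of $input");` (and the same for the DSA loop and the final `ok(...)` in the RSA block) makes a regression locatable. The guards `unless !disabled("dsa")` and `unless !disabled("rsa")` are double negations; `if disabled("dsa")` states the intended condition directly. `$testsrc` and the `File::Compare` import are unused in this file and can go.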
@@ -0,0 +1,3 @@
+The cert-*.pem and dsa-*.pem files are generated as manipulation of the
+ASCII text of cert.pem and dsa.pem, respectively -- they should decode to the
+same data.
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem_data/wellknown b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem_data/wellknown
new file mode 100644
index 00000000..632e28f3
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/04-test_pem_data/wellknown
@@ -0,0 +1 @@
+wellknown
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_bf.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_bf.t
new file mode 100644
index 00000000..64c96095
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_bf.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_bf", "bftest", "bf");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_cast.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_cast.t
new file mode 100644
index 00000000..46c61dac
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_cast.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_cast", "casttest", "cast");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_des.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_des.t
new file mode 100644
index 00000000..2e6a32ba
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_des.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_des", "destest", "des");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_hmac.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_hmac.t
new file mode 100644
index 00000000..2059bcc8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_hmac.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_hmac", "hmactest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_idea.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_idea.t
new file mode 100644
index 00000000..ca2b7675
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_idea.t 
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_idea", "ideatest", "idea");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md2.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md2.t
new file mode 100644
index 00000000..8781af0e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md2.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_md2", "md2test", "md2");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md4.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md4.t
new file mode 100644
index 00000000..59a815bd
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md4.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_md4", "md4test", "md4");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md5.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md5.t
new file mode 100644
index 00000000..3af4d550
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_md5.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_md5", "md5test", "md5");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_mdc2.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_mdc2.t
new file mode 100644
index 00000000..181c90f1
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_mdc2.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_mdc2", "mdc2test", "mdc2");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rand.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rand.t
new file mode 100644
index 00000000..3b175fac
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rand.t 
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_rand", "randtest", "rand");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc2.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc2.t
new file mode 100644
index 00000000..77d93829
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc2.t
@@ -0,0 +1,11 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_rc2", "rc2test", "rc2");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc4.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc4.t
new file mode 100644
index 00000000..a26c9b8e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc4.t
@@ -0,0 +1,11 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_rc4", "rc4test", "rc4");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc5.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc5.t
new file mode 100644
index 00000000..fda0cd2e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rc5.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_rc5", "rc5test", "rc5");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rmd.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rmd.t
new file mode 100644
index 00000000..b1112e13
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_rmd.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_rmd", "rmdtest", "rmd");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha1.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha1.t
new file mode 100644
index 00000000..21bb74ed
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha1.t 
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_sha1", "sha1test", "sha");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha256.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha256.t
new file mode 100644
index 00000000..071a45c6
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha256.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_sha256", "sha256t", "sha");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha512.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha512.t
new file mode 100644
index 00000000..4ce585ce
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_sha512.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_sha512", "sha512t", "sha");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_wp.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_wp.t
new file mode 100644
index 00000000..a042898f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/05-test_wp.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_wp", "wp_test", "whirlpool");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/10-test_bn.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/10-test_bn.t
new file mode 100644
index 00000000..13f278e7
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/10-test_bn.t 
@@ -0,0 +1,84 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use Math::BigInt;
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_bn");
+
+plan tests => 3;
+
+require_ok(srctop_file("test","recipes","bc.pl"));
+
+my $testresults = "tmp.bntest";
+my $init = ok(run(test(["bntest"], stdout => $testresults)), 'initialize');
+
+ SKIP: {
+ skip "Initializing failed, skipping", 1 if !$init;
+
+ subtest 'Checking the bn results' => sub {
+ my @lines = ();
+ if (open DATA, $testresults) {
+ @lines = <DATA>;
+ close DATA;
+ }
+ map { s/\R//; } @lines; # chomp(@lines);
+
+ plan tests => scalar grep(/^print /, @lines);
+
+ my $l = "";
+
+ while (scalar @lines) {
+ $l = shift @lines;
+
+ last if $l =~ /^print /;
+ }
+
+ while (1) {
+ $l =~ s/^print "//;
+ $l =~ s/\\n"//;
+ my $t = $l;
+ my @operations = ();
+
+ $l = undef;
+ while (scalar @lines) {
+ $l = shift @lines;
+
+ last if $l =~ /^print /;
+ push @operations, $l;
+ $l = undef;
+ }
+
+ ok(check_operations(@operations), "verify $t");
+
+ last unless $l;
+ }
+ };
+ }
+
+unlink $testresults;
+
+sub check_operations {
+ my $failcount = 0;
+
+ foreach my $line (@_) {
+ my $result = calc(split /\s+/, $line);
+
+ if ($result ne "0" && $result ne "0x0") {
+ $failcount++;
+ print STDERR "Failed! $line => $result\n";
+ }
+ }
+
+ return $failcount == 0;
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/10-test_exp.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/10-test_exp.t
new file mode 100644
index 00000000..7e999c4a
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/10-test_exp.t
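Review bot: `open DATA, $testresults` inside the subtest is a two-argument open onto the bareword `DATA` handle: the two-argument form lets the filename choose the open mode, and `DATA` is the handle Perl reserves for the text after `__END__`, so this clobbers it; `open my $results_fh, '<', $testresults` with `<$results_fh>` and `close $results_fh` gives the same behaviour on a lexical handle. `$testresults` is the fixed string `"tmp.bntest"` here, so there is no injection, only the idiom. `map { s/\R//; } @lines;` is `map` in void context; `s/\R// for @lines;` says what the trailing `# chomp(@lines)` comment already implies.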
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_exp", "exptest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dh.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dh.t
new file mode 100644
index 00000000..60cb54c0
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dh.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_dh", "dhtest", "dh");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsa.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsa.t
new file mode 100644
index 00000000..2fd236e8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_dsa.t 
@@ -0,0 +1,40 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_dsa");
+
+plan tests => 6;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+ok(run(test(["dsatest"])), "running dsatest");
+ok(run(test(["dsatest", "-app2_1"])), "running dsatest -app2_1");
+
+ SKIP: {
+ skip "Skipping dsa conversion test", 3
+ if disabled("dsa");
+
+ subtest 'dsa conversions -- private key' => sub {
+ tconversion("dsa", srctop_file("test","testdsa.pem"));
+ };
+ subtest 'dsa conversions -- private key PKCS#8' => sub {
+ tconversion("dsa", srctop_file("test","testdsa.pem"), "pkey");
+ };
+ subtest 'dsa conversions -- public key' => sub {
+ tconversion("msb", srctop_file("test","testdsapub.pem"), "dsa",
+ "-pubin", "-pubout");
+ };
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_ec.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_ec.t
new file mode 100644
index 00000000..a1c704a3
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_ec.t 
@@ -0,0 +1,38 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_ec");
+
+plan tests => 5;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+ok(run(test(["ectest"])), "running ectest");
+
+ SKIP: {
+ skip "Skipping ec conversion test", 3
+ if disabled("ec");
+
+ subtest 'ec conversions -- private key' => sub {
+ tconversion("ec", srctop_file("test","testec-p256.pem"));
+ };
+ subtest 'ec conversions -- private key PKCS#8' => sub {
+ tconversion("ec", srctop_file("test","testec-p256.pem"), "pkey");
+ };
+ subtest 'ec conversions -- public key' => sub {
+ tconversion("ec", srctop_file("test","testecpub-p256.pem"), "ec", "-pubin", "-pubout");
+ };
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_ecdsa.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_ecdsa.t
new file mode 100644
index 00000000..82a85594
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_ecdsa.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_ecdsa", "ecdsatest", "ec");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_genrsa.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_genrsa.t
new file mode 100644
index 00000000..cc74e303
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_genrsa.t
@@ -0,0 +1,26 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_genrsa");
+
+plan tests => 5;
+
+is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
+ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '16'])), "genrsa -3 16");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check");
+ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', '16'])), "genrsa -f4 16");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check");
+unlink 'genrsatest.pem';
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_rsa.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_rsa.t
new file mode 100644
index 00000000..59888217
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_rsa.t
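Review bot: The first assertion, `is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");`, deliberately expects the command to fail, but its description reads exactly like the four positive cases below it, so a failure report would not say that rejection was the intent; `"genrsa -3 8 (expected to be rejected)"` makes it self-explaining. The two `"rsa -check"` descriptions are also identical, so a regression in the `-f4` key cannot be told apart from one in the `-3` key in the TAP output; `"rsa -check (-3 key)"` and `"rsa -check (-f4 key)"` would fix that. The closing `unlink 'genrsatest.pem';` discards its result, which is acceptable for cleanup but worth marking with `# best-effort cleanup of the generated key`.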
@@ -0,0 +1,47 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_rsa");
+
+plan tests => 6;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+ok(run(test(["rsa_test"])), "running rsatest");
+
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', srctop_file('test', 'testrsa.pem'), '-noout'])), "rsa -check");
+
+ SKIP: {
+ skip "Skipping rsa conversion test", 3
+ if disabled("rsa");
+
+ subtest 'rsa conversions -- private key' => sub {
+ tconversion("rsa", srctop_file("test","testrsa.pem"));
+ };
+ subtest 'rsa conversions -- private key PKCS#8' => sub {
+ tconversion("rsa", srctop_file("test","testrsa.pem"), "pkey");
+ };
+}
+
+ SKIP: {
+ skip "Skipping msblob conversion test", 1
+ if disabled("rsa") || disabled("dsa");
+
+ subtest 'rsa conversions -- public key' => sub {
+ tconversion("msb", srctop_file("test","testrsapub.pem"), "rsa",
+ "-pubin", "-pubout");
+ };
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_rsapss.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_rsapss.t
new file mode 100644
index 00000000..34accaa2
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/15-test_rsapss.t
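Review bot: `ok(run(test(["rsa_test"])), "running rsatest");` names the test binary `rsa_test` but describes it as `rsatest`, so someone grepping the tree for a failing description will not find the program; `"running rsa_test"` keeps the two in step. The first `SKIP:` block skips 3 subtests but the plan counts 2 in that block plus the 1 in the second block, which only works because the first block's count was written before the msblob case was split out — the number still adds up, but `skip "Skipping rsa conversion test", 2` is what the block actually contains and would keep the plan honest if either block changes. The second block gates an RSA msblob conversion on `disabled("dsa")` as well; presumably the `msb` path in tconversion.pl needs DSA support too, but a one-line comment stating that would save the next reader the lookup.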
@@ -0,0 +1,49 @@ +#! /usr/bin/env perl +# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT with srctop_file/; +use OpenSSL::Test::Utils; + +setup("test_rsapss"); + +plan tests => 5; + +#using test/testrsa.pem which happens to be a 512 bit RSA +ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-2', + '-sigopt', 'rsa_mgf1_md:sha512', '-out', 'testrsapss.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -sign"); + +with({ exit_checker => sub { return shift == 1; } }, + sub { ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha512', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-2', + '-sigopt', 'rsa_mgf1_md:sha512', srctop_file('test', 'testrsa.pem')])), + "openssl dgst -sign, expect to fail gracefully"); + ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha512', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:2147483647', + '-sigopt', 'rsa_mgf1_md:sha1', srctop_file('test', 'testrsa.pem')])), + "openssl dgst -sign, expect to fail gracefully"); + ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha512', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 'rsa_pss_saltlen:-2', + '-sigopt', 'rsa_mgf1_md:sha512', '-signature', 'testrsapss.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -prverify, expect to fail gracefully"); + }); + +ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha1', + '-sigopt', 'rsa_padding_mode:pss', '-sigopt', 
'rsa_pss_saltlen:-2', + '-sigopt', 'rsa_mgf1_md:sha512', '-signature', 'testrsapss.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -prverify"); +unlink 'testrsapss.sig'; diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/20-test_enc.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/20-test_enc.t new file mode 100644 index 00000000..88a58904 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/20-test_enc.t 
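Review bot: The three negative cases inside the `with({ exit_checker => sub { return shift == 1; } }, ...)` block reuse the same description — `"openssl dgst -sign, expect to fail gracefully"` twice and `"openssl dgst -prverify, expect to fail gracefully"` once — so a failure report cannot say which case regressed. Give each one the reason it is expected to fail, e.g. `"dgst -sign sha512 / saltlen -2 on a 512-bit key, expect to fail gracefully"`, `"dgst -sign saltlen 2147483647, expect to fail gracefully"` and `"dgst -prverify with sha512 against a sha1 signature, expect to fail gracefully"`; the third reason is visible in the hunk (the signature in testrsapss.sig was produced with `-sha1`), the first presumably because the SHA-512 digest plus salt cannot fit the 512-bit modulus mentioned in the comment above — worth confirming before writing it down. The exit_checker pins exit status exactly 1; a comment such as `# dgst reports a rejected parameter with exit status 1; any other status (e.g. a crash) must fail the test` would explain why the check is `== 1` rather than `!= 0`.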
@@ -0,0 +1,69 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec::Functions qw/catfile/; +use File::Copy; +use File::Compare qw/compare_text/; +use File::Basename; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_enc"); + +# We do it this way, because setup() may have moved us around, +# so the directory portion of $0 might not be correct any more. +# However, the name hasn't changed. +my $testsrc = srctop_file("test","recipes",basename($0)); + +my $test = catfile(".", "p"); + +my $cmd = "openssl"; + +my @ciphers = + map { s/^\s+//; s/\s+$//; split /\s+/ } + run(app([$cmd, "list", "-cipher-commands"]), capture => 1); + +plan tests => 1 + (scalar @ciphers)*2; + +my $init = ok(copy($testsrc,$test)); + +if (!$init) { + diag("Trying to copy $testsrc to $test : $!"); +} + + SKIP: { + skip "Not initialized, skipping...", 11 unless $init; + + foreach my $c (@ciphers) { + my %variant = ("$c" => [], + "$c base64" => [ "-a" ]); + + foreach my $t (sort keys %variant) { + my $cipherfile = "$test.$c.cipher"; + my $clearfile = "$test.$c.clear"; + my @e = ( "$c", "-bufsize", "113", @{$variant{$t}}, "-e", "-k", "test" ); + my @d = ( "$c", "-bufsize", "157", @{$variant{$t}}, "-d", "-k", "test" ); + if ($c eq "cat") { + $cipherfile = "$test.cipher"; + $clearfile = "$test.clear"; + @e = ( "enc", @{$variant{$t}}, "-e" ); + @d = ( "enc", @{$variant{$t}}, "-d" ); + } + + ok(run(app([$cmd, @e, "-in", $test, "-out", $cipherfile])) + && run(app([$cmd, @d, "-in", $cipherfile, "-out", $clearfile])) + && compare_text($test,$clearfile) == 0, $t); + unlink $cipherfile, $clearfile; + } + } +} + +unlink $test; 
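Review bot: `skip "Not initialized, skipping...", 11 unless $init;` hard-codes 11 while the plan is `1 + (scalar @ciphers)*2`, so when the initial copy fails the skip count only matches the plan for exactly five cipher commands and any other list length turns the clean skip into a plan mismatch. Use the same expression as the plan: `skip "Not initialized, skipping...", (scalar @ciphers)*2 unless $init;`. Separately, `@ciphers` is derived from `openssl list -cipher-commands` before `plan` is called, so an empty listing would yield a plan of 1 and a silently vacuous loop; an assertion such as `ok(scalar @ciphers, "cipher command list is not empty");` (with the plan bumped by one) would surface that. The `if ($c eq "cat")` special case also deserves a one-line comment saying that `cat` is listed as a cipher command but is run through plain `enc` with no cipher.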
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/20-test_passwd.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/20-test_passwd.t
new file mode 100644
index 00000000..cf9c2cc8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/20-test_passwd.t
@@ -0,0 +1,39 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+
+setup("test_passwd");
+
+plan tests => disabled("des") ? 4 : 6;
+
+ok(compare1stline([qw{openssl passwd password}], '^.{13}\R$'),
+ 'crypt password with random salt') if !disabled("des");
+ok(compare1stline([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
+ 'BSD style MD5 password with random salt');
+ok(compare1stline([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
+ 'Apache style MD5 password with random salt');
+ok(compare1stline([qw{openssl passwd -salt xx password}], '^xxj31ZMTZzkVA\R$'),
+ 'crypt password with salt xx') if !disabled("des");
+ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '^\$1\$xxxxxxxx\$UYCIxa628\.9qXjpQCjM4a\.\R$'),
+ 'BSD style MD5 password with salt xxxxxxxx');
+ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '^\$apr1\$xxxxxxxx\$dxHfLAsjHkDRmG83UXe8K0\R$'),
+ 'Apache style MD5 password with salt xxxxxxxx');
+
+
+sub compare1stline {
+ my ($cmdarray, $regexp) = @_;
+ my @lines = run(app($cmdarray), capture => 1);
+
+ return $lines[0] =~ m|$regexp|;
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_crl.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_crl.t
new file mode 100644
index 00000000..e8ce5f85
--- /dev/null
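Review bot: `compare1stline` matches `$lines[0]` without checking that `run(app($cmdarray), capture => 1)` returned any output, so a `passwd` invocation that prints nothing (or fails to start) produces an uninitialized-value warning and a confusing match failure rather than a clear one; add `return 0 unless @lines;` before the `return $lines[0] =~ m|$regexp|;`. The patterns are passed as single-quoted strings and compiled at match time inside `m|...|`; `qr{...}` literals at the call sites would get compile-time syntax checking and make the `\$` escapes easier to read. A helper with the same name in 25-test_crl.t does a literal `\Q...\E` comparison instead of a regex match, which is confusing across the two recipes — either share one implementation via tconversion.pl or give the two different names.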
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_crl.t
@@ -0,0 +1,43 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_crl");
+
+plan tests => 5;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+subtest 'crl conversions' => sub {
+ tconversion("crl", srctop_file("test","testcrl.pem"));
+};
+
+ok(run(test(['crltest'])));
+
+ok(compare1stline([qw{openssl crl -noout -fingerprint -in},
+ srctop_file('test', 'testcrl.pem')],
+ 'SHA1 Fingerprint=BA:F4:1B:AD:7A:9B:2F:09:16:BC:60:A7:0E:CE:79:2E:36:00:E7:B2'));
+ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in},
+ srctop_file('test', 'testcrl.pem')],
+ 'SHA256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
+
+sub compare1stline {
+ my ($cmdarray, $str) = @_;
+ my @lines = run(app($cmdarray), capture => 1);
+
+ return 1 if $lines[0] =~ m|^\Q${str}\E\R$|;
+ note "Got ", $lines[0];
+ note "Expected ", $str;
+ return 0;
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_d2i.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_d2i.t
new file mode 100644
index 00000000..688c8ed7
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_d2i.t
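Review bot: `ok(run(test(['crltest'])));` is the only assertion in the file without a description, so a failure prints just a test number; `ok(run(test(['crltest'])), "running crltest");` matches the other recipes and the two fingerprint checks that follow. The two fingerprint assertions also have no description, and the expected strings are long enough that `"SHA-1 fingerprint of testcrl.pem"` and `"SHA-256 fingerprint of testcrl.pem"` would make the TAP output readable. A comment above them, `# fingerprints are pinned to the fixed test/testcrl.pem fixture`, would make clear that the SHA-1 case checks the `-fingerprint` default output format, not a property of the CRL's own signature.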
@@ -0,0 +1,93 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT srctop_file/; +use OpenSSL::Test::Utils; + +setup("test_d2i"); + +plan tests => 14; + +ok(run(test(["d2i_test", "X509", "decode", + srctop_file('test','d2i-tests','bad_cert.der')])), + "Running d2i_test bad_cert.der"); + +ok(run(test(["d2i_test", "GENERAL_NAME", "decode", + srctop_file('test','d2i-tests','bad_generalname.der')])), + "Running d2i_test bad_generalname.der"); + +ok(run(test(["d2i_test", "ASN1_ANY", "BIO", + srctop_file('test','d2i-tests','bad_bio.der')])), + "Running d2i_test bad_bio.der"); +# This test checks CVE-2016-2108. The data consists of an tag 258 and +# two zero content octets. This is parsed as an ASN1_ANY type. If the +# type is incorrectly interpreted as an ASN.1 INTEGER the two zero content +# octets will be reject as invalid padding and this test will fail. +# If the type is correctly interpreted it will by treated as an ASN1_STRING +# type and the content octets copied verbatim. +ok(run(test(["d2i_test", "ASN1_ANY", "OK", + srctop_file('test','d2i-tests','high_tag.der')])), + "Running d2i_test high_tag.der"); + +# Above test data but interpreted as ASN.1 INTEGER: this will be rejected +# because the tag is invalid. +ok(run(test(["d2i_test", "ASN1_INTEGER", "decode", + srctop_file('test','d2i-tests','high_tag.der')])), + "Running d2i_test high_tag.der INTEGER"); + +# Parse valid 0, 1 and -1 ASN.1 INTEGER as INTEGER or ANY. 
+ +ok(run(test(["d2i_test", "ASN1_INTEGER", "OK", + srctop_file('test','d2i-tests','int0.der')])), + "Running d2i_test int0.der INTEGER"); + +ok(run(test(["d2i_test", "ASN1_INTEGER", "OK", + srctop_file('test','d2i-tests','int1.der')])), + "Running d2i_test int1.der INTEGER"); + +ok(run(test(["d2i_test", "ASN1_INTEGER", "OK", + srctop_file('test','d2i-tests','intminus1.der')])), + "Running d2i_test intminus1.der INTEGER"); + +ok(run(test(["d2i_test", "ASN1_ANY", "OK", + srctop_file('test','d2i-tests','int0.der')])), + "Running d2i_test int0.der ANY"); + +ok(run(test(["d2i_test", "ASN1_ANY", "OK", + srctop_file('test','d2i-tests','int1.der')])), + "Running d2i_test int1.der ANY"); + +ok(run(test(["d2i_test", "ASN1_ANY", "OK", + srctop_file('test','d2i-tests','intminus1.der')])), + "Running d2i_test intminus1.der ANY"); + +# Integers with illegal additional padding. + +ok(run(test(["d2i_test", "ASN1_INTEGER", "decode", + srctop_file('test','d2i-tests','bad-int-pad0.der')])), + "Running d2i_test bad-int-pad0.der INTEGER"); + +ok(run(test(["d2i_test", "ASN1_INTEGER", "decode", + srctop_file('test','d2i-tests','bad-int-padminus1.der')])), + "Running d2i_test bad-int-padminus1.der INTEGER"); + +SKIP: { + skip "No CMS support in this configuration", 1 if disabled("cms"); + + # Invalid CMS structure with decode error in CHOICE value. + # Test for CVE-2016-7053 + + ok(run(test(["d2i_test", "CMS_ContentInfo", "decode", + srctop_file('test','d2i-tests','bad-cms.der')])), + "Running d2i_test bad-cms.der CMS ContentInfo"); +} diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_pkcs7.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_pkcs7.t new file mode 100644 index 00000000..724326ba --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_pkcs7.t 
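Review bot: The block comment above the `high_tag.der` case has three wording slips that matter because it is the only record of why that input is expected to be accepted: `# This test checks CVE-2016-2108. The data consists of an tag 258 and` should read `a tag 258`, `octets will be reject as invalid padding` should be `will be rejected`, and `it will by treated as an ASN1_STRING` should be `will be treated`. The comment for the `bad-int-pad0.der` / `bad-int-padminus1.der` pair, `# Integers with illegal additional padding.`, could say what the test asserts, e.g. `# Integers with illegal additional padding: both must fail to decode.`, since the `"decode"` argument is the only hint. The `SKIP:` block at the end is correctly gated on `disabled("cms")` with a skip count of 1 matching its single assertion.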
@@ -0,0 +1,27 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_pkcs7");
+
+plan tests => 3;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+subtest 'pkcs7 conversions -- pkcs7' => sub {
+ tconversion("p7", srctop_file("test", "testp7.pem"), "pkcs7");
+};
+subtest 'pkcs7 conversions -- pkcs7d' => sub {
+ tconversion("p7d", srctop_file("test", "pkcs7-1.pem"), "pkcs7");
+};
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_req.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_req.t
new file mode 100644
index 00000000..bcc10257
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_req.t
@@ -0,0 +1,76 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use OpenSSL::Test::Utils; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_req"); + +plan tests => 4; + +require_ok(srctop_file('test','recipes','tconversion.pl')); + +open RND, ">>", ".rnd"; +print RND "string to make the random number generator think it has entropy"; +close RND; +subtest "generating certificate requests" => sub { + my @req_new; + if (disabled("rsa")) { + @req_new = ("-newkey", "dsa:".srctop_file("apps", "dsa512.pem")); + } else { + @req_new = ("-new"); + note("There should be a 2 sequences of .'s and some +'s."); + note("There should not be more that at most 80 per line"); + } + + plan tests => 2; + + ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), + @req_new, "-out", "testreq.pem"])), + "Generating request"); + + ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), + "-verify", "-in", "testreq.pem", "-noout"])), + "Verifying signature on request"); +}; + +my @openssl_args = ("req", "-config", srctop_file("apps", "openssl.cnf")); + +run_conversion('req conversions', + "testreq.pem"); +run_conversion('req conversions -- testreq2', + srctop_file("test", "testreq2.pem")); + +unlink "testkey.pem", "testreq.pem"; + +sub run_conversion { + my $title = shift; + my $reqfile = shift; + + subtest $title => sub { + run(app(["openssl", @openssl_args, + "-in", $reqfile, "-inform", "p", + "-noout", "-text"], + stderr => "req-check.err", stdout => undef)); + open DATA, "req-check.err"; + SKIP: { + plan skip_all => "skipping req conversion test for $reqfile" + if grep /Unknown Public Key/, map { s/\R//; } <DATA>; + 
+ tconversion("req", $reqfile, @openssl_args); + } + close DATA; + unlink "req-check.err"; + + done_testing(); + }; +} diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_sid.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_sid.t new file mode 100644 index 00000000..b13cb5c2 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_sid.t @@ -0,0 +1,24 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_sid"); + +plan tests => 2; + +require_ok(srctop_file('test','recipes','tconversion.pl')); + +subtest 'sid conversions' => sub { + tconversion("sid", srctop_file("test","testsid.pem"), "sess_id"); +}; diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_verify.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_verify.t new file mode 100644 index 00000000..11bd4309 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_verify.t 
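Review bot: In `run_conversion`, `if grep /Unknown Public Key/, map { s/\R//; } <DATA>;` greps over the return values of `s/\R//` (1 or the empty string), not over the lines themselves, so the "Unknown Public Key" skip can never fire and the conversion subtest runs regardless; `if grep { /Unknown Public Key/ } <DATA>;` is sufficient, since the trailing newline does not affect that match. `open DATA, "req-check.err";` is a two-argument, unchecked open onto a bareword, and `DATA` is also Perl's special handle for text after `__END__`; `open my $err, '<', "req-check.err" or die "open req-check.err: $!";` with `<$err>` avoids both problems, and the same unchecked bareword pattern appears earlier in the hunk at `open RND, ">>", ".rnd";`, whose failure is silently ignored. The `.rnd` seeding line would benefit from a comment such as `# test-only: pre-seed the RNG state file so key generation does not stall on entropy` so a reader does not mistake it for a supported way to seed the generator.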
@@ -0,0 +1,380 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use File::Spec::Functions qw/canonpath/; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_verify"); + +sub verify { + my ($cert, $purpose, $trusted, $untrusted, @opts) = @_; + my @args = qw(openssl verify -auth_level 1 -purpose); + my @path = qw(test certs); + push(@args, "$purpose", @opts); + for (@$trusted) { + push(@args, "-trusted", srctop_file(@path, "$_.pem")) + } + for (@$untrusted) { + push(@args, "-untrusted", srctop_file(@path, "$_.pem")) + } + push(@args, srctop_file(@path, "$cert.pem")); + run(app([@args])); +} + +plan tests => 127; + +# Canonical success +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), + "accept compat trust"); + +# Root CA variants +ok(!verify("ee-cert", "sslserver", [qw(root-nonca)], [qw(ca-cert)]), + "fail trusted non-ca root"); +ok(!verify("ee-cert", "sslserver", [qw(nroot+serverAuth)], [qw(ca-cert)]), + "fail server trust non-ca root"); +ok(!verify("ee-cert", "sslserver", [qw(nroot+anyEKU)], [qw(ca-cert)]), + "fail wildcard trust non-ca root"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert2)], [qw(ca-cert)]), + "fail wrong root key"); +ok(!verify("ee-cert", "sslserver", [qw(root-name2)], [qw(ca-cert)]), + "fail wrong root DN"); + +# Explicit trust/purpose combinations +# +ok(verify("ee-cert", "sslserver", [qw(sroot-cert)], [qw(ca-cert)]), + "accept server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-cert)], [qw(ca-cert)]), + "fail client purpose"); +ok(verify("ee-cert", "sslserver", [qw(root+serverAuth)], [qw(ca-cert)]), + "accept server trust"); +ok(verify("ee-cert", "sslserver", 
[qw(sroot+serverAuth)], [qw(ca-cert)]), + "accept server trust with server purpose"); +ok(verify("ee-cert", "sslserver", [qw(croot+serverAuth)], [qw(ca-cert)]), + "accept server trust with client purpose"); +# Wildcard trust +ok(verify("ee-cert", "sslserver", [qw(root+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust"); +ok(verify("ee-cert", "sslserver", [qw(sroot+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust with server purpose"); +ok(verify("ee-cert", "sslserver", [qw(croot+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust with client purpose"); +# Inapplicable mistrust +ok(verify("ee-cert", "sslserver", [qw(root-clientAuth)], [qw(ca-cert)]), + "accept client mistrust"); +ok(verify("ee-cert", "sslserver", [qw(sroot-clientAuth)], [qw(ca-cert)]), + "accept client mistrust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-clientAuth)], [qw(ca-cert)]), + "fail client mistrust with client purpose"); +# Inapplicable trust +ok(!verify("ee-cert", "sslserver", [qw(root+clientAuth)], [qw(ca-cert)]), + "fail client trust"); +ok(!verify("ee-cert", "sslserver", [qw(sroot+clientAuth)], [qw(ca-cert)]), + "fail client trust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot+clientAuth)], [qw(ca-cert)]), + "fail client trust with client purpose"); +# Server mistrust +ok(!verify("ee-cert", "sslserver", [qw(root-serverAuth)], [qw(ca-cert)]), + "fail rejected EKU"); +ok(!verify("ee-cert", "sslserver", [qw(sroot-serverAuth)], [qw(ca-cert)]), + "fail server mistrust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-serverAuth)], [qw(ca-cert)]), + "fail server mistrust with client purpose"); +# Wildcard mistrust +ok(!verify("ee-cert", "sslserver", [qw(root-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust"); +ok(!verify("ee-cert", "sslserver", [qw(sroot-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(croot-anyEKU)], [qw(ca-cert)]), + "fail wildcard 
mistrust with client purpose"); + +# Check that trusted-first is on by setting up paths to different roots +# depending on whether the intermediate is the trusted or untrusted one. +# +ok(verify("ee-cert", "sslserver", [qw(root-serverAuth root-cert2 ca-root2)], + [qw(ca-cert)]), + "accept trusted-first path"); +ok(verify("ee-cert", "sslserver", [qw(root-cert root2+serverAuth ca-root2)], + [qw(ca-cert)]), + "accept trusted-first path with server trust"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert root2-serverAuth ca-root2)], + [qw(ca-cert)]), + "fail trusted-first path with server mistrust"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert root2+clientAuth ca-root2)], + [qw(ca-cert)]), + "fail trusted-first path with client trust"); + +# CA variants +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonca)]), + "fail non-CA untrusted intermediate"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-nonbc)]), + "fail non-CA untrusted intermediate"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonca)], []), + "fail non-CA trust-store intermediate"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-nonbc)], []), + "fail non-CA trust-store intermediate"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+serverAuth)], []), + "fail non-CA server trust intermediate"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert nca+anyEKU)], []), + "fail non-CA wildcard trust intermediate"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-cert2)]), + "fail wrong intermediate CA key"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-name2)]), + "fail wrong intermediate CA DN"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert)], [qw(ca-root2)]), + "fail wrong intermediate CA issuer"); +ok(!verify("ee-cert", "sslserver", [], [qw(ca-cert)], "-partial_chain"), + "fail untrusted partial chain"); +ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"), + "accept trusted partial chain"); 
+ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"), + "accept partial chain with server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"), + "fail partial chain with client purpose"); +ok(verify("ee-cert", "sslserver", [qw(ca+serverAuth)], [], "-partial_chain"), + "accept server trust partial chain"); +ok(verify("ee-cert", "sslserver", [qw(cca+serverAuth)], [], "-partial_chain"), + "accept server trust client purpose partial chain"); +ok(verify("ee-cert", "sslserver", [qw(ca-clientAuth)], [], "-partial_chain"), + "accept client mistrust partial chain"); +ok(verify("ee-cert", "sslserver", [qw(ca+anyEKU)], [], "-partial_chain"), + "accept wildcard trust partial chain"); +ok(!verify("ee-cert", "sslserver", [], [qw(ca+serverAuth)], "-partial_chain"), + "fail untrusted partial issuer with ignored server trust"); +ok(!verify("ee-cert", "sslserver", [qw(ca-serverAuth)], [], "-partial_chain"), + "fail server mistrust partial chain"); +ok(!verify("ee-cert", "sslserver", [qw(ca+clientAuth)], [], "-partial_chain"), + "fail client trust partial chain"); +ok(!verify("ee-cert", "sslserver", [qw(ca-anyEKU)], [], "-partial_chain"), + "fail wildcard mistrust partial chain"); + +# We now test auxiliary trust even for intermediate trusted certs without +# -partial_chain. Note that "-trusted_first" is now always on and cannot +# be disabled. 
+ok(verify("ee-cert", "sslserver", [qw(root-cert ca+serverAuth)], [qw(ca-cert)]), + "accept server trust"); +ok(verify("ee-cert", "sslserver", [qw(root-cert ca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca-cert)], [qw(ca-cert)]), + "accept server purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca+serverAuth)], + [qw(ca-cert)]), + "accept server trust and purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust and server purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert sca-clientAuth)], + [qw(ca-cert)]), + "accept client mistrust and server purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert cca+serverAuth)], + [qw(ca-cert)]), + "accept server trust and client purpose"); +ok(verify("ee-cert", "sslserver", [qw(root-cert cca+anyEKU)], [qw(ca-cert)]), + "accept wildcard trust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-cert)], [qw(ca-cert)]), + "fail client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca-serverAuth)], + [qw(ca-cert)]), + "fail server mistrust"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert ca+clientAuth)], + [qw(ca-cert)]), + "fail client trust"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert sca+clientAuth)], + [qw(ca-cert)]), + "fail client trust and server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca+clientAuth)], + [qw(ca-cert)]), + "fail client trust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-serverAuth)], + [qw(ca-cert)]), + "fail server mistrust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-clientAuth)], + [qw(ca-cert)]), + "fail client mistrust and client purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-serverAuth)], + [qw(ca-cert)]), + 
"fail server mistrust and server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert sca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust and server purpose"); +ok(!verify("ee-cert", "sslserver", [qw(root-cert cca-anyEKU)], [qw(ca-cert)]), + "fail wildcard mistrust and client purpose"); + +# EE variants +ok(verify("ee-client", "sslclient", [qw(root-cert)], [qw(ca-cert)]), + "accept client chain"); +ok(!verify("ee-client", "sslserver", [qw(root-cert)], [qw(ca-cert)]), + "fail server leaf purpose"); +ok(!verify("ee-cert", "sslclient", [qw(root-cert)], [qw(ca-cert)]), + "fail client leaf purpose"); +ok(!verify("ee-cert2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), + "fail wrong intermediate CA key"); +ok(!verify("ee-name2", "sslserver", [qw(root-cert)], [qw(ca-cert)]), + "fail wrong intermediate CA DN"); +ok(!verify("ee-expired", "sslserver", [qw(root-cert)], [qw(ca-cert)]), + "fail expired leaf"); +ok(verify("ee-cert", "sslserver", [qw(ee-cert)], [], "-partial_chain"), + "accept last-resort direct leaf match"); +ok(verify("ee-client", "sslclient", [qw(ee-client)], [], "-partial_chain"), + "accept last-resort direct leaf match"); +ok(!verify("ee-cert", "sslserver", [qw(ee-client)], [], "-partial_chain"), + "fail last-resort direct leaf non-match"); +ok(verify("ee-cert", "sslserver", [qw(ee+serverAuth)], [], "-partial_chain"), + "accept direct match with server trust"); +ok(!verify("ee-cert", "sslserver", [qw(ee-serverAuth)], [], "-partial_chain"), + "fail direct match with server mistrust"); +ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), + "accept direct match with client trust"); +ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), + "reject direct match with client mistrust"); + +# Proxy certificates +ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]), + "fail to accept proxy cert without -allow_proxy_certs"); +ok(verify("pc1-cert", "sslclient", [qw(root-cert)], 
[qw(ee-client ca-cert)], + "-allow_proxy_certs"), + "accept proxy cert 1"); +ok(verify("pc2-cert", "sslclient", [qw(root-cert)], + [qw(pc1-cert ee-client ca-cert)], "-allow_proxy_certs"), + "accept proxy cert 2"); +ok(!verify("bad-pc3-cert", "sslclient", [qw(root-cert)], + [qw(pc1-cert ee-client ca-cert)], "-allow_proxy_certs"), + "fail proxy cert with incorrect subject"); +ok(!verify("bad-pc4-cert", "sslclient", [qw(root-cert)], + [qw(pc1-cert ee-client ca-cert)], "-allow_proxy_certs"), + "fail proxy cert with incorrect pathlen"); +ok(verify("pc5-cert", "sslclient", [qw(root-cert)], + [qw(pc1-cert ee-client ca-cert)], "-allow_proxy_certs"), + "accept proxy cert missing proxy policy"); +ok(!verify("pc6-cert", "sslclient", [qw(root-cert)], + [qw(pc1-cert ee-client ca-cert)], "-allow_proxy_certs"), + "failed proxy cert where last CN was added as a multivalue RDN component"); + +# Security level tests +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], + "-auth_level", "2"), + "accept RSA 2048 chain at auth level 2"); +ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], + "-auth_level", "3"), + "reject RSA 2048 root at auth level 3"); +ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], + "-auth_level", "0"), + "accept RSA 768 root at auth level 0"); +ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]), + "reject RSA 768 root at auth level 1"); +ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], + "-auth_level", "0"), + "accept RSA 768 intermediate at auth level 0"); +ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]), + "reject RSA 768 intermediate at auth level 1"); +ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], + "-auth_level", "0"), + "accept RSA 768 leaf at auth level 0"); +ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]), + "reject RSA 768 leaf at auth level 1"); +# +ok(verify("ee-cert", "sslserver", ["root-cert-md5"], 
["ca-cert"], + "-auth_level", "2"), + "accept md5 self-signed TA at auth level 2"); +ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], + "-auth_level", "2"), + "accept md5 intermediate TA at auth level 2"); +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], + "-auth_level", "0"), + "accept md5 intermediate at auth level 0"); +ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]), + "reject md5 intermediate at auth level 1"); +ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], + "-auth_level", "0"), + "accept md5 leaf at auth level 0"); +ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]), + "reject md5 leaf at auth level 1"); + +# Depth tests, note the depth limit bounds the number of CA certificates +# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf +# chain, depth = 1 is sufficient, but depth == 0 is not. +# +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], + "-verify_depth", "2"), + "accept chain with verify_depth 2"); +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], + "-verify_depth", "1"), + "accept chain with verify_depth 1"); +ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], + "-verify_depth", "0"), + "accept chain with verify_depth 0"); +ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], + "-verify_depth", "0"), + "accept md5 intermediate TA with verify_depth 0"); + +# Name Constraints tests. 
+ +ok(verify("alt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints everything permitted"); + +ok(verify("alt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), + "Name Constraints nothing excluded"); + +ok(verify("alt3-cert", "sslserver", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), + "Name Constraints nested test all permitted"); + +ok(!verify("badalt1-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints hostname not permitted"); + +ok(!verify("badalt2-cert", "sslserver", ["root-cert"], ["ncca2-cert"], ), + "Name Constraints hostname excluded"); + +ok(!verify("badalt3-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints email address not permitted"); + +ok(!verify("badalt4-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints subject email address not permitted"); + +ok(!verify("badalt5-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints IP address not permitted"); + +ok(!verify("badalt6-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CN hostname not permitted"); + +ok(!verify("badalt7-cert", "sslserver", ["root-cert"], ["ncca1-cert"], ), + "Name Constraints CN BMPSTRING hostname not permitted"); + +ok(!verify("badalt8-cert", "sslserver", ["root-cert"], + ["ncca1-cert", "ncca3-cert"], ), + "Name constaints nested DNS name not permitted 1"); + +ok(!verify("badalt9-cert", "sslserver", ["root-cert"], + ["ncca1-cert", "ncca3-cert"], ), + "Name constaints nested DNS name not permitted 2"); + +ok(!verify("badalt10-cert", "sslserver", ["root-cert"], + ["ncca1-cert", "ncca3-cert"], ), + "Name constaints nested DNS name excluded"); + +ok(!verify("many-names1", "sslserver", ["many-constraints"], + ["many-constraints"], ), + "Too many names and constraints to check (1)"); +ok(!verify("many-names2", "sslserver", ["many-constraints"], + ["many-constraints"], ), + "Too many names and constraints to check (2)"); +ok(!verify("many-names3", 
"sslserver", ["many-constraints"],
+ ["many-constraints"], ),
+ "Too many names and constraints to check (3)");
+
+ok(verify("some-names1", "sslserver", ["many-constraints"],
+ ["many-constraints"], ),
+ "Not too many names and constraints to check (1)");
+ok(verify("some-names2", "sslserver", ["many-constraints"],
+ ["many-constraints"], ),
+ "Not too many names and constraints to check (2)");
+ok(verify("some-names2", "sslserver", ["many-constraints"],
+ ["many-constraints"], ),
+ "Not too many names and constraints to check (3)");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_x509.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_x509.t
new file mode 100644
index 00000000..98a8d324
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/25-test_x509.t
@@ -0,0 +1,34 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509");
+
+plan tests => 5;
+
+require_ok(srctop_file('test','recipes','tconversion.pl'));
+
+subtest 'x509 -- x.509 v1 certificate' => sub {
+ tconversion("x509", srctop_file("test","testx509.pem"));
+};
+subtest 'x509 -- first x.509 v3 certificate' => sub {
+ tconversion("x509", srctop_file("test","v3-cert1.pem"));
+};
+subtest 'x509 -- second x.509 v3 certificate' => sub {
+ tconversion("x509", srctop_file("test","v3-cert2.pem"));
+};
+
+subtest 'x509 -- pathlen' => sub {
+ ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));
+}
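Review bot: The final subtest of 25-test_x509.t asserts with `ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])));` and no description, unlike every other check in these recipes, so a failure reports only a line number; `ok(run(test(["v3ext", srctop_file("test/certs", "pathlen.pem")])), "v3ext pathlen");` names it. `use File::Spec;` is imported but nothing in the file refers to it. The same undescribed assertion appears on the last `ok(!verify(...))` of 60-test_x509_store.t.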
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_afalg.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_afalg.t
new file mode 100644
index 00000000..c8cb67b7
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_afalg.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
+use OpenSSL::Test::Utils;
+
+my $test_name = "test_afalg";
+setup($test_name);
+
+plan skip_all => "$test_name not supported for this build"
+ if disabled("afalgeng");
+
+plan tests => 1;
+
+$ENV{OPENSSL_ENGINES} = bldtop_dir("engines/afalg");
+
+ok(run(test(["afalgtest"])), "running afalgtest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_engine.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_engine.t
new file mode 100644
index 00000000..03c96cde
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_engine.t
@@ -0,0 +1,18 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+
+setup("test_engine");
+
+plan tests => 1;
+ok(run(test(["enginetest"])), "running enginetest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp.t
new file mode 100644
index 00000000..c277fcdf
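Review bot: 30-test_afalg.t enables `use strict;` but not `use warnings;`, while the adjacent 30-test_engine.t and 30-test_evp.t enable both; adding `use warnings;` directly after `use strict;` keeps the recipes consistent and makes uninitialised-value mistakes in test setup visible in the harness output. The same omission is in 70-test_sslcbcpadding.t, 70-test_sslcertstatus.t, 70-test_sslextension.t and 70-test_sslmessages.t, and 30-test_pbelu.t, 70-test_asyncio.t, 70-test_bad_dtls.t, 70-test_clienthello.t and 70-test_packet.t declare neither pragma.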
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp.t
@@ -0,0 +1,19 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_evp");
+
+plan tests => 1;
+ok(run(test(["evp_test", srctop_file("test", "evptests.txt")])),
+ "running evp_test evptests.txt");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_extra.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_extra.t
new file mode 100644
index 00000000..9a656b0b
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_evp_extra.t
@@ -0,0 +1,18 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+
+setup("test_evp_extra");
+
+plan tests => 1;
+ok(run(test(["evp_extra_test"])), "running evp_extra_test");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_pbelu.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_pbelu.t
new file mode 100644
index 00000000..38b2d483
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/30-test_pbelu.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_pbelu", "pbelutest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/40-test_rehash.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/40-test_rehash.t
new file mode 100644
index 00000000..191897e8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/40-test_rehash.t
@@ -0,0 +1,98 @@
+#! /usr/bin/env perl
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec::Functions;
+use File::Copy;
+use File::Basename;
+use OpenSSL::Glob;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_rehash");
+
+#If "openssl rehash -help" fails it's most likely because we're on a platform
+#that doesn't support the rehash command (e.g. Windows)
+plan skip_all => "test_rehash is not available on this platform"
+ unless run(app(["openssl", "rehash", "-help"]));
+
+plan tests => 4;
+
+indir "rehash.$$" => sub {
+ prepare();
+ ok(run(app(["openssl", "rehash", curdir()])),
+ 'Testing normal rehash operations');
+}, create => 1, cleanup => 1;
+
+indir "rehash.$$" => sub {
+ prepare(sub { chmod 400, $_ foreach (@_); });
+ ok(run(app(["openssl", "rehash", curdir()])),
+ 'Testing rehash operations on readonly files');
+}, create => 1, cleanup => 1;
+
+indir "rehash.$$" => sub {
+ ok(run(app(["openssl", "rehash", curdir()])),
+ 'Testing rehash operations on empty directory');
+}, create => 1, cleanup => 1;
+
+indir "rehash.$$" => sub {
+ prepare();
+ chmod 0500, curdir();
+ SKIP: {
+ if (open(FOO, ">unwritable.txt")) {
+ close FOO;
+ skip "It's pointless to run the next test as root", 1;
+ }
+ isnt(run(app(["openssl", "rehash", curdir()])), 1,
+ 'Testing rehash operations on readonly directory');
+ }
+ chmod 0700, curdir(); # make it writable again, so cleanup works
+}, create => 1, cleanup => 1;
+
+sub prepare {
+ my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
+ my @destfiles = ();
+
+ die "There are no source files\n" if scalar @pemsourcefiles == 0;
+
+ my $cnt = 0;
+ foreach (@pemsourcefiles) {
+ my $basename = 
basename($_, ".pem");
+ my $writing = 0;
+
+ open PEM, $_ or die "Can't read $_: $!\n";
+ while (my $line = <PEM>) {
+ if ($line =~ m{^-----BEGIN (?:CERTIFICATE|X509 CRL)-----}) {
+ die "New start in a PEM blob?\n" if $writing;
+ $cnt++;
+ my $destfile =
+ catfile(curdir(),
+ $basename . sprintf("-%02d", $cnt) . ".pem");
+ push @destfiles, $destfile;
+ open OUT, '>', $destfile
+ or die "Can't write $destfile\n";
+ $writing = 1;
+ }
+ print OUT $line if $writing;
+ if ($line =~ m|^-----END |) {
+ close OUT if $writing;
+ $writing = 0;
+ }
+ }
+ die "No end marker in $basename\n" if $writing;
+ }
+ die "No test PEM files produced\n" if $cnt == 0;
+
+ foreach (@_) {
+ die "Internal error, argument is not CODE"
+ unless (ref($_) eq 'CODE');
+ $_->(@destfiles);
+ }
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/60-test_x509_store.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/60-test_x509_store.t
new file mode 100644
index 00000000..041aa097
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/60-test_x509_store.t
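Review bot: `prepare(sub { chmod 400, $_ foreach (@_); });` passes the decimal literal 400, which is mode 0620 (owner read/write, group write), so the "readonly files" case never actually makes the PEM copies read-only; the intended literal is `chmod 0400, $_`. In `prepare`, `open PEM, $_ or die "Can't read $_: $!\n";` is a two-argument open on a bareword handle, and neither `print OUT $line` nor `close OUT` is checked, so a failed or short write leaves a truncated PEM file that the rehash run then consumes without any test noticing; three-argument opens on lexical handles with `close $out or die "Can't write $destfile: $!\n";` would fail the recipe instead. `open(FOO, ">unwritable.txt")` in the readonly-directory case is the same two-argument form.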
@@ -0,0 +1,53 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Copy;
+use File::Spec::Functions qw/:DEFAULT canonpath/;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_store");
+
+#If "openssl rehash -help" fails it's most likely because we're on a platform
+#that doesn't support the rehash command (e.g. Windows)
+plan skip_all => "test_rehash is not available on this platform"
+ unless run(app(["openssl", "rehash", "-help"]));
+
+# We use 'openssl verify' for these tests, as it contains everything
+# we need to conduct these tests. The tests here are a subset of the
+# ones found in 25-test_verify.t
+
+sub verify {
+ my ($cert, $purpose, $trustedpath, $untrusted, @opts) = @_;
+ my @args = qw(openssl verify -auth_level 1 -purpose);
+ my @path = qw(test certs);
+ push(@args, "$purpose", @opts);
+ push(@args, "-CApath", $trustedpath);
+ for (@$untrusted) { push(@args, "-untrusted", srctop_file(@path, "$_.pem")) }
+ push(@args, srctop_file(@path, "$cert.pem"));
+ run(app([@args]));
+}
+
+plan tests => 3;
+
+indir "60-test_x509_store" => sub {
+ for (("root-cert")) {
+ copy(srctop_file("test", "certs", "$_.pem"), curdir());
+ }
+ ok(run(app([qw(openssl rehash), curdir()])), "Rehashing");
+
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", curdir(), ["ca-cert"], "-show_chain"),
+ "verify ee-cert");
+
+ # Failure because root cert not present in CApath
+ ok(!verify("ca-root2", "any", curdir(), [], "-show_chain"));
+}, create => 1, cleanup => 1;
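Review bot: The skip message `plan skip_all => "test_rehash is not available on this platform"` was carried over from 40-test_rehash.t, so a skipped run of this recipe is reported under the wrong name; `plan skip_all => "test_x509_store is not available on this platform (needs openssl rehash)"` keeps the report attributable and still states the real requirement. The last assertion `ok(!verify("ca-root2", "any", curdir(), [], "-show_chain"));` has no description while the one above it does; `"verify ca-root2 fails with root absent from CApath"` would mirror the comment on the preceding line. `canonpath` is imported from File::Spec::Functions but never used, and `copy(...)` in the `for (("root-cert"))` loop is unchecked, so a missing cert would only surface as a confusing rehash or verify failure later.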
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_asyncio.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_asyncio.t
new file mode 100644
index 00000000..3c15c3d7
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_asyncio.t
@@ -0,0 +1,21 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_asyncio");
+
+plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
+ if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
+
+plan tests => 1;
+
+ok(run(test(["asynciotest", srctop_file("apps", "server.pem"),
+ srctop_file("apps", "server.pem")])), "running asynciotest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_bad_dtls.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_bad_dtls.t
new file mode 100644
index 00000000..a20db77a
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_bad_dtls.t
@@ -0,0 +1,20 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+
+setup("test_bad_dtls");
+
+plan skip_all => "DTLSv1 is not supported by this OpenSSL build"
+ if disabled("dtls1");
+
+plan tests => 1;
+
+ok(run(test(["bad_dtls_test"])), "running bad_dtls_test");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_clienthello.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_clienthello.t
new file mode 100644
index 00000000..ef0868f0
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_clienthello.t
@@ -0,0 +1,20 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils;
+
+setup("test_clienthello");
+
+plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
+ if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
+
+plan tests => 1;
+
+ok(run(test(["clienthellotest"])), "running clienthellotest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_packet.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_packet.t
new file mode 100644
index 00000000..9bc6515e
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_packet.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_packet", "packettest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslcbcpadding.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslcbcpadding.t
new file mode 100644
index 00000000..6d296db0
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslcbcpadding.t
@@ -0,0 +1,110 @@ +#! /usr/bin/env perl +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; + +my $test_name = "test_sslcbcpadding"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs TLSv1.2 enabled" + if disabled("tls1_2"); + +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; +my $proxy = TLSProxy::Proxy->new( + \&add_maximal_padding_filter, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +# TODO: We could test all 256 values, but then the log file gets too large for +# CI. See https://github.com/openssl/openssl/issues/1440. +my @test_offsets = (0, 128, 254, 255); + +# Test that maximally-padded records are accepted. +my $bad_padding_offset = -1; +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 1 + scalar(@test_offsets); +ok(TLSProxy::Message->success(), "Maximally-padded record test"); + +# Test that invalid padding is rejected. +foreach my $offset (@test_offsets) { + $proxy->clear(); + $bad_padding_offset = $offset; + $proxy->start(); + ok(TLSProxy::Message->fail(), "Invalid padding byte $bad_padding_offset"); +} + +sub add_maximal_padding_filter +{ + my $proxy = shift; + + if ($proxy->flight == 0) { + # Disable Encrypt-then-MAC. 
+ foreach my $message (@{$proxy->message_list}) { + if ($message->mt != TLSProxy::Message::MT_CLIENT_HELLO) { + next; + } + + $message->delete_extension(TLSProxy::Message::EXT_ENCRYPT_THEN_MAC); + $message->process_extensions(); + $message->repack(); + } + } + + if ($proxy->flight == 3) { + # Insert a maximally-padded record. Assume a block size of 16 (AES) and + # a MAC length of 20 (SHA-1). + my $block_size = 16; + my $mac_len = 20; + + # Size the plaintext so that 256 is a valid padding. + my $plaintext_len = $block_size - ($mac_len % $block_size); + my $plaintext = "A" x $plaintext_len; + + my $data = "B" x $block_size; # Explicit IV. + $data .= $plaintext; + $data .= TLSProxy::Proxy::fill_known_data($mac_len); # MAC. + + # Add padding. + for (my $i = 0; $i < 256; $i++) { + if ($i == $bad_padding_offset) { + $data .= "\xfe"; + } else { + $data .= "\xff"; + } + } + + my $record = TLSProxy::Record->new( + $proxy->flight, + TLSProxy::Record::RT_APPLICATION_DATA, + TLSProxy::Record::VERS_TLS_1_2, + length($data), + 0, + length($data), + $plaintext_len, + $data, + $plaintext, + ); + + # Send the record immediately after the server Finished. + push @{$proxy->record_list}, $record; + } +} diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslcertstatus.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslcertstatus.t new file mode 100644 index 00000000..104ee9c3 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslcertstatus.t 
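Review bot: Inside the `foreach my $offset (@test_offsets)` loop, `$proxy->start();` discards its return value, whereas the first start is guarded with `or plan skip_all => ...`; if the proxy fails to come up on a later iteration, `TLSProxy::Message->fail()` is presumably evaluated against whatever the previous run left behind, and a "rejected" verdict could then be reported for the wrong reason. `$proxy->start() or die "Unable to restart Proxy for offset $offset";` would make such a failure visible rather than silently green. The same unchecked `$proxy->start();` is in tests 2 and 3 of 70-test_sslextension.t. `add_maximal_padding_filter` hard-codes a 16-byte block and a 20-byte MAC, but nothing visible in the recipe pins the negotiated ciphersuite to AES-CBC with SHA-1; a comment naming the flag or default that guarantees that choice would help the next reader.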
@@ -0,0 +1,66 @@ +#! /usr/bin/env perl +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; + +my $test_name = "test_sslcertstatus"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs the ocsp feature enabled" + if disabled("ocsp"); + +plan skip_all => "$test_name needs TLS enabled" + if alldisabled(available_protocols("tls")); + +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; +my $proxy = TLSProxy::Proxy->new( + \&certstatus_filter, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +#Test 1: Sending a status_request extension in both ClientHello and +#ServerHello but then omitting the CertificateStatus message is valid +$proxy->clientflags("-status"); +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 1; +ok(TLSProxy::Message->success, "Missing CertificateStatus message"); + +sub certstatus_filter +{ + my $proxy = shift; + + # We're only interested in the initial ServerHello + if ($proxy->flight != 1) { + return; + } + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) { + #Add the status_request to the ServerHello even though we are not + #going to send a CertificateStatus message + 
$message->set_extension(TLSProxy::Message::EXT_STATUS_REQUEST, + ""); + + $message->repack(); + } + } +} diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslextension.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslextension.t new file mode 100644 index 00000000..8d6ccc6a --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslextension.t 
@@ -0,0 +1,112 @@ +#! /usr/bin/env perl +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; + +my $test_name = "test_sslextension"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs TLS enabled" + if alldisabled(available_protocols("tls")); + +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; +my $proxy = TLSProxy::Proxy->new( + \&extension_filter, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +# Test 1: Sending a zero length extension block should pass +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 3; +ok(TLSProxy::Message->success, "Zero extension length test"); + +sub extension_filter +{ + my $proxy = shift; + + # We're only interested in the initial ClientHello + if ($proxy->flight != 0) { + return; + } + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + # Remove all extensions and set the extension len to zero + $message->extension_data({}); + $message->extensions_len(0); + # Extensions have been removed so make sure we don't try to use them + $message->process_extensions(); + + $message->repack(); + } + } +} + +# Test 2-3: Sending a duplicate extension should fail. 
+sub inject_duplicate_extension +{ + my ($proxy, $message_type) = @_; + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == $message_type) { + my %extensions = %{$message->extension_data}; + # Add a duplicate (unknown) extension. + $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); + $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); + $message->repack(); + } + } +} + +sub inject_duplicate_extension_clienthello +{ + my $proxy = shift; + + # We're only interested in the initial ClientHello + if ($proxy->flight != 0) { + return; + } + + inject_duplicate_extension($proxy, TLSProxy::Message::MT_CLIENT_HELLO); +} + +sub inject_duplicate_extension_serverhello +{ + my $proxy = shift; + + # We're only interested in the initial ServerHello + if ($proxy->flight != 1) { + return; + } + + inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO); +} + +$proxy->clear(); +$proxy->filter(\&inject_duplicate_extension_clienthello); +$proxy->start(); +ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension"); + +$proxy->clear(); +$proxy->filter(\&inject_duplicate_extension_serverhello); +$proxy->start(); +ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension"); diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslmessages.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslmessages.t new file mode 100644 index 00000000..b4631ea3 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslmessages.t 
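Review bot: In `inject_duplicate_extension`, `my %extensions = %{$message->extension_data};` copies the extension hash and never reads it, so it is dead work; the line can be dropped without changing what the filter injects. The comment `# Add a duplicate (unknown) extension.` is the only explanation of the two identical `set_extension` calls, and it would read better placed on its own line above the first call with a note that the second call is the deliberate duplication.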
@@ -0,0 +1,147 @@
+#! /usr/bin/env perl
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use File::Temp qw(tempfile);
+use TLSProxy::Proxy;
+my $test_name = "test_tls13messages";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLS enabled"
+ if alldisabled(available_protocols("tls"));
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+
+use constant {
+ DEFAULT_HANDSHAKE => 1,
+ OCSP_HANDSHAKE => 2,
+ RESUME_HANDSHAKE => 4,
+ CLIENT_AUTH_HANDSHAKE => 8,
+ RENEG_HANDSHAKE => 16,
+
+ ALL_HANDSHAKES => 31
+};
+
+my @handmessages = (
+ [TLSProxy::Message::MT_CLIENT_HELLO, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_SERVER_HELLO, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_CERTIFICATE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE_STATUS, OCSP_HANDSHAKE],
+ #ServerKeyExchange handshakes not currently supported by TLSProxy
+ [TLSProxy::Message::MT_CERTIFICATE_REQUEST, CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_SERVER_HELLO_DONE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE, CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE_VERIFY, CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_NEW_SESSION_TICKET, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_CLIENT_HELLO, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_SERVER_HELLO, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_SERVER_HELLO_DONE, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_NEW_SESSION_TICKET, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE],
+ [0, 0]
+);
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+sub checkmessages($$);
+
+#Test 1: Check we get all the right messages for a default handshake
+(undef, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 5;
+checkmessages(DEFAULT_HANDSHAKE, "Default handshake test");
+
+#Test 2: Resumption handshake
+$proxy->clearClient();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
+unlink $session;
+
+#Test 3: A client auth handshake
+$proxy->clear();
+$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
+$proxy->serverflags("-Verify 5");
+$proxy->start();
+checkmessages(CLIENT_AUTH_HANDSHAKE, "Client auth handshake test");
+
+#Test 4: A handshake with a renegotiation
+$proxy->clear();
+$proxy->reneg(1);
+$proxy->start();
+checkmessages(RENEG_HANDSHAKE, "Renegotiation handshake test");
+
+#Test 5: A handshake with a renegotiation and client auth
+$proxy->clear();
+$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
+$proxy->serverflags("-Verify 5");
+$proxy->reneg(1);
+$proxy->start();
+checkmessages(RENEG_HANDSHAKE | CLIENT_AUTH_HANDSHAKE,
+ "Renogitation and client auth handshake test");
+
+sub checkmessages($$)
+{
+ my ($handtype, $testname) = @_;
+
+ subtest $testname => sub {
+ my $loop = 0;
+ my $numtests;
+
+ #First count the number of tests
+ for ($numtests = 0; $handmessages[$loop][1] != 0; $loop++) {
+ $numtests++ if (($handmessages[$loop][1] & $handtype) != 0);
+ }
+
+ plan tests => $numtests;
+
+ my $nextmess = 0;
+ my $message = undef;
+ for ($loop = 0; $handmessages[$loop][1] != 0; $loop++) {
+ next if (($handmessages[$loop][1] & $handtype) == 0);
+ if (scalar @{$proxy->message_list} > $nextmess) {
+ $message = ${$proxy->message_list}[$nextmess];
+ $nextmess++;
+ } else {
+ $message = undef;
+ }
+ if (!defined $message) {
+ fail("Message type check. Got nothing, expected "
+ .$handmessages[$loop][0]);
+ } else {
+ ok($message->mt == $handmessages[$loop][0],
+ "Message type check. Got ".$message->mt
+ .", expected ".$handmessages[$loop][0]);
+ }
+ }
+ }
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslrecords.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslrecords.t
new file mode 100644
index 00000000..ef3f5098
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslrecords.t
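Review bot: `my $test_name = "test_tls13messages";` does not match this recipe, 70-test_sslmessages.t, so `setup()` registers it under another test's name and every skip message reports the wrong test; it should read `my $test_name = "test_sslmessages";`. If a separate recipe really does use "test_tls13messages", both would share one per-test working directory, which makes leftovers of one run visible to the other and failures hard to attribute. The forward declaration `sub checkmessages($$);` adds a prototype that only alters parsing and provides no argument validation; the `my ($handtype, $testname) = @_;` unpacking already does the work, so the prototype can go. The description string `"Renogitation and client auth handshake test"` also has a typo (Renegotiation), which matters because it is what the harness prints on failure.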
@@ -0,0 +1,381 @@
+#! /usr/bin/env perl
+# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use TLSProxy::Proxy;
+
+my $test_name = "test_sslrecords";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLSv1.2 enabled"
+ if disabled("tls1_2");
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+my $proxy = TLSProxy::Proxy->new(
+ \&add_empty_recs_filter,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+#Test 1: Injecting out of context empty records should fail
+my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
+my $inject_recs_num = 1;
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+my $num_tests = 10;
+if (!disabled("tls1_1")) {
+ $num_tests++;
+}
+plan tests => $num_tests;
+ok(TLSProxy::Message->fail(), "Out of context empty records test");
+
+#Test 2: Injecting in context empty records should succeed
+$proxy->clear();
+$content_type = TLSProxy::Record::RT_HANDSHAKE;
+$proxy->start();
+ok(TLSProxy::Message->success(), "In context empty records test");
+
+#Test 3: Injecting too many in context empty records should fail
+$proxy->clear();
+#We allow 32 consecutive in context empty records
+$inject_recs_num = 33;
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Too many in context empty records test");
+
+#Test 4: Injecting a fragmented fatal alert should fail. We actually expect no
+# alerts to be sent from either side because *we* injected the fatal
+# alert, i.e. this will look like a disorderly close
+$proxy->clear();
+$proxy->filter(\&add_frag_alert_filter);
+$proxy->start();
+ok(!TLSProxy::Message->end(), "Fragmented alert records test");
+
+#Run some SSLv2 ClientHello tests
+
+use constant {
+ TLSV1_2_IN_SSLV2 => 0,
+ SSLV2_IN_SSLV2 => 1,
+ FRAGMENTED_IN_TLSV1_2 => 2,
+ FRAGMENTED_IN_SSLV2 => 3,
+ ALERT_BEFORE_SSLV2 => 4
+};
+#Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
+my $sslv2testtype = TLSV1_2_IN_SSLV2;
+$proxy->clear();
+$proxy->filter(\&add_sslv2_filter);
+$proxy->start();
+ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
+
+#Test 6: Inject an SSLv2 style record format for an SSLv2 ClientHello. We don't
+# support this so it should fail. We actually treat it as an unknown
+# protocol so we don't even send an alert in this case.
+$sslv2testtype = SSLV2_IN_SSLV2;
+$proxy->clear();
+$proxy->start();
+ok(!TLSProxy::Message->end(), "SSLv2 in SSLv2 ClientHello test");
+
+#Test 7: Sanity check ClientHello fragmentation. This isn't really an SSLv2 test
+# at all, but it gives us confidence that Test 8 fails for the right
+# reasons
+$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
+$proxy->clear();
+$proxy->start();
+ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
+
+#Test 8: Fragment a TLSv1.2 ClientHello across a TLS1.2 record; an SSLv2
+# record; and another TLS1.2 record. This isn't allowed so should fail
+$sslv2testtype = FRAGMENTED_IN_SSLV2;
+$proxy->clear();
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
+
+#Test 9: Send a TLS warning alert before an SSLv2 ClientHello. This should
+# fail because an SSLv2 ClientHello must be the first record.
+$sslv2testtype = ALERT_BEFORE_SSLV2;
+$proxy->clear();
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
+
+#Unrecognised record type tests
+
+#Test 10: Sending an unrecognised record type in TLS1.2 should fail
+$proxy->clear();
+$proxy->filter(\&add_unknown_record_type);
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.2");
+
+#Test 11: Sending an unrecognised record type in TLS1.1 should fail
+if (!disabled("tls1_1")) {
+ $proxy->clear();
+ $proxy->clientflags("-tls1_1");
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.1");
+}
+
+sub add_empty_recs_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ for (my $i = 0; $i < $inject_recs_num; $i++) {
+ my $record = TLSProxy::Record->new(
+ 0,
+ $content_type,
+ TLSProxy::Record::VERS_TLS_1_2,
+ 0,
+ 0,
+ 0,
+ 0,
+ "",
+ ""
+ );
+
+ push @{$proxy->record_list}, $record;
+ }
+}
+
+sub add_frag_alert_filter
+{
+ my $proxy = shift;
+ my $byte;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ # Add a zero length fragment first
+ #my $record = TLSProxy::Record->new(
+ # 0,
+ # TLSProxy::Record::RT_ALERT,
+ # TLSProxy::Record::VERS_TLS_1_2,
+ # 0,
+ # 0,
+ # 0,
+ # "",
+ # ""
+ #);
+ #push @{$proxy->record_list}, $record;
+
+ # Now add the alert level (Fatal) as a separate record
+ $byte = pack('C', TLSProxy::Message::AL_LEVEL_FATAL);
+ my $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_ALERT,
+ TLSProxy::Record::VERS_TLS_1_2,
+ 1,
+ 0,
+ 1,
+ 1,
+ $byte,
+ $byte
+ );
+ push @{$proxy->record_list}, $record;
+
+ # And finally the description (Unexpected message) in a third record
+ $byte = pack('C', TLSProxy::Message::AL_DESC_UNEXPECTED_MESSAGE);
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_ALERT,
+ TLSProxy::Record::VERS_TLS_1_2,
+ 1,
+ 0,
+ 1,
+ 1,
+ $byte,
+ $byte
+ );
+ push @{$proxy->record_list}, $record;
+}
+
+sub add_sslv2_filter
+{
+ my $proxy = shift;
+ my $clienthello;
+ my $record;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ # Ditch the real ClientHello - we're going to replace it with our own
+ shift @{$proxy->record_list};
+
+ if ($sslv2testtype == ALERT_BEFORE_SSLV2) {
+ my $alert = pack('CC', TLSProxy::Message::AL_LEVEL_FATAL,
+ TLSProxy::Message::AL_DESC_NO_RENEGOTIATION);
+ my $alertlen = length $alert;
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_ALERT,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $alertlen,
+ 0,
+ $alertlen,
+ $alertlen,
+ $alert,
+ $alert
+ );
+
+ push @{$proxy->record_list}, $record;
+ }
+
+ if ($sslv2testtype == ALERT_BEFORE_SSLV2
+ || $sslv2testtype == TLSV1_2_IN_SSLV2
+ || $sslv2testtype == SSLV2_IN_SSLV2) {
+ # This is an SSLv2 format ClientHello
+ $clienthello =
+ pack "C44",
+ 0x01, # ClientHello
+ 0x03, 0x03, #TLSv1.2
+ 0x00, 0x03, # Ciphersuites len
+ 0x00, 0x00, # Session id len
+ 0x00, 0x20, # Challenge len
+ 0x00, 0x00, 0x2f, #AES128-SHA
+ 0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
+ 0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
+ 0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6; # Challenge
+
+ if ($sslv2testtype == SSLV2_IN_SSLV2) {
+ # Set the version to "real" SSLv2
+ vec($clienthello, 1, 8) = 0x00;
+ vec($clienthello, 2, 8) = 0x02;
+ }
+
+ my $chlen = length $clienthello;
+
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $chlen,
+ 1, #SSLv2
+ $chlen,
+ $chlen,
+ $clienthello,
+ $clienthello
+ );
+
+ push @{$proxy->record_list}, $record;
+ } else {
+ # For this test we're using a real TLS ClientHello
+ $clienthello =
+ pack "C49",
+ 0x01, # ClientHello
+ 0x00, 0x00, 0x2D, # Message length
+ 0x03, 0x03, # TLSv1.2
+ 0x01, 0x18, 0x9F, 0x76, 0xEC, 0x57, 0xCE, 0xE5, 0xB3, 0xAB, 0x79, 0x90,
+ 0xAD, 0xAC, 0x6E, 0xD1, 0x58, 0x35, 0x03, 0x97, 0x16, 0x10, 0x82, 0x56,
+ 0xD8, 0x55, 0xFF, 0xE1, 0x8A, 0xA3, 0x2E, 0xF6, # Random
+ 0x00, # Session id len
+ 0x00, 0x04, # Ciphersuites len
+ 0x00, 0x2f, # AES128-SHA
+ 0x00, 0xff, # Empty reneg info SCSV
+ 0x01, # Compression methods len
+ 0x00, # Null compression
+ 0x00, 0x00; # Extensions len
+
+ # Split this into 3: A TLS record; a SSLv2 record and a TLS record.
+ # We deliberately split the second record prior to the Challenge/Random
+ # and set the first byte of the random to 1. This makes the second SSLv2
+ # record look like an SSLv2 ClientHello
+ my $frag1 = substr $clienthello, 0, 6;
+ my $frag2 = substr $clienthello, 6, 32;
+ my $frag3 = substr $clienthello, 38;
+
+ my $fraglen = length $frag1;
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $fraglen,
+ 0,
+ $fraglen,
+ $fraglen,
+ $frag1,
+ $frag1
+ );
+ push @{$proxy->record_list}, $record;
+
+ $fraglen = length $frag2;
+ my $recvers;
+ if ($sslv2testtype == FRAGMENTED_IN_SSLV2) {
+ $recvers = 1;
+ } else {
+ $recvers = 0;
+ }
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $fraglen,
+ $recvers,
+ $fraglen,
+ $fraglen,
+ $frag2,
+ $frag2
+ );
+ push @{$proxy->record_list}, $record;
+
+ $fraglen = length $frag3;
+ $record = TLSProxy::Record->new(
+ 0,
+ TLSProxy::Record::RT_HANDSHAKE,
+ TLSProxy::Record::VERS_TLS_1_2,
+ $fraglen,
+ 0,
+ $fraglen,
+ $fraglen,
+ $frag3,
+ $frag3
+ );
+ push @{$proxy->record_list}, $record;
+ }
+
+}
+
+sub add_unknown_record_type
+{
+ my $proxy = shift;
+
+ # We'll change a record after the initial version neg has taken place
+ if ($proxy->flight != 2) {
+ return;
+ }
+
+ my $lastrec = ${$proxy->record_list}[-1];
+ my $record = TLSProxy::Record->new(
+ 2,
+ TLSProxy::Record::RT_UNKNOWN,
+ $lastrec->version(),
+ 1,
+ 0,
+ 1,
+ 1,
+ "X",
+ "X"
+ );
+
+ unshift @{$proxy->record_list}, $record;
+}
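Review bot: `add_frag_alert_filter` keeps a commented-out `TLSProxy::Record->new(...)` block for a "zero length fragment first" that is never executed; dead code inside a filter that builds wire records is easy to mistake for part of the test, and that block passes one argument fewer than the live calls right below it, so it would not even work if uncommented. Delete it, or replace it with a one-line comment stating why no zero-length first fragment is injected. In test 3 the magic `$inject_recs_num = 33;` is explained only as "We allow 32 consecutive in context empty records"; naming the relationship in the comment, e.g. `# one more than the library's empty-record limit (32)`, would tell a maintainer what to update if that limit ever changes, and the same applies to the `$num_tests = 10` count which must track the `ok()` calls by hand.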
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslsessiontick.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslsessiontick.t
new file mode 100644
index 00000000..4a8636ec
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslsessiontick.t
@@ -0,0 +1,268 @@
+#! /usr/bin/env perl
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use TLSProxy::Proxy;
+use File::Temp qw(tempfile);
+
+my $test_name = "test_sslsessiontick";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLS enabled"
+ if alldisabled(available_protocols("tls"));
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+
+sub checkmessages($$$$$$);
+sub clearclient();
+sub clearall();
+
+my $chellotickext = 0;
+my $shellotickext = 0;
+my $fullhand = 0;
+my $ticketseen = 0;
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+#Test 1: By default with no existing session we should get a session ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+# NewSessionTicket message seen; Full handshake
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 10;
+checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
+
+#Test 2: If the server does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+# NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->start();
+checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
+
+#Test 3: If the client does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension not seen; ServerHello extension not seen
+# NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->clientflags("-no_ticket");
+$proxy->start();
+checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
+
+#Test 4: Test session resumption with session ticket
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+# NewSessionTicket message not seen; Abbreviated handshake
+clearall();
+(undef, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start();
+$proxy->clearClient();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
+unlink $session;
+
+#Test 5: Test session resumption with ticket capable client without a ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+# NewSessionTicket message seen; Abbreviated handshake
+clearall();
+(undef, $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session." -no_ticket");
+$proxy->start();
+$proxy->clearClient();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(5, "Session resumption with ticket capable client without a "
+ ."ticket", 1, 1, 1, 0);
+unlink $session;
+
+#Test 6: Client accepts empty ticket.
+#Expected result: ClientHello extension seen; ServerHello extension seen;
+# NewSessionTicket message seen; Full handshake.
+clearall();
+$proxy->filter(\&ticket_filter);
+$proxy->start();
+checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
+
+#Test 7-8: Client keeps existing ticket on empty ticket.
+clearall();
+(undef, $session) = tempfile();
+$proxy->serverconnects(3);
+$proxy->filter(undef);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start();
+$proxy->clearClient();
+$proxy->clientflags("-sess_in ".$session." -sess_out ".$session);
+$proxy->filter(\&inject_empty_ticket_filter);
+$proxy->clientstart();
+#Expected result: ClientHello extension seen; ServerHello extension seen;
+# NewSessionTicket message seen; Abbreviated handshake.
+checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
+clearclient();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->filter(undef);
+$proxy->clientstart();
+#Expected result: ClientHello extension seen; ServerHello extension not seen;
+# NewSessionTicket message not seen; Abbreviated handshake.
+checkmessages(8, "Empty ticket resumption test", 1, 0, 0, 0);
+unlink $session;
+
+#Test 9: Bad server sends the ServerHello extension but does not send a
+#NewSessionTicket
+#Expected result: Connection failure
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->filter(\&inject_ticket_extension_filter);
+$proxy->start();
+ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test");
+
+#Test10: Bad server does not send the ServerHello extension but does send a
+#NewSessionTicket
+#Expected result: Connection failure
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->filter(\&inject_empty_ticket_filter);
+$proxy->start();
+ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test");
+
+sub ticket_filter
+{
+ my $proxy = shift;
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+ $message->ticket("");
+ $message->repack();
+ }
+ }
+}
+
+sub inject_empty_ticket_filter {
+ my $proxy = shift;
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+ # Only inject the message first time we're called.
+ return;
+ }
+ }
+
+ my @new_message_list = ();
+ foreach my $message (@{$proxy->message_list}) {
+ push @new_message_list, $message;
+ if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+ $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
+ $message->repack();
+ # Tack NewSessionTicket onto the ServerHello record.
+ # This only works if the ServerHello is exactly one record.
+ my $record = ${$message->records}[0];
+
+ my $offset = $message->startoffset + $message->encoded_length;
+ my $newsessionticket = TLSProxy::NewSessionTicket->new(
+ 1, "", [$record], $offset, []);
+ $newsessionticket->repack();
+ push @new_message_list, $newsessionticket;
+ }
+ }
+ $proxy->message_list([@new_message_list]);
+}
+
+sub inject_ticket_extension_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the initial ServerHello
+ if ($proxy->flight != 1) {
+ return;
+ }
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+ #Add the session ticket extension to the ServerHello even though
+ #we are not going to send a NewSessionTicket message
+ $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
+
+ $message->repack();
+ }
+ }
+}
+
+sub checkmessages($$$$$$)
+{
+ my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
+
+ subtest $testname => sub {
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
+ || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+ #Get the extensions data
+ my %extensions = %{$message->extension_data};
+ if (defined
+ $extensions{TLSProxy::Message::EXT_SESSION_TICKET}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ $chellotickext = 1;
+ } else {
+ $shellotickext = 1;
+ }
+ }
+ } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
+ #Must be doing a full handshake
+ $fullhand = 1;
+ } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+ $ticketseen = 1;
+ }
+ }
+
+ plan tests => 5;
+
+ ok(TLSProxy::Message->success, "Handshake");
+ ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
+ "ClientHello extension Session Ticket check");
+ ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
+ "ServerHello extension Session Ticket check");
+ ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
+ "Session Ticket message presence check");
+ ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
+ "Session Ticket full handshake check");
+ }
+}
+
+
+sub clearclient()
+{
+ $chellotickext = 0;
+ $shellotickext = 0;
+ $fullhand = 0;
+ $ticketseen = 0;
+ $proxy->clearClient();
+}
+
+sub clearall()
+{
+ clearclient();
+ $proxy->clear();
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslskewith0p.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslskewith0p.t
new file mode 100644
index 00000000..af87739a
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslskewith0p.t
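Review bot: `inject_empty_ticket_filter` states `# This only works if the ServerHello is exactly one record.` but never checks it; it takes `${$message->records}[0]` and computes `$offset` from `startoffset + encoded_length` unconditionally, so a ServerHello that happens to span two records would yield a NewSessionTicket at the wrong offset and a confusing downstream failure instead of a clear diagnostic. A guard before the offset line, `die "ServerHello spans more than one record" if scalar @{$message->records} != 1;`, makes the assumption executable. Separately, the `$testno` parameter of `checkmessages` is unpacked but never used, and `sub inject_empty_ticket_filter {` puts its opening brace on the signature line while every other sub in this file places it on the following line.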
@@ -0,0 +1,65 @@
+#! /usr/bin/env perl
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use TLSProxy::Proxy;
+
+my $test_name = "test_sslskewith0p";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "dh is not supported by this OpenSSL build"
+ if disabled("dh");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLS enabled"
+ if alldisabled(available_protocols("tls"));
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+my $proxy = TLSProxy::Proxy->new(
+ \&ske_0_p_filter,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+#We must use an anon DHE cipher for this test
+$proxy->cipherc('ADH-AES128-SHA:@SECLEVEL=0');
+$proxy->ciphers('ADH-AES128-SHA:@SECLEVEL=0');
+
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 1;
+ok(TLSProxy::Message->fail, "ServerKeyExchange with 0 p");
+
+sub ske_0_p_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the SKE - always in flight 1
+ if ($proxy->flight != 1) {
+ return;
+ }
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_SERVER_KEY_EXCHANGE) {
+ #Set p to a value of 0
+ $message->p(pack('C', 0));
+
+ $message->repack();
+ }
+ }
+}
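Review bot: The cipher configuration `$proxy->cipherc('ADH-AES128-SHA:@SECLEVEL=0')` / `ciphers(...)` is explained only as "We must use an anon DHE cipher", but the non-obvious part is the `@SECLEVEL=0` suffix, which has no comment at all. A line such as `# @SECLEVEL=0: presumably anonymous DH is refused at the default security level - confirm` would tell a maintainer why the level is lowered and that it is only for this negative test. `ske_0_p_filter` would also benefit from a one-line purpose comment above the sub, e.g. `# Replace the DH prime in the ServerKeyExchange with a single 0x00 byte; the client must reject it`, so the intent of `$message->p(pack('C', 0))` is visible without reading the test name. The file mixes `TLSProxy::Message->fail` without parentheses here with `->fail()` in the sibling recipes in this diff; either is fine, but one form per file reads better.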
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslvertol.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslvertol.t
new file mode 100644
index 00000000..59c2cddc
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_sslvertol.t
@@ -0,0 +1,67 @@
+#! /usr/bin/env perl
+# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use TLSProxy::Proxy;
+
+my $test_name = "test_sslextension";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLS enabled"
+ if alldisabled(available_protocols("tls"));
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+my $proxy = TLSProxy::Proxy->new(
+ \&vers_tolerance_filter,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+#Test 1: Asking for TLS1.3 should pass
+my $client_version = TLSProxy::Record::VERS_TLS_1_3;
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 2;
+ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.3");
+
+#Test 2: Testing something below SSLv3 should fail
+$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
+$proxy->clear();
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0");
+
+sub vers_tolerance_filter
+{
+ my $proxy = shift;
+
+ # We're only interested in the initial ClientHello
+ if ($proxy->flight != 0) {
+ return;
+ }
+
+ foreach my $message (@{$proxy->message_list}) {
+ if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+ #Set the client version
+ #Anything above the max supported version (TLS1.2) should succeed
+ #Anything below SSLv3 should fail
+ $message->client_version($client_version);
+ $message->repack();
+ }
+ }
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_tlsextms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_tlsextms.t
new file mode 100644
index 00000000..d39acf42
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_tlsextms.t
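Review bot: `my $test_name = "test_sslextension";` in 70-test_sslvertol.t reuses the name that 70-test_sslextension.t earlier in this diff already passes to `setup()`, so two different recipes register under one name and this file's skip messages name the wrong test; it should be `my $test_name = "test_sslvertol";`. Sharing a setup name also means both recipes use the same per-test working directory, which can make artifacts of one run visible to the other and failures hard to attribute. The comment `#Anything above the max supported version (TLS1.2) should succeed` looks stale next to test 1, which now sends `VERS_TLS_1_3`: if this build supports TLS 1.3 that value is no longer "above the max", and the comment should state which version the test treats as the ceiling so the intent of test 1 stays clear.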
@@ -0,0 +1,238 @@ +#! /usr/bin/env perl +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; +use OpenSSL::Test::Utils; +use TLSProxy::Proxy; +use File::Temp qw(tempfile); + +my $test_name = "test_tlsextms"; +setup($test_name); + +plan skip_all => "TLSProxy isn't usable on $^O" + if $^O =~ /^(VMS)$/; + +plan skip_all => "$test_name needs the dynamic engine feature enabled" + if disabled("engine") || disabled("dynamic-engine"); + +plan skip_all => "$test_name needs the sock feature enabled" + if disabled("sock"); + +plan skip_all => "$test_name needs TLS enabled" + if alldisabled(available_protocols("tls")); + +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; + +sub checkmessages($$$$$); +sub setrmextms($$); +sub clearall(); + +my $crmextms = 0; +my $srmextms = 0; +my $cextms = 0; +my $sextms = 0; +my $fullhand = 0; + +my $proxy = TLSProxy::Proxy->new( + \&extms_filter, + cmdstr(app(["openssl"]), display => 1), + srctop_file("apps", "server.pem"), + (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) +); + +#Test 1: By default server and client should send extended master secret +# extension. +#Expected result: ClientHello extension seen; ServerHello extension seen +# Full handshake + +setrmextms(0, 0); +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 9; +checkmessages(1, "Default extended master secret test", 1, 1, 1); + +#Test 2: If client omits extended master secret extension, server should too. 
+#Expected result: ClientHello extension not seen; ServerHello extension not seen +# Full handshake + +clearall(); +setrmextms(1, 0); +$proxy->start(); +checkmessages(2, "No client extension extended master secret test", 0, 0, 1); + +# Test 3: same as 1 but with session tickets disabled. +# Expected result: same as test 1. + +clearall(); +$proxy->clientflags("-no_ticket"); +setrmextms(0, 0); +$proxy->start(); +checkmessages(3, "No ticket extended master secret test", 1, 1, 1); + +# Test 4: same as 2 but with session tickets disabled. +# Expected result: same as test 2. + +clearall(); +$proxy->clientflags("-no_ticket"); +setrmextms(1, 0); +$proxy->start(); +checkmessages(2, "No ticket, no client extension extended master secret test", 0, 0, 1); + +#Test 5: Session resumption extended master secret test +# +#Expected result: ClientHello extension seen; ServerHello extension seen +# Abbreviated handshake + +clearall(); +setrmextms(0, 0); +(undef, my $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session); +$proxy->start(); +$proxy->clearClient(); +$proxy->clientflags("-sess_in ".$session); +$proxy->clientstart(); +checkmessages(5, "Session resumption extended master secret test", 1, 1, 0); +unlink $session; + +#Test 6: Session resumption extended master secret test original session +# omits extension. Server must not resume session. +#Expected result: ClientHello extension seen; ServerHello extension seen +# Full handshake + +clearall(); +setrmextms(1, 0); +(undef, $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session); +$proxy->start(); +$proxy->clearClient(); +$proxy->clientflags("-sess_in ".$session); +setrmextms(0, 0); +$proxy->clientstart(); +checkmessages(6, "Session resumption extended master secret test", 1, 1, 1); +unlink $session; + +#Test 7: Session resumption extended master secret test resumed session +# omits client extension. Server must abort connection. 
+#Expected result: aborted connection. + +clearall(); +setrmextms(0, 0); +(undef, $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session); +$proxy->start(); +$proxy->clearClient(); +$proxy->clientflags("-sess_in ".$session); +setrmextms(1, 0); +$proxy->clientstart(); +ok(TLSProxy::Message->fail(), "Client inconsistent session resumption"); +unlink $session; + +#Test 8: Session resumption extended master secret test resumed session +# omits server extension. Client must abort connection. +#Expected result: aborted connection. + +clearall(); +setrmextms(0, 0); +(undef, $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session); +$proxy->start(); +$proxy->clearClient(); +$proxy->clientflags("-sess_in ".$session); +setrmextms(0, 1); +$proxy->clientstart(); +ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 1"); +unlink $session; + +#Test 9: Session resumption extended master secret test initial session +# omits server extension. Client must abort connection. +#Expected result: aborted connection. 
+ +clearall(); +setrmextms(0, 1); +(undef, $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session); +$proxy->start(); +$proxy->clearClient(); +$proxy->clientflags("-sess_in ".$session); +setrmextms(0, 0); +$proxy->clientstart(); +ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2"); +unlink $session; + +sub extms_filter +{ + my $proxy = shift; + + foreach my $message (@{$proxy->message_list}) { + if ($crmextms && $message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET); + $message->repack(); + } + if ($srmextms && $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { + $message->delete_extension(TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET); + $message->repack(); + } + } +} + +sub checkmessages($$$$$) +{ + my ($testno, $testname, $testcextms, $testsextms, $testhand) = @_; + + subtest $testname => sub { + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO + || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { + #Get the extensions data + my %extensions = %{$message->extension_data}; + if (defined + $extensions{TLSProxy::Message::EXT_EXTENDED_MASTER_SECRET}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + $cextms = 1; + } else { + $sextms = 1; + } + } + } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) { + #Must be doing a full handshake + $fullhand = 1; + } + } + + plan tests => 4; + + ok(TLSProxy::Message->success, "Handshake"); + + ok($testcextms == $cextms, + "ClientHello extension extended master secret check"); + ok($testsextms == $sextms, + "ServerHello extension extended master secret check"); + ok($testhand == $fullhand, + "Extended master secret full handshake check"); + + } +} + +sub setrmextms($$) +{ + ($crmextms, $srmextms) = @_; +} + +sub clearall() +{ + $cextms = 0; + $sextms = 0; + $fullhand = 0; + $proxy->clear(); +} 
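Review bot: The `-sess_out` session files created by tests 5–9 carry the resumption secret of the handshake, and their removal depends on reaching the `unlink $session` at the end of each test; if `$proxy->start()` or `$proxy->clientstart()` dies before that line, the file is left behind in the temp directory. Creating them with `(undef, my $session) = tempfile(UNLINK => 1);` (and likewise for the later `tempfile()` calls) lets File::Temp remove them at exit regardless of how the script ends. Two consistency points: test 4 calls `checkmessages(2, ...)` where the number should be 4, and tests 5 and 6 pass the identical description "Session resumption extended master secret test", which makes the TAP output ambiguous. The `($$$$$)`, `($$)` and `()` prototypes on checkmessages, setrmextms and clearall only alter parsing and give no argument validation; plain `sub checkmessages;` style forward declarations would do the same job without that side effect.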
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_verify_extra.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_verify_extra.t
new file mode 100644
index 00000000..79a33cd0
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/70-test_verify_extra.t
@@ -0,0 +1,19 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_verify_extra");
+
+plan tests => 1;
+
+ok(run(test(["verify_extra_test",
+ srctop_file("test", "certs", "roots.pem"),
+ srctop_file("test", "certs", "untrusted.pem"),
+ srctop_file("test", "certs", "bad.pem")])));
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ca.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ca.t
new file mode 100644
index 00000000..28a090ea
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ca.t
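Review bot: The single `ok(run(test([...])))` at the end of 70-test_verify_extra.t has no description, so a failure prints only a bare test number in the TAP output; `ok(run(test([...])), "verify_extra_test");` names it. The comparable `ok(run(test(...)))` calls in 80-test_dane.t and 80-test_dtls.t in this commit do carry a description, so this one is the odd one out.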
@@ -0,0 +1,59 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use POSIX; +use File::Path 2.00 qw/rmtree/; +use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; + +setup("test_ca"); + +$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); +my $std_openssl_cnf = + srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf"); + +rmtree("demoCA", { safe => 0 }); + +plan tests => 4; + SKIP: { + $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; + skip "failed creating CA structure", 3 + if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), + 'creating CA structure'); + + $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; + skip "failed creating new certificate request", 2 + if !ok(run(perlapp(["CA.pl","-newreq"])), + 'creating certificate request'); + + $ENV{OPENSSL_CONFIG} = '-config "'.$std_openssl_cnf.'"'; + skip "failed to sign certificate request", 1 + if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, + 'signing certificate request'); + + ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), + 'verifying new certificate'); +} + + +rmtree("demoCA", { safe => 0 }); +unlink "newcert.pem", "newreq.pem", "newkey.pem"; + + +sub yes { + my $cntr = 10; + open(PIPE, "|-", join(" ",@_)); + local $SIG{PIPE} = "IGNORE"; + 1 while $cntr-- > 0 && print PIPE "y\n"; + close PIPE; + return 0; +} + diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cipherlist.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cipherlist.t new file mode 100644 index 00000000..98d537e5 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cipherlist.t 
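Review bot: `yes()` in 80-test_ca.t returns the constant 0 whatever happens to the piped `CA.pl -sign`, so `is(yes(cmdstr(...)), 0, 'signing certificate request')` can never fail and the signing step is only verified indirectly by the `-verify` step after it. The `open` return value is also unchecked and the handle is the bareword `PIPE`, so a failed spawn just produces print-on-closed-handle noise and still "passes". Returning the child's exit status from `close` makes the assertion meaningful; whether `CA.pl -sign` exits 0 once its prompts have been answered from a pipe that then closes is not visible here, so the expected value in the `is()` may need confirming on a real run. A lexical handle with `print {$pipe}` keeps the rest of the sub as it was.

```perl
sub yes {
    my $cntr = 10;
    open(my $pipe, "|-", join(" ", @_))
        or return 1;                      # could not spawn the command: report failure
    local $SIG{PIPE} = "IGNORE";
    1 while $cntr-- > 0 && print {$pipe} "y\n";
    close $pipe;
    return $? >> 8;                       # child's exit status, 0 on success
}
```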
@@ -0,0 +1,26 @@
+#! /usr/bin/perl
+#
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test::Simple;
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(alldisabled available_protocols);
+
+setup("test_cipherlist");
+
+my $no_anytls = alldisabled(available_protocols("tls"));
+
+# If we have no protocols, then we also have no supported ciphers.
+plan skip_all => "No SSL/TLS protocol is supported by this OpenSSL build."
+ if $no_anytls;
+
+simple_test("test_cipherlist", "cipherlist_test", "cipherlist");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
new file mode 100644
index 00000000..f038bea3
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_cms.t
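Review bot: The shebang `#! /usr/bin/perl` in 80-test_cipherlist.t differs from the `#! /usr/bin/env perl` used by every other recipe in this commit, which matters on hosts where the perl used for the build is not the system one; align it with the others. `setup("test_cipherlist")` is also called explicitly before `simple_test("test_cipherlist", ...)`, whereas 01-test_sanity.t and 80-test_dtlsv1listen.t rely on `simple_test` alone — presumably `simple_test` performs its own setup, so one of the two calls is likely redundant (the helper is not visible in this diff).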
@@ -0,0 +1,511 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use POSIX; +use File::Spec::Functions qw/catfile/; +use File::Compare qw/compare_text/; +use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; +use OpenSSL::Test::Utils; + +setup("test_cms"); + +plan skip_all => "CMS is not supported by this OpenSSL build" + if disabled("cms"); + +my $smdir = srctop_dir("test", "smime-certs"); +my $smcont = srctop_file("test", "smcont.txt"); +my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) + = disabled qw/des dh dsa ec ec2m rc2 zlib/; + +plan tests => 4; + +my @smime_pkcs7_tests = ( + + [ "signed content DER format, RSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed detached content DER format, RSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt", + "-content", $smcont ] + ], + + [ "signed content test streaming BER format, RSA", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-stream", + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content DER format, DSA key", + [ "-sign", "-in", $smcont, "-outform", 
"DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed detached content DER format, DSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt", + "-content", $smcont ] + ], + + [ "signed detached content DER format, add RSA signer (with DSA existing)", + [ "-resign", "-inform", "DER", "-in", "test.cms", "-outform", "DER", + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test2.cms" ], + [ "-verify", "-in", "test2.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt", + "-content", $smcont ] + ], + + [ "signed content test streaming BER format, DSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", + [ "-sign", "-in", $smcont, "-outform", "DER", "-noattr", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, 
"smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content S/MIME format, RSA key SHA1", + [ "-sign", "-in", $smcont, "-md", "sha1", + "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, 3 recipients", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, 3rd used", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, 
"smrsa3.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, key only used", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", + [ "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + +); + +my @smime_cms_tests = ( + + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", "-keyid", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content MIME format, RSA key, signed receipt request", + [ "-sign", "-in", $smcont, "-signer", catfile($smdir, "smrsa1.pem"), "-nodetach", + "-receipt_request_to", "test\@openssl.org", "-receipt_request_all", 
+ "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed receipt MIME format, RSA key", + [ "-sign_receipt", "-in", "test.cms", + "-signer", catfile($smdir, "smrsa2.pem"), + "-out", "test2.cms" ], + [ "-verify_receipt", "test2.cms", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem") ] + ], + + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", "-keyid", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming PEM format, KEK", + [ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128", + "-stream", "-out", "test.cms", + "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-secretkeyid", "C0FEE0" ], + [ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-secretkeyid", "C0FEE0" ] + ], + + [ "enveloped content test streaming PEM format, KEK, key only", + [ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128", + "-stream", "-out", "test.cms", + "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-secretkeyid", "C0FEE0" ], + [ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F" ] + ], + + [ "data content test streaming PEM format", + [ "-data_create", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-stream", "-out", "test.cms" ], + [ "-data_out", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, 128 bit RC2 key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-out", "test.cms" ], + [ 
"-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, 40 bit RC2 key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-rc2", "-secretkey", "0001020304", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "0001020304", "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, triple DES key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, 128 bit AES key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ] + ], + +); + +my @smime_cms_comp_tests = ( + + [ "compressed content test streaming PEM format", + [ "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-stream", "-out", "test.cms" ], + [ "-uncompress", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ] + ] + +); + +my @smime_cms_param_tests = ( + [ "signed content test streaming PEM format, RSA keys, PSS signature", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming PEM format, RSA keys, PSS 
signature, no attributes", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-keyopt", "rsa_mgf1_md:sha384", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, OAEP default parameters", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep" ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, OAEP SHA256", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep", + "-keyopt", "rsa_oaep_md:sha256" ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, ECDH", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec1.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, DES, ECDH, 2 recipients, key only used", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smec1.pem"), + catfile($smdir, "smec3.pem") ], + [ "-decrypt", "-inkey", catfile($smdir, "smec3.pem"), + 
"-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH, DES, key identifier", + [ "-encrypt", "-keyid", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec1.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec1.pem"), "-aes128", "-keyopt", "ecdh_kdf_md:sha256" ], + [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec2.pem"), "-aes128", + "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ], + [ "-decrypt", "-recip", catfile($smdir, "smec2.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], + [ "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ] + ); + +subtest "CMS => PKCS#7 compatibility tests\n" => sub { + plan tests => scalar @smime_pkcs7_tests; + + foreach (@smime_pkcs7_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "smime", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } +}; +subtest "CMS <= PKCS#7 compatibility tests\n" => sub { + plan tests => scalar @smime_pkcs7_tests; + + foreach (@smime_pkcs7_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + 
ok(run(app(["openssl", "smime", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } +}; + +subtest "CMS <=> CMS consistency tests\n" => sub { + plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests); + + foreach (@smime_pkcs7_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } + foreach (@smime_cms_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } +}; + +subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub { + plan tests => + (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests); + + foreach (@smime_cms_param_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } + + SKIP: { + skip("Zlib not supported: compression tests skipped", + scalar @smime_cms_comp_tests) + if $no_zlib; + + foreach (@smime_cms_comp_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } + } +}; + +unlink "test.cms"; +unlink "test2.cms"; +unlink "smtst.txt"; + +sub check_availability { + my $tnam = shift; + + return "$tnam: skipped, EC disabled\n" + if ($no_ec && $tnam =~ /ECDH/); + return "$tnam: skipped, ECDH disabled\n" + if ($no_ec && $tnam =~ 
/ECDH/); + return "$tnam: skipped, EC2M disabled\n" + if ($no_ec2m && $tnam =~ /K-283/); + return "$tnam: skipped, DH disabled\n" + if ($no_dh && $tnam =~ /X9\.42/); + return "$tnam: skipped, RC2 disabled\n" + if ($no_rc2 && $tnam =~ /RC2/); + return "$tnam: skipped, DES disabled\n" + if ($no_des && $tnam =~ /DES/); + return "$tnam: skipped, DSA disabled\n" + if ($no_dsa && $tnam =~ / DSA/); + + return ""; +} diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ct.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ct.t new file mode 100644 index 00000000..9c717b2e --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ct.t @@ -0,0 +1,17 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir/; +use OpenSSL::Test::Simple; + +setup("test_ct"); +$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); +$ENV{CT_DIR} = srctop_dir("test", "ct"); +$ENV{CERTS_DIR} = srctop_dir("test", "certs"); +simple_test("test_ct", "ct_test", "ct", "ec"); diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dane.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dane.t new file mode 100644 index 00000000..527e6634 --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dane.t 
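Review bot: In `check_availability` of 80-test_cms.t the second clause, `return "$tnam: skipped, ECDH disabled\n" if ($no_ec && $tnam =~ /ECDH/);`, repeats the condition of the first clause exactly and can never be reached; if it was meant to gate the EC tests that are not ECDH it needs its own pattern, otherwise it should be dropped. The hunk ends with the body of check_availability. The closing `unlink "test.cms"; unlink "test2.cms"; unlink "smtst.txt";` only runs when all four subtests complete, so an early die leaves the intermediate CMS files — several of them built with a fixed KEK or a 40-bit RC2 key — in the working directory; an `END { unlink "test.cms", "test2.cms", "smtst.txt"; }` block would clean up regardless. Note also that the "add RSA signer (with DSA existing)" entry re-signs the `test.cms` left by the preceding entry, so the order of @smime_pkcs7_tests is load-bearing and deserves a comment saying so.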
@@ -0,0 +1,24 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_dane");
+
+plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build"
+ if disabled("ec");
+
+plan tests => 1; # The number of tests being performed
+
+ok(run(test(["danetest", "example.com",
+ srctop_file("test", "danetest.pem"),
+ srctop_file("test", "danetest.in")])), "dane tests");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dtls.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dtls.t
new file mode 100644
index 00000000..f4a2dc03
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dtls.t
@@ -0,0 +1,20 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_dtls");
+
+plan skip_all => "No DTLS protocols are supported by this OpenSSL build"
+ if alldisabled(available_protocols("dtls"));
+
+plan tests => 1;
+
+ok(run(test(["dtlstest", srctop_file("apps", "server.pem"),
+ srctop_file("apps", "server.pem")])), "running dtlstest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dtlsv1listen.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dtlsv1listen.t
new file mode 100644
index 00000000..dd1bb35b
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_dtlsv1listen.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_dtlsv1listen", "dtlsv1listentest", "dh");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ocsp.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ocsp.t
new file mode 100644
index 00000000..e9ed7b4d
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ocsp.t
@@ -0,0 +1,219 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use POSIX;
+use File::Spec::Functions qw/devnull catfile/;
+use File::Copy;
+use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_ocsp");
+
+plan skip_all => "OCSP is not supported by this OpenSSL build"
+ if disabled("ocsp");
+
+my $ocspdir=srctop_dir("test", "ocsp-tests");
+# 17 December 2012 so we don't get certificate expiry errors.
+my @check_time=("-attime", "1355875200");
+
+sub test_ocsp {
+ my $title = shift;
+ my $inputfile = shift;
+ my $CAfile = shift;
+ my $untrusted = shift;
+ if ($untrusted eq "") {
+ $untrusted = $CAfile;
+ }
+ my $expected_exit = shift;
+
+ run(app(["openssl", "base64", "-d",
+ "-in", catfile($ocspdir,$inputfile),
+ "-out", "ocsp-resp-fff.dat"]));
+ with({ exit_checker => sub { return shift == $expected_exit; } },
+ sub { ok(run(app(["openssl", "ocsp", "-respin", "ocsp-resp-fff.dat",
+ "-partial_chain", @check_time,
+ "-CAfile", catfile($ocspdir, $CAfile),
+ "-verify_other", catfile($ocspdir, $untrusted),
+ "-no-CApath"])),
+ $title); });
+ unlink "ocsp-resp-fff.dat";
+}
+
+plan tests => 11;
+
+subtest "=== VALID OCSP RESPONSES ===" => sub {
+ plan tests => 7;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "ND1.ors", "ND1_Issuer_ICA.pem", "", 0);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "ND2.ors", "ND2_Issuer_Root.pem", "", 0);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "ND3.ors", "ND3_Issuer_Root.pem", "", 0);
+ test_ocsp("NON-DELEGATED; 3-level CA hierarchy",
+ "ND1.ors", "ND1_Cross_Root.pem", "ND1_Issuer_ICA-Cross.pem", 0);
+ test_ocsp("DELEGATED; 
Intermediate CA -> EE",
+ "D1.ors", "D1_Issuer_ICA.pem", "", 0);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "D2.ors", "D2_Issuer_Root.pem", "", 0);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "D3.ors", "D3_Issuer_Root.pem", "", 0);
+};
+
+subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub {
+ plan tests => 6;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "ISOP_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "ISOP_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "ISOP_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "ISOP_D2.ors", "D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "ISOP_D3.ors", "D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub {
+ plan tests => 6;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "WRID_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "WRID_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "WRID_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "WRID_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "WRID_D2.ors", "D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "WRID_D3.ors", "D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub {
+ plan tests => 6;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "WINH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "WINH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "WINH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+ 
test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "WINH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "WINH_D2.ors", "D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "WINH_D3.ors", "D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub {
+ plan tests => 6;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "WIKH_ND2.ors", "ND2_Issuer_Root.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "WIKH_ND3.ors", "ND3_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "WIKH_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "WIKH_D2.ors", "D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "WIKH_D3.ors", "D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
+ plan tests => 3;
+
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "WKDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "WKDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub {
+ plan tests => 3;
+
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "ISDOSC_D2.ors", "D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "ISDOSC_D3.ors", "D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub {
+ plan tests => 6;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> 
Intermediate CA",
+ "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "D1.ors", "WSNIC_D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "D2.ors", "WSNIC_D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "D3.ors", "WSNIC_D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub {
+ plan tests => 6;
+
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "ND2.ors", "WKIC_ND2_Issuer_Root.pem", "", 1);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "ND3.ors", "WKIC_ND3_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "D1.ors", "WKIC_D1_Issuer_ICA.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "D2.ors", "WKIC_D2_Issuer_Root.pem", "", 1);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "D3.ors", "WKIC_D3_Issuer_Root.pem", "", 1);
+};
+
+subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
+ plan tests => 6;
+
+ # Expect success, because we're explicitly trusting the issuer certificate. 
+ test_ocsp("NON-DELEGATED; Intermediate CA -> EE",
+ "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", "", 0);
+ test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA",
+ "ND2.ors", "ISIC_ND2_Issuer_Root.pem", "", 0);
+ test_ocsp("NON-DELEGATED; Root CA -> EE",
+ "ND3.ors", "ISIC_ND3_Issuer_Root.pem", "", 0);
+ test_ocsp("DELEGATED; Intermediate CA -> EE",
+ "D1.ors", "ISIC_D1_Issuer_ICA.pem", "", 0);
+ test_ocsp("DELEGATED; Root CA -> Intermediate CA",
+ "D2.ors", "ISIC_D2_Issuer_Root.pem", "", 0);
+ test_ocsp("DELEGATED; Root CA -> EE",
+ "D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
+};
+
+subtest "=== OCSP API TESTS===" => sub {
+ plan tests => 1;
+
+ ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
+ "running ocspapitest");
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_pkcs12.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_pkcs12.t
new file mode 100644
index 00000000..430df670
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_pkcs12.t
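Review bot: The `run(app(["openssl", "base64", "-d", ...]))` call at the top of `test_ocsp` discards its result, so a missing or undecodable `.ors` fixture leaves `ocsp-resp-fff.dat` absent or stale before `openssl ocsp` is invoked. For the subtests whose `$expected_exit` is 1 the verifier then presumably fails for the wrong reason and the `ok` still passes, which hides broken fixtures behind green negative tests. Making the decode fatal, `run(app([...])) or die "cannot decode $inputfile";`, keeps every plan count unchanged while turning a bad fixture into a visible failure. `test_ocsp` also has no header comment; one along the lines of `# test_ocsp($title, $response, $CAfile, $untrusted, $expected_exit): base64-decode $response from $ocspdir and verify it at the pinned -attime, expecting exit status $expected_exit ($untrusted defaults to $CAfile)` would document the positional arguments.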
@@ -0,0 +1,68 @@
+#! /usr/bin/env perl
+# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+use Encode;
+
+setup("test_pkcs12");
+
+plan skip_all => "The PKCS12 command line utility is not supported by this OpenSSL build"
+ if disabled("des");
+
+my $pass = "σύνθημα γνώρισμα";
+
+my $savedcp;
+if (eval { require Win32::API; 1; }) {
+ # Trouble is that Win32 perl uses CreateProcessA, which
+ # makes it problematic to pass non-ASCII arguments, from perl[!]
+ # that is. This is because CreateProcessA is just a wrapper for
+ # CreateProcessW and will call MultiByteToWideChar and use
+ # system default locale. Since we attempt Greek pass-phrase
+ # conversion can be done only with Greek locale.
+
+ Win32::API->Import("kernel32","UINT GetSystemDefaultLCID()");
+ if (GetSystemDefaultLCID() != 0x408) {
+ plan skip_all => "Non-Greek system locale";
+ } else {
+ # Ensure correct code page so that VERBOSE output is right.
+ Win32::API->Import("kernel32","UINT GetConsoleOutputCP()");
+ Win32::API->Import("kernel32","BOOL SetConsoleOutputCP(UINT cp)");
+ $savedcp = GetConsoleOutputCP();
+ SetConsoleOutputCP(1253);
+ $pass = Encode::encode("cp1253",Encode::decode("utf-8",$pass));
+ }
+} elsif ($^O eq "MSWin32") {
+ plan skip_all => "Win32::API unavailable";
+} else {
+ # Running MinGW tests transparently under Wine apparently requires
+ # UTF-8 locale... 
+
+ foreach(`locale -a`) {
+ s/\R$//;
+ if ($_ =~ m/^C\.UTF\-?8/i) {
+ $ENV{LC_ALL} = $_;
+ last;
+ }
+ }
+}
+$ENV{OPENSSL_WIN32_UTF8}=1;
+
+plan tests => 1;
+
+# just see that we can read shibboleth.pfx protected with $pass
+ok(run(app(["openssl", "pkcs12", "-noout",
+ "-password", "pass:$pass",
+ "-in", srctop_file("test", "shibboleth.pfx")])),
+ "test_pkcs12");
+
+SetConsoleOutputCP($savedcp) if (defined($savedcp));
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_new.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_new.t
new file mode 100644
index 00000000..287defe5
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_new.t
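Review bot: The `else` branch scans `locale -a` and exports `LC_ALL` on every non-MSWin32 platform, while the comment above it only explains the MinGW-under-Wine case; either narrow the condition or reword the comment, e.g. `# On non-Win32 hosts pick a C.UTF-8 locale (if one exists) so the UTF-8 passphrase reaches the child intact; observed necessary for MinGW builds run under Wine.` The passphrase is handed to the child as `-password pass:$pass`, which is visible in the process argument list to other local users; that is acceptable for this public fixture but deserves a one-line comment so the pattern is not copied into scripts handling real secrets, where the `file:` or `env:` sources avoid the exposure. `$savedcp` is restored only by the final statement, so anything that dies between `SetConsoleOutputCP(1253)` and the end of the script leaves the console code page changed; moving the restore into `END { SetConsoleOutputCP($savedcp) if defined $savedcp; }` makes it unconditional.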
@@ -0,0 +1,133 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Basename;
+use File::Compare qw/compare_text/;
+use OpenSSL::Glob;
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
+use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
+
+setup("test_ssl_new");
+
+$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
+$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+
+my @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.conf.in"));
+map { s/;.*// } @conf_srcs if $^O eq "VMS";
+my @conf_files = map { basename($_, ".in") } @conf_srcs;
+map { s/\^// } @conf_files if $^O eq "VMS";
+
+# We hard-code the number of tests to double-check that the globbing above
+# finds all files as expected.
+plan tests => 19; # = scalar @conf_srcs
+
+# Some test results depend on the configuration of enabled protocols. We only
+# verify generated sources in the default configuration.
+my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
+ !disabled("tls1_1") && !disabled("tls1_2"));
+
+my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
+
+my $no_tls = alldisabled(available_protocols("tls"));
+my $no_dtls = alldisabled(available_protocols("dtls"));
+my $no_npn = disabled("nextprotoneg");
+my $no_ct = disabled("ct");
+my $no_ec = disabled("ec");
+my $no_ec2m = disabled("ec2m");
+my $no_ocsp = disabled("ocsp");
+
+# Add your test here if the test conf.in generates test cases and/or
+# expectations dynamically based on the OpenSSL compile-time config. 
+my %conf_dependent_tests = (
+ "02-protocol-version.conf" => !$is_default_tls,
+ "04-client_auth.conf" => !$is_default_tls,
+ "07-dtls-protocol-version.conf" => !$is_default_dtls,
+ "10-resumption.conf" => !$is_default_tls,
+ "11-dtls_resumption.conf" => !$is_default_dtls,
+ "17-renegotiate.conf" => disabled("tls1_2"),
+ "18-dtls-renegotiate.conf" => disabled("dtls1_2"),
+);
+
+# Add your test here if it should be skipped for some compile-time
+# configurations. Default is $no_tls but some tests have different skip
+# conditions.
+my %skip = (
+ "07-dtls-protocol-version.conf" => $no_dtls,
+ "08-npn.conf" => $no_tls || $no_npn,
+ "10-resumption.conf" => disabled("tls1_1") || disabled("tls1_2"),
+ "11-dtls_resumption.conf" => disabled("dtls1") || disabled("dtls1_2"),
+ "12-ct.conf" => $no_tls || $no_ct || $no_ec,
+ # We could run some of these tests without TLS 1.2 if we had a per-test
+ # disable instruction but that's a bizarre configuration not worth
+ # special-casing for.
+ # We should review this once we have TLS 1.3.
+ "13-fragmentation.conf" => disabled("tls1_2"),
+ "14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m,
+ "15-certstatus.conf" => $no_tls || $no_ocsp,
+ "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
+ "18-dtls-renegotiate.conf" => $no_dtls,
+ "19-mac-then-encrypt.conf" => disabled("tls1_2"),
+);
+
+foreach my $conf (@conf_files) {
+ subtest "Test configuration $conf" => sub {
+ test_conf($conf,
+ $conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
+ defined($skip{$conf}) ? $skip{$conf} : $no_tls);
+ }
+}
+
+sub test_conf {
+ plan tests => 3;
+
+ my ($conf, $check_source, $skip) = @_;
+
+ my $conf_file = srctop_file("test", "ssl-tests", $conf);
+ my $tmp_file = "${conf}.$$.tmp";
+ my $run_test = 1;
+
+ SKIP: {
+ # "Test" 1. Generate the source.
+ my $input_file = $conf_file . 
".in";
+
+ skip 'failure', 2 unless
+ ok(run(perltest(["generate_ssl_tests.pl", $input_file],
+ interpreter_args => [ "-I", srctop_dir("util", "perl")],
+ stdout => $tmp_file)),
+ "Getting output from generate_ssl_tests.pl.");
+
+ SKIP: {
+ # Test 2. Compare against existing output in test/ssl_tests.conf.
+ skip "Skipping generated source test for $conf", 1
+ if !$check_source;
+
+ $run_test = is(cmp_text($tmp_file, $conf_file), 0,
+ "Comparing generated sources.");
+ }
+
+ # Test 3. Run the test.
+ skip "No tests available; skipping tests", 1 if $skip;
+ skip "Stale sources; skipping tests", 1 if !$run_test;
+
+ ok(run(test(["ssl_test", $tmp_file])), "running ssl_test $conf");
+ }
+
+ unlink glob $tmp_file;
+}
+
+sub cmp_text {
+ return compare_text(@_, sub {
+ $_[0] =~ s/\R//g;
+ $_[1] =~ s/\R//g;
+ return $_[0] ne $_[1];
+ });
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_old.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_old.t
new file mode 100644
index 00000000..6468bd65
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_old.t
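Review bot: The comment `# Test 2. Compare against existing output in test/ssl_tests.conf.` inside `test_conf` names a file the code never reads; the comparison is against `$conf_file`, i.e. `test/ssl-tests/$conf`, so it should read `# Test 2. Compare against the checked-in test/ssl-tests/$conf.` `unlink glob $tmp_file;` on the last line of `test_conf` pushes the temp file name through pattern expansion for no reason and would misbehave if `$conf` ever contained a space or a glob metacharacter; `unlink $tmp_file;` is the intended call. The temporary output is written into the current directory under a name built only from `$conf` and `$$`, which is presumably safe because the harness switches to a private result directory before the recipe runs, but a short comment stating that assumption next to `my $tmp_file = "${conf}.$$.tmp";` would save the next reader from checking.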
@@ -0,0 +1,629 @@ +#! /usr/bin/env perl +# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use warnings; + +use POSIX; +use File::Basename; +use File::Copy; +use OpenSSL::Test qw/:DEFAULT with bldtop_file srctop_file cmdstr/; +use OpenSSL::Test::Utils; + +setup("test_ssl"); + +$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); + +my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk, + $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, + $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) = + anydisabled qw/rsa dsa dh ec srp psk + ssl3 tls1 tls1_1 tls1_2 + dtls dtls1 dtls1_2 ct/; +my $no_anytls = alldisabled(available_protocols("tls")); +my $no_anydtls = alldisabled(available_protocols("dtls")); + +plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build" + if $no_anytls && $no_anydtls; + +my $digest = "-sha1"; +my @reqcmd = ("openssl", "req"); +my @x509cmd = ("openssl", "x509", $digest); +my @verifycmd = ("openssl", "verify"); +my @gendsacmd = ("openssl", "gendsa"); +my $dummycnf = srctop_file("apps", "openssl.cnf"); + +my $CAkey = "keyCA.ss"; +my $CAcert="certCA.ss"; +my $CAserial="certCA.srl"; +my $CAreq="reqCA.ss"; +my $CAconf=srctop_file("test","CAss.cnf"); +my $CAreq2="req2CA.ss"; # temp + +my $Uconf=srctop_file("test","Uss.cnf"); +my $Ukey="keyU.ss"; +my $Ureq="reqU.ss"; +my $Ucert="certU.ss"; + +my $Dkey="keyD.ss"; +my $Dreq="reqD.ss"; +my $Dcert="certD.ss"; + +my $Ekey="keyE.ss"; +my $Ereq="reqE.ss"; +my $Ecert="certE.ss"; + +my $P1conf=srctop_file("test","P1ss.cnf"); +my $P1key="keyP1.ss"; +my $P1req="reqP1.ss"; +my $P1cert="certP1.ss"; +my $P1intermediate="tmp_intP1.ss"; + +my $P2conf=srctop_file("test","P2ss.cnf"); +my $P2key="keyP2.ss"; +my 
$P2req="reqP2.ss"; +my $P2cert="certP2.ss"; +my $P2intermediate="tmp_intP2.ss"; + +my $server_sess="server.ss"; +my $client_sess="client.ss"; + +# ssltest_old.c is deprecated in favour of the new framework in ssl_test.c +# If you're adding tests here, you probably want to convert them to the +# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. +plan tests => + 1 # For testss + +6 # For the first testssl + ; + +subtest 'test_ss' => sub { + if (testss()) { + open OUT, ">", "intP1.ss"; + copy($CAcert, \*OUT); copy($Ucert, \*OUT); + close OUT; + + open OUT, ">", "intP2.ss"; + copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); + close OUT; + } +}; + +note('test_ssl -- key U'); +testssl("keyU.ss", $Ucert, $CAcert); + +# ----------- +# subtest functions +sub testss { + open RND, ">>", ".rnd"; + print RND "string to make the random number generator think it has entropy"; + close RND; + + my @req_dsa = ("-newkey", + "dsa:".srctop_file("apps", "dsa1024.pem")); + my $dsaparams = srctop_file("apps", "dsa1024.pem"); + my @req_new; + if ($no_rsa) { + @req_new = @req_dsa; + } else { + @req_new = ("-new"); + } + + plan tests => 17; + + SKIP: { + skip 'failure', 16 unless + ok(run(app([@reqcmd, "-config", $CAconf, + "-out", $CAreq, "-keyout", $CAkey, + @req_new])), + 'make cert request'); + + skip 'failure', 15 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", + "-req", "-out", $CAcert, "-signkey", $CAkey, + "-extfile", $CAconf, "-extensions", "v3_ca"], + stdout => "err.ss")), + 'convert request into self-signed cert'); + + skip 'failure', 14 unless + ok(run(app([@x509cmd, "-in", $CAcert, + "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], + stdout => "err.ss")), + 'convert cert into a cert request'); + + skip 'failure', 13 unless + ok(run(app([@reqcmd, "-config", $dummycnf, + "-verify", "-in", $CAreq, "-noout"])), + 'verify request 1'); + + + skip 'failure', 12 unless + ok(run(app([@reqcmd, "-config", $dummycnf, + 
"-verify", "-in", $CAreq2, "-noout"])), + 'verify request 2'); + + skip 'failure', 11 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), + 'verify signature'); + + skip 'failure', 10 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Ureq, "-keyout", $Ukey, @req_new], + stdout => "err.ss")), + 'make a user cert request'); + + skip 'failure', 9 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", + "-req", "-out", $Ucert, + "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, + "-extfile", $Uconf, "-extensions", "v3_ee"], + stdout => "err.ss")) + && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), + 'sign user cert request'); + + skip 'failure', 8 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", "-startdate", "-enddate", + "-noout", "-in", $Ucert])), + 'Certificate details'); + + skip 'failure', 7 unless + subtest 'DSA certificate creation' => sub { + plan skip_all => "skipping DSA certificate creation" + if $no_dsa; + + plan tests => 5; + + SKIP: { + $ENV{CN2} = "DSA Certificate"; + skip 'failure', 4 unless + ok(run(app([@gendsacmd, "-out", $Dkey, + $dsaparams], + stdout => "err.ss")), + "make a DSA key"); + skip 'failure', 3 unless + ok(run(app([@reqcmd, "-new", "-config", $Uconf, + "-out", $Dreq, "-key", $Dkey], + stdout => "err.ss")), + "make a DSA user cert request"); + skip 'failure', 2 unless + ok(run(app([@x509cmd, "-CAcreateserial", + "-in", $Dreq, + "-days", "30", + "-req", + "-out", $Dcert, + "-CA", $CAcert, "-CAkey", $CAkey, + "-CAserial", $CAserial, + "-extfile", $Uconf, + "-extensions", "v3_ee_dsa"], + stdout => "err.ss")), + "sign DSA user cert request"); + skip 'failure', 1 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), + "verify DSA user cert"); + skip 'failure', 0 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", + "-startdate", "-enddate", "-noout", + "-in", $Dcert])), + "DSA Certificate details"); + } + }; + + skip 'failure', 6 unless + subtest 'ECDSA/ECDH 
certificate creation' => sub { + plan skip_all => "skipping ECDSA/ECDH certificate creation" + if $no_ec; + + plan tests => 5; + + SKIP: { + $ENV{CN2} = "ECDSA Certificate"; + skip 'failure', 4 unless + ok(run(app(["openssl", "ecparam", "-name", "P-256", + "-out", "ecp.ss"])), + "make EC parameters"); + skip 'failure', 3 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Ereq, "-keyout", $Ekey, + "-newkey", "ec:ecp.ss"], + stdout => "err.ss")), + "make a ECDSA/ECDH user cert request"); + skip 'failure', 2 unless + ok(run(app([@x509cmd, "-CAcreateserial", + "-in", $Ereq, + "-days", "30", + "-req", + "-out", $Ecert, + "-CA", $CAcert, "-CAkey", $CAkey, + "-CAserial", $CAserial, + "-extfile", $Uconf, + "-extensions", "v3_ee_ec"], + stdout => "err.ss")), + "sign ECDSA/ECDH user cert request"); + skip 'failure', 1 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), + "verify ECDSA/ECDH user cert"); + skip 'failure', 0 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", + "-startdate", "-enddate", "-noout", + "-in", $Ecert])), + "ECDSA Certificate details"); + } + }; + + skip 'failure', 5 unless + ok(run(app([@reqcmd, "-config", $P1conf, + "-out", $P1req, "-keyout", $P1key, @req_new], + stdout => "err.ss")), + 'make a proxy cert request'); + + + skip 'failure', 4 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", + "-req", "-out", $P1cert, + "-CA", $Ucert, "-CAkey", $Ukey, + "-extfile", $P1conf, "-extensions", "v3_proxy"], + stdout => "err.ss")), + 'sign proxy with user cert'); + + copy($Ucert, $P1intermediate); + run(app([@verifycmd, "-CAfile", $CAcert, + "-untrusted", $P1intermediate, $P1cert])); + ok(run(app([@x509cmd, + "-subject", "-issuer", "-startdate", "-enddate", + "-noout", "-in", $P1cert])), + 'Certificate details'); + + skip 'failure', 2 unless + ok(run(app([@reqcmd, "-config", $P2conf, + "-out", $P2req, "-keyout", $P2key, + @req_new], + stdout => "err.ss")), + 'make another proxy cert request'); + + + skip 
'failure', 1 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", + "-req", "-out", $P2cert, + "-CA", $P1cert, "-CAkey", $P1key, + "-extfile", $P2conf, "-extensions", "v3_proxy"], + stdout => "err.ss")), + 'sign second proxy cert request with the first proxy cert'); + + + open OUT, ">", $P2intermediate; + copy($Ucert, \*OUT); copy($P1cert, \*OUT); + close OUT; + run(app([@verifycmd, "-CAfile", $CAcert, + "-untrusted", $P2intermediate, $P2cert])); + ok(run(app([@x509cmd, + "-subject", "-issuer", "-startdate", "-enddate", + "-noout", "-in", $P2cert])), + 'Certificate details'); + } +} + +sub testssl { + my ($key, $cert, $CAtmp) = @_; + my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); + + my @ssltest = ("ssltest_old", + "-s_key", $key, "-s_cert", $cert, + "-c_key", $key, "-c_cert", $cert); + + my $serverinfo = srctop_file("test","serverinfo.pem"); + + my $dsa_cert = 0; + if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, + "-text", "-noout"]), capture => 1)) { + $dsa_cert = 1; + } + + + # plan tests => 11; + + subtest 'standard SSL tests' => sub { + ###################################################################### + plan tests => 21; + + SKIP: { + skip "SSLv3 is not supported by this OpenSSL build", 4 + if disabled("ssl3"); + + ok(run(test([@ssltest, "-bio_pair", "-ssl3"])), + 'test sslv3 via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])), + 'test sslv3 with server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])), + 'test sslv3 with client authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])), + 'test sslv3 with both server and client authentication via BIO pair'); + } + + SKIP: { + skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1 + if $no_anytls; + + ok(run(test([@ssltest, "-bio_pair"])), + 'test sslv2/sslv3 via BIO 
pair'); + } + + SKIP: { + skip "DTLSv1 is not supported by this OpenSSL build", 4 + if disabled("dtls1"); + + ok(run(test([@ssltest, "-dtls1"])), + 'test dtlsv1'); + ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])), + 'test dtlsv1 with server authentication'); + ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])), + 'test dtlsv1 with client authentication'); + ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])), + 'test dtlsv1 with both server and client authentication'); + } + + SKIP: { + skip "DTLSv1.2 is not supported by this OpenSSL build", 4 + if disabled("dtls1_2"); + + ok(run(test([@ssltest, "-dtls12"])), + 'test dtlsv1.2'); + ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])), + 'test dtlsv1.2 with server authentication'); + ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])), + 'test dtlsv1.2 with client authentication'); + ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])), + 'test dtlsv1.2 with both server and client authentication'); + } + + SKIP: { + skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 + if $no_anytls; + + SKIP: { + skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; + + ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])), + 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); + } + + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), + 'test sslv2/sslv3 with server authentication'); + ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), + 'test sslv2/sslv3 with client authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])), + 'test sslv2/sslv3 with both client and server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), + 'test sslv2/sslv3 with both client and server 
authentication via BIO pair and app verify'); + + SKIP: { + skip "No IPv4 available on this machine", 1 + unless !disabled("sock") && have_IPv4(); + ok(run(test([@ssltest, "-ipv4"])), + 'test TLS via IPv4'); + } + + SKIP: { + skip "No IPv6 available on this machine", 1 + unless !disabled("sock") && have_IPv6(); + ok(run(test([@ssltest, "-ipv6"])), + 'test TLS via IPv6'); + } + } + }; + + subtest "Testing ciphersuites" => sub { + + my @exkeys = (); + my $ciphers = "-PSK:-SRP"; + + if ($no_dh) { + note "skipping DHE tests\n"; + $ciphers .= ":-kDHE"; + } + if ($no_dsa) { + note "skipping DSA tests\n"; + $ciphers .= ":-aDSA"; + } else { + push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; + } + + if ($no_ec) { + note "skipping EC tests\n"; + $ciphers .= ":!aECDSA:!kECDH"; + } else { + push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; + } + + my @protocols = (); + # We only use the flags that ssltest_old understands + push @protocols, "-tls1_2" unless $no_tls1_2; + push @protocols, "-tls1" unless $no_tls1; + push @protocols, "-ssl3" unless $no_ssl3; + my $protocolciphersuitecount = 0; + my %ciphersuites = (); + foreach my $protocol (@protocols) { + $ciphersuites{$protocol} = + [ map { s|\R||; split(/:/, $_) } + run(app(["openssl", "ciphers", "-s", $protocol, + "ALL:$ciphers"]), capture => 1) ]; + $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; + } + + plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" + if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; + + # The count of protocols is because in addition to the ciphersuits + # we got above, we're running a weak DH test for each protocol + plan tests => $protocolciphersuitecount + scalar(keys %ciphersuites); + + foreach my $protocol (sort keys %ciphersuites) { + note "Testing ciphersuites for $protocol"; + # ssltest_old doesn't know -tls1_2, but that's fine, since that's + # the default choice if TLSv1.2 enabled + my $flag = $protocol eq 
"-tls1_2" ? "" : $protocol; + foreach my $cipher (@{$ciphersuites{$protocol}}) { + if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { + note "*****SKIPPING $protocol $cipher"; + ok(1); + } else { + ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, + $flag || ()])), + "Testing $cipher"); + } + } + is(run(test([@ssltest, + "-s_cipher", "EDH", + "-c_cipher", 'EDH:@SECLEVEL=1', + "-dhe512", + $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0, + "testing connection with weak DH, expecting failure"); + } + }; + + subtest 'RSA/(EC)DHE/PSK tests' => sub { + ###################################################################### + + plan tests => 5; + + SKIP: { + skip "TLSv1.0 is not supported by this OpenSSL build", 5 + if $no_tls1; + + SKIP: { + skip "skipping anonymous DH tests", 1 + if ($no_dh); + + ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])), + 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); + } + + SKIP: { + skip "skipping RSA tests", 2 + if $no_rsa; + + ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])), + 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); + + skip "skipping RSA+DHE tests", 1 + if $no_dh; + + ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])), + 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); + } + + SKIP: { + skip "skipping PSK tests", 2 + if ($no_psk); + + ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])), + 'test tls1 with PSK'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), + 'test tls1 with PSK via BIO pair'); + } + } + + }; + + subtest 'Custom Extension tests' => sub { + ###################################################################### + + plan tests => 1; + + SKIP: { + 
skip "TLSv1.0 is not supported by this OpenSSL build", 1 + if $no_tls1; + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), + 'test tls1 with custom extensions'); + } + }; + + subtest 'Serverinfo tests' => sub { + ###################################################################### + + plan tests => 5; + + SKIP: { + skip "TLSv1.0 is not supported by this OpenSSL build", 5 + if $no_tls1; + + note('echo test tls1 with serverinfo'); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); + } + }; + + subtest 'SRP tests' => sub { + + plan tests => 4; + + SKIP: { + skip "skipping SRP tests", 4 + if $no_srp || alldisabled(grep !/^ssl3/, available_protocols("tls")); + + ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP via BIO pair'); + + ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP auth'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP auth via BIO pair'); + } + }; +} + +unlink $CAkey; +unlink $CAcert; +unlink $CAserial; +unlink $CAreq; +unlink $CAreq2; + +unlink $Ukey; +unlink $Ureq; +unlink $Ucert; +unlink basename($Ucert, '.ss').'.srl'; + +unlink $Dkey; +unlink $Dreq; +unlink $Dcert; + +unlink $Ekey; 
+unlink $Ereq;
+unlink $Ecert;
+
+unlink $P1key;
+unlink $P1req;
+unlink $P1cert;
+unlink basename($P1cert, '.ss').'.srl';
+unlink $P1intermediate;
+unlink "intP1.ss";
+
+unlink $P2key;
+unlink $P2req;
+unlink $P2cert;
+unlink $P2intermediate;
+unlink "intP2.ss";
+
+unlink "ecp.ss";
+unlink "err.ss";
+
+unlink $server_sess;
+unlink $client_sess;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_test_ctx.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_test_ctx.t
new file mode 100644
index 00000000..c5934910
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_ssl_test_ctx.t
@@ -0,0 +1,19 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_ssl_test_ctx");
+
+plan tests => 1;
+ok(run(test(["ssl_test_ctx_test", srctop_file("test", "ssl_test_ctx_test.conf")])),
+ "running ssl_test_ctx_test ssl_test_ctx_test.conf");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_sslcorrupt.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_sslcorrupt.t
new file mode 100644
index 00000000..53f8a822
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_sslcorrupt.t
@@ -0,0 +1,20 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_sslcorrupt");
+
+plan skip_all => "No TLS protocols are supported by this OpenSSL build"
+ if alldisabled(available_protocols("tls"));
+
+plan tests => 1;
+
+ok(run(test(["sslcorrupttest", srctop_file("apps", "server.pem"),
+ srctop_file("apps", "server.pem")])), "running sslcorrupttest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_tsa.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_tsa.t
new file mode 100644
index 00000000..3ba14d46
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_tsa.t
@@ -0,0 +1,207 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use POSIX;
+use File::Spec::Functions qw/splitdir curdir catfile/;
+use File::Compare;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_tsa");
+
+plan skip_all => "TS is not supported by this OpenSSL build"
+ if disabled("ts");
+
+# All these are modified inside indir further down. They need to exist
+# here, however, to be available in all subroutines.
+my $openssl_conf;
+my $testtsa;
+my $CAtsa;
+my @RUN;
+
+sub create_tsa_cert {
+ my $INDEX = shift;
+ my $EXT = shift;
+ my $r = 1;
+ $ENV{TSDNSECT} = "ts_cert_dn";
+
+ ok(run(app(["openssl", "req", "-config", $openssl_conf, "-new",
+ "-out", "tsa_req${INDEX}.pem",
+ "-keyout", "tsa_key${INDEX}.pem"])));
+ note "using extension $EXT";
+ ok(run(app(["openssl", "x509", "-req",
+ "-in", "tsa_req${INDEX}.pem",
+ "-out", "tsa_cert${INDEX}.pem",
+ "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem",
+ "-CAcreateserial",
+ "-extfile", $openssl_conf, "-extensions", $EXT])));
+}
+
+sub create_time_stamp_response {
+ my $queryfile = shift;
+ my $outputfile = shift;
+ my $datafile = shift;
+
+ ok(run(app([@RUN, "-reply", "-section", "$datafile",
+ "-queryfile", "$queryfile", "-out", "$outputfile"])));
+}
+
+sub verify_time_stamp_response {
+ my $queryfile = shift;
+ my $inputfile = shift;
+ my $datafile = shift;
+
+ ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+ "-in", "$inputfile", "-CAfile", "tsaca.pem",
+ "-untrusted", "tsa_cert1.pem"])));
+ ok(run(app([@RUN, "-verify", "-data", "$datafile",
+ "-in", "$inputfile", "-CAfile", "tsaca.pem",
+ "-untrusted", "tsa_cert1.pem"])));
+}
+
+sub verify_time_stamp_response_fail {
+ my $queryfile = shift;
+ my $inputfile = shift;
+
+ ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile",
+ "-in", "$inputfile", "-CAfile", "tsaca.pem",
+ "-untrusted", "tsa_cert1.pem"])));
+}
+
+# main functions
+
+plan tests => 20;
+
+note "setting up TSA test directory";
+indir "tsa" => sub
+{
+ $openssl_conf = srctop_file("test", "CAtsa.cnf");
+ $testtsa = srctop_file("test", "recipes", "80-test_tsa.t");
+ $CAtsa = srctop_file("test", "CAtsa.cnf");
+ @RUN = ("openssl", "ts", "-config", $openssl_conf);
+
+ # ../apps/CA.pl needs these
+ $ENV{OPENSSL_CONFIG} = "-config $openssl_conf";
+ $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);
+
+ SKIP: {
+ $ENV{TSDNSECT} = "ts_ca_dn";
+ skip "failed", 19
+ unless ok(run(app(["openssl", "req", "-config", $openssl_conf,
+ "-new", "-x509", "-nodes",
+ "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])),
+ 'creating a new CA for the TSA tests');
+
+ skip "failed", 18
+ unless subtest 'creating tsa_cert1.pem TSA server cert' => sub {
+ create_tsa_cert("1", "tsa_cert")
+ };
+
+ skip "failed", 17
+ unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub {
+ create_tsa_cert("2", "non_tsa_cert")
+ };
+
+ skip "failed", 16
+ unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+ "-tspolicy", "tsa_policy1", "-cert",
+ "-out", "req1.tsq"])),
+ 'creating req1.req time stamp request for file testtsa');
+
+ ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])),
+ 'printing req1.req');
+
+ subtest 'generating valid response for req1.req' => sub {
+ create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1")
+ };
+
+ ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])),
+ 'printing response');
+
+ subtest 'verifying valid response' => sub {
+ verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa)
+ };
+
+ skip "failed", 11
+ unless subtest 'verifying valid token' => sub {
+ ok(run(app([@RUN, "-reply", "-in", "resp1.tsr",
+ "-out", "resp1.tsr.token", "-token_out"])));
+ ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq",
+ "-in", "resp1.tsr.token", "-token_in",
+ "-CAfile", "tsaca.pem",
+ "-untrusted", "tsa_cert1.pem"])));
+ ok(run(app([@RUN, "-verify", "-data", $testtsa,
+ "-in", "resp1.tsr.token", "-token_in",
+ "-CAfile", "tsaca.pem",
+ "-untrusted", "tsa_cert1.pem"])));
+ };
+
+ skip "failed", 10
+ unless ok(run(app([@RUN, "-query", "-data", $testtsa,
+ "-tspolicy", "tsa_policy2", "-no_nonce",
+ "-out", "req2.tsq"])),
+ 'creating req2.req time stamp request for file testtsa');
+
+ ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])),
+ 'printing req2.req');
+
+ skip "failed", 8
+ unless subtest 'generating valid response for req2.req' => sub {
+ create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1")
+ };
+
+ skip "failed", 7
+ unless subtest 'checking -token_in and -token_out options with -reply' => sub {
+ my $RESPONSE2="resp2.tsr.copy.tsr";
+ my $TOKEN_DER="resp2.tsr.token.der";
+
+ ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+ "-out", "$TOKEN_DER", "-token_out"])));
+ ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+ "-token_in", "-out", "$RESPONSE2"])));
+ is(compare($RESPONSE2, "resp2.tsr"), 0);
+ ok(run(app([@RUN, "-reply", "-in", "resp2.tsr",
+ "-text", "-token_out"])));
+ ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER",
+ "-token_in", "-text", "-token_out"])));
+ ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq",
+ "-text", "-token_out"])));
+ };
+
+ ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])),
+ 'printing response');
+
+ subtest 'verifying valid response' => sub {
+ verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa)
+ };
+
+ subtest 'verifying response against wrong request, it should fail' => sub {
+ verify_time_stamp_response_fail("req1.tsq", "resp2.tsr")
+ };
+
+ subtest 'verifying response against wrong request, it should fail' => sub {
+ verify_time_stamp_response_fail("req2.tsq", "resp1.tsr")
+ };
+
+ skip "failure", 2
+ unless ok(run(app([@RUN, "-query", "-data", $CAtsa,
+ "-no_nonce", "-out", "req3.tsq"])),
+ "creating req3.req time stamp request for file CAtsa.cnf");
+
+ ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])),
+ 'printing req3.req');
+
+ subtest 'verifying response against wrong request, it should fail' => sub {
+ verify_time_stamp_response_fail("req3.tsq", "resp1.tsr")
+ };
+ }
+}, create => 1, cleanup => 1
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_x509aux.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_x509aux.t
new file mode 100644
index 00000000..65ba5fcf
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/80-test_x509aux.t
@@ -0,0 +1,27 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_x509aux");
+
+plan skip_all => "test_dane uses ec which is not supported by this OpenSSL build"
+ if disabled("ec");
+
+plan tests => 1; # The number of tests being performed
+
+ok(run(test(["x509aux",
+ srctop_file("test", "certs", "roots.pem"),
+ srctop_file("test", "certs", "root+anyEKU.pem"),
+ srctop_file("test", "certs", "root-anyEKU.pem"),
+ srctop_file("test", "certs", "root-cert.pem")]
+ )), "x509aux tests");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_async.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_async.t
new file mode 100644
index 00000000..e0f18706
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_async.t
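Review bot: `verify_time_stamp_response_fail` passes on any non-zero exit from `openssl ts -verify`, so the three "it should fail" subtests cannot distinguish a rejected timestamp from a broken invocation (missing file, bad option); if this version of OpenSSL::Test lets `app()` redirect stderr, match the expected verification error, and otherwise record the assumption above the `ok(!run(...))` with `# Any failure passes here; the same response was already verified positively above, so a bad invocation would have failed there first.` The `# ../apps/CA.pl needs these` comment sets `$ENV{OPENSSL_CONFIG}` to `"-config $openssl_conf"`, yet nothing in this file invokes CA.pl and a config path containing whitespace would be split by whatever consumes that string, so the comment should name the consumer or the assignment should go. `my $r = 1;` in `create_tsa_cert` is unused and can be dropped.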
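Review bot: The `plan skip_all` message says `test_dane uses ec ...` but this recipe is test_x509aux, so a skipped run reports the wrong test in the TAP output; change it to `plan skip_all => "test_x509aux uses ec which is not supported by this OpenSSL build"`. The `# The number of tests being performed` comment on `plan tests => 1;` restates the code and can be dropped.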
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_async", "asynctest", "async");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_bio_enc.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_bio_enc.t
new file mode 100644
index 00000000..aa7e42a8
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_bio_enc.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_bio_enc", "bio_enc_test", "bio_enc");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_bioprint.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_bioprint.t
new file mode 100644
index 00000000..b86e828f
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_bioprint.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_bioprint", "bioprinttest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_constant_time.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_constant_time.t
new file mode 100644
index 00000000..6fa73bf1
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_constant_time.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_constant_time", "constant_time_test");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_fatalerr.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_fatalerr.t
new file mode 100644
index 00000000..361bc1f3
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_fatalerr.t
@@ -0,0 +1,21 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_fatalerr");
+
+plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
+ if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
+
+plan tests => 1;
+
+ok(run(test(["fatalerrtest", srctop_file("apps", "server.pem"),
+ srctop_file("apps", "server.pem")])), "running fatalerrtest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_fuzz.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_fuzz.t
new file mode 100644
index 00000000..d1529257
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_fuzz.t
@@ -0,0 +1,40 @@
+#!/usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+use if $^O ne "VMS", 'File::Glob' => qw/glob/;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_fuzz");
+
+my @fuzzers = ('asn1', 'asn1parse', 'bignum', 'bndiv', 'conf', 'crl', 'server', 'x509');
+if (!disabled("cms")) {
+ push @fuzzers, 'cms';
+}
+if (!disabled("ct")) {
+ push @fuzzers, 'ct';
+}
+plan tests => scalar @fuzzers;
+
+foreach my $f (@fuzzers) {
+ subtest "Fuzzing $f" => sub {
+ my @files = glob(srctop_file('fuzz', 'corpora', $f, '*'));
+ push @files, glob(srctop_file('fuzz', 'corpora', "$f-*", '*'));
+
+ plan skip_all => "No corpora for $f-test" unless @files;
+
+ plan tests => scalar @files;
+
+ foreach (@files) {
+ ok(run(fuzz(["$f-test", $_])));
+ }
+ }
+}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_gmdiff.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_gmdiff.t
new file mode 100644
index 00000000..f2cce41a
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_gmdiff.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_gmdiff", "gmdifftest");
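Review bot: The corpora lookup depends on `glob()` imported from File::Glob, and with the plain `glob` import the pattern is, as far as I recall, split on whitespace, so a source tree whose path contains a space finds no files and every subtest silently skips with "No corpora" instead of failing; importing the BSD variant with `use if $^O ne "VMS", 'File::Glob' => qw/:bsd_glob/;` avoids the splitting. The inner loop also carries each corpus file in `$_` across the `run(fuzz(...))` call and gives `ok()` no description, which makes a failing file hard to identify in TAP output; `foreach my $corpus (@files) { ok(run(fuzz(["$f-test", $corpus])), "fuzzing $f with $corpus"); }` names both. Because a missing corpora directory looks the same as an intentionally empty one, a `note` naming the directory that was searched would help when fuzz coverage unexpectedly drops.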
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_heartbeat.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_heartbeat.t
new file mode 100644
index 00000000..90d6a67b
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_heartbeat.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_heartbeat", "heartbeat_test", "heartbeats");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_ige.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_ige.t
new file mode 100644
index 00000000..2ab4bd25
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_ige.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_ige", "igetest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_memleak.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_memleak.t
new file mode 100644
index 00000000..52357c74
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_memleak.t
@@ -0,0 +1,15 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test;
+
+setup("test_memleak");
+plan tests => 2;
+ok(run(test(["memleaktest"])), "running leak test");
+ok(run(test(["memleaktest", "freeit"])), "running no leak test");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_p5_crpt2.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_p5_crpt2.t
new file mode 100644
index 00000000..710dc8ba
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_p5_crpt2.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_p5_crpt2", "p5_crpt2_test");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_secmem.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_secmem.t
new file mode 100644
index 00000000..d197c48a
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_secmem.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_secmem", "secmemtest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_shlibload.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_shlibload.t
new file mode 100644
index 00000000..aa8d98de
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_shlibload.t
@@ -0,0 +1,38 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
+use OpenSSL::Test::Utils;
+
+#Load configdata.pm
+
+BEGIN {
+ setup("test_shlibload");
+}
+use lib bldtop_dir('.');
+use configdata;
+
+plan skip_all => "Test only supported in a shared build" if disabled("shared");
+
+plan tests => 3;
+
+my $libcrypto_idx = $unified_info{rename}->{libcrypto} // "libcrypto";
+my $libssl_idx = $unified_info{rename}->{libssl} // "libssl";
+my $libcrypto =
+ $unified_info{sharednames}->{$libcrypto_idx}.$target{shared_extension_simple};
+my $libssl =
+ $unified_info{sharednames}->{$libssl_idx}.$target{shared_extension_simple};
+
+ok(run(test(["shlibloadtest", "-crypto_first", $libcrypto, $libssl])),
+ "running shlibloadtest -crypto_first");
+ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl])),
+ "running shlibloadtest -ssl_first");
+ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])),
+ "running shlibloadtest -just_crypto");
+
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_srp.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_srp.t
new file mode 100644
index 00000000..7026c358
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_srp.t
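Review bot: `$unified_info{sharednames}->{$libcrypto_idx}` and its libssl counterpart are concatenated with `$target{shared_extension_simple}` without checking they exist, so a configdata lacking those entries turns `$libcrypto` into the bare extension and shlibloadtest fails with a confusing load error instead of a clear diagnostic; a guard placed before `plan tests => 3`, `plan skip_all => "No shared library names in configdata" unless defined $unified_info{sharednames}->{$libcrypto_idx} && defined $unified_info{sharednames}->{$libssl_idx};`, makes the precondition explicit. The `BEGIN { setup(...) }` block is unusual for these recipes; presumably it exists because `use lib bldtop_dir('.')` runs at compile time and needs setup() to have happened first, which a comment such as `# setup() must run at compile time: 'use lib bldtop_dir(...)' below depends on it` would record for the next reader. `#Load configdata.pm` lacks the space after `#` used elsewhere in these files, and the hunk ends with a stray trailing blank line.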
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_srp", "srptest", "srp");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_sslapi.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_sslapi.t
new file mode 100644
index 00000000..efaae3b7
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_sslapi.t
@@ -0,0 +1,21 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_sslapi");
+
+plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
+ if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
+
+plan tests => 1;
+
+ok(run(test(["sslapitest", srctop_file("apps", "server.pem"),
+ srctop_file("apps", "server.pem")])), "running sslapitest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_threads.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_threads.t
new file mode 100644
index 00000000..56d53386
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_threads.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_threads", "threadstest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_v3name.t b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_v3name.t
new file mode 100644
index 00000000..2e144e5a
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/90-test_v3name.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_v3name", "v3nametest");
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/bc.pl b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/bc.pl
new file mode 100644
index 00000000..dbb5842b
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/bc.pl
@@ -0,0 +1,113 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use Math::BigInt;
+
+sub calc {
+ @_ = __adder(@_);
+ if (scalar @_ != 1) { return "NaN"; }
+ return shift;
+}
+
+sub __canonhex {
+ my ($sign, $hex) = (shift =~ /^([+\-]?)(.*)$/);
+ $hex = "0x".$hex if $hex !~ /^0x/;
+ return $sign.$hex;
+}
+
+sub __adder {
+ @_ = __multiplier(@_);
+ while (scalar @_ > 1 && $_[1] =~ /^[\+\-]$/) {
+ my $operand1 = Math::BigInt->from_hex(__canonhex(shift));
+ my $operator = shift;
+ @_ = __multiplier(@_);
+ my $operand2 = Math::BigInt->from_hex(__canonhex(shift));
+ if ($operator eq "+") {
+ $operand1->badd($operand2);
+ } elsif ($operator eq "-") {
+ $operand1->bsub($operand2);
+ } else {
+ die "SOMETHING WENT AWFULLY WRONG";
+ }
+ unshift @_, $operand1->as_hex();
+ }
+ return @_;
+}
+
+sub __multiplier {
+ @_ = __power(@_);
+ while (scalar @_ > 1 && $_[1] =~ /^[\*\/%]$/) {
+ my $operand1 = Math::BigInt->from_hex(__canonhex(shift));
+ my $operator = shift;
+ @_ = __power(@_);
+ my $operand2 = Math::BigInt->from_hex(__canonhex(shift));
+ if ($operator eq "*") {
+ $operand1->bmul($operand2);
+ } elsif ($operator eq "/") {
+ # Math::BigInt->bdiv() is documented to do floored division,
+ # i.e. 1 / -4 = -1, while bc and OpenSSL BN_div do truncated
+ # division, i.e. 1 / -4 = 0. We need to make the operation
+ # work like OpenSSL's BN_div to be able to verify.
+ my $neg = ($operand1->is_neg()
+ ? !$operand2->is_neg() : $operand2->is_neg());
+ $operand1->babs();
+ $operand2->babs();
+ $operand1->bdiv($operand2);
+ if ($neg) { $operand1->bneg(); }
+ } elsif ($operator eq "%") {
+ # Here's a bit of a quirk...
+ # With OpenSSL's BN, as well as bc, the result of -10 % 3 is -1
+ # while Math::BigInt, the result is 2.
+ # The latter is mathematically more correct, but...
+ my $o1isneg = $operand1->is_neg();
+ $operand1->babs();
+ # Math::BigInt does something different with a negative modulus,
+ # while OpenSSL's BN and bc treat it like a positive number...
+ $operand2->babs();
+ $operand1->bmod($operand2);
+ if ($o1isneg) { $operand1->bneg(); }
+ } else {
+ die "SOMETHING WENT AWFULLY WRONG";
+ }
+ unshift @_, $operand1->as_hex();
+ }
+ return @_;
+}
+
+sub __power {
+ @_ = __paren(@_);
+ while (scalar @_ > 1 && $_[1] eq "^") {
+ my $operand1 = Math::BigInt->from_hex(__canonhex(shift));
+ shift;
+ @_ = __paren(@_);
+ my $operand2 = Math::BigInt->from_hex(__canonhex(shift));
+ $operand1->bpow($operand2);
+ unshift @_, $operand1->as_hex();
+ }
+ return @_;
+}
+
+# returns array ( $result, @remaining )
+sub __paren {
+ if (scalar @_ > 0 && $_[0] eq "(") {
+ shift;
+ my @result = __adder(@_);
+ if (scalar @_ == 0 || $_[0] ne ")") {
+ return ("NaN");
+ }
+ shift;
+ return @result;
+ }
+ return @_;
+}
+
+1;
diff --git a/CryptoPkg/Library/OpensslLib/openssl/test/recipes/tconversion.pl b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/tconversion.pl
new file mode 100644
index 00000000..1cf68dc0
--- /dev/null
+++ b/CryptoPkg/Library/OpensslLib/openssl/test/recipes/tconversion.pl
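Review bot: `__paren` looks for the closing parenthesis in the wrong array: `__adder(@_)` receives its own copy of the argument list, so the `shift`s inside it never touch `__paren`'s `@_`, and after the call `$_[0]` is still the first token inside the parentheses; `$_[0] ne ")"` is therefore true for every non-empty parenthesised expression and `calc` yields "NaN" for a token list such as `(`, `0x1`, `)`. The unconsumed tokens come back in `@result` after the value (as the `# returns array ( $result, @remaining )` comment says), so that is where `)` has to be checked and removed; no recipe in this diff visibly passes parentheses, so the defect may be latent today. Separately, `__canonhex` and the operator regexes anchor with `^`/`$`, which lets a trailing newline through to `from_hex`, where `\A`/`\z` would be tighter; the two `die "SOMETHING WENT AWFULLY WRONG"` branches deserve a `# unreachable: the while condition only admits these operators` comment. A header comment on `calc` should state the input contract: a pre-tokenised list of optionally signed hex literals (with or without `0x`) and the operators `+ - * / % ^ ( )`, returning a `0x`-prefixed hex string or "NaN".
```perl
# returns array ( $result, @remaining )
sub __paren {
    if (scalar @_ > 0 && $_[0] eq "(") {
        shift;
        my ($result, @remaining) = __adder(@_);
        # The closing parenthesis is the first token __adder left unconsumed.
        if (scalar @remaining == 0 || $remaining[0] ne ")") {
            return ("NaN");
        }
        shift @remaining;
        return ($result, @remaining);
    }
    return @_;
}
```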
@@ -0,0 +1,105 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Compare qw/compare_text/;
+use File::Copy;
+use OpenSSL::Test qw/:DEFAULT/;
+
+my %conversionforms = (
+ # Default conversion forms. Other series may be added with
+ # specific test types as key.
+ "*" => [ "d", "p" ],
+ "msb" => [ "d", "p", "msblob" ],
+ );
+sub tconversion {
+ my $testtype = shift;
+ my $t = shift;
+ my @conversionforms =
+ defined($conversionforms{$testtype}) ?
+ @{$conversionforms{$testtype}} :
+ @{$conversionforms{"*"}};
+ my @openssl_args = @_;
+ if (!@openssl_args) { @openssl_args = ($testtype); }
+
+ my $n = scalar @conversionforms;
+ my $totaltests =
+ 1 # for initializing
+ + $n # initial conversions from p to all forms (A)
+ + $n*$n # conversion from result of A to all forms (B)
+ + 1 # comparing original test file to p form of A
+ + $n*($n-1); # comparing first conversion to each form in A with B
+ $totaltests-- if ($testtype eq "p7d"); # no comparison of original test file
+ plan tests => $totaltests;
+
+ my @cmd = ("openssl", @openssl_args);
+
+ my $init;
+ if (scalar @openssl_args > 0 && $openssl_args[0] eq "pkey") {
+ $init = ok(run(app([@cmd, "-in", $t, "-out", "$testtype-fff.p"])),
+ 'initializing');
+ } else {
+ $init = ok(copy($t, "$testtype-fff.p"), 'initializing');
+ }
+ if (!$init) {
+ diag("Trying to copy $t to $testtype-fff.p : $!");
+ }
+
+ SKIP: {
+ skip "Not initialized, skipping...", 22 unless $init;
+
+ foreach my $to (@conversionforms) {
+ ok(run(app([@cmd,
+ "-in", "$testtype-fff.p",
+ "-inform", "p",
+ "-out", "$testtype-f.$to",
+ "-outform", $to])),
+ "p -> $to");
+ }
+
+ foreach my $to (@conversionforms) {
+ foreach my $from (@conversionforms) {
+ ok(run(app([@cmd,
+ "-in", "$testtype-f.$from",
+ "-inform", $from,
+ "-out", "$testtype-ff.$from$to",
+ "-outform", $to])),
+ "$from -> $to");
+ }
+ }
+
+ if ($testtype ne "p7d") {
+ is(cmp_text("$testtype-fff.p", "$testtype-f.p"), 0,
+ 'comparing orig to p');
+ }
+
+ foreach my $to (@conversionforms) {
+ next if $to eq "d";
+ foreach my $from (@conversionforms) {
+ is(cmp_text("$testtype-f.$to", "$testtype-ff.$from$to"), 0,
+ "comparing $to to $from$to");
+ }
+ }
+ }
+ unlink glob "$testtype-f.*";
+ unlink glob "$testtype-ff.*";
+ unlink glob "$testtype-fff.*";
+}
+
+sub cmp_text {
+ return compare_text(@_, sub {
+ $_[0] =~ s/\R//g;
+ $_[1] =~ s/\R//g;
+ return $_[0] ne $_[1];
+ });
+}
+
+1; |
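Review bot: The hard-coded count in `skip "Not initialized, skipping...", 22 unless $init;` does not agree with the plan computed a few lines above it: with the visible `%conversionforms` the plan is 10 tests for the default forms and 20 for `msb` (one fewer for `p7d`), so the block holds 9, 19 or 8 tests and never 22, and a failed initialization turns into a plan mismatch instead of a clean skip; `skip "Not initialized, skipping...", $totaltests - 1 unless $init;` keeps the two in step. The `diag("Trying to copy $t to $testtype-fff.p : $!")` message is also emitted on the `pkey` branch, where no copy happened and `$!` has no relation to the failed `openssl` run, so the text and the errno are misleading there. The three `unlink glob` calls run only when the sub returns normally, so a `die` inside the SKIP block leaves the `$testtype-f*` scratch files behind for the next run to trip over.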
