2 # Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
# Digest flag for the openssl commands.
# NOTE(review): the places where $digest is passed are not visible in this
# excerpt. SHA-1 is no longer collision-resistant, so this choice should stay
# confined to short-lived test certificates.
42 my $digest = "-sha1";
# Request/extension config and private keys are taken from the source tree
# (test/ and test/certs). These keys are published with the repository, so
# they are test fixtures only. The trailing comments presumably name the
# older .ss key files these replaced -- confirm against the file history.
49 my $cnf = srctop_file("test", "ca-and-certs.cnf");
50 my $CAkey = srctop_file("test", "certs", "ca-key.pem"); # "keyCA.ss"
55 my $Ukey = srctop_file("test", "certs", "ee-key.pem"); # "keyU.ss";
66 my $P1key= srctop_file("test", "certs", "alt1-key.pem"); # "keyP1.ss";
70 my $P2key= srctop_file("test", "certs", "alt2-key.pem"); # "keyP2.ss";
80 # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
85 + 1 # For security level 0 failure tests
100 note('test_ssl_old -- key U');
# Provider configuration; per its file name it covers the default and legacy
# providers.
101 my $configfile = srctop_file("test","default-and-legacy.cnf");
136 if ($value eq "") {
# FIPS runs start from a checked-in config and write a temporary copy into the
# results directory.
158 my $provconf = srctop_file("test", "fips-and-base.cnf");
159 my $provconfnew = result_file("fips-and-base-temp.cnf");
# NOTE(review): the call this key/value pair belongs to is cut off; it looks
# like the FIPS config option 'rsa-pkcs15-pad-disabled' being given the value
# '0' -- confirm against the full file.
164 'rsa-pkcs15-pad-disabled', '0',
173 # -----------
# Options for 'openssl req'; the remaining elements of @req_dsa are cut off in
# this excerpt.
176 my @req_dsa = ("-newkey",
183 @req_new = ("-new");
# Create the CA certificate request from the checked-in CA key.
190 ok(run(app([@reqcmd, "-config", $cnf,
191 "-out", $CAreq, "-key", $CAkey,
# Self-sign that request with the same key (-signkey), using the v3_ca
# extension section of $cnf. Validity is limited to 30 days.
196 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
197 "-req", "-out", $CAcert, "-signkey", $CAkey,
198 "-extfile", $cnf, "-extensions", "v3_ca"],
200 'convert request into self-signed cert');
# Round trip: turn the self-signed certificate back into a request ($CAreq2).
203 ok(run(app([@x509cmd, "-in", $CAcert,
204 "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
# Check the self-signature on both requests; -noout suppresses the request
# output itself.
209 ok(run(app([@reqcmd, "-config", $dummycnf,
210 "-verify", "-in", $CAreq, "-noout"])),
215 ok(run(app([@reqcmd, "-config", $dummycnf,
216 "-verify", "-in", $CAreq2, "-noout"])),
# The CA certificate must verify with itself as the only trust anchor.
220 ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
# End-entity ("user") request, using the userreq section and the checked-in
# user key.
224 ok(run(app([@reqcmd, "-config", $cnf, "-section", "userreq",
225 "-out", $Ureq, "-key", $Ukey, @req_new],
# Issue the user certificate from the CA (v3_ee extensions, 30 days), then
# confirm it chains to the CA certificate.
230 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
231 "-req", "-out", $Ucert,
232 "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
233 "-extfile", $cnf, "-extensions", "v3_ee"],
235 && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
# Print subject, issuer and validity dates of the user certificate only.
240 "-subject", "-issuer", "-startdate", "-enddate",
241 "-noout", "-in", $Ucert])),
# Generate a private key from the parameter file $dsaparams (DSA, judging by
# the variable name and the v3_ee_dsa section below).
254 ok(run(app([@genpkeycmd, "-out", $Dkey,
255 "-paramfile", $dsaparams],
# Certificate request for that key, using the userreq section.
259 ok(run(app([@reqcmd, "-new", "-config", $cnf,
260 "-section", "userreq",
261 "-out", $Dreq, "-key", $Dkey],
# Issue the certificate from the test CA with the v3_ee_dsa extensions and a
# 30-day validity.
265 ok(run(app([@x509cmd, "-CAcreateserial",
266 "-in", $Dreq,
267 "-days", "30",
268 "-req",
269 "-out", $Dcert,
270 "-CA", $CAcert, "-CAkey", $CAkey,
271 "-CAserial", $CAserial,
272 "-extfile", $cnf,
273 "-extensions", "v3_ee_dsa"],
# The issued certificate must chain to the test CA.
277 ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])),
# Print subject, issuer and validity dates only.
281 "-subject", "-issuer",
282 "-startdate", "-enddate", "-noout",
283 "-in", $Dcert])),
# Write EC parameters for the named curve P-256 to ecp.ss. This call spells
# out "openssl", "genpkey" instead of using a command array like the others.
298 ok(run(app(["openssl", "genpkey", "-genparam",
299 "-algorithm", "EC",
300 "-pkeyopt", "ec_paramgen_curve:P-256",
301 "-pkeyopt", "ec_param_enc:named_curve",
302 "-out", "ecp.ss"])),
# Create a fresh EC key from those parameters (-newkey ec:ecp.ss, written to
# $Ekey) together with its certificate request.
305 ok(run(app([@reqcmd, "-config", $cnf,
306 "-section", "userreq",
307 "-out", $Ereq, "-keyout", $Ekey,
308 "-newkey", "ec:ecp.ss"],
# Issue the certificate from the test CA with the v3_ee_ec extensions and a
# 30-day validity.
312 ok(run(app([@x509cmd, "-CAcreateserial",
313 "-in", $Ereq,
314 "-days", "30",
315 "-req",
316 "-out", $Ecert,
317 "-CA", $CAcert, "-CAkey", $CAkey,
318 "-CAserial", $CAserial,
319 "-extfile", $cnf,
320 "-extensions", "v3_ee_ec"],
# The issued certificate must chain to the test CA.
324 ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])),
# Print subject, issuer and validity dates only.
328 "-subject", "-issuer",
329 "-startdate", "-enddate", "-noout",
330 "-in", $Ecert])),
# First proxy certificate request, using the proxy config and the alt1 key.
336 ok(run(app([@reqcmd, "-config", $proxycnf,
337 "-out", $P1req, "-key", $P1key, @req_new],
# The issuer here is the end-entity certificate ($Ucert/$Ukey), not the CA:
# the first proxy certificate is signed by the user it delegates from.
343 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
344 "-req", "-out", $P1cert,
345 "-CA", $Ucert, "-CAkey", $Ukey,
346 "-extfile", $proxycnf, "-extensions", "proxy"],
# Chain check with the CA as anchor and $P1intermediate as untrusted helper.
# NOTE(review): as excerpted, this run() is not wrapped in ok(); confirm in the
# full file whether the verification result is actually asserted.
351 run(app([@verifycmd, "-CAfile", $CAcert,
352 "-untrusted", $P1intermediate, $P1cert]));
# Print subject, issuer and validity dates of the first proxy certificate.
354 "-subject", "-issuer", "-startdate", "-enddate",
355 "-noout", "-in", $P1cert])),
# Second proxy certificate request, from the proxy2_req section and alt2 key.
359 ok(run(app([@reqcmd, "-config", $proxycnf, "-section", "proxy2_req",
360 "-out", $P2req, "-key", $P2key,
# Signed by the first proxy certificate ($P1cert/$P1key), extending the chain
# by one more delegation level.
367 ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
368 "-req", "-out", $P2cert,
369 "-CA", $P1cert, "-CAkey", $P1key,
370 "-extfile", $proxycnf, "-extensions", "proxy_2"],
# NOTE(review): same as above -- this verify call is not visibly wrapped in
# ok() in the excerpt.
378 run(app([@verifycmd, "-CAfile", $CAcert,
379 "-untrusted", $P2intermediate, $P2cert]));
# Print subject, issuer and validity dates of the second proxy certificate.
381 "-subject", "-issuer", "-startdate", "-enddate",
382 "-noout", "-in", $P2cert])),
# Trust anchors for the peer-verification tests: a single CA file when $CAtmp
# is set, otherwise the certs directory of the build tree.
389 my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
# Always load the provider under test.
390 my @providerflags = ("-provider", $provider);
# The legacy provider is added only next to "default", and only when legacy
# support has not been disabled in this build.
392 if ($provider eq "default" && !disabled("legacy")) {
393 push @providerflags, "-provider", "legacy";
# For the FIPS provider, ask fips_version_test whether the provider version is
# below 3.4.0; how the result is used is cut off in this excerpt.
397 if ($provider eq "fips") {
398 run(test(["fips_version_test", "-config", $configfile, "<3.4.0"]),
# The same key and certificate are given to both the server (-s_*) and the
# client (-c_*) side.
403 "-s_key", $key, "-s_cert", $cert,
404 "-c_key", $key, "-c_cert", $cert,
405 "-config", $configfile,
# Detect a DSA certificate by searching the text dump of $cert for the
# "DSA Public Key" marker.
412 if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
413 "-text", "-noout"]), capture => 1)) {
426 if $provider eq "fips";
# SSLv3 over a BIO pair: no peer verification, server auth, client auth, then
# both. The auth variants pass the trust anchors collected in @CA.
428 ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
430 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
432 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
434 ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
# No protocol flag: the test program negotiates with its default versions.
442 ok(run(test([@ssltest, "-bio_pair"])),
# Same handshake with both ephemeral DH and ephemeral ECDH switched off.
453 ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
# DHE run selected with -dhe1024dsa, verbose output.
461 ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
# Peer-verification matrix without a protocol flag: server auth, client auth,
# both, and both with -app_verify added.
465 ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
467 ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
469 ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
471 ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
# IPv4 runs: plain, then with the kTLS option on the client, the server, and
# both sides.
477 ok(run(test([@ssltest, "-ipv4"])),
479 ok(run(test([@ssltest, "-ipv4", "-client_ktls"])),
481 ok(run(test([@ssltest, "-ipv4", "-server_ktls"])),
483 ok(run(test([@ssltest, "-ipv4", "-client_ktls", "-server_ktls"])),
# The same four combinations over IPv6.
490 ok(run(test([@ssltest, "-ipv6"])),
492 ok(run(test([@ssltest, "-ipv6", "-client_ktls"])),
494 ok(run(test([@ssltest, "-ipv6", "-server_ktls"])),
496 ok(run(test([@ssltest, "-ipv6", "-client_ktls", "-server_ktls"])),
# Cipher string: "-PSK" and "-SRP" drop those suites from the list, and
# "@SECLEVEL=0" selects OpenSSL security level 0, which lifts the strength
# restrictions so legacy suites stay available. Presumably this string feeds
# the "openssl ciphers" call below (its arguments are cut off). Level 0 only
# makes sense inside a test harness like this one.
505 my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
# Extra server credentials so DSA and EC suites can be exercised; the
# conditions guarding these pushes are not visible in the excerpt.
508 push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey;
512 push @exkeys, "-s_cert", "certE.ss", "-s_key", $Ekey;
# Protocol versions to iterate over. TLS 1.0 and SSLv3 are left out when the
# FIPS provider is under test, in addition to the build-time no_* switches.
517 push @protocols, "-tls1_3" unless $no_tls1_3;
518 push @protocols, "-tls1_2" unless $no_tls1_2;
519 push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips";
520 push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips";
524 #There's no "-config" option to the ciphers command so we set the
# Ask the openssl binary which suites are supported (-s) for this protocol.
530 my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol,
551 $testcount-- unless $no_tls1_3;
560 # ssl_old_test doesn't know -tls1_3, but that's fine, since that's
# TLS 1.3 is requested by passing no protocol flag at all.
562 my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
# NOTE(review): numeric == against the string '0'. This matches a string test
# only if $dsaallow always holds a number; where it is set is not visible here.
565 if ($dsaallow == '0' && index($cipher, "DSS") != -1) {
566 # DSA is not allowed in FIPS 140-3
569 } elsif ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
# TLS 1.3 suites are passed through -ciphersuites, separately from -cipher.
573 if ($protocol eq "-tls1_3") {
579 ok(run(test([@ssltest, @exkeys, "-cipher",
581 "-ciphersuites", $ciphersuites,
586 next if $protocol eq "-tls1_3";
# Weak-DH case: the server offers EDH with -dhe512 while the client asks for
# EDH at security level 1.
# NOTE(review): the assertion wrapping these arguments is cut off; presumably
# the connection is expected to fail -- confirm against the full file.
593 "-s_cipher", "EDH",
594 "-c_cipher", 'EDH:@SECLEVEL=1',
595 "-dhe512",
# Negative tests: each is(..., 0, ...) asserts that run() reports failure, so
# SSLv3, TLS 1.0 and TLS 1.1 must be refused once the cipher string raises the
# security level to 1. A passing handshake here would be a regression in the
# level enforcement.
602 subtest 'SSL security level failure tests' => sub {
# The statements these postfix conditions belong to are cut off in the excerpt.
611 if $provider eq "fips";
613 is(run(test([@ssltest, "-bio_pair", "-ssl3", "-cipher", '@SECLEVEL=1'])),
614 0, "test sslv3 fails at security level 1, expecting failure");
622 if $provider eq "fips";
624 is(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", '@SECLEVEL=1'])),
625 0, 'test tls1 fails at security level 1, expecting failure');
633 if $provider eq "fips";
635 is(run(test([@ssltest, "-bio_pair", "-tls1_1", "-cipher", '@SECLEVEL=1'])),
636 0, 'test tls1.1 fails at security level 1, expecting failure');
# Condition on a statement that is cut off here: it applies when TLS 1.0 is
# disabled or the FIPS provider is under test.
647 if $no_tls1 || $provider eq "fips";
# Anonymous DH (ADH) over TLS 1.0 with -dhe1024dsa; the rest of the line is
# truncated in this excerpt.
653 …ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", …
# Runs pinned to the default provider with server2.pem from apps/ as the
# server certificate; both lines are truncated at either end.
661 …t", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem…
667 …_test", "-provider", "default", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2…
# PSK handshakes. The -psk values in this section are fixed and published in
# the repository, so they are test vectors, not secrets.
675 ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
678 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
# DHE-PSK at security level 2.
686 … ok(run(test(['ssl_old_test', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
# Security level 3 over TLS 1.2: these two runs are expected to succeed, one
# with -dhe4096 and one with -no_dhe (cipher names are truncated).
699 …ok(run(test(['ssl_old_test', '-tls1_2', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:…
707 …ok(run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:E…
# Negative tests (ok(!run(...))): per the messages, RSA-PSK and plain PSK
# suites must be rejected at level 3 because they lack forward secrecy.
715 …ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:…
716 'test auto RSA PSK does not meet security level 3 requirements (PFS)');
723 …ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:…
724 'test auto PSK does not meet security level 3 requirements (PFS)');
# Custom-extension test over TLS 1.0; the statement carrying this condition
# is cut off.
737 if $no_tls1 || $provider eq "fips";
739 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
751 if $no_tls1 || $provider eq "fips";
# Serverinfo tests: the file alone, then combined with the SCT and TACK
# options and with -custom_ext. These calls pass no description to ok().
754 ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo])));
755 …ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))…
756 …ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"])…
757 …ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "…
758 …ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-ser…