1#! /usr/bin/env perl
2# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9# For manually running these tests, set specific environment variables like this:
10# CTLOG_FILE=test/ct/log_list.cnf
11# TEST_CERTS_DIR=test/certs
12# For details on the environment variables needed, see test/README.ssltest.md
13
14use strict;
15use warnings;
16
17use File::Basename;
18use File::Compare qw/compare_text/;
19use OpenSSL::Glob;
20use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
21use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
22
# setup() is called from a BEGIN block, i.e. at compile time, so it has
# already run when the `use lib srctop_dir(...)` / `use lib bldtop_dir(...)`
# statements that follow are compiled.
# NOTE(review): presumably srctop_dir()/bldtop_dir() need setup() to have run
# first -- confirm against OpenSSL::Test.
BEGIN { setup("test_ssl_new"); }
26
27use lib srctop_dir('Configurations');
28use lib bldtop_dir('.');
29
# The FIPS provider run is dropped when the build has fips disabled or when
# the caller sets NO_FIPS to a true value in the environment.
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

# Always point the test programs at the certificates in the source tree.  Any
# TEST_CERTS_DIR inherited from the caller's environment is overwritten here.
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");

# Collect the configuration templates to process.  When SSL_TESTS is set it
# is read as a whitespace-separated list of file names or glob patterns, each
# resolved relative to test/ssl-tests in the source tree.
my @conf_srcs;
if (defined $ENV{SSL_TESTS}) {
    @conf_srcs = map { glob(srctop_file("test", "ssl-tests", $_)) }
                 split(' ', $ENV{SSL_TESTS});
    plan tests => scalar @conf_srcs;
}
else {
    @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in"));

    # The expected count is hard-coded on purpose: if the glob above stops
    # finding a template (or finds an extra one), the plan no longer matches
    # and the run fails instead of silently testing a different set.
    plan tests => 31;
}

# On VMS, drop everything from the first ';' of each globbed path
# (presumably the file version suffix -- TODO confirm).
if ($^O eq "VMS") {
    s/;.*// for @conf_srcs;
}

# The test names are the template file names without the ".in" suffix.
my @conf_files = map { basename($_, ".in") } @conf_srcs;

# On VMS, also remove the first '^' from each name (presumably the VMS
# escape character -- TODO confirm).
if ($^O eq "VMS") {
    s/\^// for @conf_files;
}
50
# Some expected results depend on which protocols were compiled in, so the
# generated sources are only verified in the default configuration.
#
# "Default TLS" here means: SSLv3 disabled, TLS 1.0 through TLS 1.3 all
# enabled, and at least one of ec / dh available.
my $is_default_tls = disabled("ssl3")
    && !disabled("tls1")
    && !disabled("tls1_1")
    && !disabled("tls1_2")
    && !disabled("tls1_3")
    && !(disabled("ec") && disabled("dh"));

# "Default DTLS" means both DTLS 1.0 and DTLS 1.2 are enabled.
my $is_default_dtls = !(disabled("dtls1") || disabled("dtls1_2"));

my @all_pre_tls1_3 = qw(ssl3 tls1 tls1_1 tls1_2);

# $no_tls_below1_3 is derived from the initial value of $no_tls, i.e. before
# the adjustment below; keep this order.
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));

# With tls1_2 disabled and tls1_3 enabled, and with neither ec nor dh in the
# build, treat the build as having no TLS at all.
$no_tls = 1
    if !$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh");

my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls       = alldisabled(available_protocols("dtls"));

# One flag per optional feature consulted by the tables below.
my $no_npn    = disabled("nextprotoneg");
my $no_ct     = disabled("ct");
my $no_ec     = disabled("ec");
my $no_ecx    = disabled("ecx");
my $no_dh     = disabled("dh");
my $no_dsa    = disabled("dsa");
my $no_ec2m   = disabled("ec2m");
my $no_ocsp   = disabled("ocsp");
my $no_ml_dsa = disabled("ml-dsa");
76
# Tests whose conf.in generates test cases and/or expectations dynamically
# from the OpenSSL compile-time configuration.  Add your test here if that
# applies to it.
#
# A true value means the generated output is expected to differ from the
# checked-in .cnf in this build, so the main loop does not compare the two.
#
# NOTE(review): the values are evaluated in list context, so each entry
# relies on disabled() yielding exactly one value -- confirm against
# OpenSSL::Test::Utils before adding an entry that ends in a bare call.
my %conf_dependent_tests = (
    "02-protocol-version.cnf"       => !$is_default_tls,
    "04-client_auth.cnf"            => !$is_default_tls
                                       || !$is_default_dtls
                                       || !disabled("sctp"),
    "05-sni.cnf"                    => disabled("tls1_1"),
    "07-dtls-protocol-version.cnf"  => !$is_default_dtls || !disabled("sctp"),
    "10-resumption.cnf"             => !$is_default_tls || $no_ec,
    "11-dtls_resumption.cnf"        => !$is_default_dtls || !disabled("sctp"),
    "14-curves.cnf"                 => disabled("tls-deprecated-ec"),
    "16-dtls-certstatus.cnf"        => !$is_default_dtls || !disabled("sctp"),
    "17-renegotiate.cnf"            => disabled("tls1_2"),
    "18-dtls-renegotiate.cnf"       => disabled("dtls1_2") || !disabled("sctp"),
    "19-mac-then-encrypt.cnf"       => !$is_default_tls,
    "20-cert-select.cnf"            => !$is_default_tls
                                       || $no_dh
                                       || $no_dsa
                                       || $no_ml_dsa,
    "22-compression.cnf"            => !$is_default_tls,
    "25-cipher.cnf"                 => disabled("poly1305") || disabled("chacha"),
    "27-ticket-appdata.cnf"         => !$is_default_tls,
    "28-seclevel.cnf"               => disabled("tls1_2") || $no_ecx,
    "30-extended-master-secret.cnf" => disabled("tls1_2"),
    "32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
);
100
# Per-test skip conditions.  Add your test here if it should be skipped for
# some compile-time configurations.  A test without an entry falls back to
# $no_tls; an entry replaces that default, it is not combined with it.
#
# NOTE(review): the values are evaluated in list context, so each entry
# relies on disabled() yielding exactly one value -- confirm against
# OpenSSL::Test::Utils before adding an entry that ends in a bare call.
my %skip = (
    "06-sni-ticket.cnf"             => $no_tls_below1_3,
    "07-dtls-protocol-version.cnf"  => $no_dtls,
    "08-npn.cnf"                    => (disabled("tls1")
                                        && disabled("tls1_1")
                                        && disabled("tls1_2"))
                                       || $no_npn,
    "10-resumption.cnf"             => disabled("tls1_1") || disabled("tls1_2"),
    "11-dtls_resumption.cnf"        => disabled("dtls1") || disabled("dtls1_2"),
    "12-ct.cnf"                     => $no_tls || $no_ct || $no_ec,

    # We could run some of these tests without TLS 1.2 if we had a per-test
    # disable instruction but that's a bizarre configuration not worth
    # special-casing for.
    # TODO(TLS 1.3): We should review this once we have TLS 1.3.
    "13-fragmentation.cnf"          => disabled("tls1_2"),

    "14-curves.cnf"                 => disabled("tls1_2")
                                       || disabled("tls1_3")
                                       || $no_ec2m
                                       || $no_ecx
                                       || $no_dh,
    "15-certstatus.cnf"             => $no_tls || $no_ocsp,
    "16-dtls-certstatus.cnf"        => $no_dtls || $no_ocsp,
    "17-renegotiate.cnf"            => $no_tls_below1_3,
    "18-dtls-renegotiate.cnf"       => $no_dtls,
    "19-mac-then-encrypt.cnf"       => $no_pre_tls1_3,
    "20-cert-select.cnf"            => disabled("tls1_2") || $no_ecx,
    "21-key-update.cnf"             => disabled("tls1_3") || ($no_ec && $no_dh),
    "22-compression.cnf"            => disabled("zlib") || $no_tls,
    "23-srp.cnf"                    => (disabled("tls1")
                                        && disabled("tls1_1")
                                        && disabled("tls1_2"))
                                       || disabled("srp"),
    "24-padding.cnf"                => disabled("tls1_3") || ($no_ec && $no_dh),
    "25-cipher.cnf"                 => disabled("ec") || disabled("tls1_2"),
    "26-tls13_client_auth.cnf"      => disabled("tls1_3") || ($no_ec && $no_dh),
    "29-dtls-sctp-label-bug.cnf"    => disabled("sctp") || disabled("sock"),
    "32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
);
135
# One subtest per configuration.  Each configuration is exercised with the
# "none" and "default" provider setups, plus "fips" unless FIPS testing is
# off.  Every test_conf() call accounts for 3 tests, hence the plan below.
for my $conf (@conf_files) {
    subtest "Test configuration $conf" => sub {
        my @providers = ("none", "default");
        push @providers, "fips" unless $no_fips;
        plan tests => 3 * scalar(@providers);

        # An explicit %skip entry replaces the $no_tls default.
        my $skip_run = $skip{$conf} // $no_tls;

        # The generated file is compared with the checked-in copy only in
        # the "none" run, and only when the output is not expected to vary
        # with the build configuration (and never on VMS).
        my $verify_source
            = ($conf_dependent_tests{$conf} || $^O eq "VMS") ? 0 : 1;

        for my $provider (@providers) {
            test_conf($conf,
                      $provider eq "none" ? $verify_source : 0,
                      $skip_run,
                      $provider);
        }
    }
}
153
# test_conf($conf, $check_source, $skip, $provider)
#
# Handles one configuration under one provider setup and always accounts for
# exactly three tests (each one run, failed or skipped):
#   1. generate "$conf.$provider" from the "$conf.in" template with
#      generate_ssl_tests.pl;
#   2. compare the generated file with the checked-in test/ssl-tests/$conf;
#   3. run ssl_test on the generated file.
#
#   $conf          configuration file name, e.g. "05-sni.cnf"
#   $check_source  true to perform step 2, false to skip it
#   $skip          true to skip step 3 (nothing to test in this build)
#   $provider      provider setup passed on to the generator and to ssl_test;
#                  "fips" additionally passes test/fips-and-base.cnf
sub test_conf {
    my ($conf, $check_source, $skip, $provider) = @_;

    my $conf_file   = srctop_file("test", "ssl-tests", $conf);
    my $input_file  = "${conf_file}.in";
    # No directory component: the generated file is named relative to the
    # current working directory.
    my $output_file = "${conf}.${provider}";
    my $run_test    = 1;

  SKIP: {
      # "Test" 1. Generate the source.  If generation fails, the two
      # remaining tests are skipped.
      my $generated
          = ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
                            interpreter_args => [ "-I",
                                                  srctop_dir("util", "perl") ],
                            stdout => $output_file)),
               "Getting output from generate_ssl_tests.pl.");
      skip 'failure', 2 unless $generated;

    SKIP: {
        # Test 2. Compare against existing output in test/ssl-tests/
        skip "Skipping generated source test for $conf", 1
          unless $check_source;

        # A mismatch fails this test and also marks the checked-in source as
        # stale, which keeps test 3 from running.
        $run_test = is(cmp_text($output_file, $conf_file), 0,
                       "Comparing generated $output_file with $conf_file.");
      }

      # Test 3. Run the test.
      skip "No tests available; skipping tests", 1 if $skip;
      skip "Stale sources; skipping tests", 1 unless $run_test;

      # The test name doubles as a hint for re-running the case by hand.  It
      # prints fixed relative paths, not the values actually present in
      # $ENV{CTLOG_FILE} / $ENV{TEST_CERTS_DIR}.
      my $msg = join(' ',
                     "running CTLOG_FILE=test/ct/log_list.cnf",
                     "TEST_CERTS_DIR=test/certs",
                     "test/ssl_test test/ssl-tests/$conf $provider");

      my @ssl_test_cmd = ("ssl_test", $output_file, $provider);
      push @ssl_test_cmd, srctop_file("test", "fips-and-base.cnf")
        if $provider eq "fips";

      ok(run(test([@ssl_test_cmd])), $msg);
    }
}
194
# cmp_text($file1, $file2)
#
# Compares two text files line by line while ignoring line endings, so that
# files differing only in their newline convention count as equal.
# Returns what File::Compare::compare_text returns: 0 if the files match,
# 1 if they differ, -1 on error.
sub cmp_text {
    my @files = @_;

    # compare_text calls this for each pair of lines; a true result means
    # "these lines differ".  The arguments are stripped in place.
    my $lines_differ = sub {
        for my $line ($_[0], $_[1]) {
            $line =~ s/\R//g;
        }
        return $_[0] ne $_[1];
    };

    return compare_text(@files, $lines_differ);
}
202