From 49b147f85b96482be3931abda306afdf84d75d17 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 3 Sep 2015 20:54:01 +0200 Subject: [PATCH] Remake the testsslproxy tests The testsslproxy tests turned out to be useless as they were. They were really just for show and the results were ignore. Now they are changed into a more veerifiable test Reviewed-by: Rich Salz --- test/recipes/80-test_ssl.t | 83 +++++++++++++++++++++++++++++--------- 1 file changed, 65 insertions(+), 18 deletions(-) diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t index 5b410ee854..409e68f282 100644 --- a/test/recipes/80-test_ssl.t +++ b/test/recipes/80-test_ssl.t @@ -52,8 +52,8 @@ plan tests => 1 # For testss + 1 # For ssltest -test_cipherlist + 8 # For the first testssl - + 8 * 4 * 4 # For the first testsslproxy (16 times testssl) - + 8 * 4 * 4 # For the second testsslproxy (16 times testssl) + + 16 # For the first testsslproxy + + 16 # For the second testsslproxy ; subtest 'test_ss' => sub { @@ -78,10 +78,10 @@ my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest"); testssl("keyU.ss", $Ucert, $CAcert); note('test_ssl -- key P1'); - testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss"); + testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB"); note('test_ssl -- key P2'); - testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss"); + testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC"); } # ----------- @@ -558,23 +558,70 @@ sub testssl { } sub testsslproxy { - my ($a1, $a2, $a3, @rest) = @_; + my $key = shift || top_file("apps","server.pem"); + my $cert = shift || top_file("apps","server.pem"); + my $CAtmp = shift; + my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs")); + my @extra = @_; + + my @ssltest = ("ssltest", + "-s_key", $key, "-s_cert", $cert, + "-c_key", $key, "-c_cert", $cert); # plan tests => 16; note('Testing a lot of proxy conditions.'); - note('Some of them may turn out being invalid, which is fine.'); - foreach my $auth (('A', 'B', 'C', 'BC')) { - foreach my $cond (('A', 'B', 'C', 'A|B&!C')) { - # Exit code 3 is when ssltest couldn't parse the condition - with({ exit_checker => sub { my $x = shift; - return - ($x == 1 || $x == 3) ? 0 : 1; } }, - sub { - testssl($a1, $a2, $a3, - "-proxy", "-proxy_auth", $auth, - "-proxy_cond", $cond); - }); - } + + # We happen to know that certP1.ss has policy letters "AB" and + # certP2.ss has policy letters "BC". However, because certP2.ss + # has certP1.ss as issuer, when it's used, both their policy + # letters get combined into just "B". + # The policy letter(s) then get filtered with the given auth letter + # in the table below, and the result gets tested with the given + # condition. For details, read ssltest.c + # + # certfilename => [ [ auth, cond, expected result ] ... ] + my %expected = ( "certP1.ss" => [ [ [ 'A', 'A' ], 1 ], + [ [ 'A', 'B' ], 0 ], + [ [ 'A', 'C' ], 0 ], + [ [ 'A', 'A|B&!C' ], 1 ], + [ [ 'B', 'A' ], 0 ], + [ [ 'B', 'B' ], 1 ], + [ [ 'B', 'C' ], 0 ], + [ [ 'B', 'A|B&!C' ], 1 ], + [ [ 'C', 'A' ], 0 ], + [ [ 'C', 'B' ], 0 ], + [ [ 'C', 'C' ], 0 ], + [ [ 'C', 'A|B&!C' ], 0 ], + [ [ 'BC', 'A' ], 0 ], + [ [ 'BC', 'B' ], 1 ], + [ [ 'BC', 'C' ], 0 ], + [ [ 'BC', 'A|B&!C' ], 1 ] ], + "certP2.ss" => [ [ [ 'A', 'A' ], 0 ], + [ [ 'A', 'B' ], 0 ], + [ [ 'A', 'C' ], 0 ], + [ [ 'A', 'A|B&!C' ], 0 ], + [ [ 'B', 'A' ], 0 ], + [ [ 'B', 'B' ], 1 ], + [ [ 'B', 'C' ], 0 ], + [ [ 'B', 'A|B&!C' ], 1 ], + [ [ 'C', 'A' ], 0 ], + [ [ 'C', 'B' ], 0 ], + [ [ 'C', 'C' ], 0 ], + [ [ 'C', 'A|B&!C' ], 0 ], + [ [ 'BC', 'A' ], 0 ], + [ [ 'BC', 'B' ], 1 ], + [ [ 'BC', 'C' ], 0 ], + [ [ 'BC', 'A|B&!C' ], 1 ] ] ); + + foreach (@{$expected{$cert}}) { + my $auth = $_->[0]->[0]; + my $cond = $_->[0]->[1]; + my $res = $_->[1]; + is(run(test([@ssltest, "-ssl3", "-server_auth", @CA, + "-proxy", "-proxy_auth", $auth, + "-proxy_cond", $cond])), $res, + "test tlsv1, server auth, proxy auth $auth and cond $cond (expect " + .($res ? "success" : "failure").")"); } } -- 2.25.1