path: root/tcl_tests/client.try
blob: 2658ce64fc07da85c33feb7fb1df8d30fd0b757d (plain)
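#!/usr/bin/tclsh
# Client-side TLS handshake tests, driven by a cipher-list (hosts) file.
#
# For every algorithm listed in the hosts file the script obtains (or reuses)
# a CA certificate and a server certificate from the test CA, then for every
# cipher suite of that algorithm runs a local s_server against a remote
# s_client and checks that:
#   * a plain handshake negotiates the expected protocol and cipher,
#   * a server demanding a client certificate rejects a client without one,
#   * a server rejects a client certificate of the "wrong" algorithm,
#   * a server accepts a client certificate of each compatible algorithm.
# The harness commands (get_hosts, start_tests, test, client_server, log,
# getCAcert, makeUser, registerUserAtCA, remote_client, end_tests) and the
# hosts/suite_map arrays come from the ossltest package.
lappend auto_path [file dirname [info script]]

package require ossltest

if {$argc != 1} {
	puts stderr "Usage $argv0 cipher-list-file"
	exit 1
}

# Protocol prefix of a suite name -> s_server option that pins that protocol
# version; "default" pins nothing and lets the library negotiate.
array set protos {
	SSLv2 -ssl2
	SSLv3 -ssl3
	TLSv1 -tls1
	TLSv1.1 -tls1_1
	TLSv1.2 -tls1_2
	"default" {}
}

# Reduce a client_server result to the value the handshake tests compare
# against.
#   result - list returned by client_server; element 0 is the client output
#            that carries the "Protocol:"/"Cipher:" lines, element 2 the
#            client exit code, element 4 the server output
#   proto  - protocol requested for the suite, or "default"
# Returns {client-exit-code server-had-error protocol cipher} when the
# client printed the negotiated Protocol/Cipher lines; otherwise element 1
# of the result (presumably the client's error output -- confirm in
# ossltest) so that the failure reason shows up in the test log.
proc handshake_result {result proto} {
	set cln_exit_code [lindex $result 2]
	set srv_error [string match "*error*" [lindex $result 4]]
	if {[regexp -lineanchor \
	{^\s*Protocol\s*:\s*(\S*)\s*$.*^\s*Cipher\s*:\s*(\S*)\s*$} \
	[lindex $result 0] -> result_proto result_cipher]} {
		# With no pinned protocol the expected value is "default", so the
		# comparison does not depend on what the library negotiated.
		if {$proto eq "default"} {set result_proto "default"}
		return [list $cln_exit_code $srv_error $result_proto $result_cipher]
	}
	return [lindex $result 1]
}

get_hosts [lindex $argv 0]
cd $::test::dir
start_tests "TLS-соединение от клиента [lindex $argv 0]"

# Test CA that issues the CA and server certificates used below.
set CAhost lynx.lan.cryptocom.ru
set CAprefix /cgi-bin/autoca


foreach alg [array names hosts] {
	# "gost2001cp:..." -> "gost2001:...": key type without the "cp" suffix
	set alg2 [regsub {(gost\d+)cp} $alg {\1}]
	# File-system safe form of the name: ':' cannot appear in directory names
	set alg_fn [string map {":" "_"} $alg2]
	# Bare algorithm name (up to the first ':') selects the CA to use
	set alg_ca [regexp -inline {^[^:]+} $alg]
	log "alg_fn=$alg_fn"
	# Client certificate sets that a server of this algorithm is expected to accept
	if {[string match gost2001* $alg]} {
		set alg_cli_list "gost2001_A gost2001_XA"
	} elseif {[string match gost2012* $alg]} {
		set alg_cli_list "gost2001_A gost2012_256_A gost2012_256_XA gost2012_512_A gost2012_512_B"
	} else {
		set alg_cli_list $alg_ca
	}


	test -skip {[file exist ca_$alg_ca.pem]} "Получить сертификат $alg_ca CA" {
		getCAcert $CAhost $CAprefix $alg_ca
	} 0 "ca_$alg_ca.pem"

	test -skip {[file exist srv_$alg_fn/cert.pem]} "Получить сертификат $alg для сервера" {
		getCAAlgParams $CAhost $CAprefix $alg_ca
		if {![makeUser srv_$alg_fn $alg2 CN [info hostname]]} {
			error "Request generation failed"
		}
		registerUserAtCA srv_$alg_fn $CAhost $CAprefix $alg_ca
		file exists srv_$alg_fn/cert.pem
	} 0 1

	# Rebuild the suite -> host map for this algorithm from scratch
	if {[array exists suites]} {array unset suites}
	array set suites $hosts($alg)
	foreach suite [array names suites] {
		# A suite name is "PROTO:CIPHER" or a bare cipher (protocol "default")
		if {![regexp {(.+):(.+)} $suite => proto cs]} {
			set cs $suite
			set proto "default"
		}
		# The server may know the cipher under a different name
		if {[info exists suite_map($cs)]} {
			set mycs $suite_map($cs)
		} else {
			set mycs $cs
		}
		set host [lindex [split $suites($suite) :] 0]
		set host_short [lindex [split $host .] 0]
		# We assume that CA certificates are already copied into Apache
		# cert dir
		set ca_file "/etc/apache/ssl.crt/${alg_ca}-root.crt"

		# NOTE(review): the client gets -CAfile but not -verify_return_error,
		# so s_client carries on after a failed server-certificate check and
		# this test only asserts protocol/cipher and the exit code; confirm
		# whether the "Verify return code" line should be checked as well.
		test "Корректный хэндшейк $suite" {
			remote_client $host
			set list [client_server [list -connect [info hostname]:4433 \
				-CAfile $ca_file -state -cipher $cs] \
				[concat [list -www -cert srv_$alg_fn/cert.pem \
				-key srv_$alg_fn/seckey.pem -cipher $mycs] $protos($proto)] {}]
			handshake_result $list $proto
		} 0 [list 0 0 $proto $cs]


		# Server requires a client certificate; the client has none, so the
		# server side must report an error.
		test "Сервер требует сертификат, сертификата нет $suite" {
			remote_client $host
			set list [client_server [list -connect [info hostname]:4433 \
				-CAfile $ca_file -state -cipher $cs] \
				[concat [list -www -cert srv_$alg_fn/cert.pem \
				-key srv_$alg_fn/seckey.pem -cipher $mycs -Verify 3 \
				-verify_return_error] $protos($proto)] {}]
			string match "*error*" [lindex $list 4]
		} 0 1


		# Client presents a certificate the server is not configured to
		# trust (no -CAfile on the server side), so the server must reject it.
		test "Некорректный клиентский сертфиикат $suite" {
			remote_client $host
			set list [client_server [list -connect [info hostname]:4433 \
				-cert /home/build/client-$alg_ca/cert.pem \
				-key /home/build/client-$alg_ca/seckey.pem \
				-CAfile $ca_file -state -cipher $cs] \
				[concat [list -www -cert srv_$alg_fn/cert.pem \
				-key srv_$alg_fn/seckey.pem -cipher $mycs -Verify 3 \
				-verify_return_error] $protos($proto)] {}]
			string match "*error*" [lindex $list 4]
		} 0 1



		foreach alg_cli $alg_cli_list {

			# Same as the plain handshake, but the server verifies the
			# client certificate against the CA certificate fetched above.
			test "Клиентский сертификат $alg_cli $suite" {
				remote_client $host
				set list [client_server [list -connect [info hostname]:4433 \
					-cert /home/build/client-$alg_cli/cert.pem \
					-key /home/build/client-$alg_cli/seckey.pem \
					-CAfile $ca_file -state -cipher $cs] \
					[concat [list -www -cert srv_$alg_fn/cert.pem \
					-key srv_$alg_fn/seckey.pem -CAfile ca_$alg_ca.pem \
					-cipher $mycs -Verify 3 -verify_return_error] \
					$protos($proto)] {}]
				handshake_result $list $proto
			} 0 [list 0 0 $proto $cs]
		}
	}
}
end_tests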