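#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

# Test recipe driving the legacy ssltest_old program.
#
# The run has two phases:
#   1. testss()  builds a throwaway PKI in the current directory: a
#      self-signed CA, a user certificate, optional DSA and EC user
#      certificates, and two chained proxy certificates.
#   2. testssl() runs ssltest_old handshakes with the user key and
#      certificate produced by phase 1.
#
# Every key, certificate and credential created or used here is a test
# fixture.  The parameters are deliberately small or fixed (SHA-1
# signatures, 1024-bit DSA/DH, the constant PSK/SRP secret "abc123", a
# constant string appended to .rnd); none of them should be copied into
# a real deployment.

use strict;
use warnings;

use POSIX;
use File::Basename;
use File::Copy;
# bldtop_dir is needed by the -CApath fallback in testssl().
use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file cmdstr/;
use OpenSSL::Test::Utils;

setup("test_ssl");

$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

# One flag per feature: true when that feature is disabled in this build.
my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
    $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2,
    $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
    anydisabled qw/rsa dsa dh ec srp psk
                   ssl3 tls1 tls1_1 tls1_2
                   dtls dtls1 dtls1_2 ct/;
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));

plan skip_all => "No SSL/TLS/DTLS protocol is support by this OpenSSL build"
    if $no_anytls && $no_anydtls;

# Digest passed to every "openssl x509" invocation below.  SHA-1 is used
# for the test certificates only.
my $digest = "-sha1";
my @reqcmd = ("openssl", "req");
my @x509cmd = ("openssl", "x509", $digest);
my @verifycmd = ("openssl", "verify");
my @gendsacmd = ("openssl", "gendsa");
my $dummycnf = srctop_file("apps", "openssl.cnf");

# Self-signed test CA.
my $CAkey = "keyCA.ss";
my $CAcert = "certCA.ss";
my $CAserial = "certCA.srl";
my $CAreq = "reqCA.ss";
my $CAconf = srctop_file("test", "CAss.cnf");
my $CAreq2 = "req2CA.ss";       # temp

# User (end-entity) certificate signed by the test CA.
my $Uconf = srctop_file("test", "Uss.cnf");
my $Ukey = "keyU.ss";
my $Ureq = "reqU.ss";
my $Ucert = "certU.ss";

# DSA user certificate.
my $Dkey = "keyD.ss";
my $Dreq = "reqD.ss";
my $Dcert = "certD.ss";

# ECDSA/ECDH user certificate.
my $Ekey = "keyE.ss";
my $Ereq = "reqE.ss";
my $Ecert = "certE.ss";

# First proxy certificate, signed with the user key.
my $P1conf = srctop_file("test", "P1ss.cnf");
my $P1key = "keyP1.ss";
my $P1req = "reqP1.ss";
my $P1cert = "certP1.ss";
my $P1intermediate = "tmp_intP1.ss";

# Second proxy certificate, signed with the first proxy key.
my $P2conf = srctop_file("test", "P2ss.cnf");
my $P2key = "keyP2.ss";
my $P2req = "reqP2.ss";
my $P2cert = "certP2.ss";
my $P2intermediate = "tmp_intP2.ss";

my $server_sess = "server.ss";
my $client_sess = "client.ss";

# ssltest_old.c is deprecated in favour of the new framework in ssl_test.c
# If you're adding tests here, you probably want to convert them to the
# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
plan tests =>
    1                           # For testss
    +6                          # For the first testssl
    ;

subtest 'test_ss' => sub {
    if (testss()) {
        # Bundle the chains leading up to each proxy certificate.
        _concat_files("intP1.ss", $CAcert, $Ucert);
        _concat_files("intP2.ss", $CAcert, $Ucert, $P1cert);
    }
};

note('test_ssl -- key U');
testssl("keyU.ss", $Ucert, $CAcert);

# -----------
# helper functions

# Concatenate the files in @sources into $dest, in order.
#
# Returns 1 when every step succeeded and 0 otherwise.  A failure is
# reported with diag() rather than ignored, but it does not abort the
# run: the bundles written this way are auxiliary fixtures.
sub _concat_files {
    my ($dest, @sources) = @_;

    open my $out, ">", $dest
        or do { diag("cannot create $dest: $!"); return 0; };

    my $all_ok = 1;
    foreach my $src (@sources) {
        # copy() appends to the open handle and leaves it open.
        copy($src, $out)
            or do { diag("cannot append $src to $dest: $!"); $all_ok = 0; };
    }
    close $out
        or do { diag("cannot close $dest: $!"); $all_ok = 0; };

    return $all_ok;
}

# -----------
# subtest functions

# Build the test PKI with the openssl command line tools.
#
# Plans 17 tests.  Each step is written as
#     skip 'failure', N unless ok(...)
# so the first failing step skips the N tests that depend on it.
# The value of the final statement of the SKIP block is what the caller
# sees as the return value.
sub testss {
    # Test-only: a constant string is appended to .rnd.  It carries no
    # entropy; the keys generated below are disposable fixtures.
    if (open my $rnd, ">>", ".rnd") {
        print $rnd "string to make the random number generator think it has entropy";
        close $rnd;
    } else {
        diag("cannot append to .rnd: $!");
    }

    my @req_dsa = ("-newkey",
                   "dsa:".srctop_file("apps", "dsa1024.pem"));
    my $dsaparams = srctop_file("apps", "dsa1024.pem");
    # Without RSA, requests are generated with the DSA parameters instead.
    my @req_new = $no_rsa ? @req_dsa : ("-new");

    plan tests => 17;

  SKIP: {
      skip 'failure', 16 unless
          ok(run(app([@reqcmd, "-config", $CAconf,
                      "-out", $CAreq, "-keyout", $CAkey,
                      @req_new])),
             'make cert request');

      skip 'failure', 15 unless
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30",
                      "-req", "-out", $CAcert, "-signkey", $CAkey,
                      "-extfile", $CAconf, "-extensions", "v3_ca"],
                     stdout => "err.ss")),
             'convert request into self-signed cert');

      skip 'failure', 14 unless
          ok(run(app([@x509cmd, "-in", $CAcert,
                      "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2],
                     stdout => "err.ss")),
             'convert cert into a cert request');

      skip 'failure', 13 unless
          ok(run(app([@reqcmd, "-config", $dummycnf,
                      "-verify", "-in", $CAreq, "-noout"])),
             'verify request 1');


      skip 'failure', 12 unless
          ok(run(app([@reqcmd, "-config", $dummycnf,
                      "-verify", "-in", $CAreq2, "-noout"])),
             'verify request 2');

      skip 'failure', 11 unless
          ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])),
             'verify signature');

      skip 'failure', 10 unless
          ok(run(app([@reqcmd, "-config", $Uconf,
                      "-out", $Ureq, "-keyout", $Ukey, @req_new],
                     stdout => "err.ss")),
             'make a user cert request');

      # Signing and chain verification are counted as a single test.
      skip 'failure', 9 unless
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30",
                      "-req", "-out", $Ucert,
                      "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial,
                      "-extfile", $Uconf, "-extensions", "v3_ee"],
                     stdout => "err.ss"))
             && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])),
             'sign user cert request');

      skip 'failure', 8 unless
          ok(run(app([@x509cmd,
                      "-subject", "-issuer", "-startdate", "-enddate",
                      "-noout", "-in", $Ucert])),
             'Certificate details');

      skip 'failure', 7 unless
          subtest 'DSA certificate creation' => sub {
              plan skip_all => "skipping DSA certificate creation"
                  if $no_dsa;

              plan tests => 5;

            SKIP: {
                $ENV{CN2} = "DSA Certificate";
                skip 'failure', 4 unless
                    ok(run(app([@gendsacmd, "-out", $Dkey,
                                $dsaparams],
                               stdout => "err.ss")),
                       "make a DSA key");
                skip 'failure', 3 unless
                    ok(run(app([@reqcmd, "-new", "-config", $Uconf,
                                "-out", $Dreq, "-key", $Dkey],
                               stdout => "err.ss")),
                       "make a DSA user cert request");
                skip 'failure', 2 unless
                    ok(run(app([@x509cmd, "-CAcreateserial",
                                "-in", $Dreq,
                                "-days", "30",
                                "-req",
                                "-out", $Dcert,
                                "-CA", $CAcert, "-CAkey", $CAkey,
                                "-CAserial", $CAserial,
                                "-extfile", $Uconf,
                                "-extensions", "v3_ee_dsa"],
                               stdout => "err.ss")),
                       "sign DSA user cert request");
                skip 'failure', 1 unless
                    ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])),
                       "verify DSA user cert");
                skip 'failure', 0 unless
                    ok(run(app([@x509cmd,
                                "-subject", "-issuer",
                                "-startdate", "-enddate", "-noout",
                                "-in", $Dcert])),
                       "DSA Certificate details");
            }
          };

      skip 'failure', 6 unless
          subtest 'ECDSA/ECDH certificate creation' => sub {
              plan skip_all => "skipping ECDSA/ECDH certificate creation"
                  if $no_ec;

              plan tests => 5;

            SKIP: {
                $ENV{CN2} = "ECDSA Certificate";
                skip 'failure', 4 unless
                    ok(run(app(["openssl", "ecparam", "-name", "P-256",
                                "-out", "ecp.ss"])),
                       "make EC parameters");
                skip 'failure', 3 unless
                    ok(run(app([@reqcmd, "-config", $Uconf,
                                "-out", $Ereq, "-keyout", $Ekey,
                                "-newkey", "ec:ecp.ss"],
                               stdout => "err.ss")),
                       "make a ECDSA/ECDH user cert request");
                skip 'failure', 2 unless
                    ok(run(app([@x509cmd, "-CAcreateserial",
                                "-in", $Ereq,
                                "-days", "30",
                                "-req",
                                "-out", $Ecert,
                                "-CA", $CAcert, "-CAkey", $CAkey,
                                "-CAserial", $CAserial,
                                "-extfile", $Uconf,
                                "-extensions", "v3_ee_ec"],
                               stdout => "err.ss")),
                       "sign ECDSA/ECDH user cert request");
                skip 'failure', 1 unless
                    ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])),
                       "verify ECDSA/ECDH user cert");
                skip 'failure', 0 unless
                    ok(run(app([@x509cmd,
                                "-subject", "-issuer",
                                "-startdate", "-enddate", "-noout",
                                "-in", $Ecert])),
                       "ECDSA Certificate details");
            }
          };

      skip 'failure', 5 unless
          ok(run(app([@reqcmd, "-config", $P1conf,
                      "-out", $P1req, "-keyout", $P1key, @req_new],
                     stdout => "err.ss")),
             'make a proxy cert request');


      skip 'failure', 4 unless
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30",
                      "-req", "-out", $P1cert,
                      "-CA", $Ucert, "-CAkey", $Ukey,
                      "-extfile", $P1conf, "-extensions", "v3_proxy"],
                     stdout => "err.ss")),
             'sign proxy with user cert');

      copy($Ucert, $P1intermediate);
      # NOTE(review): the result of this chain verification is discarded,
      # so a proxy certificate that fails to verify does not fail the
      # recipe.  Only the "Certificate details" dump below is counted.
      run(app([@verifycmd, "-CAfile", $CAcert,
               "-untrusted", $P1intermediate, $P1cert]));
      ok(run(app([@x509cmd,
                  "-subject", "-issuer", "-startdate", "-enddate",
                  "-noout", "-in", $P1cert])),
         'Certificate details');

      skip 'failure', 2 unless
          ok(run(app([@reqcmd, "-config", $P2conf,
                      "-out", $P2req, "-keyout", $P2key,
                      @req_new],
                     stdout => "err.ss")),
             'make another proxy cert request');


      skip 'failure', 1 unless
          ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30",
                      "-req", "-out", $P2cert,
                      "-CA", $P1cert, "-CAkey", $P1key,
                      "-extfile", $P2conf, "-extensions", "v3_proxy"],
                     stdout => "err.ss")),
             'sign second proxy cert request with the first proxy cert');


      _concat_files($P2intermediate, $Ucert, $P1cert);
      # NOTE(review): as for the first proxy, the verify result is not
      # checked here.
      run(app([@verifycmd, "-CAfile", $CAcert,
               "-untrusted", $P2intermediate, $P2cert]));
      ok(run(app([@x509cmd,
                  "-subject", "-issuer", "-startdate", "-enddate",
                  "-noout", "-in", $P2cert])),
         'Certificate details');
    }
}

# Run the ssltest_old handshake tests.
#
#   $key, $cert  key and certificate handed to both the server (-s_key,
#                -s_cert) and the client (-c_key, -c_cert)
#   $CAtmp       CA file used for peer verification; when false, the
#                "certs" directory of the build tree is used as -CApath
#
# Runs six subtests, matching the "+6" in the top-level plan.
sub testssl {
    my ($key, $cert, $CAtmp) = @_;
    my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));

    my @ssltest = ("ssltest_old",
                   "-s_key", $key, "-s_cert", $cert,
                   "-c_key", $key, "-c_cert", $cert);

    my $serverinfo = srctop_file("test", "serverinfo.pem");

    # Detect a DSA certificate from the text dump of $cert.
    my $dsa_cert = 0;
    if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert,
                                        "-text", "-noout"]), capture => 1)) {
        $dsa_cert = 1;
    }


    # plan tests => 11;

    subtest 'standard SSL tests' => sub {
        ######################################################################
        plan tests => 21;

      SKIP: {
          skip "SSLv3 is not supported by this OpenSSL build", 4
              if disabled("ssl3");

          ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
             'test sslv3 via BIO pair');
          ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
             'test sslv3 with server authentication via BIO pair');
          ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
             'test sslv3 with client authentication via BIO pair');
          ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
             'test sslv3 with both server and client authentication via BIO pair');
        }

      SKIP: {
          skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
              if $no_anytls;

          ok(run(test([@ssltest, "-bio_pair"])),
             'test sslv2/sslv3 via BIO pair');
        }

      SKIP: {
          skip "DTLSv1 is not supported by this OpenSSL build", 4
              if disabled("dtls1");

          ok(run(test([@ssltest, "-dtls1"])),
             'test dtlsv1');
          ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
             'test dtlsv1 with server authentication');
          ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
             'test dtlsv1 with client authentication');
          ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
             'test dtlsv1 with both server and client authentication');
        }

      SKIP: {
          skip "DTLSv1.2 is not supported by this OpenSSL build", 4
              if disabled("dtls1_2");

          ok(run(test([@ssltest, "-dtls12"])),
             'test dtlsv1.2');
          ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
             'test dtlsv1.2 with server authentication');
          ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
             'test dtlsv1.2 with client authentication');
          ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
             'test dtlsv1.2 with both server and client authentication');
        }

      SKIP: {
          skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
              if $no_anytls;

        SKIP: {
            skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;

            ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
               'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
          }

          ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
             'test sslv2/sslv3 with 1024bit DHE via BIO pair');
          ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
             'test sslv2/sslv3 with server authentication');
          ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
             'test sslv2/sslv3 with client authentication via BIO pair');
          ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
             'test sslv2/sslv3 with both client and server authentication via BIO pair');
          ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
             'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');

        SKIP: {
            skip "No IPv4 available on this machine", 1
                unless !disabled("sock") && have_IPv4();
            ok(run(test([@ssltest, "-ipv4"])),
               'test TLS via IPv4');
          }

        SKIP: {
            skip "No IPv6 available on this machine", 1
                unless !disabled("sock") && have_IPv6();
            ok(run(test([@ssltest, "-ipv6"])),
               'test TLS via IPv6');
          }
        }
    };

    subtest "Testing ciphersuites" => sub {

        my @exkeys = ();
        my $ciphers = "-PSK:-SRP";

        if ($no_dh) {
            note "skipping DHE tests\n";
            $ciphers .= ":-kDHE";
        }
        if ($no_dsa) {
            note "skipping DSA tests\n";
            $ciphers .= ":-aDSA";
        } else {
            push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
        }

        if ($no_ec) {
            note "skipping EC tests\n";
            $ciphers .= ":!aECDSA:!kECDH";
        } else {
            push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
        }

        my @protocols = ();
        # We only use the flags that ssltest_old understands
        push @protocols, "-tls1_2" unless $no_tls1_2;
        push @protocols, "-tls1" unless $no_tls1;
        push @protocols, "-ssl3" unless $no_ssl3;
        my $protocolciphersuitecount = 0;
        # Maps each protocol flag to the list of cipher names that
        # "openssl ciphers -s" reports for it.
        my %ciphersuites = ();
        foreach my $protocol (@protocols) {
            $ciphersuites{$protocol} =
                [ map { s|\R||; split(/:/, $_) }
                  run(app(["openssl", "ciphers", "-s", $protocol,
                           "ALL:$ciphers"]), capture => 1) ];
            $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
        }

        plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
            if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0;

        # The count of protocols is because in addition to the ciphersuits
        # we got above, we're running a weak DH test for each protocol
        plan tests => $protocolciphersuitecount + scalar(keys %ciphersuites);

        foreach my $protocol (sort keys %ciphersuites) {
            note "Testing ciphersuites for $protocol";
            # ssltest_old doesn't know -tls1_2, but that's fine, since that's
            # the default choice if TLSv1.2 enabled
            my $flag = $protocol eq "-tls1_2" ? "" : $protocol;
            foreach my $cipher (@{$ciphersuites{$protocol}}) {
                if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
                    note "*****SKIPPING $protocol $cipher";
                    ok(1);
                } else {
                    ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
                                 $flag || ()])),
                       "Testing $cipher");
                }
            }
            # Negative test: the server offers 512-bit DH parameters while
            # the client cipher string pins @SECLEVEL=1, and the handshake
            # is expected to fail (run() returning 0).
            #
            # The keys of %ciphersuites are the flags "-tls1_2", "-tls1"
            # and "-ssl3", so the former comparison against "SSLv3" never
            # matched and every iteration exercised the default protocol
            # only.  Pass the same per-protocol flag as the loop above so
            # the rejection is checked for each protocol.
            is(run(test([@ssltest,
                         "-s_cipher", "EDH",
                         "-c_cipher", 'EDH:@SECLEVEL=1',
                         "-dhe512",
                         $flag || ()])), 0,
               "testing connection with weak DH, expecting failure");
        }
    };

    subtest 'RSA/(EC)DHE/PSK tests' => sub {
        ######################################################################

        plan tests => 5;

      SKIP: {
          skip "TLSv1.0 is not supported by this OpenSSL build", 5
              if $no_tls1;

        SKIP: {
            skip "skipping anonymous DH tests", 1
                if ($no_dh);

            ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1",
                         "-cipher", "ADH", "-dhe1024dsa",
                         "-num", "10", "-f", "-time"])),
               'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
          }

        SKIP: {
            skip "skipping RSA tests", 2
                if $no_rsa;

            ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1",
                         "-s_cert", srctop_file("apps","server2.pem"),
                         "-no_dhe", "-no_ecdhe",
                         "-num", "10", "-f", "-time"])),
               'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');

            skip "skipping RSA+DHE tests", 1
                if $no_dh;

            ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1",
                         "-s_cert", srctop_file("apps","server2.pem"),
                         "-dhe1024dsa",
                         "-num", "10", "-f", "-time"])),
               'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
          }

        SKIP: {
            skip "skipping PSK tests", 2
                if ($no_psk);

            # "abc123" is a fixed test key shared by both ends.
            ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
               'test tls1 with PSK');

            ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
               'test tls1 with PSK via BIO pair');
          }
        }

    };

    subtest 'Custom Extension tests' => sub {
        ######################################################################

        plan tests => 1;

      SKIP: {
          skip "TLSv1.0 is not supported by this OpenSSL build", 1
              if $no_tls1;

          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])),
             'test tls1 with custom extensions');
        }
    };

    subtest 'Serverinfo tests' => sub {
        ######################################################################

        plan tests => 5;

      SKIP: {
          skip "TLSv1.0 is not supported by this OpenSSL build", 5
              if $no_tls1;

          note('echo test tls1 with serverinfo');
          ok(run(test([@ssltest, "-bio_pair", "-tls1",
                       "-serverinfo_file", $serverinfo])));
          ok(run(test([@ssltest, "-bio_pair", "-tls1",
                       "-serverinfo_file", $serverinfo,
                       "-serverinfo_sct"])));
          ok(run(test([@ssltest, "-bio_pair", "-tls1",
                       "-serverinfo_file", $serverinfo,
                       "-serverinfo_tack"])));
          ok(run(test([@ssltest, "-bio_pair", "-tls1",
                       "-serverinfo_file", $serverinfo,
                       "-serverinfo_sct", "-serverinfo_tack"])));
          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext",
                       "-serverinfo_file", $serverinfo,
                       "-serverinfo_sct", "-serverinfo_tack"])));
        }
    };

    subtest 'SRP tests' => sub {

        plan tests => 4;

      SKIP: {
          skip "skipping SRP tests", 4
              if $no_srp || alldisabled(grep !/^ssl3/, available_protocols("tls"));

          # "test" / "abc123" are fixed test credentials.
          ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
             'test tls1 with SRP');

          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
             'test tls1 with SRP via BIO pair');

          ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
             'test tls1 with SRP auth');

          ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
             'test tls1 with SRP auth via BIO pair');
        }
    };
}

# Cleanup: remove every generated key, request, certificate and scratch
# file from the working directory.
# NOTE(review): these statements run only when the script reaches this
# point; if it dies earlier, the generated key files stay behind.
unlink $CAkey, $CAcert, $CAserial, $CAreq, $CAreq2;

unlink $Ukey, $Ureq, $Ucert, basename($Ucert, '.ss').'.srl';

unlink $Dkey, $Dreq, $Dcert;

unlink $Ekey, $Ereq, $Ecert;

unlink $P1key, $P1req, $P1cert, basename($P1cert, '.ss').'.srl',
       $P1intermediate, "intP1.ss";

unlink $P2key, $P2req, $P2cert, $P2intermediate, "intP2.ss";

unlink "ecp.ss", "err.ss";

unlink $server_sess, $client_sess;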