2
0

04-client_auth.cnf.in 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216
  1. # -*- mode: perl; -*-
  2. ## SSL test configurations
  3. package ssltests;
  4. use strict;
  5. use warnings;
  6. use OpenSSL::Test;
  7. use OpenSSL::Test::Utils qw(anydisabled disabled);
  8. setup("no_test_here");
  9. our $fips_mode;
  10. my @protocols;
  11. my @is_disabled = (0);
  12. # We test version-flexible negotiation (undef) and each protocol version.
  13. if ($fips_mode) {
  14. @protocols = (undef, "TLSv1.2", "DTLSv1.2");
  15. push @is_disabled, anydisabled("tls1_2", "dtls1_2");
  16. } else {
  17. @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  18. push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  19. }
  20. our @tests = ();
  21. sub generate_tests() {
  22. foreach (0..$#protocols) {
  23. my $protocol = $protocols[$_];
  24. my $protocol_name = $protocol || "flex";
  25. my $caalert;
  26. my $method;
  27. my $sctpenabled = 0;
  28. if (!$is_disabled[$_]) {
  29. if ($protocol_name eq "SSLv3") {
  30. $caalert = "BadCertificate";
  31. } else {
  32. $caalert = "UnknownCA";
  33. }
  34. if ($protocol_name =~ m/^DTLS/) {
  35. $method = "DTLS";
  36. $sctpenabled = 1 if !disabled("sctp");
  37. }
  38. my $clihash;
  39. my $clisigtype;
  40. my $clisigalgs;
  41. # TODO(TLS1.3) add TLSv1.3 versions
  42. if ($protocol_name eq "TLSv1.2") {
  43. $clihash = "SHA256";
  44. $clisigtype = "RSA";
  45. $clisigalgs = "SHA256+RSA";
  46. }
  47. for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  48. # Sanity-check simple handshake.
  49. push @tests, {
  50. name => "server-auth-${protocol_name}"
  51. .($sctp ? "-sctp" : ""),
  52. server => {
  53. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  54. "MinProtocol" => $protocol,
  55. "MaxProtocol" => $protocol
  56. },
  57. client => {
  58. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  59. "MinProtocol" => $protocol,
  60. "MaxProtocol" => $protocol
  61. },
  62. test => {
  63. "ExpectedResult" => "Success",
  64. "Method" => $method,
  65. },
  66. };
  67. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  68. # Handshake with client cert requested but not required or received.
  69. push @tests, {
  70. name => "client-auth-${protocol_name}-request"
  71. .($sctp ? "-sctp" : ""),
  72. server => {
  73. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  74. "MinProtocol" => $protocol,
  75. "MaxProtocol" => $protocol,
  76. "VerifyMode" => "Request"
  77. },
  78. client => {
  79. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  80. "MinProtocol" => $protocol,
  81. "MaxProtocol" => $protocol
  82. },
  83. test => {
  84. "ExpectedResult" => "Success",
  85. "Method" => $method,
  86. },
  87. };
  88. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  89. # Handshake with client cert required but not present.
  90. push @tests, {
  91. name => "client-auth-${protocol_name}-require-fail"
  92. .($sctp ? "-sctp" : ""),
  93. server => {
  94. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  95. "MinProtocol" => $protocol,
  96. "MaxProtocol" => $protocol,
  97. "VerifyCAFile" => test_pem("root-cert.pem"),
  98. "VerifyMode" => "Require",
  99. },
  100. client => {
  101. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  102. "MinProtocol" => $protocol,
  103. "MaxProtocol" => $protocol
  104. },
  105. test => {
  106. "ExpectedResult" => "ServerFail",
  107. "ExpectedServerAlert" =>
  108. ($protocol_name eq "flex" && !disabled("tls1_3"))
  109. ? "CertificateRequired" : "HandshakeFailure",
  110. "Method" => $method,
  111. },
  112. };
  113. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  114. # Successful handshake with client authentication.
  115. push @tests, {
  116. name => "client-auth-${protocol_name}-require"
  117. .($sctp ? "-sctp" : ""),
  118. server => {
  119. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  120. "MinProtocol" => $protocol,
  121. "MaxProtocol" => $protocol,
  122. "ClientSignatureAlgorithms" => $clisigalgs,
  123. "VerifyCAFile" => test_pem("root-cert.pem"),
  124. "VerifyMode" => "Request",
  125. },
  126. client => {
  127. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  128. "MinProtocol" => $protocol,
  129. "MaxProtocol" => $protocol,
  130. "Certificate" => test_pem("ee-client-chain.pem"),
  131. "PrivateKey" => test_pem("ee-key.pem"),
  132. },
  133. test => {
  134. "ExpectedResult" => "Success",
  135. "ExpectedClientCertType" => "RSA",
  136. "ExpectedClientSignType" => $clisigtype,
  137. "ExpectedClientSignHash" => $clihash,
  138. "ExpectedClientCANames" => "empty",
  139. "Method" => $method,
  140. },
  141. };
  142. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  143. # Successful handshake with client authentication non-empty names
  144. push @tests, {
  145. name => "client-auth-${protocol_name}-require-non-empty-names"
  146. .($sctp ? "-sctp" : ""),
  147. server => {
  148. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  149. "MinProtocol" => $protocol,
  150. "MaxProtocol" => $protocol,
  151. "ClientSignatureAlgorithms" => $clisigalgs,
  152. "ClientCAFile" => test_pem("root-cert.pem"),
  153. "VerifyCAFile" => test_pem("root-cert.pem"),
  154. "VerifyMode" => "Request",
  155. },
  156. client => {
  157. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  158. "MinProtocol" => $protocol,
  159. "MaxProtocol" => $protocol,
  160. "Certificate" => test_pem("ee-client-chain.pem"),
  161. "PrivateKey" => test_pem("ee-key.pem"),
  162. },
  163. test => {
  164. "ExpectedResult" => "Success",
  165. "ExpectedClientCertType" => "RSA",
  166. "ExpectedClientSignType" => $clisigtype,
  167. "ExpectedClientSignHash" => $clihash,
  168. "ExpectedClientCANames" => test_pem("root-cert.pem"),
  169. "Method" => $method,
  170. },
  171. };
  172. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  173. # Handshake with client authentication but without the root certificate.
  174. push @tests, {
  175. name => "client-auth-${protocol_name}-noroot"
  176. .($sctp ? "-sctp" : ""),
  177. server => {
  178. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  179. "MinProtocol" => $protocol,
  180. "MaxProtocol" => $protocol,
  181. "VerifyMode" => "Require",
  182. },
  183. client => {
  184. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  185. "MinProtocol" => $protocol,
  186. "MaxProtocol" => $protocol,
  187. "Certificate" => test_pem("ee-client-chain.pem"),
  188. "PrivateKey" => test_pem("ee-key.pem"),
  189. },
  190. test => {
  191. "ExpectedResult" => "ServerFail",
  192. "ExpectedServerAlert" => $caalert,
  193. "Method" => $method,
  194. },
  195. };
  196. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  197. }
  198. }
  199. }
  200. }
  201. generate_tests();