  1. # -*- mode: perl; -*-
## SSL test configurations: client certificate authentication (server VerifyMode Request/Require)
  3. package ssltests;
  4. use strict;
  5. use warnings;
  6. use OpenSSL::Test;
  7. use OpenSSL::Test::Utils qw(anydisabled disabled);
  8. setup("no_test_here");
  9. # We test version-flexible negotiation (undef) and each protocol version.
  10. my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  11. my @is_disabled = (0);
  12. push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  13. our @tests = ();
  14. sub generate_tests() {
  15. foreach (0..$#protocols) {
  16. my $protocol = $protocols[$_];
  17. my $protocol_name = $protocol || "flex";
  18. my $caalert;
  19. my $method;
  20. my $sctpenabled = 0;
  21. if (!$is_disabled[$_]) {
  22. if ($protocol_name eq "SSLv3") {
  23. $caalert = "BadCertificate";
  24. } else {
  25. $caalert = "UnknownCA";
  26. }
  27. if ($protocol_name =~ m/^DTLS/) {
  28. $method = "DTLS";
  29. $sctpenabled = 1 if !disabled("sctp");
  30. }
  31. my $clihash;
  32. my $clisigtype;
  33. my $clisigalgs;
  34. # TODO(TLS1.3) add TLSv1.3 versions
  35. if ($protocol_name eq "TLSv1.2") {
  36. $clihash = "SHA256";
  37. $clisigtype = "RSA";
  38. $clisigalgs = "SHA256+RSA";
  39. }
  40. for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  41. # Sanity-check simple handshake.
  42. push @tests, {
  43. name => "server-auth-${protocol_name}"
  44. .($sctp ? "-sctp" : ""),
  45. server => {
  46. "MinProtocol" => $protocol,
  47. "MaxProtocol" => $protocol
  48. },
  49. client => {
  50. "MinProtocol" => $protocol,
  51. "MaxProtocol" => $protocol
  52. },
  53. test => {
  54. "ExpectedResult" => "Success",
  55. "Method" => $method,
  56. },
  57. };
  58. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  59. # Handshake with client cert requested but not required or received.
  60. push @tests, {
  61. name => "client-auth-${protocol_name}-request"
  62. .($sctp ? "-sctp" : ""),
  63. server => {
  64. "MinProtocol" => $protocol,
  65. "MaxProtocol" => $protocol,
  66. "VerifyMode" => "Request"
  67. },
  68. client => {
  69. "MinProtocol" => $protocol,
  70. "MaxProtocol" => $protocol
  71. },
  72. test => {
  73. "ExpectedResult" => "Success",
  74. "Method" => $method,
  75. },
  76. };
  77. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  78. # Handshake with client cert required but not present.
  79. push @tests, {
  80. name => "client-auth-${protocol_name}-require-fail"
  81. .($sctp ? "-sctp" : ""),
  82. server => {
  83. "MinProtocol" => $protocol,
  84. "MaxProtocol" => $protocol,
  85. "VerifyCAFile" => test_pem("root-cert.pem"),
  86. "VerifyMode" => "Require",
  87. },
  88. client => {
  89. "MinProtocol" => $protocol,
  90. "MaxProtocol" => $protocol
  91. },
  92. test => {
  93. "ExpectedResult" => "ServerFail",
  94. "ExpectedServerAlert" =>
  95. ($protocol_name eq "flex" && !disabled("tls1_3"))
  96. ? "CertificateRequired" : "HandshakeFailure",
  97. "Method" => $method,
  98. },
  99. };
  100. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  101. # Successful handshake with client authentication.
  102. push @tests, {
  103. name => "client-auth-${protocol_name}-require"
  104. .($sctp ? "-sctp" : ""),
  105. server => {
  106. "MinProtocol" => $protocol,
  107. "MaxProtocol" => $protocol,
  108. "ClientSignatureAlgorithms" => $clisigalgs,
  109. "VerifyCAFile" => test_pem("root-cert.pem"),
  110. "VerifyMode" => "Request",
  111. },
  112. client => {
  113. "MinProtocol" => $protocol,
  114. "MaxProtocol" => $protocol,
  115. "Certificate" => test_pem("ee-client-chain.pem"),
  116. "PrivateKey" => test_pem("ee-key.pem"),
  117. },
  118. test => {
  119. "ExpectedResult" => "Success",
  120. "ExpectedClientCertType" => "RSA",
  121. "ExpectedClientSignType" => $clisigtype,
  122. "ExpectedClientSignHash" => $clihash,
  123. "ExpectedClientCANames" => "empty",
  124. "Method" => $method,
  125. },
  126. };
  127. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  128. # Successful handshake with client authentication non-empty names
  129. push @tests, {
  130. name => "client-auth-${protocol_name}-require-non-empty-names"
  131. .($sctp ? "-sctp" : ""),
  132. server => {
  133. "MinProtocol" => $protocol,
  134. "MaxProtocol" => $protocol,
  135. "ClientSignatureAlgorithms" => $clisigalgs,
  136. "ClientCAFile" => test_pem("root-cert.pem"),
  137. "VerifyCAFile" => test_pem("root-cert.pem"),
  138. "VerifyMode" => "Request",
  139. },
  140. client => {
  141. "MinProtocol" => $protocol,
  142. "MaxProtocol" => $protocol,
  143. "Certificate" => test_pem("ee-client-chain.pem"),
  144. "PrivateKey" => test_pem("ee-key.pem"),
  145. },
  146. test => {
  147. "ExpectedResult" => "Success",
  148. "ExpectedClientCertType" => "RSA",
  149. "ExpectedClientSignType" => $clisigtype,
  150. "ExpectedClientSignHash" => $clihash,
  151. "ExpectedClientCANames" => test_pem("root-cert.pem"),
  152. "Method" => $method,
  153. },
  154. };
  155. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  156. # Handshake with client authentication but without the root certificate.
  157. push @tests, {
  158. name => "client-auth-${protocol_name}-noroot"
  159. .($sctp ? "-sctp" : ""),
  160. server => {
  161. "MinProtocol" => $protocol,
  162. "MaxProtocol" => $protocol,
  163. "VerifyMode" => "Require",
  164. },
  165. client => {
  166. "MinProtocol" => $protocol,
  167. "MaxProtocol" => $protocol,
  168. "Certificate" => test_pem("ee-client-chain.pem"),
  169. "PrivateKey" => test_pem("ee-key.pem"),
  170. },
  171. test => {
  172. "ExpectedResult" => "ServerFail",
  173. "ExpectedServerAlert" => $caalert,
  174. "Method" => $method,
  175. },
  176. };
  177. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  178. }
  179. }
  180. }
  181. }
# Fill @tests (our @ssltests::tests) at load time; the config generator that
# includes this file is expected to read it from there.
generate_tests();