123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 |
- # -*- mode: perl; -*-
- ## SSL test configurations
- package ssltests;
- use strict;
- use warnings;
- use OpenSSL::Test;
- use OpenSSL::Test::Utils qw(anydisabled disabled);
- setup("no_test_here");
- our $fips_mode;
- my @protocols;
- my @is_disabled = (0);
- push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
- # We test version-flexible negotiation (undef) and each protocol version.
- if ($fips_mode) {
- @protocols = (undef, "TLSv1.2", "DTLSv1.2");
- } else {
- @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
- }
- our @tests = ();
- sub generate_tests() {
- foreach (0..$#protocols) {
- my $protocol = $protocols[$_];
- my $protocol_name = $protocol || "flex";
- my $caalert;
- my $method;
- my $sctpenabled = 0;
- if (!$is_disabled[$_]) {
- if ($protocol_name eq "SSLv3") {
- $caalert = "BadCertificate";
- } else {
- $caalert = "UnknownCA";
- }
- if ($protocol_name =~ m/^DTLS/) {
- $method = "DTLS";
- $sctpenabled = 1 if !disabled("sctp");
- }
- my $clihash;
- my $clisigtype;
- my $clisigalgs;
- # TODO(TLS1.3) add TLSv1.3 versions
- if ($protocol_name eq "TLSv1.2") {
- $clihash = "SHA256";
- $clisigtype = "RSA";
- $clisigalgs = "SHA256+RSA";
- }
- for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
- # Sanity-check simple handshake.
- push @tests, {
- name => "server-auth-${protocol_name}"
- .($sctp ? "-sctp" : ""),
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- test => {
- "ExpectedResult" => "Success",
- "Method" => $method,
- },
- };
- $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Handshake with client cert requested but not required or received.
- push @tests, {
- name => "client-auth-${protocol_name}-request"
- .($sctp ? "-sctp" : ""),
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyMode" => "Request"
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- test => {
- "ExpectedResult" => "Success",
- "Method" => $method,
- },
- };
- $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Handshake with client cert required but not present.
- push @tests, {
- name => "client-auth-${protocol_name}-require-fail"
- .($sctp ? "-sctp" : ""),
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "ExpectedServerAlert" =>
- ($protocol_name eq "flex" && !disabled("tls1_3"))
- ? "CertificateRequired" : "HandshakeFailure",
- "Method" => $method,
- },
- };
- $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Successful handshake with client authentication.
- push @tests, {
- name => "client-auth-${protocol_name}-require"
- .($sctp ? "-sctp" : ""),
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "ClientSignatureAlgorithms" => $clisigalgs,
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Request",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- },
- test => {
- "ExpectedResult" => "Success",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => $clisigtype,
- "ExpectedClientSignHash" => $clihash,
- "ExpectedClientCANames" => "empty",
- "Method" => $method,
- },
- };
- $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Successful handshake with client authentication non-empty names
- push @tests, {
- name => "client-auth-${protocol_name}-require-non-empty-names"
- .($sctp ? "-sctp" : ""),
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "ClientSignatureAlgorithms" => $clisigalgs,
- "ClientCAFile" => test_pem("root-cert.pem"),
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Request",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- },
- test => {
- "ExpectedResult" => "Success",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => $clisigtype,
- "ExpectedClientSignHash" => $clihash,
- "ExpectedClientCANames" => test_pem("root-cert.pem"),
- "Method" => $method,
- },
- };
- $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Handshake with client authentication but without the root certificate.
- push @tests, {
- name => "client-auth-${protocol_name}-noroot"
- .($sctp ? "-sctp" : ""),
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyMode" => "Require",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "Certificate" => test_pem("ee-client-chain.pem"),
- "PrivateKey" => test_pem("ee-key.pem"),
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "ExpectedServerAlert" => $caalert,
- "Method" => $method,
- },
- };
- $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- }
- }
- }
- }
- generate_tests();
|