2
0

04-client_auth.cnf.in 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203
  1. # -*- mode: perl; -*-
  2. ## SSL test configurations
  3. package ssltests;
  4. use strict;
  5. use warnings;
  6. use OpenSSL::Test;
  7. use OpenSSL::Test::Utils qw(anydisabled disabled);
  8. setup("no_test_here");
  9. our $fips_mode;
  10. my @protocols;
  11. my @is_disabled = (0);
  12. push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  13. # We test version-flexible negotiation (undef) and each protocol version.
  14. if ($fips_mode) {
  15. @protocols = (undef, "TLSv1.2", "DTLSv1.2");
  16. } else {
  17. @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  18. }
  19. our @tests = ();
  20. sub generate_tests() {
  21. foreach (0..$#protocols) {
  22. my $protocol = $protocols[$_];
  23. my $protocol_name = $protocol || "flex";
  24. my $caalert;
  25. my $method;
  26. my $sctpenabled = 0;
  27. if (!$is_disabled[$_]) {
  28. if ($protocol_name eq "SSLv3") {
  29. $caalert = "BadCertificate";
  30. } else {
  31. $caalert = "UnknownCA";
  32. }
  33. if ($protocol_name =~ m/^DTLS/) {
  34. $method = "DTLS";
  35. $sctpenabled = 1 if !disabled("sctp");
  36. }
  37. my $clihash;
  38. my $clisigtype;
  39. my $clisigalgs;
  40. # TODO(TLS1.3) add TLSv1.3 versions
  41. if ($protocol_name eq "TLSv1.2") {
  42. $clihash = "SHA256";
  43. $clisigtype = "RSA";
  44. $clisigalgs = "SHA256+RSA";
  45. }
  46. for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  47. # Sanity-check simple handshake.
  48. push @tests, {
  49. name => "server-auth-${protocol_name}"
  50. .($sctp ? "-sctp" : ""),
  51. server => {
  52. "MinProtocol" => $protocol,
  53. "MaxProtocol" => $protocol
  54. },
  55. client => {
  56. "MinProtocol" => $protocol,
  57. "MaxProtocol" => $protocol
  58. },
  59. test => {
  60. "ExpectedResult" => "Success",
  61. "Method" => $method,
  62. },
  63. };
  64. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  65. # Handshake with client cert requested but not required or received.
  66. push @tests, {
  67. name => "client-auth-${protocol_name}-request"
  68. .($sctp ? "-sctp" : ""),
  69. server => {
  70. "MinProtocol" => $protocol,
  71. "MaxProtocol" => $protocol,
  72. "VerifyMode" => "Request"
  73. },
  74. client => {
  75. "MinProtocol" => $protocol,
  76. "MaxProtocol" => $protocol
  77. },
  78. test => {
  79. "ExpectedResult" => "Success",
  80. "Method" => $method,
  81. },
  82. };
  83. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  84. # Handshake with client cert required but not present.
  85. push @tests, {
  86. name => "client-auth-${protocol_name}-require-fail"
  87. .($sctp ? "-sctp" : ""),
  88. server => {
  89. "MinProtocol" => $protocol,
  90. "MaxProtocol" => $protocol,
  91. "VerifyCAFile" => test_pem("root-cert.pem"),
  92. "VerifyMode" => "Require",
  93. },
  94. client => {
  95. "MinProtocol" => $protocol,
  96. "MaxProtocol" => $protocol
  97. },
  98. test => {
  99. "ExpectedResult" => "ServerFail",
  100. "ExpectedServerAlert" =>
  101. ($protocol_name eq "flex" && !disabled("tls1_3"))
  102. ? "CertificateRequired" : "HandshakeFailure",
  103. "Method" => $method,
  104. },
  105. };
  106. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  107. # Successful handshake with client authentication.
  108. push @tests, {
  109. name => "client-auth-${protocol_name}-require"
  110. .($sctp ? "-sctp" : ""),
  111. server => {
  112. "MinProtocol" => $protocol,
  113. "MaxProtocol" => $protocol,
  114. "ClientSignatureAlgorithms" => $clisigalgs,
  115. "VerifyCAFile" => test_pem("root-cert.pem"),
  116. "VerifyMode" => "Request",
  117. },
  118. client => {
  119. "MinProtocol" => $protocol,
  120. "MaxProtocol" => $protocol,
  121. "Certificate" => test_pem("ee-client-chain.pem"),
  122. "PrivateKey" => test_pem("ee-key.pem"),
  123. },
  124. test => {
  125. "ExpectedResult" => "Success",
  126. "ExpectedClientCertType" => "RSA",
  127. "ExpectedClientSignType" => $clisigtype,
  128. "ExpectedClientSignHash" => $clihash,
  129. "ExpectedClientCANames" => "empty",
  130. "Method" => $method,
  131. },
  132. };
  133. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  134. # Successful handshake with client authentication non-empty names
  135. push @tests, {
  136. name => "client-auth-${protocol_name}-require-non-empty-names"
  137. .($sctp ? "-sctp" : ""),
  138. server => {
  139. "MinProtocol" => $protocol,
  140. "MaxProtocol" => $protocol,
  141. "ClientSignatureAlgorithms" => $clisigalgs,
  142. "ClientCAFile" => test_pem("root-cert.pem"),
  143. "VerifyCAFile" => test_pem("root-cert.pem"),
  144. "VerifyMode" => "Request",
  145. },
  146. client => {
  147. "MinProtocol" => $protocol,
  148. "MaxProtocol" => $protocol,
  149. "Certificate" => test_pem("ee-client-chain.pem"),
  150. "PrivateKey" => test_pem("ee-key.pem"),
  151. },
  152. test => {
  153. "ExpectedResult" => "Success",
  154. "ExpectedClientCertType" => "RSA",
  155. "ExpectedClientSignType" => $clisigtype,
  156. "ExpectedClientSignHash" => $clihash,
  157. "ExpectedClientCANames" => test_pem("root-cert.pem"),
  158. "Method" => $method,
  159. },
  160. };
  161. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  162. # Handshake with client authentication but without the root certificate.
  163. push @tests, {
  164. name => "client-auth-${protocol_name}-noroot"
  165. .($sctp ? "-sctp" : ""),
  166. server => {
  167. "MinProtocol" => $protocol,
  168. "MaxProtocol" => $protocol,
  169. "VerifyMode" => "Require",
  170. },
  171. client => {
  172. "MinProtocol" => $protocol,
  173. "MaxProtocol" => $protocol,
  174. "Certificate" => test_pem("ee-client-chain.pem"),
  175. "PrivateKey" => test_pem("ee-key.pem"),
  176. },
  177. test => {
  178. "ExpectedResult" => "ServerFail",
  179. "ExpectedServerAlert" => $caalert,
  180. "Method" => $method,
  181. },
  182. };
  183. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  184. }
  185. }
  186. }
  187. }
  188. generate_tests();