
  1. # -*- mode: perl; -*-
  2. ## SSL test configurations
  3. package ssltests;
  4. use strict;
  5. use warnings;
  6. use OpenSSL::Test;
  7. use OpenSSL::Test::Utils qw(anydisabled disabled);
  8. setup("no_test_here");
  9. our $fips_mode;
  10. my @protocols;
  11. my @is_disabled = (0);
  12. push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
  13. # We test version-flexible negotiation (undef) and each protocol version.
  14. if ($fips_mode) {
  15. @protocols = (undef, "TLSv1.2", "DTLSv1.2");
  16. } else {
  17. @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
  18. }
  19. our @tests = ();
  20. sub generate_tests() {
  21. foreach (0..$#protocols) {
  22. my $protocol = $protocols[$_];
  23. my $protocol_name = $protocol || "flex";
  24. my $caalert;
  25. my $method;
  26. my $sctpenabled = 0;
  27. if (!$is_disabled[$_]) {
  28. if ($protocol_name eq "SSLv3") {
  29. $caalert = "BadCertificate";
  30. } else {
  31. $caalert = "UnknownCA";
  32. }
  33. if ($protocol_name =~ m/^DTLS/) {
  34. $method = "DTLS";
  35. $sctpenabled = 1 if !disabled("sctp");
  36. }
  37. my $clihash;
  38. my $clisigtype;
  39. my $clisigalgs;
  40. # TODO(TLS1.3) add TLSv1.3 versions
  41. if ($protocol_name eq "TLSv1.2") {
  42. $clihash = "SHA256";
  43. $clisigtype = "RSA";
  44. $clisigalgs = "SHA256+RSA";
  45. }
  46. for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
  47. # Sanity-check simple handshake.
  48. push @tests, {
  49. name => "server-auth-${protocol_name}"
  50. .($sctp ? "-sctp" : ""),
  51. server => {
  52. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  53. "MinProtocol" => $protocol,
  54. "MaxProtocol" => $protocol
  55. },
  56. client => {
  57. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  58. "MinProtocol" => $protocol,
  59. "MaxProtocol" => $protocol
  60. },
  61. test => {
  62. "ExpectedResult" => "Success",
  63. "Method" => $method,
  64. },
  65. };
  66. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  67. # Handshake with client cert requested but not required or received.
  68. push @tests, {
  69. name => "client-auth-${protocol_name}-request"
  70. .($sctp ? "-sctp" : ""),
  71. server => {
  72. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  73. "MinProtocol" => $protocol,
  74. "MaxProtocol" => $protocol,
  75. "VerifyMode" => "Request"
  76. },
  77. client => {
  78. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  79. "MinProtocol" => $protocol,
  80. "MaxProtocol" => $protocol
  81. },
  82. test => {
  83. "ExpectedResult" => "Success",
  84. "Method" => $method,
  85. },
  86. };
  87. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  88. # Handshake with client cert required but not present.
  89. push @tests, {
  90. name => "client-auth-${protocol_name}-require-fail"
  91. .($sctp ? "-sctp" : ""),
  92. server => {
  93. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  94. "MinProtocol" => $protocol,
  95. "MaxProtocol" => $protocol,
  96. "VerifyCAFile" => test_pem("root-cert.pem"),
  97. "VerifyMode" => "Require",
  98. },
  99. client => {
  100. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  101. "MinProtocol" => $protocol,
  102. "MaxProtocol" => $protocol
  103. },
  104. test => {
  105. "ExpectedResult" => "ServerFail",
  106. "ExpectedServerAlert" =>
  107. ($protocol_name eq "flex" && !disabled("tls1_3"))
  108. ? "CertificateRequired" : "HandshakeFailure",
  109. "Method" => $method,
  110. },
  111. };
  112. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  113. # Successful handshake with client authentication.
  114. push @tests, {
  115. name => "client-auth-${protocol_name}-require"
  116. .($sctp ? "-sctp" : ""),
  117. server => {
  118. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  119. "MinProtocol" => $protocol,
  120. "MaxProtocol" => $protocol,
  121. "ClientSignatureAlgorithms" => $clisigalgs,
  122. "VerifyCAFile" => test_pem("root-cert.pem"),
  123. "VerifyMode" => "Request",
  124. },
  125. client => {
  126. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  127. "MinProtocol" => $protocol,
  128. "MaxProtocol" => $protocol,
  129. "Certificate" => test_pem("ee-client-chain.pem"),
  130. "PrivateKey" => test_pem("ee-key.pem"),
  131. },
  132. test => {
  133. "ExpectedResult" => "Success",
  134. "ExpectedClientCertType" => "RSA",
  135. "ExpectedClientSignType" => $clisigtype,
  136. "ExpectedClientSignHash" => $clihash,
  137. "ExpectedClientCANames" => "empty",
  138. "Method" => $method,
  139. },
  140. };
  141. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  142. # Successful handshake with client authentication non-empty names
  143. push @tests, {
  144. name => "client-auth-${protocol_name}-require-non-empty-names"
  145. .($sctp ? "-sctp" : ""),
  146. server => {
  147. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  148. "MinProtocol" => $protocol,
  149. "MaxProtocol" => $protocol,
  150. "ClientSignatureAlgorithms" => $clisigalgs,
  151. "ClientCAFile" => test_pem("root-cert.pem"),
  152. "VerifyCAFile" => test_pem("root-cert.pem"),
  153. "VerifyMode" => "Request",
  154. },
  155. client => {
  156. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  157. "MinProtocol" => $protocol,
  158. "MaxProtocol" => $protocol,
  159. "Certificate" => test_pem("ee-client-chain.pem"),
  160. "PrivateKey" => test_pem("ee-key.pem"),
  161. },
  162. test => {
  163. "ExpectedResult" => "Success",
  164. "ExpectedClientCertType" => "RSA",
  165. "ExpectedClientSignType" => $clisigtype,
  166. "ExpectedClientSignHash" => $clihash,
  167. "ExpectedClientCANames" => test_pem("root-cert.pem"),
  168. "Method" => $method,
  169. },
  170. };
  171. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  172. # Handshake with client authentication but without the root certificate.
  173. push @tests, {
  174. name => "client-auth-${protocol_name}-noroot"
  175. .($sctp ? "-sctp" : ""),
  176. server => {
  177. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  178. "MinProtocol" => $protocol,
  179. "MaxProtocol" => $protocol,
  180. "VerifyMode" => "Require",
  181. },
  182. client => {
  183. "CipherString" => "DEFAULT:\@SECLEVEL=0",
  184. "MinProtocol" => $protocol,
  185. "MaxProtocol" => $protocol,
  186. "Certificate" => test_pem("ee-client-chain.pem"),
  187. "PrivateKey" => test_pem("ee-key.pem"),
  188. },
  189. test => {
  190. "ExpectedResult" => "ServerFail",
  191. "ExpectedServerAlert" => $caalert,
  192. "Method" => $method,
  193. },
  194. };
  195. $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
  196. }
  197. }
  198. }
  199. }
# Populate @tests as soon as this file is evaluated.
generate_tests();