[thirdparty/openssl.git] / test / ssl-tests / 18-dtls-renegotiate.cnf.in

# -*- mode: perl; -*-
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## Test Renegotiation

use strict;
use warnings;

package ssltests;
use OpenSSL::Test::Utils;

our $fips_mode;

our @tests = ();

foreach my $sctp ("No", "Yes")
{
    next if disabled("sctp") && $sctp eq "Yes";
    next if disabled("dtls1_2") && $fips_mode;

    my $suffix = ($sctp eq "No") ? "" : "-sctp";
    our @tests_basic = (
        {
            name => "renegotiate-client-no-resume".$suffix,
            server => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => 'DEFAULT:@SECLEVEL=0',
                "Options" => "NoResumptionOnRenegotiation"
            },
            client => {
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateClient",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
        {
            name => "renegotiate-client-resume".$suffix,
            server => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            client => {
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateClient",
                "ResumptionExpected" => "Yes",
                "ExpectedResult" => "Success"
            }
        },
        # Note: Unlike the TLS tests, we will never do resumption with server
        # initiated reneg. This is because an OpenSSL DTLS client will always do a full
        # handshake (i.e. it doesn't supply a session id) when it receives a
        # HelloRequest. This is different to the OpenSSL TLS implementation where an
        # OpenSSL client will always try an abbreviated handshake (i.e. it will supply
        # the session id). This goes all the way to commit 48ae85b6f when abbreviated
        # handshake support was first added. Neither behaviour is wrong, but the
        # discrepancy is strange. TODO: Should we harmonise the TLS and DTLS behaviour,
        # and if so, what to?
        {
            name => "renegotiate-server-resume".$suffix,
            server => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            client => {
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateServer",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
        {
            name => "renegotiate-client-auth-require".$suffix,
            server => {
                "MaxProtocol" => "DTLSv1.2",
                "VerifyCAFile" => test_pem("root-cert.pem"),
                "VerifyMode" => "Require",
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            client => {
                "Certificate" => test_pem("ee-client-chain.pem"),
                "PrivateKey"  => test_pem("ee-key.pem"),
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateServer",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
        {
            name => "renegotiate-client-auth-once".$suffix,
            server => {
                "MaxProtocol" => "DTLSv1.2",
                "VerifyCAFile" => test_pem("root-cert.pem"),
                "VerifyMode" => "Once",
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            client => {
                "Certificate" => test_pem("ee-client-chain.pem"),
                "PrivateKey"  => test_pem("ee-key.pem"),
                "CipherString" => 'DEFAULT:@SECLEVEL=0'
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateServer",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        }
    );
    push @tests, @tests_basic;

    next if disabled("dtls1_2");
    our @tests_dtls1_2 = (
        {
            name => "renegotiate-aead-to-non-aead".$suffix,
            server => {
                "Options" => "NoResumptionOnRenegotiation"
            },
            client => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => "AES128-GCM-SHA256",
                extra => {
                    "RenegotiateCiphers" => "AES128-SHA"
                }
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateClient",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
        {
            name => "renegotiate-non-aead-to-aead".$suffix,
            server => {
                "Options" => "NoResumptionOnRenegotiation"
            },
            client => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => "AES128-SHA",
                extra => {
                    "RenegotiateCiphers" => "AES128-GCM-SHA256"
                }
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateClient",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
        {
            name => "renegotiate-non-aead-to-non-aead".$suffix,
            server => {
                "Options" => "NoResumptionOnRenegotiation"
            },
            client => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => "AES128-SHA",
                extra => {
                    "RenegotiateCiphers" => "AES256-SHA"
                }
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateClient",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
        {
            name => "renegotiate-aead-to-aead".$suffix,
            server => {
                "Options" => "NoResumptionOnRenegotiation"
            },
            client => {
                "MaxProtocol" => "DTLSv1.2",
                "CipherString" => "AES128-GCM-SHA256",
                extra => {
                    "RenegotiateCiphers" => "AES256-GCM-SHA384"
                }
            },
            test => {
                "Method" => "DTLS",
                "UseSCTP" => $sctp,
                "HandshakeMode" => "RenegotiateClient",
                "ResumptionExpected" => "No",
                "ExpectedResult" => "Success"
            }
        },
    );
    push @tests, @tests_dtls1_2;
}
Commit	Line	Data
	1	# -- mode: perl; --
	2	# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
	3	#
	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9
	10	## Test Renegotiation
	11
	12	use strict;
	13	use warnings;
	14
	15	package ssltests;
	16	use OpenSSL::Test::Utils;
	17
	18	our $fips_mode;
	19
	20	our @tests = ();
	21
	22	foreach my $sctp ("No", "Yes")
	23	{
	24	next if disabled("sctp") && $sctp eq "Yes";
	25	next if disabled("dtls1_2") && $fips_mode;
	26
	27	my $suffix = ($sctp eq "No") ? "" : "-sctp";
	28	our @tests_basic = (
	29	{
	30	name => "renegotiate-client-no-resume".$suffix,
	31	server => {
	32	"MaxProtocol" => "DTLSv1.2",
	33	"CipherString" => 'DEFAULT:@SECLEVEL=0',
	34	"Options" => "NoResumptionOnRenegotiation"
	35	},
	36	client => {
	37	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	38	},
	39	test => {
	40	"Method" => "DTLS",
	41	"UseSCTP" => $sctp,
	42	"HandshakeMode" => "RenegotiateClient",
	43	"ResumptionExpected" => "No",
	44	"ExpectedResult" => "Success"
	45	}
	46	},
	47	{
	48	name => "renegotiate-client-resume".$suffix,
	49	server => {
	50	"MaxProtocol" => "DTLSv1.2",
	51	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	52	},
	53	client => {
	54	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	55	},
	56	test => {
	57	"Method" => "DTLS",
	58	"UseSCTP" => $sctp,
	59	"HandshakeMode" => "RenegotiateClient",
	60	"ResumptionExpected" => "Yes",
	61	"ExpectedResult" => "Success"
	62	}
	63	},
	64	# Note: Unlike the TLS tests, we will never do resumption with server
	65	# initiated reneg. This is because an OpenSSL DTLS client will always do a full
	66	# handshake (i.e. it doesn't supply a session id) when it receives a
	67	# HelloRequest. This is different to the OpenSSL TLS implementation where an
	68	# OpenSSL client will always try an abbreviated handshake (i.e. it will supply
	69	# the session id). This goes all the way to commit 48ae85b6f when abbreviated
	70	# handshake support was first added. Neither behaviour is wrong, but the
	71	# discrepancy is strange. TODO: Should we harmonise the TLS and DTLS behaviour,
	72	# and if so, what to?
	73	{
	74	name => "renegotiate-server-resume".$suffix,
	75	server => {
	76	"MaxProtocol" => "DTLSv1.2",
	77	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	78	},
	79	client => {
	80	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	81	},
	82	test => {
	83	"Method" => "DTLS",
	84	"UseSCTP" => $sctp,
	85	"HandshakeMode" => "RenegotiateServer",
	86	"ResumptionExpected" => "No",
	87	"ExpectedResult" => "Success"
	88	}
	89	},
	90	{
	91	name => "renegotiate-client-auth-require".$suffix,
	92	server => {
	93	"MaxProtocol" => "DTLSv1.2",
	94	"VerifyCAFile" => test_pem("root-cert.pem"),
	95	"VerifyMode" => "Require",
	96	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	97	},
	98	client => {
	99	"Certificate" => test_pem("ee-client-chain.pem"),
	100	"PrivateKey" => test_pem("ee-key.pem"),
	101	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	102	},
	103	test => {
	104	"Method" => "DTLS",
	105	"UseSCTP" => $sctp,
	106	"HandshakeMode" => "RenegotiateServer",
	107	"ResumptionExpected" => "No",
	108	"ExpectedResult" => "Success"
	109	}
	110	},
	111	{
	112	name => "renegotiate-client-auth-once".$suffix,
	113	server => {
	114	"MaxProtocol" => "DTLSv1.2",
	115	"VerifyCAFile" => test_pem("root-cert.pem"),
	116	"VerifyMode" => "Once",
	117	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	118	},
	119	client => {
	120	"Certificate" => test_pem("ee-client-chain.pem"),
	121	"PrivateKey" => test_pem("ee-key.pem"),
	122	"CipherString" => 'DEFAULT:@SECLEVEL=0'
	123	},
	124	test => {
	125	"Method" => "DTLS",
	126	"UseSCTP" => $sctp,
	127	"HandshakeMode" => "RenegotiateServer",
	128	"ResumptionExpected" => "No",
	129	"ExpectedResult" => "Success"
	130	}
	131	}
	132	);
	133	push @tests, @tests_basic;
	134
	135	next if disabled("dtls1_2");
	136	our @tests_dtls1_2 = (
	137	{
	138	name => "renegotiate-aead-to-non-aead".$suffix,
	139	server => {
	140	"Options" => "NoResumptionOnRenegotiation"
	141	},
	142	client => {
	143	"MaxProtocol" => "DTLSv1.2",
	144	"CipherString" => "AES128-GCM-SHA256",
	145	extra => {
	146	"RenegotiateCiphers" => "AES128-SHA"
	147	}
	148	},
	149	test => {
	150	"Method" => "DTLS",
	151	"UseSCTP" => $sctp,
	152	"HandshakeMode" => "RenegotiateClient",
	153	"ResumptionExpected" => "No",
	154	"ExpectedResult" => "Success"
	155	}
	156	},
	157	{
	158	name => "renegotiate-non-aead-to-aead".$suffix,
	159	server => {
	160	"Options" => "NoResumptionOnRenegotiation"
	161	},
	162	client => {
	163	"MaxProtocol" => "DTLSv1.2",
	164	"CipherString" => "AES128-SHA",
	165	extra => {
	166	"RenegotiateCiphers" => "AES128-GCM-SHA256"
	167	}
	168	},
	169	test => {
	170	"Method" => "DTLS",
	171	"UseSCTP" => $sctp,
	172	"HandshakeMode" => "RenegotiateClient",
	173	"ResumptionExpected" => "No",
	174	"ExpectedResult" => "Success"
	175	}
	176	},
	177	{
	178	name => "renegotiate-non-aead-to-non-aead".$suffix,
	179	server => {
	180	"Options" => "NoResumptionOnRenegotiation"
	181	},
	182	client => {
	183	"MaxProtocol" => "DTLSv1.2",
	184	"CipherString" => "AES128-SHA",
	185	extra => {
	186	"RenegotiateCiphers" => "AES256-SHA"
	187	}
	188	},
	189	test => {
	190	"Method" => "DTLS",
	191	"UseSCTP" => $sctp,
	192	"HandshakeMode" => "RenegotiateClient",
	193	"ResumptionExpected" => "No",
	194	"ExpectedResult" => "Success"
	195	}
	196	},
	197	{
	198	name => "renegotiate-aead-to-aead".$suffix,
	199	server => {
	200	"Options" => "NoResumptionOnRenegotiation"
	201	},
	202	client => {
	203	"MaxProtocol" => "DTLSv1.2",
	204	"CipherString" => "AES128-GCM-SHA256",
	205	extra => {
	206	"RenegotiateCiphers" => "AES256-GCM-SHA384"
	207	}
	208	},
	209	test => {
	210	"Method" => "DTLS",
	211	"UseSCTP" => $sctp,
	212	"HandshakeMode" => "RenegotiateClient",
	213	"ResumptionExpected" => "No",
	214	"ExpectedResult" => "Success"
	215	}
	216	},
	217	);
	218	push @tests, @tests_dtls1_2;
	219	}