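# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);

setup("no_test_here");

# Expected to be set by the script that loads this file (not visible here).
# When true only the protocol versions permitted in FIPS mode are exercised.
our $fips_mode;

# Protocol versions to exercise. undef means version-flexible negotiation
# (no Min/MaxProtocol pinning); every other entry pins both peers to that
# single version.
#
# @is_disabled MUST stay index-aligned with @protocols: entry 0 (the flexible
# case) is never disabled, and each following entry is the "disabled" flag of
# the build option for the protocol at the same index. The flags are therefore
# built inside the same branch that picks the version list. Building them from
# the full seven-entry list in both modes would apply the ssl3/tls1 flags to
# the TLSv1.2/DTLSv1.2 entries of the FIPS list and silently drop the client
# authentication coverage for exactly the versions FIPS builds care about.
my @protocols;
my @is_disabled = (0);

if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
} else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

# Populated by generate_tests() below; a package variable so the loading
# script can read the generated test list.
our @tests = ();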
# Fill @tests with the client-authentication matrix.
#
# For every enabled entry of @protocols (undef = version-flexible, otherwise
# both peers are pinned to that one version) six handshakes are generated;
# for DTLS on builds with SCTP support each of them is generated a second
# time over SCTP (suffix "-sctp"):
#
#   server-auth-*                   server-only authentication, sanity check
#   client-auth-*-request           client cert asked for but not required;
#                                   none is sent; handshake succeeds
#   client-auth-*-require-fail      client cert required; none is sent;
#                                   server must abort
#   client-auth-*-require           cert supplied and chained to root-cert;
#                                   server advertises no CA names
#   client-auth-*-require-non-empty-names
#                                   as above, server advertises root-cert
#   client-auth-*-noroot            cert supplied, server has no trust
#                                   anchor; server must abort
#
# Expected alerts are version dependent: SSLv3 predates the unknown_ca alert,
# so an unverifiable chain is reported as bad_certificate there, and a
# version-flexible handshake that lands on TLS 1.3 reports a missing
# required client certificate with certificate_required.
sub generate_tests() {
    for my $idx (0 .. $#protocols) {
        # @is_disabled is index-aligned with @protocols; a disabled version
        # contributes no tests at all.
        next if $is_disabled[$idx];

        my $protocol = $protocols[$idx];
        my $protocol_name = $protocol || "flex";
        my $is_dtls = ($protocol_name =~ m/^DTLS/) ? 1 : 0;

        # "Method" is only set for DTLS; TLS relies on the harness default.
        my $method = $is_dtls ? "DTLS" : undef;
        # SCTP is an extra transport for DTLS only, and only when built in.
        my $sctp_max = ($is_dtls && !disabled("sctp")) ? 1 : 0;

        # Alert for a client chain the server has no trust anchor for.
        my $no_anchor_alert =
            $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # Alert for a required client certificate that was never sent.
        my $missing_cert_alert =
            ($protocol_name eq "flex" && !disabled("tls1_3"))
                ? "CertificateRequired" : "HandshakeFailure";

        # Client signature expectations are pinned only for TLS 1.2, where
        # the server restricts the client to SHA256+RSA.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs) = ("SHA256", "RSA", "SHA256+RSA");
        }

        # Both peers are pinned to the same single version (undef = flex).
        my %pin = ("MinProtocol" => $protocol, "MaxProtocol" => $protocol);
        my $root = test_pem("root-cert.pem");
        my %client_cert = (
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey" => test_pem("ee-key.pem"),
        );

        for my $sctp (0 .. $sctp_max) {
            my $tag = $sctp ? "-sctp" : "";
            my %base_test = ("Method" => $method);
            $base_test{"UseSCTP"} = "Yes" if $sctp;

            # Append one test case, merging the per-protocol defaults into
            # the supplied server/client/test sections.
            my $add = sub {
                my ($name, $server, $client, $test) = @_;
                push @tests, {
                    name => "${name}${tag}",
                    server => { %pin, %{$server} },
                    client => { %pin, %{$client} },
                    test => { %base_test, %{$test} },
                };
            };

            # Sanity-check: server-only authentication.
            $add->("server-auth-${protocol_name}", {}, {},
                   { "ExpectedResult" => "Success" });

            # Client cert requested but not required; none is sent. "Request"
            # alone never fails a handshake, so a server that needs a client
            # cert must use "Require" (or check for a peer cert afterwards).
            $add->("client-auth-${protocol_name}-request",
                   { "VerifyMode" => "Request" }, {},
                   { "ExpectedResult" => "Success" });

            # Client cert required but none is sent: the server must abort.
            $add->("client-auth-${protocol_name}-require-fail",
                   { "VerifyCAFile" => $root, "VerifyMode" => "Require" }, {},
                   { "ExpectedResult" => "ServerFail",
                     "ExpectedServerAlert" => $missing_cert_alert });

            # Client cert supplied and verifiable; without ClientCAFile the
            # server advertises an empty CA name list.
            $add->("client-auth-${protocol_name}-require",
                   { "ClientSignatureAlgorithms" => $clisigalgs,
                     "VerifyCAFile" => $root,
                     "VerifyMode" => "Request" },
                   \%client_cert,
                   { "ExpectedResult" => "Success",
                     "ExpectedClientCertType" => "RSA",
                     "ExpectedClientSignType" => $clisigtype,
                     "ExpectedClientSignHash" => $clihash,
                     "ExpectedClientCANames" => "empty" });

            # As above, but the server advertises root-cert as acceptable CA.
            $add->("client-auth-${protocol_name}-require-non-empty-names",
                   { "ClientSignatureAlgorithms" => $clisigalgs,
                     "ClientCAFile" => $root,
                     "VerifyCAFile" => $root,
                     "VerifyMode" => "Request" },
                   \%client_cert,
                   { "ExpectedResult" => "Success",
                     "ExpectedClientCertType" => "RSA",
                     "ExpectedClientSignType" => $clisigtype,
                     "ExpectedClientSignHash" => $clihash,
                     "ExpectedClientCANames" => $root });

            # Client cert supplied but the server has no trust anchor: the
            # chain must be rejected, not silently accepted.
            $add->("client-auth-${protocol_name}-noroot",
                   { "VerifyMode" => "Require" },
                   \%client_cert,
                   { "ExpectedResult" => "ServerFail",
                     "ExpectedServerAlert" => $no_anchor_alert });
        }
    }
}

# Build the test list at load time so @tests is populated when the loading
# script reads it.
generate_tests();