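# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);

setup("no_test_here");

# Nothing in this file assigns $fips_mode; it is only read below, so it is
# presumably set in the ssltests package by the script that evaluates this
# file -- confirm against the caller.
our $fips_mode;

# @protocols lists the protocol versions to generate tests for (undef means
# version-flexible negotiation).  @is_disabled is PARALLEL to @protocols and
# records, per index, whether the build has that version compiled out, so the
# two arrays must be filled together: each branch pushes flags for exactly the
# versions it lists.  Filling @is_disabled once with all six names (as the
# code previously did) left its indices misaligned with the shorter FIPS list,
# so the wrong versions were skipped or run in FIPS mode.  This relies on
# anydisabled() returning one flag per name given.
my @protocols;
my @is_disabled = (0);    # index 0 is the flexible case, never disabled

# We test version-flexible negotiation (undef) and each protocol version.
if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
} else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

# Filled in by generate_tests() below; one hash per generated test case.
our @tests = ();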
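# Append one test record to @tests.  When $sctp is true, the record's name
# gets the "-sctp" suffix and its test section gets "UseSCTP" => "Yes";
# otherwise the record is stored exactly as given.
sub _push_test {
    my ($sctp, %record) = @_;
    if ($sctp) {
        $record{name} .= "-sctp";
        $record{test}{"UseSCTP"} = "Yes";
    }
    push @tests, \%record;
    return;
}

# Populate @tests with the server-auth and client-auth handshake cases for
# every enabled entry of @protocols (undef = version-flexible, named "flex").
# Takes no arguments and returns nothing; its only effect is appending to
# @tests.  For DTLS versions each case is generated twice when SCTP is
# compiled in: once over plain transport and once with UseSCTP.
sub generate_tests() {
    for my $i (0 .. $#protocols) {
        # @is_disabled is parallel to @protocols: skip versions the build has
        # compiled out.
        next if $is_disabled[$i];

        my $protocol = $protocols[$i];
        my $protocol_name = $protocol || "flex";

        # The alert expected when the server cannot verify the client chain
        # differs for SSLv3.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # Method is only set for DTLS; other records carry undef here, as the
        # original records did (presumably dropped by the config writer --
        # confirm).  SCTP is exercised only for DTLS and only when built in.
        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Expected client signature details are pinned only for TLSv1.2; for
        # the other versions they stay undef.
        my $clihash;
        my $clisigtype;
        my $clisigalgs;
        # TODO(TLS1.3) add TLSv1.3 versions
        if ($protocol_name eq "TLSv1.2") {
            $clihash = "SHA256";
            $clisigtype = "RSA";
            $clisigalgs = "SHA256+RSA";
        }

        # Every record pins both peers to exactly this protocol version.
        my %pin = ("MinProtocol" => $protocol, "MaxProtocol" => $protocol);

        # 0 = plain transport; 1 = SCTP, generated only when $sctpenabled.
        for my $sctp (0 .. $sctpenabled) {
            # Sanity-check simple handshake.
            _push_test($sctp,
                name => "server-auth-${protocol_name}",
                server => { %pin },
                client => { %pin },
                test => {
                    "ExpectedResult" => "Success",
                    "Method" => $method,
                },
            );

            # Handshake with client cert requested but not required or received.
            _push_test($sctp,
                name => "client-auth-${protocol_name}-request",
                server => {
                    %pin,
                    "VerifyMode" => "Request",
                },
                client => { %pin },
                test => {
                    "ExpectedResult" => "Success",
                    "Method" => $method,
                },
            );

            # Handshake with client cert required but not present.  The
            # flexible case negotiates TLSv1.3 when available, which reports
            # the missing certificate with a different alert.
            _push_test($sctp,
                name => "client-auth-${protocol_name}-require-fail",
                server => {
                    %pin,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Require",
                },
                client => { %pin },
                test => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" =>
                        ($protocol_name eq "flex" && !disabled("tls1_3"))
                        ? "CertificateRequired" : "HandshakeFailure",
                    "Method" => $method,
                },
            );

            # Successful handshake with client authentication.
            _push_test($sctp,
                name => "client-auth-${protocol_name}-require",
                server => {
                    %pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Request",
                },
                client => {
                    %pin,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey" => test_pem("ee-key.pem"),
                },
                test => {
                    "ExpectedResult" => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames" => "empty",
                    "Method" => $method,
                },
            );

            # Successful handshake with client authentication, non-empty
            # CA names sent in the request.
            _push_test($sctp,
                name => "client-auth-${protocol_name}-require-non-empty-names",
                server => {
                    %pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile" => test_pem("root-cert.pem"),
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Request",
                },
                client => {
                    %pin,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey" => test_pem("ee-key.pem"),
                },
                test => {
                    "ExpectedResult" => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames" => test_pem("root-cert.pem"),
                    "Method" => $method,
                },
            );

            # Handshake with client authentication but without the root
            # certificate: the server must reject the chain.
            _push_test($sctp,
                name => "client-auth-${protocol_name}-noroot",
                server => {
                    %pin,
                    "VerifyMode" => "Require",
                },
                client => {
                    %pin,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey" => test_pem("ee-key.pem"),
                },
                test => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method" => $method,
                },
            );
        }
    }
}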
# Build @tests at load time.  Nothing in this file reads the result itself;
# presumably the script that evaluates this file picks up @ssltests::tests --
# confirm against the caller.
generate_tests();