Implement Maximum Fragment Length TLS extension.
[thirdparty/openssl.git] / test / ssl-tests / 04-client_auth.conf.in
63936115
EK
1# -*- mode: perl; -*-
2
3## SSL test configurations
4
5package ssltests;
6
7use strict;
8use warnings;
9
10use OpenSSL::Test;
0f5df0f1 11use OpenSSL::Test::Utils qw(anydisabled disabled);
63936115
EK
# Call setup() with the placeholder name "no_test_here" before anything else.
setup("no_test_here");

# Protocol selections to generate cases for. The leading undef stands for
# version-flexible negotiation; every other entry pins a single version.
my @protocols = (
    undef,
    "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
    "DTLSv1", "DTLSv1.2",
);

# Index-aligned with @protocols: a true entry means generate_tests() emits
# nothing for that protocol. The flexible entry (index 0) is never disabled;
# the remaining flags come from anydisabled() in list context, in the same
# order as the named versions above.
my @is_disabled = (
    0,
    anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"),
);

# Test descriptions, filled in by generate_tests().
our @tests = ();
21
# Fill @tests with the client-authentication matrix.
#
# For every entry of @protocols that is not flagged in @is_disabled, six
# handshake descriptions are appended: plain server authentication, client
# certificate requested but absent, required but absent, two successful
# client-authenticated handshakes (without and with ClientCAFile), and a
# client certificate presented to a server that has no VerifyCAFile.
# DTLS entries are generated a second time with "UseSCTP" => "Yes" when
# disabled("sctp") is false. test_pem() is not defined in this file and is
# expected to be provided by whatever loads it.
sub generate_tests() {
    for my $idx (0 .. $#protocols) {
        # Nothing is generated for a protocol flagged as disabled.
        next if $is_disabled[$idx];

        my $protocol      = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # Alert the server is expected to send when the client chain cannot
        # be verified: SSLv3 is expected to report BadCertificate, all other
        # selections UnknownCA.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate"
                                                : "UnknownCA";

        # DTLS selections set the "Method" key, and get an extra SCTP pass
        # when sctp is not disabled. disabled() is only consulted for DTLS.
        my $is_dtls     = $protocol_name =~ m/^DTLS/;
        my $method      = $is_dtls ? "DTLS" : undef;
        my $sctpenabled = ($is_dtls && !disabled("sctp")) ? 1 : 0;

        # Expected client signature details are pinned for TLSv1.2 only;
        # for every other selection the three values stay undef.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs)
                = ("SHA256", "RSA", "SHA256+RSA");
        }

        for my $sctp (0 .. $sctpenabled) {
            my $suffix = $sctp ? "-sctp" : "";

            # Both peers are pinned to the same protocol selection.
            my %version_pin = (
                "MinProtocol" => $protocol,
                "MaxProtocol" => $protocol,
            );

            # Append one case, marking it as SCTP on the second pass.
            my $add_case = sub {
                my ($case) = @_;
                $case->{"test"}{"UseSCTP"} = "Yes" if $sctp;
                push @tests, $case;
                return;
            };

            # Sanity-check simple handshake.
            $add_case->({
                name   => "server-auth-${protocol_name}" . $suffix,
                server => { %version_pin },
                client => { %version_pin },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            });

            # Handshake with client cert requested but not required or
            # received: the handshake is still expected to succeed.
            $add_case->({
                name   => "client-auth-${protocol_name}-request" . $suffix,
                server => {
                    %version_pin,
                    "VerifyMode" => "Request",
                },
                client => { %version_pin },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            });

            # Handshake with client cert required but not present: the
            # server is expected to fail with a HandshakeFailure alert.
            $add_case->({
                name   => "client-auth-${protocol_name}-require-fail"
                          . $suffix,
                server => {
                    %version_pin,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode"   => "Require",
                },
                client => { %version_pin },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => "HandshakeFailure",
                    "Method"              => $method,
                },
            });

            # Successful handshake with client authentication.
            # NOTE(review): despite the "-require" name, the server here is
            # configured with VerifyMode "Request"; the handshake succeeds
            # because the client presents a certificate. Confirm whether
            # "Require" was intended before treating this case as coverage
            # for mandatory client authentication.
            $add_case->({
                name   => "client-auth-${protocol_name}-require" . $suffix,
                server => {
                    %version_pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode"   => "Request",
                },
                client => {
                    %version_pin,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey"  => test_pem("ee-key.pem"),
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                    "Method"                 => $method,
                },
            });

            # Successful handshake with client authentication non-empty
            # names: same as the previous case plus a ClientCAFile, and the
            # expected CA names are those of root-cert.pem. The same
            # NOTE(review) applies: VerifyMode is "Request", not "Require".
            $add_case->({
                name   => "client-auth-${protocol_name}-require-non-empty-names"
                          . $suffix,
                server => {
                    %version_pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile" => test_pem("root-cert.pem"),
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode"   => "Request",
                },
                client => {
                    %version_pin,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey"  => test_pem("ee-key.pem"),
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => test_pem("root-cert.pem"),
                    "Method"                 => $method,
                },
            });

            # Handshake with client authentication but without the root
            # certificate: the server requires a client certificate, this
            # entry gives it no VerifyCAFile, and the expected outcome is a
            # server-side failure carrying the $caalert alert.
            $add_case->({
                name   => "client-auth-${protocol_name}-noroot" . $suffix,
                server => {
                    %version_pin,
                    "VerifyMode" => "Require",
                },
                client => {
                    %version_pin,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey"  => test_pem("ee-key.pem"),
                },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            });
        }
    }
}

# Populate @tests when this file is evaluated.
generate_tests();