1 | # -*- mode: perl; -*- |
2 | ||
3 | ## SSL test configurations | |
4 | ||
5 | package ssltests; | |
6 | ||
7 | use strict; | |
8 | use warnings; | |
9 | ||
10 | use OpenSSL::Test; | |
0f5df0f1 | 11 | use OpenSSL::Test::Utils qw(anydisabled disabled); |
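setup("no_test_here");

# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");

# Configure feature that removes each protocol from the build.  Keying this
# by protocol name, instead of keeping a second positional list that has to
# be edited in lockstep with @protocols, means adding or reordering a
# protocol cannot leave @is_disabled out of step: a misaligned pair would
# silently skip an enabled protocol or run the matrix against a disabled one.
my %disabled_feature_of = (
    "SSLv3"    => "ssl3",
    "TLSv1"    => "tls1",
    "TLSv1.1"  => "tls1_1",
    "TLSv1.2"  => "tls1_2",
    "DTLSv1"   => "dtls1",
    "DTLSv1.2" => "dtls1_2",
);

# Fail loudly at load time rather than letting an unmapped protocol fall
# through to anydisabled() with an undef feature name.
foreach my $name (@protocols[1 .. $#protocols]) {
    die "no disable feature known for protocol $name"
        unless exists $disabled_feature_of{$name};
}

# One flag per @protocols entry, in the same order.  Version-flexible
# negotiation (index 0) can never be disabled; the rest come from
# anydisabled(), which in list context yields one flag per feature name,
# in argument order -- the contract generate_tests() relies on when it
# indexes @is_disabled alongside @protocols.
my @is_disabled = (0);
push @is_disabled,
    anydisabled(map { $disabled_feature_of{$_} } @protocols[1 .. $#protocols]);

# Test cases; appended to by generate_tests() below.
our @tests = ();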
21 | ||
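# Append one case to @tests.  When $sctp is true the case is the
# DTLS-over-SCTP variant: its name gets a "-sctp" suffix and the test
# section is marked UseSCTP.  $case is the hashref with server/client/test
# sections; the name is filled in here.
sub _push_test {
    my ($name, $sctp, $case) = @_;
    $case->{name} = $name . ($sctp ? "-sctp" : "");
    $case->{test}{"UseSCTP"} = "Yes" if $sctp;
    push @tests, $case;
    return;
}

# Fill @tests with the client-authentication matrix.  For every enabled
# entry of @protocols (and, for DTLS when the build has SCTP, an SCTP twin
# of each case) six handshakes are generated: server-only auth, a client
# cert requested but not sent, one required but not sent (must fail closed),
# a trusted client chain with and without advertised CA names, and a client
# chain the server has no trust anchor for (must be rejected).
# Both peers are pinned to the same Min/MaxProtocol; an undef protocol
# leaves them unset, i.e. version-flexible negotiation.
sub generate_tests {
    my $root_ca = test_pem("root-cert.pem");
    my %client_cert = (
        "Certificate" => test_pem("ee-client-chain.pem"),
        "PrivateKey"  => test_pem("ee-key.pem"),
    );

    foreach my $i (0 .. $#protocols) {
        # @is_disabled is indexed in step with @protocols.
        next if $is_disabled[$i];

        my $protocol      = $protocols[$i];
        my $protocol_name = $protocol || "flex";
        my %pin = ("MinProtocol" => $protocol, "MaxProtocol" => $protocol);

        # Alert the server is expected to send when it cannot build a
        # trusted chain for the client cert.  SSLv3 predates the UnknownCA
        # alert code, so BadCertificate is expected there instead.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # DTLS needs the DTLS method; the SCTP variant is only generated
        # for DTLS and only when the build has SCTP enabled.
        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Only TLSv1.2 lets the server constrain the client's signature
        # algorithm, so only there do we pin it and check the signature
        # type and hash the client actually used.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            $clihash    = "SHA256";
            $clisigtype = "RSA";
            $clisigalgs = "SHA256+RSA";
        }

        for my $sctp (0 .. $sctpenabled) {
            # Sanity-check simple handshake: only the server authenticates.
            _push_test("server-auth-${protocol_name}", $sctp, {
                server => { %pin },
                client => { %pin },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            });

            # Client cert requested but not required.  The client has no
            # cert configured, so none is received, and the handshake must
            # still succeed.
            _push_test("client-auth-${protocol_name}-request", $sctp, {
                server => {
                    %pin,
                    "VerifyMode" => "Request",
                },
                client => { %pin },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            });

            # Client cert required but not present.  The server must fail
            # closed with handshake_failure rather than carry on with an
            # unauthenticated client.
            _push_test("client-auth-${protocol_name}-require-fail", $sctp, {
                server => {
                    %pin,
                    "VerifyCAFile" => $root_ca,
                    "VerifyMode"   => "Require",
                },
                client => { %pin },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => "HandshakeFailure",
                    "Method"              => $method,
                },
            });

            # Successful handshake with client authentication.  No
            # ClientCAFile is configured, so the server advertises no CA
            # names ("empty") yet still verifies the chain against
            # VerifyCAFile.
            _push_test("client-auth-${protocol_name}-require", $sctp, {
                server => {
                    %pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => $root_ca,
                    "VerifyMode"                => "Request",
                },
                client => {
                    %pin,
                    %client_cert,
                },
                test => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                    "Method"                 => $method,
                },
            });

            # As above, but ClientCAFile makes the server name the root as
            # an acceptable CA, and the client is expected to see it.
            _push_test("client-auth-${protocol_name}-require-non-empty-names", $sctp, {
                server => {
                    %pin,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => $root_ca,
                    "VerifyCAFile"              => $root_ca,
                    "VerifyMode"                => "Request",
                },
                client => {
                    %pin,
                    %client_cert,
                },
                test => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => $root_ca,
                    "Method"                 => $method,
                },
            });

            # Client authentication without a trust anchor: the server has
            # no VerifyCAFile, so a well-formed chain from a CA it does not
            # know must be rejected with the CA alert, not accepted.
            _push_test("client-auth-${protocol_name}-noroot", $sctp, {
                server => {
                    %pin,
                    "VerifyMode" => "Require",
                },
                client => {
                    %pin,
                    %client_cert,
                },
                test => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            });
        }
    }
    return;
}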
# Build the test list at load time: @tests stays empty until this runs.
generate_tests();