3 ## SSL test configurations
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
# Build the protocol list and the matching per-protocol "disabled" flags that
# generate_tests() walks by index.
12 setup("no_test_here");
# @is_disabled is read in parallel with @protocols: generate_tests() emits
# tests for $protocols[$i] only when $is_disabled[$i] is false. Slot 0 pairs
# with the version-flexible entry (undef) and is never marked disabled.
17 my @is_disabled = (0);
# One flag per named feature, appended in the same order as the versioned
# entries of the seven-element @protocols list below.
# NOTE(review): relies on anydisabled() returning a per-feature list in list
# context — confirm against OpenSSL::Test::Utils.
18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
20 # We test version-flexible negotiation (undef) and each protocol version.
# NOTE(review): the lines between the two assignments below are not visible in
# this listing; they look like alternative branches. The three-element list
# does not line up with the seven flags built above (index 1, "TLSv1.2", would
# be gated on the "ssl3" flag), so tests for a disabled protocol could still be
# emitted, or an enabled one skipped — confirm the flags are rebuilt for that
# branch.
22 @protocols = (undef, "TLSv1.2", "DTLSv1.2");
24 @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
29 sub generate_tests() {
30 foreach (0..$#protocols) {
31 my $protocol = $protocols[$_];
32 my $protocol_name = $protocol || "flex";
36 if (!$is_disabled[$_]) {
37 if ($protocol_name eq "SSLv3") {
38 $caalert = "BadCertificate";
40 $caalert = "UnknownCA";
42 if ($protocol_name =~ m/^DTLS/) {
44 $sctpenabled = 1 if !disabled("sctp");
49 # TODO(TLS1.3) add TLSv1.3 versions
50 if ($protocol_name eq "TLSv1.2") {
53 $clisigalgs = "SHA256+RSA";
55 for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
56 # Sanity-check simple handshake.
58 name => "server-auth-${protocol_name}"
59 .($sctp ? "-sctp" : ""),
61 "MinProtocol" => $protocol,
62 "MaxProtocol" => $protocol
65 "MinProtocol" => $protocol,
66 "MaxProtocol" => $protocol
69 "ExpectedResult" => "Success",
73 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
75 # Handshake with client cert requested but not required or received.
77 name => "client-auth-${protocol_name}-request"
78 .($sctp ? "-sctp" : ""),
80 "MinProtocol" => $protocol,
81 "MaxProtocol" => $protocol,
82 "VerifyMode" => "Request"
85 "MinProtocol" => $protocol,
86 "MaxProtocol" => $protocol
89 "ExpectedResult" => "Success",
93 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
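95 # Handshake with client cert required but not present.
# The expected server alert is CertificateRequired when version-flexible
# negotiation is used and TLS 1.3 is enabled, and HandshakeFailure otherwise.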
97 name => "client-auth-${protocol_name}-require-fail"
98 .($sctp ? "-sctp" : ""),
100 "MinProtocol" => $protocol,
101 "MaxProtocol" => $protocol,
102 "VerifyCAFile" => test_pem("root-cert.pem"),
103 "VerifyMode" => "Require",
106 "MinProtocol" => $protocol,
107 "MaxProtocol" => $protocol
110 "ExpectedResult" => "ServerFail",
111 "ExpectedServerAlert" =>
112 ($protocol_name eq "flex" && !disabled("tls1_3"))
113 ? "CertificateRequired" : "HandshakeFailure",
117 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
119 # Successful handshake with client authentication.
121 name => "client-auth-${protocol_name}-require"
122 .($sctp ? "-sctp" : ""),
124 "MinProtocol" => $protocol,
125 "MaxProtocol" => $protocol,
126 "ClientSignatureAlgorithms" => $clisigalgs,
127 "VerifyCAFile" => test_pem("root-cert.pem"),
128 "VerifyMode" => "Request",
131 "MinProtocol" => $protocol,
132 "MaxProtocol" => $protocol,
133 "Certificate" => test_pem("ee-client-chain.pem"),
134 "PrivateKey" => test_pem("ee-key.pem"),
137 "ExpectedResult" => "Success",
138 "ExpectedClientCertType" => "RSA",
139 "ExpectedClientSignType" => $clisigtype,
140 "ExpectedClientSignHash" => $clihash,
141 "ExpectedClientCANames" => "empty",
145 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
147 # Successful handshake with client authentication and a non-empty list of CA names.
149 name => "client-auth-${protocol_name}-require-non-empty-names"
150 .($sctp ? "-sctp" : ""),
152 "MinProtocol" => $protocol,
153 "MaxProtocol" => $protocol,
154 "ClientSignatureAlgorithms" => $clisigalgs,
155 "ClientCAFile" => test_pem("root-cert.pem"),
156 "VerifyCAFile" => test_pem("root-cert.pem"),
157 "VerifyMode" => "Request",
160 "MinProtocol" => $protocol,
161 "MaxProtocol" => $protocol,
162 "Certificate" => test_pem("ee-client-chain.pem"),
163 "PrivateKey" => test_pem("ee-key.pem"),
166 "ExpectedResult" => "Success",
167 "ExpectedClientCertType" => "RSA",
168 "ExpectedClientSignType" => $clisigtype,
169 "ExpectedClientSignHash" => $clihash,
170 "ExpectedClientCANames" => test_pem("root-cert.pem"),
174 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
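176 # Handshake with client authentication but without the root certificate:
# the server requires a client cert but is given no VerifyCAFile, so it is
# expected to fail the handshake with the $caalert alert.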
178 name => "client-auth-${protocol_name}-noroot"
179 .($sctp ? "-sctp" : ""),
181 "MinProtocol" => $protocol,
182 "MaxProtocol" => $protocol,
183 "VerifyMode" => "Require",
186 "MinProtocol" => $protocol,
187 "MaxProtocol" => $protocol,
188 "Certificate" => test_pem("ee-client-chain.pem"),
189 "PrivateKey" => test_pem("ee-key.pem"),
192 "ExpectedResult" => "ServerFail",
193 "ExpectedServerAlert" => $caalert,
197 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;