From: Emilia Kasper Date: Tue, 14 Mar 2017 13:56:22 +0000 (+0100) Subject: Port remaining old DTLS tests X-Git-Tag: OpenSSL_1_1_1-pre1~2051 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49619ab008a651e49e7524c73ba6fb4b3c96f67f;p=thirdparty%2Fopenssl.git Port remaining old DTLS tests We already test DTLS protocol versions. For good measure, add some DTLS tests with client auth to the new test framework, so that we can remove the old tests without losing coverage. Reviewed-by: Richard Levitte --- diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 903dc91c529..50057948b7a 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -55,7 +55,7 @@ my $no_ocsp = disabled("ocsp"); # expectations dynamically based on the OpenSSL compile-time config. my %conf_dependent_tests = ( "02-protocol-version.conf" => !$is_default_tls, - "04-client_auth.conf" => !$is_default_tls, + "04-client_auth.conf" => !$is_default_tls || !$is_default_dtls, "05-sni.conf" => disabled("tls1_1"), "07-dtls-protocol-version.conf" => !$is_default_dtls, "10-resumption.conf" => !$is_default_tls, diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 05cc7946934..5342ede7bd7 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -331,7 +331,7 @@ sub testssl { subtest 'standard SSL tests' => sub { ###################################################################### - plan tests => 21; + plan tests => 13; SKIP: { skip "SSLv3 is not supported by this OpenSSL build", 4 @@ -355,34 +355,6 @@ sub testssl { 'test sslv2/sslv3 via BIO pair'); } - SKIP: { - skip "DTLSv1 is not supported by this OpenSSL build", 4 - if disabled("dtls1"); - - ok(run(test([@ssltest, "-dtls1"])), - 'test dtlsv1'); - ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])), - 'test dtlsv1 with server authentication'); - ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])), - 'test dtlsv1 with client authentication'); - ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])), - 'test dtlsv1 with both server and client authentication'); - } - - SKIP: { - skip "DTLSv1.2 is not supported by this OpenSSL build", 4 - if disabled("dtls1_2"); - - ok(run(test([@ssltest, "-dtls12"])), - 'test dtlsv1.2'); - ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])), - 'test dtlsv1.2 with server authentication'); - ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])), - 'test dtlsv1.2 with client authentication'); - ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])), - 'test dtlsv1.2 with both server and client authentication'); - } - SKIP: { skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 if $no_anytls; diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf index 96024884d99..ef65d717640 100644 --- a/test/ssl-tests/04-client_auth.conf +++ b/test/ssl-tests/04-client_auth.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 20 +num_tests = 30 test-0 = 0-server-auth-flex test-1 = 1-client-auth-flex-request @@ -22,6 +22,16 @@ test-16 = 16-client-auth-TLSv1.2-request test-17 = 17-client-auth-TLSv1.2-require-fail test-18 = 18-client-auth-TLSv1.2-require test-19 = 19-client-auth-TLSv1.2-noroot +test-20 = 20-server-auth-DTLSv1 +test-21 = 21-client-auth-DTLSv1-request +test-22 = 22-client-auth-DTLSv1-require-fail +test-23 = 23-client-auth-DTLSv1-require +test-24 = 24-client-auth-DTLSv1-noroot +test-25 = 25-server-auth-DTLSv1.2 +test-26 = 26-client-auth-DTLSv1.2-request +test-27 = 27-client-auth-DTLSv1.2-require-fail +test-28 = 28-client-auth-DTLSv1.2-require +test-29 = 29-client-auth-DTLSv1.2-noroot # =========================================================== [0-server-auth-flex] @@ -597,3 +607,309 @@ ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA +# =========================================================== + +[20-server-auth-DTLSv1] +ssl_conf = 20-server-auth-DTLSv1-ssl + +[20-server-auth-DTLSv1-ssl] +server = 20-server-auth-DTLSv1-server +client = 20-server-auth-DTLSv1-client + +[20-server-auth-DTLSv1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[20-server-auth-DTLSv1-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-20] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[21-client-auth-DTLSv1-request] +ssl_conf = 21-client-auth-DTLSv1-request-ssl + +[21-client-auth-DTLSv1-request-ssl] +server = 21-client-auth-DTLSv1-request-server +client = 21-client-auth-DTLSv1-request-client + +[21-client-auth-DTLSv1-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[21-client-auth-DTLSv1-request-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-21] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[22-client-auth-DTLSv1-require-fail] +ssl_conf = 22-client-auth-DTLSv1-require-fail-ssl + +[22-client-auth-DTLSv1-require-fail-ssl] +server = 22-client-auth-DTLSv1-require-fail-server +client = 22-client-auth-DTLSv1-require-fail-client + +[22-client-auth-DTLSv1-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[22-client-auth-DTLSv1-require-fail-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-22] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure +Method = DTLS + + +# =========================================================== + +[23-client-auth-DTLSv1-require] +ssl_conf = 23-client-auth-DTLSv1-require-ssl + +[23-client-auth-DTLSv1-require-ssl] +server = 23-client-auth-DTLSv1-require-server +client = 23-client-auth-DTLSv1-require-client + +[23-client-auth-DTLSv1-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[23-client-auth-DTLSv1-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-23] +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[24-client-auth-DTLSv1-noroot] +ssl_conf = 24-client-auth-DTLSv1-noroot-ssl + +[24-client-auth-DTLSv1-noroot-ssl] +server = 24-client-auth-DTLSv1-noroot-server +client = 24-client-auth-DTLSv1-noroot-client + +[24-client-auth-DTLSv1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[24-client-auth-DTLSv1-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-24] +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA +Method = DTLS + + +# =========================================================== + +[25-server-auth-DTLSv1.2] +ssl_conf = 25-server-auth-DTLSv1.2-ssl + +[25-server-auth-DTLSv1.2-ssl] +server = 25-server-auth-DTLSv1.2-server +client = 25-server-auth-DTLSv1.2-client + +[25-server-auth-DTLSv1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[25-server-auth-DTLSv1.2-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-25] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[26-client-auth-DTLSv1.2-request] +ssl_conf = 26-client-auth-DTLSv1.2-request-ssl + +[26-client-auth-DTLSv1.2-request-ssl] +server = 26-client-auth-DTLSv1.2-request-server +client = 26-client-auth-DTLSv1.2-request-client + +[26-client-auth-DTLSv1.2-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[26-client-auth-DTLSv1.2-request-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-26] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[27-client-auth-DTLSv1.2-require-fail] +ssl_conf = 27-client-auth-DTLSv1.2-require-fail-ssl + +[27-client-auth-DTLSv1.2-require-fail-ssl] +server = 27-client-auth-DTLSv1.2-require-fail-server +client = 27-client-auth-DTLSv1.2-require-fail-client + +[27-client-auth-DTLSv1.2-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[27-client-auth-DTLSv1.2-require-fail-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-27] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure +Method = DTLS + + +# =========================================================== + +[28-client-auth-DTLSv1.2-require] +ssl_conf = 28-client-auth-DTLSv1.2-require-ssl + +[28-client-auth-DTLSv1.2-require-ssl] +server = 28-client-auth-DTLSv1.2-require-server +client = 28-client-auth-DTLSv1.2-require-client + +[28-client-auth-DTLSv1.2-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[28-client-auth-DTLSv1.2-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-28] +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[29-client-auth-DTLSv1.2-noroot] +ssl_conf = 29-client-auth-DTLSv1.2-noroot-ssl + +[29-client-auth-DTLSv1.2-noroot-ssl] +server = 29-client-auth-DTLSv1.2-noroot-server +client = 29-client-auth-DTLSv1.2-noroot-client + +[29-client-auth-DTLSv1.2-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[29-client-auth-DTLSv1.2-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-29] +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA +Method = DTLS + + diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in index 8b92836e69d..abe6ad43e41 100644 --- a/test/ssl-tests/04-client_auth.conf.in +++ b/test/ssl-tests/04-client_auth.conf.in @@ -12,25 +12,28 @@ use OpenSSL::Test::Utils qw(anydisabled); setup("no_test_here"); # We test version-flexible negotiation (undef) and each protocol version. -my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); +my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2"); my @is_disabled = (0); -push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"); +push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"); our @tests = (); sub generate_tests() { - foreach (0..$#protocols) { my $protocol = $protocols[$_]; my $protocol_name = $protocol || "flex"; my $caalert; + my $method; if (!$is_disabled[$_]) { if ($protocol_name eq "SSLv3") { $caalert = "BadCertificate"; } else { $caalert = "UnknownCA"; } + if ($protocol_name =~ m/^DTLS/) { + $method = "DTLS"; + } my $clihash; my $clisigtype; my $clisigalgs; @@ -51,7 +54,10 @@ sub generate_tests() { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, - test => { "ExpectedResult" => "Success" }, + test => { + "ExpectedResult" => "Success", + "Method" => $method, + }, }; # Handshake with client cert requested but not required or received. @@ -66,7 +72,10 @@ sub generate_tests() { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, - test => { "ExpectedResult" => "Success" }, + test => { + "ExpectedResult" => "Success", + "Method" => $method, + }, }; # Handshake with client cert required but not present. @@ -85,6 +94,7 @@ sub generate_tests() { test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => "HandshakeFailure", + "Method" => $method, }, }; @@ -104,10 +114,12 @@ sub generate_tests() { "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), }, - test => { "ExpectedResult" => "Success", - "ExpectedClientCertType" => "RSA", - "ExpectedClientSignType" => $clisigtype, - "ExpectedClientSignHash" => $clihash, + test => { + "ExpectedResult" => "Success", + "ExpectedClientCertType" => "RSA", + "ExpectedClientSignType" => $clisigtype, + "ExpectedClientSignHash" => $clihash, + "Method" => $method, }, }; @@ -128,10 +140,11 @@ sub generate_tests() { test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => $caalert, + "Method" => $method, }, }; } } } - + generate_tests();