# -*- mode: perl; -*-

## SSL test configurations
##
## Client-authentication handshakes: the server requests or requires a
## client certificate and the test pins the expected outcome (success,
## or the alert the server must send when the client chain is missing
## or cannot be anchored).

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# Version-flexible negotiation (undef) plus every fixed protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");

# Parallel to @protocols: the flexible entry is never disabled, the
# remaining entries follow the build-time feature flags in the same order.
my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");

# Filled by generate_tests(); read by the ssl-tests generator.
our @tests = ();

# Min/Max version pinning shared by every server and client section.
# Returns a key/value list; $protocol may be undef (flexible negotiation).
sub _pin_version {
    my ($protocol) = @_;
    return (
        "MinProtocol" => $protocol,
        "MaxProtocol" => $protocol,
    );
}

# Append one test description to @tests.  With $sctp set the name gets a
# "-sctp" suffix and the test section is told to use SCTP.
sub _add_test {
    my ($sctp, %spec) = @_;
    if ($sctp) {
        $spec{name} .= "-sctp";
        $spec{test}{"UseSCTP"} = "Yes";
    }
    push @tests, \%spec;
    return;
}

# Build the six client-auth scenarios for every enabled protocol version
# (and, for DTLS with SCTP compiled in, a second copy of each over SCTP).
sub generate_tests() {
    for my $idx (0 .. $#protocols) {
        next if $is_disabled[$idx];

        my $protocol = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # Alert expected when the server rejects a chain it cannot anchor:
        # SSLv3 reports BadCertificate, every later version UnknownCA.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # Alert expected when a required client certificate is missing:
        # only TLS 1.3 (reachable through flexible negotiation when it is
        # built in) has a dedicated CertificateRequired alert.
        my $requirefail_alert =
            ($protocol_name eq "flex" && !disabled("tls1_3"))
            ? "CertificateRequired" : "HandshakeFailure";

        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 unless disabled("sctp");
        }

        # Client signature expectations are only pinned for TLSv1.2; the
        # other versions leave them undefined.
        # TODO(TLS1.3) add TLSv1.3 versions
        my %sig = $protocol_name eq "TLSv1.2"
            ? (hash => "SHA256", type => "RSA", algs => "SHA256+RSA")
            : ();

        # Client credentials used by the scenarios that present a chain.
        my %client_cert = (
            "Certificate" => test_pem("ee-client-chain.pem"),
            "PrivateKey"  => test_pem("ee-key.pem"),
        );

        for my $sctp (0 .. $sctpenabled) {
            # Sanity-check simple handshake.
            _add_test($sctp,
                name   => "server-auth-${protocol_name}",
                server => { _pin_version($protocol) },
                client => { _pin_version($protocol) },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            );

            # Handshake with client cert requested but not required or received.
            _add_test($sctp,
                name   => "client-auth-${protocol_name}-request",
                server => {
                    _pin_version($protocol),
                    "VerifyMode" => "Request",
                },
                client => { _pin_version($protocol) },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            );

            # Handshake with client cert required but not present: the
            # server must refuse to continue.
            _add_test($sctp,
                name   => "client-auth-${protocol_name}-require-fail",
                server => {
                    _pin_version($protocol),
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode"   => "Require",
                },
                client => { _pin_version($protocol) },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $requirefail_alert,
                    "Method"              => $method,
                },
            );

            # Successful handshake with client authentication; the server
            # advertises no CA names.
            _add_test($sctp,
                name   => "client-auth-${protocol_name}-require",
                server => {
                    _pin_version($protocol),
                    "ClientSignatureAlgorithms" => $sig{algs},
                    "VerifyCAFile"              => test_pem("root-cert.pem"),
                    "VerifyMode"                => "Request",
                },
                client => {
                    _pin_version($protocol),
                    %client_cert,
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $sig{type},
                    "ExpectedClientSignHash" => $sig{hash},
                    "ExpectedClientCANames"  => "empty",
                    "Method"                 => $method,
                },
            );

            # Successful handshake with client authentication; the server
            # advertises the root as an acceptable CA name.
            _add_test($sctp,
                name   => "client-auth-${protocol_name}-require-non-empty-names",
                server => {
                    _pin_version($protocol),
                    "ClientSignatureAlgorithms" => $sig{algs},
                    "ClientCAFile"              => test_pem("root-cert.pem"),
                    "VerifyCAFile"              => test_pem("root-cert.pem"),
                    "VerifyMode"                => "Request",
                },
                client => {
                    _pin_version($protocol),
                    %client_cert,
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $sig{type},
                    "ExpectedClientSignHash" => $sig{hash},
                    "ExpectedClientCANames"  => test_pem("root-cert.pem"),
                    "Method"                 => $method,
                },
            );

            # Client presents a chain but the server has no VerifyCAFile,
            # so the chain cannot be anchored and must be rejected.
            _add_test($sctp,
                name   => "client-auth-${protocol_name}-noroot",
                server => {
                    _pin_version($protocol),
                    "VerifyMode" => "Require",
                },
                client => {
                    _pin_version($protocol),
                    %client_cert,
                },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            );
        }
    }
}

generate_tests();