1# -*- mode: perl; -*- 2 3## SSL test configurations 4 5package ssltests; 6 7use strict; 8use warnings; 9 10use OpenSSL::Test; 11use OpenSSL::Test::Utils qw(anydisabled disabled); 12setup("no_test_here"); 13 14our $fips_mode; 15 16my @protocols; 17my @is_disabled = (0); 18 19# We test version-flexible negotiation (undef) and each protocol version. 20if ($fips_mode) { 21 @protocols = (undef, "TLSv1.2", "DTLSv1.2"); 22 push @is_disabled, anydisabled("tls1_2", "dtls1_2"); 23} else { 24 @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2"); 25 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"); 26} 27 28our @tests = (); 29 30sub generate_tests() { 31 foreach (0..$#protocols) { 32 my $protocol = $protocols[$_]; 33 my $protocol_name = $protocol || "flex"; 34 my $caalert; 35 my $method; 36 my $sctpenabled = 0; 37 if (!$is_disabled[$_]) { 38 if ($protocol_name eq "SSLv3") { 39 $caalert = "BadCertificate"; 40 } else { 41 $caalert = "UnknownCA"; 42 } 43 if ($protocol_name =~ m/^DTLS/) { 44 $method = "DTLS"; 45 $sctpenabled = 1 if !disabled("sctp"); 46 } 47 my $clihash; 48 my $clisigtype; 49 my $clisigalgs; 50 # TODO(TLS1.3) add TLSv1.3 versions 51 if ($protocol_name eq "TLSv1.2") { 52 $clihash = "SHA256"; 53 $clisigtype = "RSA"; 54 $clisigalgs = "SHA256+RSA"; 55 } 56 for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) { 57 # Sanity-check simple handshake. 58 push @tests, { 59 name => "server-auth-${protocol_name}" 60 .($sctp ? "-sctp" : ""), 61 server => { 62 "CipherString" => "DEFAULT:\@SECLEVEL=0", 63 "MinProtocol" => $protocol, 64 "MaxProtocol" => $protocol 65 }, 66 client => { 67 "CipherString" => "DEFAULT:\@SECLEVEL=0", 68 "MinProtocol" => $protocol, 69 "MaxProtocol" => $protocol 70 }, 71 test => { 72 "ExpectedResult" => "Success", 73 "Method" => $method, 74 }, 75 }; 76 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; 77 78 # Handshake with client cert requested but not required or received. 79 push @tests, { 80 name => "client-auth-${protocol_name}-request" 81 .($sctp ? "-sctp" : ""), 82 server => { 83 "CipherString" => "DEFAULT:\@SECLEVEL=0", 84 "MinProtocol" => $protocol, 85 "MaxProtocol" => $protocol, 86 "VerifyMode" => "Request" 87 }, 88 client => { 89 "CipherString" => "DEFAULT:\@SECLEVEL=0", 90 "MinProtocol" => $protocol, 91 "MaxProtocol" => $protocol 92 }, 93 test => { 94 "ExpectedResult" => "Success", 95 "Method" => $method, 96 }, 97 }; 98 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; 99 100 # Handshake with client cert required but not present. 101 push @tests, { 102 name => "client-auth-${protocol_name}-require-fail" 103 .($sctp ? "-sctp" : ""), 104 server => { 105 "CipherString" => "DEFAULT:\@SECLEVEL=0", 106 "MinProtocol" => $protocol, 107 "MaxProtocol" => $protocol, 108 "VerifyCAFile" => test_pem("root-cert.pem"), 109 "VerifyMode" => "Require", 110 }, 111 client => { 112 "CipherString" => "DEFAULT:\@SECLEVEL=0", 113 "MinProtocol" => $protocol, 114 "MaxProtocol" => $protocol 115 }, 116 test => { 117 "ExpectedResult" => "ServerFail", 118 "ExpectedServerAlert" => 119 ($protocol_name eq "flex" 120 && !disabled("tls1_3") 121 && (!disabled("ec") || !disabled("dh"))) 122 ? "CertificateRequired" : "HandshakeFailure", 123 "Method" => $method, 124 }, 125 }; 126 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; 127 128 # Successful handshake with client authentication. 129 push @tests, { 130 name => "client-auth-${protocol_name}-require" 131 .($sctp ? "-sctp" : ""), 132 server => { 133 "CipherString" => "DEFAULT:\@SECLEVEL=0", 134 "MinProtocol" => $protocol, 135 "MaxProtocol" => $protocol, 136 "ClientSignatureAlgorithms" => $clisigalgs, 137 "VerifyCAFile" => test_pem("root-cert.pem"), 138 "VerifyMode" => "Request", 139 }, 140 client => { 141 "CipherString" => "DEFAULT:\@SECLEVEL=0", 142 "MinProtocol" => $protocol, 143 "MaxProtocol" => $protocol, 144 "Certificate" => test_pem("ee-client-chain.pem"), 145 "PrivateKey" => test_pem("ee-key.pem"), 146 }, 147 test => { 148 "ExpectedResult" => "Success", 149 "ExpectedClientCertType" => "RSA", 150 "ExpectedClientSignType" => $clisigtype, 151 "ExpectedClientSignHash" => $clihash, 152 "ExpectedClientCANames" => "empty", 153 "Method" => $method, 154 }, 155 }; 156 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; 157 158 # Successful handshake with client RSA-PSS cert, StrictCertCheck 159 push @tests, { 160 name => "client-auth-${protocol_name}-rsa-pss" 161 .($sctp ? "-sctp" : ""), 162 server => { 163 "CipherString" => "DEFAULT:\@SECLEVEL=0", 164 "MinProtocol" => $protocol, 165 "MaxProtocol" => $protocol, 166 "ClientCAFile" => test_pem("rootcert.pem"), 167 "VerifyCAFile" => test_pem("rootcert.pem"), 168 "VerifyMode" => "Require", 169 }, 170 client => { 171 "CipherString" => "DEFAULT:\@SECLEVEL=0", 172 "MinProtocol" => $protocol, 173 "MaxProtocol" => $protocol, 174 "Certificate" => test_pem("client-pss-restrict-cert.pem"), 175 "PrivateKey" => test_pem("client-pss-restrict-key.pem"), 176 "Options" => "StrictCertCheck", 177 }, 178 test => { 179 "ExpectedResult" => "Success", 180 "ExpectedClientCertType" => "RSA-PSS", 181 "ExpectedClientCANames" => test_pem("rootcert.pem"), 182 "Method" => $method, 183 }, 184 } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex"; 185 186 # Failed handshake with client RSA-PSS cert, StrictCertCheck, bad CA 187 push @tests, { 188 name => "client-auth-${protocol_name}-rsa-pss-bad" 189 .($sctp ? "-sctp" : ""), 190 server => { 191 "CipherString" => "DEFAULT:\@SECLEVEL=0", 192 "MinProtocol" => $protocol, 193 "MaxProtocol" => $protocol, 194 "ClientCAFile" => test_pem("rootCA.pem"), 195 "VerifyCAFile" => test_pem("rootCA.pem"), 196 "VerifyMode" => "Require", 197 }, 198 client => { 199 "CipherString" => "DEFAULT:\@SECLEVEL=0", 200 "MinProtocol" => $protocol, 201 "MaxProtocol" => $protocol, 202 "Certificate" => test_pem("client-pss-restrict-cert.pem"), 203 "PrivateKey" => test_pem("client-pss-restrict-key.pem"), 204 "Options" => "StrictCertCheck", 205 }, 206 test => { 207 "ExpectedResult" => "ServerFail", 208 "ExpectedServerAlert" => 209 ($protocol_name eq "flex" 210 && !disabled("tls1_3") 211 && (!disabled("ec") || !disabled("dh"))) 212 ? "CertificateRequired" : "HandshakeFailure", 213 "Method" => $method, 214 }, 215 } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex"; 216 217 # Successful handshake with client authentication non-empty names 218 push @tests, { 219 name => "client-auth-${protocol_name}-require-non-empty-names" 220 .($sctp ? "-sctp" : ""), 221 server => { 222 "CipherString" => "DEFAULT:\@SECLEVEL=0", 223 "MinProtocol" => $protocol, 224 "MaxProtocol" => $protocol, 225 "ClientSignatureAlgorithms" => $clisigalgs, 226 "ClientCAFile" => test_pem("root-cert.pem"), 227 "VerifyCAFile" => test_pem("root-cert.pem"), 228 "VerifyMode" => "Request", 229 }, 230 client => { 231 "CipherString" => "DEFAULT:\@SECLEVEL=0", 232 "MinProtocol" => $protocol, 233 "MaxProtocol" => $protocol, 234 "Certificate" => test_pem("ee-client-chain.pem"), 235 "PrivateKey" => test_pem("ee-key.pem"), 236 }, 237 test => { 238 "ExpectedResult" => "Success", 239 "ExpectedClientCertType" => "RSA", 240 "ExpectedClientSignType" => $clisigtype, 241 "ExpectedClientSignHash" => $clihash, 242 "ExpectedClientCANames" => test_pem("root-cert.pem"), 243 "Method" => $method, 244 }, 245 }; 246 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; 247 248 # Handshake with client authentication but without the root certificate. 249 push @tests, { 250 name => "client-auth-${protocol_name}-noroot" 251 .($sctp ? "-sctp" : ""), 252 server => { 253 "CipherString" => "DEFAULT:\@SECLEVEL=0", 254 "MinProtocol" => $protocol, 255 "MaxProtocol" => $protocol, 256 "VerifyMode" => "Require", 257 }, 258 client => { 259 "CipherString" => "DEFAULT:\@SECLEVEL=0", 260 "MinProtocol" => $protocol, 261 "MaxProtocol" => $protocol, 262 "Certificate" => test_pem("ee-client-chain.pem"), 263 "PrivateKey" => test_pem("ee-key.pem"), 264 }, 265 test => { 266 "ExpectedResult" => "ServerFail", 267 "ExpectedServerAlert" => $caalert, 268 "Method" => $method, 269 }, 270 }; 271 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; 272 } 273 } 274 } 275} 276 277generate_tests(); 278
