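# -*- mode: perl; -*-
# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## SSL test configurations
#
# Each entry describes one handshake: the server settings, the client
# settings, and the outcome the test expects.  The cases vary three
# client-side knobs -- "VerifyMode", "VerifyCAFile" and the extra
# "VerifyCallback" -- to pin down how a custom certificate verification
# callback interacts with peer verification.
#
# NOTE(review): a value of undef for "VerifyMode" / "VerifyCAFile" appears
# to clear a default supplied by the test generator rather than to set a
# value (see the "Don't set up the client root file" case below); confirm
# against the generator script.

package ssltests;

our @tests = (

    # ------------------------------------------------------------------
    # Group 1: peer verification requested, root available.
    # ------------------------------------------------------------------

    # Baseline: verification succeeds without any custom callback.
    {
        name => "verify-success",
        server => { },
        client => { },
        test   => { "ExpectedResult" => "Success" },
    },

    # Same as verify-success, but with a custom callback that always fails.
    # The client aborts and sends a HandshakeFailure alert.
    {
        name => "verify-custom-reject",
        server => { },
        client => {
            extra => {
                "VerifyCallback" => "RejectAll",
            },
        },
        test   => {
            "ExpectedResult" => "ClientFail",
            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },

    # Same as verify-success, but with a custom callback that always
    # succeeds.
    {
        name => "verify-custom-allow",
        server => { },
        client => {
            extra => {
                "VerifyCallback" => "AcceptAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Same as verify-success, but with a custom callback that requests a
    # retry once.  The handshake is still expected to complete.
    {
        name => "verify-custom-retry",
        server => { },
        client => {
            extra => {
                "VerifyCallback" => "RetryOnce",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # ------------------------------------------------------------------
    # Group 2: peer verification NOT requested.
    # ------------------------------------------------------------------

    # Baseline: the handshake succeeds when peer verification is not
    # requested and no root file is configured.
    {
        name => "noverify-success",
        server => { },
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
        },
        test   => { "ExpectedResult" => "Success" },
    },

    # Same as noverify-success, but with a custom callback that always
    # fails.  The callback return has no impact on handshake success in
    # this mode.
    #
    # Security-relevant: a rejecting callback does not stop the handshake
    # when peer verification is off, so a callback alone is not a
    # substitute for requesting peer verification.
    {
        name => "noverify-ignore-custom-reject",
        server => { },
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "RejectAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Same as noverify-success, but with a custom callback that always
    # succeeds.  The callback return has no impact on handshake success in
    # this mode.
    {
        name => "noverify-accept-custom-allow",
        server => { },
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "AcceptAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # ------------------------------------------------------------------
    # Group 3: peer verification requested, but no root configured.
    # ------------------------------------------------------------------

    # Baseline: verification fails without the permissive callback; the
    # client reports UnknownCA.
    {
        name => "verify-fail-no-root",
        server => { },
        client => {
            # Don't set up the client root file.
            "VerifyCAFile" => undef,
        },
        test   => {
            "ExpectedResult" => "ClientFail",
            "ExpectedClientAlert" => "UnknownCA",
        },
    },

    # Same as verify-fail-no-root, but with a custom callback that always
    # succeeds.
    #
    # Security-relevant: the accept-all callback turns a chain that
    # otherwise fails with UnknownCA into a successful handshake.  The
    # callback's verdict stands in for the trust-store check here, so a
    # permissive callback leaves the client accepting a peer it has no
    # root for.
    {
        name => "verify-custom-success-no-root",
        server => { },
        client => {
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "AcceptAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Same as verify-fail-no-root, but with a custom callback that always
    # fails.  The expected alert is HandshakeFailure rather than UnknownCA:
    # the peer sees the callback's rejection, not the missing root.
    # NOTE(review): presumably the rejecting callback reports no specific
    # verification error, hence the generic alert -- confirm in the harness.
    {
        name => "verify-custom-fail-no-root",
        server => { },
        client => {
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "RejectAll",
            },
        },
        test   => {
            "ExpectedResult" => "ClientFail",
            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },
);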