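# -*- mode: perl; -*-

## SSL test configurations
#
# Client-authentication test matrix for test/generate_ssl_tests.pl.  For
# every protocol version (and for version-flexible negotiation) six tests
# are emitted into @ssltests::tests; the DTLS variants are repeated over
# SCTP when SCTP support is compiled in.
#
# NOTE(security): every server and client section below runs at
# "@SECLEVEL=0".  This is only so the legacy SSLv3/TLSv1/TLSv1.1 builds
# still negotiate with the fixed test certificates; it must not be copied
# into production configuration.

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# Set by the generator before this file is evaluated; selects the
# FIPS-restricted protocol list below.
our $fips_mode;

my @protocols;
# Parallel to @protocols.  The leading 0 belongs to the version-flexible
# (undef) entry, which can never be disabled; anydisabled() supplies one
# flag per named protocol.
my @is_disabled = (0);

# We test version-flexible negotiation (undef) and each protocol version.
if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
} else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

our @tests = ();

# Settings shared by every server and client section: pin both peers to
# exactly $protocol (undef => version-flexible) at security level 0.
# Returns a key/value list to splice into a section hash.
sub _common_settings {
    my ($protocol) = @_;
    return (
        "CipherString" => "DEFAULT:\@SECLEVEL=0",
        "MinProtocol"  => $protocol,
        "MaxProtocol"  => $protocol,
    );
}

# Append one test description to @tests, marking it as an SCTP run when
# $sctp is true.
sub _add_test {
    my ($test, $sctp) = @_;
    $test->{test}{"UseSCTP"} = "Yes" if $sctp;
    push @tests, $test;
    return;
}

sub generate_tests {
    for my $idx (0 .. $#protocols) {
        next if $is_disabled[$idx];

        my $protocol      = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # SSLv3 has no unknown_ca alert (it was introduced with TLS 1.0),
        # so a client chain the server cannot verify surfaces there as
        # bad_certificate.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Only TLSv1.2 negotiates signature algorithms in this matrix, so
        # only there do we pin the client's CertificateVerify algorithm and
        # check what was actually used.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            $clihash    = "SHA256";
            $clisigtype = "RSA";
            $clisigalgs = "SHA256+RSA";
        }

        # A version-flexible handshake that can reach TLSv1.3 (protocol
        # enabled and a key-share group available) reports a missing
        # mandatory client certificate with the TLS 1.3 certificate_required
        # alert; every older version uses handshake_failure.
        my $missing_cert_alert =
            ($protocol_name eq "flex"
             && !disabled("tls1_3")
             && (!disabled("ec") || !disabled("dh")))
            ? "CertificateRequired" : "HandshakeFailure";

        for my $sctp (0 .. $sctpenabled) {
            my $suffix = $sctp ? "-sctp" : "";

            # Sanity-check simple handshake.
            _add_test({
                name   => "server-auth-${protocol_name}${suffix}",
                server => { _common_settings($protocol) },
                client => { _common_settings($protocol) },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            }, $sctp);

            # Handshake with client cert requested but not required or received.
            _add_test({
                name   => "client-auth-${protocol_name}-request${suffix}",
                server => {
                    _common_settings($protocol),
                    "VerifyMode" => "Request",
                },
                client => { _common_settings($protocol) },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            }, $sctp);

            # Handshake with client cert required but not present.
            _add_test({
                name   => "client-auth-${protocol_name}-require-fail${suffix}",
                server => {
                    _common_settings($protocol),
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode"   => "Require",
                },
                client => { _common_settings($protocol) },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $missing_cert_alert,
                    "Method"              => $method,
                },
            }, $sctp);

            # Successful handshake with client authentication.  No
            # ClientCAFile is configured, so the server's CertificateRequest
            # carries an empty CA list and the client must offer its chain
            # regardless.
            # NOTE(review): despite the "-require" name this uses VerifyMode
            # "Request"; the client always presents a certificate so the
            # outcome is the same, but "Require" would exercise the
            # mandatory path as the name suggests.
            _add_test({
                name   => "client-auth-${protocol_name}-require${suffix}",
                server => {
                    _common_settings($protocol),
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => test_pem("root-cert.pem"),
                    "VerifyMode"                => "Request",
                },
                client => {
                    _common_settings($protocol),
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey"  => test_pem("ee-key.pem"),
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                    "Method"                 => $method,
                },
            }, $sctp);

            # Successful handshake with client authentication, non-empty
            # names: ClientCAFile makes the server advertise the root as an
            # acceptable CA, which the client-side check expects to see.
            _add_test({
                name   => "client-auth-${protocol_name}-require-non-empty-names${suffix}",
                server => {
                    _common_settings($protocol),
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => test_pem("root-cert.pem"),
                    "VerifyCAFile"              => test_pem("root-cert.pem"),
                    "VerifyMode"                => "Request",
                },
                client => {
                    _common_settings($protocol),
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey"  => test_pem("ee-key.pem"),
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => test_pem("root-cert.pem"),
                    "Method"                 => $method,
                },
            }, $sctp);

            # Handshake with client authentication but without the root
            # certificate: the server has no VerifyCAFile, so it cannot
            # verify the client chain and must abort with $caalert rather
            # than accept an unverifiable client.
            _add_test({
                name   => "client-auth-${protocol_name}-noroot${suffix}",
                server => {
                    _common_settings($protocol),
                    "VerifyMode" => "Require",
                },
                client => {
                    _common_settings($protocol),
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey"  => test_pem("ee-key.pem"),
                },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            }, $sctp);
        }
    }
    return;
}

generate_tests();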