xref: /freebsd/crypto/openssl/test/ssl-tests/04-client_auth.cnf.in (revision a90b9d0159070121c221b966469c3e36d912bf82)
1# -*- mode: perl; -*-
2
3## SSL test configurations
4
5package ssltests;
6
7use strict;
8use warnings;
9
10use OpenSSL::Test;
11use OpenSSL::Test::Utils qw(anydisabled disabled);
12setup("no_test_here");
13
14our $fips_mode;
15
16my @protocols;
17my @is_disabled = (0);
18
19# We test version-flexible negotiation (undef) and each protocol version.
20if ($fips_mode) {
21    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
22    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
23} else {
24    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
25    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
26}
27
28our @tests = ();
29
30sub generate_tests() {
31    foreach (0..$#protocols) {
32        my $protocol = $protocols[$_];
33        my $protocol_name = $protocol || "flex";
34        my $caalert;
35        my $method;
36        my $sctpenabled = 0;
37        if (!$is_disabled[$_]) {
38            if ($protocol_name eq "SSLv3") {
39                $caalert = "BadCertificate";
40            } else {
41                $caalert = "UnknownCA";
42            }
43            if ($protocol_name =~ m/^DTLS/) {
44                $method = "DTLS";
45                $sctpenabled = 1 if !disabled("sctp");
46            }
47            my $clihash;
48            my $clisigtype;
49            my $clisigalgs;
50            # TODO(TLS1.3) add TLSv1.3 versions
51            if ($protocol_name eq "TLSv1.2") {
52                $clihash = "SHA256";
53                $clisigtype = "RSA";
54                $clisigalgs = "SHA256+RSA";
55            }
56            for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
57                # Sanity-check simple handshake.
58                push @tests, {
59                    name => "server-auth-${protocol_name}"
60                            .($sctp ? "-sctp" : ""),
61                    server => {
62                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
63                        "MinProtocol" => $protocol,
64                        "MaxProtocol" => $protocol
65                    },
66                    client => {
67                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
68                        "MinProtocol" => $protocol,
69                        "MaxProtocol" => $protocol
70                    },
71                    test   => {
72                        "ExpectedResult" => "Success",
73                        "Method" => $method,
74                    },
75                };
76                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
77
78                # Handshake with client cert requested but not required or received.
79                push @tests, {
80                    name => "client-auth-${protocol_name}-request"
81                            .($sctp ? "-sctp" : ""),
82                    server => {
83                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
84                        "MinProtocol" => $protocol,
85                        "MaxProtocol" => $protocol,
86                        "VerifyMode" => "Request"
87                    },
88                    client => {
89                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
90                        "MinProtocol" => $protocol,
91                        "MaxProtocol" => $protocol
92                    },
93                    test   => {
94                        "ExpectedResult" => "Success",
95                        "Method" => $method,
96                    },
97                };
98                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
99
100                # Handshake with client cert required but not present.
101                push @tests, {
102                    name => "client-auth-${protocol_name}-require-fail"
103                            .($sctp ? "-sctp" : ""),
104                    server => {
105                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
106                        "MinProtocol" => $protocol,
107                        "MaxProtocol" => $protocol,
108                        "VerifyCAFile" => test_pem("root-cert.pem"),
109                        "VerifyMode" => "Require",
110                    },
111                    client => {
112                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
113                        "MinProtocol" => $protocol,
114                        "MaxProtocol" => $protocol
115                    },
116                    test   => {
117                        "ExpectedResult" => "ServerFail",
118                        "ExpectedServerAlert" =>
119                        ($protocol_name eq "flex"
120                            && !disabled("tls1_3")
121                            && (!disabled("ec") || !disabled("dh")))
122                        ? "CertificateRequired" : "HandshakeFailure",
123                        "Method" => $method,
124                    },
125                };
126                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
127
128                # Successful handshake with client authentication.
129                push @tests, {
130                    name => "client-auth-${protocol_name}-require"
131                             .($sctp ? "-sctp" : ""),
132                    server => {
133                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
134                        "MinProtocol" => $protocol,
135                        "MaxProtocol" => $protocol,
136                        "ClientSignatureAlgorithms" => $clisigalgs,
137                        "VerifyCAFile" => test_pem("root-cert.pem"),
138                        "VerifyMode" => "Request",
139                    },
140                    client => {
141                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
142                        "MinProtocol" => $protocol,
143                        "MaxProtocol" => $protocol,
144                        "Certificate" => test_pem("ee-client-chain.pem"),
145                        "PrivateKey"  => test_pem("ee-key.pem"),
146                    },
147                    test   => {
148                        "ExpectedResult" => "Success",
149                        "ExpectedClientCertType" => "RSA",
150                        "ExpectedClientSignType" => $clisigtype,
151                        "ExpectedClientSignHash" => $clihash,
152                        "ExpectedClientCANames" => "empty",
153                        "Method" => $method,
154                    },
155                };
156                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
157
158                # Successful handshake with client authentication non-empty names
159                push @tests, {
160                    name => "client-auth-${protocol_name}-require-non-empty-names"
161                            .($sctp ? "-sctp" : ""),
162                    server => {
163                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
164                        "MinProtocol" => $protocol,
165                        "MaxProtocol" => $protocol,
166                        "ClientSignatureAlgorithms" => $clisigalgs,
167                        "ClientCAFile" => test_pem("root-cert.pem"),
168                        "VerifyCAFile" => test_pem("root-cert.pem"),
169                        "VerifyMode" => "Request",
170                    },
171                    client => {
172                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
173                        "MinProtocol" => $protocol,
174                        "MaxProtocol" => $protocol,
175                        "Certificate" => test_pem("ee-client-chain.pem"),
176                        "PrivateKey"  => test_pem("ee-key.pem"),
177                    },
178                    test   => {
179                        "ExpectedResult" => "Success",
180                        "ExpectedClientCertType" => "RSA",
181                        "ExpectedClientSignType" => $clisigtype,
182                        "ExpectedClientSignHash" => $clihash,
183                        "ExpectedClientCANames" => test_pem("root-cert.pem"),
184                        "Method" => $method,
185                    },
186                };
187                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
188
189                # Handshake with client authentication but without the root certificate.
190                push @tests, {
191                    name => "client-auth-${protocol_name}-noroot"
192                            .($sctp ? "-sctp" : ""),
193                    server => {
194                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
195                        "MinProtocol" => $protocol,
196                        "MaxProtocol" => $protocol,
197                        "VerifyMode" => "Require",
198                    },
199                    client => {
200                        "CipherString" => "DEFAULT:\@SECLEVEL=0",
201                        "MinProtocol" => $protocol,
202                        "MaxProtocol" => $protocol,
203                        "Certificate" => test_pem("ee-client-chain.pem"),
204                        "PrivateKey"  => test_pem("ee-key.pem"),
205                    },
206                    test   => {
207                        "ExpectedResult" => "ServerFail",
208                        "ExpectedServerAlert" => $caalert,
209                        "Method" => $method,
210                    },
211                };
212                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
213            }
214        }
215    }
216}
217
218generate_tests();
219