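# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");

# One entry per protocol above, in the same order.  The flexible (undef)
# entry can never be disabled; the rest follow the build configuration.
my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");

our @tests = ();

# Append one test case to @tests.
#
#   $spec  - the test hash (name/server/client/test sections)
#   $sctp  - true when this is the SCTP variant of the test; the case is
#            then marked with "UseSCTP" => "Yes" in its "test" section
sub _add_test {
    my ($spec, $sctp) = @_;
    $spec->{"test"}{"UseSCTP"} = "Yes" if $sctp;
    push @tests, $spec;
    return;
}

# Build the client-authentication matrix for every enabled protocol.  For
# DTLS, when SCTP is compiled in, every case is generated twice: once over
# UDP and once over SCTP.  Protocol versions disabled in the build are
# skipped entirely so the config never references an unavailable version.
sub generate_tests {
    my $root_cert = test_pem("root-cert.pem");
    my %client_cert = (
        "Certificate" => test_pem("ee-client-chain.pem"),
        "PrivateKey"  => test_pem("ee-key.pem"),
    );

    for my $idx (0 .. $#protocols) {
        next if $is_disabled[$idx];

        my $protocol      = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # Alert expected when the client presents a chain the server cannot
        # verify: SSLv3 predates the unknown_ca alert, so it reports
        # bad_certificate instead.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # "Method" is only named for DTLS; for TLS it is emitted as undef.
        # SCTP is a DTLS-only transport, so the SCTP variant is generated
        # only there and only when the build has SCTP support.
        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Client signature expectations are pinned only for TLSv1.2, the one
        # version here that negotiates signature algorithms explicitly.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs) = ("SHA256", "RSA", "SHA256+RSA");
        }

        # A server that requires a client certificate and receives none:
        # with flexible negotiation and TLS 1.3 available, the handshake
        # reaches TLS 1.3's certificate_required alert; every fixed version
        # here fails with handshake_failure.
        my $require_fail_alert =
            ($protocol_name eq "flex" && !disabled("tls1_3"))
            ? "CertificateRequired" : "HandshakeFailure";

        for my $sctp (0 .. $sctpenabled) {
            my $suffix = $sctp ? "-sctp" : "";
            my %proto  = (
                "MinProtocol" => $protocol,
                "MaxProtocol" => $protocol,
            );

            # Sanity-check simple handshake.
            _add_test({
                name   => "server-auth-${protocol_name}${suffix}",
                server => { %proto },
                client => { %proto },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            }, $sctp);

            # Handshake with client cert requested but not required or received.
            _add_test({
                name   => "client-auth-${protocol_name}-request${suffix}",
                server => {
                    %proto,
                    "VerifyMode" => "Request",
                },
                client => { %proto },
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            }, $sctp);

            # Handshake with client cert required but not present.
            _add_test({
                name   => "client-auth-${protocol_name}-require-fail${suffix}",
                server => {
                    %proto,
                    "VerifyCAFile" => $root_cert,
                    "VerifyMode"   => "Require",
                },
                client => { %proto },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $require_fail_alert,
                    "Method"              => $method,
                },
            }, $sctp);

            # Successful handshake with client authentication.  No
            # ClientCAFile is configured, so the CertificateRequest must
            # carry an empty CA name list.
            _add_test({
                name   => "client-auth-${protocol_name}-require${suffix}",
                server => {
                    %proto,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                },
                client => {
                    %proto,
                    %client_cert,
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                    "Method"                 => $method,
                },
            }, $sctp);

            # Successful handshake with client authentication non-empty names:
            # same as above, but ClientCAFile makes the server advertise the
            # root as an acceptable CA, which must show up in the request.
            _add_test({
                name   => "client-auth-${protocol_name}-require-non-empty-names${suffix}",
                server => {
                    %proto,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => $root_cert,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                },
                client => {
                    %proto,
                    %client_cert,
                },
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => $root_cert,
                    "Method"                 => $method,
                },
            }, $sctp);

            # Handshake with client authentication but without the root
            # certificate: the server has no VerifyCAFile, so the client's
            # chain cannot be verified and the server must reject it.
            _add_test({
                name   => "client-auth-${protocol_name}-noroot${suffix}",
                server => {
                    %proto,
                    "VerifyMode" => "Require",
                },
                client => {
                    %proto,
                    %client_cert,
                },
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            }, $sctp);
        }
    }
    return;
}

generate_tests();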