# -*- mode: perl; -*-

## SSL test configurations
##
## Client-authentication handshake cases, one set per protocol version that
## is compiled in.  Evaluating this file fills @ssltests::tests; the driver
## that loads it reads that array.

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# Package variable; presumably set by the loader before this file runs.
our $fips_mode;

# Parallel arrays: $is_disabled[$i] tells whether $protocols[$i] is
# compiled out.  undef stands for version-flexible negotiation, which is
# always available, hence the fixed leading 0.
my @protocols;
my @is_disabled = (0);

if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
}
else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
                  "DTLSv1", "DTLSv1.2");
    push @is_disabled,
        anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

our @tests = ();

# Build one peer's configuration: pin it to a single protocol version
# (undef = flexible) and merge any peer-specific keys from %extra.
# @SECLEVEL=0 switches off OpenSSL's security-level policy, which would
# otherwise refuse the legacy versions in this matrix; a test-only setting.
my $peer_conf = sub {
    my ($protocol, %extra) = @_;
    return {
        "CipherString" => "DEFAULT:\@SECLEVEL=0",
        "MinProtocol"  => $protocol,
        "MaxProtocol"  => $protocol,
        %extra,
    };
};

# Append one case to @tests.  When $sctp is true the name gets a "-sctp"
# suffix and the test section switches the transport to SCTP.
my $add_case = sub {
    my ($sctp, %case) = @_;
    if ($sctp) {
        $case{name} .= "-sctp";
        $case{test}{"UseSCTP"} = "Yes";
    }
    push @tests, \%case;
    return;
};

# Fill @tests with the cases for every protocol that is compiled in.
sub generate_tests() {
    my $root_cert = test_pem("root-cert.pem");
    my @client_identity = (
        "Certificate" => test_pem("ee-client-chain.pem"),
        "PrivateKey"  => test_pem("ee-key.pem"),
    );

    PROTOCOL:
    for my $idx (0 .. $#protocols) {
        next PROTOCOL if $is_disabled[$idx];

        my $protocol      = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # Alert the server is expected to send when it cannot verify the
        # client chain; SSLv3 reports it with a different alert.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m{\ADTLS}) {
            $method = "DTLS";
            # DTLS cases run a second time over SCTP when it is built in.
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Client signature expectations; only TLSv1.2 pins them, the other
        # versions leave the values undef.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            ($clihash, $clisigtype, $clisigalgs) =
                ("SHA256", "RSA", "SHA256+RSA");
        }

        # Alert expected when a required client certificate is missing:
        # flexible negotiation with TLSv1.3 available (and a key exchange it
        # can use) yields CertificateRequired, everything else HandshakeFailure.
        my $require_fail_alert =
            ($protocol_name eq "flex"
             && !disabled("tls1_3")
             && (!disabled("ec") || !disabled("dh")))
                ? "CertificateRequired"
                : "HandshakeFailure";

        for my $sctp (0 .. $sctpenabled) {
            # Sanity-check simple handshake.
            $add_case->($sctp,
                name   => "server-auth-${protocol_name}",
                server => $peer_conf->($protocol),
                client => $peer_conf->($protocol),
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            );

            # Handshake with client cert requested but not required or received.
            $add_case->($sctp,
                name   => "client-auth-${protocol_name}-request",
                server => $peer_conf->($protocol, "VerifyMode" => "Request"),
                client => $peer_conf->($protocol),
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            );

            # Handshake with client cert required but not present.
            $add_case->($sctp,
                name   => "client-auth-${protocol_name}-require-fail",
                server => $peer_conf->($protocol,
                    "VerifyCAFile" => $root_cert,
                    "VerifyMode"   => "Require",
                ),
                client => $peer_conf->($protocol),
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $require_fail_alert,
                    "Method"              => $method,
                },
            );

            # Successful handshake with client authentication.
            $add_case->($sctp,
                name   => "client-auth-${protocol_name}-require",
                server => $peer_conf->($protocol,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                ),
                client => $peer_conf->($protocol, @client_identity),
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => "empty",
                    "Method"                 => $method,
                },
            );

            # Successful handshake with client authentication non-empty names
            $add_case->($sctp,
                name   => "client-auth-${protocol_name}-require-non-empty-names",
                server => $peer_conf->($protocol,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => $root_cert,
                    "VerifyCAFile"              => $root_cert,
                    "VerifyMode"                => "Request",
                ),
                client => $peer_conf->($protocol, @client_identity),
                test   => {
                    "ExpectedResult"         => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames"  => $root_cert,
                    "Method"                 => $method,
                },
            );

            # Handshake with client authentication but without the root certificate.
            $add_case->($sctp,
                name   => "client-auth-${protocol_name}-noroot",
                server => $peer_conf->($protocol, "VerifyMode" => "Require"),
                client => $peer_conf->($protocol, @client_identity),
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            );
        }
    }
    return;
}

generate_tests();