X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Fssl_test_ctx.h;h=3a21ac52d9992837eb40ca0fab4363fdf1c9662f;hp=9aaa4cea505473bb6cf65900fb831b8a6d776421;hb=fcee53948b7f9a5951d42f4ee321e706ea6b4b84;hpb=a263f320ebdb32ccc058ef02a617edbfe4a63e7f diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h index 9aaa4cea50..3a21ac52d9 100644 --- a/test/ssl_test_ctx.h +++ b/test/ssl_test_ctx.h @@ -1,11 +1,10 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL licenses, (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html - * or in the file LICENSE in the source distribution. */ #ifndef HEADER_SSL_TEST_CTX_H @@ -18,7 +17,9 @@ typedef enum { SSL_TEST_SUCCESS = 0, /* Default */ SSL_TEST_SERVER_FAIL, SSL_TEST_CLIENT_FAIL, - SSL_TEST_INTERNAL_ERROR + SSL_TEST_INTERNAL_ERROR, + /* Couldn't test resumption/renegotiation: original handshake failed. */ + SSL_TEST_FIRST_HANDSHAKE_FAILED } ssl_test_result_t; typedef enum { @@ -27,31 +28,221 @@ typedef enum { SSL_TEST_VERIFY_REJECT_ALL } ssl_verify_callback_t; -typedef struct ssl_test_ctx { - /* Test expectations. */ +typedef enum { + SSL_TEST_SERVERNAME_NONE = 0, /* Default */ + SSL_TEST_SERVERNAME_SERVER1, + SSL_TEST_SERVERNAME_SERVER2, + SSL_TEST_SERVERNAME_INVALID +} ssl_servername_t; + +typedef enum { + SSL_TEST_SERVERNAME_CB_NONE = 0, /* Default */ + SSL_TEST_SERVERNAME_IGNORE_MISMATCH, + SSL_TEST_SERVERNAME_REJECT_MISMATCH, + SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH, + SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH, + SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12 +} ssl_servername_callback_t; + +typedef enum { + SSL_TEST_SESSION_TICKET_IGNORE = 0, /* Default */ + SSL_TEST_SESSION_TICKET_YES, + SSL_TEST_SESSION_TICKET_NO, + SSL_TEST_SESSION_TICKET_BROKEN /* Special test */ +} ssl_session_ticket_t; + +typedef enum { + SSL_TEST_COMPRESSION_NO = 0, /* Default */ + SSL_TEST_COMPRESSION_YES +} ssl_compression_t; + +typedef enum { + SSL_TEST_SESSION_ID_IGNORE = 0, /* Default */ + SSL_TEST_SESSION_ID_YES, + SSL_TEST_SESSION_ID_NO +} ssl_session_id_t; + +typedef enum { + SSL_TEST_METHOD_TLS = 0, /* Default */ + SSL_TEST_METHOD_DTLS +} ssl_test_method_t; + +typedef enum { + SSL_TEST_HANDSHAKE_SIMPLE = 0, /* Default */ + SSL_TEST_HANDSHAKE_RESUME, + SSL_TEST_HANDSHAKE_RENEG_SERVER, + SSL_TEST_HANDSHAKE_RENEG_CLIENT, + SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER, + SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT, + SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH +} ssl_handshake_mode_t; + +typedef enum { + SSL_TEST_CT_VALIDATION_NONE = 0, /* Default */ + SSL_TEST_CT_VALIDATION_PERMISSIVE, + SSL_TEST_CT_VALIDATION_STRICT +} ssl_ct_validation_t; + +typedef enum { + SSL_TEST_CERT_STATUS_NONE = 0, /* Default */ + SSL_TEST_CERT_STATUS_GOOD_RESPONSE, + SSL_TEST_CERT_STATUS_BAD_RESPONSE +} ssl_cert_status_t; + +/* + * Server/client settings that aren't supported by the SSL CONF library, + * such as callbacks. + */ +typedef struct { + /* One of a number of predefined custom callbacks. */ + ssl_verify_callback_t verify_callback; + /* One of a number of predefined server names use by the client */ + ssl_servername_t servername; + /* Maximum Fragment Length extension mode */ + int max_fragment_len_mode; + /* Supported NPN and ALPN protocols. A comma-separated list. */ + char *npn_protocols; + char *alpn_protocols; + ssl_ct_validation_t ct_validation; + /* Ciphersuites to set on a renegotiation */ + char *reneg_ciphers; + char *srp_user; + char *srp_password; + /* PHA enabled */ + int enable_pha; +} SSL_TEST_CLIENT_CONF; + +typedef struct { + /* SNI callback (server-side). */ + ssl_servername_callback_t servername_callback; + /* Supported NPN and ALPN protocols. A comma-separated list. */ + char *npn_protocols; + char *alpn_protocols; + /* Whether to set a broken session ticket callback. */ + int broken_session_ticket; + /* Should we send a CertStatus message? */ + ssl_cert_status_t cert_status; + /* An SRP user known to the server. */ + char *srp_user; + char *srp_password; + /* Forced PHA */ + int force_pha; + char *session_ticket_app_data; +} SSL_TEST_SERVER_CONF; + +typedef struct { + SSL_TEST_CLIENT_CONF client; + SSL_TEST_SERVER_CONF server; + SSL_TEST_SERVER_CONF server2; +} SSL_TEST_EXTRA_CONF; + +typedef struct { + /* + * Global test configuration. Does not change between handshakes. + */ + /* Whether the server/client CTX should use DTLS or TLS. */ + ssl_test_method_t method; + /* Whether to test a resumed/renegotiated handshake. */ + ssl_handshake_mode_t handshake_mode; + /* + * How much application data to exchange (default is 256 bytes). + * Both peers will send |app_data_size| bytes interleaved. + */ + int app_data_size; + /* Maximum send fragment size. */ + int max_fragment_size; + /* KeyUpdate type */ + int key_update_type; + + /* + * Extra server/client configurations. Per-handshake. + */ + /* First handshake. */ + SSL_TEST_EXTRA_CONF extra; + /* Resumed handshake. */ + SSL_TEST_EXTRA_CONF resume_extra; + + /* + * Test expectations. These apply to the LAST handshake. + */ /* Defaults to SUCCESS. */ ssl_test_result_t expected_result; /* Alerts. 0 if no expectation. */ /* See ssl.h for alert codes. */ /* Alert sent by the client / received by the server. */ - int client_alert; + int expected_client_alert; /* Alert sent by the server / received by the client. */ - int server_alert; + int expected_server_alert; /* Negotiated protocol version. 0 if no expectation. */ /* See ssl.h for protocol versions. */ - int protocol; - /* One of a number of predefined custom callbacks. */ - ssl_verify_callback_t client_verify_callback; + int expected_protocol; + /* + * The expected SNI context to use. + * We test server-side that the server switched to the expected context. + * Set by the callback upon success, so if the callback wasn't called or + * terminated with an alert, the servername will match with + * SSL_TEST_SERVERNAME_NONE. + * Note: in the event that the servername was accepted, the client should + * also receive an empty SNI extension back but we have no way of probing + * client-side via the API that this was the case. + */ + ssl_servername_t expected_servername; + ssl_session_ticket_t session_ticket_expected; + int compression_expected; + /* The expected NPN/ALPN protocol to negotiate. */ + char *expected_npn_protocol; + char *expected_alpn_protocol; + /* Whether the second handshake is resumed or a full handshake (boolean). */ + int resumption_expected; + /* Expected temporary key type */ + int expected_tmp_key_type; + /* Expected server certificate key type */ + int expected_server_cert_type; + /* Expected server signing hash */ + int expected_server_sign_hash; + /* Expected server signature type */ + int expected_server_sign_type; + /* Expected server CA names */ + STACK_OF(X509_NAME) *expected_server_ca_names; + /* Expected client certificate key type */ + int expected_client_cert_type; + /* Expected client signing hash */ + int expected_client_sign_hash; + /* Expected client signature type */ + int expected_client_sign_type; + /* Expected CA names for client auth */ + STACK_OF(X509_NAME) *expected_client_ca_names; + /* Whether to use SCTP for the transport */ + int use_sctp; + /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on client side */ + int enable_client_sctp_label_bug; + /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on server side */ + int enable_server_sctp_label_bug; + /* Whether to expect a session id from the server */ + ssl_session_id_t session_id_expected; + char *expected_cipher; + /* Expected Session Ticket Application Data */ + char *expected_session_ticket_app_data; } SSL_TEST_CTX; const char *ssl_test_result_name(ssl_test_result_t result); const char *ssl_alert_name(int alert); const char *ssl_protocol_name(int protocol); const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback); +const char *ssl_servername_name(ssl_servername_t server); +const char *ssl_servername_callback_name(ssl_servername_callback_t + servername_callback); +const char *ssl_session_ticket_name(ssl_session_ticket_t server); +const char *ssl_session_id_name(ssl_session_id_t server); +const char *ssl_test_method_name(ssl_test_method_t method); +const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode); +const char *ssl_ct_validation_name(ssl_ct_validation_t mode); +const char *ssl_certstatus_name(ssl_cert_status_t cert_status); +const char *ssl_max_fragment_len_name(int MFL_mode); /* * Load the test case context from |conf|. - * See test/README.ssl_test for details on the conf file format. + * See test/README.ssltest.md for details on the conf file format. */ SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section);