3 ## SSL test configurations
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
12 setup("no_test_here");
17 my @is_disabled = (0);
19 # We test version-flexible negotiation (undef) and each protocol version.
21 @protocols = (undef, "TLSv1.2", "DTLSv1.2");
22 push @is_disabled, anydisabled("tls1_2", "dtls1_2");
24 @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
25 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
30 sub generate_tests() {
31 foreach (0..$#protocols) {
32 my $protocol = $protocols[$_];
33 my $protocol_name = $protocol || "flex";
37 if (!$is_disabled[$_]) {
38 if ($protocol_name eq "SSLv3") {
39 $caalert = "BadCertificate";
41 $caalert = "UnknownCA";
43 if ($protocol_name =~ m/^DTLS/) {
45 $sctpenabled = 1 if !disabled("sctp");
50 # TODO(TLS1.3) add TLSv1.3 versions
51 if ($protocol_name eq "TLSv1.2") {
54 $clisigalgs = "SHA256+RSA";
56 for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
57 # Sanity-check simple handshake.
59 name => "server-auth-${protocol_name}"
60 .($sctp ? "-sctp" : ""),
62 "CipherString" => "DEFAULT:\@SECLEVEL=0",
63 "MinProtocol" => $protocol,
64 "MaxProtocol" => $protocol
67 "CipherString" => "DEFAULT:\@SECLEVEL=0",
68 "MinProtocol" => $protocol,
69 "MaxProtocol" => $protocol
72 "ExpectedResult" => "Success",
76 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
78 # Handshake with client cert requested but not required or received.
80 name => "client-auth-${protocol_name}-request"
81 .($sctp ? "-sctp" : ""),
83 "CipherString" => "DEFAULT:\@SECLEVEL=0",
84 "MinProtocol" => $protocol,
85 "MaxProtocol" => $protocol,
86 "VerifyMode" => "Request"
89 "CipherString" => "DEFAULT:\@SECLEVEL=0",
90 "MinProtocol" => $protocol,
91 "MaxProtocol" => $protocol
94 "ExpectedResult" => "Success",
98 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
100 # Handshake with client cert required but not present.
102 name => "client-auth-${protocol_name}-require-fail"
103 .($sctp ? "-sctp" : ""),
105 "CipherString" => "DEFAULT:\@SECLEVEL=0",
106 "MinProtocol" => $protocol,
107 "MaxProtocol" => $protocol,
108 "VerifyCAFile" => test_pem("root-cert.pem"),
109 "VerifyMode" => "Require",
112 "CipherString" => "DEFAULT:\@SECLEVEL=0",
113 "MinProtocol" => $protocol,
114 "MaxProtocol" => $protocol
117 "ExpectedResult" => "ServerFail",
118 "ExpectedServerAlert" =>
119 ($protocol_name eq "flex"
120 && !disabled("tls1_3")
121 && (!disabled("ec") || !disabled("dh")))
122 ? "CertificateRequired" : "HandshakeFailure",
126 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
128 # Successful handshake with client authentication.
130 name => "client-auth-${protocol_name}-require"
131 .($sctp ? "-sctp" : ""),
133 "CipherString" => "DEFAULT:\@SECLEVEL=0",
134 "MinProtocol" => $protocol,
135 "MaxProtocol" => $protocol,
136 "ClientSignatureAlgorithms" => $clisigalgs,
137 "VerifyCAFile" => test_pem("root-cert.pem"),
138 "VerifyMode" => "Request",
141 "CipherString" => "DEFAULT:\@SECLEVEL=0",
142 "MinProtocol" => $protocol,
143 "MaxProtocol" => $protocol,
144 "Certificate" => test_pem("ee-client-chain.pem"),
145 "PrivateKey" => test_pem("ee-key.pem"),
148 "ExpectedResult" => "Success",
149 "ExpectedClientCertType" => "RSA",
150 "ExpectedClientSignType" => $clisigtype,
151 "ExpectedClientSignHash" => $clihash,
152 "ExpectedClientCANames" => "empty",
156 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
158 # Successful handshake with client RSA-PSS cert, StrictCertCheck
160 name => "client-auth-${protocol_name}-rsa-pss"
161 .($sctp ? "-sctp" : ""),
163 "CipherString" => "DEFAULT:\@SECLEVEL=0",
164 "MinProtocol" => $protocol,
165 "MaxProtocol" => $protocol,
166 "ClientCAFile" => test_pem("rootcert.pem"),
167 "VerifyCAFile" => test_pem("rootcert.pem"),
168 "VerifyMode" => "Require",
171 "CipherString" => "DEFAULT:\@SECLEVEL=0",
172 "MinProtocol" => $protocol,
173 "MaxProtocol" => $protocol,
174 "Certificate" => test_pem("client-pss-restrict-cert.pem"),
175 "PrivateKey" => test_pem("client-pss-restrict-key.pem"),
176 "Options" => "StrictCertCheck",
179 "ExpectedResult" => "Success",
180 "ExpectedClientCertType" => "RSA-PSS",
181 "ExpectedClientCANames" => test_pem("rootcert.pem"),
184 } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
186 # Failed handshake with client RSA-PSS cert, StrictCertCheck, bad CA
188 name => "client-auth-${protocol_name}-rsa-pss-bad"
189 .($sctp ? "-sctp" : ""),
191 "CipherString" => "DEFAULT:\@SECLEVEL=0",
192 "MinProtocol" => $protocol,
193 "MaxProtocol" => $protocol,
194 "ClientCAFile" => test_pem("rootCA.pem"),
195 "VerifyCAFile" => test_pem("rootCA.pem"),
196 "VerifyMode" => "Require",
199 "CipherString" => "DEFAULT:\@SECLEVEL=0",
200 "MinProtocol" => $protocol,
201 "MaxProtocol" => $protocol,
202 "Certificate" => test_pem("client-pss-restrict-cert.pem"),
203 "PrivateKey" => test_pem("client-pss-restrict-key.pem"),
204 "Options" => "StrictCertCheck",
207 "ExpectedResult" => "ServerFail",
208 "ExpectedServerAlert" =>
209 ($protocol_name eq "flex"
210 && !disabled("tls1_3")
211 && (!disabled("ec") || !disabled("dh")))
212 ? "CertificateRequired" : "HandshakeFailure",
215 } if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
217 # Successful handshake with client authentication non-empty names
219 name => "client-auth-${protocol_name}-require-non-empty-names"
220 .($sctp ? "-sctp" : ""),
222 "CipherString" => "DEFAULT:\@SECLEVEL=0",
223 "MinProtocol" => $protocol,
224 "MaxProtocol" => $protocol,
225 "ClientSignatureAlgorithms" => $clisigalgs,
226 "ClientCAFile" => test_pem("root-cert.pem"),
227 "VerifyCAFile" => test_pem("root-cert.pem"),
228 "VerifyMode" => "Request",
231 "CipherString" => "DEFAULT:\@SECLEVEL=0",
232 "MinProtocol" => $protocol,
233 "MaxProtocol" => $protocol,
234 "Certificate" => test_pem("ee-client-chain.pem"),
235 "PrivateKey" => test_pem("ee-key.pem"),
238 "ExpectedResult" => "Success",
239 "ExpectedClientCertType" => "RSA",
240 "ExpectedClientSignType" => $clisigtype,
241 "ExpectedClientSignHash" => $clihash,
242 "ExpectedClientCANames" => test_pem("root-cert.pem"),
246 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
248 # Handshake with client authentication but without the root certificate.
250 name => "client-auth-${protocol_name}-noroot"
251 .($sctp ? "-sctp" : ""),
253 "CipherString" => "DEFAULT:\@SECLEVEL=0",
254 "MinProtocol" => $protocol,
255 "MaxProtocol" => $protocol,
256 "VerifyMode" => "Require",
259 "CipherString" => "DEFAULT:\@SECLEVEL=0",
260 "MinProtocol" => $protocol,
261 "MaxProtocol" => $protocol,
262 "Certificate" => test_pem("ee-client-chain.pem"),
263 "PrivateKey" => test_pem("ee-key.pem"),
266 "ExpectedResult" => "ServerFail",
267 "ExpectedServerAlert" => $caalert,
271 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;