Reduce the security bits for MD5 and SHA1 based signatures in TLS
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
# NOTE(review): setup() appears to initialise the OpenSSL::Test harness that
# the test_pem() calls further down rely on; this file only generates test
# configuration and runs no tests itself — confirm against OpenSSL::Test.
setup("no_test_here");
13
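our $fips_mode;

my @protocols;
my @is_disabled = (0);

# We test version-flexible negotiation (undef) and each protocol version.
#
# @is_disabled is read in parallel with @protocols by generate_tests(): index 0
# is the version-flexible run and is never disabled, and each further index
# must hold the "disabled" flag for the protocol at the same position.  The
# feature list handed to anydisabled() therefore has to match the protocol
# list chosen by the branch below; using the full non-FIPS list in both cases
# would shift the flags in FIPS mode (e.g. a no-ssl3 build would skip the
# TLSv1.2 runs).
if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
} else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

# Filled in by generate_tests(); consumed by the ssl-tests generator.
our @tests = ();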
28
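# Base configuration shared by every server and client section: pin both
# peers to the protocol under test (undef keeps the handshake
# version-flexible).  Security level 0 switches off the security-level checks
# that would otherwise refuse the legacy versions exercised here and, per the
# change this file belongs to, MD5/SHA1-based signatures; it is a test-only
# setting.  Any further key/value pairs are merged into the section.
sub _peer_config {
    my ($protocol, %extra) = @_;
    return {
        "CipherString" => "DEFAULT:\@SECLEVEL=0",
        "MinProtocol"  => $protocol,
        "MaxProtocol"  => $protocol,
        %extra,
    };
}

# Append one test record to @tests; the SCTP variant of a DTLS run is tagged
# with UseSCTP so the generator selects the SCTP transport.
sub _add_test {
    my ($sctp, $test) = @_;
    $test->{"test"}{"UseSCTP"} = "Yes" if $sctp;
    push @tests, $test;
    return;
}

# Populate @tests with the client-authentication matrix.  For every protocol
# in @protocols that is not flagged in @is_disabled (plus an extra SCTP
# variant for DTLS when SCTP is compiled in) this emits: a plain server-auth
# handshake, a client-cert "Request" with no client cert, a client-cert
# "Require" with no client cert (server fails), two successful client-auth
# handshakes (empty and non-empty CA name list), and a client-auth handshake
# against a server with no trusted root (server fails).
sub generate_tests {
    for my $idx (0 .. $#protocols) {
        # @is_disabled is indexed in parallel with @protocols.
        next if $is_disabled[$idx];

        my $protocol      = $protocols[$idx];
        my $protocol_name = $protocol || "flex";

        # SSLv3 predates the unknown_ca alert, so a chain the server cannot
        # verify is reported there as bad_certificate.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        # DTLS runs need the DTLS method and get an extra SCTP variant when
        # SCTP support is compiled in.
        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Client signature expectations are only pinned for TLSv1.2; they
        # stay undef for every other version.
        my ($clihash, $clisigtype, $clisigalgs);
        # TODO(TLS1.3) add TLSv1.3 versions
        if ($protocol_name eq "TLSv1.2") {
            $clihash    = "SHA256";
            $clisigtype = "RSA";
            $clisigalgs = "SHA256+RSA";
        }

        # Missing client cert under "Require": a version-flexible handshake
        # that can reach TLSv1.3 gets the TLSv1.3 certificate_required alert,
        # every fixed version gets handshake_failure.
        my $require_fail_alert =
            ($protocol_name eq "flex" && !disabled("tls1_3"))
            ? "CertificateRequired" : "HandshakeFailure";

        for my $sctp (0 .. $sctpenabled) {
            my $suffix = $sctp ? "-sctp" : "";

            # Client-side credentials and the success expectations common to
            # both client-auth runs.
            my %client_cert = (
                "Certificate" => test_pem("ee-client-chain.pem"),
                "PrivateKey"  => test_pem("ee-key.pem"),
            );
            my %client_auth_expect = (
                "ExpectedResult"         => "Success",
                "ExpectedClientCertType" => "RSA",
                "ExpectedClientSignType" => $clisigtype,
                "ExpectedClientSignHash" => $clihash,
                "Method"                 => $method,
            );

            # Sanity-check simple handshake.
            _add_test($sctp, {
                name   => "server-auth-${protocol_name}${suffix}",
                server => _peer_config($protocol),
                client => _peer_config($protocol),
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            });

            # Handshake with client cert requested but not required or received.
            _add_test($sctp, {
                name   => "client-auth-${protocol_name}-request${suffix}",
                server => _peer_config($protocol, "VerifyMode" => "Request"),
                client => _peer_config($protocol),
                test   => {
                    "ExpectedResult" => "Success",
                    "Method"         => $method,
                },
            });

            # Handshake with client cert required but not present.
            _add_test($sctp, {
                name   => "client-auth-${protocol_name}-require-fail${suffix}",
                server => _peer_config($protocol,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode"   => "Require",
                ),
                client => _peer_config($protocol),
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $require_fail_alert,
                    "Method"              => $method,
                },
            });

            # Successful handshake with client authentication.
            _add_test($sctp, {
                name   => "client-auth-${protocol_name}-require${suffix}",
                server => _peer_config($protocol,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile"              => test_pem("root-cert.pem"),
                    "VerifyMode"                => "Request",
                ),
                client => _peer_config($protocol, %client_cert),
                test   => {
                    %client_auth_expect,
                    "ExpectedClientCANames" => "empty",
                },
            });

            # Successful handshake with client authentication non-empty names
            _add_test($sctp, {
                name   => "client-auth-${protocol_name}-require-non-empty-names${suffix}",
                server => _peer_config($protocol,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile"              => test_pem("root-cert.pem"),
                    "VerifyCAFile"              => test_pem("root-cert.pem"),
                    "VerifyMode"                => "Request",
                ),
                client => _peer_config($protocol, %client_cert),
                test   => {
                    %client_auth_expect,
                    "ExpectedClientCANames" => test_pem("root-cert.pem"),
                },
            });

            # Handshake with client authentication but without the root certificate.
            _add_test($sctp, {
                name   => "client-auth-${protocol_name}-noroot${suffix}",
                server => _peer_config($protocol, "VerifyMode" => "Require"),
                client => _peer_config($protocol, %client_cert),
                test   => {
                    "ExpectedResult"      => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method"              => $method,
                },
            });
        }
    }
    return;
}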
214
# Build @tests at load time so the ssl-tests generator sees a populated list.
generate_tests();