# -*- mode: perl; -*-
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## Test Renegotiation
#
# Builds @ssltests::tests, a list of DTLS renegotiation scenarios. Each
# entry is a hash with a name plus "server", "client" and "test" sections.
# Every scenario is generated once for plain DTLS and once more over SCTP
# (name suffix "-sctp") when SCTP is available in the build.
#
# Every case here is a positive one ("ExpectedResult" => "Success");
# rejected or failing renegotiations are not exercised by this file.

use strict;
use warnings;

package ssltests;
use OpenSSL::Test::Utils;

# Not assigned in this file; presumably set by whatever loads this
# template -- TODO confirm against the generator.
our $fips_mode;

our @tests = ();

for my $sctp (qw(No Yes))
{
    # No SCTP variant when the build has SCTP disabled.
    next if disabled("sctp") && $sctp eq "Yes";
    # Nothing is generated in FIPS mode when DTLSv1.2 is disabled.
    next if disabled("dtls1_2") && $fips_mode;

    my $suffix = "";
    $suffix = "-sctp" unless $sctp eq "No";

    # Single-quoted so that "@SECLEVEL" is not interpolated as an array.
    # Security level 0 switches off OpenSSL's security-level restrictions
    # on algorithms and key sizes, so this string belongs in test
    # configurations only and is not a template for a deployed service.
    my $seclevel0 = 'DEFAULT:@SECLEVEL=0';
    my $max_dtls  = "DTLSv1.2";

    # Returns a fresh "test" section on every call, so no two scenarios
    # share a hash reference.
    my $dtls_test = sub {
        my ($mode, $resumption) = @_;
        return {
            Method             => "DTLS",
            UseSCTP            => $sctp,
            HandshakeMode      => $mode,
            ResumptionExpected => $resumption,
            ExpectedResult     => "Success",
        };
    };

    our @tests_basic = (
        # Client-initiated renegotiation; the server sets
        # NoResumptionOnRenegotiation, so no resumption is expected.
        {
            name   => "renegotiate-client-no-resume$suffix",
            server => {
                MaxProtocol  => $max_dtls,
                CipherString => $seclevel0,
                Options      => "NoResumptionOnRenegotiation",
            },
            client => {
                CipherString => $seclevel0,
            },
            test => $dtls_test->("RenegotiateClient", "No"),
        },
        # Client-initiated renegotiation without that server option;
        # the session is expected to be resumed.
        {
            name   => "renegotiate-client-resume$suffix",
            server => {
                MaxProtocol  => $max_dtls,
                CipherString => $seclevel0,
            },
            client => {
                CipherString => $seclevel0,
            },
            test => $dtls_test->("RenegotiateClient", "Yes"),
        },
        # Note: In contrast to the TLS tests, resumption never happens with
        # server initiated reneg. An OpenSSL DTLS client that receives a
        # HelloRequest always performs a full handshake (i.e. it supplies no
        # session id), whereas an OpenSSL TLS client always attempts an
        # abbreviated handshake (i.e. it supplies the session id). This dates
        # back to commit 48ae85b6f, when abbreviated handshake support was
        # first added. Neither behaviour is wrong, but the discrepancy is
        # strange. TODO: Should we harmonise the TLS and DTLS behaviour,
        # and if so, what to?
        {
            name   => "renegotiate-server-resume$suffix",
            server => {
                MaxProtocol  => $max_dtls,
                CipherString => $seclevel0,
            },
            client => {
                CipherString => $seclevel0,
            },
            test => $dtls_test->("RenegotiateServer", "No"),
        },
        # Server-initiated renegotiation with client certificate
        # authentication, server VerifyMode "Require".
        {
            name   => "renegotiate-client-auth-require$suffix",
            server => {
                MaxProtocol  => $max_dtls,
                VerifyCAFile => test_pem("root-cert.pem"),
                VerifyMode   => "Require",
                CipherString => $seclevel0,
            },
            client => {
                Certificate  => test_pem("ee-client-chain.pem"),
                PrivateKey   => test_pem("ee-key.pem"),
                CipherString => $seclevel0,
            },
            test => $dtls_test->("RenegotiateServer", "No"),
        },
        # Same scenario with server VerifyMode "Once".
        {
            name   => "renegotiate-client-auth-once$suffix",
            server => {
                MaxProtocol  => $max_dtls,
                VerifyCAFile => test_pem("root-cert.pem"),
                VerifyMode   => "Once",
                CipherString => $seclevel0,
            },
            client => {
                Certificate  => test_pem("ee-client-chain.pem"),
                PrivateKey   => test_pem("ee-key.pem"),
                CipherString => $seclevel0,
            },
            test => $dtls_test->("RenegotiateServer", "No"),
        },
    );
    push @tests, @tests_basic;

    # The cipher-change scenarios below are generated only when DTLSv1.2
    # is available.
    next if disabled("dtls1_2");

    # Client-initiated renegotiation in which the client offers a
    # different cipher for the second handshake ("RenegotiateCiphers"),
    # covering each AEAD / non-AEAD combination named in the test name.
    # Columns: name fragment, initial cipher, cipher for renegotiation.
    our @tests_dtls1_2 = map {
        my ($label, $initial, $renegotiated) = @{$_};
        +{
            name   => "renegotiate-$label$suffix",
            server => {
                Options => "NoResumptionOnRenegotiation",
            },
            client => {
                MaxProtocol  => $max_dtls,
                CipherString => $initial,
                extra        => {
                    RenegotiateCiphers => $renegotiated,
                },
            },
            test => $dtls_test->("RenegotiateClient", "No"),
        };
    } (
        [ "aead-to-non-aead",     "AES128-GCM-SHA256", "AES128-SHA" ],
        [ "non-aead-to-aead",     "AES128-SHA",        "AES128-GCM-SHA256" ],
        [ "non-aead-to-non-aead", "AES128-SHA",        "AES256-SHA" ],
        [ "aead-to-aead",         "AES128-GCM-SHA256", "AES256-GCM-SHA384" ],
    );
    push @tests, @tests_dtls1_2;
}