# -*- mode: perl; -*- ## SSL test configurations package ssltests; use strict; use warnings; use OpenSSL::Test; use OpenSSL::Test::Utils qw(anydisabled); setup("no_test_here"); # We test version-flexible negotiation (undef) and each protocol version. my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); my @is_disabled = (0); push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"); our @tests = (); sub generate_tests() { foreach (0..$#protocols) { my $protocol = $protocols[$_]; my $protocol_name = $protocol || "flex"; my $caalert; if (!$is_disabled[$_]) { if ($protocol_name eq "SSLv3") { $caalert = "BadCertificate"; } else { $caalert = "UnknownCA"; } my $clihash; my $clisigtype; my $clisigalgs; # TODO(TLS1.3) add TLSv1.3 versions if ($protocol_name eq "TLSv1.2") { $clihash = "SHA256"; $clisigtype = "RSA"; $clisigalgs = "SHA256+RSA"; } # Sanity-check simple handshake. push @tests, { name => "server-auth-${protocol_name}", server => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, client => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, test => { "ExpectedResult" => "Success" }, }; # Handshake with client cert requested but not required or received. push @tests, { name => "client-auth-${protocol_name}-request", server => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, "VerifyMode" => "Request" }, client => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, test => { "ExpectedResult" => "Success" }, }; # Handshake with client cert required but not present. push @tests, { name => "client-auth-${protocol_name}-require-fail", server => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, "VerifyCAFile" => test_pem("root-cert.pem"), "VerifyMode" => "Require", }, client => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => "HandshakeFailure", }, }; # Successful handshake with client authentication. push @tests, { name => "client-auth-${protocol_name}-require", server => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, "ClientSignatureAlgorithms" => $clisigalgs, "VerifyCAFile" => test_pem("root-cert.pem"), "VerifyMode" => "Request", }, client => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), }, test => { "ExpectedResult" => "Success", "ExpectedClientCertType" => "RSA", "ExpectedClientSignType" => $clisigtype, "ExpectedClientSignHash" => $clihash, }, }; # Handshake with client authentication but without the root certificate. push @tests, { name => "client-auth-${protocol_name}-noroot", server => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, "VerifyMode" => "Require", }, client => { "MinProtocol" => $protocol, "MaxProtocol" => $protocol, "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), }, test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => $caalert, }, }; } } } generate_tests();