Fix some TLSv1.3 alert issues
[openssl.git] / test / ssl-tests / 04-client_auth.conf.in
index e1044f9..b9c014d 100644 (file)
@@ -8,112 +8,189 @@ use strict;
 use warnings;
 
 use OpenSSL::Test;
-use OpenSSL::Test::Utils qw(anydisabled);
+use OpenSSL::Test::Utils qw(anydisabled disabled);
 setup("no_test_here");
 
 # We test version-flexible negotiation (undef) and each protocol version.
-my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
 
 my @is_disabled = (0);
-push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
 
 our @tests = ();
 
-my $dir_sep = $^O ne "VMS" ? "/" : "";
-
 sub generate_tests() {
-
     foreach (0..$#protocols) {
         my $protocol = $protocols[$_];
         my $protocol_name = $protocol || "flex";
+        my $caalert;
+        my $method;
+        my $sctpenabled = 0;
         if (!$is_disabled[$_]) {
-            # Sanity-check simple handshake.
-            push @tests, {
-                name => "server-auth-${protocol_name}",
-                server => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol
-                },
-                client => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol
-                },
-                test   => { "ExpectedResult" => "Success" },
-            };
+            if ($protocol_name eq "SSLv3") {
+                $caalert = "BadCertificate";
+            } else {
+                $caalert = "UnknownCA";
+            }
+            if ($protocol_name =~ m/^DTLS/) {
+                $method = "DTLS";
+                $sctpenabled = 1 if !disabled("sctp");
+            }
+            my $clihash;
+            my $clisigtype;
+            my $clisigalgs;
+            # TODO(TLS1.3) add TLSv1.3 versions
+            if ($protocol_name eq "TLSv1.2") {
+                $clihash = "SHA256";
+                $clisigtype = "RSA";
+                $clisigalgs = "SHA256+RSA";
+            }
+            for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
+                # Sanity-check simple handshake.
+                push @tests, {
+                    name => "server-auth-${protocol_name}"
+                            .($sctp ? "-sctp" : ""),
+                    server => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol
+                    },
+                    client => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol
+                    },
+                    test   => {
+                        "ExpectedResult" => "Success",
+                        "Method" => $method,
+                    },
+                };
+                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 
-            # Handshake with client cert requested but not required or received.
-            push @tests, {
-                name => "client-auth-${protocol_name}-request",
-                server => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol,
-                    "VerifyMode" => "Request"
-                },
-                client => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol
-                },
-                test   => { "ExpectedResult" => "Success" },
-            };
+                # Handshake with client cert requested but not required or received.
+                push @tests, {
+                    name => "client-auth-${protocol_name}-request"
+                            .($sctp ? "-sctp" : ""),
+                    server => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "VerifyMode" => "Request"
+                    },
+                    client => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol
+                    },
+                    test   => {
+                        "ExpectedResult" => "Success",
+                        "Method" => $method,
+                    },
+                };
+                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 
-            # Handshake with client cert required but not present.
-            push @tests, {
-                name => "client-auth-${protocol_name}-require-fail",
-                server => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol,
-                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
-                    "VerifyMode" => "Require",
-                },
-                client => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol
-                },
-                test   => {
-                    "ExpectedResult" => "ServerFail",
-                    "ServerAlert" => "HandshakeFailure",
-                },
-            };
+                # Handshake with client cert required but not present.
+                push @tests, {
+                    name => "client-auth-${protocol_name}-require-fail"
+                            .($sctp ? "-sctp" : ""),
+                    server => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "VerifyCAFile" => test_pem("root-cert.pem"),
+                        "VerifyMode" => "Require",
+                    },
+                    client => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol
+                    },
+                    test   => {
+                        "ExpectedResult" => "ServerFail",
+                        "ExpectedServerAlert" =>
+                        ($protocol_name eq "flex" && !disabled("tls1_3"))
+                        ? "CertificateRequired" : "HandshakeFailure",
+                        "Method" => $method,
+                    },
+                };
+                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 
-            # Successful handshake with client authentication.
-            push @tests, {
-                name => "client-auth-${protocol_name}-require",
-                server => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol,
-                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
-                    "VerifyMode" => "Request",
-                },
-                client => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol,
-                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
-                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
-                },
-                test   => { "ExpectedResult" => "Success" },
-            };
+                # Successful handshake with client authentication.
+                push @tests, {
+                    name => "client-auth-${protocol_name}-require"
+                             .($sctp ? "-sctp" : ""),
+                    server => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "ClientSignatureAlgorithms" => $clisigalgs,
+                        "VerifyCAFile" => test_pem("root-cert.pem"),
+                        "VerifyMode" => "Request",
+                    },
+                    client => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "Certificate" => test_pem("ee-client-chain.pem"),
+                        "PrivateKey"  => test_pem("ee-key.pem"),
+                    },
+                    test   => {
+                        "ExpectedResult" => "Success",
+                        "ExpectedClientCertType" => "RSA",
+                        "ExpectedClientSignType" => $clisigtype,
+                        "ExpectedClientSignHash" => $clihash,
+                        "ExpectedClientCANames" => "empty",
+                        "Method" => $method,
+                    },
+                };
+                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
 
-            # Handshake with client authentication but without the root certificate.
-            push @tests, {
-                name => "client-auth-${protocol_name}-noroot",
-                server => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol,
-                    "VerifyMode" => "Require",
-                },
-                client => {
-                    "MinProtocol" => $protocol,
-                    "MaxProtocol" => $protocol,
-                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
-                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
-                },
-                test   => {
-                    "ExpectedResult" => "ServerFail",
-                    "ServerAlert" => "UnknownCA",
-                },
-            };
+                # Successful handshake with client authentication non-empty names
+                push @tests, {
+                    name => "client-auth-${protocol_name}-require-non-empty-names"
+                            .($sctp ? "-sctp" : ""),
+                    server => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "ClientSignatureAlgorithms" => $clisigalgs,
+                        "ClientCAFile" => test_pem("root-cert.pem"),
+                        "VerifyCAFile" => test_pem("root-cert.pem"),
+                        "VerifyMode" => "Request",
+                    },
+                    client => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "Certificate" => test_pem("ee-client-chain.pem"),
+                        "PrivateKey"  => test_pem("ee-key.pem"),
+                    },
+                    test   => {
+                        "ExpectedResult" => "Success",
+                        "ExpectedClientCertType" => "RSA",
+                        "ExpectedClientSignType" => $clisigtype,
+                        "ExpectedClientSignHash" => $clihash,
+                        "ExpectedClientCANames" => test_pem("root-cert.pem"),
+                        "Method" => $method,
+                    },
+                };
+                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
+
+                # Handshake with client authentication but without the root certificate.
+                push @tests, {
+                    name => "client-auth-${protocol_name}-noroot"
+                            .($sctp ? "-sctp" : ""),
+                    server => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "VerifyMode" => "Require",
+                    },
+                    client => {
+                        "MinProtocol" => $protocol,
+                        "MaxProtocol" => $protocol,
+                        "Certificate" => test_pem("ee-client-chain.pem"),
+                        "PrivateKey"  => test_pem("ee-key.pem"),
+                    },
+                    test   => {
+                        "ExpectedResult" => "ServerFail",
+                        "ExpectedServerAlert" => $caalert,
+                        "Method" => $method,
+                    },
+                };
+                $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
+            }
         }
     }
 }
+
 generate_tests();