X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Fssl-tests%2F04-client_auth.conf.in;h=b9c014d2c0d9f2135362ea1797543804af90e34e;hp=cd3d42f41628fa30e1be3d1416fed386fec2737f;hb=43a0f2733a943799060ea275516fcce00d89eb38;hpb=9f48bbacd8cac8d08dff146db438ab3e19908a7a
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index cd3d42f416..b9c014d2c0 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -8,118 +8,189 @@
 use strict;
 use warnings;
 use OpenSSL::Test;
-use OpenSSL::Test::Utils qw(anydisabled);
+use OpenSSL::Test::Utils qw(anydisabled disabled);
 setup("no_test_here");
 # We test version-flexible negotiation (undef) and each protocol version.
-my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
 my @is_disabled = (0);
-push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
 our @tests = ();
-my $dir_sep = $^O ne "VMS" ? "/" : "";
-
 sub generate_tests() {
-
 foreach (0..$#protocols) {
 my $protocol = $protocols[$_];
 my $protocol_name = $protocol || "flex";
 my $caalert;
+ my $method;
+ my $sctpenabled = 0;
 if (!$is_disabled[$_]) {
 if ($protocol_name eq "SSLv3") {
 $caalert = "BadCertificate";
 } else {
 $caalert = "UnknownCA";
 }
- # Sanity-check simple handshake.
- push @tests, {
- name => "server-auth-${protocol_name}",
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- test => { "ExpectedResult" => "Success" },
- };
+ if ($protocol_name =~ m/^DTLS/) {
+ $method = "DTLS";
+ $sctpenabled = 1 if !disabled("sctp");
+ }
+ my $clihash;
+ my $clisigtype;
+ my $clisigalgs;
+ # TODO(TLS1.3) add TLSv1.3 versions
+ if ($protocol_name eq "TLSv1.2") {
+ $clihash = "SHA256";
+ $clisigtype = "RSA";
+ $clisigalgs = "SHA256+RSA";
+ }
+ for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
+ # Sanity-check simple handshake.
+ push @tests, {
+ name => "server-auth-${protocol_name}"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "Method" => $method,
+ },
+ };
+ $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Handshake with client cert requested but not required or received.
- push @tests, {
- name => "client-auth-${protocol_name}-request",
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyMode" => "Request"
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- test => { "ExpectedResult" => "Success" },
- };
+ # Handshake with client cert requested but not required or received.
+ push @tests, {
+ name => "client-auth-${protocol_name}-request"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "VerifyMode" => "Request"
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "Method" => $method,
+ },
+ };
+ $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Handshake with client cert required but not present.
- push @tests, {
- name => "client-auth-${protocol_name}-require-fail",
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
- "VerifyMode" => "Require",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "ExpectedServerAlert" => "HandshakeFailure",
- },
- };
+ # Handshake with client cert required but not present.
+ push @tests, {
+ name => "client-auth-${protocol_name}-require-fail"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ExpectedServerAlert" =>
+ ($protocol_name eq "flex" && !disabled("tls1_3"))
+ ? "CertificateRequired" : "HandshakeFailure",
+ "Method" => $method,
+ },
+ };
+ $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Successful handshake with client authentication.
- push @tests, {
- name => "client-auth-${protocol_name}-require",
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
- "VerifyMode" => "Request",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
- },
- test => { "ExpectedResult" => "Success" },
- };
+ # Successful handshake with client authentication.
+ push @tests, {
+ name => "client-auth-${protocol_name}-require"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientSignatureAlgorithms" => $clisigalgs,
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Request",
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignType" => $clisigtype,
+ "ExpectedClientSignHash" => $clihash,
+ "ExpectedClientCANames" => "empty",
+ "Method" => $method,
+ },
+ };
+ $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
- # Handshake with client authentication but without the root certificate.
- push @tests, {
- name => "client-auth-${protocol_name}-noroot",
- server => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "VerifyMode" => "Require",
- },
- client => {
- "MinProtocol" => $protocol,
- "MaxProtocol" => $protocol,
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
- },
- test => {
- "ExpectedResult" => "ServerFail",
- "ExpectedServerAlert" => $caalert,
- },
- };
+ # Successful handshake with client authentication non-empty names
+ push @tests, {
+ name => "client-auth-${protocol_name}-require-non-empty-names"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "ClientSignatureAlgorithms" => $clisigalgs,
+ "ClientCAFile" => test_pem("root-cert.pem"),
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Request",
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignType" => $clisigtype,
+ "ExpectedClientSignHash" => $clihash,
+ "ExpectedClientCANames" => test_pem("root-cert.pem"),
+ "Method" => $method,
+ },
+ };
+ $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
+
+ # Handshake with client authentication but without the root certificate.
+ push @tests, {
+ name => "client-auth-${protocol_name}-noroot"
+ .($sctp ? "-sctp" : ""),
+ server => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "MinProtocol" => $protocol,
+ "MaxProtocol" => $protocol,
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ExpectedServerAlert" => $caalert,
+ "Method" => $method,
+ },
+ };
+ $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
+ }
 }
 }
 }
-
+
 generate_tests();
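Review bot: The `.($sctp ? "-sctp" : "")` name suffix and the trailing `$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;` are repeated verbatim for all six entries inside the new `for` loop, which is a C-style loop over a 0..1 range; hoisting the suffix once per iteration with `my $sctp_suffix = $sctp ? "-sctp" : "";` and writing the loop as `for my $sctp (0 .. $sctpenabled) {` leaves each entry with only the fields that actually differ. If the template drops undef-valued keys in the same way the unconditional `"Method" => $method` already relies on, `"UseSCTP" => ($sctp ? "Yes" : undef)` could move into each `test` hash instead of being patched in afterwards, but that is inferred from the `Method` usage and should be checked against the generator before relying on it. The `$clihash`/`$clisigtype`/`$clisigalgs` block pins the client signature algorithm only for TLSv1.2 and leaves the `ExpectedClientSign*` expectations undefined for every other protocol, including the flex case that may negotiate TLSv1.3; a comment next to the existing TODO such as `# Only TLSv1.2 pins the client signature algorithm; other versions leave these undef so no expectation is emitted` would make that gap explicit rather than implicit.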