1*1dcdf01fSchristos /* 2*1dcdf01fSchristos * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. 3*1dcdf01fSchristos * 4*1dcdf01fSchristos * Licensed under the OpenSSL license (the "License"). You may not use 5*1dcdf01fSchristos * this file except in compliance with the License. You can obtain a copy 6*1dcdf01fSchristos * in the file LICENSE in the source distribution or at 7*1dcdf01fSchristos * https://www.openssl.org/source/license.html 8*1dcdf01fSchristos */ 9*1dcdf01fSchristos 10*1dcdf01fSchristos #ifndef OSSL_TEST_SSL_TEST_CTX_H 11*1dcdf01fSchristos #define OSSL_TEST_SSL_TEST_CTX_H 12*1dcdf01fSchristos 13*1dcdf01fSchristos #include <openssl/conf.h> 14*1dcdf01fSchristos #include <openssl/ssl.h> 15*1dcdf01fSchristos 16*1dcdf01fSchristos typedef enum { 17*1dcdf01fSchristos SSL_TEST_SUCCESS = 0, /* Default */ 18*1dcdf01fSchristos SSL_TEST_SERVER_FAIL, 19*1dcdf01fSchristos SSL_TEST_CLIENT_FAIL, 20*1dcdf01fSchristos SSL_TEST_INTERNAL_ERROR, 21*1dcdf01fSchristos /* Couldn't test resumption/renegotiation: original handshake failed. */ 22*1dcdf01fSchristos SSL_TEST_FIRST_HANDSHAKE_FAILED 23*1dcdf01fSchristos } ssl_test_result_t; 24*1dcdf01fSchristos 25*1dcdf01fSchristos typedef enum { 26*1dcdf01fSchristos SSL_TEST_VERIFY_NONE = 0, /* Default */ 27*1dcdf01fSchristos SSL_TEST_VERIFY_ACCEPT_ALL, 28*1dcdf01fSchristos SSL_TEST_VERIFY_REJECT_ALL 29*1dcdf01fSchristos } ssl_verify_callback_t; 30*1dcdf01fSchristos 31*1dcdf01fSchristos typedef enum { 32*1dcdf01fSchristos SSL_TEST_SERVERNAME_NONE = 0, /* Default */ 33*1dcdf01fSchristos SSL_TEST_SERVERNAME_SERVER1, 34*1dcdf01fSchristos SSL_TEST_SERVERNAME_SERVER2, 35*1dcdf01fSchristos SSL_TEST_SERVERNAME_INVALID 36*1dcdf01fSchristos } ssl_servername_t; 37*1dcdf01fSchristos 38*1dcdf01fSchristos typedef enum { 39*1dcdf01fSchristos SSL_TEST_SERVERNAME_CB_NONE = 0, /* Default */ 40*1dcdf01fSchristos SSL_TEST_SERVERNAME_IGNORE_MISMATCH, 41*1dcdf01fSchristos SSL_TEST_SERVERNAME_REJECT_MISMATCH, 42*1dcdf01fSchristos SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH, 43*1dcdf01fSchristos SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH, 44*1dcdf01fSchristos SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12 45*1dcdf01fSchristos } ssl_servername_callback_t; 46*1dcdf01fSchristos 47*1dcdf01fSchristos typedef enum { 48*1dcdf01fSchristos SSL_TEST_SESSION_TICKET_IGNORE = 0, /* Default */ 49*1dcdf01fSchristos SSL_TEST_SESSION_TICKET_YES, 50*1dcdf01fSchristos SSL_TEST_SESSION_TICKET_NO, 51*1dcdf01fSchristos SSL_TEST_SESSION_TICKET_BROKEN /* Special test */ 52*1dcdf01fSchristos } ssl_session_ticket_t; 53*1dcdf01fSchristos 54*1dcdf01fSchristos typedef enum { 55*1dcdf01fSchristos SSL_TEST_COMPRESSION_NO = 0, /* Default */ 56*1dcdf01fSchristos SSL_TEST_COMPRESSION_YES 57*1dcdf01fSchristos } ssl_compression_t; 58*1dcdf01fSchristos 59*1dcdf01fSchristos typedef enum { 60*1dcdf01fSchristos SSL_TEST_SESSION_ID_IGNORE = 0, /* Default */ 61*1dcdf01fSchristos SSL_TEST_SESSION_ID_YES, 62*1dcdf01fSchristos SSL_TEST_SESSION_ID_NO 63*1dcdf01fSchristos } ssl_session_id_t; 64*1dcdf01fSchristos 65*1dcdf01fSchristos typedef enum { 66*1dcdf01fSchristos SSL_TEST_METHOD_TLS = 0, /* Default */ 67*1dcdf01fSchristos SSL_TEST_METHOD_DTLS 68*1dcdf01fSchristos } ssl_test_method_t; 69*1dcdf01fSchristos 70*1dcdf01fSchristos typedef enum { 71*1dcdf01fSchristos SSL_TEST_HANDSHAKE_SIMPLE = 0, /* Default */ 72*1dcdf01fSchristos SSL_TEST_HANDSHAKE_RESUME, 73*1dcdf01fSchristos SSL_TEST_HANDSHAKE_RENEG_SERVER, 74*1dcdf01fSchristos SSL_TEST_HANDSHAKE_RENEG_CLIENT, 75*1dcdf01fSchristos SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER, 76*1dcdf01fSchristos SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT, 77*1dcdf01fSchristos SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH 78*1dcdf01fSchristos } ssl_handshake_mode_t; 79*1dcdf01fSchristos 80*1dcdf01fSchristos typedef enum { 81*1dcdf01fSchristos SSL_TEST_CT_VALIDATION_NONE = 0, /* Default */ 82*1dcdf01fSchristos SSL_TEST_CT_VALIDATION_PERMISSIVE, 83*1dcdf01fSchristos SSL_TEST_CT_VALIDATION_STRICT 84*1dcdf01fSchristos } ssl_ct_validation_t; 85*1dcdf01fSchristos 86*1dcdf01fSchristos typedef enum { 87*1dcdf01fSchristos SSL_TEST_CERT_STATUS_NONE = 0, /* Default */ 88*1dcdf01fSchristos SSL_TEST_CERT_STATUS_GOOD_RESPONSE, 89*1dcdf01fSchristos SSL_TEST_CERT_STATUS_BAD_RESPONSE 90*1dcdf01fSchristos } ssl_cert_status_t; 91*1dcdf01fSchristos 92*1dcdf01fSchristos /* 93*1dcdf01fSchristos * Server/client settings that aren't supported by the SSL CONF library, 94*1dcdf01fSchristos * such as callbacks. 95*1dcdf01fSchristos */ 96*1dcdf01fSchristos typedef struct { 97*1dcdf01fSchristos /* One of a number of predefined custom callbacks. */ 98*1dcdf01fSchristos ssl_verify_callback_t verify_callback; 99*1dcdf01fSchristos /* One of a number of predefined server names use by the client */ 100*1dcdf01fSchristos ssl_servername_t servername; 101*1dcdf01fSchristos /* Maximum Fragment Length extension mode */ 102*1dcdf01fSchristos int max_fragment_len_mode; 103*1dcdf01fSchristos /* Supported NPN and ALPN protocols. A comma-separated list. */ 104*1dcdf01fSchristos char *npn_protocols; 105*1dcdf01fSchristos char *alpn_protocols; 106*1dcdf01fSchristos ssl_ct_validation_t ct_validation; 107*1dcdf01fSchristos /* Ciphersuites to set on a renegotiation */ 108*1dcdf01fSchristos char *reneg_ciphers; 109*1dcdf01fSchristos char *srp_user; 110*1dcdf01fSchristos char *srp_password; 111*1dcdf01fSchristos /* PHA enabled */ 112*1dcdf01fSchristos int enable_pha; 113*1dcdf01fSchristos } SSL_TEST_CLIENT_CONF; 114*1dcdf01fSchristos 115*1dcdf01fSchristos typedef struct { 116*1dcdf01fSchristos /* SNI callback (server-side). */ 117*1dcdf01fSchristos ssl_servername_callback_t servername_callback; 118*1dcdf01fSchristos /* Supported NPN and ALPN protocols. A comma-separated list. */ 119*1dcdf01fSchristos char *npn_protocols; 120*1dcdf01fSchristos char *alpn_protocols; 121*1dcdf01fSchristos /* Whether to set a broken session ticket callback. */ 122*1dcdf01fSchristos int broken_session_ticket; 123*1dcdf01fSchristos /* Should we send a CertStatus message? */ 124*1dcdf01fSchristos ssl_cert_status_t cert_status; 125*1dcdf01fSchristos /* An SRP user known to the server. */ 126*1dcdf01fSchristos char *srp_user; 127*1dcdf01fSchristos char *srp_password; 128*1dcdf01fSchristos /* Forced PHA */ 129*1dcdf01fSchristos int force_pha; 130*1dcdf01fSchristos char *session_ticket_app_data; 131*1dcdf01fSchristos } SSL_TEST_SERVER_CONF; 132*1dcdf01fSchristos 133*1dcdf01fSchristos typedef struct { 134*1dcdf01fSchristos SSL_TEST_CLIENT_CONF client; 135*1dcdf01fSchristos SSL_TEST_SERVER_CONF server; 136*1dcdf01fSchristos SSL_TEST_SERVER_CONF server2; 137*1dcdf01fSchristos } SSL_TEST_EXTRA_CONF; 138*1dcdf01fSchristos 139*1dcdf01fSchristos typedef struct { 140*1dcdf01fSchristos /* 141*1dcdf01fSchristos * Global test configuration. Does not change between handshakes. 142*1dcdf01fSchristos */ 143*1dcdf01fSchristos /* Whether the server/client CTX should use DTLS or TLS. */ 144*1dcdf01fSchristos ssl_test_method_t method; 145*1dcdf01fSchristos /* Whether to test a resumed/renegotiated handshake. */ 146*1dcdf01fSchristos ssl_handshake_mode_t handshake_mode; 147*1dcdf01fSchristos /* 148*1dcdf01fSchristos * How much application data to exchange (default is 256 bytes). 149*1dcdf01fSchristos * Both peers will send |app_data_size| bytes interleaved. 150*1dcdf01fSchristos */ 151*1dcdf01fSchristos int app_data_size; 152*1dcdf01fSchristos /* Maximum send fragment size. */ 153*1dcdf01fSchristos int max_fragment_size; 154*1dcdf01fSchristos /* KeyUpdate type */ 155*1dcdf01fSchristos int key_update_type; 156*1dcdf01fSchristos 157*1dcdf01fSchristos /* 158*1dcdf01fSchristos * Extra server/client configurations. Per-handshake. 159*1dcdf01fSchristos */ 160*1dcdf01fSchristos /* First handshake. */ 161*1dcdf01fSchristos SSL_TEST_EXTRA_CONF extra; 162*1dcdf01fSchristos /* Resumed handshake. */ 163*1dcdf01fSchristos SSL_TEST_EXTRA_CONF resume_extra; 164*1dcdf01fSchristos 165*1dcdf01fSchristos /* 166*1dcdf01fSchristos * Test expectations. These apply to the LAST handshake. 167*1dcdf01fSchristos */ 168*1dcdf01fSchristos /* Defaults to SUCCESS. */ 169*1dcdf01fSchristos ssl_test_result_t expected_result; 170*1dcdf01fSchristos /* Alerts. 0 if no expectation. */ 171*1dcdf01fSchristos /* See ssl.h for alert codes. */ 172*1dcdf01fSchristos /* Alert sent by the client / received by the server. */ 173*1dcdf01fSchristos int expected_client_alert; 174*1dcdf01fSchristos /* Alert sent by the server / received by the client. */ 175*1dcdf01fSchristos int expected_server_alert; 176*1dcdf01fSchristos /* Negotiated protocol version. 0 if no expectation. */ 177*1dcdf01fSchristos /* See ssl.h for protocol versions. */ 178*1dcdf01fSchristos int expected_protocol; 179*1dcdf01fSchristos /* 180*1dcdf01fSchristos * The expected SNI context to use. 181*1dcdf01fSchristos * We test server-side that the server switched to the expected context. 182*1dcdf01fSchristos * Set by the callback upon success, so if the callback wasn't called or 183*1dcdf01fSchristos * terminated with an alert, the servername will match with 184*1dcdf01fSchristos * SSL_TEST_SERVERNAME_NONE. 185*1dcdf01fSchristos * Note: in the event that the servername was accepted, the client should 186*1dcdf01fSchristos * also receive an empty SNI extension back but we have no way of probing 187*1dcdf01fSchristos * client-side via the API that this was the case. 188*1dcdf01fSchristos */ 189*1dcdf01fSchristos ssl_servername_t expected_servername; 190*1dcdf01fSchristos ssl_session_ticket_t session_ticket_expected; 191*1dcdf01fSchristos int compression_expected; 192*1dcdf01fSchristos /* The expected NPN/ALPN protocol to negotiate. */ 193*1dcdf01fSchristos char *expected_npn_protocol; 194*1dcdf01fSchristos char *expected_alpn_protocol; 195*1dcdf01fSchristos /* Whether the second handshake is resumed or a full handshake (boolean). */ 196*1dcdf01fSchristos int resumption_expected; 197*1dcdf01fSchristos /* Expected temporary key type */ 198*1dcdf01fSchristos int expected_tmp_key_type; 199*1dcdf01fSchristos /* Expected server certificate key type */ 200*1dcdf01fSchristos int expected_server_cert_type; 201*1dcdf01fSchristos /* Expected server signing hash */ 202*1dcdf01fSchristos int expected_server_sign_hash; 203*1dcdf01fSchristos /* Expected server signature type */ 204*1dcdf01fSchristos int expected_server_sign_type; 205*1dcdf01fSchristos /* Expected server CA names */ 206*1dcdf01fSchristos STACK_OF(X509_NAME) *expected_server_ca_names; 207*1dcdf01fSchristos /* Expected client certificate key type */ 208*1dcdf01fSchristos int expected_client_cert_type; 209*1dcdf01fSchristos /* Expected client signing hash */ 210*1dcdf01fSchristos int expected_client_sign_hash; 211*1dcdf01fSchristos /* Expected client signature type */ 212*1dcdf01fSchristos int expected_client_sign_type; 213*1dcdf01fSchristos /* Expected CA names for client auth */ 214*1dcdf01fSchristos STACK_OF(X509_NAME) *expected_client_ca_names; 215*1dcdf01fSchristos /* Whether to use SCTP for the transport */ 216*1dcdf01fSchristos int use_sctp; 217*1dcdf01fSchristos /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on client side */ 218*1dcdf01fSchristos int enable_client_sctp_label_bug; 219*1dcdf01fSchristos /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on server side */ 220*1dcdf01fSchristos int enable_server_sctp_label_bug; 221*1dcdf01fSchristos /* Whether to expect a session id from the server */ 222*1dcdf01fSchristos ssl_session_id_t session_id_expected; 223*1dcdf01fSchristos char *expected_cipher; 224*1dcdf01fSchristos /* Expected Session Ticket Application Data */ 225*1dcdf01fSchristos char *expected_session_ticket_app_data; 226*1dcdf01fSchristos } SSL_TEST_CTX; 227*1dcdf01fSchristos 228*1dcdf01fSchristos const char *ssl_test_result_name(ssl_test_result_t result); 229*1dcdf01fSchristos const char *ssl_alert_name(int alert); 230*1dcdf01fSchristos const char *ssl_protocol_name(int protocol); 231*1dcdf01fSchristos const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback); 232*1dcdf01fSchristos const char *ssl_servername_name(ssl_servername_t server); 233*1dcdf01fSchristos const char *ssl_servername_callback_name(ssl_servername_callback_t 234*1dcdf01fSchristos servername_callback); 235*1dcdf01fSchristos const char *ssl_session_ticket_name(ssl_session_ticket_t server); 236*1dcdf01fSchristos const char *ssl_session_id_name(ssl_session_id_t server); 237*1dcdf01fSchristos const char *ssl_test_method_name(ssl_test_method_t method); 238*1dcdf01fSchristos const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode); 239*1dcdf01fSchristos const char *ssl_ct_validation_name(ssl_ct_validation_t mode); 240*1dcdf01fSchristos const char *ssl_certstatus_name(ssl_cert_status_t cert_status); 241*1dcdf01fSchristos const char *ssl_max_fragment_len_name(int MFL_mode); 242*1dcdf01fSchristos 243*1dcdf01fSchristos /* 244*1dcdf01fSchristos * Load the test case context from |conf|. 245*1dcdf01fSchristos * See test/README.ssltest.md for details on the conf file format. 246*1dcdf01fSchristos */ 247*1dcdf01fSchristos SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section); 248*1dcdf01fSchristos 249*1dcdf01fSchristos SSL_TEST_CTX *SSL_TEST_CTX_new(void); 250*1dcdf01fSchristos 251*1dcdf01fSchristos void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx); 252*1dcdf01fSchristos 253*1dcdf01fSchristos #endif /* OSSL_TEST_SSL_TEST_CTX_H */ 254