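# -*- mode: perl; -*-

## SSL test configurations
##
## Client-authentication test matrix: for version-flexible negotiation and
## for each enabled fixed protocol version (plus a DTLS-over-SCTP variant
## where the build supports it) this generates six handshakes covering
## server-only auth, optional client auth, mandatory client auth with and
## without a certificate, CA-name advertisement and an unverifiable client
## chain.  Results are appended to @tests for the test generator.

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");

# Only read here; expected to be set by whoever loads this file.  When true the
# matrix is restricted to the TLSv1.2/DTLSv1.2 entries.
our $fips_mode;

my @protocols;
my @is_disabled = (0);

# We test version-flexible negotiation (undef) and each protocol version.
# @is_disabled is index-aligned with @protocols; the leading 0 belongs to the
# version-flexible ("flex") entry, which can never be compiled out.
if ($fips_mode) {
    @protocols = (undef, "TLSv1.2", "DTLSv1.2");
    push @is_disabled, anydisabled("tls1_2", "dtls1_2");
} else {
    @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
    push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
}

our @tests = ();

# Every peer in this file runs at security level 0 so that the legacy protocol
# versions listed above can actually be negotiated.  This is a test-only
# setting: SECLEVEL=0 switches off the library's minimum-strength checks and
# must not be copied into production configuration.
my $cipher_string = "DEFAULT:\@SECLEVEL=0";

# Build one peer (server or client) configuration hash.
#
# $protocol: fixed version for both MinProtocol and MaxProtocol, or undef for
#            version-flexible negotiation (the keys are still emitted, as
#            before, with an undef value).
# %extra:    further "Key" => value pairs merged into the hash.
# Returns a hash reference.
sub _peer_config {
    my ($protocol, %extra) = @_;
    return {
        "CipherString" => $cipher_string,
        "MinProtocol" => $protocol,
        "MaxProtocol" => $protocol,
        %extra,
    };
}

# Append one test case to @tests.
#
# $sctp: true when generating the DTLS-over-SCTP variant; the name then gets
#        a "-sctp" suffix and the test section is marked UseSCTP = Yes.
# %test: the case itself (name, server, client, test).
sub _add_test {
    my ($sctp, %test) = @_;
    if ($sctp) {
        $test{name} .= "-sctp";
        $test{test}{"UseSCTP"} = "Yes";
    }
    push @tests, \%test;
    return;
}

# Populate @tests for every enabled protocol entry.  Disabled versions are
# skipped entirely rather than emitted as failing cases.
sub generate_tests {
    for my $i (0 .. $#protocols) {
        next if $is_disabled[$i];

        my $protocol = $protocols[$i];
        my $protocol_name = $protocol || "flex";

        # Alert expected when the server is handed a client certificate it
        # cannot chain to a trusted root.  SSLv3 has no unknown_ca alert code,
        # so it reports bad_certificate instead.
        my $caalert = $protocol_name eq "SSLv3" ? "BadCertificate" : "UnknownCA";

        my $method;
        my $sctpenabled = 0;
        if ($protocol_name =~ m/^DTLS/) {
            $method = "DTLS";
            # DTLS cases are additionally run over SCTP when available.
            $sctpenabled = 1 if !disabled("sctp");
        }

        # Client signature expectations are pinned only for TLSv1.2; for the
        # other entries these stay undef and are not checked.
        # TODO(TLS1.3) add TLSv1.3 versions
        my ($clihash, $clisigtype, $clisigalgs);
        if ($protocol_name eq "TLSv1.2") {
            $clihash = "SHA256";
            $clisigtype = "RSA";
            $clisigalgs = "SHA256+RSA";
        }

        # A server that requires a client certificate and receives none:
        # a version-flexible handshake on a build with TLSv1.3 (which needs
        # EC or DH for key exchange) negotiates TLSv1.3 and uses its dedicated
        # certificate_required alert; every other version reports
        # handshake_failure.
        my $require_fail_alert =
            ($protocol_name eq "flex"
             && !disabled("tls1_3")
             && (!disabled("ec") || !disabled("dh")))
            ? "CertificateRequired" : "HandshakeFailure";

        for my $sctp (0 .. $sctpenabled) {
            # Sanity-check simple handshake.
            _add_test($sctp,
                name => "server-auth-${protocol_name}",
                server => _peer_config($protocol),
                client => _peer_config($protocol),
                test => {
                    "ExpectedResult" => "Success",
                    "Method" => $method,
                },
            );

            # Handshake with client cert requested but not required or received.
            # NOTE: VerifyMode=Request still accepts a client that presents no
            # certificate; a deployment that needs mutual TLS must use Require.
            _add_test($sctp,
                name => "client-auth-${protocol_name}-request",
                server => _peer_config($protocol, "VerifyMode" => "Request"),
                client => _peer_config($protocol),
                test => {
                    "ExpectedResult" => "Success",
                    "Method" => $method,
                },
            );

            # Handshake with client cert required but not present.
            _add_test($sctp,
                name => "client-auth-${protocol_name}-require-fail",
                server => _peer_config($protocol,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Require",
                ),
                client => _peer_config($protocol),
                test => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" => $require_fail_alert,
                    "Method" => $method,
                },
            );

            # Successful handshake with client authentication.  The server only
            # requests a certificate, but the client does present one and it
            # is expected to verify against root-cert.pem.
            _add_test($sctp,
                name => "client-auth-${protocol_name}-require",
                server => _peer_config($protocol,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Request",
                ),
                client => _peer_config($protocol,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey" => test_pem("ee-key.pem"),
                ),
                test => {
                    "ExpectedResult" => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    # No ClientCAFile is configured, so no CA names are expected
                    # in the server's certificate request.
                    "ExpectedClientCANames" => "empty",
                    "Method" => $method,
                },
            );

            # Successful handshake with client authentication non-empty names:
            # same as above, but the server advertises root-cert.pem as an
            # acceptable CA and that list is expected to reach the client.
            _add_test($sctp,
                name => "client-auth-${protocol_name}-require-non-empty-names",
                server => _peer_config($protocol,
                    "ClientSignatureAlgorithms" => $clisigalgs,
                    "ClientCAFile" => test_pem("root-cert.pem"),
                    "VerifyCAFile" => test_pem("root-cert.pem"),
                    "VerifyMode" => "Request",
                ),
                client => _peer_config($protocol,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey" => test_pem("ee-key.pem"),
                ),
                test => {
                    "ExpectedResult" => "Success",
                    "ExpectedClientCertType" => "RSA",
                    "ExpectedClientSignType" => $clisigtype,
                    "ExpectedClientSignHash" => $clihash,
                    "ExpectedClientCANames" => test_pem("root-cert.pem"),
                    "Method" => $method,
                },
            );

            # Handshake with client authentication but without the root
            # certificate: the server requires a client cert but has no
            # VerifyCAFile, so it cannot chain the presented certificate to a
            # trusted root and must reject it with $caalert rather than
            # silently accepting an unverifiable client.
            _add_test($sctp,
                name => "client-auth-${protocol_name}-noroot",
                server => _peer_config($protocol, "VerifyMode" => "Require"),
                client => _peer_config($protocol,
                    "Certificate" => test_pem("ee-client-chain.pem"),
                    "PrivateKey" => test_pem("ee-key.pem"),
                ),
                test => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                    "Method" => $method,
                },
            );
        }
    }
    return;
}

generate_tests();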