openssl/test/ssl-tests/03-custom_verify.cnf.in

# -*- mode: perl; -*-
# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## SSL test configurations

package ssltests;

our @tests = (

    # Sanity-check that verification indeed succeeds without the
    # restrictive callback.
    {
        name => "verify-success",
        server => { },
        client => { },
        test   => { "ExpectedResult" => "Success" },
    },

    # Same test as above but with a custom callback that always fails.
    {
        name => "verify-custom-reject",
        server => { },
        client => {
            extra => {
                "VerifyCallback" => "RejectAll",
            },
        },
        test   => {
            "ExpectedResult" => "ClientFail",
            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },

    # Same test as above but with a custom callback that always succeeds.
    {
        name => "verify-custom-allow",
        server => { },
        client => {
            extra => {
                "VerifyCallback" => "AcceptAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Same test as above but with a custom callback that requests retry once.
    {
        name => "verify-custom-retry",
        server => { },
        client => {
            extra => {
                "VerifyCallback" => "RetryOnce",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Sanity-check that verification indeed succeeds if peer verification
    # is not requested.
    {
        name => "noverify-success",
        server => { },
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
        },
        test   => { "ExpectedResult" => "Success" },
    },

    # Same test as above but with a custom callback that always fails.
    # The callback return has no impact on handshake success in this mode.
    {
        name => "noverify-ignore-custom-reject",
        server => { },
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "RejectAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Same test as above but with a custom callback that always succeeds.
    # The callback return has no impact on handshake success in this mode.
    {
        name => "noverify-accept-custom-allow",
        server => { },
        client => {
            "VerifyMode" => undef,
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "AcceptAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success",
        },
    },

    # Sanity-check that verification indeed fails without the
    # permissive callback.
    {
        name => "verify-fail-no-root",
        server => { },
        client => {
            # Don't set up the client root file.
            "VerifyCAFile" => undef,
        },
        test   => {
          "ExpectedResult" => "ClientFail",
          "ExpectedClientAlert" => "UnknownCA",
        },
    },

    # Same test as above but with a custom callback that always succeeds.
    {
        name => "verify-custom-success-no-root",
        server => { },
        client => {
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "AcceptAll",
            },
        },
        test   => {
            "ExpectedResult" => "Success"
        },
    },

    # Same test as above but with a custom callback that always fails.
    {
        name => "verify-custom-fail-no-root",
        server => { },
        client => {
            "VerifyCAFile" => undef,
            extra => {
                "VerifyCallback" => "RejectAll",
            },
        },
        test   => {
            "ExpectedResult" => "ClientFail",
            "ExpectedClientAlert" => "HandshakeFailure",
        },
    },
);
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`# -- mode: perl; --`
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999) 2021-01-28 20:54:57 +08:00			`# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.`
Add final(?) set of copyrights. Add copyright to missing assembler files. Add copyrights to missing test/* files. Add copyrights Various source and misc files. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-06-01 23:26:40 +08:00			`#`
Following the license change, modify the boilerplates in test/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7767) 2018-12-06 20:05:25 +08:00			`# Licensed under the Apache License 2.0 (the "License"). You may not use`
Add final(?) set of copyrights. Add copyright to missing assembler files. Add copyrights to missing test/* files. Add copyrights Various source and misc files. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-06-01 23:26:40 +08:00			`# this file except in compliance with the License. You can obtain a copy`
			`# in the file LICENSE in the source distribution or at`
			`# https://www.openssl.org/source/license.html`

Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00
			`## SSL test configurations`

			`package ssltests;`

			`our @tests = (`

			`# Sanity-check that verification indeed succeeds without the`
			`# restrictive callback.`
			`{`
			`name => "verify-success",`
			`server => { },`
			`client => { },`
			`test => { "ExpectedResult" => "Success" },`
			`},`

			`# Same test as above but with a custom callback that always fails.`
			`{`
			`name => "verify-custom-reject",`
			`server => { },`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`client => {`
			`extra => {`
			`"VerifyCallback" => "RejectAll",`
			`},`
			`},`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`test => {`
			`"ExpectedResult" => "ClientFail",`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`"ExpectedClientAlert" => "HandshakeFailure",`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`},`

			`# Same test as above but with a custom callback that always succeeds.`
			`{`
			`name => "verify-custom-allow",`
			`server => { },`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`client => {`
			`extra => {`
			`"VerifyCallback" => "AcceptAll",`
			`},`
			`},`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`test => {`
			`"ExpectedResult" => "Success",`
			`},`
			`},`

TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906) 2021-01-17 03:43:00 +08:00			`# Same test as above but with a custom callback that requests retry once.`
			`{`
			`name => "verify-custom-retry",`
			`server => { },`
			`client => {`
			`extra => {`
			`"VerifyCallback" => "RetryOnce",`
			`},`
			`},`
			`test => {`
			`"ExpectedResult" => "Success",`
			`},`
			`},`

Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`# Sanity-check that verification indeed succeeds if peer verification`
			`# is not requested.`
			`{`
			`name => "noverify-success",`
			`server => { },`
			`client => {`
			`"VerifyMode" => undef,`
			`"VerifyCAFile" => undef,`
			`},`
			`test => { "ExpectedResult" => "Success" },`
			`},`

			`# Same test as above but with a custom callback that always fails.`
			`# The callback return has no impact on handshake success in this mode.`
			`{`
			`name => "noverify-ignore-custom-reject",`
			`server => { },`
			`client => {`
			`"VerifyMode" => undef,`
			`"VerifyCAFile" => undef,`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`extra => {`
			`"VerifyCallback" => "RejectAll",`
			`},`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`test => {`
			`"ExpectedResult" => "Success",`
			`},`
			`},`

			`# Same test as above but with a custom callback that always succeeds.`
			`# The callback return has no impact on handshake success in this mode.`
			`{`
			`name => "noverify-accept-custom-allow",`
			`server => { },`
			`client => {`
			`"VerifyMode" => undef,`
			`"VerifyCAFile" => undef,`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`extra => {`
			`"VerifyCallback" => "AcceptAll",`
			`},`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`test => {`
			`"ExpectedResult" => "Success",`
			`},`
			`},`

			`# Sanity-check that verification indeed fails without the`
			`# permissive callback.`
			`{`
			`name => "verify-fail-no-root",`
			`server => { },`
			`client => {`
			`# Don't set up the client root file.`
			`"VerifyCAFile" => undef,`
			`},`
			`test => {`
			`"ExpectedResult" => "ClientFail",`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`"ExpectedClientAlert" => "UnknownCA",`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`},`

			`# Same test as above but with a custom callback that always succeeds.`
			`{`
			`name => "verify-custom-success-no-root",`
			`server => { },`
			`client => {`
			`"VerifyCAFile" => undef,`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`extra => {`
			`"VerifyCallback" => "AcceptAll",`
			`},`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`test => {`
			`"ExpectedResult" => "Success"`
			`},`
			`},`

			`# Same test as above but with a custom callback that always fails.`
			`{`
			`name => "verify-custom-fail-no-root",`
			`server => { },`
			`client => {`
			`"VerifyCAFile" => undef,`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`extra => {`
			`"VerifyCallback" => "RejectAll",`
			`},`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`test => {`
			`"ExpectedResult" => "ClientFail",`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 22:29:48 +08:00			`"ExpectedClientAlert" => "HandshakeFailure",`
Remove proxy tests. Add verify callback tests. The old proxy tests test the implementation of an application proxy policy callback defined in the test itself, which is not particularly useful. It is, however, useful to test cert verify overrides in general. Therefore, replace these tests with tests for cert verify callback behaviour. Also glob the ssl test inputs on the .in files to catch missing generated files. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-04-08 01:07:50 +08:00			`},`
			`},`
			`);`