2016-05-31 22:42:58 +08:00
|
|
|
# -*- mode: perl; -*-
|
|
|
|
|
|
|
|
## SSL test configurations
|
|
|
|
|
|
|
|
package ssltests;
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
use OpenSSL::Test;
|
2017-04-24 18:19:05 +08:00
|
|
|
use OpenSSL::Test::Utils qw(anydisabled disabled);
|
2016-05-31 22:42:58 +08:00
|
|
|
setup("no_test_here");
|
|
|
|
|
2020-04-08 00:03:19 +08:00
|
|
|
our $fips_mode;
|
2016-05-31 22:42:58 +08:00
|
|
|
|
2020-04-08 00:03:19 +08:00
|
|
|
my @protocols;
|
2016-05-31 22:42:58 +08:00
|
|
|
my @is_disabled = (0);
|
|
|
|
|
2020-04-08 00:03:19 +08:00
|
|
|
# We test version-flexible negotiation (undef) and each protocol version.
|
|
|
|
if ($fips_mode) {
|
|
|
|
@protocols = (undef, "TLSv1.2", "DTLSv1.2");
|
2020-12-01 23:34:24 +08:00
|
|
|
push @is_disabled, anydisabled("tls1_2", "dtls1_2");
|
2020-04-08 00:03:19 +08:00
|
|
|
} else {
|
|
|
|
@protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
|
2020-12-01 23:34:24 +08:00
|
|
|
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
|
2020-04-08 00:03:19 +08:00
|
|
|
}
|
|
|
|
|
2016-05-31 22:42:58 +08:00
|
|
|
our @tests = ();
|
|
|
|
|
|
|
|
sub generate_tests() {
|
|
|
|
foreach (0..$#protocols) {
|
|
|
|
my $protocol = $protocols[$_];
|
|
|
|
my $protocol_name = $protocol || "flex";
|
2016-06-23 02:41:03 +08:00
|
|
|
my $caalert;
|
2017-03-14 21:56:22 +08:00
|
|
|
my $method;
|
2017-04-24 18:19:05 +08:00
|
|
|
my $sctpenabled = 0;
|
2016-05-31 22:42:58 +08:00
|
|
|
if (!$is_disabled[$_]) {
|
2016-06-23 02:41:03 +08:00
|
|
|
if ($protocol_name eq "SSLv3") {
|
|
|
|
$caalert = "BadCertificate";
|
|
|
|
} else {
|
|
|
|
$caalert = "UnknownCA";
|
|
|
|
}
|
2017-03-14 21:56:22 +08:00
|
|
|
if ($protocol_name =~ m/^DTLS/) {
|
|
|
|
$method = "DTLS";
|
2017-04-24 18:19:05 +08:00
|
|
|
$sctpenabled = 1 if !disabled("sctp");
|
2017-03-14 21:56:22 +08:00
|
|
|
}
|
2017-01-15 23:59:48 +08:00
|
|
|
my $clihash;
|
2017-01-27 23:56:47 +08:00
|
|
|
my $clisigtype;
|
2017-01-15 23:59:48 +08:00
|
|
|
my $clisigalgs;
|
2017-01-27 23:56:47 +08:00
|
|
|
# TODO(TLS1.3) add TLSv1.3 versions
|
2017-01-15 23:59:48 +08:00
|
|
|
if ($protocol_name eq "TLSv1.2") {
|
|
|
|
$clihash = "SHA256";
|
2017-01-27 23:56:47 +08:00
|
|
|
$clisigtype = "RSA";
|
2017-01-15 23:59:48 +08:00
|
|
|
$clisigalgs = "SHA256+RSA";
|
|
|
|
}
|
2017-04-24 18:19:05 +08:00
|
|
|
for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
|
|
|
|
# Sanity-check simple handshake.
|
|
|
|
push @tests, {
|
|
|
|
name => "server-auth-${protocol_name}"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol
|
|
|
|
},
|
|
|
|
client => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "Success",
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
2016-05-31 22:42:58 +08:00
|
|
|
|
2017-04-24 18:19:05 +08:00
|
|
|
# Handshake with client cert requested but not required or received.
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-request"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"VerifyMode" => "Request"
|
|
|
|
},
|
|
|
|
client => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "Success",
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
2016-05-31 22:42:58 +08:00
|
|
|
|
2017-04-24 18:19:05 +08:00
|
|
|
# Handshake with client cert required but not present.
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-require-fail"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"VerifyCAFile" => test_pem("root-cert.pem"),
|
|
|
|
"VerifyMode" => "Require",
|
|
|
|
},
|
|
|
|
client => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "ServerFail",
|
2018-07-30 16:13:14 +08:00
|
|
|
"ExpectedServerAlert" =>
|
2021-01-14 23:50:20 +08:00
|
|
|
($protocol_name eq "flex"
|
|
|
|
&& !disabled("tls1_3")
|
|
|
|
&& (!disabled("ec") || !disabled("dh")))
|
2018-07-30 16:13:14 +08:00
|
|
|
? "CertificateRequired" : "HandshakeFailure",
|
2017-04-24 18:19:05 +08:00
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
2016-05-31 22:42:58 +08:00
|
|
|
|
2017-04-24 18:19:05 +08:00
|
|
|
# Successful handshake with client authentication.
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-require"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"ClientSignatureAlgorithms" => $clisigalgs,
|
|
|
|
"VerifyCAFile" => test_pem("root-cert.pem"),
|
|
|
|
"VerifyMode" => "Request",
|
|
|
|
},
|
|
|
|
client => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"Certificate" => test_pem("ee-client-chain.pem"),
|
|
|
|
"PrivateKey" => test_pem("ee-key.pem"),
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "Success",
|
|
|
|
"ExpectedClientCertType" => "RSA",
|
|
|
|
"ExpectedClientSignType" => $clisigtype,
|
|
|
|
"ExpectedClientSignHash" => $clihash,
|
|
|
|
"ExpectedClientCANames" => "empty",
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
2017-03-16 01:26:05 +08:00
|
|
|
|
2022-03-25 22:26:13 +08:00
|
|
|
# Successful handshake with client RSA-PSS cert, StrictCertCheck
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-rsa-pss"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"ClientCAFile" => test_pem("rootcert.pem"),
|
|
|
|
"VerifyCAFile" => test_pem("rootcert.pem"),
|
|
|
|
"VerifyMode" => "Require",
|
|
|
|
},
|
|
|
|
client => {
|
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"Certificate" => test_pem("client-pss-restrict-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("client-pss-restrict-key.pem"),
|
|
|
|
"Options" => "StrictCertCheck",
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "Success",
|
|
|
|
"ExpectedClientCertType" => "RSA-PSS",
|
|
|
|
"ExpectedClientCANames" => test_pem("rootcert.pem"),
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
} if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
|
|
|
|
|
|
|
|
# Failed handshake with client RSA-PSS cert, StrictCertCheck, bad CA
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-rsa-pss-bad"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"ClientCAFile" => test_pem("rootCA.pem"),
|
|
|
|
"VerifyCAFile" => test_pem("rootCA.pem"),
|
|
|
|
"VerifyMode" => "Require",
|
|
|
|
},
|
|
|
|
client => {
|
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"Certificate" => test_pem("client-pss-restrict-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("client-pss-restrict-key.pem"),
|
|
|
|
"Options" => "StrictCertCheck",
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "ServerFail",
|
|
|
|
"ExpectedServerAlert" =>
|
|
|
|
($protocol_name eq "flex"
|
|
|
|
&& !disabled("tls1_3")
|
|
|
|
&& (!disabled("ec") || !disabled("dh")))
|
|
|
|
? "CertificateRequired" : "HandshakeFailure",
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
} if $protocol_name eq "TLSv1.2" || $protocol_name eq "flex";
|
|
|
|
|
2017-04-24 18:19:05 +08:00
|
|
|
# Successful handshake with client authentication non-empty names
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-require-non-empty-names"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"ClientSignatureAlgorithms" => $clisigalgs,
|
|
|
|
"ClientCAFile" => test_pem("root-cert.pem"),
|
|
|
|
"VerifyCAFile" => test_pem("root-cert.pem"),
|
|
|
|
"VerifyMode" => "Request",
|
|
|
|
},
|
|
|
|
client => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"Certificate" => test_pem("ee-client-chain.pem"),
|
|
|
|
"PrivateKey" => test_pem("ee-key.pem"),
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "Success",
|
|
|
|
"ExpectedClientCertType" => "RSA",
|
|
|
|
"ExpectedClientSignType" => $clisigtype,
|
|
|
|
"ExpectedClientSignHash" => $clihash,
|
|
|
|
"ExpectedClientCANames" => test_pem("root-cert.pem"),
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
2016-05-31 22:42:58 +08:00
|
|
|
|
2017-04-24 18:19:05 +08:00
|
|
|
# Handshake with client authentication but without the root certificate.
|
|
|
|
push @tests, {
|
|
|
|
name => "client-auth-${protocol_name}-noroot"
|
|
|
|
.($sctp ? "-sctp" : ""),
|
|
|
|
server => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"VerifyMode" => "Require",
|
|
|
|
},
|
|
|
|
client => {
|
2020-01-03 06:25:27 +08:00
|
|
|
"CipherString" => "DEFAULT:\@SECLEVEL=0",
|
2017-04-24 18:19:05 +08:00
|
|
|
"MinProtocol" => $protocol,
|
|
|
|
"MaxProtocol" => $protocol,
|
|
|
|
"Certificate" => test_pem("ee-client-chain.pem"),
|
|
|
|
"PrivateKey" => test_pem("ee-key.pem"),
|
|
|
|
},
|
|
|
|
test => {
|
|
|
|
"ExpectedResult" => "ServerFail",
|
|
|
|
"ExpectedServerAlert" => $caalert,
|
|
|
|
"Method" => $method,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
$tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
|
|
|
|
}
|
2016-05-31 22:42:58 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2017-03-14 21:56:22 +08:00
|
|
|
|
2016-05-31 22:42:58 +08:00
|
|
|
generate_tests();
|