3 ## SSL test configurations
11 use OpenSSL::Test::Utils qw(anydisabled disabled);
12 setup("no_test_here");
17 my @is_disabled = (0);
18 push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
20 # We test version-flexible negotiation (undef) and each protocol version.
22 @protocols = (undef, "TLSv1.2", "DTLSv1.2");
24 @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
29 sub generate_tests() {
30 foreach (0..$#protocols) {
31 my $protocol = $protocols[$_];
32 my $protocol_name = $protocol || "flex";
36 if (!$is_disabled[$_]) {
37 if ($protocol_name eq "SSLv3") {
38 $caalert = "BadCertificate";
40 $caalert = "UnknownCA";
42 if ($protocol_name =~ m/^DTLS/) {
44 $sctpenabled = 1 if !disabled("sctp");
49 # TODO(TLS1.3) add TLSv1.3 versions
50 if ($protocol_name eq "TLSv1.2") {
53 $clisigalgs = "SHA256+RSA";
55 for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) {
56 # Sanity-check simple handshake.
58 name => "server-auth-${protocol_name}"
59 .($sctp ? "-sctp" : ""),
61 "CipherString" => "DEFAULT:\@SECLEVEL=0",
62 "MinProtocol" => $protocol,
63 "MaxProtocol" => $protocol
66 "CipherString" => "DEFAULT:\@SECLEVEL=0",
67 "MinProtocol" => $protocol,
68 "MaxProtocol" => $protocol
71 "ExpectedResult" => "Success",
75 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
77 # Handshake with client cert requested but not required or received.
79 name => "client-auth-${protocol_name}-request"
80 .($sctp ? "-sctp" : ""),
82 "CipherString" => "DEFAULT:\@SECLEVEL=0",
83 "MinProtocol" => $protocol,
84 "MaxProtocol" => $protocol,
85 "VerifyMode" => "Request"
88 "CipherString" => "DEFAULT:\@SECLEVEL=0",
89 "MinProtocol" => $protocol,
90 "MaxProtocol" => $protocol
93 "ExpectedResult" => "Success",
97 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
99 # Handshake with client cert required but not present.
101 name => "client-auth-${protocol_name}-require-fail"
102 .($sctp ? "-sctp" : ""),
104 "CipherString" => "DEFAULT:\@SECLEVEL=0",
105 "MinProtocol" => $protocol,
106 "MaxProtocol" => $protocol,
107 "VerifyCAFile" => test_pem("root-cert.pem"),
108 "VerifyMode" => "Require",
111 "CipherString" => "DEFAULT:\@SECLEVEL=0",
112 "MinProtocol" => $protocol,
113 "MaxProtocol" => $protocol
116 "ExpectedResult" => "ServerFail",
117 "ExpectedServerAlert" =>
118 ($protocol_name eq "flex" && !disabled("tls1_3"))
119 ? "CertificateRequired" : "HandshakeFailure",
123 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
125 # Successful handshake with client authentication.
127 name => "client-auth-${protocol_name}-require"
128 .($sctp ? "-sctp" : ""),
130 "CipherString" => "DEFAULT:\@SECLEVEL=0",
131 "MinProtocol" => $protocol,
132 "MaxProtocol" => $protocol,
133 "ClientSignatureAlgorithms" => $clisigalgs,
134 "VerifyCAFile" => test_pem("root-cert.pem"),
135 "VerifyMode" => "Request",
138 "CipherString" => "DEFAULT:\@SECLEVEL=0",
139 "MinProtocol" => $protocol,
140 "MaxProtocol" => $protocol,
141 "Certificate" => test_pem("ee-client-chain.pem"),
142 "PrivateKey" => test_pem("ee-key.pem"),
145 "ExpectedResult" => "Success",
146 "ExpectedClientCertType" => "RSA",
147 "ExpectedClientSignType" => $clisigtype,
148 "ExpectedClientSignHash" => $clihash,
149 "ExpectedClientCANames" => "empty",
153 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
155 # Successful handshake with client authentication non-empty names
157 name => "client-auth-${protocol_name}-require-non-empty-names"
158 .($sctp ? "-sctp" : ""),
160 "CipherString" => "DEFAULT:\@SECLEVEL=0",
161 "MinProtocol" => $protocol,
162 "MaxProtocol" => $protocol,
163 "ClientSignatureAlgorithms" => $clisigalgs,
164 "ClientCAFile" => test_pem("root-cert.pem"),
165 "VerifyCAFile" => test_pem("root-cert.pem"),
166 "VerifyMode" => "Request",
169 "CipherString" => "DEFAULT:\@SECLEVEL=0",
170 "MinProtocol" => $protocol,
171 "MaxProtocol" => $protocol,
172 "Certificate" => test_pem("ee-client-chain.pem"),
173 "PrivateKey" => test_pem("ee-key.pem"),
176 "ExpectedResult" => "Success",
177 "ExpectedClientCertType" => "RSA",
178 "ExpectedClientSignType" => $clisigtype,
179 "ExpectedClientSignHash" => $clihash,
180 "ExpectedClientCANames" => test_pem("root-cert.pem"),
184 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;
186 # Handshake with client authentication but without the root certificate.
188 name => "client-auth-${protocol_name}-noroot"
189 .($sctp ? "-sctp" : ""),
191 "CipherString" => "DEFAULT:\@SECLEVEL=0",
192 "MinProtocol" => $protocol,
193 "MaxProtocol" => $protocol,
194 "VerifyMode" => "Require",
197 "CipherString" => "DEFAULT:\@SECLEVEL=0",
198 "MinProtocol" => $protocol,
199 "MaxProtocol" => $protocol,
200 "Certificate" => test_pem("ee-client-chain.pem"),
201 "PrivateKey" => test_pem("ee-key.pem"),
204 "ExpectedResult" => "ServerFail",
205 "ExpectedServerAlert" => $caalert,
209 $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp;