From 0f5df0f1037590de12cc11eeab26fe29bf3f16a3 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 24 Apr 2017 11:19:05 +0100 Subject: [PATCH] Add SCTP testing for 04-client_auth.conf Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/3286) --- test/recipes/80-test_ssl_new.t | 3 +- test/ssl-tests/04-client_auth.conf.in | 264 ++++++++++++++------------ 2 files changed, 142 insertions(+), 125 deletions(-) diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 1a7c2595ec..fbcb46a8fb 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -55,7 +55,8 @@ my $no_ocsp = disabled("ocsp"); # expectations dynamically based on the OpenSSL compile-time config. my %conf_dependent_tests = ( "02-protocol-version.conf" => !$is_default_tls, - "04-client_auth.conf" => !$is_default_tls || !$is_default_dtls, + "04-client_auth.conf" => !$is_default_tls || !$is_default_dtls + || !disabled("sctp"), "05-sni.conf" => disabled("tls1_1"), "07-dtls-protocol-version.conf" => !$is_default_dtls || !disabled("sctp"), "10-resumption.conf" => !$is_default_tls, diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in index 3da76a3e2a..a780e00699 100644 --- a/test/ssl-tests/04-client_auth.conf.in +++ b/test/ssl-tests/04-client_auth.conf.in @@ -8,7 +8,7 @@ use strict; use warnings; use OpenSSL::Test; -use OpenSSL::Test::Utils qw(anydisabled); +use OpenSSL::Test::Utils qw(anydisabled disabled); setup("no_test_here"); # We test version-flexible negotiation (undef) and each protocol version. @@ -25,6 +25,7 @@ sub generate_tests() { my $protocol_name = $protocol || "flex"; my $caalert; my $method; + my $sctpenabled = 0; if (!$is_disabled[$_]) { if ($protocol_name eq "SSLv3") { $caalert = "BadCertificate"; @@ -33,6 +34,7 @@ sub generate_tests() { } if ($protocol_name =~ m/^DTLS/) { $method = "DTLS"; + $sctpenabled = 1 if !disabled("sctp"); } my $clihash; my $clisigtype; 
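Review bot: The `04-client_auth.conf` entry in `%conf_dependent_tests` (test/recipes/80-test_ssl_new.t) now has three independent reasons for being config-dependent, and nothing says why SCTP is one of them. A one-line comment above the entry would cover it, for example `# SCTP builds add "-sctp" variants of every DTLS client-auth case`, which is what the generator change to test/ssl-tests/04-client_auth.conf.in in this same patch does. The hash starts before this hunk and continues after it.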
@@ -43,134 +45,148 @@ sub generate_tests() { $clisigtype = "RSA"; $clisigalgs = "SHA256+RSA"; } - # Sanity-check simple handshake. - push @tests, { - name => "server-auth-${protocol_name}", - server => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol - }, - client => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol - }, - test => { - "ExpectedResult" => "Success", - "Method" => $method, - }, - }; + for (my $sctp = 0; $sctp <= $sctpenabled; $sctp++) { + # Sanity-check simple handshake. + push @tests, { + name => "server-auth-${protocol_name}" + .($sctp ? "-sctp" : ""), + server => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol + }, + client => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol + }, + test => { + "ExpectedResult" => "Success", + "Method" => $method, + }, + }; + $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; - # Handshake with client cert requested but not required or received. - push @tests, { - name => "client-auth-${protocol_name}-request", - server => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "VerifyMode" => "Request" - }, - client => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol - }, - test => { - "ExpectedResult" => "Success", - "Method" => $method, - }, - }; + # Handshake with client cert requested but not required or received. + push @tests, { + name => "client-auth-${protocol_name}-request" + .($sctp ? "-sctp" : ""), + server => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "VerifyMode" => "Request" + }, + client => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol + }, + test => { + "ExpectedResult" => "Success", + "Method" => $method, + }, + }; + $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; - # Handshake with client cert required but not present. 
- push @tests, { - name => "client-auth-${protocol_name}-require-fail", - server => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Require", - }, - client => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol - }, - test => { - "ExpectedResult" => "ServerFail", - "ExpectedServerAlert" => "HandshakeFailure", - "Method" => $method, - }, - }; + # Handshake with client cert required but not present. + push @tests, { + name => "client-auth-${protocol_name}-require-fail" + .($sctp ? "-sctp" : ""), + server => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require", + }, + client => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol + }, + test => { + "ExpectedResult" => "ServerFail", + "ExpectedServerAlert" => "HandshakeFailure", + "Method" => $method, + }, + }; + $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; - # Successful handshake with client authentication. - push @tests, { - name => "client-auth-${protocol_name}-require", - server => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "ClientSignatureAlgorithms" => $clisigalgs, - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Request", - }, - client => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "Certificate" => test_pem("ee-client-chain.pem"), - "PrivateKey" => test_pem("ee-key.pem"), - }, - test => { - "ExpectedResult" => "Success", - "ExpectedClientCertType" => "RSA", - "ExpectedClientSignType" => $clisigtype, - "ExpectedClientSignHash" => $clihash, - "ExpectedClientCANames" => "empty", - "Method" => $method, - }, - }; + # Successful handshake with client authentication. + push @tests, { + name => "client-auth-${protocol_name}-require" + .($sctp ? 
"-sctp" : ""), + server => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "ClientSignatureAlgorithms" => $clisigalgs, + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Request", + }, + client => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "Certificate" => test_pem("ee-client-chain.pem"), + "PrivateKey" => test_pem("ee-key.pem"), + }, + test => { + "ExpectedResult" => "Success", + "ExpectedClientCertType" => "RSA", + "ExpectedClientSignType" => $clisigtype, + "ExpectedClientSignHash" => $clihash, + "ExpectedClientCANames" => "empty", + "Method" => $method, + }, + }; + $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; - # Successful handshake with client authentication non-empty names - push @tests, { - name => "client-auth-${protocol_name}-require-non-empty-names", - server => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "ClientSignatureAlgorithms" => $clisigalgs, - "ClientCAFile" => test_pem("root-cert.pem"), - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Request", - }, - client => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "Certificate" => test_pem("ee-client-chain.pem"), - "PrivateKey" => test_pem("ee-key.pem"), - }, - test => { - "ExpectedResult" => "Success", - "ExpectedClientCertType" => "RSA", - "ExpectedClientSignType" => $clisigtype, - "ExpectedClientSignHash" => $clihash, - "ExpectedClientCANames" => test_pem("root-cert.pem"), - "Method" => $method, - }, - }; + # Successful handshake with client authentication non-empty names + push @tests, { + name => "client-auth-${protocol_name}-require-non-empty-names" + .($sctp ? 
"-sctp" : ""), + server => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "ClientSignatureAlgorithms" => $clisigalgs, + "ClientCAFile" => test_pem("root-cert.pem"), + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Request", + }, + client => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "Certificate" => test_pem("ee-client-chain.pem"), + "PrivateKey" => test_pem("ee-key.pem"), + }, + test => { + "ExpectedResult" => "Success", + "ExpectedClientCertType" => "RSA", + "ExpectedClientSignType" => $clisigtype, + "ExpectedClientSignHash" => $clihash, + "ExpectedClientCANames" => test_pem("root-cert.pem"), + "Method" => $method, + }, + }; + $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; - # Handshake with client authentication but without the root certificate. - push @tests, { - name => "client-auth-${protocol_name}-noroot", - server => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "VerifyMode" => "Require", - }, - client => { - "MinProtocol" => $protocol, - "MaxProtocol" => $protocol, - "Certificate" => test_pem("ee-client-chain.pem"), - "PrivateKey" => test_pem("ee-key.pem"), - }, - test => { - "ExpectedResult" => "ServerFail", - "ExpectedServerAlert" => $caalert, - "Method" => $method, - }, - }; + # Handshake with client authentication but without the root certificate. + push @tests, { + name => "client-auth-${protocol_name}-noroot" + .($sctp ? "-sctp" : ""), + server => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "VerifyMode" => "Require", + }, + client => { + "MinProtocol" => $protocol, + "MaxProtocol" => $protocol, + "Certificate" => test_pem("ee-client-chain.pem"), + "PrivateKey" => test_pem("ee-key.pem"), + }, + test => { + "ExpectedResult" => "ServerFail", + "ExpectedServerAlert" => $caalert, + "Method" => $method, + }, + }; + $tests[-1]{"test"}{"UseSCTP"} = "Yes" if $sctp; + } } } } -- 2.25.1
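Review bot: The case named `client-auth-${protocol_name}-require` and its `-require-non-empty-names` sibling set `"VerifyMode" => "Request"` on the server, so no test in this hunk shows a handshake succeeding while the server actually demands a client certificate; the two `Require` cases are both expected to fail. This is carried over unchanged from the removed lines, but the patch now repeats it for the SCTP transport, so this is a good point to either switch those two entries to `"VerifyMode" => "Require",` or add a comment stating that `Request` is deliberate. Changing the mode presumably means regenerating the checked-in 04-client_auth.conf as well. On style, the six repeated `.($sctp ? "-sctp" : "")` expressions could be replaced by computing `my $suffix = $sctp ? "-sctp" : "";` once at the top of the loop. `generate_tests` begins before this hunk.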