openssl/test/ssl-tests/04-client_auth.conf.in

# -*- mode: perl; -*-

## SSL test configurations

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
setup("no_test_here");

# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");

our @tests = ();

my $dir_sep = $^O ne "VMS" ? "/" : "";

sub generate_tests() {

    foreach (0..$#protocols) {
        my $protocol = $protocols[$_];
        my $protocol_name = $protocol || "flex";
        my $caalert;
        if (!$is_disabled[$_]) {
            if ($protocol_name eq "SSLv3") {
                $caalert = "BadCertificate";
            } else {
                $caalert = "UnknownCA";
            }
            # Sanity-check simple handshake.
            push @tests, {
                name => "server-auth-${protocol_name}",
                server => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol
                },
                client => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol
                },
                test   => { "ExpectedResult" => "Success" },
            };

            # Handshake with client cert requested but not required or received.
            push @tests, {
                name => "client-auth-${protocol_name}-request",
                server => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol,
                    "VerifyMode" => "Request"
                },
                client => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol
                },
                test   => { "ExpectedResult" => "Success" },
            };

            # Handshake with client cert required but not present.
            push @tests, {
                name => "client-auth-${protocol_name}-require-fail",
                server => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol,
                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
                    "VerifyMode" => "Require",
                },
                client => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" => "HandshakeFailure",
                },
            };

            # Successful handshake with client authentication.
            push @tests, {
                name => "client-auth-${protocol_name}-require",
                server => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol,
                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
                    "VerifyMode" => "Request",
                },
                client => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol,
                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
                },
                test   => { "ExpectedResult" => "Success",
                            "ExpectedClientCertType" => "RSA",
                },
            };

            # Handshake with client authentication but without the root certificate.
            push @tests, {
                name => "client-auth-${protocol_name}-noroot",
                server => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol,
                    "VerifyMode" => "Require",
                },
                client => {
                    "MinProtocol" => $protocol,
                    "MaxProtocol" => $protocol,
                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
                },
                test   => {
                    "ExpectedResult" => "ServerFail",
                    "ExpectedServerAlert" => $caalert,
                },
            };
        }
    }
}
 
generate_tests();
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`# -- mode: perl; --`

			`## SSL test configurations`

			`package ssltests;`

			`use strict;`
			`use warnings;`

			`use OpenSSL::Test;`
			`use OpenSSL::Test::Utils qw(anydisabled);`
			`setup("no_test_here");`

			`# We test version-flexible negotiation (undef) and each protocol version.`
			`my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");`

			`my @is_disabled = (0);`
			`push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");`

			`our @tests = ();`

			`my $dir_sep = $^O ne "VMS" ? "/" : "";`

			`sub generate_tests() {`

			`foreach (0..$#protocols) {`
			`my $protocol = $protocols[$_];`
			`my $protocol_name = $protocol \|\| "flex";`
Fix SSLv3 ClientAuth alert checking In TLS during ClientAuth if the CA is not recognised you should get an UnknownCA alert. In SSLv3 this does not exist and you should get a BadCertificate alert. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 18:41:03 +00:00			`my $caalert;`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`if (!$is_disabled[$_]) {`
Fix SSLv3 ClientAuth alert checking In TLS during ClientAuth if the CA is not recognised you should get an UnknownCA alert. In SSLv3 this does not exist and you should get a BadCertificate alert. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 18:41:03 +00:00			`if ($protocol_name eq "SSLv3") {`
			`$caalert = "BadCertificate";`
			`} else {`
			`$caalert = "UnknownCA";`
			`}`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`# Sanity-check simple handshake.`
			`push @tests, {`
			`name => "server-auth-${protocol_name}",`
			`server => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`client => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`test => { "ExpectedResult" => "Success" },`
			`};`

			`# Handshake with client cert requested but not required or received.`
			`push @tests, {`
			`name => "client-auth-${protocol_name}-request",`
			`server => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol,`
			`"VerifyMode" => "Request"`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`client => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`test => { "ExpectedResult" => "Success" },`
			`};`

			`# Handshake with client cert required but not present.`
			`push @tests, {`
			`name => "client-auth-${protocol_name}-require-fail",`
			`server => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol,`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",`
			`"VerifyMode" => "Require",`
			`},`
			`client => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`test => {`
			`"ExpectedResult" => "ServerFail",`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 14:29:48 +00:00			`"ExpectedServerAlert" => "HandshakeFailure",`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`};`

			`# Successful handshake with client authentication.`
			`push @tests, {`
			`name => "client-auth-${protocol_name}-require",`
			`server => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol,`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`"VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",`
			`"VerifyMode" => "Request",`
			`},`
			`client => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol,`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",`
			`"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",`
			`},`
Add client cert type tests Reviewed-by: Emilia Käsper <emilia@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2224) 2017-01-13 17:41:48 +00:00			`test => { "ExpectedResult" => "Success",`
			`"ExpectedClientCertType" => "RSA",`
			`},`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`};`

			`# Handshake with client authentication but without the root certificate.`
			`push @tests, {`
			`name => "client-auth-${protocol_name}-noroot",`
			`server => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol,`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`"VerifyMode" => "Require",`
			`},`
			`client => {`
Fix Client Auth tests The Client Auth tests were not correctly setting the Protocol, so that this aspect had no effect. It was testing the same thing lots of times for TLSv1.2 every time. Reviewed-by: Emilia Käsper <emilia@openssl.org> 2016-06-22 15:34:26 +00:00			`"MinProtocol" => $protocol,`
			`"MaxProtocol" => $protocol,`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`"Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",`
			`"PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",`
			`},`
			`test => {`
			`"ExpectedResult" => "ServerFail",`
Reorganize SSL test structures Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-21 14:29:48 +00:00			`"ExpectedServerAlert" => $caalert,`
Update client authentication tests Port client auth tests to the new framework, add coverage. The old tests were only testing success, and only for some protocol versions; the new tests add all protocol versions and various failure modes. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-05-31 14:42:58 +00:00			`},`
			`};`
			`}`
			`}`
			`}`

			`generate_tests();`