Reorganize SSL test structures

Move custom server and client options from the test dictionary to an
"extra" section of each server/client. Rename test expectations to say
"Expected".

This is a big but straightforward change. Primarily, this allows us to
specify multiple server and client contexts without redefining the
custom options for each of them. For example, instead of
"ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols",
we now have "NPNProtocols".

This simplifies writing resumption and SNI tests. The first application
will be resumption tests for NPN and ALPN.

Regrouping the options also makes it clearer which options apply to the
server, which apply to the client, which configure the test, and which
are test expectations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Emilia Kasper 2016-07-21 16:29:48 +02:00
parent a4a18b2f89
commit 9f48bbacd8
28 changed files with 1702 additions and 917 deletions

View file

@ -45,7 +45,22 @@ An example test input looks like this:
}
```
The test section supports the following options:
The test section supports the following options
### Test mode
* Method - the method to test. One of DTLS or TLS.
* HandshakeMode - which handshake flavour to test:
- Simple - plain handshake (default)
- Resume - test resumption
- (Renegotiate - test renegotiation, not yet implemented)
When HandshakeMode is Resume or Renegotiate, the original handshake is expected
to succeed. All configured test expectations are verified against the second
handshake.
### Test expectations
* ExpectedResult - expected handshake outcome. One of
- Success - handshake success
@ -53,54 +68,22 @@ The test section supports the following options:
- ClientFail - clientside handshake failure
- InternalError - some other error
* ClientAlert, ServerAlert - expected alert. See `ssl_test_ctx.c` for known
values.
* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
`ssl_test_ctx.c` for known values.
* Protocol - expected negotiated protocol. One of
* ExpectedProtocol - expected negotiated protocol. One of
SSLv3, TLSv1, TLSv1.1, TLSv1.2.
* ClientVerifyCallback - the client's custom certificate verify callback.
Used to test callback behaviour. One of
- None - no custom callback (default)
- AcceptAll - accepts all certificates.
- RejectAll - rejects all certificates.
* Method - the method to test. One of DTLS or TLS.
* ServerName - the server the client should attempt to connect to. One of
- None - do not use SNI (default)
- server1 - the initial context
- server2 - the secondary context
- invalid - an unknown context
* ServerNameCallback - the SNI switching callback to use
- None - no callback (default)
- IgnoreMismatch - continue the handshake on SNI mismatch
- RejectMismatch - abort the handshake on SNI mismatch
* SessionTicketExpected - whether or not a session ticket is expected
- Ignore - do not check for a session ticket (default)
- Yes - a session ticket is expected
- No - a session ticket is not expected
- Broken - a special test case where the session ticket callback does not
initialize crypto
* HandshakeMode - which handshake flavour to test:
- Simple - plain handshake (default)
- Resume - test resumption
- (Renegotiate - test renegotiation, not yet implemented)
* ResumptionExpected - whether or not resumption is expected (Resume mode only)
- Yes - resumed handshake
- No - full handshake (default)
When HandshakeMode is Resume or Renegotiate, the original handshake is expected
to succeed. All configured test expectations are verified against the second handshake.
* ServerNPNProtocols, Server2NPNProtocols, ClientNPNProtocols, ExpectedNPNProtocol,
ServerALPNProtocols, Server2ALPNProtocols, ClientALPNProtocols, ExpectedALPNProtocol -
NPN and ALPN settings. Server and client protocols can be specified as a comma-separated list,
and a callback with the recommended behaviour will be installed automatically.
* ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations.
## Configuring the client and server
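Review bot: SessionTicketExpected and ResumptionExpected in this list keep the suffix form, while the other expectations move to an "Expected" prefix (ExpectedResult, ExpectedProtocol, ExpectedClientAlert, ExpectedServerAlert). The commit message says test expectations are renamed to say "Expected", so either rename these two to match or note in the README that they are intentionally left as they are. The SessionTicketExpected entry shown here also lists Broken as a value; since the next README hunk introduces BrokenSessionTicket as a server-side option, make sure the retained entry no longer offers Broken.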
@ -132,6 +115,52 @@ The following sections may optionally be defined:
whenever HandshakeMode is Resume. If the resume_client section is not present,
then the configuration matches client.
### Configuring callbacks and additional options
Additional handshake settings can be configured in the `extra` section of each
client and server:
```
client => {
"CipherString" => "DEFAULT",
extra => {
"ServerName" => "server2",
}
}
```
#### Supported client-side options
* ClientVerifyCallback - the client's custom certificate verify callback.
Used to test callback behaviour. One of
- None - no custom callback (default)
- AcceptAll - accepts all certificates.
- RejectAll - rejects all certificates.
* ServerName - the server the client should attempt to connect to. One of
- None - do not use SNI (default)
- server1 - the initial context
- server2 - the secondary context
- invalid - an unknown context
#### Supported server-side options
* ServerNameCallback - the SNI switching callback to use
- None - no callback (default)
- IgnoreMismatch - continue the handshake on SNI mismatch
- RejectMismatch - abort the handshake on SNI mismatch
* BrokenSessionTicket - a special test case where the session ticket callback
does not initialize crypto.
- No (default)
- Yes
#### Mutually supported options
* NPNProtocols, ALPNProtocols - NPN and ALPN settings. Server and client
protocols can be specified as a comma-separated list, and a callback with the
recommended behaviour will be installed automatically.
### Default server and client configurations
The default server certificate and CA files are added to the configurations
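Review bot: The client-side option is documented under "Supported client-side options" as ClientVerifyCallback, but the test inputs and generated configurations in this same commit spell it `"VerifyCallback" => "RejectAll"` inside `extra` and `VerifyCallback = RejectAll` in the client-extra section. Document the key under the name a test author has to write, VerifyCallback, otherwise a test copied from the README will not set the callback.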

View file

@ -46,7 +46,8 @@ sub print_templates {
if (defined $test->{"server2"}) {
$test->{"server2"} = { (%ssltests::base_server, %{$test->{"server2"}}) };
} else {
if (defined $test->{"test"}->{"ServerNameCallback"}) {
if ($test->{"server"}->{"extra"} &&
defined $test->{"server"}->{"extra"}->{"ServerNameCallback"}) {
# Default is the same as server.
$test->{"reuse_server2"} = 1;
}
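Review bot: The comment "Default is the same as server." under the new `extra` check should say what is now shared: the generated SNI configurations point both `server` and `server2` at the same `*-server-extra` section, so every server extra option, not only the callback, is applied to server2 when `reuse_server2` is set. Only `$test->{"server"}->{"extra"}` is consulted here, so it is also worth stating in the README that ServerNameCallback must be placed in the server's `extra` for the implicit server2 to be created.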

View file

@ -269,7 +269,7 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
*/
static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
SSL_CTX *client_ctx,
const SSL_TEST_CTX *test_ctx,
const SSL_TEST_EXTRA_CONF *extra,
CTX_DATA *server_ctx_data,
CTX_DATA *server2_ctx_data,
CTX_DATA *client_ctx_data)
@ -277,7 +277,7 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
unsigned char *ticket_keys;
size_t ticket_key_len;
switch (test_ctx->client_verify_callback) {
switch (extra->client.verify_callback) {
case SSL_TEST_VERIFY_ACCEPT_ALL:
SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb,
NULL);
@ -291,7 +291,7 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
}
/* link the two contexts for SNI purposes */
switch (test_ctx->servername_callback) {
switch (extra->server.servername_callback) {
case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb);
SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
@ -313,49 +313,49 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx,
do_not_call_session_ticket_cb);
if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN) {
if (extra->server.broken_session_ticket) {
SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb);
}
#ifndef OPENSSL_NO_NEXTPROTONEG
if (test_ctx->server_npn_protocols != NULL) {
parse_protos(test_ctx->server_npn_protocols,
if (extra->server.npn_protocols != NULL) {
parse_protos(extra->server.npn_protocols,
&server_ctx_data->npn_protocols,
&server_ctx_data->npn_protocols_len);
SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb,
server_ctx_data);
}
if (test_ctx->server2_npn_protocols != NULL) {
parse_protos(test_ctx->server2_npn_protocols,
if (extra->server2.npn_protocols != NULL) {
parse_protos(extra->server2.npn_protocols,
&server2_ctx_data->npn_protocols,
&server2_ctx_data->npn_protocols_len);
OPENSSL_assert(server2_ctx != NULL);
SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb,
server2_ctx_data);
}
if (test_ctx->client_npn_protocols != NULL) {
parse_protos(test_ctx->client_npn_protocols,
if (extra->client.npn_protocols != NULL) {
parse_protos(extra->client.npn_protocols,
&client_ctx_data->npn_protocols,
&client_ctx_data->npn_protocols_len);
SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb,
client_ctx_data);
}
if (test_ctx->server_alpn_protocols != NULL) {
parse_protos(test_ctx->server_alpn_protocols,
if (extra->server.alpn_protocols != NULL) {
parse_protos(extra->server.alpn_protocols,
&server_ctx_data->alpn_protocols,
&server_ctx_data->alpn_protocols_len);
SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data);
}
if (test_ctx->server2_alpn_protocols != NULL) {
if (extra->server2.alpn_protocols != NULL) {
OPENSSL_assert(server2_ctx != NULL);
parse_protos(test_ctx->server2_alpn_protocols,
parse_protos(extra->server2.alpn_protocols,
&server2_ctx_data->alpn_protocols,
&server2_ctx_data->alpn_protocols_len);
SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, server2_ctx_data);
}
if (test_ctx->client_alpn_protocols != NULL) {
if (extra->client.alpn_protocols != NULL) {
unsigned char *alpn_protos = NULL;
size_t alpn_protos_len;
parse_protos(test_ctx->client_alpn_protocols,
parse_protos(extra->client.alpn_protocols,
&alpn_protos, &alpn_protos_len);
/* Reversed return value convention... */
OPENSSL_assert(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos,
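Review bot: In the server2 NPN block, `OPENSSL_assert(server2_ctx != NULL)` comes after `parse_protos(extra->server2.npn_protocols, ...)`, while the server2 ALPN block a few lines below asserts before parsing. Move the assert to the top of the NPN block so both paths stop before doing any work when server2 protocols are configured without a server2 context, and so the two blocks read the same way.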
@ -377,11 +377,11 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
/* Configure per-SSL callbacks and other properties. */
static void configure_handshake_ssl(SSL *server, SSL *client,
const SSL_TEST_CTX *test_ctx)
const SSL_TEST_EXTRA_CONF *extra)
{
if (test_ctx->servername != SSL_TEST_SERVERNAME_NONE)
if (extra->client.servername != SSL_TEST_SERVERNAME_NONE)
SSL_set_tlsext_host_name(client,
ssl_servername_name(test_ctx->servername));
ssl_servername_name(extra->client.servername));
}
@ -518,7 +518,7 @@ static char *dup_str(const unsigned char *in, size_t len)
static HANDSHAKE_RESULT *do_handshake_internal(
SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx,
const SSL_TEST_CTX *test_ctx, SSL_SESSION *session_in,
const SSL_TEST_EXTRA_CONF *extra, SSL_SESSION *session_in,
SSL_SESSION **session_out)
{
SSL *server, *client;
@ -542,14 +542,14 @@ static HANDSHAKE_RESULT *do_handshake_internal(
memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
memset(&client_ctx_data, 0, sizeof(client_ctx_data));
configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx,
configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, extra,
&server_ctx_data, &server2_ctx_data, &client_ctx_data);
server = SSL_new(server_ctx);
client = SSL_new(client_ctx);
OPENSSL_assert(server != NULL && client != NULL);
configure_handshake_ssl(server, client, test_ctx);
configure_handshake_ssl(server, client, extra);
if (session_in != NULL) {
/* In case we're testing resumption without tickets. */
OPENSSL_assert(SSL_CTX_add_session(server_ctx, session_in));
@ -689,7 +689,7 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
SSL_SESSION *session = NULL;
result = do_handshake_internal(server_ctx, server2_ctx, client_ctx,
test_ctx, NULL, &session);
&test_ctx->extra, NULL, &session);
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_SIMPLE)
goto end;
@ -703,7 +703,7 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
HANDSHAKE_RESULT_free(result);
/* We don't support SNI on second handshake yet, so server2_ctx is NULL. */
result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx,
test_ctx, session, NULL);
&test_ctx->resume_extra, session, NULL);
end:
SSL_SESSION_free(session);
return result;
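Review bot: The second handshake passes `&test_ctx->resume_extra` together with a NULL server2_ctx, so server2 NPN or ALPN protocols in the resume configuration run into `OPENSSL_assert(server2_ctx != NULL)` in configure_handshake_ctx, and a ServerNameCallback on the resume server would register NULL through `SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx)`. Reject these options for the resume sections when the test configuration is parsed, or extend the "We don't support SNI on second handshake yet" comment to name them, so a misconfigured test fails with a configuration error instead of an assert inside the handshake helper.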

View file

@ -46,7 +46,7 @@ CipherString = DEFAULT
VerifyMode = Peer
[test-1]
ClientAlert = UnknownCA
ExpectedClientAlert = UnknownCA
ExpectedResult = ClientFail

View file

@ -28,7 +28,7 @@ our @tests = (
},
test => {
"ExpectedResult" => "ClientFail",
"ClientAlert" => "UnknownCA",
"ExpectedClientAlert" => "UnknownCA",
},
},
);

File diff suppressed because it is too large

View file

@ -54,9 +54,12 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ClientAlert = HandshakeFailure
ClientVerifyCallback = RejectAll
ExpectedClientAlert = HandshakeFailure
ExpectedResult = ClientFail
client = 1-verify-custom-reject-client-extra
[1-verify-custom-reject-client-extra]
VerifyCallback = RejectAll
# ===========================================================
@ -79,8 +82,11 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ClientVerifyCallback = AcceptAll
ExpectedResult = Success
client = 2-verify-custom-allow-client-extra
[2-verify-custom-allow-client-extra]
VerifyCallback = AcceptAll
# ===========================================================
@ -122,8 +128,11 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
CipherString = DEFAULT
[test-4]
ClientVerifyCallback = RejectAll
ExpectedResult = Success
client = 4-noverify-ignore-custom-reject-client-extra
[4-noverify-ignore-custom-reject-client-extra]
VerifyCallback = RejectAll
# ===========================================================
@ -144,8 +153,11 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
CipherString = DEFAULT
[test-5]
ClientVerifyCallback = AcceptAll
ExpectedResult = Success
client = 5-noverify-accept-custom-allow-client-extra
[5-noverify-accept-custom-allow-client-extra]
VerifyCallback = AcceptAll
# ===========================================================
@ -167,7 +179,7 @@ CipherString = DEFAULT
VerifyMode = Peer
[test-6]
ClientAlert = UnknownCA
ExpectedClientAlert = UnknownCA
ExpectedResult = ClientFail
@ -190,8 +202,11 @@ CipherString = DEFAULT
VerifyMode = Peer
[test-7]
ClientVerifyCallback = AcceptAll
ExpectedResult = Success
client = 7-verify-custom-success-no-root-client-extra
[7-verify-custom-success-no-root-client-extra]
VerifyCallback = AcceptAll
# ===========================================================
@ -213,8 +228,11 @@ CipherString = DEFAULT
VerifyMode = Peer
[test-8]
ClientAlert = HandshakeFailure
ClientVerifyCallback = RejectAll
ExpectedClientAlert = HandshakeFailure
ExpectedResult = ClientFail
client = 8-verify-custom-fail-no-root-client-extra
[8-verify-custom-fail-no-root-client-extra]
VerifyCallback = RejectAll

View file

@ -26,11 +26,14 @@ our @tests = (
{
name => "verify-custom-reject",
server => { },
client => { },
client => {
extra => {
"VerifyCallback" => "RejectAll",
},
},
test => {
"ClientVerifyCallback" => "RejectAll",
"ExpectedResult" => "ClientFail",
"ClientAlert" => "HandshakeFailure",
"ExpectedClientAlert" => "HandshakeFailure",
},
},
@ -38,9 +41,12 @@ our @tests = (
{
name => "verify-custom-allow",
server => { },
client => { },
client => {
extra => {
"VerifyCallback" => "AcceptAll",
},
},
test => {
"ClientVerifyCallback" => "AcceptAll",
"ExpectedResult" => "Success",
},
},
@ -65,9 +71,11 @@ our @tests = (
client => {
"VerifyMode" => undef,
"VerifyCAFile" => undef,
extra => {
"VerifyCallback" => "RejectAll",
},
},
test => {
"ClientVerifyCallback" => "RejectAll",
"ExpectedResult" => "Success",
},
},
@ -80,9 +88,11 @@ our @tests = (
client => {
"VerifyMode" => undef,
"VerifyCAFile" => undef,
extra => {
"VerifyCallback" => "AcceptAll",
},
},
test => {
"ClientVerifyCallback" => "AcceptAll",
"ExpectedResult" => "Success",
},
},
@ -98,7 +108,7 @@ our @tests = (
},
test => {
"ExpectedResult" => "ClientFail",
"ClientAlert" => "UnknownCA",
"ExpectedClientAlert" => "UnknownCA",
},
},
@ -108,9 +118,11 @@ our @tests = (
server => { },
client => {
"VerifyCAFile" => undef,
extra => {
"VerifyCallback" => "AcceptAll",
},
},
test => {
"ClientVerifyCallback" => "AcceptAll",
"ExpectedResult" => "Success"
},
},
@ -121,14 +133,13 @@ our @tests = (
server => { },
client => {
"VerifyCAFile" => undef,
extra => {
"VerifyCallback" => "RejectAll",
},
},
test => {
"ClientVerifyCallback" => "RejectAll",
"ExpectedResult" => "ClientFail",
"ClientAlert" => "HandshakeFailure",
"ExpectedClientAlert" => "HandshakeFailure",
},
},
);

View file

@ -92,7 +92,7 @@ VerifyMode = Peer
[test-2]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
ExpectedServerAlert = HandshakeFailure
# ===========================================================
@ -146,7 +146,7 @@ VerifyMode = Peer
[test-4]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
ExpectedServerAlert = UnknownCA
# ===========================================================
@ -231,7 +231,7 @@ VerifyMode = Peer
[test-7]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
ExpectedServerAlert = HandshakeFailure
# ===========================================================
@ -293,7 +293,7 @@ VerifyMode = Peer
[test-9]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
ExpectedServerAlert = UnknownCA
# ===========================================================
@ -378,7 +378,7 @@ VerifyMode = Peer
[test-12]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
ExpectedServerAlert = HandshakeFailure
# ===========================================================
@ -440,7 +440,7 @@ VerifyMode = Peer
[test-14]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
ExpectedServerAlert = UnknownCA
# ===========================================================
@ -525,7 +525,7 @@ VerifyMode = Peer
[test-17]
ExpectedResult = ServerFail
ServerAlert = HandshakeFailure
ExpectedServerAlert = HandshakeFailure
# ===========================================================
@ -587,6 +587,6 @@ VerifyMode = Peer
[test-19]
ExpectedResult = ServerFail
ServerAlert = UnknownCA
ExpectedServerAlert = UnknownCA

View file

@ -77,7 +77,7 @@ sub generate_tests() {
},
test => {
"ExpectedResult" => "ServerFail",
"ServerAlert" => "HandshakeFailure",
"ExpectedServerAlert" => "HandshakeFailure",
},
};
@ -115,7 +115,7 @@ sub generate_tests() {
},
test => {
"ExpectedResult" => "ServerFail",
"ServerAlert" => $caalert,
"ExpectedServerAlert" => $caalert,
},
};
}

View file

@ -31,9 +31,16 @@ VerifyMode = Peer
[test-0]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
server = 0-SNI-switch-context-server-extra
server2 = 0-SNI-switch-context-server-extra
client = 0-SNI-switch-context-client-extra
[0-SNI-switch-context-server-extra]
ServerNameCallback = IgnoreMismatch
[0-SNI-switch-context-client-extra]
ServerName = server2
# ===========================================================
@ -58,9 +65,16 @@ VerifyMode = Peer
[test-1]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
server = 1-SNI-keep-context-server-extra
server2 = 1-SNI-keep-context-server-extra
client = 1-SNI-keep-context-client-extra
[1-SNI-keep-context-server-extra]
ServerNameCallback = IgnoreMismatch
[1-SNI-keep-context-client-extra]
ServerName = server1
# ===========================================================
@ -83,6 +97,9 @@ VerifyMode = Peer
[test-2]
ExpectedResult = Success
client = 2-SNI-no-server-support-client-extra
[2-SNI-no-server-support-client-extra]
ServerName = server1
@ -109,6 +126,10 @@ VerifyMode = Peer
[test-3]
ExpectedResult = Success
ExpectedServerName = server1
server = 3-SNI-no-client-support-server-extra
server2 = 3-SNI-no-client-support-server-extra
[3-SNI-no-client-support-server-extra]
ServerNameCallback = IgnoreMismatch
@ -135,9 +156,16 @@ VerifyMode = Peer
[test-4]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = invalid
server = 4-SNI-bad-sni-ignore-mismatch-server-extra
server2 = 4-SNI-bad-sni-ignore-mismatch-server-extra
client = 4-SNI-bad-sni-ignore-mismatch-client-extra
[4-SNI-bad-sni-ignore-mismatch-server-extra]
ServerNameCallback = IgnoreMismatch
[4-SNI-bad-sni-ignore-mismatch-client-extra]
ServerName = invalid
# ===========================================================
@ -161,8 +189,15 @@ VerifyMode = Peer
[test-5]
ExpectedResult = ServerFail
ServerAlert = UnrecognizedName
ServerName = invalid
ExpectedServerAlert = UnrecognizedName
server = 5-SNI-bad-sni-reject-mismatch-server-extra
server2 = 5-SNI-bad-sni-reject-mismatch-server-extra
client = 5-SNI-bad-sni-reject-mismatch-client-extra
[5-SNI-bad-sni-reject-mismatch-server-extra]
ServerNameCallback = RejectMismatch
[5-SNI-bad-sni-reject-mismatch-client-extra]
ServerName = invalid

View file

@ -17,58 +17,96 @@ package ssltests;
our @tests = (
{
name => "SNI-switch-context",
server => { },
client => { },
test => { "ServerName" => "server2",
"ExpectedServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedResult" => "Success" },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => {
extra => {
"ServerName" => "server2",
},
},
test => {
"ExpectedServerName" => "server2",
"ExpectedResult" => "Success"
},
},
{
name => "SNI-keep-context",
server => { },
client => { },
test => { "ServerName" => "server1",
"ExpectedServerName" => "server1",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedResult" => "Success" },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => {
extra => {
"ServerName" => "server1",
},
},
test => {
"ExpectedServerName" => "server1",
"ExpectedResult" => "Success"
},
},
{
name => "SNI-no-server-support",
server => { },
client => { },
test => { "ServerName" => "server1",
"ExpectedResult" => "Success" },
client => {
extra => {
"ServerName" => "server1",
},
},
test => { "ExpectedResult" => "Success" },
},
{
name => "SNI-no-client-support",
server => { },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => { },
test => {
# We expect that the callback is still called
# to let the application decide whether they tolerate
# missing SNI (as our test callback does).
"ExpectedServerName" => "server1",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedResult" => "Success"
},
},
{
name => "SNI-bad-sni-ignore-mismatch",
server => { },
client => { },
test => { "ServerName" => "invalid",
"ExpectedServerName" => "server1",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedResult" => "Success" },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
client => {
extra => {
"ServerName" => "invalid",
},
},
test => {
"ExpectedServerName" => "server1",
"ExpectedResult" => "Success"
},
},
{
name => "SNI-bad-sni-reject-mismatch",
server => { },
client => { },
test => { "ServerName" => "invalid",
"ServerNameCallback" => "RejectMismatch",
"ExpectedResult" => "ServerFail",
"ServerAlert" => "UnrecognizedName"},
server => {
extra => {
"ServerNameCallback" => "RejectMismatch",
},
},
client => {
extra => {
"ServerName" => "invalid",
},
},
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" => "UnrecognizedName"
},
},
);

View file

@ -49,8 +49,15 @@ VerifyMode = Peer
[test-0]
ExpectedResult = Success
SessionTicketExpected = No
server = 0-sni-session-ticket-server-extra
client = 0-sni-session-ticket-client-extra
[0-sni-session-ticket-server-extra]
BrokenSessionTicket = Yes
[0-sni-session-ticket-client-extra]
ServerName = server1
SessionTicketExpected = Broken
# ===========================================================
@ -84,9 +91,15 @@ VerifyMode = Peer
[test-1]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
server = 1-sni-session-ticket-server-extra
client = 1-sni-session-ticket-client-extra
[1-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[1-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -120,9 +133,15 @@ VerifyMode = Peer
[test-2]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
server = 2-sni-session-ticket-server-extra
client = 2-sni-session-ticket-client-extra
[2-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[2-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -156,9 +175,15 @@ VerifyMode = Peer
[test-3]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
server = 3-sni-session-ticket-server-extra
client = 3-sni-session-ticket-client-extra
[3-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[3-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -192,9 +217,15 @@ VerifyMode = Peer
[test-4]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 4-sni-session-ticket-server-extra
client = 4-sni-session-ticket-client-extra
[4-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[4-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -228,9 +259,15 @@ VerifyMode = Peer
[test-5]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 5-sni-session-ticket-server-extra
client = 5-sni-session-ticket-client-extra
[5-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[5-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -264,9 +301,15 @@ VerifyMode = Peer
[test-6]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 6-sni-session-ticket-server-extra
client = 6-sni-session-ticket-client-extra
[6-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[6-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -300,9 +343,15 @@ VerifyMode = Peer
[test-7]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 7-sni-session-ticket-server-extra
client = 7-sni-session-ticket-client-extra
[7-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[7-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -336,9 +385,15 @@ VerifyMode = Peer
[test-8]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 8-sni-session-ticket-server-extra
client = 8-sni-session-ticket-client-extra
[8-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[8-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -372,9 +427,15 @@ VerifyMode = Peer
[test-9]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 9-sni-session-ticket-server-extra
client = 9-sni-session-ticket-client-extra
[9-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[9-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -408,9 +469,15 @@ VerifyMode = Peer
[test-10]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 10-sni-session-ticket-server-extra
client = 10-sni-session-ticket-client-extra
[10-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[10-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -444,9 +511,15 @@ VerifyMode = Peer
[test-11]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 11-sni-session-ticket-server-extra
client = 11-sni-session-ticket-client-extra
[11-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[11-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -480,9 +553,15 @@ VerifyMode = Peer
[test-12]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 12-sni-session-ticket-server-extra
client = 12-sni-session-ticket-client-extra
[12-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[12-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -516,9 +595,15 @@ VerifyMode = Peer
[test-13]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 13-sni-session-ticket-server-extra
client = 13-sni-session-ticket-client-extra
[13-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[13-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -552,9 +637,15 @@ VerifyMode = Peer
[test-14]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 14-sni-session-ticket-server-extra
client = 14-sni-session-ticket-client-extra
[14-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[14-sni-session-ticket-client-extra]
ServerName = server2
# ===========================================================
@ -588,9 +679,15 @@ VerifyMode = Peer
[test-15]
ExpectedResult = Success
ExpectedServerName = server1
ServerName = server1
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 15-sni-session-ticket-server-extra
client = 15-sni-session-ticket-client-extra
[15-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[15-sni-session-ticket-client-extra]
ServerName = server1
# ===========================================================
@ -624,8 +721,14 @@ VerifyMode = Peer
[test-16]
ExpectedResult = Success
ExpectedServerName = server2
ServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = No
server = 16-sni-session-ticket-server-extra
client = 16-sni-session-ticket-client-extra
[16-sni-session-ticket-server-extra]
ServerNameCallback = IgnoreMismatch
[16-sni-session-ticket-client-extra]
ServerName = server2

View file

@ -27,18 +27,22 @@ sub generate_tests() {
"name" => "sni-session-ticket",
"client" => {
"Options" => $c,
"extra" => {
"ServerName" => $n,
},
},
"server" => {
"Options" => $s1,
"extra" => {
# We don't test mismatch here.
"ServerNameCallback" => "IgnoreMismatch",
},
},
"server2" => {
"Options" => $s2,
},
"test" => {
"ServerName" => $n,
"ExpectedServerName" => $n,
# We don't test mismatch here.
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedResult" => "Success",
"SessionTicketExpected" => $result,
}
@ -69,17 +73,22 @@ push @tests, {
"name" => "sni-session-ticket",
"client" => {
"Options" => "SessionTicket",
"extra" => {
"ServerName" => "server1",
}
},
"server" => {
"Options" => "SessionTicket",
"extra" => {
"BrokenSessionTicket" => "Yes",
},
},
"server2" => {
"Options" => "SessionTicket",
},
"test" => {
"ServerName" => "server1",
"ExpectedResult" => "Success",
"SessionTicketExpected" => "Broken",
"SessionTicketExpected" => "No",
}
};
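Review bot: With the expectation in this test changed from "Broken" to "No" and the breakage moved to `"BrokenSessionTicket" => "Yes"` on the server, handshake_helper no longer compares against SSL_TEST_SESSION_TICKET_BROKEN, so check that the Broken value is also dropped from the SessionTicketExpected parser; a leftover "Broken" expectation should be rejected rather than silently accepted. This test also reuses the name "sni-session-ticket" of the generated cases above, which makes its `0-sni-session-ticket-server-extra` section hard to tell apart in the generated configuration; a distinct name would help.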

View file

@ -88,9 +88,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -115,9 +115,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -141,9 +141,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -169,9 +169,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -197,9 +197,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -224,9 +224,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -304,9 +304,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -331,9 +331,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -357,9 +357,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-10]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -385,9 +385,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -413,9 +413,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-12]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -440,9 +440,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -468,9 +468,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-14]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -495,9 +495,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-15]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -521,9 +521,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-16]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -547,9 +547,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-17]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -572,9 +572,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-18]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -599,9 +599,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-19]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -626,9 +626,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-20]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -652,9 +652,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-21]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -679,9 +679,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-22]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -705,9 +705,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-23]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -733,9 +733,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-24]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -761,9 +761,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-25]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -788,9 +788,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-26]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -817,9 +817,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-27]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -846,9 +846,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-28]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -874,9 +874,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-29]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -957,9 +957,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-32]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -985,9 +985,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-33]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1012,9 +1012,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-34]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1041,9 +1041,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-35]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -1070,9 +1070,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-36]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1098,9 +1098,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-37]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1127,9 +1127,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-38]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1155,9 +1155,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-39]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1182,9 +1182,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-40]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -1209,9 +1209,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-41]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1235,9 +1235,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-42]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1263,9 +1263,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-43]
ExpectedProtocol = DTLSv1
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1
# ===========================================================
@ -1291,9 +1291,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-44]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1318,9 +1318,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-45]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1346,9 +1346,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-46]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1373,9 +1373,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-47]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1428,9 +1428,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-49]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1455,9 +1455,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-50]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1512,9 +1512,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-52]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1540,9 +1540,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-53]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1569,9 +1569,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-54]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1597,9 +1597,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-55]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1650,9 +1650,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-57]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1676,9 +1676,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-58]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1731,9 +1731,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-60]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1758,9 +1758,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-61]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1786,9 +1786,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-62]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2
# ===========================================================
@ -1813,8 +1813,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-63]
ExpectedProtocol = DTLSv1.2
ExpectedResult = Success
Method = DTLS
Protocol = DTLSv1.2

View file

@ -34,9 +34,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ClientNPNProtocols = foo
ExpectedNPNProtocol = foo
ServerNPNProtocols = foo
server = 0-npn-simple-server-extra
client = 0-npn-simple-client-extra
[0-npn-simple-server-extra]
NPNProtocols = foo
[0-npn-simple-client-extra]
NPNProtocols = foo
# ===========================================================
@ -59,9 +65,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ClientNPNProtocols = foo,bar
ExpectedNPNProtocol = bar
ServerNPNProtocols = baz,bar
server = 1-npn-client-finds-match-server-extra
client = 1-npn-client-finds-match-client-extra
[1-npn-client-finds-match-server-extra]
NPNProtocols = baz,bar
[1-npn-client-finds-match-client-extra]
NPNProtocols = foo,bar
# ===========================================================
@ -84,9 +96,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ClientNPNProtocols = foo,bar
ExpectedNPNProtocol = bar
ServerNPNProtocols = bar,foo
server = 2-npn-client-honours-server-pref-server-extra
client = 2-npn-client-honours-server-pref-client-extra
[2-npn-client-honours-server-pref-server-extra]
NPNProtocols = bar,foo
[2-npn-client-honours-server-pref-client-extra]
NPNProtocols = foo,bar
# ===========================================================
@ -109,9 +127,15 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ClientNPNProtocols = foo,bar
ExpectedNPNProtocol = foo
ServerNPNProtocols = baz
server = 3-npn-client-first-pref-on-mismatch-server-extra
client = 3-npn-client-first-pref-on-mismatch-client-extra
[3-npn-client-first-pref-on-mismatch-server-extra]
NPNProtocols = baz
[3-npn-client-first-pref-on-mismatch-client-extra]
NPNProtocols = foo,bar
# ===========================================================
@ -134,7 +158,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ClientNPNProtocols = foo
client = 4-npn-no-server-support-client-extra
[4-npn-no-server-support-client-extra]
NPNProtocols = foo
# ===========================================================
@ -157,7 +184,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ServerNPNProtocols = foo
server = 5-npn-no-client-support-server-extra
[5-npn-no-client-support-server-extra]
NPNProtocols = foo
# ===========================================================
@ -186,14 +216,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ClientNPNProtocols = foo,bar
ExpectedNPNProtocol = foo
ExpectedServerName = server1
Server2NPNProtocols = bar
ServerNPNProtocols = foo
ServerName = server1
server = 6-npn-with-sni-no-context-switch-server-extra
server2 = 6-npn-with-sni-no-context-switch-server2-extra
client = 6-npn-with-sni-no-context-switch-client-extra
[6-npn-with-sni-no-context-switch-server-extra]
NPNProtocols = foo
ServerNameCallback = IgnoreMismatch
[6-npn-with-sni-no-context-switch-server2-extra]
NPNProtocols = bar
[6-npn-with-sni-no-context-switch-client-extra]
NPNProtocols = foo,bar
ServerName = server1
# ===========================================================
@ -221,14 +260,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ClientNPNProtocols = foo,bar
ExpectedNPNProtocol = bar
ExpectedServerName = server2
Server2NPNProtocols = bar
ServerNPNProtocols = foo
ServerName = server2
server = 7-npn-with-sni-context-switch-server-extra
server2 = 7-npn-with-sni-context-switch-server2-extra
client = 7-npn-with-sni-context-switch-client-extra
[7-npn-with-sni-context-switch-server-extra]
NPNProtocols = foo
ServerNameCallback = IgnoreMismatch
[7-npn-with-sni-context-switch-server2-extra]
NPNProtocols = bar
[7-npn-with-sni-context-switch-client-extra]
NPNProtocols = foo,bar
ServerName = server2
# ===========================================================
@ -256,13 +304,22 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ClientNPNProtocols = foo,bar
ExpectedNPNProtocol = bar
ExpectedServerName = server2
Server2NPNProtocols = bar
ServerName = server2
server = 8-npn-selected-sni-server-supports-npn-server-extra
server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
client = 8-npn-selected-sni-server-supports-npn-client-extra
[8-npn-selected-sni-server-supports-npn-server-extra]
ServerNameCallback = IgnoreMismatch
[8-npn-selected-sni-server-supports-npn-server2-extra]
NPNProtocols = bar
[8-npn-selected-sni-server-supports-npn-client-extra]
NPNProtocols = foo,bar
ServerName = server2
# ===========================================================
@ -290,12 +347,18 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ClientNPNProtocols = foo,bar
ExpectedServerName = server2
ServerNPNProtocols = foo
ServerName = server2
server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
[9-npn-selected-sni-server-does-not-support-npn-server-extra]
NPNProtocols = bar
ServerNameCallback = IgnoreMismatch
[9-npn-selected-sni-server-does-not-support-npn-client-extra]
NPNProtocols = foo,bar
ServerName = server2
# ===========================================================
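Review bot: The server value in `[test-9]` changes as part of the move: the old line is `ServerNPNProtocols = foo`, but the new `[9-npn-selected-sni-server-does-not-support-npn-server-extra]` section has `NPNProtocols = bar`. Every other test in this file carries its values over unchanged, and the commit message describes the change as a straightforward regrouping. Both values overlap with the client's `foo,bar`, so the expected outcome is the same, but please either keep `foo` or say in the commit message why this one differs.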
@ -317,11 +380,17 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-10]
ClientALPNProtocols = foo
ClientNPNProtocols = bar
ExpectedALPNProtocol = foo
ServerALPNProtocols = foo
ServerNPNProtocols = bar
server = 10-alpn-preferred-over-npn-server-extra
client = 10-alpn-preferred-over-npn-client-extra
[10-alpn-preferred-over-npn-server-extra]
ALPNProtocols = foo
NPNProtocols = bar
[10-alpn-preferred-over-npn-client-extra]
ALPNProtocols = foo
NPNProtocols = bar
# ===========================================================
@ -350,13 +419,22 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ClientALPNProtocols = foo
ClientNPNProtocols = bar
ExpectedNPNProtocol = bar
ExpectedServerName = server2
Server2NPNProtocols = bar
ServerALPNProtocols = foo
ServerName = server2
server = 11-sni-npn-preferred-over-alpn-server-extra
server2 = 11-sni-npn-preferred-over-alpn-server2-extra
client = 11-sni-npn-preferred-over-alpn-client-extra
[11-sni-npn-preferred-over-alpn-server-extra]
ALPNProtocols = foo
ServerNameCallback = IgnoreMismatch
[11-sni-npn-preferred-over-alpn-server2-extra]
NPNProtocols = bar
[11-sni-npn-preferred-over-alpn-client-extra]
ALPNProtocols = foo
NPNProtocols = bar
ServerName = server2

View file

@ -18,148 +18,226 @@ package ssltests;
our @tests = (
{
name => "npn-simple",
server => { },
client => { },
server => {
extra => {
"NPNProtocols" => "foo",
},
},
client => {
extra => {
"NPNProtocols" => "foo",
},
},
test => {
"ClientNPNProtocols" => "foo",
"ServerNPNProtocols" => "foo",
"ExpectedNPNProtocol" => "foo",
},
},
{
name => "npn-client-finds-match",
server => { },
client => { },
server => {
extra => {
"NPNProtocols" => "baz,bar",
},
},
client => {
extra => {
"NPNProtocols" => "foo,bar",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"ServerNPNProtocols" => "baz,bar",
"ExpectedNPNProtocol" => "bar",
},
},
{
name => "npn-client-honours-server-pref",
server => { },
client => { },
server => {
extra => {
"NPNProtocols" => "bar,foo",
},
},
client => {
extra => {
"NPNProtocols" => "foo,bar",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"ServerNPNProtocols" => "bar,foo",
"ExpectedNPNProtocol" => "bar",
},
},
{
name => "npn-client-first-pref-on-mismatch",
server => { },
client => { },
server => {
extra => {
"NPNProtocols" => "baz",
},
},
client => {
extra => {
"NPNProtocols" => "foo,bar",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"ServerNPNProtocols" => "baz",
"ExpectedNPNProtocol" => "foo",
},
},
{
name => "npn-no-server-support",
server => { },
client => { },
client => {
extra => {
"NPNProtocols" => "foo",
},
},
test => {
"ClientNPNProtocols" => "foo",
"ExpectedNPNProtocol" => undef,
},
},
{
name => "npn-no-client-support",
server => { },
server => {
extra => {
"NPNProtocols" => "foo",
},
},
client => { },
test => {
"ServerNPNProtocols" => "foo",
"ExpectedNPNProtocol" => undef,
},
},
{
name => "npn-with-sni-no-context-switch",
server => { },
server2 => { },
client => { },
server => {
extra => {
"NPNProtocols" => "foo",
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => {
extra => {
"NPNProtocols" => "bar",
},
},
client => {
extra => {
"NPNProtocols" => "foo,bar",
"ServerName" => "server1",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"ServerNPNProtocols" => "foo",
"Server2NPNProtocols" => "bar",
"ServerName" => "server1",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server1",
"ExpectedNPNProtocol" => "foo",
},
},
{
name => "npn-with-sni-context-switch",
server => { },
server2 => { },
client => { },
server => {
extra => {
"NPNProtocols" => "foo",
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => {
extra => {
"NPNProtocols" => "bar",
},
},
client => {
extra => {
"NPNProtocols" => "foo,bar",
"ServerName" => "server2",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"ServerNPNProtocols" => "foo",
"Server2NPNProtocols" => "bar",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedNPNProtocol" => "bar",
},
},
{
name => "npn-selected-sni-server-supports-npn",
server => { },
server2 => { },
client => { },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => {
extra => {
"NPNProtocols" => "bar",
},
},
client => {
extra => {
"NPNProtocols" => "foo,bar",
"ServerName" => "server2",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"Server2NPNProtocols" => "bar",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedNPNProtocol" => "bar",
},
},
{
name => "npn-selected-sni-server-does-not-support-npn",
server => { },
server => {
extra => {
"NPNProtocols" => "bar",
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => { },
client => { },
client => {
extra => {
"NPNProtocols" => "foo,bar",
"ServerName" => "server2",
},
},
test => {
"ClientNPNProtocols" => "foo,bar",
"ServerNPNProtocols" => "foo",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedNPNProtocol" => undef,
},
},
{
name => "alpn-preferred-over-npn",
server => { },
client => { },
server => {
extra => {
"ALPNProtocols" => "foo",
"NPNProtocols" => "bar",
},
},
client => {
extra => {
"ALPNProtocols" => "foo",
"NPNProtocols" => "bar",
},
},
test => {
"ClientALPNProtocols" => "foo",
"ClientNPNProtocols" => "bar",
"ServerALPNProtocols" => "foo",
"ServerNPNProtocols" => "bar",
"ExpectedALPNProtocol" => "foo",
"ExpectedNPNProtocol" => undef,
},
},
{
name => "sni-npn-preferred-over-alpn",
server => { },
server2 => { },
client => { },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
"ALPNProtocols" => "foo",
},
},
server2 => {
extra => {
"NPNProtocols" => "bar",
},
},
client => {
extra => {
"ServerName" => "server2",
"ALPNProtocols" => "foo",
"NPNProtocols" => "bar",
},
},
test => {
"ClientALPNProtocols" => "foo",
"ClientNPNProtocols" => "bar",
"ServerALPNProtocols" => "foo",
"Server2NPNProtocols" => "bar",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedALPNProtocol" => undef,
"ExpectedNPNProtocol" => "bar",
"ExpectedServerName" => "server2",
},
},
);
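Review bot: In the `npn-selected-sni-server-does-not-support-npn` entry the server's protocol list is not carried over verbatim: the `test` section had `"ServerNPNProtocols" => "foo"`, and the new server `extra` block has `"NPNProtocols" => "bar"`. All other entries in this hunk move their values unchanged, so this looks like either a slip or an intentional tweak that deserves a line in the commit message. Separately, in `sni-npn-preferred-over-alpn` the `"ExpectedServerName" => "server2"` line is moved to the end of the `test` section, which adds noise to the diff without changing anything; keeping it in its original position would make the entry easier to compare against the others.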

View file

@ -3,8 +3,8 @@
num_tests = 10
test-0 = 0-alpn-simple
test-1 = 1-alpn-client-finds-match
test-2 = 2-alpn-client-honours-server-pref
test-1 = 1-alpn-server-finds-match
test-2 = 2-alpn-server-honours-server-pref
test-3 = 3-alpn-alert-on-mismatch
test-4 = 4-alpn-no-server-support
test-5 = 5-alpn-no-client-support
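Review bot: Renaming `1-alpn-client-finds-match` and `2-alpn-client-honours-server-pref` to `...-server-finds-match` and `...-server-honours-server-pref` is not mentioned in the commit message, which only covers moving options into `extra` and the `Expected` prefix. The new names are a reasonable fit for ALPN, where the server makes the selection, but the rename changes section names throughout the generated config and is easy to miss in a change of this size. Please add a sentence to the commit message or split it into its own commit.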
@ -32,59 +32,77 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ClientALPNProtocols = foo
ExpectedALPNProtocol = foo
ServerALPNProtocols = foo
server = 0-alpn-simple-server-extra
client = 0-alpn-simple-client-extra
[0-alpn-simple-server-extra]
ALPNProtocols = foo
[0-alpn-simple-client-extra]
ALPNProtocols = foo
# ===========================================================
[1-alpn-client-finds-match]
ssl_conf = 1-alpn-client-finds-match-ssl
[1-alpn-server-finds-match]
ssl_conf = 1-alpn-server-finds-match-ssl
[1-alpn-client-finds-match-ssl]
server = 1-alpn-client-finds-match-server
client = 1-alpn-client-finds-match-client
[1-alpn-server-finds-match-ssl]
server = 1-alpn-server-finds-match-server
client = 1-alpn-server-finds-match-client
[1-alpn-client-finds-match-server]
[1-alpn-server-finds-match-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-alpn-client-finds-match-client]
[1-alpn-server-finds-match-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ClientALPNProtocols = foo,bar
ExpectedALPNProtocol = bar
ServerALPNProtocols = baz,bar
server = 1-alpn-server-finds-match-server-extra
client = 1-alpn-server-finds-match-client-extra
[1-alpn-server-finds-match-server-extra]
ALPNProtocols = baz,bar
[1-alpn-server-finds-match-client-extra]
ALPNProtocols = foo,bar
# ===========================================================
[2-alpn-client-honours-server-pref]
ssl_conf = 2-alpn-client-honours-server-pref-ssl
[2-alpn-server-honours-server-pref]
ssl_conf = 2-alpn-server-honours-server-pref-ssl
[2-alpn-client-honours-server-pref-ssl]
server = 2-alpn-client-honours-server-pref-server
client = 2-alpn-client-honours-server-pref-client
[2-alpn-server-honours-server-pref-ssl]
server = 2-alpn-server-honours-server-pref-server
client = 2-alpn-server-honours-server-pref-client
[2-alpn-client-honours-server-pref-server]
[2-alpn-server-honours-server-pref-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-alpn-client-honours-server-pref-client]
[2-alpn-server-honours-server-pref-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ClientALPNProtocols = foo,bar
ExpectedALPNProtocol = bar
ServerALPNProtocols = bar,foo
server = 2-alpn-server-honours-server-pref-server-extra
client = 2-alpn-server-honours-server-pref-client-extra
[2-alpn-server-honours-server-pref-server-extra]
ALPNProtocols = bar,foo
[2-alpn-server-honours-server-pref-client-extra]
ALPNProtocols = foo,bar
# ===========================================================
@ -107,10 +125,16 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ClientALPNProtocols = foo,bar
ExpectedResult = ServerFail
ServerALPNProtocols = baz
ServerAlert = NoApplicationProtocol
ExpectedServerAlert = NoApplicationProtocol
server = 3-alpn-alert-on-mismatch-server-extra
client = 3-alpn-alert-on-mismatch-client-extra
[3-alpn-alert-on-mismatch-server-extra]
ALPNProtocols = baz
[3-alpn-alert-on-mismatch-client-extra]
ALPNProtocols = foo,bar
# ===========================================================
@ -133,7 +157,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ClientALPNProtocols = foo
client = 4-alpn-no-server-support-client-extra
[4-alpn-no-server-support-client-extra]
ALPNProtocols = foo
# ===========================================================
@ -156,7 +183,10 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ServerALPNProtocols = foo
server = 5-alpn-no-client-support-server-extra
[5-alpn-no-client-support-server-extra]
ALPNProtocols = foo
# ===========================================================
@ -185,14 +215,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ClientALPNProtocols = foo,bar
ExpectedALPNProtocol = foo
ExpectedServerName = server1
Server2ALPNProtocols = bar
ServerALPNProtocols = foo
ServerName = server1
server = 6-alpn-with-sni-no-context-switch-server-extra
server2 = 6-alpn-with-sni-no-context-switch-server2-extra
client = 6-alpn-with-sni-no-context-switch-client-extra
[6-alpn-with-sni-no-context-switch-server-extra]
ALPNProtocols = foo
ServerNameCallback = IgnoreMismatch
[6-alpn-with-sni-no-context-switch-server2-extra]
ALPNProtocols = bar
[6-alpn-with-sni-no-context-switch-client-extra]
ALPNProtocols = foo,bar
ServerName = server1
# ===========================================================
@ -220,14 +259,23 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ClientALPNProtocols = foo,bar
ExpectedALPNProtocol = bar
ExpectedServerName = server2
Server2ALPNProtocols = bar
ServerALPNProtocols = foo
ServerName = server2
server = 7-alpn-with-sni-context-switch-server-extra
server2 = 7-alpn-with-sni-context-switch-server2-extra
client = 7-alpn-with-sni-context-switch-client-extra
[7-alpn-with-sni-context-switch-server-extra]
ALPNProtocols = foo
ServerNameCallback = IgnoreMismatch
[7-alpn-with-sni-context-switch-server2-extra]
ALPNProtocols = bar
[7-alpn-with-sni-context-switch-client-extra]
ALPNProtocols = foo,bar
ServerName = server2
# ===========================================================
@ -255,13 +303,22 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ClientALPNProtocols = foo,bar
ExpectedALPNProtocol = bar
ExpectedServerName = server2
Server2ALPNProtocols = bar
ServerName = server2
server = 8-alpn-selected-sni-server-supports-alpn-server-extra
server2 = 8-alpn-selected-sni-server-supports-alpn-server2-extra
client = 8-alpn-selected-sni-server-supports-alpn-client-extra
[8-alpn-selected-sni-server-supports-alpn-server-extra]
ServerNameCallback = IgnoreMismatch
[8-alpn-selected-sni-server-supports-alpn-server2-extra]
ALPNProtocols = bar
[8-alpn-selected-sni-server-supports-alpn-client-extra]
ALPNProtocols = foo,bar
ServerName = server2
# ===========================================================
@ -289,10 +346,16 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ClientALPNProtocols = foo,bar
ExpectedServerName = server2
ServerALPNProtocols = foo
ServerName = server2
server = 9-alpn-selected-sni-server-does-not-support-alpn-server-extra
client = 9-alpn-selected-sni-server-does-not-support-alpn-client-extra
[9-alpn-selected-sni-server-does-not-support-alpn-server-extra]
ALPNProtocols = bar
ServerNameCallback = IgnoreMismatch
[9-alpn-selected-sni-server-does-not-support-alpn-client-extra]
ALPNProtocols = foo,bar
ServerName = server2
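Review bot: As with the NPN counterpart, the server value in `[test-9]` changes during the move: `ServerALPNProtocols = foo` becomes `ALPNProtocols = bar` in `[9-alpn-selected-sni-server-does-not-support-alpn-server-extra]`. The client still offers `foo,bar` and no `ExpectedALPNProtocol` is set, so the result should not depend on which value the first server context holds, but the change is unexplained in an otherwise mechanical refactor. Please keep `foo` or note the reason for the new value.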

View file

@ -18,117 +18,180 @@ package ssltests;
our @tests = (
{
name => "alpn-simple",
server => { },
client => { },
server => {
extra => {
"ALPNProtocols" => "foo",
},
},
client => {
extra => {
"ALPNProtocols" => "foo",
},
},
test => {
"ClientALPNProtocols" => "foo",
"ServerALPNProtocols" => "foo",
"ExpectedALPNProtocol" => "foo",
},
},
{
name => "alpn-client-finds-match",
server => { },
client => { },
name => "alpn-server-finds-match",
server => {
extra => {
"ALPNProtocols" => "baz,bar",
},
},
client => {
extra => {
"ALPNProtocols" => "foo,bar",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"ServerALPNProtocols" => "baz,bar",
"ExpectedALPNProtocol" => "bar",
},
},
{
name => "alpn-client-honours-server-pref",
server => { },
client => { },
name => "alpn-server-honours-server-pref",
server => {
extra => {
"ALPNProtocols" => "bar,foo",
},
},
client => {
extra => {
"ALPNProtocols" => "foo,bar",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"ServerALPNProtocols" => "bar,foo",
"ExpectedALPNProtocol" => "bar",
},
},
{
name => "alpn-alert-on-mismatch",
server => { },
client => { },
server => {
extra => {
"ALPNProtocols" => "baz",
},
},
client => {
extra => {
"ALPNProtocols" => "foo,bar",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"ServerALPNProtocols" => "baz",
"ExpectedResult" => "ServerFail",
"ServerAlert" => "NoApplicationProtocol",
"ExpectedServerAlert" => "NoApplicationProtocol",
},
},
{
name => "alpn-no-server-support",
server => { },
client => { },
client => {
extra => {
"ALPNProtocols" => "foo",
},
},
test => {
"ClientALPNProtocols" => "foo",
"ExpectedALPNProtocol" => undef,
},
},
{
name => "alpn-no-client-support",
server => { },
server => {
extra => {
"ALPNProtocols" => "foo",
},
},
client => { },
test => {
"ServerALPNProtocols" => "foo",
"ExpectedALPNProtocol" => undef,
},
},
{
name => "alpn-with-sni-no-context-switch",
server => { },
server2 => { },
client => { },
server => {
extra => {
"ALPNProtocols" => "foo",
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => {
extra => {
"ALPNProtocols" => "bar",
},
},
client => {
extra => {
"ALPNProtocols" => "foo,bar",
"ServerName" => "server1",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"ServerALPNProtocols" => "foo",
"Server2ALPNProtocols" => "bar",
"ServerName" => "server1",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server1",
"ExpectedALPNProtocol" => "foo",
},
},
{
name => "alpn-with-sni-context-switch",
server => { },
server2 => { },
client => { },
server => {
extra => {
"ALPNProtocols" => "foo",
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => {
extra => {
"ALPNProtocols" => "bar",
},
},
client => {
extra => {
"ALPNProtocols" => "foo,bar",
"ServerName" => "server2",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"ServerALPNProtocols" => "foo",
"Server2ALPNProtocols" => "bar",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedALPNProtocol" => "bar",
},
},
{
name => "alpn-selected-sni-server-supports-alpn",
server => { },
server2 => { },
client => { },
server => {
extra => {
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => {
extra => {
"ALPNProtocols" => "bar",
},
},
client => {
extra => {
"ALPNProtocols" => "foo,bar",
"ServerName" => "server2",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"Server2ALPNProtocols" => "bar",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedALPNProtocol" => "bar",
},
},
{
name => "alpn-selected-sni-server-does-not-support-alpn",
server => { },
server => {
extra => {
"ALPNProtocols" => "bar",
"ServerNameCallback" => "IgnoreMismatch",
},
},
server2 => { },
client => { },
client => {
extra => {
"ALPNProtocols" => "foo,bar",
"ServerName" => "server2",
},
},
test => {
"ClientALPNProtocols" => "foo,bar",
"ServerALPNProtocols" => "foo",
"ServerName" => "server2",
"ServerNameCallback" => "IgnoreMismatch",
"ExpectedServerName" => "server2",
"ExpectedALPNProtocol" => undef,
},
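Review bot: In `alpn-selected-sni-server-does-not-support-alpn` the first server's ALPN list silently changes value as well as location: the old test-level key was `"ServerALPNProtocols" => "foo"`, while the new `server => { extra => ... }` block sets `"ALPNProtocols" => "bar"`. The expectation (`ExpectedALPNProtocol => undef`) still holds because server2 has no ALPN list, but a commit described as a straightforward reorganization should either keep `foo` or say why the value moved to `bar`. The same applies to the two renames `alpn-client-finds-match` to `alpn-server-finds-match` and `alpn-client-honours-server-pref` to `alpn-server-honours-server-pref`: they read as a correctness fix to the test names and deserve a line in the commit message, since the rename also changes the generated section names.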

View file

@ -69,8 +69,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = Yes
@ -105,8 +105,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = Yes
@ -141,8 +141,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -177,8 +177,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -213,8 +213,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -249,8 +249,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -285,8 +285,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -321,8 +321,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -357,8 +357,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = Yes
@ -393,8 +393,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = Yes
@ -429,8 +429,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-10]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -465,8 +465,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -501,8 +501,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-12]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -537,8 +537,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -573,8 +573,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-14]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -609,8 +609,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-15]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -645,8 +645,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-16]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = Yes
@ -681,8 +681,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-17]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = Yes
@ -717,8 +717,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-18]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = Yes
@ -753,8 +753,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-19]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = Yes
@ -789,8 +789,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-20]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -825,8 +825,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-21]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -861,8 +861,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-22]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -897,8 +897,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-23]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -933,8 +933,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-24]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -969,8 +969,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-25]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -1005,8 +1005,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-26]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = Yes
@ -1041,8 +1041,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-27]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = Yes
@ -1077,8 +1077,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-28]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -1113,8 +1113,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-29]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = No
@ -1149,8 +1149,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-30]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -1185,8 +1185,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-31]
ExpectedProtocol = TLSv1
HandshakeMode = Resume
Protocol = TLSv1
ResumptionExpected = No
@ -1221,8 +1221,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-32]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -1257,8 +1257,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-33]
ExpectedProtocol = TLSv1.1
HandshakeMode = Resume
Protocol = TLSv1.1
ResumptionExpected = No
@ -1293,8 +1293,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-34]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = Yes
@ -1329,8 +1329,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-35]
ExpectedProtocol = TLSv1.2
HandshakeMode = Resume
Protocol = TLSv1.2
ResumptionExpected = Yes

View file

@ -49,9 +49,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = Yes
@ -86,9 +86,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = Yes
@ -123,9 +123,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = No
@ -160,9 +160,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = No
@ -197,9 +197,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = No
@ -234,9 +234,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = No
@ -271,9 +271,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = Yes
@ -308,9 +308,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = Yes
@ -345,9 +345,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = Yes
@ -382,9 +382,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = Yes
@ -419,9 +419,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-10]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = No
@ -456,9 +456,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = No
@ -493,9 +493,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-12]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = No
@ -530,9 +530,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
ExpectedProtocol = DTLSv1
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1
ResumptionExpected = No
@ -567,9 +567,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-14]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = Yes
@ -604,9 +604,9 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-15]
ExpectedProtocol = DTLSv1.2
HandshakeMode = Resume
Method = DTLS
Protocol = DTLSv1.2
ResumptionExpected = Yes

View file

@ -117,7 +117,7 @@ sub generate_version_tests {
},
"test" => {
"ExpectedResult" => $result,
"Protocol" => $protocol,
"ExpectedProtocol" => $protocol,
"Method" => $method,
}
};
@ -172,7 +172,7 @@ sub generate_resumption_tests {
"MaxProtocol" => $protocols[$resume_protocol],
},
"test" => {
"Protocol" => $protocols[$resume_protocol],
"ExpectedProtocol" => $protocols[$resume_protocol],
"Method" => $method,
"HandshakeMode" => "Resume",
"ResumptionExpected" => $resumption_expected,
@ -192,7 +192,7 @@ sub generate_resumption_tests {
"MaxProtocol" => $protocols[$resume_protocol],
},
"test" => {
"Protocol" => $protocols[$resume_protocol],
"ExpectedProtocol" => $protocols[$resume_protocol],
"Method" => $method,
"HandshakeMode" => "Resume",
"ResumptionExpected" => $resumption_expected,

View file

@ -79,23 +79,23 @@ static int check_alerts(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
}
/* Tolerate an alert if one wasn't explicitly specified in the test. */
if (test_ctx->client_alert
if (test_ctx->expected_client_alert
/*
* The info callback alert value is computed as
* (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]
* where the low byte is the alert code and the high byte is other stuff.
*/
&& (result->client_alert_sent & 0xff) != test_ctx->client_alert) {
&& (result->client_alert_sent & 0xff) != test_ctx->expected_client_alert) {
fprintf(stderr, "ClientAlert mismatch: expected %s, got %s.\n",
print_alert(test_ctx->client_alert),
print_alert(test_ctx->expected_client_alert),
print_alert(result->client_alert_sent));
return 0;
}
if (test_ctx->server_alert
&& (result->server_alert_sent & 0xff) != test_ctx->server_alert) {
if (test_ctx->expected_server_alert
&& (result->server_alert_sent & 0xff) != test_ctx->expected_server_alert) {
fprintf(stderr, "ServerAlert mismatch: expected %s, got %s.\n",
print_alert(test_ctx->server_alert),
print_alert(test_ctx->expected_server_alert),
print_alert(result->server_alert_sent));
return 0;
}
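Review bot: The two `fprintf` messages in `check_alerts` still say "ClientAlert mismatch" and "ServerAlert mismatch" although the options are now `ExpectedClientAlert` and `ExpectedServerAlert`; someone grepping a failing test's output for the key name will not find it in the conf file. Please rename the strings along with the fields. While touching these lines, note that the comparison masks the sent alert with `& 0xff` but `print_alert(result->client_alert_sent)` and `print_alert(result->server_alert_sent)` are passed the unmasked value, so it is worth checking that the "got" side of the message prints the alert that was actually compared.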
@ -112,10 +112,10 @@ static int check_protocol(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
return 0;
}
if (test_ctx->protocol) {
if (result->client_protocol != test_ctx->protocol) {
if (test_ctx->expected_protocol) {
if (result->client_protocol != test_ctx->expected_protocol) {
fprintf(stderr, "Protocol mismatch: expected %s, got %s.\n",
ssl_protocol_name(test_ctx->protocol),
ssl_protocol_name(test_ctx->expected_protocol),
ssl_protocol_name(result->client_protocol));
return 0;
}
@ -138,9 +138,6 @@ static int check_session_ticket(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx
{
if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_IGNORE)
return 1;
if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN &&
result->session_ticket == SSL_TEST_SESSION_TICKET_NO)
return 1;
if (result->session_ticket != test_ctx->session_ticket_expected) {
fprintf(stderr, "Client SessionTicketExpected mismatch, expected %s, got %s\n.",
ssl_session_ticket_name(test_ctx->session_ticket_expected),
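Review bot: Removing the `SSL_TEST_SESSION_TICKET_BROKEN` branch from `check_session_ticket` is a behaviour change, not a rename: together with the `{"Broken", SSL_TEST_SESSION_TICKET_BROKEN}` entry dropped from `ssl_session_ticket[]`, any test that still sets `SessionTicketExpected = Broken` will now fail at parse time with "Bad value". The replacement appears to be the new server-side `BrokenSessionTicket` boolean, so the commit message or the README should state the migration (which server option to set and which `SessionTicketExpected` value to pair it with). Minor, in the context line below: the format string ends in `got %s\n.`, which puts the full stop on the next line of output.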
@ -230,7 +227,8 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(DTLS_server_method());
OPENSSL_assert(server2_ctx != NULL);
}
@ -245,7 +243,9 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
if (test_ctx->servername_callback != SSL_TEST_SERVERNAME_CB_NONE) {
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(TLS_server_method());
OPENSSL_assert(server2_ctx != NULL);
}
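Review bot: The comment `/* SNI on resumption isn't supported/tested yet. */` is added only in the TLS branch; the DTLS branch in the previous hunk has the identical `test_ctx->extra.server.servername_callback != SSL_TEST_SERVERNAME_CB_NONE` check without it. Both branches decide whether to create `server2_ctx` from `extra.server` alone and never consult `resume_extra`, so the limitation applies to both and should be documented once. Consider computing the condition into a local before the `#ifndef OPENSSL_NO_DTLS` block and putting the comment there, which also removes the duplicated two-line condition.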

View file

@ -26,17 +26,21 @@ client = {-$testname-}-client{-
[{-$testname-}-server]
{-
foreach my $key (sort keys %server) {
# Emitted in the test section.
next if ($key eq "extra");
$OUT .= qq{$key} . " = " . qq{$server{$key}\n} if defined $server{$key};
}
if (%server2) {
$OUT .= "\n[$testname-server2]\n";
foreach my $key (sort keys %server2) {
next if ($key eq "extra");
$OUT .= qq{$key} . " = " . qq{$server2{$key}\n} if defined $server2{$key};
}
}
if (%resume_server) {
$OUT .= "\n[$testname-resume-server]\n";
foreach my $key (sort keys %resume_server) {
next if ($key eq "extra");
$OUT .= qq{$key} . " = " . qq{$resume_server{$key}\n} if defined $resume_server{$key};
}
}
@ -44,11 +48,13 @@ client = {-$testname-}-client{-
[{-$testname-}-client]
{-
foreach my $key (sort keys %client) {
next if ($key eq "extra");
$OUT .= qq{$key} . " = " . qq{$client{$key}\n} if defined $client{$key};
}
if (%resume_client) {
$OUT .= "\n[$testname-resume-client]\n";
foreach my $key (sort keys %resume_client) {
next if ($key eq "extra");
$OUT .= qq{$key} . " = " . qq{$resume_client{$key}\n} if defined $resume_client{$key};
}
}
@ -58,4 +64,63 @@ client = {-$testname-}-client{-
foreach my $key (sort keys %test) {
$OUT .= qq{$key} ." = " . qq{$test{$key}\n} if defined $test{$key};
}
# The extra server/client configuration sections.
if ($server{"extra"}) {
$OUT .= "server = $testname-server-extra\n";
}
if (%server2 && $server2{"extra"}) {
$OUT .= "server2 = $testname-server2-extra\n";
} elsif ($reuse_server2 && $server{"extra"}) {
$OUT .= "server2 = $testname-server-extra\n";
}
if (%resume_server && $resume_server{"extra"}) {
$OUT .= "resume-server = $testname-resume-server-extra\n";
} elsif ($reuse_resume_server && $server{"extra"}) {
$OUT .= "resume-server = $testname-server-extra\n";
}
if ($client{"extra"}) {
$OUT .= "client = $testname-client-extra\n";
}
if (%resume_client && $resume_client{"extra"}) {
$OUT .= "resume-client = $testname-resume-client-extra\n";
} elsif ($reuse_resume_client && $client{"extra"}) {
$OUT .= "client = $testname-client-extra\n";
}
if ($server{"extra"}) {
$OUT .= "\n[$testname-server-extra]\n";
foreach my $key (sort keys $server{"extra"}) {
$OUT .= qq{$key} . " = " . qq{$server{"extra"}{$key}\n}
if defined $server{"extra"}{$key};
}
}
if (%server2 && $server2{"extra"}) {
$OUT .= "\n[$testname-server2-extra]\n";
foreach my $key (sort keys $server2{"extra"}) {
$OUT .= qq{$key} . " = " . qq{$server2{"extra"}{$key}\n}
if defined $server2{"extra"}{$key};
}
}
if (%resume_server && $resume_server{"extra"}) {
$OUT .= "\n[$testname-resume-server-extra]\n";
foreach my $key (sort keys $resume_server{"extra"}) {
$OUT .= qq{$key} . " = " . qq{$resume_server{"extra"}{$key}\n}
if defined $resume_server{"extra"}{$key};
}
}
if ($client{"extra"}) {
$OUT .= "\n[$testname-client-extra]\n";
foreach my $key (sort keys $client{"extra"}) {
$OUT .= qq{$key} . " = " . qq{$client{"extra"}{$key}\n}
if defined $client{"extra"}{$key};
}
}
if (%resume_client && $resume_client{"extra"}) {
$OUT .= "\n[$testname-resume-client-extra]\n";
foreach my $key (sort keys $resume_client{"extra"}) {
$OUT .= qq{$key} . " = " . qq{$resume_client{"extra"}{$key}\n}
if defined $resume_client{"extra"}{$key};
}
}
-}
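Review bot: The `elsif ($reuse_resume_client && $client{"extra"})` branch emits `client = $testname-client-extra`, not `resume-client = ...`. The parallel server branch emits `resume-server = $testname-server-extra`, so this looks like a copy-paste slip: when the resume client is reused, the generated test section gets a second `client =` line and no `resume-client` key at all. It should read `$OUT .= "resume-client = $testname-client-extra\n";`. Separately, every loop in this hunk calls `keys` on a hash reference (`sort keys $server{"extra"}` and the four siblings). That relies on the autoderef feature, which was experimental and was removed in Perl 5.24; please dereference explicitly, for example `sort keys %{$server{"extra"}}`, so the template does not depend on the Perl version of the build host. The five near-identical emit loops would also be easier to audit as one small helper that takes the section name and the hash reference.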

View file

@ -75,9 +75,9 @@ const char *ssl_test_result_name(ssl_test_result_t result)
return enum_name(ssl_test_results, OSSL_NELEM(ssl_test_results), result);
}
/******************************/
/* ClientAlert / ServerAlert. */
/******************************/
/**********************************************/
/* ExpectedClientAlert / ExpectedServerAlert. */
/**********************************************/
static const test_enum ssl_alerts[] = {
{"UnknownCA", SSL_AD_UNKNOWN_CA},
@ -94,12 +94,12 @@ __owur static int parse_alert(int *alert, const char *value)
__owur static int parse_client_alert(SSL_TEST_CTX *test_ctx, const char *value)
{
return parse_alert(&test_ctx->client_alert, value);
return parse_alert(&test_ctx->expected_client_alert, value);
}
__owur static int parse_server_alert(SSL_TEST_CTX *test_ctx, const char *value)
{
return parse_alert(&test_ctx->server_alert, value);
return parse_alert(&test_ctx->expected_server_alert, value);
}
const char *ssl_alert_name(int alert)
@ -107,9 +107,9 @@ const char *ssl_alert_name(int alert)
return enum_name(ssl_alerts, OSSL_NELEM(ssl_alerts), alert);
}
/************/
/* Protocol */
/************/
/********************/
/* ExpectedProtocol */
/********************/
static const test_enum ssl_protocols[] = {
{"TLSv1.2", TLS1_2_VERSION},
@ -123,7 +123,7 @@ static const test_enum ssl_protocols[] = {
__owur static int parse_protocol(SSL_TEST_CTX *test_ctx, const char *value)
{
return parse_enum(ssl_protocols, OSSL_NELEM(ssl_protocols),
&test_ctx->protocol, value);
&test_ctx->expected_protocol, value);
}
const char *ssl_protocol_name(int protocol)
@ -132,7 +132,7 @@ const char *ssl_protocol_name(int protocol)
}
/***********************/
/* CertVerifyCallback. */
/* VerifyCallback. */
/***********************/
static const test_enum ssl_verify_callbacks[] = {
@ -141,7 +141,7 @@ static const test_enum ssl_verify_callbacks[] = {
{"RejectAll", SSL_TEST_VERIFY_REJECT_ALL},
};
__owur static int parse_client_verify_callback(SSL_TEST_CTX *test_ctx,
__owur static int parse_client_verify_callback(SSL_TEST_CLIENT_CONF *client_conf,
const char *value)
{
int ret_value;
@ -149,7 +149,7 @@ __owur static int parse_client_verify_callback(SSL_TEST_CTX *test_ctx,
&ret_value, value)) {
return 0;
}
test_ctx->client_verify_callback = ret_value;
client_conf->verify_callback = ret_value;
return 1;
}
@ -170,7 +170,7 @@ static const test_enum ssl_servername[] = {
{"invalid", SSL_TEST_SERVERNAME_INVALID},
};
__owur static int parse_servername(SSL_TEST_CTX *test_ctx,
__owur static int parse_servername(SSL_TEST_CLIENT_CONF *client_conf,
const char *value)
{
int ret_value;
@ -178,7 +178,7 @@ __owur static int parse_servername(SSL_TEST_CTX *test_ctx,
&ret_value, value)) {
return 0;
}
test_ctx->servername = ret_value;
client_conf->servername = ret_value;
return 1;
}
@ -200,9 +200,9 @@ const char *ssl_servername_name(ssl_servername_t server)
server);
}
/***********************/
/* ServerNameCallback. */
/***********************/
/**********************/
/* ServerNameCallback */
/**********************/
static const test_enum ssl_servername_callbacks[] = {
{"None", SSL_TEST_SERVERNAME_CB_NONE},
@ -210,15 +210,15 @@ static const test_enum ssl_servername_callbacks[] = {
{"RejectMismatch", SSL_TEST_SERVERNAME_REJECT_MISMATCH},
};
__owur static int parse_servername_callback(SSL_TEST_CTX *test_ctx,
const char *value)
__owur static int parse_servername_callback(SSL_TEST_SERVER_CONF *server_conf,
const char *value)
{
int ret_value;
if (!parse_enum(ssl_servername_callbacks,
OSSL_NELEM(ssl_servername_callbacks), &ret_value, value)) {
return 0;
}
test_ctx->servername_callback = ret_value;
server_conf->servername_callback = ret_value;
return 1;
}
@ -236,7 +236,6 @@ static const test_enum ssl_session_ticket[] = {
{"Ignore", SSL_TEST_SESSION_TICKET_IGNORE},
{"Yes", SSL_TEST_SESSION_TICKET_YES},
{"No", SSL_TEST_SESSION_TICKET_NO},
{"Broken", SSL_TEST_SESSION_TICKET_BROKEN},
};
__owur static int parse_session_ticket(SSL_TEST_CTX *test_ctx, const char *value)
@ -258,7 +257,7 @@ const char *ssl_session_ticket_name(ssl_session_ticket_t server)
}
/***********************/
/* Method. */
/* Method */
/***********************/
static const test_enum ssl_test_methods[] = {
@ -282,12 +281,12 @@ const char *ssl_test_method_name(ssl_test_method_t method)
return enum_name(ssl_test_methods, OSSL_NELEM(ssl_test_methods), method);
}
#define IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(field) \
static int parse_##field(SSL_TEST_CTX *test_ctx, const char *value) \
#define IMPLEMENT_SSL_TEST_STRING_OPTION(struct_type, name, field) \
static int parse_##name##_##field(struct_type *ctx, const char *value) \
{ \
OPENSSL_free(test_ctx->field); \
test_ctx->field = OPENSSL_strdup(value); \
OPENSSL_assert(test_ctx->field != NULL); \
OPENSSL_free(ctx->field); \
ctx->field = OPENSSL_strdup(value); \
OPENSSL_assert(ctx->field != NULL); \
return 1; \
}
@ -295,14 +294,12 @@ const char *ssl_test_method_name(ssl_test_method_t method)
/* NPN and ALPN options */
/************************************/
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(client_npn_protocols)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(server_npn_protocols)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(server2_npn_protocols)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(expected_npn_protocol)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(client_alpn_protocols)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(server_alpn_protocols)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(server2_alpn_protocols)
IMPLEMENT_SSL_TEST_CTX_STRING_OPTION(expected_alpn_protocol)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, npn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, npn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_npn_protocol)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, alpn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, alpn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_alpn_protocol)
/***********************/
/* Handshake mode */
@ -344,18 +341,20 @@ static int parse_boolean(const char *value, int *result)
return 0;
}
#define IMPLEMENT_SSL_TEST_CTX_BOOL_OPTION(field) \
static int parse_##field(SSL_TEST_CTX *test_ctx, const char *value) \
#define IMPLEMENT_SSL_TEST_BOOL_OPTION(struct_type, name, field) \
static int parse_##name##_##field(struct_type *ctx, const char *value) \
{ \
return parse_boolean(value, &test_ctx->field); \
return parse_boolean(value, &ctx->field); \
}
IMPLEMENT_SSL_TEST_CTX_BOOL_OPTION(resumption_expected)
IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, resumption_expected)
IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, broken_session_ticket)
/*************************************************************/
/* Known test options and their corresponding parse methods. */
/*************************************************************/
/* Top-level options. */
typedef struct {
const char *name;
int (*parse)(SSL_TEST_CTX *test_ctx, const char *value);
@ -363,25 +362,42 @@ typedef struct {
static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "ExpectedResult", &parse_expected_result },
{ "ClientAlert", &parse_client_alert },
{ "ServerAlert", &parse_server_alert },
{ "Protocol", &parse_protocol },
{ "ClientVerifyCallback", &parse_client_verify_callback },
{ "ServerName", &parse_servername },
{ "ExpectedClientAlert", &parse_client_alert },
{ "ExpectedServerAlert", &parse_server_alert },
{ "ExpectedProtocol", &parse_protocol },
{ "ExpectedServerName", &parse_expected_servername },
{ "ServerNameCallback", &parse_servername_callback },
{ "SessionTicketExpected", &parse_session_ticket },
{ "Method", &parse_test_method },
{ "ClientNPNProtocols", &parse_client_npn_protocols },
{ "ServerNPNProtocols", &parse_server_npn_protocols },
{ "Server2NPNProtocols", &parse_server2_npn_protocols },
{ "ExpectedNPNProtocol", &parse_expected_npn_protocol },
{ "ClientALPNProtocols", &parse_client_alpn_protocols },
{ "ServerALPNProtocols", &parse_server_alpn_protocols },
{ "Server2ALPNProtocols", &parse_server2_alpn_protocols },
{ "ExpectedALPNProtocol", &parse_expected_alpn_protocol },
{ "ExpectedNPNProtocol", &parse_test_expected_npn_protocol },
{ "ExpectedALPNProtocol", &parse_test_expected_alpn_protocol },
{ "HandshakeMode", &parse_handshake_mode },
{ "ResumptionExpected", &parse_resumption_expected },
{ "ResumptionExpected", &parse_test_resumption_expected },
};
/* Nested client options. */
typedef struct {
const char *name;
int (*parse)(SSL_TEST_CLIENT_CONF *conf, const char *value);
} ssl_test_client_option;
static const ssl_test_client_option ssl_test_client_options[] = {
{ "VerifyCallback", &parse_client_verify_callback },
{ "ServerName", &parse_servername },
{ "NPNProtocols", &parse_client_npn_protocols },
{ "ALPNProtocols", &parse_client_alpn_protocols },
};
/* Nested server options. */
typedef struct {
const char *name;
int (*parse)(SSL_TEST_SERVER_CONF *conf, const char *value);
} ssl_test_server_option;
static const ssl_test_server_option ssl_test_server_options[] = {
{ "ServerNameCallback", &parse_servername_callback },
{ "NPNProtocols", &parse_server_npn_protocols },
{ "ALPNProtocols", &parse_server_alpn_protocols },
{ "BrokenSessionTicket", &parse_server_broken_session_ticket },
};
/*
@ -396,22 +412,96 @@ SSL_TEST_CTX *SSL_TEST_CTX_new()
return ret;
}
static void ssl_test_extra_conf_free_data(SSL_TEST_EXTRA_CONF *conf)
{
OPENSSL_free(conf->client.npn_protocols);
OPENSSL_free(conf->server.npn_protocols);
OPENSSL_free(conf->server2.npn_protocols);
OPENSSL_free(conf->client.alpn_protocols);
OPENSSL_free(conf->server.alpn_protocols);
OPENSSL_free(conf->server2.alpn_protocols);
}
static void ssl_test_ctx_free_extra_data(SSL_TEST_CTX *ctx)
{
ssl_test_extra_conf_free_data(&ctx->extra);
ssl_test_extra_conf_free_data(&ctx->resume_extra);
}
void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
{
#ifndef OPENSSL_NO_NEXTPROTONEG
OPENSSL_free(ctx->client_npn_protocols);
OPENSSL_free(ctx->server_npn_protocols);
OPENSSL_free(ctx->server2_npn_protocols);
OPENSSL_free(ctx->client_alpn_protocols);
OPENSSL_free(ctx->server_alpn_protocols);
OPENSSL_free(ctx->server2_alpn_protocols);
ssl_test_ctx_free_extra_data(ctx);
OPENSSL_free(ctx->expected_npn_protocol);
OPENSSL_free(ctx->expected_alpn_protocol);
#endif
OPENSSL_free(ctx);
}
static int parse_client_options(SSL_TEST_CLIENT_CONF *client, const CONF *conf,
const char *client_section)
{
STACK_OF(CONF_VALUE) *sk_conf;
int i;
size_t j;
sk_conf = NCONF_get_section(conf, client_section);
OPENSSL_assert(sk_conf != NULL);
for (i = 0; i < sk_CONF_VALUE_num(sk_conf); i++) {
int found = 0;
const CONF_VALUE *option = sk_CONF_VALUE_value(sk_conf, i);
for (j = 0; j < OSSL_NELEM(ssl_test_client_options); j++) {
if (strcmp(option->name, ssl_test_client_options[j].name) == 0) {
if (!ssl_test_client_options[j].parse(client, option->value)) {
fprintf(stderr, "Bad value %s for option %s\n",
option->value, option->name);
return 0;
}
found = 1;
break;
}
}
if (!found) {
fprintf(stderr, "Unknown test option: %s\n", option->name);
return 0;
}
}
return 1;
}
static int parse_server_options(SSL_TEST_SERVER_CONF *server, const CONF *conf,
const char *server_section)
{
STACK_OF(CONF_VALUE) *sk_conf;
int i;
size_t j;
sk_conf = NCONF_get_section(conf, server_section);
OPENSSL_assert(sk_conf != NULL);
for (i = 0; i < sk_CONF_VALUE_num(sk_conf); i++) {
int found = 0;
const CONF_VALUE *option = sk_CONF_VALUE_value(sk_conf, i);
for (j = 0; j < OSSL_NELEM(ssl_test_server_options); j++) {
if (strcmp(option->name, ssl_test_server_options[j].name) == 0) {
if (!ssl_test_server_options[j].parse(server, option->value)) {
fprintf(stderr, "Bad value %s for option %s\n",
option->value, option->name);
return 0;
}
found = 1;
break;
}
}
if (!found) {
fprintf(stderr, "Unknown test option: %s\n", option->name);
return 0;
}
}
return 1;
}
SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section)
{
STACK_OF(CONF_VALUE) *sk_conf;
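Review bot: parse_client_options and parse_server_options both run OPENSSL_assert(sk_conf != NULL) on the NCONF_get_section result, so a test file whose client = or server = value names a section that does not exist aborts the process instead of failing cleanly like every other bad input in these functions. Suggest returning 0 with a diagnostic, for example: if (sk_conf == NULL) { fprintf(stderr, "Missing section %s\n", client_section); return 0; }. The two functions are also identical apart from the option table and the conf type, so a shared helper would keep them from drifting apart.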
@ -428,20 +518,49 @@ SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section)
for (i = 0; i < sk_CONF_VALUE_num(sk_conf); i++) {
int found = 0;
const CONF_VALUE *option = sk_CONF_VALUE_value(sk_conf, i);
for (j = 0; j < OSSL_NELEM(ssl_test_ctx_options); j++) {
if (strcmp(option->name, ssl_test_ctx_options[j].name) == 0) {
if (!ssl_test_ctx_options[j].parse(ctx, option->value)) {
fprintf(stderr, "Bad value %s for option %s\n",
option->value, option->name);
goto err;
/* Subsections */
if (strcmp(option->name, "client") == 0) {
if (!parse_client_options(&ctx->extra.client, conf,
option->value))
goto err;
} else if (strcmp(option->name, "server") == 0) {
if (!parse_server_options(&ctx->extra.server, conf,
option->value))
goto err;
} else if (strcmp(option->name, "server2") == 0) {
if (!parse_server_options(&ctx->extra.server2, conf,
option->value))
goto err;
} else if (strcmp(option->name, "resume-client") == 0) {
if (!parse_client_options(&ctx->resume_extra.client, conf,
option->value))
goto err;
} else if (strcmp(option->name, "resume-server") == 0) {
if (!parse_server_options(&ctx->resume_extra.server, conf,
option->value))
goto err;
} else if (strcmp(option->name, "resume-server2") == 0) {
if (!parse_server_options(&ctx->resume_extra.server2, conf,
option->value))
goto err;
} else {
for (j = 0; j < OSSL_NELEM(ssl_test_ctx_options); j++) {
if (strcmp(option->name, ssl_test_ctx_options[j].name) == 0) {
if (!ssl_test_ctx_options[j].parse(ctx, option->value)) {
fprintf(stderr, "Bad value %s for option %s\n",
option->value, option->name);
goto err;
}
found = 1;
break;
}
found = 1;
break;
}
}
if (!found) {
fprintf(stderr, "Unknown test option: %s\n", option->name);
goto err;
if (!found) {
fprintf(stderr, "Unknown test option: %s\n", option->name);
goto err;
}
}
}
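Review bot: in the new subsection chain in SSL_TEST_CTX_create, a failed parse_client_options or parse_server_options call goes straight to err without reporting which subsection was being read. The nested parsers print only "Unknown test option: %s" or "Bad value %s for option %s", and NPNProtocols and ALPNProtocols are valid in all six subsections, so the message does not locate the error. Suggest printing option->name and option->value (the subsection key and the section it points to) before goto err. The six branches differ only in the key string and the target member, so a small lookup table in the style of ssl_test_ctx_options would also be easier to extend than the if/else chain.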

View file

@ -60,23 +60,67 @@ typedef enum {
SSL_TEST_HANDSHAKE_RENEGOTIATE
} ssl_handshake_mode_t;
typedef struct ssl_test_ctx {
/* Test expectations. */
/*
* Server/client settings that aren't supported by the SSL CONF library,
* such as callbacks.
*/
typedef struct {
/* One of a number of predefined custom callbacks. */
ssl_verify_callback_t verify_callback;
/* One of a number of predefined server names use by the client */
ssl_servername_t servername;
/* Supported NPN and ALPN protocols. A comma-separated list. */
char *npn_protocols;
char *alpn_protocols;
} SSL_TEST_CLIENT_CONF;
typedef struct {
/* SNI callback (server-side). */
ssl_servername_callback_t servername_callback;
/* Supported NPN and ALPN protocols. A comma-separated list. */
char *npn_protocols;
char *alpn_protocols;
/* Whether to set a broken session ticket callback. */
int broken_session_ticket;
} SSL_TEST_SERVER_CONF;
typedef struct {
SSL_TEST_CLIENT_CONF client;
SSL_TEST_SERVER_CONF server;
SSL_TEST_SERVER_CONF server2;
} SSL_TEST_EXTRA_CONF;
typedef struct {
/*
* Global test configuration. Does not change between handshakes.
*/
/* Whether the server/client CTX should use DTLS or TLS. */
ssl_test_method_t method;
/* Whether to test a resumed/renegotiated handshake. */
ssl_handshake_mode_t handshake_mode;
/*
* Extra server/client configurations. Per-handshake.
*/
/* First handshake. */
SSL_TEST_EXTRA_CONF extra;
/* Resumed handshake. */
SSL_TEST_EXTRA_CONF resume_extra;
/*
* Test expectations. These apply to the LAST handshake.
*/
/* Defaults to SUCCESS. */
ssl_test_result_t expected_result;
/* Alerts. 0 if no expectation. */
/* See ssl.h for alert codes. */
/* Alert sent by the client / received by the server. */
int client_alert;
int expected_client_alert;
/* Alert sent by the server / received by the client. */
int server_alert;
int expected_server_alert;
/* Negotiated protocol version. 0 if no expectation. */
/* See ssl.h for protocol versions. */
int protocol;
/* One of a number of predefined custom callbacks. */
ssl_verify_callback_t client_verify_callback;
/* One of a number of predefined server names use by the client */
ssl_servername_t servername;
int expected_protocol;
/*
* The expected SNI context to use.
* We test server-side that the server switched to the expected context.
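Review bot: the new SSL_TEST_CLIENT_CONF and SSL_TEST_SERVER_CONF comments do not say who owns npn_protocols and alpn_protocols. ssl_test_extra_conf_free_data calls OPENSSL_free on all of them, so the fields must be heap-allocated or NULL. Please state that next to "A comma-separated list." so fixtures do not assign string literals. While the comment is being moved, "predefined server names use by the client" should read "used by the client".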
@ -88,26 +132,10 @@ typedef struct ssl_test_ctx {
* client-side via the API that this was the case.
*/
ssl_servername_t expected_servername;
ssl_servername_callback_t servername_callback;
ssl_session_ticket_t session_ticket_expected;
/* Whether the server/client CTX should use DTLS or TLS. */
ssl_test_method_t method;
/*
* NPN and ALPN protocols supported by the client, server, and second
* (SNI) server. A comma-separated list.
*/
char *client_npn_protocols;
char *server_npn_protocols;
char *server2_npn_protocols;
/* The expected NPN/ALPN protocol to negotiate. */
char *expected_npn_protocol;
char *client_alpn_protocols;
char *server_alpn_protocols;
char *server2_alpn_protocols;
char *expected_alpn_protocol;
/* Whether to test a resumed/renegotiated handshake. */
ssl_handshake_mode_t handshake_mode;
/* Whether the second handshake is resumed or a full handshake (boolean). */
int resumption_expected;
} SSL_TEST_CTX;
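Review bot: session_ticket_expected and resumption_expected keep the suffix form while every other expectation in this struct now uses the expected_ prefix (expected_result, expected_client_alert, expected_protocol, expected_servername). Since the commit's stated goal is to rename test expectations to say "Expected", consider renaming these two fields, and the matching SessionTicketExpected and ResumptionExpected conf keys, in the same change or noting in the commit message that they are left for a follow-up.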
@ -125,7 +153,7 @@ const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode);
/*
* Load the test case context from |conf|.
* See test/README.ssl_test for details on the conf file format.
* See test/README.ssltest.md for details on the conf file format.
*/
SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section);

View file

@ -32,43 +32,109 @@ typedef struct ssl_test_ctx_test_fixture {
SSL_TEST_CTX *expected_ctx;
} SSL_TEST_CTX_TEST_FIXTURE;
static int SSL_TEST_CLIENT_CONF_equal(SSL_TEST_CLIENT_CONF *client,
SSL_TEST_CLIENT_CONF *client2)
{
if (client->verify_callback != client2->verify_callback) {
fprintf(stderr, "ClientVerifyCallback mismatch: %s vs %s.\n",
ssl_verify_callback_name(client->verify_callback),
ssl_verify_callback_name(client2->verify_callback));
return 0;
}
if (client->servername != client2->servername) {
fprintf(stderr, "ServerName mismatch: %s vs %s.\n",
ssl_servername_name(client->servername),
ssl_servername_name(client2->servername));
return 0;
}
if (!strings_equal("Client NPNProtocols", client->npn_protocols,
client2->npn_protocols))
return 0;
if (!strings_equal("Client ALPNProtocols", client->alpn_protocols,
client2->alpn_protocols))
return 0;
return 1;
}
static int SSL_TEST_SERVER_CONF_equal(SSL_TEST_SERVER_CONF *server,
SSL_TEST_SERVER_CONF *server2)
{
if (server->servername_callback != server2->servername_callback) {
fprintf(stderr, "ServerNameCallback mismatch: %s vs %s.\n",
ssl_servername_callback_name(server->servername_callback),
ssl_servername_callback_name(server2->servername_callback));
return 0;
}
if (!strings_equal("Server NPNProtocols", server->npn_protocols,
server2->npn_protocols))
return 0;
if (!strings_equal("Server ALPNProtocols", server->alpn_protocols,
server2->alpn_protocols))
return 0;
if (server->broken_session_ticket != server2->broken_session_ticket) {
fprintf(stderr, "Broken session ticket mismatch: %d vs %d.\n",
server->broken_session_ticket, server2->broken_session_ticket);
return 0;
}
return 1;
}
static int SSL_TEST_EXTRA_CONF_equal(SSL_TEST_EXTRA_CONF *extra,
SSL_TEST_EXTRA_CONF *extra2)
{
return SSL_TEST_CLIENT_CONF_equal(&extra->client, &extra2->client)
&& SSL_TEST_SERVER_CONF_equal(&extra->server, &extra2->server)
&& SSL_TEST_SERVER_CONF_equal(&extra->server2, &extra2->server2);
}
/* Returns 1 if the contexts are equal, 0 otherwise. */
static int SSL_TEST_CTX_equal(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2)
{
if (ctx->method != ctx2->method) {
fprintf(stderr, "Method mismatch: %s vs %s.\n",
ssl_test_method_name(ctx->method),
ssl_test_method_name(ctx2->method));
return 0;
}
if (ctx->handshake_mode != ctx2->handshake_mode) {
fprintf(stderr, "HandshakeMode mismatch: %s vs %s.\n",
ssl_handshake_mode_name(ctx->handshake_mode),
ssl_handshake_mode_name(ctx2->handshake_mode));
return 0;
}
if (!SSL_TEST_EXTRA_CONF_equal(&ctx->extra, &ctx2->extra)) {
fprintf(stderr, "Extra conf mismatch.\n");
return 0;
}
if (!SSL_TEST_EXTRA_CONF_equal(&ctx->resume_extra, &ctx2->resume_extra)) {
fprintf(stderr, "Resume extra conf mismatch.\n");
return 0;
}
if (ctx->expected_result != ctx2->expected_result) {
fprintf(stderr, "ExpectedResult mismatch: %s vs %s.\n",
ssl_test_result_name(ctx->expected_result),
ssl_test_result_name(ctx2->expected_result));
return 0;
}
if (ctx->client_alert != ctx2->client_alert) {
if (ctx->expected_client_alert != ctx2->expected_client_alert) {
fprintf(stderr, "ClientAlert mismatch: %s vs %s.\n",
ssl_alert_name(ctx->client_alert),
ssl_alert_name(ctx2->client_alert));
ssl_alert_name(ctx->expected_client_alert),
ssl_alert_name(ctx2->expected_client_alert));
return 0;
}
if (ctx->server_alert != ctx2->server_alert) {
if (ctx->expected_server_alert != ctx2->expected_server_alert) {
fprintf(stderr, "ServerAlert mismatch: %s vs %s.\n",
ssl_alert_name(ctx->server_alert),
ssl_alert_name(ctx2->server_alert));
ssl_alert_name(ctx->expected_server_alert),
ssl_alert_name(ctx2->expected_server_alert));
return 0;
}
if (ctx->protocol != ctx2->protocol) {
if (ctx->expected_protocol != ctx2->expected_protocol) {
fprintf(stderr, "ClientAlert mismatch: %s vs %s.\n",
ssl_protocol_name(ctx->protocol),
ssl_protocol_name(ctx2->protocol));
return 0;
}
if (ctx->client_verify_callback != ctx2->client_verify_callback) {
fprintf(stderr, "ClientVerifyCallback mismatch: %s vs %s.\n",
ssl_verify_callback_name(ctx->client_verify_callback),
ssl_verify_callback_name(ctx2->client_verify_callback));
return 0;
}
if (ctx->servername != ctx2->servername) {
fprintf(stderr, "ServerName mismatch: %s vs %s.\n",
ssl_servername_name(ctx->servername),
ssl_servername_name(ctx2->servername));
ssl_protocol_name(ctx->expected_protocol),
ssl_protocol_name(ctx2->expected_protocol));
return 0;
}
if (ctx->expected_servername != ctx2->expected_servername) {
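Review bot: the expected_protocol comparison in SSL_TEST_CTX_equal still prints "ClientAlert mismatch: %s vs %s.", which is a copy-paste leftover and will misdirect anyone reading a failure. It should name the option being compared, ExpectedProtocol. The two alert messages have the same drift: the fields are now expected_client_alert and expected_server_alert and the conf keys are ExpectedClientAlert and ExpectedServerAlert, but the messages still say "ClientAlert" and "ServerAlert".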
@ -77,57 +143,18 @@ static int SSL_TEST_CTX_equal(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2)
ssl_servername_name(ctx2->expected_servername));
return 0;
}
if (ctx->servername_callback != ctx2->servername_callback) {
fprintf(stderr, "ServerNameCallback mismatch: %s vs %s.\n",
ssl_servername_callback_name(ctx->servername_callback),
ssl_servername_callback_name(ctx2->servername_callback));
return 0;
}
if (ctx->session_ticket_expected != ctx2->session_ticket_expected) {
fprintf(stderr, "SessionTicketExpected mismatch: %s vs %s.\n",
ssl_session_ticket_name(ctx->session_ticket_expected),
ssl_session_ticket_name(ctx2->session_ticket_expected));
return 0;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
if (!strings_equal("ClientNPNProtocols", ctx->client_npn_protocols,
ctx2->client_npn_protocols))
return 0;
if (ctx->method != ctx2->method) {
fprintf(stderr, "Method mismatch: %s vs %s.\n",
ssl_test_method_name(ctx->method),
ssl_test_method_name(ctx2->method));
return 0;
}
if (!strings_equal("ServerNPNProtocols", ctx->server_npn_protocols,
ctx2->server_npn_protocols))
return 0;
if (!strings_equal("Server2NPNProtocols", ctx->server_npn_protocols,
ctx2->server_npn_protocols))
return 0;
if (!strings_equal("ExpectedNPNProtocol", ctx->expected_npn_protocol,
ctx2->expected_npn_protocol))
return 0;
if (!strings_equal("ClientALPNProtocols", ctx->client_alpn_protocols,
ctx2->client_alpn_protocols))
return 0;
if (!strings_equal("ServerALPNProtocols", ctx->server_alpn_protocols,
ctx2->server_alpn_protocols))
return 0;
if (!strings_equal("Server2ALPNProtocols", ctx->server_alpn_protocols,
ctx2->server_alpn_protocols))
return 0;
if (!strings_equal("ExpectedALPNProtocol", ctx->expected_alpn_protocol,
ctx2->expected_alpn_protocol))
return 0;
#endif
if (ctx->handshake_mode != ctx2->handshake_mode) {
fprintf(stderr, "HandshakeMode mismatch: %s vs %s.\n",
ssl_handshake_mode_name(ctx->handshake_mode),
ssl_handshake_mode_name(ctx2->handshake_mode));
return 0;
}
if (ctx->resumption_expected != ctx2->resumption_expected) {
fprintf(stderr, "ResumptionExpected mismatch: %d vs %d.\n",
ctx->resumption_expected, ctx2->resumption_expected);
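Review bot: the comparisons labelled "Server2NPNProtocols" and "Server2ALPNProtocols" in this hunk read ctx->server_npn_protocols and ctx->server_alpn_protocols rather than the server2 fields, so the second server's lists were never actually compared. SSL_TEST_EXTRA_CONF_equal now passes &extra->server2 to SSL_TEST_SERVER_CONF_equal, which closes that gap. That is a behaviour change in a commit described as straightforward, so it deserves a line in the commit message, and a fixture whose only difference is a server2 protocol list would pin it down.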
@ -205,25 +232,33 @@ static int test_good_configuration()
{
SETUP_SSL_TEST_CTX_TEST_FIXTURE();
fixture.test_section = "ssltest_good";
fixture.expected_ctx->expected_result = SSL_TEST_SERVER_FAIL;
fixture.expected_ctx->client_alert = SSL_AD_UNKNOWN_CA;
fixture.expected_ctx->server_alert = 0; /* No alert. */
fixture.expected_ctx->protocol = TLS1_1_VERSION;
fixture.expected_ctx->client_verify_callback = SSL_TEST_VERIFY_REJECT_ALL;
fixture.expected_ctx->servername = SSL_TEST_SERVERNAME_SERVER2;
fixture.expected_ctx->expected_servername = SSL_TEST_SERVERNAME_SERVER2;
fixture.expected_ctx->servername_callback =
SSL_TEST_SERVERNAME_IGNORE_MISMATCH;
fixture.expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
fixture.expected_ctx->method = SSL_TEST_METHOD_DTLS;
#ifndef OPENSSL_NO_NEXTPROTONEG
fixture.expected_ctx->client_npn_protocols = OPENSSL_strdup("foo,bar");
fixture.expected_ctx->server2_alpn_protocols = OPENSSL_strdup("baz");
OPENSSL_assert(fixture.expected_ctx->client_npn_protocols != NULL);
OPENSSL_assert(fixture.expected_ctx->server2_alpn_protocols != NULL);
#endif
fixture.expected_ctx->handshake_mode = SSL_TEST_HANDSHAKE_RESUME;
fixture.expected_ctx->expected_result = SSL_TEST_SERVER_FAIL;
fixture.expected_ctx->expected_client_alert = SSL_AD_UNKNOWN_CA;
fixture.expected_ctx->expected_server_alert = 0; /* No alert. */
fixture.expected_ctx->expected_protocol = TLS1_1_VERSION;
fixture.expected_ctx->expected_servername = SSL_TEST_SERVERNAME_SERVER2;
fixture.expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
fixture.expected_ctx->resumption_expected = 1;
fixture.expected_ctx->extra.client.verify_callback =
SSL_TEST_VERIFY_REJECT_ALL;
fixture.expected_ctx->extra.client.servername = SSL_TEST_SERVERNAME_SERVER2;
fixture.expected_ctx->extra.client.npn_protocols =
OPENSSL_strdup("foo,bar");
OPENSSL_assert(fixture.expected_ctx->extra.client.npn_protocols != NULL);
fixture.expected_ctx->extra.server.servername_callback =
SSL_TEST_SERVERNAME_IGNORE_MISMATCH;
fixture.expected_ctx->extra.server.broken_session_ticket = 1;
fixture.expected_ctx->resume_extra.server2.alpn_protocols =
OPENSSL_strdup("baz");
OPENSSL_assert(
fixture.expected_ctx->resume_extra.server2.alpn_protocols != NULL);
EXECUTE_SSL_TEST_CTX_TEST();
}
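Review bot: test_good_configuration populates only extra.client, extra.server and resume_extra.server2, so three of the six subsection keys handled in SSL_TEST_CTX_create (server2, resume-client, resume-server) are never parsed by this test. A swapped target in one of those branches, for example resume-server writing into extra.server, would pass unnoticed. Suggest setting a distinct value in each of the six subsections, or adding a second fixture that covers the remaining three.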

View file

@ -1,19 +1,31 @@
[ssltest_default]
[ssltest_good]
ExpectedResult = ServerFail
ClientAlert = UnknownCA
Protocol = TLSv1.1
ClientVerifyCallback = RejectAll
ServerName = server2
ExpectedServerName = server2
ServerNameCallback = IgnoreMismatch
SessionTicketExpected = Yes
client = ssltest_good_client_extra
server = ssltest_good_server_extra
resume-server2 = ssltest_good_resume_server2_extra
Method = DTLS
ClientNPNProtocols = foo,bar
Server2ALPNProtocols = baz
HandshakeMode = Resume
ResumptionExpected = yes
ExpectedResult = ServerFail
ExpectedClientAlert = UnknownCA
ExpectedProtocol = TLSv1.1
ExpectedServerName = server2
SessionTicketExpected = Yes
ResumptionExpected = Yes
[ssltest_good_client_extra]
VerifyCallback = RejectAll
ServerName = server2
NPNProtocols = foo,bar
[ssltest_good_server_extra]
ServerNameCallback = IgnoreMismatch
BrokenSessionTicket = Yes
[ssltest_good_resume_server2_extra]
ALPNProtocols = baz
[ssltest_unknown_option]
UnknownOption = Foo