diff options
| author | Emilia Kasper <emilia@openssl.org> | 2016-07-04 20:16:14 +0200 |
|---|---|---|
| committer | Emilia Kasper <emilia@openssl.org> | 2016-07-19 14:17:48 +0200 |
| commit | ce2cdac2787da32bcde210c7d6acdcbe41b1cd40 (patch) | |
| tree | aa513a318f435fd51c82df0f83aa09219d55e1cc | |
| parent | 02f730b34706150f8f40715d647cce3be5baf2ab (diff) | |
SSL test framework: port NPN and ALPN tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
| -rw-r--r-- | doc/ssl/SSL_CTX_set_alpn_select_cb.pod | 3 | ||||
| -rw-r--r-- | ssl/ssl_stat.c | 2 | ||||
| -rw-r--r-- | test/README.ssltest.md | 5 | ||||
| -rw-r--r-- | test/handshake_helper.c | 279 | ||||
| -rw-r--r-- | test/handshake_helper.h | 11 | ||||
| -rw-r--r-- | test/recipes/80-test_ssl_new.t | 4 | ||||
| -rw-r--r-- | test/recipes/80-test_ssl_old.t | 54 | ||||
| -rw-r--r-- | test/ssl-tests/08-npn.conf | 362 | ||||
| -rw-r--r-- | test/ssl-tests/08-npn.conf.in | 165 | ||||
| -rw-r--r-- | test/ssl-tests/09-alpn.conf | 298 | ||||
| -rw-r--r-- | test/ssl-tests/09-alpn.conf.in | 136 | ||||
| -rw-r--r-- | test/ssl_test.c | 89 | ||||
| -rw-r--r-- | test/ssl_test_ctx.c | 43 | ||||
| -rw-r--r-- | test/ssl_test_ctx.h | 12 | ||||
| -rw-r--r-- | test/ssl_test_ctx_test.c | 30 | ||||
| -rw-r--r-- | test/ssl_test_ctx_test.conf | 2 | ||||
| -rw-r--r-- | test/testutil.c | 18 | ||||
| -rw-r--r-- | test/testutil.h | 9 |
18 files changed, 1403 insertions, 119 deletions
diff --git a/doc/ssl/SSL_CTX_set_alpn_select_cb.pod b/doc/ssl/SSL_CTX_set_alpn_select_cb.pod index 4859b3c15f..59acbad545 100644 --- a/doc/ssl/SSL_CTX_set_alpn_select_cb.pod +++ b/doc/ssl/SSL_CTX_set_alpn_select_cb.pod @@ -44,7 +44,8 @@ the application callback. B<cb> is the application defined callback. The B<in>, B<inlen> parameters are a vector in protocol-list format. The value of the B<out>, B<outlen> vector should be set to the value of a single protocol selected from the B<in>, -B<inlen> vector. The B<arg> parameter is the pointer set via +B<inlen> vector. The B<out> buffer may point directly into B<in>, or to a +buffer that outlives the handshake. The B<arg> parameter is the pointer set via SSL_CTX_set_alpn_select_cb(). SSL_select_next_proto() is a helper function used to select protocols. It diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 1928bd2505..230eadf776 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -335,6 +335,8 @@ const char *SSL_alert_desc_string_long(int value) return "bad certificate hash value"; case TLS1_AD_UNKNOWN_PSK_IDENTITY: return "unknown PSK identity"; + case TLS1_AD_NO_APPLICATION_PROTOCOL: + return "no application protocol"; default: return "unknown"; } diff --git a/test/README.ssltest.md b/test/README.ssltest.md index ea90efcfdc..9d828b5146 100644 --- a/test/README.ssltest.md +++ b/test/README.ssltest.md @@ -84,6 +84,11 @@ The test section supports the following options: - No - a session ticket is not expected - Broken - a special test case where the session ticket callback does not initialize crypto +* ServerNPNProtocols, Server2NPNProtocols, ClientNPNProtocols, ExpectedNPNProtocol, + ServerALPNProtocols, Server2ALPNProtocols, ClientALPNProtocols, ExpectedALPNProtocol - + NPN and ALPN settings. Server and client protocols can be specified as a comma-separated list, + and a callback with the recommended behaviour will be installed automatically. + ## Configuring the client and server The client and server configurations can be any valid `SSL_CTX` diff --git a/test/handshake_helper.c b/test/handshake_helper.c index 8a8dab02bb..77852ad586 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -15,6 +15,23 @@ #include "handshake_helper.h" +HANDSHAKE_RESULT *HANDSHAKE_RESULT_new() +{ + HANDSHAKE_RESULT *ret; + ret = OPENSSL_zalloc(sizeof(*ret)); + OPENSSL_assert(ret != NULL); + return ret; +} + +void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result) +{ + OPENSSL_free(result->client_npn_negotiated); + OPENSSL_free(result->server_npn_negotiated); + OPENSSL_free(result->client_alpn_negotiated); + OPENSSL_free(result->server_alpn_negotiated); + OPENSSL_free(result); +} + /* * Since there appears to be no way to extract the sent/received alert * from the SSL object directly, we use the info callback and stash @@ -27,6 +44,22 @@ typedef struct handshake_ex_data { ssl_servername_t servername; } HANDSHAKE_EX_DATA; +typedef struct ctx_data { + unsigned char *npn_protocols; + size_t npn_protocols_len; + unsigned char *alpn_protocols; + size_t alpn_protocols_len; +} CTX_DATA; + +/* |ctx_data| itself is stack-allocated. */ +static void ctx_data_free_data(CTX_DATA *ctx_data) +{ + OPENSSL_free(ctx_data->npn_protocols); + ctx_data->npn_protocols = NULL; + OPENSSL_free(ctx_data->alpn_protocols); + ctx_data->alpn_protocols = NULL; +} + static int ex_data_idx; static void info_cb(const SSL *s, int where, int ret) @@ -42,8 +75,7 @@ static void info_cb(const SSL *s, int where, int ret) } } -/* - * Select the appropriate server CTX. +/* Select the appropriate server CTX. * Returns SSL_TLSEXT_ERR_OK if a match was found. * If |ignore| is 1, returns SSL_TLSEXT_ERR_NOACK on mismatch. * Otherwise, returns SSL_TLSEXT_ERR_ALERT_FATAL on mismatch. @@ -115,13 +147,13 @@ static int verify_accept_cb(X509_STORE_CTX *ctx, void *arg) { return 1; } -static int broken_session_ticket_cb(SSL* s, unsigned char* key_name, unsigned char *iv, +static int broken_session_ticket_cb(SSL *s, unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) { return 0; } -static int do_not_call_session_ticket_cb(SSL* s, unsigned char* key_name, +static int do_not_call_session_ticket_cb(SSL *s, unsigned char *key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) @@ -132,13 +164,114 @@ static int do_not_call_session_ticket_cb(SSL* s, unsigned char* key_name, return 0; } +/* Parse the comma-separated list into TLS format. */ +static void parse_protos(const char *protos, unsigned char **out, size_t *outlen) +{ + size_t len, i, prefix; + + len = strlen(protos); + + /* Should never have reuse. */ + OPENSSL_assert(*out == NULL); + + /* Test values are small, so we omit length limit checks. */ + *out = OPENSSL_malloc(len + 1); + OPENSSL_assert(*out != NULL); + *outlen = len + 1; + + /* + * foo => '3', 'f', 'o', 'o' + * foo,bar => '3', 'f', 'o', 'o', '3', 'b', 'a', 'r' + */ + memcpy(*out + 1, protos, len); + + prefix = 0; + i = prefix + 1; + while (i <= len) { + if ((*out)[i] == ',') { + OPENSSL_assert(i - 1 - prefix > 0); + (*out)[prefix] = i - 1 - prefix; + prefix = i; + } + i++; + } + OPENSSL_assert(len - prefix > 0); + (*out)[prefix] = len - prefix; +} + +/* + * The client SHOULD select the first protocol advertised by the server that it + * also supports. In the event that the client doesn't support any of server's + * protocols, or the server doesn't advertise any, it SHOULD select the first + * protocol that it supports. + */ +static int client_npn_cb(SSL *s, unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, + void *arg) +{ + CTX_DATA *ctx_data = (CTX_DATA*)(arg); + int ret; + + ret = SSL_select_next_proto(out, outlen, in, inlen, + ctx_data->npn_protocols, + ctx_data->npn_protocols_len); + /* Accept both OPENSSL_NPN_NEGOTIATED and OPENSSL_NPN_NO_OVERLAP. */ + OPENSSL_assert(ret == OPENSSL_NPN_NEGOTIATED + || ret == OPENSSL_NPN_NO_OVERLAP); + return SSL_TLSEXT_ERR_OK; +} + +static int server_npn_cb(SSL *s, const unsigned char **data, + unsigned int *len, void *arg) +{ + CTX_DATA *ctx_data = (CTX_DATA*)(arg); + *data = ctx_data->npn_protocols; + *len = ctx_data->npn_protocols_len; + return SSL_TLSEXT_ERR_OK; +} + +/* + * The server SHOULD select the most highly preferred protocol that it supports + * and that is also advertised by the client. In the event that the server + * supports no protocols that the client advertises, then the server SHALL + * respond with a fatal "no_application_protocol" alert. + */ +static int server_alpn_cb(SSL *s, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, + unsigned int inlen, void *arg) +{ + CTX_DATA *ctx_data = (CTX_DATA*)(arg); + int ret; + + /* SSL_select_next_proto isn't const-correct... */ + unsigned char *tmp_out; + + /* + * The result points either to |in| or to |ctx_data->alpn_protocols|. + * The callback is allowed to point to |in| or to a long-lived buffer, + * so we can return directly without storing a copy. + */ + ret = SSL_select_next_proto(&tmp_out, outlen, + ctx_data->alpn_protocols, + ctx_data->alpn_protocols_len, in, inlen); + + *out = tmp_out; + /* Unlike NPN, we don't tolerate a mismatch. */ + return ret == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK + : SSL_TLSEXT_ERR_NOACK; +} + + /* * Configure callbacks and other properties that can't be set directly * in the server/client CONF. */ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx, - const SSL_TEST_CTX *test_ctx) + const SSL_TEST_CTX *test_ctx, + CTX_DATA *server_ctx_data, + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data) { switch (test_ctx->client_verify_callback) { case SSL_TEST_VERIFY_ACCEPT_ALL: @@ -179,12 +312,55 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN) { SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb); } + + if (test_ctx->server_npn_protocols != NULL) { + parse_protos(test_ctx->server_npn_protocols, + &server_ctx_data->npn_protocols, + &server_ctx_data->npn_protocols_len); + SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb, + server_ctx_data); + } + if (test_ctx->server2_npn_protocols != NULL) { + parse_protos(test_ctx->server2_npn_protocols, + &server2_ctx_data->npn_protocols, + &server2_ctx_data->npn_protocols_len); + OPENSSL_assert(server2_ctx != NULL); + SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb, + server2_ctx_data); + } + if (test_ctx->client_npn_protocols != NULL) { + parse_protos(test_ctx->client_npn_protocols, + &client_ctx_data->npn_protocols, + &client_ctx_data->npn_protocols_len); + SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb, + client_ctx_data); + } + if (test_ctx->server_alpn_protocols != NULL) { + parse_protos(test_ctx->server_alpn_protocols, + &server_ctx_data->alpn_protocols, + &server_ctx_data->alpn_protocols_len); + SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data); + } + if (test_ctx->server2_alpn_protocols != NULL) { + OPENSSL_assert(server2_ctx != NULL); + parse_protos(test_ctx->server2_alpn_protocols, + &server2_ctx_data->alpn_protocols, + &server2_ctx_data->alpn_protocols_len); + SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, server2_ctx_data); + } + if (test_ctx->client_alpn_protocols != NULL) { + unsigned char *alpn_protos = NULL; + size_t alpn_protos_len; + parse_protos(test_ctx->client_alpn_protocols, + &alpn_protos, &alpn_protos_len); + /* Reversed return value convention... */ + OPENSSL_assert(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos, + alpn_protos_len) == 0); + OPENSSL_free(alpn_protos); + } } -/* - * Configure callbacks and other properties that can't be set directly - * in the server/client CONF. - */ +/* Configure per-SSL callbacks and other properties. */ static void configure_handshake_ssl(SSL *server, SSL *client, const SSL_TEST_CTX *test_ctx) { @@ -293,21 +469,45 @@ static handshake_status_t handshake_status(peer_status_t last_status, return INTERNAL_ERROR; } -HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, - SSL_CTX *client_ctx, const SSL_TEST_CTX *test_ctx) +/* Convert unsigned char buf's that shouldn't contain any NUL-bytes to char. */ +static char *dup_str(const unsigned char *in, size_t len) +{ + char *ret; + + if(len == 0) + return NULL; + + /* Assert that the string does not contain NUL-bytes. */ + OPENSSL_assert(OPENSSL_strnlen((const char*)(in), len) == len); + ret = OPENSSL_strndup((const char*)(in), len); + OPENSSL_assert(ret != NULL); + return ret; +} + +HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, + SSL_CTX *client_ctx, const SSL_TEST_CTX *test_ctx) { SSL *server, *client; BIO *client_to_server, *server_to_client; HANDSHAKE_EX_DATA server_ex_data, client_ex_data; - HANDSHAKE_RESULT ret; + CTX_DATA client_ctx_data, server_ctx_data, server2_ctx_data; + HANDSHAKE_RESULT *ret = HANDSHAKE_RESULT_new(); int client_turn = 1; peer_status_t client_status = PEER_RETRY, server_status = PEER_RETRY; handshake_status_t status = HANDSHAKE_RETRY; unsigned char* tick = NULL; - size_t len = 0; + size_t tick_len = 0; SSL_SESSION* sess = NULL; + const unsigned char *proto = NULL; + /* API dictates unsigned int rather than size_t. */ + unsigned int proto_len = 0; - configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx); + memset(&server_ctx_data, 0, sizeof(server_ctx_data)); + memset(&server2_ctx_data, 0, sizeof(server2_ctx_data)); + memset(&client_ctx_data, 0, sizeof(client_ctx_data)); + + configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx, + &server_ctx_data, &server2_ctx_data, &client_ctx_data); server = SSL_new(server_ctx); client = SSL_new(client_ctx); @@ -317,8 +517,8 @@ HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, memset(&server_ex_data, 0, sizeof(server_ex_data)); memset(&client_ex_data, 0, sizeof(client_ex_data)); - memset(&ret, 0, sizeof(ret)); - ret.result = SSL_TEST_INTERNAL_ERROR; + + ret->result = SSL_TEST_INTERNAL_ERROR; client_to_server = BIO_new(BIO_s_mem()); server_to_client = BIO_new(BIO_s_mem()); @@ -370,16 +570,16 @@ HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, switch (status) { case HANDSHAKE_SUCCESS: - ret.result = SSL_TEST_SUCCESS; + ret->result = SSL_TEST_SUCCESS; goto err; case CLIENT_ERROR: - ret.result = SSL_TEST_CLIENT_FAIL; + ret->result = SSL_TEST_CLIENT_FAIL; goto err; case SERVER_ERROR: - ret.result = SSL_TEST_SERVER_FAIL; + ret->result = SSL_TEST_SERVER_FAIL; goto err; case INTERNAL_ERROR: - ret.result = SSL_TEST_INTERNAL_ERROR; + ret->result = SSL_TEST_INTERNAL_ERROR; goto err; case HANDSHAKE_RETRY: /* Continue. */ @@ -388,21 +588,36 @@ HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, } } err: - ret.server_alert_sent = server_ex_data.alert_sent; - ret.server_alert_received = client_ex_data.alert_received; - ret.client_alert_sent = client_ex_data.alert_sent; - ret.client_alert_received = server_ex_data.alert_received; - ret.server_protocol = SSL_version(server); - ret.client_protocol = SSL_version(client); - ret.servername = server_ex_data.servername; + ret->server_alert_sent = server_ex_data.alert_sent; + ret->server_alert_received = client_ex_data.alert_received; + ret->client_alert_sent = client_ex_data.alert_sent; + ret->client_alert_received = server_ex_data.alert_received; + ret->server_protocol = SSL_version(server); + ret->client_protocol = SSL_version(client); + ret->servername = server_ex_data.servername; if ((sess = SSL_get0_session(client)) != NULL) - SSL_SESSION_get0_ticket(sess, &tick, &len); - if (tick == NULL || len == 0) - ret.session_ticket = SSL_TEST_SESSION_TICKET_NO; + SSL_SESSION_get0_ticket(sess, &tick, &tick_len); + if (tick == NULL || tick_len == 0) + ret->session_ticket = SSL_TEST_SESSION_TICKET_NO; else - ret.session_ticket = SSL_TEST_SESSION_TICKET_YES; - ret.session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; + ret->session_ticket = SSL_TEST_SESSION_TICKET_YES; + ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call; + + SSL_get0_next_proto_negotiated(client, &proto, &proto_len); + ret->client_npn_negotiated = dup_str(proto, proto_len); + + SSL_get0_next_proto_negotiated(server, &proto, &proto_len); + ret->server_npn_negotiated = dup_str(proto, proto_len); + + SSL_get0_alpn_selected(client, &proto, &proto_len); + ret->client_alpn_negotiated = dup_str(proto, proto_len); + + SSL_get0_alpn_selected(server, &proto, &proto_len); + ret->server_alpn_negotiated = dup_str(proto, proto_len); + ctx_data_free_data(&server_ctx_data); + ctx_data_free_data(&server2_ctx_data); + ctx_data_free_data(&client_ctx_data); SSL_free(server); SSL_free(client); return ret; diff --git a/test/handshake_helper.h b/test/handshake_helper.h index 4a51ad4a6e..56c0aac28a 100644 --- a/test/handshake_helper.h +++ b/test/handshake_helper.h @@ -32,10 +32,17 @@ typedef struct handshake_result { ssl_session_ticket_t session_ticket; /* Was this called on the second context? */ int session_ticket_do_not_call; + char *client_npn_negotiated; + char *server_npn_negotiated; + char *client_alpn_negotiated; + char *server_alpn_negotiated; } HANDSHAKE_RESULT; +HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); +void HANDSHAKE_RESULT_free(HANDSHAKE_RESULT *result); + /* Do a handshake and report some information about the result. */ -HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, - SSL_CTX *client_ctx, const SSL_TEST_CTX *test_ctx); +HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, + SSL_CTX *client_ctx, const SSL_TEST_CTX *test_ctx); #endif /* HEADER_HANDSHAKE_HELPER_H */ diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 258164fcfa..56afb6463c 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -36,6 +36,7 @@ my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2")); my $no_tls = alldisabled(available_protocols("tls")); my $no_dtls = alldisabled(available_protocols("dtls")); +my $no_npn = disabled("nextprotoneg"); my %conf_dependent_tests = ( "02-protocol-version.conf" => !$is_default_tls, @@ -46,6 +47,7 @@ my %conf_dependent_tests = ( # Default is $no_tls but some tests have different skip conditions. my %skip = ( "05-dtls-protocol-version.conf" => $no_dtls, + "08-npn.conf" => $no_tls || $no_npn, ); foreach my $conf (@conf_files) { @@ -58,7 +60,7 @@ foreach my $conf (@conf_files) { # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 7; # = scalar @conf_srcs +plan tests => 9; # = scalar @conf_srcs sub test_conf { plan tests => 3; diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index becfbae890..5228112e16 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -79,7 +79,7 @@ my $client_sess="client.ss"; # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. plan tests => 1 # For testss - + 12 # For the first testssl + + 11 # For the first testssl ; subtest 'test_ss' => sub { @@ -529,19 +529,14 @@ sub testssl { subtest 'Next Protocol Negotiation Tests' => sub { ###################################################################### - plan tests => 7; + plan tests => 2; SKIP: { - skip "TLSv1.0 is not supported by this OpenSSL build", 7 + skip "TLSv1.0 is not supported by this OpenSSL build", 2 if $no_tls1; - skip "Next Protocol Negotiation is not supported by this OpenSSL build", 7 + skip "Next Protocol Negotiation is not supported by this OpenSSL build", 2 if disabled("nextprotoneg"); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server_reject"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server_reject"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server"]))); ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2"]))); ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2", "-reuse"]))); } @@ -579,47 +574,6 @@ sub testssl { } }; - subtest 'ALPN tests' => sub { - ###################################################################### - - plan tests => 13; - - SKIP: { - skip "TLSv1.0 is not supported by this OpenSSL build", 13 - if $no_tls1; - - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_server", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "foo", "-alpn_expected", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "foo", "-alpn_expected", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo", "-alpn_expected", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo,bar", "-alpn_expected", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "bar,foo", "-alpn_expected", "bar"]))); - ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "bar,foo", "-alpn_expected", "bar"]))); - - is(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "bar"])), 0, - "Testing ALPN with protocol mismatch, expecting failure"); - is(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "baz", "-alpn_server", "bar,foo"])), 0, - "Testing ALPN with protocol mismatch, expecting failure"); - - # ALPN + SNI - ok(run(test([@ssltest, "-bio_pair", - "-alpn_client", "foo,bar", "-sn_client", "alice", - "-alpn_server1", "foo,123", "-sn_server1", "alice", - "-alpn_server2", "bar,456", "-sn_server2", "bob", - "-alpn_expected", "foo"]))); - ok(run(test([@ssltest, "-bio_pair", - "-alpn_client", "foo,bar", "-sn_client", "bob", - "-alpn_server1", "foo,123", "-sn_server1", "alice", - "-alpn_server2", "bar,456", "-sn_server2", "bob", - "-alpn_expected", "bar"]))); - ok(run(test([@ssltest, "-bio_pair", - "-alpn_client", "foo,bar", "-sn_client", "bob", - "-alpn_server2", "bar,456", "-sn_server2", "bob", - "-alpn_expected", "bar"]))); - } - }; - subtest 'SRP tests' => sub { plan tests => 4; diff --git a/test/ssl-tests/08-npn.conf b/test/ssl-tests/08-npn.conf new file mode 100644 index 0000000000..a76aa21c1e --- /dev/null +++ b/test/ssl-tests/08-npn.conf @@ -0,0 +1,362 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 12 + +test-0 = 0-npn-simple +test-1 = 1-npn-client-finds-match +test-2 = 2-npn-client-honours-server-pref +test-3 = 3-npn-client-first-pref-on-mismatch +test-4 = 4-npn-no-server-support +test-5 = 5-npn-no-client-support +test-6 = 6-npn-with-sni-no-context-switch +test-7 = 7-npn-with-sni-context-switch +test-8 = 8-npn-selected-sni-server-supports-npn +test-9 = 9-npn-selected-sni-server-does-not-support-npn +test-10 = 10-alpn-preferred-over-npn +test-11 = 11-sni-npn-preferred-over-alpn +# =========================================================== + +[0-npn-simple] +ssl_conf = 0-npn-simple-ssl + +[0-npn-simple-ssl] +server = 0-npn-simple-server +client = 0-npn-simple-client + +[0-npn-simple-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-npn-simple-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ClientNPNProtocols = foo +ExpectedNPNProtocol = foo +ServerNPNProtocols = foo + + +# =========================================================== + +[1-npn-client-finds-match] +ssl_conf = 1-npn-client-finds-match-ssl + +[1-npn-client-finds-match-ssl] +server = 1-npn-client-finds-match-server +client = 1-npn-client-finds-match-client + +[1-npn-client-finds-match-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-npn-client-finds-match-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +ClientNPNProtocols = foo,bar +ExpectedNPNProtocol = bar +ServerNPNProtocols = baz,bar + + +# =========================================================== + +[2-npn-client-honours-server-pref] +ssl_conf = 2-npn-client-honours-server-pref-ssl + +[2-npn-client-honours-server-pref-ssl] +server = 2-npn-client-honours-server-pref-server +client = 2-npn-client-honours-server-pref-client + +[2-npn-client-honours-server-pref-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[2-npn-client-honours-server-pref-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-2] +ClientNPNProtocols = foo,bar +ExpectedNPNProtocol = bar +ServerNPNProtocols = bar,foo + + +# =========================================================== + +[3-npn-client-first-pref-on-mismatch] +ssl_conf = 3-npn-client-first-pref-on-mismatch-ssl + +[3-npn-client-first-pref-on-mismatch-ssl] +server = 3-npn-client-first-pref-on-mismatch-server +client = 3-npn-client-first-pref-on-mismatch-client + +[3-npn-client-first-pref-on-mismatch-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-npn-client-first-pref-on-mismatch-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +ClientNPNProtocols = foo,bar +ExpectedNPNProtocol = foo +ServerNPNProtocols = baz + + +# =========================================================== + +[4-npn-no-server-support] +ssl_conf = 4-npn-no-server-support-ssl + +[4-npn-no-server-support-ssl] +server = 4-npn-no-server-support-server +client = 4-npn-no-server-support-client + +[4-npn-no-server-support-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[4-npn-no-server-support-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ClientNPNProtocols = foo + + +# =========================================================== + +[5-npn-no-client-support] +ssl_conf = 5-npn-no-client-support-ssl + +[5-npn-no-client-support-ssl] +server = 5-npn-no-client-support-server +client = 5-npn-no-client-support-client + +[5-npn-no-client-support-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[5-npn-no-client-support-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ServerNPNProtocols = foo + + +# =========================================================== + +[6-npn-with-sni-no-context-switch] +ssl_conf = 6-npn-with-sni-no-context-switch-ssl + +[6-npn-with-sni-no-context-switch-ssl] +server = 6-npn-with-sni-no-context-switch-server +server2 = 6-npn-with-sni-no-context-switch-server2 +client = 6-npn-with-sni-no-context-switch-client + +[6-npn-with-sni-no-context-switch-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-npn-with-sni-no-context-switch-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-npn-with-sni-no-context-switch-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-6] +ClientNPNProtocols = foo,bar +ExpectedNPNProtocol = foo +ExpectedServerName = server1 +Server2NPNProtocols = bar +ServerNPNProtocols = foo +ServerName = server1 +ServerNameCallback = IgnoreMismatch + + +# =========================================================== + +[7-npn-with-sni-context-switch] +ssl_conf = 7-npn-with-sni-context-switch-ssl + +[7-npn-with-sni-context-switch-ssl] +server = 7-npn-with-sni-context-switch-server +server2 = 7-npn-with-sni-context-switch-server2 +client = 7-npn-with-sni-context-switch-client + +[7-npn-with-sni-context-switch-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[7-npn-with-sni-context-switch-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[7-npn-with-sni-context-switch-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-7] +ClientNPNProtocols = foo,bar +ExpectedNPNProtocol = bar +ExpectedServerName = server2 +Server2NPNProtocols = bar +ServerNPNProtocols = foo +ServerName = server2 +ServerNameCallback = IgnoreMismatch + + +# =========================================================== + +[8-npn-selected-sni-server-supports-npn] +ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl + +[8-npn-selected-sni-server-supports-npn-ssl] +server = 8-npn-selected-sni-server-supports-npn-server +server2 = 8-npn-selected-sni-server-supports-npn-server2 +client = 8-npn-selected-sni-server-supports-npn-client + +[8-npn-selected-sni-server-supports-npn-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[8-npn-selected-sni-server-supports-npn-server2] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[8-npn-selected-sni-server-supports-npn-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-8] +ClientNPNProtocols = foo,bar +ExpectedNPNProtocol = bar +ExpectedServerName = server2 +Server2NPNProtocols = bar +ServerName = server2 +ServerNameCallback = IgnoreMismatch + + +# =========================================================== + +[9-npn-selected-sni-server-does-not-support-npn] +ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl + +[9-npn-selected-sni-server-does-not-s |