Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/80-test_ssl_new.t | 2 | ||||
-rw-r--r-- | test/recipes/80-test_ssl_old.t | 30 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.conf | 318 | ||||
-rw-r--r-- | test/ssl-tests/04-client_auth.conf.in | 33 |
4 files changed, 342 insertions, 41 deletions
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 903dc91c52..50057948b7 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -55,7 +55,7 @@ my $no_ocsp = disabled("ocsp");
 # expectations dynamically based on the OpenSSL compile-time config.
 my %conf_dependent_tests = (
 "02-protocol-version.conf" => !$is_default_tls,
- "04-client_auth.conf" => !$is_default_tls,
+ "04-client_auth.conf" => !$is_default_tls || !$is_default_dtls,
 "05-sni.conf" => disabled("tls1_1"),
 "07-dtls-protocol-version.conf" => !$is_default_dtls,
 "10-resumption.conf" => !$is_default_tls,
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 05cc794693..5342ede7bd 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -331,7 +331,7 @@ sub testssl {
 subtest 'standard SSL tests' => sub {
 ######################################################################
- plan tests => 21;
+ plan tests => 13;
 SKIP: {
 skip "SSLv3 is not supported by this OpenSSL build", 4 
@@ -356,34 +356,6 @@ sub testssl {
 }
 SKIP: {
- skip "DTLSv1 is not supported by this OpenSSL build", 4
- if disabled("dtls1");
-
- ok(run(test([@ssltest, "-dtls1"])),
- 'test dtlsv1');
- ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
- 'test dtlsv1 with server authentication');
- ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
- 'test dtlsv1 with client authentication');
- ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
- 'test dtlsv1 with both server and client authentication');
- }
-
- SKIP: {
- skip "DTLSv1.2 is not supported by this OpenSSL build", 4
- if disabled("dtls1_2");
-
- ok(run(test([@ssltest, "-dtls12"])),
- 'test dtlsv1.2');
- ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
- 'test dtlsv1.2 with server authentication');
- ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
- 'test dtlsv1.2 with client authentication');
- ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
- 'test dtlsv1.2 with both server and client authentication');
- }
-
- SKIP: {
 skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8
 if $no_anytls;
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
index 96024884d9..ef65d71764 100644
--- a/test/ssl-tests/04-client_auth.conf
+++ b/test/ssl-tests/04-client_auth.conf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
-num_tests = 20
+num_tests = 30
 test-0 = 0-server-auth-flex
 test-1 = 1-client-auth-flex-request 
@@ -22,6 +22,16 @@ test-16 = 16-client-auth-TLSv1.2-request
 test-17 = 17-client-auth-TLSv1.2-require-fail
 test-18 = 18-client-auth-TLSv1.2-require
 test-19 = 19-client-auth-TLSv1.2-noroot
+test-20 = 20-server-auth-DTLSv1
+test-21 = 21-client-auth-DTLSv1-request
+test-22 = 22-client-auth-DTLSv1-require-fail
+test-23 = 23-client-auth-DTLSv1-require
+test-24 = 24-client-auth-DTLSv1-noroot
+test-25 = 25-server-auth-DTLSv1.2
+test-26 = 26-client-auth-DTLSv1.2-request
+test-27 = 27-client-auth-DTLSv1.2-require-fail
+test-28 = 28-client-auth-DTLSv1.2-require
+test-29 = 29-client-auth-DTLSv1.2-noroot
 # ===========================================================
 [0-server-auth-flex] 
@@ -597,3 +607,309 @@ ExpectedResult = ServerFail
 ExpectedServerAlert = UnknownCA
+# ===========================================================
+
+[20-server-auth-DTLSv1]
+ssl_conf = 20-server-auth-DTLSv1-ssl
+
+[20-server-auth-DTLSv1-ssl]
+server = 20-server-auth-DTLSv1-server
+client = 20-server-auth-DTLSv1-client
+
+[20-server-auth-DTLSv1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[20-server-auth-DTLSv1-client]
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-20]
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[21-client-auth-DTLSv1-request]
+ssl_conf = 21-client-auth-DTLSv1-request-ssl
+
+[21-client-auth-DTLSv1-request-ssl]
+server = 21-client-auth-DTLSv1-request-server
+client = 21-client-auth-DTLSv1-request-client
+
+[21-client-auth-DTLSv1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Request
+
+[21-client-auth-DTLSv1-request-client]
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-21]
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[22-client-auth-DTLSv1-require-fail]
+ssl_conf = 22-client-auth-DTLSv1-require-fail-ssl
+
+[22-client-auth-DTLSv1-require-fail-ssl]
+server = 22-client-auth-DTLSv1-require-fail-server
+client = 22-client-auth-DTLSv1-require-fail-client
+
+[22-client-auth-DTLSv1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[22-client-auth-DTLSv1-require-fail-client]
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-22]
+ExpectedResult = ServerFail
+ExpectedServerAlert = HandshakeFailure
+Method = DTLS
+
+
+# ===========================================================
+
+[23-client-auth-DTLSv1-require]
+ssl_conf = 23-client-auth-DTLSv1-require-ssl
+
+[23-client-auth-DTLSv1-require-ssl]
+server = 23-client-auth-DTLSv1-require-server
+client = 23-client-auth-DTLSv1-require-client
+
+[23-client-auth-DTLSv1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[23-client-auth-DTLSv1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-23]
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[24-client-auth-DTLSv1-noroot]
+ssl_conf = 24-client-auth-DTLSv1-noroot-ssl
+
+[24-client-auth-DTLSv1-noroot-ssl]
+server = 24-client-auth-DTLSv1-noroot-server
+client = 24-client-auth-DTLSv1-noroot-client
+
+[24-client-auth-DTLSv1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+[24-client-auth-DTLSv1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1
+MinProtocol = DTLSv1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-24]
+ExpectedResult = ServerFail
+ExpectedServerAlert = UnknownCA
+Method = DTLS
+
+
+# ===========================================================
+
+[25-server-auth-DTLSv1.2]
+ssl_conf = 25-server-auth-DTLSv1.2-ssl
+
+[25-server-auth-DTLSv1.2-ssl]
+server = 25-server-auth-DTLSv1.2-server
+client = 25-server-auth-DTLSv1.2-client
+
+[25-server-auth-DTLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[25-server-auth-DTLSv1.2-client]
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-25]
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[26-client-auth-DTLSv1.2-request]
+ssl_conf = 26-client-auth-DTLSv1.2-request-ssl
+
+[26-client-auth-DTLSv1.2-request-ssl]
+server = 26-client-auth-DTLSv1.2-request-server
+client = 26-client-auth-DTLSv1.2-request-client
+
+[26-client-auth-DTLSv1.2-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Request
+
+[26-client-auth-DTLSv1.2-request-client]
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-26]
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[27-client-auth-DTLSv1.2-require-fail]
+ssl_conf = 27-client-auth-DTLSv1.2-require-fail-ssl
+
+[27-client-auth-DTLSv1.2-require-fail-ssl]
+server = 27-client-auth-DTLSv1.2-require-fail-server
+client = 27-client-auth-DTLSv1.2-require-fail-client
+
+[27-client-auth-DTLSv1.2-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[27-client-auth-DTLSv1.2-require-fail-client]
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-27]
+ExpectedResult = ServerFail
+ExpectedServerAlert = HandshakeFailure
+Method = DTLS
+
+
+# ===========================================================
+
+[28-client-auth-DTLSv1.2-require]
+ssl_conf = 28-client-auth-DTLSv1.2-require-ssl
+
+[28-client-auth-DTLSv1.2-require-ssl]
+server = 28-client-auth-DTLSv1.2-require-server
+client = 28-client-auth-DTLSv1.2-require-client
+
+[28-client-auth-DTLSv1.2-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+[28-client-auth-DTLSv1.2-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-28]
+ExpectedClientCertType = RSA
+ExpectedResult = Success
+Method = DTLS
+
+
+# ===========================================================
+
+[29-client-auth-DTLSv1.2-noroot]
+ssl_conf = 29-client-auth-DTLSv1.2-noroot-ssl
+
+[29-client-auth-DTLSv1.2-noroot-ssl]
+server = 29-client-auth-DTLSv1.2-noroot-server
+client = 29-client-auth-DTLSv1.2-noroot-client
+
+[29-client-auth-DTLSv1.2-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+[29-client-auth-DTLSv1.2-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+MinProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-29]
+ExpectedResult = ServerFail
+ExpectedServerAlert = UnknownCA
+Method = DTLS
+
+
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index 8b92836e69..abe6ad43e4 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -12,25 +12,28 @@ use OpenSSL::Test::Utils qw(anydisabled);
 setup("no_test_here");
 # We test version-flexible negotiation (undef) and each protocol version.
-my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
 my @is_disabled = (0);
-push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
 our @tests = ();
 sub generate_tests() {
-
 foreach (0..$#protocols) {
 my $protocol = $protocols[$_];
 my $protocol_name = $protocol || "flex";
 my $caalert;
+ my $method;
 if (!$is_disabled[$_]) {
 if ($protocol_name eq "SSLv3") {
 $caalert = "BadCertificate";
 } else {
 $caalert = "UnknownCA";
 }
+ if ($protocol_name =~ m/^DTLS/) {
+ $method = "DTLS";
+ }
 my $clihash;
 my $clisigtype;
 my $clisigalgs;
@@ -51,7 +54,10 @@ sub generate_tests() {
 "MinProtocol" => $protocol,
 "MaxProtocol" => $protocol
 },
- test => { "ExpectedResult" => "Success" },
+ test => {
+ "ExpectedResult" => "Success",
+ "Method" => $method,
+ },
 };
 # Handshake with client cert requested but not required or received. 
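Review bot: In the `@@ -12,25` hunk `my $method;` is left undef for every protocol other than DTLS, so the `"Method" => $method` entries added in this and the remaining hunks of 04-client_auth.conf.in rely on the generator dropping undef-valued keys to keep the existing TLS output (test-0 to test-19 in the generated file are unchanged) byte-identical; nothing in the hunk states that contract. I would make it explicit above the declaration: `# undef selects the default (TLS) Method; only the DTLS protocols set it explicitly.` The same reliance holds for `@is_disabled`, which is only paired with `@protocols` by position, so the two extended lists deserve a one-line note that their order must stay aligned. The `m/^DTLS/` test is fine without /m, though `\A` would make the intent unambiguous. generate_tests continues outside the hunk.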
@@ -66,7 +72,10 @@ sub generate_tests() {
 "MinProtocol" => $protocol,
 "MaxProtocol" => $protocol
 },
- test => { "ExpectedResult" => "Success" },
+ test => {
+ "ExpectedResult" => "Success",
+ "Method" => $method,
+ },
 };
 # Handshake with client cert required but not present.
@@ -85,6 +94,7 @@ sub generate_tests() {
 test => {
 "ExpectedResult" => "ServerFail",
 "ExpectedServerAlert" => "HandshakeFailure",
+ "Method" => $method,
 },
 };
@@ -104,10 +114,12 @@ sub generate_tests() {
 "Certificate" => test_pem("ee-client-chain.pem"),
 "PrivateKey" => test_pem("ee-key.pem"),
 },
- test => { "ExpectedResult" => "Success",
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignType" => $clisigtype,
- "ExpectedClientSignHash" => $clihash,
+ test => {
+ "ExpectedResult" => "Success",
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignType" => $clisigtype,
+ "ExpectedClientSignHash" => $clihash,
+ "Method" => $method,
 },
 };
@@ -128,10 +140,11 @@ sub generate_tests() {
 test => {
 "ExpectedResult" => "ServerFail",
 "ExpectedServerAlert" => $caalert,
+ "Method" => $method,
 },
 };
 }
 }
 }
-
+ generate_tests(); |