From 49619ab008a651e49e7524c73ba6fb4b3c96f67f Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Tue, 14 Mar 2017 14:56:22 +0100 Subject: Port remaining old DTLS tests We already test DTLS protocol versions. For good measure, add some DTLS tests with client auth to the new test framework, so that we can remove the old tests without losing coverage. Reviewed-by: Richard Levitte --- test/recipes/80-test_ssl_new.t | 2 +- test/recipes/80-test_ssl_old.t | 30 +--- test/ssl-tests/04-client_auth.conf | 318 +++++++++++++++++++++++++++++++++- test/ssl-tests/04-client_auth.conf.in | 33 ++-- 4 files changed, 342 insertions(+), 41 deletions(-) diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 903dc91c52..50057948b7 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -55,7 +55,7 @@ my $no_ocsp = disabled("ocsp"); # expectations dynamically based on the OpenSSL compile-time config. my %conf_dependent_tests = ( "02-protocol-version.conf" => !$is_default_tls, - "04-client_auth.conf" => !$is_default_tls, + "04-client_auth.conf" => !$is_default_tls || !$is_default_dtls, "05-sni.conf" => disabled("tls1_1"), "07-dtls-protocol-version.conf" => !$is_default_dtls, "10-resumption.conf" => !$is_default_tls, diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 05cc794693..5342ede7bd 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -331,7 +331,7 @@ sub testssl { subtest 'standard SSL tests' => sub { ###################################################################### - plan tests => 21; + plan tests => 13; SKIP: { skip "SSLv3 is not supported by this OpenSSL build", 4 @@ -355,34 +355,6 @@ sub testssl { 'test sslv2/sslv3 via BIO pair'); } - SKIP: { - skip "DTLSv1 is not supported by this OpenSSL build", 4 - if disabled("dtls1"); - - ok(run(test([@ssltest, "-dtls1"])), - 'test dtlsv1'); - ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])), - 'test dtlsv1 with server authentication'); - ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])), - 'test dtlsv1 with client authentication'); - ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])), - 'test dtlsv1 with both server and client authentication'); - } - - SKIP: { - skip "DTLSv1.2 is not supported by this OpenSSL build", 4 - if disabled("dtls1_2"); - - ok(run(test([@ssltest, "-dtls12"])), - 'test dtlsv1.2'); - ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])), - 'test dtlsv1.2 with server authentication'); - ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])), - 'test dtlsv1.2 with client authentication'); - ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])), - 'test dtlsv1.2 with both server and client authentication'); - } - SKIP: { skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 if $no_anytls; diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf index 96024884d9..ef65d71764 100644 --- a/test/ssl-tests/04-client_auth.conf +++ b/test/ssl-tests/04-client_auth.conf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 20 +num_tests = 30 test-0 = 0-server-auth-flex test-1 = 1-client-auth-flex-request @@ -22,6 +22,16 @@ test-16 = 16-client-auth-TLSv1.2-request test-17 = 17-client-auth-TLSv1.2-require-fail test-18 = 18-client-auth-TLSv1.2-require test-19 = 19-client-auth-TLSv1.2-noroot +test-20 = 20-server-auth-DTLSv1 +test-21 = 21-client-auth-DTLSv1-request +test-22 = 22-client-auth-DTLSv1-require-fail +test-23 = 23-client-auth-DTLSv1-require +test-24 = 24-client-auth-DTLSv1-noroot +test-25 = 25-server-auth-DTLSv1.2 +test-26 = 26-client-auth-DTLSv1.2-request +test-27 = 27-client-auth-DTLSv1.2-require-fail +test-28 = 28-client-auth-DTLSv1.2-require +test-29 = 29-client-auth-DTLSv1.2-noroot # =========================================================== [0-server-auth-flex] @@ -597,3 +607,309 @@ ExpectedResult = ServerFail ExpectedServerAlert = UnknownCA +# =========================================================== + +[20-server-auth-DTLSv1] +ssl_conf = 20-server-auth-DTLSv1-ssl + +[20-server-auth-DTLSv1-ssl] +server = 20-server-auth-DTLSv1-server +client = 20-server-auth-DTLSv1-client + +[20-server-auth-DTLSv1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[20-server-auth-DTLSv1-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-20] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[21-client-auth-DTLSv1-request] +ssl_conf = 21-client-auth-DTLSv1-request-ssl + +[21-client-auth-DTLSv1-request-ssl] +server = 21-client-auth-DTLSv1-request-server +client = 21-client-auth-DTLSv1-request-client + +[21-client-auth-DTLSv1-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[21-client-auth-DTLSv1-request-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-21] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[22-client-auth-DTLSv1-require-fail] +ssl_conf = 22-client-auth-DTLSv1-require-fail-ssl + +[22-client-auth-DTLSv1-require-fail-ssl] +server = 22-client-auth-DTLSv1-require-fail-server +client = 22-client-auth-DTLSv1-require-fail-client + +[22-client-auth-DTLSv1-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[22-client-auth-DTLSv1-require-fail-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-22] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure +Method = DTLS + + +# =========================================================== + +[23-client-auth-DTLSv1-require] +ssl_conf = 23-client-auth-DTLSv1-require-ssl + +[23-client-auth-DTLSv1-require-ssl] +server = 23-client-auth-DTLSv1-require-server +client = 23-client-auth-DTLSv1-require-client + +[23-client-auth-DTLSv1-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[23-client-auth-DTLSv1-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-23] +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[24-client-auth-DTLSv1-noroot] +ssl_conf = 24-client-auth-DTLSv1-noroot-ssl + +[24-client-auth-DTLSv1-noroot-ssl] +server = 24-client-auth-DTLSv1-noroot-server +client = 24-client-auth-DTLSv1-noroot-client + +[24-client-auth-DTLSv1-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[24-client-auth-DTLSv1-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-24] +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA +Method = DTLS + + +# =========================================================== + +[25-server-auth-DTLSv1.2] +ssl_conf = 25-server-auth-DTLSv1.2-ssl + +[25-server-auth-DTLSv1.2-ssl] +server = 25-server-auth-DTLSv1.2-server +client = 25-server-auth-DTLSv1.2-client + +[25-server-auth-DTLSv1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[25-server-auth-DTLSv1.2-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-25] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[26-client-auth-DTLSv1.2-request] +ssl_conf = 26-client-auth-DTLSv1.2-request-ssl + +[26-client-auth-DTLSv1.2-request-ssl] +server = 26-client-auth-DTLSv1.2-request-server +client = 26-client-auth-DTLSv1.2-request-client + +[26-client-auth-DTLSv1.2-request-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Request + +[26-client-auth-DTLSv1.2-request-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-26] +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[27-client-auth-DTLSv1.2-require-fail] +ssl_conf = 27-client-auth-DTLSv1.2-require-fail-ssl + +[27-client-auth-DTLSv1.2-require-fail-ssl] +server = 27-client-auth-DTLSv1.2-require-fail-server +client = 27-client-auth-DTLSv1.2-require-fail-client + +[27-client-auth-DTLSv1.2-require-fail-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require + +[27-client-auth-DTLSv1.2-require-fail-client] +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-27] +ExpectedResult = ServerFail +ExpectedServerAlert = HandshakeFailure +Method = DTLS + + +# =========================================================== + +[28-client-auth-DTLSv1.2-require] +ssl_conf = 28-client-auth-DTLSv1.2-require-ssl + +[28-client-auth-DTLSv1.2-require-ssl] +server = 28-client-auth-DTLSv1.2-require-server +client = 28-client-auth-DTLSv1.2-require-client + +[28-client-auth-DTLSv1.2-require-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Request + +[28-client-auth-DTLSv1.2-require-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-28] +ExpectedClientCertType = RSA +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[29-client-auth-DTLSv1.2-noroot] +ssl_conf = 29-client-auth-DTLSv1.2-noroot-ssl + +[29-client-auth-DTLSv1.2-noroot-ssl] +server = 29-client-auth-DTLSv1.2-noroot-server +client = 29-client-auth-DTLSv1.2-noroot-client + +[29-client-auth-DTLSv1.2-noroot-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyMode = Require + +[29-client-auth-DTLSv1.2-noroot-client] +Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-29] +ExpectedResult = ServerFail +ExpectedServerAlert = UnknownCA +Method = DTLS + + diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in index 8b92836e69..abe6ad43e4 100644 --- a/test/ssl-tests/04-client_auth.conf.in +++ b/test/ssl-tests/04-client_auth.conf.in @@ -12,25 +12,28 @@ use OpenSSL::Test::Utils qw(anydisabled); setup("no_test_here"); # We test version-flexible negotiation (undef) and each protocol version. -my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); +my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2"); my @is_disabled = (0); -push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"); +push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"); our @tests = (); sub generate_tests() { - foreach (0..$#protocols) { my $protocol = $protocols[$_]; my $protocol_name = $protocol || "flex"; my $caalert; + my $method; if (!$is_disabled[$_]) { if ($protocol_name eq "SSLv3") { $caalert = "BadCertificate"; } else { $caalert = "UnknownCA"; } + if ($protocol_name =~ m/^DTLS/) { + $method = "DTLS"; + } my $clihash; my $clisigtype; my $clisigalgs; @@ -51,7 +54,10 @@ sub generate_tests() { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, - test => { "ExpectedResult" => "Success" }, + test => { + "ExpectedResult" => "Success", + "Method" => $method, + }, }; # Handshake with client cert requested but not required or received. @@ -66,7 +72,10 @@ sub generate_tests() { "MinProtocol" => $protocol, "MaxProtocol" => $protocol }, - test => { "ExpectedResult" => "Success" }, + test => { + "ExpectedResult" => "Success", + "Method" => $method, + }, }; # Handshake with client cert required but not present. @@ -85,6 +94,7 @@ sub generate_tests() { test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => "HandshakeFailure", + "Method" => $method, }, }; @@ -104,10 +114,12 @@ sub generate_tests() { "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), }, - test => { "ExpectedResult" => "Success", - "ExpectedClientCertType" => "RSA", - "ExpectedClientSignType" => $clisigtype, - "ExpectedClientSignHash" => $clihash, + test => { + "ExpectedResult" => "Success", + "ExpectedClientCertType" => "RSA", + "ExpectedClientSignType" => $clisigtype, + "ExpectedClientSignHash" => $clihash, + "Method" => $method, }, }; @@ -128,10 +140,11 @@ sub generate_tests() { test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => $caalert, + "Method" => $method, }, }; } } } - + generate_tests(); -- cgit v1.2.3