[openssl-commits] [openssl] master update

Emilia Kasper emilia at openssl.org
Fri Jun 3 10:03:33 UTC 2016


The branch master has been updated
       via  63936115e8e70ac36fc865ea32830dc93a7a5157 (commit)
      from  66bceb5f19d8a1c4436138e6c9e66f25fa0f75d4 (commit)


- Log -----------------------------------------------------------------
commit 63936115e8e70ac36fc865ea32830dc93a7a5157
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue May 31 16:42:58 2016 +0200

    Update client authentication tests
    
    Port client auth tests to the new framework, add coverage. The old tests
    were only testing success, and only for some protocol versions; the new
    tests add all protocol versions and various failure modes.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/certs/{ee-client.pem => ee-client-chain.pem} |  18 +
 test/recipes/80-test_ssl_new.t                    |   2 +-
 test/recipes/80-test_ssl_old.t                    |  89 ++--
 test/ssl-tests/04-client_auth.conf                | 602 ++++++++++++++++++++++
 test/ssl-tests/04-client_auth.conf.in             | 109 ++++
 5 files changed, 759 insertions(+), 61 deletions(-)
 copy test/certs/{ee-client.pem => ee-client-chain.pem} (51%)
 create mode 100644 test/ssl-tests/04-client_auth.conf
 create mode 100644 test/ssl-tests/04-client_auth.conf.in

diff --git a/test/certs/ee-client.pem b/test/certs/ee-client-chain.pem
similarity index 51%
copy from test/certs/ee-client.pem
copy to test/certs/ee-client-chain.pem
index a6105b2..27652fa 100644
--- a/test/certs/ee-client.pem
+++ b/test/certs/ee-client-chain.pem
@@ -17,3 +17,21 @@ A5/3RqteQaeQETFbZdlb6e7jAjiGp6DmAiH/WLrVvMY8k0z81TD0+UjJqI9097mF
 VtNX0l+46/tR4zvyA4yYqxK+L8M57SjfwxvwUpDxxVVnRsf3kHhudeAc+UDWzqws
 n5P71o+AfbkYzhHsSFIZyYUnGv+JApFpcGEMEiHL2iBhCRdx
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
+CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk
+IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6
+AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi
+8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6
+uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR
+5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4=
+-----END CERTIFICATE-----
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 2bce02a..d432d1a 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -42,7 +42,7 @@ foreach my $conf (@conf_files) {
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 3;  # = scalar @conf_srcs
+plan tests => 4;  # = scalar @conf_srcs
 
 sub test_conf {
     plan tests => 3;
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index b41e67a..74d4360 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -311,11 +311,8 @@ sub testss {
 }
 
 sub testssl {
-    my $key = shift || bldtop_file("apps","server.pem");
-    my $cert = shift || bldtop_file("apps","server.pem");
-    my $CAtmp = shift;
+    my ($key, $cert, $CAtmp) = @_;
     my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
-    my @extra = @_;
 
     my @ssltest = ("ssltest_old",
 		   "-s_key", $key, "-s_cert", $cert,
@@ -334,47 +331,19 @@ sub testssl {
 
     subtest 'standard SSL tests' => sub {
 	######################################################################
-	plan tests => 29;
+        plan tests => 21;
 
       SKIP: {
 	  skip "SSLv3 is not supported by this OpenSSL build", 4
 	      if disabled("ssl3");
 
-	  ok(run(test([@ssltest, "-ssl3", @extra])),
-	     'test sslv3');
-	  ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
-	     'test sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
-	     'test sslv3 with client authentication');
-	  ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
-	     'test sslv3 with both server and client authentication');
-	}
-
-      SKIP: {
-	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4
-	      if $no_anytls;
-
-	  ok(run(test([@ssltest, @extra])),
-	     'test sslv2/sslv3');
-	  ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
-	     'test sslv2/sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
-	     'test sslv2/sslv3 with client authentication');
-	  ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
-	     'test sslv2/sslv3 with both server and client authentication');
-	}
-
-      SKIP: {
-	  skip "SSLv3 is not supported by this OpenSSL build", 4
-	      if disabled("ssl3");
-
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
 	     'test sslv3 via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
 	     'test sslv3 with server authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
 	     'test sslv3 with client authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
 	     'test sslv3 with both server and client authentication via BIO pair');
 	}
 
@@ -382,7 +351,7 @@ sub testssl {
 	  skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
 	      if $no_anytls;
 
-	  ok(run(test([@ssltest, "-bio_pair", @extra])),
+	  ok(run(test([@ssltest, "-bio_pair"])),
 	     'test sslv2/sslv3 via BIO pair');
 	}
 
@@ -390,13 +359,13 @@ sub testssl {
 	  skip "DTLSv1 is not supported by this OpenSSL build", 4
 	      if disabled("dtls1");
 
-	  ok(run(test([@ssltest, "-dtls1", @extra])),
+	  ok(run(test([@ssltest, "-dtls1"])),
 	     'test dtlsv1');
-	  ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
 	   'test dtlsv1 with server authentication');
-	  ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
 	     'test dtlsv1 with client authentication');
-	  ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
 	     'test dtlsv1 with both server and client authentication');
 	}
 
@@ -404,13 +373,13 @@ sub testssl {
 	  skip "DTLSv1.2 is not supported by this OpenSSL build", 4
 	      if disabled("dtls1_2");
 
-	  ok(run(test([@ssltest, "-dtls12", @extra])),
+	  ok(run(test([@ssltest, "-dtls12"])),
 	     'test dtlsv1.2');
-	  ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
 	     'test dtlsv1.2 with server authentication');
-	  ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
 	     'test dtlsv1.2 with client authentication');
-	  ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
 	     'test dtlsv1.2 with both server and client authentication');
 	}
 
@@ -421,32 +390,32 @@ sub testssl {
 	SKIP: {
 	    skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
 
-	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
+	    ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
 	       'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
 	  }
 
-	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
 	     'test sslv2/sslv3 with 1024bit DHE via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
 	     'test sslv2/sslv3 with server authentication');
-	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
 	     'test sslv2/sslv3 with client authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
 	     'test sslv2/sslv3 with both client and server authentication via BIO pair');
-	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
+	  ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
 	     'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
 
         SKIP: {
             skip "No IPv4 available on this machine", 1
                 unless !disabled("sock") && have_IPv4();
-            ok(run(test([@ssltest, "-ipv4", @extra])),
+            ok(run(test([@ssltest, "-ipv4"])),
                'test TLS via IPv4');
           }
 
         SKIP: {
             skip "No IPv6 available on this machine", 1
                 unless !disabled("sock") && have_IPv6();
-            ok(run(test([@ssltest, "-ipv6", @extra])),
+            ok(run(test([@ssltest, "-ipv6"])),
                'test TLS via IPv6');
           }
         }
@@ -525,7 +494,7 @@ sub testssl {
 	    skip "skipping anonymous DH tests", 1
 	      if ($no_dh);
 
-	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
+	    ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
 	       'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
 	  }
 
@@ -533,13 +502,13 @@ sub testssl {
 	    skip "skipping RSA tests", 2
 		if $no_rsa;
 
-	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
+	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
 	       'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
 
 	    skip "skipping RSA+DHE tests", 1
 		if $no_dh;
 
-	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
+	    ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
 	       'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
 	  }
 
@@ -547,10 +516,10 @@ sub testssl {
 	    skip "skipping PSK tests", 2
 	        if ($no_psk);
 
-	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
+	    ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
 	       'test tls1 with PSK');
 
-	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
+	    ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
 	       'test tls1 with PSK via BIO pair');
 	  }
 	}
@@ -702,7 +671,7 @@ sub testssl {
 	      if $no_anytls;
 
 	  skip "skipping multi-buffer tests", 2
-	      if @extra || (POSIX::uname())[4] ne "x86_64";
+	      if (POSIX::uname())[4] ne "x86_64";
 
 	  ok(run(test([@ssltest, "-cipher", "AES128-SHA",    "-bytes", "8m"])));
 
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
new file mode 100644
index 0000000..191d666
--- /dev/null
+++ b/test/ssl-tests/04-client_auth.conf
@@ -0,0 +1,602 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 20
+
+test-0 = 0-server-auth-flex
+test-1 = 1-client-auth-flex-request
+test-2 = 2-client-auth-flex-require-fail
+test-3 = 3-client-auth-flex-require
+test-4 = 4-client-auth-flex-noroot
+test-5 = 5-server-auth-TLSv1
+test-6 = 6-client-auth-TLSv1-request
+test-7 = 7-client-auth-TLSv1-require-fail
+test-8 = 8-client-auth-TLSv1-require
+test-9 = 9-client-auth-TLSv1-noroot
+test-10 = 10-server-auth-TLSv1.1
+test-11 = 11-client-auth-TLSv1.1-request
+test-12 = 12-client-auth-TLSv1.1-require-fail
+test-13 = 13-client-auth-TLSv1.1-require
+test-14 = 14-client-auth-TLSv1.1-noroot
+test-15 = 15-server-auth-TLSv1.2
+test-16 = 16-client-auth-TLSv1.2-request
+test-17 = 17-client-auth-TLSv1.2-require-fail
+test-18 = 18-client-auth-TLSv1.2-require
+test-19 = 19-client-auth-TLSv1.2-noroot
+# ===========================================================
+
+[0-server-auth-flex]
+ssl_conf = 0-server-auth-flex-ssl
+
+[0-server-auth-flex-ssl]
+server = 0-server-auth-flex-server
+client = 0-server-auth-flex-client
+
+[0-server-auth-flex-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-server-auth-flex-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-0]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-client-auth-flex-request]
+ssl_conf = 1-client-auth-flex-request-ssl
+
+[1-client-auth-flex-request-ssl]
+server = 1-client-auth-flex-request-server
+client = 1-client-auth-flex-request-client
+
+[1-client-auth-flex-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Request
+
+
+[1-client-auth-flex-request-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-1]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-client-auth-flex-require-fail]
+ssl_conf = 2-client-auth-flex-require-fail-ssl
+
+[2-client-auth-flex-require-fail-ssl]
+server = 2-client-auth-flex-require-fail-server
+client = 2-client-auth-flex-require-fail-client
+
+[2-client-auth-flex-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[2-client-auth-flex-require-fail-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-2]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[3-client-auth-flex-require]
+ssl_conf = 3-client-auth-flex-require-ssl
+
+[3-client-auth-flex-require-ssl]
+server = 3-client-auth-flex-require-server
+client = 3-client-auth-flex-require-client
+
+[3-client-auth-flex-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[3-client-auth-flex-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-3]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[4-client-auth-flex-noroot]
+ssl_conf = 4-client-auth-flex-noroot-ssl
+
+[4-client-auth-flex-noroot-ssl]
+server = 4-client-auth-flex-noroot-server
+client = 4-client-auth-flex-noroot-client
+
+[4-client-auth-flex-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+
+[4-client-auth-flex-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-4]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[5-server-auth-TLSv1]
+ssl_conf = 5-server-auth-TLSv1-ssl
+
+[5-server-auth-TLSv1-ssl]
+server = 5-server-auth-TLSv1-server
+client = 5-server-auth-TLSv1-client
+
+[5-server-auth-TLSv1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+
+
+[5-server-auth-TLSv1-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-5]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[6-client-auth-TLSv1-request]
+ssl_conf = 6-client-auth-TLSv1-request-ssl
+
+[6-client-auth-TLSv1-request-ssl]
+server = 6-client-auth-TLSv1-request-server
+client = 6-client-auth-TLSv1-request-client
+
+[6-client-auth-TLSv1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Request
+
+
+[6-client-auth-TLSv1-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-6]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[7-client-auth-TLSv1-require-fail]
+ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
+
+[7-client-auth-TLSv1-require-fail-ssl]
+server = 7-client-auth-TLSv1-require-fail-server
+client = 7-client-auth-TLSv1-require-fail-client
+
+[7-client-auth-TLSv1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[7-client-auth-TLSv1-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-7]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[8-client-auth-TLSv1-require]
+ssl_conf = 8-client-auth-TLSv1-require-ssl
+
+[8-client-auth-TLSv1-require-ssl]
+server = 8-client-auth-TLSv1-require-server
+client = 8-client-auth-TLSv1-require-client
+
+[8-client-auth-TLSv1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[8-client-auth-TLSv1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-8]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[9-client-auth-TLSv1-noroot]
+ssl_conf = 9-client-auth-TLSv1-noroot-ssl
+
+[9-client-auth-TLSv1-noroot-ssl]
+server = 9-client-auth-TLSv1-noroot-server
+client = 9-client-auth-TLSv1-noroot-client
+
+[9-client-auth-TLSv1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Require
+
+
+[9-client-auth-TLSv1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-9]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[10-server-auth-TLSv1.1]
+ssl_conf = 10-server-auth-TLSv1.1-ssl
+
+[10-server-auth-TLSv1.1-ssl]
+server = 10-server-auth-TLSv1.1-server
+client = 10-server-auth-TLSv1.1-client
+
+[10-server-auth-TLSv1.1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+
+
+[10-server-auth-TLSv1.1-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-10]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[11-client-auth-TLSv1.1-request]
+ssl_conf = 11-client-auth-TLSv1.1-request-ssl
+
+[11-client-auth-TLSv1.1-request-ssl]
+server = 11-client-auth-TLSv1.1-request-server
+client = 11-client-auth-TLSv1.1-request-client
+
+[11-client-auth-TLSv1.1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Request
+
+
+[11-client-auth-TLSv1.1-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-11]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[12-client-auth-TLSv1.1-require-fail]
+ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
+
+[12-client-auth-TLSv1.1-require-fail-ssl]
+server = 12-client-auth-TLSv1.1-require-fail-server
+client = 12-client-auth-TLSv1.1-require-fail-client
+
+[12-client-auth-TLSv1.1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[12-client-auth-TLSv1.1-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-12]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[13-client-auth-TLSv1.1-require]
+ssl_conf = 13-client-auth-TLSv1.1-require-ssl
+
+[13-client-auth-TLSv1.1-require-ssl]
+server = 13-client-auth-TLSv1.1-require-server
+client = 13-client-auth-TLSv1.1-require-client
+
+[13-client-auth-TLSv1.1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[13-client-auth-TLSv1.1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-13]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[14-client-auth-TLSv1.1-noroot]
+ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
+
+[14-client-auth-TLSv1.1-noroot-ssl]
+server = 14-client-auth-TLSv1.1-noroot-server
+client = 14-client-auth-TLSv1.1-noroot-client
+
+[14-client-auth-TLSv1.1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Require
+
+
+[14-client-auth-TLSv1.1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-14]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[15-server-auth-TLSv1.2]
+ssl_conf = 15-server-auth-TLSv1.2-ssl
+
+[15-server-auth-TLSv1.2-ssl]
+server = 15-server-auth-TLSv1.2-server
+client = 15-server-auth-TLSv1.2-client
+
+[15-server-auth-TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+
+
+[15-server-auth-TLSv1.2-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-15]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[16-client-auth-TLSv1.2-request]
+ssl_conf = 16-client-auth-TLSv1.2-request-ssl
+
+[16-client-auth-TLSv1.2-request-ssl]
+server = 16-client-auth-TLSv1.2-request-server
+client = 16-client-auth-TLSv1.2-request-client
+
+[16-client-auth-TLSv1.2-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Request
+
+
+[16-client-auth-TLSv1.2-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-16]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[17-client-auth-TLSv1.2-require-fail]
+ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
+
+[17-client-auth-TLSv1.2-require-fail-ssl]
+server = 17-client-auth-TLSv1.2-require-fail-server
+client = 17-client-auth-TLSv1.2-require-fail-client
+
+[17-client-auth-TLSv1.2-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[17-client-auth-TLSv1.2-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-17]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[18-client-auth-TLSv1.2-require]
+ssl_conf = 18-client-auth-TLSv1.2-require-ssl
+
+[18-client-auth-TLSv1.2-require-ssl]
+server = 18-client-auth-TLSv1.2-require-server
+client = 18-client-auth-TLSv1.2-require-client
+
+[18-client-auth-TLSv1.2-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[18-client-auth-TLSv1.2-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-18]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[19-client-auth-TLSv1.2-noroot]
+ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
+
+[19-client-auth-TLSv1.2-noroot-ssl]
+server = 19-client-auth-TLSv1.2-noroot-server
+client = 19-client-auth-TLSv1.2-noroot-client
+
+[19-client-auth-TLSv1.2-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Require
+
+
+[19-client-auth-TLSv1.2-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-19]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
new file mode 100644
index 0000000..36d13df
--- /dev/null
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -0,0 +1,109 @@
+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(anydisabled);
+setup("no_test_here");
+
+# We test version-flexible negotiation (undef) and each protocol version.
+my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+
+my @is_disabled = (0);
+push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+
+our @tests = ();
+
+my $dir_sep = $^O ne "VMS" ? "/" : "";
+
+sub generate_tests() {
+
+    foreach (0..$#protocols) {
+        my $protocol = $protocols[$_];
+        my $protocol_name = $protocol || "flex";
+        if (!$is_disabled[$_]) {
+            # Sanity-check simple handshake.
+            push @tests, {
+                name => "server-auth-${protocol_name}",
+                server => {
+                    "Protocol" => $protocol
+                },
+                client => {
+                    "Protocol" => $protocol
+                },
+                test   => { "ExpectedResult" => "Success" },
+            };
+
+            # Handshake with client cert requested but not required or received.
+            push @tests, {
+                name => "client-auth-${protocol_name}-request",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyMode" => "Request",
+                },
+                client => {
+                    "Protocol" => $protocol
+                },
+                test   => { "ExpectedResult" => "Success" },
+            };
+
+            # Handshake with client cert required but not present.
+            push @tests, {
+                name => "client-auth-${protocol_name}-require-fail",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+                    "VerifyMode" => "Require",
+                },
+                client => {
+                    "Protocol" => $protocol,
+                },
+                test   => {
+                    "ExpectedResult" => "ServerFail",
+                    "ServerAlert" => "HandshakeFailure",
+                },
+            };
+
+            # Successful handshake with client authentication.
+            push @tests, {
+                name => "client-auth-${protocol_name}-require",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+                    "VerifyMode" => "Request",
+                },
+                client => {
+                    "Protocol" => $protocol,
+                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+                },
+                test   => { "ExpectedResult" => "Success" },
+            };
+
+            # Handshake with client authentication but without the root certificate.
+            push @tests, {
+                name => "client-auth-${protocol_name}-noroot",
+                server => {
+                    "Protocol" => $protocol,
+                    "VerifyMode" => "Require",
+                },
+                client => {
+                    "Protocol" => $protocol,
+                    "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+                    "PrivateKey"  => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+                },
+                test   => {
+                    "ExpectedResult" => "ServerFail",
+                    "ServerAlert" => "UnknownCA",
+                },
+            };
+        }
+    }
+}
+ 
+generate_tests();


More information about the openssl-commits mailing list