[openssl-commits] [openssl] master update
Emilia Kasper
emilia at openssl.org
Fri Jun 3 10:03:33 UTC 2016
The branch master has been updated
via 63936115e8e70ac36fc865ea32830dc93a7a5157 (commit)
from 66bceb5f19d8a1c4436138e6c9e66f25fa0f75d4 (commit)
- Log -----------------------------------------------------------------
commit 63936115e8e70ac36fc865ea32830dc93a7a5157
Author: Emilia Kasper <emilia at openssl.org>
Date: Tue May 31 16:42:58 2016 +0200
Update client authentication tests
Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
test/certs/{ee-client.pem => ee-client-chain.pem} | 18 +
test/recipes/80-test_ssl_new.t | 2 +-
test/recipes/80-test_ssl_old.t | 89 ++--
test/ssl-tests/04-client_auth.conf | 602 ++++++++++++++++++++++
test/ssl-tests/04-client_auth.conf.in | 109 ++++
5 files changed, 759 insertions(+), 61 deletions(-)
copy test/certs/{ee-client.pem => ee-client-chain.pem} (51%)
create mode 100644 test/ssl-tests/04-client_auth.conf
create mode 100644 test/ssl-tests/04-client_auth.conf.in
diff --git a/test/certs/ee-client.pem b/test/certs/ee-client-chain.pem
similarity index 51%
copy from test/certs/ee-client.pem
copy to test/certs/ee-client-chain.pem
index a6105b2..27652fa 100644
--- a/test/certs/ee-client.pem
+++ b/test/certs/ee-client-chain.pem
@@ -17,3 +17,21 @@ A5/3RqteQaeQETFbZdlb6e7jAjiGp6DmAiH/WLrVvMY8k0z81TD0+UjJqI9097mF
VtNX0l+46/tR4zvyA4yYqxK+L8M57SjfwxvwUpDxxVVnRsf3kHhudeAc+UDWzqws
n5P71o+AfbkYzhHsSFIZyYUnGv+JApFpcGEMEiHL2iBhCRdx
-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD
+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
+CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G
+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ
+KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk
+IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6
+AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi
+8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6
+uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR
+5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4=
+-----END CERTIFICATE-----
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 2bce02a..d432d1a 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -42,7 +42,7 @@ foreach my $conf (@conf_files) {
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 3; # = scalar @conf_srcs
+plan tests => 4; # = scalar @conf_srcs
sub test_conf {
plan tests => 3;
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index b41e67a..74d4360 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -311,11 +311,8 @@ sub testss {
}
sub testssl {
- my $key = shift || bldtop_file("apps","server.pem");
- my $cert = shift || bldtop_file("apps","server.pem");
- my $CAtmp = shift;
+ my ($key, $cert, $CAtmp) = @_;
my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
- my @extra = @_;
my @ssltest = ("ssltest_old",
"-s_key", $key, "-s_cert", $cert,
@@ -334,47 +331,19 @@ sub testssl {
subtest 'standard SSL tests' => sub {
######################################################################
- plan tests => 29;
+ plan tests => 21;
SKIP: {
skip "SSLv3 is not supported by this OpenSSL build", 4
if disabled("ssl3");
- ok(run(test([@ssltest, "-ssl3", @extra])),
- 'test sslv3');
- ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])),
- 'test sslv3 with server authentication');
- ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])),
- 'test sslv3 with client authentication');
- ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
- 'test sslv3 with both server and client authentication');
- }
-
- SKIP: {
- skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 4
- if $no_anytls;
-
- ok(run(test([@ssltest, @extra])),
- 'test sslv2/sslv3');
- ok(run(test([@ssltest, "-server_auth", @CA, @extra])),
- 'test sslv2/sslv3 with server authentication');
- ok(run(test([@ssltest, "-client_auth", @CA, @extra])),
- 'test sslv2/sslv3 with client authentication');
- ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])),
- 'test sslv2/sslv3 with both server and client authentication');
- }
-
- SKIP: {
- skip "SSLv3 is not supported by this OpenSSL build", 4
- if disabled("ssl3");
-
- ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
'test sslv3 via BIO pair');
- ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
'test sslv3 with server authentication via BIO pair');
- ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA])),
'test sslv3 with client authentication via BIO pair');
- ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA])),
'test sslv3 with both server and client authentication via BIO pair');
}
@@ -382,7 +351,7 @@ sub testssl {
skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 1
if $no_anytls;
- ok(run(test([@ssltest, "-bio_pair", @extra])),
+ ok(run(test([@ssltest, "-bio_pair"])),
'test sslv2/sslv3 via BIO pair');
}
@@ -390,13 +359,13 @@ sub testssl {
skip "DTLSv1 is not supported by this OpenSSL build", 4
if disabled("dtls1");
- ok(run(test([@ssltest, "-dtls1", @extra])),
+ ok(run(test([@ssltest, "-dtls1"])),
'test dtlsv1');
- ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA])),
'test dtlsv1 with server authentication');
- ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA])),
'test dtlsv1 with client authentication');
- ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA])),
'test dtlsv1 with both server and client authentication');
}
@@ -404,13 +373,13 @@ sub testssl {
skip "DTLSv1.2 is not supported by this OpenSSL build", 4
if disabled("dtls1_2");
- ok(run(test([@ssltest, "-dtls12", @extra])),
+ ok(run(test([@ssltest, "-dtls12"])),
'test dtlsv1.2');
- ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA])),
'test dtlsv1.2 with server authentication');
- ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA])),
'test dtlsv1.2 with client authentication');
- ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA])),
'test dtlsv1.2 with both server and client authentication');
}
@@ -421,32 +390,32 @@ sub testssl {
SKIP: {
skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert;
- ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe"])),
'test sslv2/sslv3 w/o (EC)DHE via BIO pair');
}
- ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
- ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])),
'test sslv2/sslv3 with server authentication');
- ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])),
'test sslv2/sslv3 with client authentication via BIO pair');
- ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair');
- ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])),
'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify');
SKIP: {
skip "No IPv4 available on this machine", 1
unless !disabled("sock") && have_IPv4();
- ok(run(test([@ssltest, "-ipv4", @extra])),
+ ok(run(test([@ssltest, "-ipv4"])),
'test TLS via IPv4');
}
SKIP: {
skip "No IPv6 available on this machine", 1
unless !disabled("sock") && have_IPv6();
- ok(run(test([@ssltest, "-ipv6", @extra])),
+ ok(run(test([@ssltest, "-ipv6"])),
'test TLS via IPv6');
}
}
@@ -525,7 +494,7 @@ sub testssl {
skip "skipping anonymous DH tests", 1
if ($no_dh);
- ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
+ ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit anonymous DH, multiple handshakes');
}
@@ -533,13 +502,13 @@ sub testssl {
skip "skipping RSA tests", 2
if $no_rsa;
- ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])),
+ ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes');
skip "skipping RSA+DHE tests", 1
if $no_dh;
- ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])),
+ ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time"])),
'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes');
}
@@ -547,10 +516,10 @@ sub testssl {
skip "skipping PSK tests", 2
if ($no_psk);
- ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
+ ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
'test tls1 with PSK');
- ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])),
+ ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])),
'test tls1 with PSK via BIO pair');
}
}
@@ -702,7 +671,7 @@ sub testssl {
if $no_anytls;
skip "skipping multi-buffer tests", 2
- if @extra || (POSIX::uname())[4] ne "x86_64";
+ if (POSIX::uname())[4] ne "x86_64";
ok(run(test([@ssltest, "-cipher", "AES128-SHA", "-bytes", "8m"])));
diff --git a/test/ssl-tests/04-client_auth.conf b/test/ssl-tests/04-client_auth.conf
new file mode 100644
index 0000000..191d666
--- /dev/null
+++ b/test/ssl-tests/04-client_auth.conf
@@ -0,0 +1,602 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 20
+
+test-0 = 0-server-auth-flex
+test-1 = 1-client-auth-flex-request
+test-2 = 2-client-auth-flex-require-fail
+test-3 = 3-client-auth-flex-require
+test-4 = 4-client-auth-flex-noroot
+test-5 = 5-server-auth-TLSv1
+test-6 = 6-client-auth-TLSv1-request
+test-7 = 7-client-auth-TLSv1-require-fail
+test-8 = 8-client-auth-TLSv1-require
+test-9 = 9-client-auth-TLSv1-noroot
+test-10 = 10-server-auth-TLSv1.1
+test-11 = 11-client-auth-TLSv1.1-request
+test-12 = 12-client-auth-TLSv1.1-require-fail
+test-13 = 13-client-auth-TLSv1.1-require
+test-14 = 14-client-auth-TLSv1.1-noroot
+test-15 = 15-server-auth-TLSv1.2
+test-16 = 16-client-auth-TLSv1.2-request
+test-17 = 17-client-auth-TLSv1.2-require-fail
+test-18 = 18-client-auth-TLSv1.2-require
+test-19 = 19-client-auth-TLSv1.2-noroot
+# ===========================================================
+
+[0-server-auth-flex]
+ssl_conf = 0-server-auth-flex-ssl
+
+[0-server-auth-flex-ssl]
+server = 0-server-auth-flex-server
+client = 0-server-auth-flex-client
+
+[0-server-auth-flex-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+
+[0-server-auth-flex-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-0]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-client-auth-flex-request]
+ssl_conf = 1-client-auth-flex-request-ssl
+
+[1-client-auth-flex-request-ssl]
+server = 1-client-auth-flex-request-server
+client = 1-client-auth-flex-request-client
+
+[1-client-auth-flex-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Request
+
+
+[1-client-auth-flex-request-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-1]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-client-auth-flex-require-fail]
+ssl_conf = 2-client-auth-flex-require-fail-ssl
+
+[2-client-auth-flex-require-fail-ssl]
+server = 2-client-auth-flex-require-fail-server
+client = 2-client-auth-flex-require-fail-client
+
+[2-client-auth-flex-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[2-client-auth-flex-require-fail-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-2]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[3-client-auth-flex-require]
+ssl_conf = 3-client-auth-flex-require-ssl
+
+[3-client-auth-flex-require-ssl]
+server = 3-client-auth-flex-require-server
+client = 3-client-auth-flex-require-client
+
+[3-client-auth-flex-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[3-client-auth-flex-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-3]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[4-client-auth-flex-noroot]
+ssl_conf = 4-client-auth-flex-noroot-ssl
+
+[4-client-auth-flex-noroot-ssl]
+server = 4-client-auth-flex-noroot-server
+client = 4-client-auth-flex-noroot-client
+
+[4-client-auth-flex-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyMode = Require
+
+
+[4-client-auth-flex-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-4]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[5-server-auth-TLSv1]
+ssl_conf = 5-server-auth-TLSv1-ssl
+
+[5-server-auth-TLSv1-ssl]
+server = 5-server-auth-TLSv1-server
+client = 5-server-auth-TLSv1-client
+
+[5-server-auth-TLSv1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+
+
+[5-server-auth-TLSv1-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-5]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[6-client-auth-TLSv1-request]
+ssl_conf = 6-client-auth-TLSv1-request-ssl
+
+[6-client-auth-TLSv1-request-ssl]
+server = 6-client-auth-TLSv1-request-server
+client = 6-client-auth-TLSv1-request-client
+
+[6-client-auth-TLSv1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Request
+
+
+[6-client-auth-TLSv1-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-6]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[7-client-auth-TLSv1-require-fail]
+ssl_conf = 7-client-auth-TLSv1-require-fail-ssl
+
+[7-client-auth-TLSv1-require-fail-ssl]
+server = 7-client-auth-TLSv1-require-fail-server
+client = 7-client-auth-TLSv1-require-fail-client
+
+[7-client-auth-TLSv1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[7-client-auth-TLSv1-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-7]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[8-client-auth-TLSv1-require]
+ssl_conf = 8-client-auth-TLSv1-require-ssl
+
+[8-client-auth-TLSv1-require-ssl]
+server = 8-client-auth-TLSv1-require-server
+client = 8-client-auth-TLSv1-require-client
+
+[8-client-auth-TLSv1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[8-client-auth-TLSv1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-8]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[9-client-auth-TLSv1-noroot]
+ssl_conf = 9-client-auth-TLSv1-noroot-ssl
+
+[9-client-auth-TLSv1-noroot-ssl]
+server = 9-client-auth-TLSv1-noroot-server
+client = 9-client-auth-TLSv1-noroot-client
+
+[9-client-auth-TLSv1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1
+VerifyMode = Require
+
+
+[9-client-auth-TLSv1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-9]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[10-server-auth-TLSv1.1]
+ssl_conf = 10-server-auth-TLSv1.1-ssl
+
+[10-server-auth-TLSv1.1-ssl]
+server = 10-server-auth-TLSv1.1-server
+client = 10-server-auth-TLSv1.1-client
+
+[10-server-auth-TLSv1.1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+
+
+[10-server-auth-TLSv1.1-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-10]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[11-client-auth-TLSv1.1-request]
+ssl_conf = 11-client-auth-TLSv1.1-request-ssl
+
+[11-client-auth-TLSv1.1-request-ssl]
+server = 11-client-auth-TLSv1.1-request-server
+client = 11-client-auth-TLSv1.1-request-client
+
+[11-client-auth-TLSv1.1-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Request
+
+
+[11-client-auth-TLSv1.1-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-11]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[12-client-auth-TLSv1.1-require-fail]
+ssl_conf = 12-client-auth-TLSv1.1-require-fail-ssl
+
+[12-client-auth-TLSv1.1-require-fail-ssl]
+server = 12-client-auth-TLSv1.1-require-fail-server
+client = 12-client-auth-TLSv1.1-require-fail-client
+
+[12-client-auth-TLSv1.1-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[12-client-auth-TLSv1.1-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-12]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[13-client-auth-TLSv1.1-require]
+ssl_conf = 13-client-auth-TLSv1.1-require-ssl
+
+[13-client-auth-TLSv1.1-require-ssl]
+server = 13-client-auth-TLSv1.1-require-server
+client = 13-client-auth-TLSv1.1-require-client
+
+[13-client-auth-TLSv1.1-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[13-client-auth-TLSv1.1-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-13]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[14-client-auth-TLSv1.1-noroot]
+ssl_conf = 14-client-auth-TLSv1.1-noroot-ssl
+
+[14-client-auth-TLSv1.1-noroot-ssl]
+server = 14-client-auth-TLSv1.1-noroot-server
+client = 14-client-auth-TLSv1.1-noroot-client
+
+[14-client-auth-TLSv1.1-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.1
+VerifyMode = Require
+
+
+[14-client-auth-TLSv1.1-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-14]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
+# ===========================================================
+
+[15-server-auth-TLSv1.2]
+ssl_conf = 15-server-auth-TLSv1.2-ssl
+
+[15-server-auth-TLSv1.2-ssl]
+server = 15-server-auth-TLSv1.2-server
+client = 15-server-auth-TLSv1.2-client
+
+[15-server-auth-TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+
+
+[15-server-auth-TLSv1.2-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-15]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[16-client-auth-TLSv1.2-request]
+ssl_conf = 16-client-auth-TLSv1.2-request-ssl
+
+[16-client-auth-TLSv1.2-request-ssl]
+server = 16-client-auth-TLSv1.2-request-server
+client = 16-client-auth-TLSv1.2-request-client
+
+[16-client-auth-TLSv1.2-request-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Request
+
+
+[16-client-auth-TLSv1.2-request-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-16]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[17-client-auth-TLSv1.2-require-fail]
+ssl_conf = 17-client-auth-TLSv1.2-require-fail-ssl
+
+[17-client-auth-TLSv1.2-require-fail-ssl]
+server = 17-client-auth-TLSv1.2-require-fail-server
+client = 17-client-auth-TLSv1.2-require-fail-client
+
+[17-client-auth-TLSv1.2-require-fail-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+
+[17-client-auth-TLSv1.2-require-fail-client]
+CipherString = DEFAULT
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-17]
+ExpectedResult = ServerFail
+ServerAlert = HandshakeFailure
+
+
+# ===========================================================
+
+[18-client-auth-TLSv1.2-require]
+ssl_conf = 18-client-auth-TLSv1.2-require-ssl
+
+[18-client-auth-TLSv1.2-require-ssl]
+server = 18-client-auth-TLSv1.2-require-server
+client = 18-client-auth-TLSv1.2-require-client
+
+[18-client-auth-TLSv1.2-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Request
+
+
+[18-client-auth-TLSv1.2-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-18]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[19-client-auth-TLSv1.2-noroot]
+ssl_conf = 19-client-auth-TLSv1.2-noroot-ssl
+
+[19-client-auth-TLSv1.2-noroot-ssl]
+server = 19-client-auth-TLSv1.2-noroot-server
+client = 19-client-auth-TLSv1.2-noroot-client
+
+[19-client-auth-TLSv1.2-noroot-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Protocol = TLSv1.2
+VerifyMode = Require
+
+
+[19-client-auth-TLSv1.2-noroot-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Protocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+
+[test-19]
+ExpectedResult = ServerFail
+ServerAlert = UnknownCA
+
+
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
new file mode 100644
index 0000000..36d13df
--- /dev/null
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -0,0 +1,109 @@
+# -*- mode: perl; -*-
+
+## SSL test configurations
+
+package ssltests;
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+use OpenSSL::Test::Utils qw(anydisabled);
+setup("no_test_here");
+
+# We test version-flexible negotiation (undef) and each protocol version.
+my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
+
+my @is_disabled = (0);
+push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
+
+our @tests = ();
+
+my $dir_sep = $^O ne "VMS" ? "/" : "";
+
+sub generate_tests() {
+
+ foreach (0..$#protocols) {
+ my $protocol = $protocols[$_];
+ my $protocol_name = $protocol || "flex";
+ if (!$is_disabled[$_]) {
+ # Sanity-check simple handshake.
+ push @tests, {
+ name => "server-auth-${protocol_name}",
+ server => {
+ "Protocol" => $protocol
+ },
+ client => {
+ "Protocol" => $protocol
+ },
+ test => { "ExpectedResult" => "Success" },
+ };
+
+ # Handshake with client cert requested but not required or received.
+ push @tests, {
+ name => "client-auth-${protocol_name}-request",
+ server => {
+ "Protocol" => $protocol,
+ "VerifyMode" => "Request",
+ },
+ client => {
+ "Protocol" => $protocol
+ },
+ test => { "ExpectedResult" => "Success" },
+ };
+
+ # Handshake with client cert required but not present.
+ push @tests, {
+ name => "client-auth-${protocol_name}-require-fail",
+ server => {
+ "Protocol" => $protocol,
+ "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "Protocol" => $protocol,
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ServerAlert" => "HandshakeFailure",
+ },
+ };
+
+ # Successful handshake with client authentication.
+ push @tests, {
+ name => "client-auth-${protocol_name}-require",
+ server => {
+ "Protocol" => $protocol,
+ "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyMode" => "Request",
+ },
+ client => {
+ "Protocol" => $protocol,
+ "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+ "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+ },
+ test => { "ExpectedResult" => "Success" },
+ };
+
+ # Handshake with client authentication but without the root certificate.
+ push @tests, {
+ name => "client-auth-${protocol_name}-noroot",
+ server => {
+ "Protocol" => $protocol,
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "Protocol" => $protocol,
+ "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+ "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail",
+ "ServerAlert" => "UnknownCA",
+ },
+ };
+ }
+ }
+}
+
+generate_tests();
More information about the openssl-commits
mailing list