summaryrefslogtreecommitdiffstats
path: root/test/ssl_test_ctx.h
blob: 4e8d3df4ac5451f333e1d858dbb9e981b014f566 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
/*
 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#ifndef OSSL_TEST_SSL_TEST_CTX_H
#define OSSL_TEST_SSL_TEST_CTX_H

#include <openssl/conf.h>
#include <openssl/ssl.h>

typedef enum {
    SSL_TEST_SUCCESS = 0,  /* Default */
    SSL_TEST_SERVER_FAIL,
    SSL_TEST_CLIENT_FAIL,
    SSL_TEST_INTERNAL_ERROR,
    /* Couldn't test resumption/renegotiation: original handshake failed. */
    SSL_TEST_FIRST_HANDSHAKE_FAILED
} ssl_test_result_t;

typedef enum {
    SSL_TEST_VERIFY_NONE = 0, /* Default */
    SSL_TEST_VERIFY_ACCEPT_ALL,
    SSL_TEST_VERIFY_REJECT_ALL
} ssl_verify_callback_t;

typedef enum {
    SSL_TEST_SERVERNAME_NONE = 0, /* Default */
    SSL_TEST_SERVERNAME_SERVER1,
    SSL_TEST_SERVERNAME_SERVER2,
    SSL_TEST_SERVERNAME_INVALID
} ssl_servername_t;

typedef enum {
    SSL_TEST_SERVERNAME_CB_NONE = 0,  /* Default */
    SSL_TEST_SERVERNAME_IGNORE_MISMATCH,
    SSL_TEST_SERVERNAME_REJECT_MISMATCH,
    SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH,
    SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH,
    SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12
} ssl_servername_callback_t;

typedef enum {
    SSL_TEST_SESSION_TICKET_IGNORE = 0, /* Default */
    SSL_TEST_SESSION_TICKET_YES,
    SSL_TEST_SESSION_TICKET_NO,
    SSL_TEST_SESSION_TICKET_BROKEN /* Special test */
} ssl_session_ticket_t;

typedef enum {
    SSL_TEST_COMPRESSION_NO = 0, /* Default */
    SSL_TEST_COMPRESSION_YES
} ssl_compression_t;

typedef enum {
    SSL_TEST_SESSION_ID_IGNORE = 0, /* Default */
    SSL_TEST_SESSION_ID_YES,
    SSL_TEST_SESSION_ID_NO
} ssl_session_id_t;

typedef enum {
    SSL_TEST_METHOD_TLS = 0, /* Default */
    SSL_TEST_METHOD_DTLS
} ssl_test_method_t;

typedef enum {
    SSL_TEST_HANDSHAKE_SIMPLE = 0, /* Default */
    SSL_TEST_HANDSHAKE_RESUME,
    SSL_TEST_HANDSHAKE_RENEG_SERVER,
    SSL_TEST_HANDSHAKE_RENEG_CLIENT,
    SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER,
    SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT,
    SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH
} ssl_handshake_mode_t;

typedef enum {
    SSL_TEST_CT_VALIDATION_NONE = 0, /* Default */
    SSL_TEST_CT_VALIDATION_PERMISSIVE,
    SSL_TEST_CT_VALIDATION_STRICT
} ssl_ct_validation_t;

typedef enum {
    SSL_TEST_CERT_STATUS_NONE = 0, /* Default */
    SSL_TEST_CERT_STATUS_GOOD_RESPONSE,
    SSL_TEST_CERT_STATUS_BAD_RESPONSE
} ssl_cert_status_t;

/*
 * Server/client settings that aren't supported by the SSL CONF library,
 * such as callbacks.
 */
typedef struct {
    /* One of a number of predefined custom callbacks. */
    ssl_verify_callback_t verify_callback;
    /* One of a number of predefined server names use by the client */
    ssl_servername_t servername;
    /* Maximum Fragment Length extension mode */
    int max_fragment_len_mode;
    /* Supported NPN and ALPN protocols. A comma-separated list. */
    char *npn_protocols;
    char *alpn_protocols;
    ssl_ct_validation_t ct_validation;
    /* Ciphersuites to set on a renegotiation */
    char *reneg_ciphers;
    char *srp_user;
    char *srp_password;
    /* PHA enabled */
    int enable_pha;
    /* Do not send extms on renegotiation */
    int no_extms_on_reneg;
} SSL_TEST_CLIENT_CONF;

typedef struct {
    /* SNI callback (server-side). */
    ssl_servername_callback_t servername_callback;
    /* Supported NPN and ALPN protocols. A comma-separated list. */
    char *npn_protocols;
    char *alpn_protocols;
    /* Whether to set a broken session ticket callback. */
    int broken_session_ticket;
    /* Should we send a CertStatus message? */
    ssl_cert_status_t cert_status;
    /* An SRP user known to the server. */
    char *srp_user;
    char *srp_password;
    /* Forced PHA */
    int force_pha;
    char *session_ticket_app_data;
} SSL_TEST_SERVER_CONF;

typedef struct {
    SSL_TEST_CLIENT_CONF client;
    SSL_TEST_SERVER_CONF server;
    SSL_TEST_SERVER_CONF server2;
} SSL_TEST_EXTRA_CONF;

typedef struct {
    /*
     * Global test configuration. Does not change between handshakes.
     */
    /* Whether the server/client CTX should use DTLS or TLS. */
    ssl_test_method_t method;
    /* Whether to test a resumed/renegotiated handshake. */
    ssl_handshake_mode_t handshake_mode;
    /*
     * How much application data to exchange (default is 256 bytes).
     * Both peers will send |app_data_size| bytes interleaved.
     */
    int app_data_size;
    /* Maximum send fragment size. */
    int max_fragment_size;
    /* KeyUpdate type */
    int key_update_type;

    /*
     * Extra server/client configurations. Per-handshake.
     */
    /* First handshake. */
    SSL_TEST_EXTRA_CONF extra;
    /* Resumed handshake. */
    SSL_TEST_EXTRA_CONF resume_extra;

    /*
     * Test expectations. These apply to the LAST handshake.
     */
    /* Defaults to SUCCESS. */
    ssl_test_result_t expected_result;
    /* Alerts. 0 if no expectation. */
    /* See ssl.h for alert codes. */
    /* Alert sent by the client / received by the server. */
    int expected_client_alert;
    /* Alert sent by the server / received by the client. */
    int expected_server_alert;
    /* Negotiated protocol version. 0 if no expectation. */
    /* See ssl.h for protocol versions. */
    int expected_protocol;
    /*
     * The expected SNI context to use.
     * We test server-side that the server switched to the expected context.
     * Set by the callback upon success, so if the callback wasn't called or
     * terminated with an alert, the servername will match with
     * SSL_TEST_SERVERNAME_NONE.
     * Note: in the event that the servername was accepted, the client should
     * also receive an empty SNI extension back but we have no way of probing
     * client-side via the API that this was the case.
     */
    ssl_servername_t expected_servername;
    ssl_session_ticket_t session_ticket_expected;
    int compression_expected;
    /* The expected NPN/ALPN protocol to negotiate. */
    char *expected_npn_protocol;
    char *expected_alpn_protocol;
    /* Whether the second handshake is resumed or a full handshake (boolean). */
    int resumption_expected;
    /* Expected temporary key type */
    int expected_tmp_key_type;
    /* Expected server certificate key type */
    int expected_server_cert_type;
    /* Expected server signing hash */
    int expected_server_sign_hash;
    /* Expected server signature type */
    int expected_server_sign_type;
    /* Expected server CA names */
    STACK_OF(X509_NAME) *expected_server_ca_names;
    /* Expected client certificate key type */
    int expected_client_cert_type;
    /* Expected client signing hash */
    int expected_client_sign_hash;
    /* Expected client signature type */
    int expected_client_sign_type;
    /* Expected CA names for client auth */
    STACK_OF(X509_NAME) *expected_client_ca_names;
    /* Whether to use SCTP for the transport */
    int use_sctp;
    /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on client side */
    int enable_client_sctp_label_bug;
    /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on server side */
    int enable_server_sctp_label_bug;
    /* Whether to expect a session id from the server */
    ssl_session_id_t session_id_expected;
    char *expected_cipher;
    /* Expected Session Ticket Application Data */
    char *expected_session_ticket_app_data;

    OSSL_LIB_CTX *libctx;
} SSL_TEST_CTX;

const char *ssl_test_result_name(ssl_test_result_t result);
const char *ssl_alert_name(int alert);
const char *ssl_protocol_name(int protocol);
const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback);
const char *ssl_servername_name(ssl_servername_t server);
const char *ssl_servername_callback_name(ssl_servername_callback_t
                                         servername_callback);
const char *ssl_session_ticket_name(ssl_session_ticket_t server);
const char *ssl_session_id_name(ssl_session_id_t server);
const char *ssl_test_method_name(ssl_test_method_t method);
const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode);
const char *ssl_ct_validation_name(ssl_ct_validation_t mode);
const char *ssl_certstatus_name(ssl_cert_status_t cert_status);
const char *ssl_max_fragment_len_name(int MFL_mode);

/*
 * Load the test case context from |conf|.
 * See test/README.ssltest.md for details on the conf file format.
 */
SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section,
                                  OSSL_LIB_CTX *libctx);

SSL_TEST_CTX *SSL_TEST_CTX_new(OSSL_LIB_CTX *libctx);

void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx);

#endif  /* OSSL_TEST_SSL_TEST_CTX_H */