2018-10-12 23:24:14 +08:00
|
|
|
# -*- mode: perl; -*-
|
2020-04-23 20:55:52 +08:00
|
|
|
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
2018-10-12 23:24:14 +08:00
|
|
|
#
|
2018-12-06 20:05:25 +08:00
|
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
2018-10-12 23:24:14 +08:00
|
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
|
|
# in the file LICENSE in the source distribution or at
|
|
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
|
|
|
|
|
|
|
|
## SSL test configurations
|
|
|
|
|
|
|
|
package ssltests;
|
2018-11-12 22:23:07 +08:00
|
|
|
use OpenSSL::Test::Utils;
|
2018-10-12 23:24:14 +08:00
|
|
|
|
2020-04-08 00:03:19 +08:00
|
|
|
our $fips_mode;
|
|
|
|
|
2018-10-12 23:24:14 +08:00
|
|
|
our @tests = (
|
|
|
|
{
|
|
|
|
name => "SECLEVEL 3 with default key",
|
|
|
|
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
|
|
|
|
client => { },
|
|
|
|
test => { "ExpectedResult" => "ServerFail" },
|
|
|
|
},
|
2018-11-12 22:23:07 +08:00
|
|
|
);
|
|
|
|
|
|
|
|
our @tests_ec = (
|
2018-10-12 23:24:14 +08:00
|
|
|
{
|
2020-02-10 02:28:15 +08:00
|
|
|
name => "SECLEVEL 4 with ED448 key",
|
|
|
|
server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
|
2018-10-12 23:24:14 +08:00
|
|
|
"Certificate" => test_pem("server-ed448-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("server-ed448-key.pem") },
|
2020-02-10 02:28:15 +08:00
|
|
|
client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
|
|
|
|
"VerifyCAFile" => test_pem("root-ed448-cert.pem") },
|
2018-10-12 23:24:14 +08:00
|
|
|
test => { "ExpectedResult" => "Success" },
|
|
|
|
},
|
2020-02-10 02:28:15 +08:00
|
|
|
{
|
|
|
|
# The Ed488 signature algorithm will not be enabled.
|
|
|
|
# Because of the config order, the certificate is first loaded, and
|
|
|
|
# then the security level is chaged. If you try this with s_server
|
|
|
|
# the order will be reversed and it will instead fail to load the key.
|
|
|
|
name => "SECLEVEL 5 server with ED448 key",
|
|
|
|
server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
|
|
|
|
"Certificate" => test_pem("server-ed448-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("server-ed448-key.pem") },
|
|
|
|
client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
|
|
|
|
"VerifyCAFile" => test_pem("root-ed448-cert.pem") },
|
|
|
|
test => { "ExpectedResult" => "ServerFail" },
|
|
|
|
},
|
|
|
|
{
|
|
|
|
# The client will not sent the Ed488 signature algorithm, so the server
|
|
|
|
# doesn't have a useable signature algorithm for the certificate.
|
|
|
|
name => "SECLEVEL 5 client with ED448 key",
|
|
|
|
server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
|
|
|
|
"Certificate" => test_pem("server-ed448-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("server-ed448-key.pem") },
|
|
|
|
client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
|
|
|
|
"VerifyCAFile" => test_pem("root-ed448-cert.pem") },
|
|
|
|
test => { "ExpectedResult" => "ServerFail" },
|
|
|
|
},
|
2018-10-12 23:24:14 +08:00
|
|
|
{
|
|
|
|
name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
|
|
|
|
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
|
|
|
|
"Certificate" => test_pem("p384-server-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("p384-server-key.pem"),
|
|
|
|
"Groups" => "X25519" },
|
|
|
|
client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
|
|
|
|
"VerifyCAFile" => test_pem("p384-root.pem") },
|
|
|
|
test => { "ExpectedResult" => "Success" },
|
|
|
|
},
|
|
|
|
);
|
2018-11-12 22:23:07 +08:00
|
|
|
|
|
|
|
our @tests_tls1_2 = (
|
|
|
|
{
|
|
|
|
name => "SECLEVEL 3 with ED448 key, TLSv1.2",
|
|
|
|
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
|
|
|
|
"Certificate" => test_pem("server-ed448-cert.pem"),
|
|
|
|
"PrivateKey" => test_pem("server-ed448-key.pem"),
|
|
|
|
"MaxProtocol" => "TLSv1.2" },
|
2020-01-03 06:16:30 +08:00
|
|
|
client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
|
2018-11-12 22:23:07 +08:00
|
|
|
test => { "ExpectedResult" => "Success" },
|
|
|
|
},
|
|
|
|
);
|
|
|
|
|
2020-04-08 00:03:19 +08:00
|
|
|
#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
|
|
|
|
push @tests, @tests_ec unless disabled("ec") || $fips_mode;
|
|
|
|
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;
|