Add some test_ssl_new tests for the ffdhe groups

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21295)
2025-02-17 14:32:04 +08:00 · 2023-06-23 16:01:41 +01:00 · 2023-06-23 16:01:41 +01:00 · 5cd269461a
commit 5cd269461a
parent 01e765f054
2 changed files with 1395 additions and 905 deletions
--- a/test/ssl-tests/14-curves.cnf
+++ b/test/ssl-tests/14-curves.cnf
--- a/test/ssl-tests/14-curves.cnf.in
+++ b/test/ssl-tests/14-curves.cnf.in
@ -15,6 +15,12 @@ our $fips_mode;
 my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519",
              "X448");

+#Curves *only* suitable for use in TLSv1.3
+my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144",
+                      "ffdhe8192");
+
+push @curves, @curves_tls_1_3;
+
 my @curves_tls_1_2 = ("sect233k1", "sect233r1",
              "sect283k1", "sect283r1", "sect409k1", "sect409r1",
              "sect571k1", "sect571r1", "secp224r1");
@ -29,6 +35,19 @@ push @curves_tls_1_2, @curves_non_fips if !$fips_mode;

 our @tests = ();

+sub get_key_type {
+    my $group = shift;
+    my $keyType;
+
+    if ($group =~ /ffdhe/) {
+        $keyType = "dhKeyAgreement";
+    } else {
+        $keyType = $group;
+    }
+
+    return $keyType;
+}
+
 sub generate_tests() {
    foreach (0..$#curves) {
        my $curve = $curves[$_];
@ -44,7 +63,7 @@ sub generate_tests() {
                "Curves" => $curve
            },
            test   => {
-                "ExpectedTmpKeyType" => $curve,
+                "ExpectedTmpKeyType" => get_key_type($curve),
                "ExpectedProtocol" => "TLSv1.3",
                "ExpectedResult" => "Success"
            },
@ -64,7 +83,7 @@ sub generate_tests() {
                "Curves" => $curve
            },
            test   => {
-                "ExpectedTmpKeyType" => $curve,
+                "ExpectedTmpKeyType" => get_key_type($curve),
                "ExpectedProtocol" => "TLSv1.2",
                "ExpectedResult" => "Success"
            },
@ -112,6 +131,47 @@ sub generate_tests() {
            },
        };
    }
+    foreach (0..$#curves_tls_1_3) {
+        my $curve = $curves_tls_1_3[$_];
+        push @tests, {
+            name => "curve-${curve}-tls13-in-tls12",
+            server => {
+                "Curves" => $curve,
+                "CipherString" => 'DEFAULT@SECLEVEL=1',
+                "MaxProtocol" => "TLSv1.3"
+            },
+            client => {
+                "CipherString" => 'ECDHE@SECLEVEL=1',
+                "MaxProtocol" => "TLSv1.2",
+                "Curves" => $curve
+            },
+            test   => {
+                #These curves are only suitable for TLSv1.3 so we expect the
+                #server to fail because it has no shared groups for TLSv1.2
+                #ECDHE key exchange
+                "ExpectedResult" => "ServerFail"
+            },
+        };
+        push @tests, {
+            name => "curve-${curve}-tls13-in-tls12-2",
+            server => {
+                "Curves" => $curve,
+                "CipherString" => 'DEFAULT@SECLEVEL=1',
+                "MaxProtocol" => "TLSv1.2"
+            },
+            client => {
+                "CipherString" => 'DEFAULT@SECLEVEL=1',
+                "MaxProtocol" => "TLSv1.3",
+                "Curves" => $curve
+            },
+            test   => {
+                #These curves are only suitable for TLSv1.3. We expect TLSv1.2
+                #negotiation to succeed because we fall back to some other
+                #ciphersuite
+                "ExpectedResult" => "Success"
+            },
+        };
+    }
 }

 generate_tests();