14-curves.cnf.in 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182
  1. # -*- mode: perl; -*-
  2. ## SSL test configurations
  3. package ssltests;
  4. use strict;
  5. use warnings;
  6. use OpenSSL::Test;
  7. use OpenSSL::Test::Utils qw(anydisabled);
  8. our $fips_mode;
  9. my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519",
  10. "X448");
  11. #Curves *only* suitable for use in TLSv1.3
  12. my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144",
  13. "ffdhe8192");
  14. my @curves_tls_1_3_no_fips = ("brainpoolP256r1tls13", "brainpoolP384r1tls13",
  15. "brainpoolP512r1tls13");
  16. push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode;
  17. push @curves, @curves_tls_1_3;
  18. my @curves_tls_1_2 = ("sect233k1", "sect233r1",
  19. "sect283k1", "sect283r1", "sect409k1", "sect409r1",
  20. "sect571k1", "sect571r1", "secp224r1");
  21. my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
  22. "sect163r1", "sect193r1", "sect193r2", "sect239k1",
  23. "secp160k1", "secp160r1", "secp160r2", "secp192k1",
  24. "secp224k1", "secp256k1", "brainpoolP256r1",
  25. "brainpoolP384r1", "brainpoolP512r1");
  26. push @curves_tls_1_2, @curves_non_fips if !$fips_mode;
  27. our @tests = ();
  28. sub get_key_type {
  29. my $group = shift;
  30. my $keyType;
  31. if ($group =~ /ffdhe/) {
  32. $keyType = "dhKeyAgreement";
  33. } else {
  34. $keyType = $group;
  35. }
  36. return $keyType;
  37. }
  38. sub generate_tests() {
  39. foreach (0..$#curves) {
  40. my $curve = $curves[$_];
  41. push @tests, {
  42. name => "curve-${curve}",
  43. server => {
  44. "Curves" => $curve,
  45. "CipherString" => 'DEFAULT@SECLEVEL=1',
  46. "MaxProtocol" => "TLSv1.3"
  47. },
  48. client => {
  49. "CipherString" => 'ECDHE@SECLEVEL=1',
  50. "MaxProtocol" => "TLSv1.3",
  51. "Curves" => $curve
  52. },
  53. test => {
  54. "ExpectedTmpKeyType" => get_key_type($curve),
  55. "ExpectedProtocol" => "TLSv1.3",
  56. "ExpectedResult" => "Success"
  57. },
  58. };
  59. }
  60. foreach (0..$#curves_tls_1_2) {
  61. my $curve = $curves_tls_1_2[$_];
  62. push @tests, {
  63. name => "curve-${curve}",
  64. server => {
  65. "Curves" => $curve,
  66. "CipherString" => 'DEFAULT@SECLEVEL=1',
  67. "MaxProtocol" => "TLSv1.3"
  68. },
  69. client => {
  70. "CipherString" => 'ECDHE@SECLEVEL=1',
  71. "MaxProtocol" => "TLSv1.2",
  72. "Curves" => $curve
  73. },
  74. test => {
  75. "ExpectedTmpKeyType" => get_key_type($curve),
  76. "ExpectedProtocol" => "TLSv1.2",
  77. "ExpectedResult" => "Success"
  78. },
  79. };
  80. }
  81. foreach (0..$#curves_tls_1_2) {
  82. my $curve = $curves_tls_1_2[$_];
  83. push @tests, {
  84. name => "curve-${curve}-tls12-in-tls13",
  85. server => {
  86. "Curves" => "$curve:P-256",
  87. "CipherString" => 'DEFAULT@SECLEVEL=1',
  88. "MaxProtocol" => "TLSv1.3"
  89. },
  90. client => {
  91. "CipherString" => 'ECDHE@SECLEVEL=1',
  92. "MaxProtocol" => "TLSv1.3",
  93. "MinProtocol" => "TLSv1.3",
  94. "Curves" => "$curve:P-256"
  95. },
  96. test => {
  97. #This curve is not allowed in a TLSv1.3 key_share. We should
  98. #succeed but fallback to P-256
  99. "ExpectedTmpKeyType" => "P-256",
  100. "ExpectedProtocol" => "TLSv1.3",
  101. "ExpectedResult" => "Success"
  102. },
  103. };
  104. }
  105. foreach (0..$#curves_tls_1_2) {
  106. my $curve = $curves_tls_1_2[$_];
  107. push @tests, {
  108. name => "curve-${curve}-tls13",
  109. server => {
  110. "Curves" => $curve,
  111. "CipherString" => 'DEFAULT@SECLEVEL=1',
  112. "MaxProtocol" => "TLSv1.3"
  113. },
  114. client => {
  115. "CipherString" => 'ECDHE@SECLEVEL=1',
  116. "MinProtocol" => "TLSv1.3",
  117. "Curves" => $curve
  118. },
  119. test => {
  120. "ExpectedResult" => "ClientFail"
  121. },
  122. };
  123. }
  124. foreach (0..$#curves_tls_1_3) {
  125. my $curve = $curves_tls_1_3[$_];
  126. push @tests, {
  127. name => "curve-${curve}-tls13-in-tls12",
  128. server => {
  129. "Curves" => $curve,
  130. "CipherString" => 'DEFAULT@SECLEVEL=1',
  131. "MaxProtocol" => "TLSv1.3"
  132. },
  133. client => {
  134. "CipherString" => 'ECDHE@SECLEVEL=1',
  135. "MaxProtocol" => "TLSv1.2",
  136. "Curves" => $curve
  137. },
  138. test => {
  139. #These curves are only suitable for TLSv1.3 so we expect the
  140. #server to fail because it has no shared groups for TLSv1.2
  141. #ECDHE key exchange
  142. "ExpectedResult" => "ServerFail"
  143. },
  144. };
  145. push @tests, {
  146. name => "curve-${curve}-tls13-in-tls12-2",
  147. server => {
  148. "Curves" => $curve,
  149. "CipherString" => 'DEFAULT@SECLEVEL=1',
  150. "MaxProtocol" => "TLSv1.2"
  151. },
  152. client => {
  153. "CipherString" => 'DEFAULT@SECLEVEL=1',
  154. "MaxProtocol" => "TLSv1.3",
  155. "Curves" => $curve
  156. },
  157. test => {
  158. #These curves are only suitable for TLSv1.3. We expect TLSv1.2
  159. #negotiation to succeed because we fall back to some other
  160. #ciphersuite
  161. "ExpectedResult" => "Success"
  162. },
  163. };
  164. }
  165. }
  166. generate_tests();