2
0

14-curves.cnf.in 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186
  1. # -*- mode: perl; -*-
  2. ## SSL test configurations
  3. package ssltests;
  4. use strict;
  5. use warnings;
  6. use OpenSSL::Test;
  7. use OpenSSL::Test::Utils qw(anydisabled);
  8. our $fips_mode;
  9. my @curves = ("prime256v1", "secp384r1", "secp521r1");
  10. my @curves_no_fips = ("X25519", "X448");
  11. push @curves, @curves_no_fips if !$fips_mode;
  12. #Curves *only* suitable for use in TLSv1.3
  13. my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144",
  14. "ffdhe8192");
  15. my @curves_tls_1_3_no_fips = ("brainpoolP256r1tls13", "brainpoolP384r1tls13",
  16. "brainpoolP512r1tls13");
  17. push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode;
  18. push @curves, @curves_tls_1_3;
  19. my @curves_tls_1_2 = ("sect233k1", "sect233r1",
  20. "sect283k1", "sect283r1", "sect409k1", "sect409r1",
  21. "sect571k1", "sect571r1", "secp224r1");
  22. my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
  23. "sect163r1", "sect193r1", "sect193r2", "sect239k1",
  24. "secp160k1", "secp160r1", "secp160r2", "secp192k1",
  25. "secp224k1", "secp256k1", "brainpoolP256r1",
  26. "brainpoolP384r1", "brainpoolP512r1");
  27. push @curves_tls_1_2, @curves_non_fips if !$fips_mode;
  28. our @tests = ();
  29. sub get_key_type {
  30. my $group = shift;
  31. my $keyType;
  32. if ($group =~ /ffdhe/) {
  33. $keyType = "dhKeyAgreement";
  34. } else {
  35. $keyType = $group;
  36. }
  37. return $keyType;
  38. }
  39. sub generate_tests() {
  40. foreach (0..$#curves) {
  41. my $curve = $curves[$_];
  42. push @tests, {
  43. name => "curve-${curve}",
  44. server => {
  45. "Curves" => $curve,
  46. "CipherString" => 'DEFAULT@SECLEVEL=1',
  47. "MaxProtocol" => "TLSv1.3"
  48. },
  49. client => {
  50. "CipherString" => 'ECDHE@SECLEVEL=1',
  51. "MaxProtocol" => "TLSv1.3",
  52. "Curves" => $curve
  53. },
  54. test => {
  55. "ExpectedTmpKeyType" => get_key_type($curve),
  56. "ExpectedProtocol" => "TLSv1.3",
  57. "ExpectedResult" => "Success"
  58. },
  59. };
  60. }
  61. foreach (0..$#curves_tls_1_2) {
  62. my $curve = $curves_tls_1_2[$_];
  63. push @tests, {
  64. name => "curve-${curve}",
  65. server => {
  66. "Curves" => $curve,
  67. "CipherString" => 'DEFAULT@SECLEVEL=1',
  68. "MaxProtocol" => "TLSv1.3"
  69. },
  70. client => {
  71. "CipherString" => 'ECDHE@SECLEVEL=1',
  72. "MaxProtocol" => "TLSv1.2",
  73. "Curves" => $curve
  74. },
  75. test => {
  76. "ExpectedTmpKeyType" => get_key_type($curve),
  77. "ExpectedProtocol" => "TLSv1.2",
  78. "ExpectedResult" => "Success"
  79. },
  80. };
  81. }
  82. foreach (0..$#curves_tls_1_2) {
  83. my $curve = $curves_tls_1_2[$_];
  84. push @tests, {
  85. name => "curve-${curve}-tls12-in-tls13",
  86. server => {
  87. "Curves" => "$curve:P-256",
  88. "CipherString" => 'DEFAULT@SECLEVEL=1',
  89. "MaxProtocol" => "TLSv1.3"
  90. },
  91. client => {
  92. "CipherString" => 'ECDHE@SECLEVEL=1',
  93. "MaxProtocol" => "TLSv1.3",
  94. "MinProtocol" => "TLSv1.3",
  95. "Curves" => "$curve:P-256"
  96. },
  97. test => {
  98. #This curve is not allowed in a TLSv1.3 key_share. We should
  99. #succeed but fallback to P-256
  100. "ExpectedTmpKeyType" => "P-256",
  101. "ExpectedProtocol" => "TLSv1.3",
  102. "ExpectedResult" => "Success"
  103. },
  104. };
  105. }
  106. foreach (0..$#curves_tls_1_2) {
  107. my $curve = $curves_tls_1_2[$_];
  108. push @tests, {
  109. name => "curve-${curve}-tls13",
  110. server => {
  111. "Curves" => $curve,
  112. "CipherString" => 'DEFAULT@SECLEVEL=1',
  113. "MaxProtocol" => "TLSv1.3"
  114. },
  115. client => {
  116. "CipherString" => 'ECDHE@SECLEVEL=1',
  117. "MinProtocol" => "TLSv1.3",
  118. "Curves" => $curve
  119. },
  120. test => {
  121. "ExpectedResult" => "ClientFail"
  122. },
  123. };
  124. }
  125. foreach (0..$#curves_tls_1_3) {
  126. my $curve = $curves_tls_1_3[$_];
  127. push @tests, {
  128. name => "curve-${curve}-tls13-in-tls12",
  129. server => {
  130. "Curves" => $curve,
  131. "CipherString" => 'DEFAULT@SECLEVEL=1',
  132. "MaxProtocol" => "TLSv1.3"
  133. },
  134. client => {
  135. "CipherString" => 'ECDHE@SECLEVEL=1',
  136. "MaxProtocol" => "TLSv1.2",
  137. "Curves" => $curve
  138. },
  139. test => {
  140. #These curves are only suitable for TLSv1.3 so we expect the
  141. #server to fail because it has no shared groups for TLSv1.2
  142. #ECDHE key exchange
  143. "ExpectedResult" => "ServerFail"
  144. },
  145. };
  146. push @tests, {
  147. name => "curve-${curve}-tls13-in-tls12-2",
  148. server => {
  149. "Curves" => $curve,
  150. "CipherString" => 'DEFAULT@SECLEVEL=1',
  151. "MaxProtocol" => "TLSv1.2"
  152. },
  153. client => {
  154. "CipherString" => 'DEFAULT@SECLEVEL=1',
  155. "MaxProtocol" => "TLSv1.3",
  156. "Curves" => $curve
  157. },
  158. test => {
  159. #These curves are only suitable for TLSv1.3. We expect TLSv1.2
  160. #negotiation to succeed because we fall back to some other
  161. #ciphersuite
  162. "ExpectedResult" => "Success"
  163. },
  164. };
  165. }
  166. }
  167. generate_tests();