1# -*- mode: perl; -*-
2
3## SSL test configurations
4
5package ssltests;
6
7use strict;
8use warnings;
9
10use OpenSSL::Test;
11use OpenSSL::Test::Utils qw(anydisabled);
12
# Set by the harness when the tests run against the FIPS provider. It gates
# every group below that is not FIPS-approved: such groups are simply left
# out of the lists, so no test case is generated for them.
our $fips_mode;

# Groups that can be negotiated at both TLSv1.2 and TLSv1.3. The first loop
# in generate_tests() exercises every entry at TLSv1.3.
my @curves = qw(prime256v1 secp384r1 secp521r1);
unless ($fips_mode) {
    push @curves, qw(X25519 X448);
}

# Groups *only* suitable for use in TLSv1.3 (no TLSv1.2 ECDHE key exchange
# exists for them); they are appended to @curves as well.
my @curves_tls_1_3 = qw(ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192);
unless ($fips_mode) {
    push @curves_tls_1_3,
        qw(brainpoolP256r1tls13 brainpoolP384r1tls13 brainpoolP512r1tls13);
}
push @curves, @curves_tls_1_3;

# Groups *only* suitable for use in TLSv1.2. The non-FIPS tail is made up of
# legacy groups; the test cases pin both peers to SECLEVEL=1 so that they
# remain negotiable at all (test-only setting, not a production one).
my @curves_tls_1_2 = qw(
    sect233k1 sect233r1
    sect283k1 sect283r1 sect409k1 sect409r1
    sect571k1 sect571r1 secp224r1
);
unless ($fips_mode) {
    push @curves_tls_1_2, qw(
        sect163k1 sect163r2 prime192v1
        sect163r1 sect193r1 sect193r2 sect239k1
        secp160k1 secp160r1 secp160r2 secp192k1
        secp224k1 secp256k1 brainpoolP256r1
        brainpoolP384r1 brainpoolP512r1
    );
}

# Filled in by generate_tests(); read by the ssl-tests harness.
our @tests = ();
43
# Translate a group name into the value expected in ExpectedTmpKeyType.
# FFDHE groups are reported by the test driver as "dhKeyAgreement"; every
# other group is reported under its own name.
#
# Arguments: the group name (string). Returns the key type string.
sub get_key_type {
    my ($group) = @_;

    return $group =~ /ffdhe/ ? "dhKeyAgreement" : $group;
}
56
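# Populate the package global @tests with one ssl_test case per group.
#
# Families of cases produced (<g> is the group name):
#   curve-<g>                  every entry of @curves negotiated at TLSv1.3
#   curve-<g>                  every TLSv1.2-only group negotiated at TLSv1.2
#   curve-<g>-tls12-in-tls13   TLSv1.2-only group offered next to P-256 by a
#                              TLSv1.3-only client; P-256 must be selected
#   curve-<g>-tls13            TLSv1.2-only group alone with a TLSv1.3-only
#                              client; must fail on the client side
#   curve-<g>-tls13-in-tls12   TLSv1.3-only group with a TLSv1.2 client;
#                              the server must fail (no shared ECDHE group)
#   curve-<g>-tls13-in-tls12-2 TLSv1.3-only group with a TLSv1.2 server;
#                              must succeed via a non-ECDHE ciphersuite
#
# Both peers are pinned to SECLEVEL=1 in every case so that the legacy
# groups in the non-FIPS lists (several of which the default security level
# would refuse) can be negotiated at all. This is a test-only setting and
# must not be read as a recommended configuration.
#
# Takes no arguments and returns nothing; it appends to @tests. The empty
# prototype the sub used to carry has been dropped: prototypes alter parsing,
# not argument validation, and the sole call site passes no arguments.
sub generate_tests {
    # Every group in @curves, including the TLSv1.3-only ones appended to it,
    # must negotiate TLSv1.3 and show up as the temporary key type.
    for my $curve (@curves) {
        push @tests, {
            name => "curve-${curve}",
            server => {
                "Curves" => $curve,
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3"
            },
            client => {
                "CipherString" => 'ECDHE@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3",
                "Curves" => $curve
            },
            test   => {
                "ExpectedTmpKeyType" => get_key_type($curve),
                "ExpectedProtocol" => "TLSv1.3",
                "ExpectedResult" => "Success"
            },
        };
    }

    # TLSv1.2-only groups: the client caps itself at TLSv1.2, so the group
    # is usable and must be the one reported.
    for my $curve (@curves_tls_1_2) {
        push @tests, {
            name => "curve-${curve}",
            server => {
                "Curves" => $curve,
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3"
            },
            client => {
                "CipherString" => 'ECDHE@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.2",
                "Curves" => $curve
            },
            test   => {
                "ExpectedTmpKeyType" => get_key_type($curve),
                "ExpectedProtocol" => "TLSv1.2",
                "ExpectedResult" => "Success"
            },
        };
    }

    # TLSv1.2-only group listed first, P-256 second, with TLSv1.3 forced on
    # the client. The TLSv1.2-only group is not allowed in a TLSv1.3
    # key_share, so the handshake must succeed on P-256 instead.
    for my $curve (@curves_tls_1_2) {
        push @tests, {
            name => "curve-${curve}-tls12-in-tls13",
            server => {
                "Curves" => "$curve:P-256",
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3"
            },
            client => {
                "CipherString" => 'ECDHE@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3",
                "MinProtocol" => "TLSv1.3",
                "Curves" => "$curve:P-256"
            },
            test   => {
                "ExpectedTmpKeyType" => "P-256",
                "ExpectedProtocol" => "TLSv1.3",
                "ExpectedResult" => "Success"
            },
        };
    }

    # TLSv1.2-only group as the *only* group, with TLSv1.3 forced on the
    # client: the client has nothing it may put in a key_share, so the
    # failure is expected on the client side.
    for my $curve (@curves_tls_1_2) {
        push @tests, {
            name => "curve-${curve}-tls13",
            server => {
                "Curves" => $curve,
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3"
            },
            client => {
                "CipherString" => 'ECDHE@SECLEVEL=1',
                "MinProtocol" => "TLSv1.3",
                "Curves" => $curve
            },
            test   => {
                "ExpectedResult" => "ClientFail"
            },
        };
    }

    # TLSv1.3-only groups used in a TLSv1.2 handshake, from both directions.
    for my $curve (@curves_tls_1_3) {
        # Client is capped at TLSv1.2 and only offers ECDHE ciphersuites:
        # the server has no shared group for a TLSv1.2 ECDHE key exchange
        # and is expected to fail.
        push @tests, {
            name => "curve-${curve}-tls13-in-tls12",
            server => {
                "Curves" => $curve,
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3"
            },
            client => {
                "CipherString" => 'ECDHE@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.2",
                "Curves" => $curve
            },
            test   => {
                "ExpectedResult" => "ServerFail"
            },
        };
        # Server is capped at TLSv1.2 and the client uses the DEFAULT cipher
        # list (not ECDHE-only): the TLSv1.3-only group is unusable, but
        # TLSv1.2 negotiation is expected to succeed by falling back to some
        # other ciphersuite.
        push @tests, {
            name => "curve-${curve}-tls13-in-tls12-2",
            server => {
                "Curves" => $curve,
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.2"
            },
            client => {
                "CipherString" => 'DEFAULT@SECLEVEL=1',
                "MaxProtocol" => "TLSv1.3",
                "Curves" => $curve
            },
            test   => {
                "ExpectedResult" => "Success"
            },
        };
    }
}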
185
# Build the test list at load time; the harness reads @ssltests::tests.
generate_tests();
187