# -*- mode: perl; -*-

## SSL test configurations
##
## Builds one handshake test case per key-exchange group and appends it to
## @tests. Each case pins the group list on both peers and states the
## expected protocol version, temporary key type and handshake result.

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);

# Declared here but never assigned in this file; presumably set by the
# harness that loads this configuration -- TODO confirm against the caller.
our $fips_mode;

# Groups exercised with both peers allowed up to TLSv1.3.
my @curves = qw(prime256v1 secp384r1 secp521r1);

# Added to @curves only when FIPS mode is off.
my @curves_no_fips = qw(X25519 X448);

unless ($fips_mode) {
    push @curves, @curves_no_fips;
}

# Groups *only* suitable for use in TLSv1.3. Despite the "curves" naming
# these are the ffdhe* finite-field groups; get_key_type() reports them as
# "dhKeyAgreement".
my @curves_tls_1_3 = qw(ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192);

push @curves, @curves_tls_1_3;

# Groups that the tests below expect to work in TLSv1.2 but not in a
# TLSv1.3 key_share.
my @curves_tls_1_2 = qw(
    sect233k1 sect233r1
    sect283k1 sect283r1 sect409k1 sect409r1
    sect571k1 sect571r1 secp224r1
);

# Further TLSv1.2-only groups, appended to @curves_tls_1_2 only when FIPS
# mode is off. Not to be confused with @curves_no_fips above.
my @curves_non_fips = qw(
    sect163k1 sect163r2 prime192v1
    sect163r1 sect193r1 sect193r2 sect239k1
    secp160k1 secp160r1 secp160r2 secp192k1
    secp224k1 secp256k1 brainpoolP256r1
    brainpoolP384r1 brainpoolP512r1
);

unless ($fips_mode) {
    push @curves_tls_1_2, @curves_non_fips;
}

our @tests = ();

# Map a group name to the value used for ExpectedTmpKeyType: any name
# containing "ffdhe" becomes "dhKeyAgreement", every other name is returned
# unchanged.
sub get_key_type {
    my ($group) = @_;

    return $group =~ /ffdhe/ ? "dhKeyAgreement" : $group;
}

# Append every test case to @tests. The order of the loops, and of the
# entries inside each list, is the order of the resulting test cases.
sub generate_tests() {
    # Both peers offer exactly one group and may go up to TLSv1.3; the
    # handshake must complete at TLSv1.3 using that group.
    for my $curve (@curves) {
        push @tests, {
            name   => "curve-${curve}",
            server => {
                Curves      => $curve,
                MaxProtocol => 'TLSv1.3',
            },
            client => {
                CipherString => 'ECDHE',
                MaxProtocol  => 'TLSv1.3',
                Curves       => $curve,
            },
            test => {
                ExpectedTmpKeyType => get_key_type($curve),
                ExpectedProtocol   => 'TLSv1.3',
                ExpectedResult     => 'Success',
            },
        };
    }

    # Client is capped at TLSv1.2 while the server still allows TLSv1.3;
    # the handshake must settle on TLSv1.2 with the requested group.
    for my $curve (@curves_tls_1_2) {
        push @tests, {
            name   => "curve-${curve}",
            server => {
                Curves      => $curve,
                MaxProtocol => 'TLSv1.3',
            },
            client => {
                CipherString => 'ECDHE',
                MaxProtocol  => 'TLSv1.2',
                Curves       => $curve,
            },
            test => {
                ExpectedTmpKeyType => get_key_type($curve),
                ExpectedProtocol   => 'TLSv1.2',
                ExpectedResult     => 'Success',
            },
        };
    }

    # TLSv1.3-only client that lists a TLSv1.2-only group ahead of P-256.
    # NOTE(review): @SECLEVEL=1 lowers the security level for these cases,
    # presumably so the smaller groups are not filtered out before group
    # selection is exercised -- confirm; it is a test-only setting.
    for my $curve (@curves_tls_1_2) {
        push @tests, {
            name   => "curve-${curve}-tls12-in-tls13",
            server => {
                Curves       => "${curve}:P-256",
                CipherString => 'DEFAULT@SECLEVEL=1',
                MaxProtocol  => 'TLSv1.3',
            },
            client => {
                CipherString => 'ECDHE@SECLEVEL=1',
                MaxProtocol  => 'TLSv1.3',
                MinProtocol  => 'TLSv1.3',
                Curves       => "${curve}:P-256",
            },
            test => {
                # The first group is not allowed in a TLSv1.3 key_share,
                # so the handshake should still succeed by falling back to
                # P-256 rather than using the listed group.
                ExpectedTmpKeyType => 'P-256',
                ExpectedProtocol   => 'TLSv1.3',
                ExpectedResult     => 'Success',
            },
        };
    }

    # Client insists on TLSv1.3 and offers only a TLSv1.2-only group, with
    # no fallback group listed: the client side is expected to fail.
    for my $curve (@curves_tls_1_2) {
        push @tests, {
            name   => "curve-${curve}-tls13",
            server => {
                Curves      => $curve,
                MaxProtocol => 'TLSv1.3',
            },
            client => {
                CipherString => 'ECDHE',
                MinProtocol  => 'TLSv1.3',
                Curves       => $curve,
            },
            test => {
                ExpectedResult => 'ClientFail',
            },
        };
    }

    # Two cases per TLSv1.3-only group, each with one peer capped at
    # TLSv1.2.
    for my $curve (@curves_tls_1_3) {
        push @tests, {
            name   => "curve-${curve}-tls13-in-tls12",
            server => {
                Curves       => $curve,
                CipherString => 'DEFAULT@SECLEVEL=1',
                MaxProtocol  => 'TLSv1.3',
            },
            client => {
                CipherString => 'ECDHE@SECLEVEL=1',
                MaxProtocol  => 'TLSv1.2',
                Curves       => $curve,
            },
            test => {
                # The client only accepts ECDHE and is limited to TLSv1.2,
                # where these groups are unusable, so the server is
                # expected to fail for lack of a shared group.
                ExpectedResult => 'ServerFail',
            },
        };
        push @tests, {
            name   => "curve-${curve}-tls13-in-tls12-2",
            server => {
                Curves       => $curve,
                CipherString => 'DEFAULT@SECLEVEL=1',
                MaxProtocol  => 'TLSv1.2',
            },
            client => {
                CipherString => 'DEFAULT@SECLEVEL=1',
                MaxProtocol  => 'TLSv1.3',
                Curves       => $curve,
            },
            test => {
                # Here the client's cipher string is DEFAULT rather than
                # ECDHE-only, so TLSv1.2 negotiation is expected to succeed
                # by falling back to some other ciphersuite.
                ExpectedResult => 'Success',
            },
        };
    }
}

generate_tests();