1# -*- mode: perl; -*- 2 3## SSL test configurations 4 5package ssltests; 6 7use strict; 8use warnings; 9 10use OpenSSL::Test; 11use OpenSSL::Test::Utils; 12 13our $fips_mode; 14our $fips_3_4; 15 16my @curves = ("prime256v1", "secp384r1", "secp521r1"); 17 18my @curves_no_fips = ("X25519", "X448"); 19 20push @curves, @curves_no_fips if !$fips_mode; 21 22#Curves *only* suitable for use in TLSv1.3 23my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", 24 "ffdhe8192"); 25my @curves_tls_1_3_no_fips = ("brainpoolP256r1tls13", "brainpoolP384r1tls13", 26 "brainpoolP512r1tls13"); 27 28push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode; 29push @curves, @curves_tls_1_3; 30 31my @curves_tls_1_2 = (); 32push @curves_tls_1_2, 33 "sect233k1", "sect233r1", "sect283k1", "sect283r1", "sect409k1", 34 "sect409r1", "sect571k1", "sect571r1", "secp224r1" 35 unless ($fips_3_4 || disabled("tls-deprecated-ec")); 36 37my @curves_non_fips = (); 38push @curves_non_fips, 39 "sect163k1", "sect163r2", "prime192v1", "sect163r1", "sect193r1", 40 "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2", 41 "secp192k1", "secp224k1", "secp256k1" 42 unless disabled("tls-deprecated-ec"); 43push @curves_non_fips, 44 "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"; 45 46push @curves_tls_1_2, @curves_non_fips if !$fips_mode; 47 48our @tests = (); 49 50sub get_key_type { 51 my $group = shift; 52 my $keyType; 53 54 if ($group =~ /ffdhe/) { 55 $keyType = "dhKeyAgreement"; 56 } else { 57 $keyType = $group; 58 } 59 60 return $keyType; 61} 62 63sub generate_tests() { 64 foreach (0..$#curves) { 65 my $curve = $curves[$_]; 66 push @tests, { 67 name => "curve-${curve}", 68 server => { 69 "Curves" => $curve, 70 "CipherString" => 'DEFAULT@SECLEVEL=1', 71 "MaxProtocol" => "TLSv1.3" 72 }, 73 client => { 74 "CipherString" => 'ECDHE@SECLEVEL=1', 75 "MaxProtocol" => "TLSv1.3", 76 "Curves" => $curve 77 }, 78 test => { 79 "ExpectedTmpKeyType" => get_key_type($curve), 80 "ExpectedProtocol" => "TLSv1.3", 81 "ExpectedResult" => "Success" 82 }, 83 }; 84 } 85 foreach (0..$#curves_tls_1_2) { 86 my $curve = $curves_tls_1_2[$_]; 87 push @tests, { 88 name => "curve-${curve}", 89 server => { 90 "Curves" => $curve, 91 "CipherString" => 'DEFAULT@SECLEVEL=1', 92 "MaxProtocol" => "TLSv1.3" 93 }, 94 client => { 95 "CipherString" => 'ECDHE@SECLEVEL=1', 96 "MaxProtocol" => "TLSv1.2", 97 "Curves" => $curve 98 }, 99 test => { 100 "ExpectedTmpKeyType" => get_key_type($curve), 101 "ExpectedProtocol" => "TLSv1.2", 102 "ExpectedResult" => "Success" 103 }, 104 }; 105 } 106 foreach (0..$#curves_tls_1_2) { 107 my $curve = $curves_tls_1_2[$_]; 108 push @tests, { 109 name => "curve-${curve}-tls12-in-tls13", 110 server => { 111 "Curves" => "$curve:P-256", 112 "CipherString" => 'DEFAULT@SECLEVEL=1', 113 "MaxProtocol" => "TLSv1.3" 114 }, 115 client => { 116 "CipherString" => 'ECDHE@SECLEVEL=1', 117 "MaxProtocol" => "TLSv1.3", 118 "MinProtocol" => "TLSv1.3", 119 "Curves" => "$curve:P-256" 120 }, 121 test => { 122 #This curve is not allowed in a TLSv1.3 key_share. We should 123 #succeed but fallback to P-256 124 "ExpectedTmpKeyType" => "P-256", 125 "ExpectedProtocol" => "TLSv1.3", 126 "ExpectedResult" => "Success" 127 }, 128 }; 129 } 130 foreach (0..$#curves_tls_1_2) { 131 my $curve = $curves_tls_1_2[$_]; 132 push @tests, { 133 name => "curve-${curve}-tls13", 134 server => { 135 "Curves" => $curve, 136 "CipherString" => 'DEFAULT@SECLEVEL=1', 137 "MaxProtocol" => "TLSv1.3" 138 }, 139 client => { 140 "CipherString" => 'ECDHE@SECLEVEL=1', 141 "MinProtocol" => "TLSv1.3", 142 "Curves" => $curve 143 }, 144 test => { 145 "ExpectedResult" => "ClientFail" 146 }, 147 }; 148 } 149 if (!$fips_3_4) { 150 foreach (0..$#curves_tls_1_3) { 151 my $curve = $curves_tls_1_3[$_]; 152 push @tests, { 153 name => "curve-${curve}-tls13-in-tls12", 154 server => { 155 "Curves" => $curve, 156 "CipherString" => 'DEFAULT@SECLEVEL=1', 157 "MaxProtocol" => "TLSv1.3" 158 }, 159 client => { 160 "CipherString" => 'ECDHE@SECLEVEL=1', 161 "MaxProtocol" => "TLSv1.2", 162 "Curves" => $curve 163 }, 164 test => { 165 #These curves are only suitable for TLSv1.3 so we expect the 166 #server to fail because it has no shared groups for TLSv1.2 167 #ECDHE key exchange 168 "ExpectedResult" => "ServerFail" 169 }, 170 }; 171 push @tests, { 172 name => "curve-${curve}-tls13-in-tls12-2", 173 server => { 174 "Curves" => $curve, 175 "CipherString" => 'DEFAULT@SECLEVEL=1', 176 "MaxProtocol" => "TLSv1.2" 177 }, 178 client => { 179 "CipherString" => 'DEFAULT@SECLEVEL=1', 180 "MaxProtocol" => "TLSv1.3", 181 "Curves" => $curve 182 }, 183 test => { 184 #These curves are only suitable for TLSv1.3. We expect TLSv1.2 185 #negotiation to succeed because we fall back to some other 186 #ciphersuite 187 "ExpectedResult" => "Success" 188 }, 189 }; 190 } 191 } 192} 193 194generate_tests(); 195