xref: /freebsd/crypto/openssl/test/ssl-tests/14-curves.cnf.in (revision 95eb4b873b6a8b527c5bd78d7191975dfca38998)
1# -*- mode: perl; -*-
2
3## SSL test configurations
4
5package ssltests;
6
7use strict;
8use warnings;
9
10use OpenSSL::Test;
11use OpenSSL::Test::Utils qw(anydisabled);
12
13our $fips_mode;
14
15my @curves = ("prime256v1", "secp384r1", "secp521r1");
16
17my @curves_no_fips = ("X25519", "X448");
18
19push @curves, @curves_no_fips if !$fips_mode;
20
21#Curves *only* suitable for use in TLSv1.3
22my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144",
23                      "ffdhe8192");
24
25push @curves, @curves_tls_1_3;
26
27my @curves_tls_1_2 = ("sect233k1", "sect233r1",
28              "sect283k1", "sect283r1", "sect409k1", "sect409r1",
29              "sect571k1", "sect571r1", "secp224r1");
30
31my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
32                       "sect163r1", "sect193r1", "sect193r2", "sect239k1",
33                       "secp160k1", "secp160r1", "secp160r2", "secp192k1",
34                       "secp224k1",  "secp256k1", "brainpoolP256r1",
35                       "brainpoolP384r1", "brainpoolP512r1");
36
37push @curves_tls_1_2, @curves_non_fips if !$fips_mode;
38
39our @tests = ();
40
41sub get_key_type {
42    my $group = shift;
43    my $keyType;
44
45    if ($group =~ /ffdhe/) {
46        $keyType = "dhKeyAgreement";
47    } else {
48        $keyType = $group;
49    }
50
51    return $keyType;
52}
53
54sub generate_tests() {
55    foreach (0..$#curves) {
56        my $curve = $curves[$_];
57        push @tests, {
58            name => "curve-${curve}",
59            server => {
60                "Curves" => $curve,
61                "MaxProtocol" => "TLSv1.3"
62            },
63            client => {
64                "CipherString" => "ECDHE",
65                "MaxProtocol" => "TLSv1.3",
66                "Curves" => $curve
67            },
68            test   => {
69                "ExpectedTmpKeyType" => get_key_type($curve),
70                "ExpectedProtocol" => "TLSv1.3",
71                "ExpectedResult" => "Success"
72            },
73        };
74    }
75    foreach (0..$#curves_tls_1_2) {
76        my $curve = $curves_tls_1_2[$_];
77        push @tests, {
78            name => "curve-${curve}",
79            server => {
80                "Curves" => $curve,
81                "MaxProtocol" => "TLSv1.3"
82            },
83            client => {
84                "CipherString" => "ECDHE",
85                "MaxProtocol" => "TLSv1.2",
86                "Curves" => $curve
87            },
88            test   => {
89                "ExpectedTmpKeyType" => get_key_type($curve),
90                "ExpectedProtocol" => "TLSv1.2",
91                "ExpectedResult" => "Success"
92            },
93        };
94    }
95    foreach (0..$#curves_tls_1_2) {
96        my $curve = $curves_tls_1_2[$_];
97        push @tests, {
98            name => "curve-${curve}-tls12-in-tls13",
99            server => {
100                "Curves" => "$curve:P-256",
101                "CipherString" => 'DEFAULT@SECLEVEL=1',
102                "MaxProtocol" => "TLSv1.3"
103            },
104            client => {
105                "CipherString" => 'ECDHE@SECLEVEL=1',
106                "MaxProtocol" => "TLSv1.3",
107                "MinProtocol" => "TLSv1.3",
108                "Curves" => "$curve:P-256"
109            },
110            test   => {
111                #This curve is not allowed in a TLSv1.3 key_share. We should
112                #succeed but fallback to P-256
113                "ExpectedTmpKeyType" => "P-256",
114                "ExpectedProtocol" => "TLSv1.3",
115                "ExpectedResult" => "Success"
116            },
117        };
118    }
119    foreach (0..$#curves_tls_1_2) {
120        my $curve = $curves_tls_1_2[$_];
121        push @tests, {
122            name => "curve-${curve}-tls13",
123            server => {
124                "Curves" => $curve,
125                "MaxProtocol" => "TLSv1.3"
126            },
127            client => {
128                "CipherString" => "ECDHE",
129                "MinProtocol" => "TLSv1.3",
130                "Curves" => $curve
131            },
132            test   => {
133                "ExpectedResult" => "ClientFail"
134            },
135        };
136    }
137    foreach (0..$#curves_tls_1_3) {
138        my $curve = $curves_tls_1_3[$_];
139        push @tests, {
140            name => "curve-${curve}-tls13-in-tls12",
141            server => {
142                "Curves" => $curve,
143                "CipherString" => 'DEFAULT@SECLEVEL=1',
144                "MaxProtocol" => "TLSv1.3"
145            },
146            client => {
147                "CipherString" => 'ECDHE@SECLEVEL=1',
148                "MaxProtocol" => "TLSv1.2",
149                "Curves" => $curve
150            },
151            test   => {
152                #These curves are only suitable for TLSv1.3 so we expect the
153                #server to fail because it has no shared groups for TLSv1.2
154                #ECDHE key exchange
155                "ExpectedResult" => "ServerFail"
156            },
157        };
158        push @tests, {
159            name => "curve-${curve}-tls13-in-tls12-2",
160            server => {
161                "Curves" => $curve,
162                "CipherString" => 'DEFAULT@SECLEVEL=1',
163                "MaxProtocol" => "TLSv1.2"
164            },
165            client => {
166                "CipherString" => 'DEFAULT@SECLEVEL=1',
167                "MaxProtocol" => "TLSv1.3",
168                "Curves" => $curve
169            },
170            test   => {
171                #These curves are only suitable for TLSv1.3. We expect TLSv1.2
172                #negotiation to succeed because we fall back to some other
173                #ciphersuite
174                "ExpectedResult" => "Success"
175            },
176        };
177    }
178}
179
180generate_tests();
181