# -*- mode: perl; -*-

## SSL test configurations
##
## (EC)DHE group negotiation tests.  Every supported group is exercised on
## its own, and groups that are only legal in one protocol version are
## checked to be refused, or silently skipped, in the other.

package ssltests;

use strict;
use warnings;

use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);

# Never assigned here: the loader is expected to set it before this file is
# evaluated.  When true, the non-FIPS group list below is left out.
our $fips_mode;

# Groups negotiable at both TLSv1.2 and TLSv1.3.
my @curves = qw(prime256v1 secp384r1 secp521r1 X25519 X448);

# Groups *only* suitable for use in TLSv1.3.
my @curves_tls_1_3 = qw(ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192);

# The TLSv1.3-only groups still get the plain "curve-<name>" TLSv1.3 test, so
# they are appended to the general list.
push @curves, @curves_tls_1_3;

# Groups that TLSv1.3 does not accept in a key_share; they may only be
# negotiated at TLSv1.2.
my @curves_tls_1_2 = qw(sect233k1 sect233r1 sect283k1 sect283r1 sect409k1
                        sect409r1 sect571k1 sect571r1 secp224r1);

# Further TLSv1.2-only groups that are unavailable in a FIPS build.
my @curves_non_fips = qw(sect163k1 sect163r2 prime192v1 sect163r1 sect193r1
                         sect193r2 sect239k1 secp160k1 secp160r1 secp160r2
                         secp192k1 secp224k1 secp256k1 brainpoolP256r1
                         brainpoolP384r1 brainpoolP512r1);

push @curves_tls_1_2, @curves_non_fips unless $fips_mode;

# Accumulated by generate_tests(); package-visible so the loader can read it.
our @tests = ();

# Map a group name to the temporary-key type the framework is expected to
# report: FFDHE groups show up as a DH key, every other group under its own
# name.  The match is deliberately unanchored to mirror the original check.
sub get_key_type {
    my ($group) = @_;

    return "dhKeyAgreement" if $group =~ /ffdhe/;
    return $group;
}

# Assemble one test record from its four parts.  Kept private; the public
# entry point is generate_tests().
sub _group_test {
    my ($name, $server, $client, $expect) = @_;

    return {
        name   => $name,
        server => $server,
        client => $client,
        test   => $expect,
    };
}

# Populate @tests.  Record order matters (the generated configuration numbers
# tests in this order), so the loops below are kept in the original sequence.
sub generate_tests() {
    # Every group negotiates at TLSv1.3 when both peers allow it.
    for my $group (@curves) {
        push @tests, _group_test(
            "curve-${group}",
            { "Curves" => $group, "MaxProtocol" => "TLSv1.3" },
            { "CipherString" => "ECDHE", "MaxProtocol" => "TLSv1.3",
              "Curves" => $group },
            { "ExpectedTmpKeyType" => get_key_type($group),
              "ExpectedProtocol" => "TLSv1.3",
              "ExpectedResult" => "Success" },
        );
    }

    # TLSv1.2-only groups negotiate when the client caps itself at TLSv1.2,
    # even though the server would have accepted TLSv1.3.
    for my $group (@curves_tls_1_2) {
        push @tests, _group_test(
            "curve-${group}",
            { "Curves" => $group, "MaxProtocol" => "TLSv1.3" },
            { "CipherString" => "ECDHE", "MaxProtocol" => "TLSv1.2",
              "Curves" => $group },
            { "ExpectedTmpKeyType" => get_key_type($group),
              "ExpectedProtocol" => "TLSv1.2",
              "ExpectedResult" => "Success" },
        );
    }

    # A TLSv1.2-only group is not allowed in a TLSv1.3 key_share.  With P-256
    # offered as well the handshake should still succeed, falling back to
    # P-256 for the temporary key.
    # NOTE(review): SECLEVEL=1 on both peers is presumably there so the
    # smaller groups are not refused by the default security level; confirm.
    for my $group (@curves_tls_1_2) {
        push @tests, _group_test(
            "curve-${group}-tls12-in-tls13",
            { "Curves" => "$group:P-256",
              "CipherString" => 'DEFAULT@SECLEVEL=1',
              "MaxProtocol" => "TLSv1.3" },
            { "CipherString" => 'ECDHE@SECLEVEL=1',
              "MaxProtocol" => "TLSv1.3",
              "MinProtocol" => "TLSv1.3",
              "Curves" => "$group:P-256" },
            { "ExpectedTmpKeyType" => "P-256",
              "ExpectedProtocol" => "TLSv1.3",
              "ExpectedResult" => "Success" },
        );
    }

    # With nothing but a TLSv1.2-only group on offer and the client insisting
    # on TLSv1.3, the handshake is expected to fail on the client side.
    for my $group (@curves_tls_1_2) {
        push @tests, _group_test(
            "curve-${group}-tls13",
            { "Curves" => $group, "MaxProtocol" => "TLSv1.3" },
            { "CipherString" => "ECDHE", "MinProtocol" => "TLSv1.3",
              "Curves" => $group },
            { "ExpectedResult" => "ClientFail" },
        );
    }

    # TLSv1.3-only groups, tried at TLSv1.2 from either side.  The two records
    # for each group are interleaved, as in the original ordering.
    for my $group (@curves_tls_1_3) {
        # Client capped at TLSv1.2: the server has no shared group for a
        # TLSv1.2 ECDHE key exchange and is expected to fail.
        push @tests, _group_test(
            "curve-${group}-tls13-in-tls12",
            { "Curves" => $group,
              "CipherString" => 'DEFAULT@SECLEVEL=1',
              "MaxProtocol" => "TLSv1.3" },
            { "CipherString" => 'ECDHE@SECLEVEL=1',
              "MaxProtocol" => "TLSv1.2",
              "Curves" => $group },
            { "ExpectedResult" => "ServerFail" },
        );
        # Server capped at TLSv1.2 and the client on DEFAULT ciphers: TLSv1.2
        # negotiation is expected to succeed on some other ciphersuite.
        push @tests, _group_test(
            "curve-${group}-tls13-in-tls12-2",
            { "Curves" => $group,
              "CipherString" => 'DEFAULT@SECLEVEL=1',
              "MaxProtocol" => "TLSv1.2" },
            { "CipherString" => 'DEFAULT@SECLEVEL=1',
              "MaxProtocol" => "TLSv1.3",
              "Curves" => $group },
            { "ExpectedResult" => "Success" },
        );
    }
}

generate_tests();