xref: /freebsd/crypto/openssl/test/ssl-tests/28-seclevel.cnf.in (revision 44096ebd22ddd0081a357011714eff8963614b65)
1# -*- mode: perl; -*-
2# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
3#
4# Licensed under the Apache License 2.0 (the "License").  You may not use
5# this file except in compliance with the License.  You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9
10## SSL test configurations
11
12package ssltests;
13use OpenSSL::Test::Utils;
14
15our $fips_mode;
16
17our @tests = (
18    {
19        name => "SECLEVEL 3 with default key",
20        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
21        client => { },
22        test   => { "ExpectedResult" => "ServerFail" },
23    },
24);
25
26our @tests_ec = (
27    {
28        name => "SECLEVEL 4 with ED448 key",
29        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
30                    "Certificate" => test_pem("server-ed448-cert.pem"),
31                    "PrivateKey" => test_pem("server-ed448-key.pem") },
32        client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
33                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
34        test   => { "ExpectedResult" => "Success" },
35    },
36    {
37        # The Ed448 signature algorithm will not be enabled.
38        # Because of the config order, the certificate is first loaded, and
39        # then the security level is chaged. If you try this with s_server
40        # the order will be reversed and it will instead fail to load the key.
41        name => "SECLEVEL 5 server with ED448 key",
42        server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
43                    "Certificate" => test_pem("server-ed448-cert.pem"),
44                    "PrivateKey" => test_pem("server-ed448-key.pem") },
45        client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
46                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
47        test   => { "ExpectedResult" => "ServerFail" },
48    },
49    {
50        # The client will not sent the Ed448 signature algorithm, so the server
51        # doesn't have a useable signature algorithm for the certificate.
52        name => "SECLEVEL 5 client with ED448 key",
53        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
54                    "Certificate" => test_pem("server-ed448-cert.pem"),
55                    "PrivateKey" => test_pem("server-ed448-key.pem") },
56        client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
57                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
58        test   => { "ExpectedResult" => "ServerFail" },
59    }
60);
61
62our @tests_ec_non_fips = (
63    {
64        name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
65        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
66                    "Certificate" => test_pem("p384-server-cert.pem"),
67                    "PrivateKey" => test_pem("p384-server-key.pem"),
68                    "Groups" => "X25519" },
69        client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
70                    "VerifyCAFile" => test_pem("p384-root.pem") },
71        test   => { "ExpectedResult" => "Success" },
72    },
73);
74
75our @tests_tls1_2 = (
76    {
77        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
78        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
79                    "Certificate" => test_pem("server-ed448-cert.pem"),
80                    "PrivateKey" => test_pem("server-ed448-key.pem"),
81                    "MaxProtocol" => "TLSv1.2" },
82        client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
83        test   => { "ExpectedResult" => "Success" },
84    },
85);
86
87push @tests_ec, @tests_ec_non_fips unless $fips_mode;
88push @tests, @tests_ec unless disabled("ec");
89push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
90