1# -*- mode: perl; -*- 2# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the Apache License 2.0 (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10## SSL test configurations 11 12package ssltests; 13use OpenSSL::Test::Utils; 14 15our $fips_mode; 16 17our @tests = ( 18 { 19 name => "SECLEVEL 3 with default key", 20 server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" }, 21 client => { }, 22 test => { "ExpectedResult" => "ServerFail" }, 23 }, 24); 25 26our @tests_ec = ( 27 { 28 name => "SECLEVEL 4 with ED448 key", 29 server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", 30 "Certificate" => test_pem("server-ed448-cert.pem"), 31 "PrivateKey" => test_pem("server-ed448-key.pem") }, 32 client => { "CipherString" => "DEFAULT:\@SECLEVEL=4", 33 "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, 34 test => { "ExpectedResult" => "Success" }, 35 }, 36 { 37 # The Ed448 signature algorithm will not be enabled. 38 # Because of the config order, the certificate is first loaded, and 39 # then the security level is chaged. If you try this with s_server 40 # the order will be reversed and it will instead fail to load the key. 41 name => "SECLEVEL 5 server with ED448 key", 42 server => { "CipherString" => "DEFAULT:\@SECLEVEL=5", 43 "Certificate" => test_pem("server-ed448-cert.pem"), 44 "PrivateKey" => test_pem("server-ed448-key.pem") }, 45 client => { "CipherString" => "DEFAULT:\@SECLEVEL=4", 46 "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, 47 test => { "ExpectedResult" => "ServerFail" }, 48 }, 49 { 50 # The client will not sent the Ed448 signature algorithm, so the server 51 # doesn't have a useable signature algorithm for the certificate. 52 name => "SECLEVEL 5 client with ED448 key", 53 server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", 54 "Certificate" => test_pem("server-ed448-cert.pem"), 55 "PrivateKey" => test_pem("server-ed448-key.pem") }, 56 client => { "CipherString" => "DEFAULT:\@SECLEVEL=5", 57 "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, 58 test => { "ExpectedResult" => "ServerFail" }, 59 } 60); 61 62our @tests_ec_non_fips = ( 63 { 64 name => "SECLEVEL 3 with P-384 key, X25519 ECDHE", 65 server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", 66 "Certificate" => test_pem("p384-server-cert.pem"), 67 "PrivateKey" => test_pem("p384-server-key.pem"), 68 "Groups" => "X25519" }, 69 client => { "CipherString" => "ECDHE:\@SECLEVEL=3", 70 "VerifyCAFile" => test_pem("p384-root.pem") }, 71 test => { "ExpectedResult" => "Success" }, 72 }, 73); 74 75our @tests_tls1_2 = ( 76 { 77 name => "SECLEVEL 3 with ED448 key, TLSv1.2", 78 server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", 79 "Certificate" => test_pem("server-ed448-cert.pem"), 80 "PrivateKey" => test_pem("server-ed448-key.pem"), 81 "MaxProtocol" => "TLSv1.2" }, 82 client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, 83 test => { "ExpectedResult" => "Success" }, 84 }, 85); 86 87push @tests_ec, @tests_ec_non_fips unless $fips_mode; 88push @tests, @tests_ec unless disabled("ec"); 89push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec"); 90