# -*- mode: perl; -*-
# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## SSL test configurations
##
## Security-level (@SECLEVEL) handshake tests.  Each entry pins the expected
## outcome, so a change that lets a key or signature algorithm weaker than
## the configured level through shows up as a test failure.
##
## OpenSSL documents the levels used here as minimum security strengths of
## 128 bits (level 3), 192 bits (level 4) and 256 bits (level 5).

package ssltests;
use OpenSSL::Test::Utils;

# Declared here and never assigned in this file.
# NOTE(review): presumably set by the test generator before this file is
# evaluated -- confirm against the caller.
our $fips_mode;

our @tests = (
    {
        # No Certificate/PrivateKey is configured, so the server runs with
        # whatever key the test harness supplies by default.  The expectation
        # is that this key falls short of level 3.
        # NOTE(review): presumably a 2048-bit RSA key -- confirm against the
        # harness defaults.
        name   => 'SECLEVEL 3 with default key',
        server => {
            CipherString => 'DEFAULT:@SECLEVEL=3',
        },
        client => {},
        test   => {
            ExpectedResult => 'ServerFail',
        },
    },
);

# Ed448 is usually rated at roughly 224 bits of security, which is why the
# cases below expect it to clear level 4 but not level 5.
# NOTE(review): the leading "?" on each group name looks like the "ignore if
# unsupported" marker of the groups-list syntax -- confirm.
our @tests_ec = (
    {
        # Both peers at level 4: the Ed448 key is strong enough.
        name   => 'SECLEVEL 4 with ED448 key',
        server => {
            CipherString => 'DEFAULT:@SECLEVEL=4',
            Groups       => '?X448:?secp521r1',
            Certificate  => test_pem('server-ed448-cert.pem'),
            PrivateKey   => test_pem('server-ed448-key.pem'),
        },
        client => {
            CipherString => 'DEFAULT:@SECLEVEL=4',
            Groups       => '?X448:?secp521r1',
            VerifyCAFile => test_pem('root-ed448-cert.pem'),
        },
        test => {
            ExpectedResult => 'Success',
        },
    },
    {
        # At level 5 the server does not enable the Ed448 signature
        # algorithm, so the handshake fails on the server side.
        # The key still loads only because this configuration loads the
        # certificate first and changes the security level afterwards.
        # s_server applies the two in the opposite order and would instead
        # fail to load the key.
        name   => 'SECLEVEL 5 server with ED448 key',
        server => {
            CipherString => 'DEFAULT:@SECLEVEL=5',
            Groups       => '?X448:?secp521r1',
            Certificate  => test_pem('server-ed448-cert.pem'),
            PrivateKey   => test_pem('server-ed448-key.pem'),
        },
        client => {
            CipherString => 'DEFAULT:@SECLEVEL=4',
            Groups       => '?X448:?secp521r1',
            VerifyCAFile => test_pem('root-ed448-cert.pem'),
        },
        test => {
            ExpectedResult => 'ServerFail',
        },
    },
    {
        # A level 5 client does not send the Ed448 signature algorithm, so
        # the server has no usable signature algorithm for its certificate.
        name   => 'SECLEVEL 5 client with ED448 key',
        server => {
            CipherString => 'DEFAULT:@SECLEVEL=4',
            Groups       => '?X448:?secp521r1',
            Certificate  => test_pem('server-ed448-cert.pem'),
            PrivateKey   => test_pem('server-ed448-key.pem'),
        },
        client => {
            CipherString => 'DEFAULT:@SECLEVEL=5',
            Groups       => '?X448:?secp521r1',
            VerifyCAFile => test_pem('root-ed448-cert.pem'),
        },
        test => {
            ExpectedResult => 'ServerFail',
        },
    },
);

# Only added to @tests_ec when $fips_mode is false (see the push below).
# NOTE(review): presumably because X25519 is not usable in FIPS runs --
# confirm.
our @tests_ec_non_fips = (
    {
        # P-384 certificate with X25519 key exchange, both expected to be
        # acceptable at level 3.
        name   => 'SECLEVEL 3 with P-384 key, X25519 ECDHE',
        server => {
            CipherString => 'DEFAULT:@SECLEVEL=3',
            Certificate  => test_pem('p384-server-cert.pem'),
            PrivateKey   => test_pem('p384-server-key.pem'),
            Groups       => 'X25519',
        },
        client => {
            CipherString => 'ECDHE:@SECLEVEL=3',
            VerifyCAFile => test_pem('p384-root.pem'),
        },
        test => {
            ExpectedResult => 'Success',
        },
    },
);

our @tests_tls1_2 = (
    {
        # Same Ed448 server key, with the server capped at TLSv1.2; the
        # client sets no security level of its own.
        name   => 'SECLEVEL 3 with ED448 key, TLSv1.2',
        server => {
            CipherString => 'DEFAULT:@SECLEVEL=3',
            Certificate  => test_pem('server-ed448-cert.pem'),
            PrivateKey   => test_pem('server-ed448-key.pem'),
            MaxProtocol  => 'TLSv1.2',
        },
        client => {
            VerifyCAFile => test_pem('root-ed448-cert.pem'),
        },
        test => {
            ExpectedResult => 'Success',
        },
    },
);

# Assemble the final list.  Order matters: the non-FIPS cases must be folded
# into @tests_ec before @tests_ec itself is appended to @tests.  The
# statement-modifier form is kept so that the value of the file's last
# statement stays the same for any loader that inspects it.
push @tests_ec, @tests_ec_non_fips
    unless $fips_mode;
push @tests, @tests_ec
    unless disabled("ecx");
push @tests, @tests_tls1_2
    unless disabled("tls1_2") || disabled("ecx");