1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled);
12
# Declared here but never assigned in this file; presumably set by the harness
# that loads it -- confirm. When true, every list marked non-FIPS below is
# left out of the generated tests.
our $fips_mode;

# Groups that generate_tests expects to complete a TLSv1.3 handshake.
my @curves = qw(prime256v1 secp384r1 secp521r1);

my @curves_no_fips = qw(X25519 X448);

unless ($fips_mode) {
    push @curves, @curves_no_fips;
}

# Groups *only* suitable for use in TLSv1.3. The ffdhe* names are the ones
# get_key_type reports as "dhKeyAgreement" rather than by group name.
my @curves_tls_1_3 = qw(
    ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144
    ffdhe8192
);
my @curves_tls_1_3_no_fips = qw(
    brainpoolP256r1tls13 brainpoolP384r1tls13
    brainpoolP512r1tls13
);

unless ($fips_mode) {
    push @curves_tls_1_3, @curves_tls_1_3_no_fips;
}
# The TLSv1.3-only groups are also run through the plain TLSv1.3 success pass.
push @curves, @curves_tls_1_3;

# Groups that generate_tests expects to negotiate under TLSv1.2 and to be
# refused as a TLSv1.3 key share.
my @curves_tls_1_2 = qw(
    sect233k1 sect233r1
    sect283k1 sect283r1 sect409k1 sect409r1
    sect571k1 sect571r1 secp224r1
);

# TLSv1.2-only groups that are skipped in FIPS mode; the list includes the
# 160- to 192-bit curves.
my @curves_non_fips = qw(
    sect163k1 sect163r2 prime192v1
    sect163r1 sect193r1 sect193r2 sect239k1
    secp160k1 secp160r1 secp160r2 secp192k1
    secp224k1 secp256k1 brainpoolP256r1
    brainpoolP384r1 brainpoolP512r1
);

unless ($fips_mode) {
    push @curves_tls_1_2, @curves_non_fips;
}

# Filled in by generate_tests; starts empty.
our @tests = ();
43
# Return the temporary-key type a test should expect for a group name.
#
# Any name containing "ffdhe" yields "dhKeyAgreement"; every other name is
# returned unchanged, so the group name doubles as the key type.
sub get_key_type {
    my ($group) = @_;

    return "dhKeyAgreement" if $group =~ /ffdhe/;

    return $group;
}
56
# Append the curve/group test configurations to @tests.
#
# Five passes are made, in this order, each adding one entry per group
# (the last pass adds two):
#   1. @curves         - TLSv1.3 handshake succeeds with the group's key type
#   2. @curves_tls_1_2 - client capped at TLSv1.2, handshake succeeds
#   3. @curves_tls_1_2 - group offered together with P-256 to a TLSv1.3-only
#                        client; P-256 is the key type expected
#   4. @curves_tls_1_2 - group offered alone by a TLSv1.3-only client; the
#                        client is expected to fail
#   5. @curves_tls_1_3 - TLSv1.3-only groups used with TLSv1.2
#
# Takes no arguments and returns nothing of interest; the result is the
# contents of @tests.
sub generate_tests() {
    # Every peer in this file runs at SECLEVEL=1.
    # NOTE(review): presumably so that the security-level check does not
    # reject the smaller groups in the lists (the 160- to 192-bit curves)
    # before the group negotiation under test is reached -- confirm.
    my $default_ciphers = 'DEFAULT@SECLEVEL=1';
    my $ecdhe_ciphers   = 'ECDHE@SECLEVEL=1';

    # Pass 1: both sides allow up to TLSv1.3 and share exactly one group.
    for my $curve (@curves) {
        my %server = (
            Curves       => $curve,
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.3",
        );
        my %client = (
            CipherString => $ecdhe_ciphers,
            MaxProtocol  => "TLSv1.3",
            Curves       => $curve,
        );
        my %expected = (
            ExpectedTmpKeyType => get_key_type($curve),
            ExpectedProtocol   => "TLSv1.3",
            ExpectedResult     => "Success",
        );
        push @tests, {
            name   => "curve-$curve",
            server => \%server,
            client => \%client,
            test   => \%expected,
        };
    }

    # Pass 2: the client is capped at TLSv1.2, so TLSv1.2 is what must be
    # negotiated, using the group under test.
    for my $curve (@curves_tls_1_2) {
        my %server = (
            Curves       => $curve,
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.3",
        );
        my %client = (
            CipherString => $ecdhe_ciphers,
            MaxProtocol  => "TLSv1.2",
            Curves       => $curve,
        );
        my %expected = (
            ExpectedTmpKeyType => get_key_type($curve),
            ExpectedProtocol   => "TLSv1.2",
            ExpectedResult     => "Success",
        );
        push @tests, {
            name   => "curve-$curve",
            server => \%server,
            client => \%client,
            test   => \%expected,
        };
    }

    # Pass 3: the group is listed ahead of P-256 on both sides and the client
    # insists on TLSv1.3.
    for my $curve (@curves_tls_1_2) {
        my $group_list = $curve . ":P-256";
        my %server = (
            Curves       => $group_list,
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.3",
        );
        my %client = (
            CipherString => $ecdhe_ciphers,
            MaxProtocol  => "TLSv1.3",
            MinProtocol  => "TLSv1.3",
            Curves       => $group_list,
        );
        # This curve is not allowed in a TLSv1.3 key_share. The handshake
        # should still succeed, falling back to P-256.
        my %expected = (
            ExpectedTmpKeyType => "P-256",
            ExpectedProtocol   => "TLSv1.3",
            ExpectedResult     => "Success",
        );
        push @tests, {
            name   => "curve-$curve-tls12-in-tls13",
            server => \%server,
            client => \%client,
            test   => \%expected,
        };
    }

    # Pass 4: same as pass 3 but without P-256 to fall back to, so a client
    # that requires TLSv1.3 has no usable group and is expected to fail.
    for my $curve (@curves_tls_1_2) {
        my %server = (
            Curves       => $curve,
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.3",
        );
        my %client = (
            CipherString => $ecdhe_ciphers,
            MinProtocol  => "TLSv1.3",
            Curves       => $curve,
        );
        my %expected = (
            ExpectedResult => "ClientFail",
        );
        push @tests, {
            name   => "curve-$curve-tls13",
            server => \%server,
            client => \%client,
            test   => \%expected,
        };
    }

    # Pass 5: TLSv1.3-only groups combined with TLSv1.2, two entries each.
    for my $curve (@curves_tls_1_3) {
        # 5a: the client is capped at TLSv1.2 and offers ECDHE suites only.
        # These curves are only suitable for TLSv1.3, so the server is
        # expected to fail because it has no shared groups for a TLSv1.2
        # ECDHE key exchange.
        my %server_tls13 = (
            Curves       => $curve,
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.3",
        );
        my %client_ecdhe = (
            CipherString => $ecdhe_ciphers,
            MaxProtocol  => "TLSv1.2",
            Curves       => $curve,
        );
        push @tests, {
            name   => "curve-$curve-tls13-in-tls12",
            server => \%server_tls13,
            client => \%client_ecdhe,
            test   => { ExpectedResult => "ServerFail" },
        };

        # 5b: here the server is the side capped at TLSv1.2, and the client
        # offers the DEFAULT suite list rather than ECDHE only. TLSv1.2
        # negotiation is expected to succeed because some other ciphersuite
        # is fallen back to.
        my %server_tls12 = (
            Curves       => $curve,
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.2",
        );
        my %client_default = (
            CipherString => $default_ciphers,
            MaxProtocol  => "TLSv1.3",
            Curves       => $curve,
        );
        push @tests, {
            name   => "curve-$curve-tls13-in-tls12-2",
            server => \%server_tls12,
            client => \%client_default,
            test   => { ExpectedResult => "Success" },
        };
    }
}

# Populate @tests as soon as this file is evaluated.
generate_tests();