[thirdparty/openssl.git] / test / ssl-tests / 28-seclevel.cnf.in

# -*- mode: perl; -*-
# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## SSL test configurations

package ssltests;
use OpenSSL::Test::Utils;

our @tests = (
    {
        name => "SECLEVEL 3 with default key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
        client => { },
        test   => { "ExpectedResult" => "ServerFail" },
    },
);

our @tests_ec = (
    {
        name => "SECLEVEL 4 with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem") },
        client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "Success" },
    },
    {
        # The Ed488 signature algorithm will not be enabled.
        # Because of the config order, the certificate is first loaded, and
        # then the security level is chaged. If you try this with s_server
        # the order will be reversed and it will instead fail to load the key.
        name => "SECLEVEL 5 server with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem") },
        client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "ServerFail" },
    },
    {
        # The client will not sent the Ed488 signature algorithm, so the server
        # doesn't have a useable signature algorithm for the certificate.
        name => "SECLEVEL 5 client with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem") },
        client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
                    "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "ServerFail" },
    },
    {
        name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
                    "Certificate" => test_pem("p384-server-cert.pem"),
                    "PrivateKey" => test_pem("p384-server-key.pem"),
                    "Groups" => "X25519" },
        client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
                    "VerifyCAFile" => test_pem("p384-root.pem") },
        test   => { "ExpectedResult" => "Success" },
    },
);

our @tests_tls1_2 = (
    {
        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
                    "Certificate" => test_pem("server-ed448-cert.pem"),
                    "PrivateKey" => test_pem("server-ed448-key.pem"),
                    "MaxProtocol" => "TLSv1.2" },
        client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
        test   => { "ExpectedResult" => "Success" },
    },
);

push @tests, @tests_ec unless disabled("ec");
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
Commit	Line	Data
75b68c9e	1	# -- mode: perl; --
c486283c	2	# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
75b68c9e	3	#
909f1a2e	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
75b68c9e TM	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9
	10	## SSL test configurations
	11
	12	package ssltests;
65d2c16c	13	use OpenSSL::Test::Utils;
75b68c9e TM	14
	15	our @tests = (
	16	{
	17	name => "SECLEVEL 3 with default key",
	18	server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
	19	client => { },
	20	test => { "ExpectedResult" => "ServerFail" },
	21	},
65d2c16c MC	22	);
	23
	24	our @tests_ec = (
75b68c9e	25	{
620c97b6 KR	26	name => "SECLEVEL 4 with ED448 key",
620c97b6 KR	27	server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
75b68c9e TM	28	"Certificate" => test_pem("server-ed448-cert.pem"),
75b68c9e TM	29	"PrivateKey" => test_pem("server-ed448-key.pem") },
620c97b6 KR	30	client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
620c97b6 KR	31	"VerifyCAFile" => test_pem("root-ed448-cert.pem") },
75b68c9e TM	32	test => { "ExpectedResult" => "Success" },
75b68c9e TM	33	},
620c97b6 KR	34	{
	35	# The Ed488 signature algorithm will not be enabled.
	36	# Because of the config order, the certificate is first loaded, and
	37	# then the security level is chaged. If you try this with s_server
	38	# the order will be reversed and it will instead fail to load the key.
	39	name => "SECLEVEL 5 server with ED448 key",
	40	server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
	41	"Certificate" => test_pem("server-ed448-cert.pem"),
	42	"PrivateKey" => test_pem("server-ed448-key.pem") },
	43	client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
	44	"VerifyCAFile" => test_pem("root-ed448-cert.pem") },
	45	test => { "ExpectedResult" => "ServerFail" },
	46	},
	47	{
	48	# The client will not sent the Ed488 signature algorithm, so the server
	49	# doesn't have a useable signature algorithm for the certificate.
	50	name => "SECLEVEL 5 client with ED448 key",
	51	server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
	52	"Certificate" => test_pem("server-ed448-cert.pem"),
	53	"PrivateKey" => test_pem("server-ed448-key.pem") },
	54	client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
	55	"VerifyCAFile" => test_pem("root-ed448-cert.pem") },
	56	test => { "ExpectedResult" => "ServerFail" },
	57	},
75b68c9e TM	58	{
	59	name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
	60	server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
	61	"Certificate" => test_pem("p384-server-cert.pem"),
	62	"PrivateKey" => test_pem("p384-server-key.pem"),
	63	"Groups" => "X25519" },
	64	client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
	65	"VerifyCAFile" => test_pem("p384-root.pem") },
	66	test => { "ExpectedResult" => "Success" },
	67	},
	68	);
65d2c16c MC	69
	70	our @tests_tls1_2 = (
	71	{
	72	name => "SECLEVEL 3 with ED448 key, TLSv1.2",
	73	server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
	74	"Certificate" => test_pem("server-ed448-cert.pem"),
	75	"PrivateKey" => test_pem("server-ed448-key.pem"),
	76	"MaxProtocol" => "TLSv1.2" },
77c4d397	77	client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
65d2c16c MC	78	test => { "ExpectedResult" => "Success" },
	79	},
	80	);
	81
	82	push @tests, @tests_ec unless disabled("ec");
	83	push @tests, @tests_tls1_2 unless disabled("tls1_2") \|\| disabled("ec");