test/ssl-tests/28-seclevel.cnf.in

   1 # -*- mode: perl; -*-
   2 # Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the Apache License 2.0 (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9
  10 ## SSL test configurations
  11
  12 package ssltests;
  13 use OpenSSL::Test::Utils;
  14
  15 our $fips_mode;
  16
  17 our @tests = (
  18     {
  19         name => "SECLEVEL 3 with default key",
  20         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
  21         client => { },
  22         test   => { "ExpectedResult" => "ServerFail" },
  23     },
  24 );
  25
  26 our @tests_ec = (
  27     {
  28         name => "SECLEVEL 4 with ED448 key",
  29         server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  30                     "Certificate" => test_pem("server-ed448-cert.pem"),
  31                     "PrivateKey" => test_pem("server-ed448-key.pem") },
  32         client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  33                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  34         test   => { "ExpectedResult" => "Success" },
  35     },
  36     {
  37         # The Ed448 signature algorithm will not be enabled.
  38         # Because of the config order, the certificate is first loaded, and
  39         # then the security level is changed. If you try this with s_server
  40         # the order will be reversed and it will instead fail to load the key.
  41         name => "SECLEVEL 5 server with ED448 key",
  42         server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
  43                     "Certificate" => test_pem("server-ed448-cert.pem"),
  44                     "PrivateKey" => test_pem("server-ed448-key.pem") },
  45         client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  46                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  47         test   => { "ExpectedResult" => "ServerFail" },
  48     },
  49     {
  50         # The client will not sent the Ed448 signature algorithm, so the server
  51         # doesn't have a usable signature algorithm for the certificate.
  52         name => "SECLEVEL 5 client with ED448 key",
  53         server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  54                     "Certificate" => test_pem("server-ed448-cert.pem"),
  55                     "PrivateKey" => test_pem("server-ed448-key.pem") },
  56         client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
  57                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  58         test   => { "ExpectedResult" => "ServerFail" },
  59     },
  60     {
  61         name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
  62         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
  63                     "Certificate" => test_pem("p384-server-cert.pem"),
  64                     "PrivateKey" => test_pem("p384-server-key.pem"),
  65                     "Groups" => "X25519" },
  66         client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
  67                     "VerifyCAFile" => test_pem("p384-root.pem") },
  68         test   => { "ExpectedResult" => "Success" },
  69     },
  70 );
  71
  72 our @tests_tls1_2 = (
  73     {
  74         name => "SECLEVEL 3 with ED448 key, TLSv1.2",
  75         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
  76                     "Certificate" => test_pem("server-ed448-cert.pem"),
  77                     "PrivateKey" => test_pem("server-ed448-key.pem"),
  78                     "MaxProtocol" => "TLSv1.2" },
  79         client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  80         test   => { "ExpectedResult" => "Success" },
  81     },
  82 );
  83
  84 push @tests, @tests_ec unless disabled("ecx");
  85 push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ecx");