From: Tomas Mraz
Date: Thu, 11 Feb 2021 17:18:49 +0000 (+0100)
Subject: ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3
X-Git-Tag: openssl-3.0.0-alpha12~52
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ff5bd612a415571b12cc9febe22c710d9d2d42a;p=thirdparty%2Fopenssl.git
ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3
Also correctly mark max protocol version for some curves.
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/14154)
---
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index f708beb16de..da3cf508207 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -31,28 +31,50 @@ typedef struct tls_group_constants_st {
 } TLS_GROUP_CONSTANTS;
 static const TLS_GROUP_CONSTANTS group_list[35] = {
- { OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
- { OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
+ { OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
+ { OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, TLS1_2_VERSION,
+ DTLS1_VERSION, DTLS1_2_VERSION },
 { OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
 { OSSL_TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
 { OSSL_TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf
index 1982c99db7a..824a9f9a0e8 100644
--- a/test/ssl-tests/14-curves.cnf
+++ b/test/ssl-tests/14-curves.cnf
@@ -1,21 +1,21 @@ # Generated with generate_ssl_tests.pl -num_tests = 30 - -test-0 = 0-curve-sect233k1 -test-1 = 1-curve-sect233r1 -test-2 = 2-curve-sect283k1 -test-3 = 3-curve-sect283r1 -test-4 = 4-curve-sect409k1 -test-5 = 5-curve-sect409r1 -test-6 = 6-curve-sect571k1 -test-7 = 7-curve-sect571r1 -test-8 = 8-curve-secp224r1 -test-9 = 9-curve-prime256v1 -test-10 = 10-curve-secp384r1 -test-11 = 11-curve-secp521r1 -test-12 = 12-curve-X25519 -test-13 = 13-curve-X448 +num_tests = 55 + +test-0 = 0-curve-prime256v1 +test-1 = 1-curve-secp384r1 +test-2 = 2-curve-secp521r1 +test-3 = 3-curve-X25519 +test-4 = 4-curve-X448 +test-5 = 5-curve-sect233k1 +test-6 = 6-curve-sect233r1 +test-7 = 7-curve-sect283k1 +test-8 = 8-curve-sect283r1 +test-9 = 9-curve-sect409k1 +test-10 = 10-curve-sect409r1 +test-11 = 11-curve-sect571k1 +test-12 = 12-curve-sect571r1 +test-13 = 13-curve-secp224r1 test-14 = 14-curve-sect163k1 test-15 = 15-curve-sect163r2 test-16 = 16-curve-prime192v1
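Review bot: The new upper bounds in `group_list` (providers/common/capabilities.c) are bare positional values, and nothing in the hunk says which column is the minimum and which the maximum, or that `0` stands for "no upper limit" (as it appears to for secp256r1/secp384r1/secp521r1, which the updated tests expect to negotiate TLSv1.3). These two columns are what keeps curves not defined for TLS 1.3 out of a TLS 1.3 handshake, and a transposed min/max pair would still compile cleanly, so I would add a comment above the table such as `/* group id, security bits, min TLS, max TLS, min DTLS, max DTLS; a max of 0 means no upper bound */` (the meaning of the second column is presumed from its values, please confirm). The brainpool entries lie outside this hunk while the new cases 52-54 expect those curves to be refused under TLS 1.3, so it is worth confirming they carry the same `TLS1_2_VERSION` / `DTLS1_2_VERSION` cap. The initializer continues past the end of the hunk.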
@@ -32,396 +32,435 @@ test-26 = 26-curve-secp256k1 test-27 = 27-curve-brainpoolP256r1 test-28 = 28-curve-brainpoolP384r1 test-29 = 29-curve-brainpoolP512r1 +test-30 = 30-curve-sect233k1-tls13 +test-31 = 31-curve-sect233r1-tls13 +test-32 = 32-curve-sect283k1-tls13 +test-33 = 33-curve-sect283r1-tls13 +test-34 = 34-curve-sect409k1-tls13 +test-35 = 35-curve-sect409r1-tls13 +test-36 = 36-curve-sect571k1-tls13 +test-37 = 37-curve-sect571r1-tls13 +test-38 = 38-curve-secp224r1-tls13 +test-39 = 39-curve-sect163k1-tls13 +test-40 = 40-curve-sect163r2-tls13 +test-41 = 41-curve-prime192v1-tls13 +test-42 = 42-curve-sect163r1-tls13 +test-43 = 43-curve-sect193r1-tls13 +test-44 = 44-curve-sect193r2-tls13 +test-45 = 45-curve-sect239k1-tls13 +test-46 = 46-curve-secp160k1-tls13 +test-47 = 47-curve-secp160r1-tls13 +test-48 = 48-curve-secp160r2-tls13 +test-49 = 49-curve-secp192k1-tls13 +test-50 = 50-curve-secp224k1-tls13 +test-51 = 51-curve-secp256k1-tls13 +test-52 = 52-curve-brainpoolP256r1-tls13 +test-53 = 53-curve-brainpoolP384r1-tls13 +test-54 = 54-curve-brainpoolP512r1-tls13 # =========================================================== -[0-curve-sect233k1] -ssl_conf = 0-curve-sect233k1-ssl +[0-curve-prime256v1] +ssl_conf = 0-curve-prime256v1-ssl -[0-curve-sect233k1-ssl] -server = 0-curve-sect233k1-server -client = 0-curve-sect233k1-client +[0-curve-prime256v1-ssl] +server = 0-curve-prime256v1-server +client = 0-curve-prime256v1-client -[0-curve-sect233k1-server] +[0-curve-prime256v1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233k1 -MaxProtocol = TLSv1.2 +Curves = prime256v1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[0-curve-sect233k1-client] +[0-curve-prime256v1-client] CipherString = ECDHE -Curves = sect233k1 -MaxProtocol = TLSv1.2 +Curves = prime256v1 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-0] +ExpectedProtocol = TLSv1.3 ExpectedResult = 
Success -ExpectedTmpKeyType = sect233k1 +ExpectedTmpKeyType = prime256v1 # =========================================================== -[1-curve-sect233r1] -ssl_conf = 1-curve-sect233r1-ssl +[1-curve-secp384r1] +ssl_conf = 1-curve-secp384r1-ssl -[1-curve-sect233r1-ssl] -server = 1-curve-sect233r1-server -client = 1-curve-sect233r1-client +[1-curve-secp384r1-ssl] +server = 1-curve-secp384r1-server +client = 1-curve-secp384r1-client -[1-curve-sect233r1-server] +[1-curve-secp384r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233r1 -MaxProtocol = TLSv1.2 +Curves = secp384r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-curve-sect233r1-client] +[1-curve-secp384r1-client] CipherString = ECDHE -Curves = sect233r1 -MaxProtocol = TLSv1.2 +Curves = secp384r1 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-1] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect233r1 +ExpectedTmpKeyType = secp384r1 # =========================================================== -[2-curve-sect283k1] -ssl_conf = 2-curve-sect283k1-ssl +[2-curve-secp521r1] +ssl_conf = 2-curve-secp521r1-ssl -[2-curve-sect283k1-ssl] -server = 2-curve-sect283k1-server -client = 2-curve-sect283k1-client +[2-curve-secp521r1-ssl] +server = 2-curve-secp521r1-server +client = 2-curve-secp521r1-client -[2-curve-sect283k1-server] +[2-curve-secp521r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283k1 -MaxProtocol = TLSv1.2 +Curves = secp521r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[2-curve-sect283k1-client] +[2-curve-secp521r1-client] CipherString = ECDHE -Curves = sect283k1 -MaxProtocol = TLSv1.2 +Curves = secp521r1 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-2] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success 
-ExpectedTmpKeyType = sect283k1 +ExpectedTmpKeyType = secp521r1 # =========================================================== -[3-curve-sect283r1] -ssl_conf = 3-curve-sect283r1-ssl +[3-curve-X25519] +ssl_conf = 3-curve-X25519-ssl -[3-curve-sect283r1-ssl] -server = 3-curve-sect283r1-server -client = 3-curve-sect283r1-client +[3-curve-X25519-ssl] +server = 3-curve-X25519-server +client = 3-curve-X25519-client -[3-curve-sect283r1-server] +[3-curve-X25519-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283r1 -MaxProtocol = TLSv1.2 +Curves = X25519 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-curve-sect283r1-client] +[3-curve-X25519-client] CipherString = ECDHE -Curves = sect283r1 -MaxProtocol = TLSv1.2 +Curves = X25519 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect283r1 +ExpectedTmpKeyType = X25519 # =========================================================== -[4-curve-sect409k1] -ssl_conf = 4-curve-sect409k1-ssl +[4-curve-X448] +ssl_conf = 4-curve-X448-ssl -[4-curve-sect409k1-ssl] -server = 4-curve-sect409k1-server -client = 4-curve-sect409k1-client +[4-curve-X448-ssl] +server = 4-curve-X448-server +client = 4-curve-X448-client -[4-curve-sect409k1-server] +[4-curve-X448-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409k1 -MaxProtocol = TLSv1.2 +Curves = X448 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-curve-sect409k1-client] +[4-curve-X448-client] CipherString = ECDHE -Curves = sect409k1 -MaxProtocol = TLSv1.2 +Curves = X448 +MaxProtocol = TLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] +ExpectedProtocol = TLSv1.3 ExpectedResult = Success -ExpectedTmpKeyType = sect409k1 +ExpectedTmpKeyType = X448 # 
=========================================================== -[5-curve-sect409r1] -ssl_conf = 5-curve-sect409r1-ssl +[5-curve-sect233k1] +ssl_conf = 5-curve-sect233k1-ssl -[5-curve-sect409r1-ssl] -server = 5-curve-sect409r1-server -client = 5-curve-sect409r1-client +[5-curve-sect233k1-ssl] +server = 5-curve-sect233k1-server +client = 5-curve-sect233k1-client -[5-curve-sect409r1-server] +[5-curve-sect233k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409r1 -MaxProtocol = TLSv1.2 +Curves = sect233k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-curve-sect409r1-client] +[5-curve-sect233k1-client] CipherString = ECDHE -Curves = sect409r1 +Curves = sect233k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = sect409r1 +ExpectedTmpKeyType = sect233k1 # =========================================================== -[6-curve-sect571k1] -ssl_conf = 6-curve-sect571k1-ssl +[6-curve-sect233r1] +ssl_conf = 6-curve-sect233r1-ssl -[6-curve-sect571k1-ssl] -server = 6-curve-sect571k1-server -client = 6-curve-sect571k1-client +[6-curve-sect233r1-ssl] +server = 6-curve-sect233r1-server +client = 6-curve-sect233r1-client -[6-curve-sect571k1-server] +[6-curve-sect233r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571k1 -MaxProtocol = TLSv1.2 +Curves = sect233r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-curve-sect571k1-client] +[6-curve-sect233r1-client] CipherString = ECDHE -Curves = sect571k1 +Curves = sect233r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-6] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = sect571k1 +ExpectedTmpKeyType = sect233r1 # =========================================================== 
-[7-curve-sect571r1] -ssl_conf = 7-curve-sect571r1-ssl +[7-curve-sect283k1] +ssl_conf = 7-curve-sect283k1-ssl -[7-curve-sect571r1-ssl] -server = 7-curve-sect571r1-server -client = 7-curve-sect571r1-client +[7-curve-sect283k1-ssl] +server = 7-curve-sect283k1-server +client = 7-curve-sect283k1-client -[7-curve-sect571r1-server] +[7-curve-sect283k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571r1 -MaxProtocol = TLSv1.2 +Curves = sect283k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-curve-sect571r1-client] +[7-curve-sect283k1-client] CipherString = ECDHE -Curves = sect571r1 +Curves = sect283k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-7] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = sect571r1 +ExpectedTmpKeyType = sect283k1 # =========================================================== -[8-curve-secp224r1] -ssl_conf = 8-curve-secp224r1-ssl +[8-curve-sect283r1] +ssl_conf = 8-curve-sect283r1-ssl -[8-curve-secp224r1-ssl] -server = 8-curve-secp224r1-server -client = 8-curve-secp224r1-client +[8-curve-sect283r1-ssl] +server = 8-curve-sect283r1-server +client = 8-curve-sect283r1-client -[8-curve-secp224r1-server] +[8-curve-sect283r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp224r1 -MaxProtocol = TLSv1.2 +Curves = sect283r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-curve-secp224r1-client] +[8-curve-sect283r1-client] CipherString = ECDHE -Curves = secp224r1 +Curves = sect283r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = secp224r1 +ExpectedTmpKeyType = sect283r1 # =========================================================== -[9-curve-prime256v1] -ssl_conf = 9-curve-prime256v1-ssl 
+[9-curve-sect409k1] +ssl_conf = 9-curve-sect409k1-ssl -[9-curve-prime256v1-ssl] -server = 9-curve-prime256v1-server -client = 9-curve-prime256v1-client +[9-curve-sect409k1-ssl] +server = 9-curve-sect409k1-server +client = 9-curve-sect409k1-client -[9-curve-prime256v1-server] +[9-curve-sect409k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = prime256v1 -MaxProtocol = TLSv1.2 +Curves = sect409k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-curve-prime256v1-client] +[9-curve-sect409k1-client] CipherString = ECDHE -Curves = prime256v1 +Curves = sect409k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-9] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = prime256v1 +ExpectedTmpKeyType = sect409k1 # =========================================================== -[10-curve-secp384r1] -ssl_conf = 10-curve-secp384r1-ssl +[10-curve-sect409r1] +ssl_conf = 10-curve-sect409r1-ssl -[10-curve-secp384r1-ssl] -server = 10-curve-secp384r1-server -client = 10-curve-secp384r1-client +[10-curve-sect409r1-ssl] +server = 10-curve-sect409r1-server +client = 10-curve-sect409r1-client -[10-curve-secp384r1-server] +[10-curve-sect409r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp384r1 -MaxProtocol = TLSv1.2 +Curves = sect409r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-curve-secp384r1-client] +[10-curve-sect409r1-client] CipherString = ECDHE -Curves = secp384r1 +Curves = sect409r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-10] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = secp384r1 +ExpectedTmpKeyType = sect409r1 # =========================================================== -[11-curve-secp521r1] -ssl_conf = 11-curve-secp521r1-ssl +[11-curve-sect571k1] +ssl_conf = 
11-curve-sect571k1-ssl -[11-curve-secp521r1-ssl] -server = 11-curve-secp521r1-server -client = 11-curve-secp521r1-client +[11-curve-sect571k1-ssl] +server = 11-curve-sect571k1-server +client = 11-curve-sect571k1-client -[11-curve-secp521r1-server] +[11-curve-sect571k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp521r1 -MaxProtocol = TLSv1.2 +Curves = sect571k1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-curve-secp521r1-client] +[11-curve-sect571k1-client] CipherString = ECDHE -Curves = secp521r1 +Curves = sect571k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = secp521r1 +ExpectedTmpKeyType = sect571k1 # =========================================================== -[12-curve-X25519] -ssl_conf = 12-curve-X25519-ssl +[12-curve-sect571r1] +ssl_conf = 12-curve-sect571r1-ssl -[12-curve-X25519-ssl] -server = 12-curve-X25519-server -client = 12-curve-X25519-client +[12-curve-sect571r1-ssl] +server = 12-curve-sect571r1-server +client = 12-curve-sect571r1-client -[12-curve-X25519-server] +[12-curve-sect571r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X25519 -MaxProtocol = TLSv1.2 +Curves = sect571r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-curve-X25519-client] +[12-curve-sect571r1-client] CipherString = ECDHE -Curves = X25519 +Curves = sect571r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-12] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = X25519 +ExpectedTmpKeyType = sect571r1 # =========================================================== -[13-curve-X448] -ssl_conf = 13-curve-X448-ssl +[13-curve-secp224r1] +ssl_conf = 13-curve-secp224r1-ssl -[13-curve-X448-ssl] -server = 13-curve-X448-server -client 
= 13-curve-X448-client +[13-curve-secp224r1-ssl] +server = 13-curve-secp224r1-server +client = 13-curve-secp224r1-client -[13-curve-X448-server] +[13-curve-secp224r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X448 -MaxProtocol = TLSv1.2 +Curves = secp224r1 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-curve-X448-client] +[13-curve-secp224r1-client] CipherString = ECDHE -Curves = X448 +Curves = secp224r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-13] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success -ExpectedTmpKeyType = X448 +ExpectedTmpKeyType = secp224r1 # =========================================================== @@ -437,7 +476,7 @@ client = 14-curve-sect163k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect163k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [14-curve-sect163k1-client] @@ -448,6 +487,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-14] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect163k1 @@ -465,7 +505,7 @@ client = 15-curve-sect163r2-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect163r2 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [15-curve-sect163r2-client] @@ -476,6 +516,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-15] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect163r2 @@ -493,7 +534,7 @@ client = 16-curve-prime192v1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = prime192v1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [16-curve-prime192v1-client] 
@@ -504,6 +545,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-16] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = prime192v1 @@ -521,7 +563,7 @@ client = 17-curve-sect163r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect163r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [17-curve-sect163r1-client] @@ -532,6 +574,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-17] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect163r1 @@ -549,7 +592,7 @@ client = 18-curve-sect193r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect193r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [18-curve-sect193r1-client] @@ -560,6 +603,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-18] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect193r1 @@ -577,7 +621,7 @@ client = 19-curve-sect193r2-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect193r2 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [19-curve-sect193r2-client] @@ -588,6 +632,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-19] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect193r2 @@ -605,7 +650,7 @@ client = 20-curve-sect239k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = sect239k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [20-curve-sect239k1-client] 
@@ -616,6 +661,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-20] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = sect239k1 @@ -633,7 +679,7 @@ client = 21-curve-secp160k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp160k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [21-curve-secp160k1-client] @@ -644,6 +690,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-21] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp160k1 @@ -661,7 +708,7 @@ client = 22-curve-secp160r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp160r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [22-curve-secp160r1-client] @@ -672,6 +719,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp160r1 @@ -689,7 +737,7 @@ client = 23-curve-secp160r2-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp160r2 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [23-curve-secp160r2-client] @@ -700,6 +748,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-23] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp160r2 @@ -717,7 +766,7 @@ client = 24-curve-secp192k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp192k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [24-curve-secp192k1-client] 
@@ -728,6 +777,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-24] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp192k1 @@ -745,7 +795,7 @@ client = 25-curve-secp224k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp224k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [25-curve-secp224k1-client] @@ -756,6 +806,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-25] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp224k1 @@ -773,7 +824,7 @@ client = 26-curve-secp256k1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = secp256k1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [26-curve-secp256k1-client] @@ -784,6 +835,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-26] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = secp256k1 @@ -801,7 +853,7 @@ client = 27-curve-brainpoolP256r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = brainpoolP256r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [27-curve-brainpoolP256r1-client] @@ -812,6 +864,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-27] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = brainpoolP256r1 @@ -829,7 +882,7 @@ client = 28-curve-brainpoolP384r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = brainpoolP384r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [28-curve-brainpoolP384r1-client] 
@@ -840,6 +893,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-28] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = brainpoolP384r1 @@ -857,7 +911,7 @@ client = 29-curve-brainpoolP512r1-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = brainpoolP512r1 -MaxProtocol = TLSv1.2 +MaxProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [29-curve-brainpoolP512r1-client] 
@@ -868,7 +922,683 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-29] +ExpectedProtocol = TLSv1.2 ExpectedResult = Success ExpectedTmpKeyType = brainpoolP512r1 +# =========================================================== + +[30-curve-sect233k1-tls13] +ssl_conf = 30-curve-sect233k1-tls13-ssl + +[30-curve-sect233k1-tls13-ssl] +server = 30-curve-sect233k1-tls13-server +client = 30-curve-sect233k1-tls13-client + +[30-curve-sect233k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect233k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[30-curve-sect233k1-tls13-client] +CipherString = ECDHE +Curves = sect233k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-30] +ExpectedResult = ClientFail + + +# =========================================================== + +[31-curve-sect233r1-tls13] +ssl_conf = 31-curve-sect233r1-tls13-ssl + +[31-curve-sect233r1-tls13-ssl] +server = 31-curve-sect233r1-tls13-server +client = 31-curve-sect233r1-tls13-client + +[31-curve-sect233r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect233r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[31-curve-sect233r1-tls13-client] +CipherString = ECDHE +Curves = sect233r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-31] +ExpectedResult = ClientFail + + +# =========================================================== + +[32-curve-sect283k1-tls13] +ssl_conf = 32-curve-sect283k1-tls13-ssl + +[32-curve-sect283k1-tls13-ssl] +server = 32-curve-sect283k1-tls13-server +client = 32-curve-sect283k1-tls13-client + +[32-curve-sect283k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect283k1 +MaxProtocol = TLSv1.3 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + +[32-curve-sect283k1-tls13-client] +CipherString = ECDHE +Curves = sect283k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-32] +ExpectedResult = ClientFail + + +# =========================================================== + +[33-curve-sect283r1-tls13] +ssl_conf = 33-curve-sect283r1-tls13-ssl + +[33-curve-sect283r1-tls13-ssl] +server = 33-curve-sect283r1-tls13-server +client = 33-curve-sect283r1-tls13-client + +[33-curve-sect283r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect283r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[33-curve-sect283r1-tls13-client] +CipherString = ECDHE +Curves = sect283r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-33] +ExpectedResult = ClientFail + + +# =========================================================== + +[34-curve-sect409k1-tls13] +ssl_conf = 34-curve-sect409k1-tls13-ssl + +[34-curve-sect409k1-tls13-ssl] +server = 34-curve-sect409k1-tls13-server +client = 34-curve-sect409k1-tls13-client + +[34-curve-sect409k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect409k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[34-curve-sect409k1-tls13-client] +CipherString = ECDHE +Curves = sect409k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-34] +ExpectedResult = ClientFail + + +# =========================================================== + +[35-curve-sect409r1-tls13] +ssl_conf = 35-curve-sect409r1-tls13-ssl + +[35-curve-sect409r1-tls13-ssl] +server = 35-curve-sect409r1-tls13-server +client = 35-curve-sect409r1-tls13-client + +[35-curve-sect409r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect409r1 
+MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[35-curve-sect409r1-tls13-client] +CipherString = ECDHE +Curves = sect409r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-35] +ExpectedResult = ClientFail + + +# =========================================================== + +[36-curve-sect571k1-tls13] +ssl_conf = 36-curve-sect571k1-tls13-ssl + +[36-curve-sect571k1-tls13-ssl] +server = 36-curve-sect571k1-tls13-server +client = 36-curve-sect571k1-tls13-client + +[36-curve-sect571k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect571k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[36-curve-sect571k1-tls13-client] +CipherString = ECDHE +Curves = sect571k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-36] +ExpectedResult = ClientFail + + +# =========================================================== + +[37-curve-sect571r1-tls13] +ssl_conf = 37-curve-sect571r1-tls13-ssl + +[37-curve-sect571r1-tls13-ssl] +server = 37-curve-sect571r1-tls13-server +client = 37-curve-sect571r1-tls13-client + +[37-curve-sect571r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect571r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[37-curve-sect571r1-tls13-client] +CipherString = ECDHE +Curves = sect571r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-37] +ExpectedResult = ClientFail + + +# =========================================================== + +[38-curve-secp224r1-tls13] +ssl_conf = 38-curve-secp224r1-tls13-ssl + +[38-curve-secp224r1-tls13-ssl] +server = 38-curve-secp224r1-tls13-server +client = 38-curve-secp224r1-tls13-client + +[38-curve-secp224r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem 
+CipherString = DEFAULT +Curves = secp224r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[38-curve-secp224r1-tls13-client] +CipherString = ECDHE +Curves = secp224r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-38] +ExpectedResult = ClientFail + + +# =========================================================== + +[39-curve-sect163k1-tls13] +ssl_conf = 39-curve-sect163k1-tls13-ssl + +[39-curve-sect163k1-tls13-ssl] +server = 39-curve-sect163k1-tls13-server +client = 39-curve-sect163k1-tls13-client + +[39-curve-sect163k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect163k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[39-curve-sect163k1-tls13-client] +CipherString = ECDHE +Curves = sect163k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-39] +ExpectedResult = ClientFail + + +# =========================================================== + +[40-curve-sect163r2-tls13] +ssl_conf = 40-curve-sect163r2-tls13-ssl + +[40-curve-sect163r2-tls13-ssl] +server = 40-curve-sect163r2-tls13-server +client = 40-curve-sect163r2-tls13-client + +[40-curve-sect163r2-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect163r2 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[40-curve-sect163r2-tls13-client] +CipherString = ECDHE +Curves = sect163r2 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-40] +ExpectedResult = ClientFail + + +# =========================================================== + +[41-curve-prime192v1-tls13] +ssl_conf = 41-curve-prime192v1-tls13-ssl + +[41-curve-prime192v1-tls13-ssl] +server = 41-curve-prime192v1-tls13-server +client = 41-curve-prime192v1-tls13-client + +[41-curve-prime192v1-tls13-server] 
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = prime192v1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[41-curve-prime192v1-tls13-client] +CipherString = ECDHE +Curves = prime192v1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-41] +ExpectedResult = ClientFail + + +# =========================================================== + +[42-curve-sect163r1-tls13] +ssl_conf = 42-curve-sect163r1-tls13-ssl + +[42-curve-sect163r1-tls13-ssl] +server = 42-curve-sect163r1-tls13-server +client = 42-curve-sect163r1-tls13-client + +[42-curve-sect163r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect163r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[42-curve-sect163r1-tls13-client] +CipherString = ECDHE +Curves = sect163r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-42] +ExpectedResult = ClientFail + + +# =========================================================== + +[43-curve-sect193r1-tls13] +ssl_conf = 43-curve-sect193r1-tls13-ssl + +[43-curve-sect193r1-tls13-ssl] +server = 43-curve-sect193r1-tls13-server +client = 43-curve-sect193r1-tls13-client + +[43-curve-sect193r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect193r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[43-curve-sect193r1-tls13-client] +CipherString = ECDHE +Curves = sect193r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-43] +ExpectedResult = ClientFail + + +# =========================================================== + +[44-curve-sect193r2-tls13] +ssl_conf = 44-curve-sect193r2-tls13-ssl + +[44-curve-sect193r2-tls13-ssl] +server = 44-curve-sect193r2-tls13-server +client = 
44-curve-sect193r2-tls13-client + +[44-curve-sect193r2-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect193r2 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[44-curve-sect193r2-tls13-client] +CipherString = ECDHE +Curves = sect193r2 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-44] +ExpectedResult = ClientFail + + +# =========================================================== + +[45-curve-sect239k1-tls13] +ssl_conf = 45-curve-sect239k1-tls13-ssl + +[45-curve-sect239k1-tls13-ssl] +server = 45-curve-sect239k1-tls13-server +client = 45-curve-sect239k1-tls13-client + +[45-curve-sect239k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = sect239k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[45-curve-sect239k1-tls13-client] +CipherString = ECDHE +Curves = sect239k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-45] +ExpectedResult = ClientFail + + +# =========================================================== + +[46-curve-secp160k1-tls13] +ssl_conf = 46-curve-secp160k1-tls13-ssl + +[46-curve-secp160k1-tls13-ssl] +server = 46-curve-secp160k1-tls13-server +client = 46-curve-secp160k1-tls13-client + +[46-curve-secp160k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp160k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[46-curve-secp160k1-tls13-client] +CipherString = ECDHE +Curves = secp160k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-46] +ExpectedResult = ClientFail + + +# =========================================================== + +[47-curve-secp160r1-tls13] +ssl_conf = 47-curve-secp160r1-tls13-ssl + +[47-curve-secp160r1-tls13-ssl] +server = 
47-curve-secp160r1-tls13-server +client = 47-curve-secp160r1-tls13-client + +[47-curve-secp160r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp160r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[47-curve-secp160r1-tls13-client] +CipherString = ECDHE +Curves = secp160r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-47] +ExpectedResult = ClientFail + + +# =========================================================== + +[48-curve-secp160r2-tls13] +ssl_conf = 48-curve-secp160r2-tls13-ssl + +[48-curve-secp160r2-tls13-ssl] +server = 48-curve-secp160r2-tls13-server +client = 48-curve-secp160r2-tls13-client + +[48-curve-secp160r2-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp160r2 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[48-curve-secp160r2-tls13-client] +CipherString = ECDHE +Curves = secp160r2 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-48] +ExpectedResult = ClientFail + + +# =========================================================== + +[49-curve-secp192k1-tls13] +ssl_conf = 49-curve-secp192k1-tls13-ssl + +[49-curve-secp192k1-tls13-ssl] +server = 49-curve-secp192k1-tls13-server +client = 49-curve-secp192k1-tls13-client + +[49-curve-secp192k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp192k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[49-curve-secp192k1-tls13-client] +CipherString = ECDHE +Curves = secp192k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-49] +ExpectedResult = ClientFail + + +# =========================================================== + +[50-curve-secp224k1-tls13] +ssl_conf = 50-curve-secp224k1-tls13-ssl + 
+[50-curve-secp224k1-tls13-ssl] +server = 50-curve-secp224k1-tls13-server +client = 50-curve-secp224k1-tls13-client + +[50-curve-secp224k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp224k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[50-curve-secp224k1-tls13-client] +CipherString = ECDHE +Curves = secp224k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-50] +ExpectedResult = ClientFail + + +# =========================================================== + +[51-curve-secp256k1-tls13] +ssl_conf = 51-curve-secp256k1-tls13-ssl + +[51-curve-secp256k1-tls13-ssl] +server = 51-curve-secp256k1-tls13-server +client = 51-curve-secp256k1-tls13-client + +[51-curve-secp256k1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = secp256k1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[51-curve-secp256k1-tls13-client] +CipherString = ECDHE +Curves = secp256k1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-51] +ExpectedResult = ClientFail + + +# =========================================================== + +[52-curve-brainpoolP256r1-tls13] +ssl_conf = 52-curve-brainpoolP256r1-tls13-ssl + +[52-curve-brainpoolP256r1-tls13-ssl] +server = 52-curve-brainpoolP256r1-tls13-server +client = 52-curve-brainpoolP256r1-tls13-client + +[52-curve-brainpoolP256r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = brainpoolP256r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[52-curve-brainpoolP256r1-tls13-client] +CipherString = ECDHE +Curves = brainpoolP256r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-52] +ExpectedResult = ClientFail + + +# 
=========================================================== + +[53-curve-brainpoolP384r1-tls13] +ssl_conf = 53-curve-brainpoolP384r1-tls13-ssl + +[53-curve-brainpoolP384r1-tls13-ssl] +server = 53-curve-brainpoolP384r1-tls13-server +client = 53-curve-brainpoolP384r1-tls13-client + +[53-curve-brainpoolP384r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = brainpoolP384r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[53-curve-brainpoolP384r1-tls13-client] +CipherString = ECDHE +Curves = brainpoolP384r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-53] +ExpectedResult = ClientFail + + +# =========================================================== + +[54-curve-brainpoolP512r1-tls13] +ssl_conf = 54-curve-brainpoolP512r1-tls13-ssl + +[54-curve-brainpoolP512r1-tls13-ssl] +server = 54-curve-brainpoolP512r1-tls13-server +client = 54-curve-brainpoolP512r1-tls13-client + +[54-curve-brainpoolP512r1-tls13-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Curves = brainpoolP512r1 +MaxProtocol = TLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[54-curve-brainpoolP512r1-tls13-client] +CipherString = ECDHE +Curves = brainpoolP512r1 +MinProtocol = TLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-54] +ExpectedResult = ClientFail + + diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in index b5ee4d28276..4c905a8ea85 100644 --- a/test/ssl-tests/14-curves.cnf.in +++ b/test/ssl-tests/14-curves.cnf.in 
@@ -12,19 +12,20 @@ use OpenSSL::Test::Utils qw(anydisabled); our $fips_mode; -my @curves = ("sect233k1", "sect233r1", - "sect283k1", "sect283r1", "sect409k1", "sect409r1", - "sect571k1", "sect571r1", "secp224r1", - "prime256v1", "secp384r1", "secp521r1", "X25519", +my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519", "X448"); +my @curves_tls_1_2 = ("sect233k1", "sect233r1", + "sect283k1", "sect283r1", "sect409k1", "sect409r1", + "sect571k1", "sect571r1", "secp224r1"); + my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1", "sect163r1", "sect193r1", "sect193r2", "sect239k1", "secp160k1", "secp160r1", "secp160r2", "secp192k1", "secp224k1", "secp256k1", "brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"); -push @curves, @curves_non_fips if !$fips_mode; +push @curves_tls_1_2, @curves_non_fips if !$fips_mode; our @tests = (); @@ -35,8 +36,27 @@ sub generate_tests() { name => "curve-${curve}", server => { "Curves" => $curve, - # TODO(TLS1.3): Can we get this to work for TLSv1.3? - "MaxProtocol" => "TLSv1.2" + "MaxProtocol" => "TLSv1.3" + }, + client => { + "CipherString" => "ECDHE", + "MaxProtocol" => "TLSv1.3", + "Curves" => $curve + }, + test => { + "ExpectedTmpKeyType" => $curve, + "ExpectedProtocol" => "TLSv1.3", + "ExpectedResult" => "Success" + }, + }; + } + foreach (0..$#curves_tls_1_2) { + my $curve = $curves_tls_1_2[$_]; + push @tests, { + name => "curve-${curve}", + server => { + "Curves" => $curve, + "MaxProtocol" => "TLSv1.3" }, client => { "CipherString" => "ECDHE", 
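Review bot: The new `@curves_tls_1_2` list has no comment saying what puts a group in it, and its split from `@curves` has to be kept in step by hand with the maximum-version column of `group_list` in providers/common/capabilities.c. A one-line comment above the declaration would make that dependency visible, e.g. `# Groups capped at TLSv1.2 in group_list (providers/common/capabilities.c); keep both in sync`. Since `@curves_non_fips` is now pushed onto `@curves_tls_1_2`, every non-FIPS group is treated as TLSv1.2-only, which is worth stating next to the `push`.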
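Review bot: The first loop now asserts `"ExpectedProtocol" => "TLSv1.3"` unconditionally, and nothing in this hunk skips or adjusts that expectation when the library is built without TLSv1.3. The recipe that runs this file may already exclude such builds, but it is not visible here. If it does not, these cases need a guard, for example through the `anydisabled` helper the file already imports. `generate_tests` starts before this hunk and continues past it.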
@@ -45,10 +65,29 @@ sub generate_tests() { }, test => { "ExpectedTmpKeyType" => $curve, + "ExpectedProtocol" => "TLSv1.2", "ExpectedResult" => "Success" }, }; } + foreach (0..$#curves_tls_1_2) { + my $curve = $curves_tls_1_2[$_]; + push @tests, { + name => "curve-${curve}-tls13", + server => { + "Curves" => $curve, + "MaxProtocol" => "TLSv1.3" + }, + client => { + "CipherString" => "ECDHE", + "MinProtocol" => "TLSv1.3", + "Curves" => $curve + }, + test => { + "ExpectedResult" => "ClientFail" + }, + }; + } } generate_tests();
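Review bot: In the third loop the only assertion is `"ExpectedResult" => "ClientFail"`, so each case passes on any client-side failure, not only when the group is refused for TLSv1.3. A comment stating the intended cause would help when a later regression has to be diagnosed, e.g. `# TLSv1.3-only client restricted to a group capped at TLSv1.2: handshake must fail`. The added `"ExpectedProtocol" => "TLSv1.2"` in the second loop deserves the same, because the server there allows TLSv1.3 and the lower version is the expected outcome rather than an accident. As far as these lines show, only the client's own refusal is exercised; how the server treats a peer that offers such a group in a TLSv1.3 ClientHello is not covered by these cases. `generate_tests` begins outside this hunk.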