From: Frederic Lecaille <flecaille@haproxy.com>
Date: Fri, 5 Dec 2025 18:25:40 +0000 (+0100)
Subject: REGTESTS: quic/ssl: Add ssl_curves_selection.vtc
X-Git-Tag: v3.4-dev1~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7872260525fa696b12e43e948738c59fd7047a4d;p=thirdparty%2Fhaproxy.git

REGTESTS: quic/ssl: Add ssl_curves_selection.vtc

This reg test ensures the curves may be correctly set for frontend
and backends by "ssl-default-bind-curves" and "ssl-default-server-curves"
as global options or with "curves" options on "bind" and "server" lines.
---

diff --git a/reg-tests/quic/ssl_curves_selection.vtc b/reg-tests/quic/ssl_curves_selection.vtc
new file mode 100644
index 000000000..d831f730b
--- /dev/null
+++ b/reg-tests/quic/ssl_curves_selection.vtc
@@ -0,0 +1,17 @@
+#REGTEST_TYPE=devel
+
+# This reg-tests configures three backends and their listener whose
+# curves configured by ssl-default-server-curves and ssl-default-bind-curves
+# correspond to each other. The connection to such backends must all work.
+# A last "wrong-be1" backend with 2 series of 3 servers whose curves
+# do not match their listener curves for the 2 first servers. The last
+# server curves match its listener curves. So, the 2 first connection
+# to "wrong-be1" backend must fail contrary to the last one.
+
+
+varnishtest "Tests for ssl-default-{bind,server}-curves global option and curves option for backends/frontends"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(QUIC) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(3.0.0) || feature(QUIC) && ssllib_name_startswith(AWS-LC) && awslc_api_atleast(35)'"
+
+setenv VTC_SOCK_TYPE quic
+include ${testdir}/../ssl/ssl_curves_selection.vtci
diff --git a/reg-tests/ssl/ssl_curves_selection.vtc b/reg-tests/ssl/ssl_curves_selection.vtc
new file mode 100644
index 000000000..ad38f12de
--- /dev/null
+++ b/reg-tests/ssl/ssl_curves_selection.vtc
@@ -0,0 +1,16 @@
+#REGTEST_TYPE=devel
+
+# This reg-tests configures three backends and their listener whose
+# curves configured by ssl-default-server-curves and ssl-default-bind-curves
+# correspond to each other. The connection to such backends must all work.
+# A last "wrong-be1" backend with 2 series of 3 servers whose curves
+# do not match their listener curves for the 2 first servers. The last
+# server curves match its listener curves. So, the 2 first connection
+# to "wrong-be1" backend must fail contrary to the last one.
+
+varnishtest "Tests for ssl-default-{bind,server}-curves global option and curves option for backends/frontends"
+
+feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL) && ssllib_name_startswith(OpenSSL) && openssl_version_atleast(3.0.0) || feature(OPENSSL) && ssllib_name_startswith(AWS-LC) && awslc_api_atleast(35)'"
+
+setenv VTC_SOCK_TYPE stream
+include ${testdir}/ssl_curves_selection.vtci
diff --git a/reg-tests/ssl/ssl_curves_selection.vtci b/reg-tests/ssl/ssl_curves_selection.vtci
new file mode 100644
index 000000000..815da2935
--- /dev/null
+++ b/reg-tests/ssl/ssl_curves_selection.vtci
@@ -0,0 +1,143 @@
+feature ignore_unknown_macro
+
+barrier b1 cond 2 -cyclic
+
+server s1 -repeat 6 {
+    rxreq
+    txresp
+} -start
+
+haproxy h1 -conf {
+    global
+    .if streq("$VTC_SOCK_TYPE",quic)
+        # required for backend connections
+        expose-experimental-directives
+    .endif
+    .if feature(THREAD)
+        thread-groups 1
+    .endif
+
+    defaults
+        mode http
+        option httpslog
+        log stderr local0 debug err
+        option logasap
+        timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout client  "${HAPROXY_TEST_TIMEOUT-5s}"
+        timeout server  "${HAPROXY_TEST_TIMEOUT-5s}"
+        retries 0
+
+    listen clearlst
+        bind fd@${clearlst}
+        use_backend X25519-be if { path /X25519 }
+        use_backend P-256-be if { path /P-256 }
+        use_backend P-384-be if { path /P-384 }
+        use_backend wrong-be1 if { path /wrong-be1 }
+
+	# Backend and listener for X25519
+    global
+        ssl-default-bind-curves   X25519
+        ssl-default-server-curves X25519
+
+    backend X25519-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_X25519_lst_sock} ssl verify none
+    listen X25519_lst
+        http-response add-header x-curve %[ssl_fc_curve]
+        bind ${VTC_SOCK_TYPE}+fd@${X25519_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+	# Backend and listener for P-256
+    global
+        ssl-default-bind-curves   P-256
+        ssl-default-server-curves P-256
+
+    backend P-256-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_p_256_lst_sock} ssl verify none
+    listen P-256_lst
+        http-response add-header x-curve %[ssl_fc_curve]
+        bind ${VTC_SOCK_TYPE}+fd@${p_256_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+	# Backend and listener for P-384
+    global
+        ssl-default-bind-curves   P-384
+        ssl-default-server-curves P-384
+
+    backend P-384-be
+        server s1 ${VTC_SOCK_TYPE}+${h1_p_384_lst_sock} ssl verify none
+    listen P-384_lst
+        http-response add-header x-curve %[ssl_fc_curve]
+        bind ${VTC_SOCK_TYPE}+fd@${p_384_lst} ssl crt ${testdir}/certs/common.pem
+        server s1 ${s1_sock}
+
+    # servers with their own curves.
+    # connections to s1, s2, s4 and s5 must work, contrary to s3 and s6.
+	backend wrong-be1
+		balance roundrobin
+		server s1 ${VTC_SOCK_TYPE}+${h1_X25519_lst_sock} ssl verify none curves P-384
+		server s2 ${VTC_SOCK_TYPE}+${h1_X25519_lst_sock} ssl verify none curves P-256
+		server s3 ${VTC_SOCK_TYPE}+${h1_X25519_lst_sock} ssl verify none curves X25519
+
+		server s4 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_chacha_sock} ssl verify none curves X25519
+		server s5 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_chacha_sock} ssl verify none curves P-256
+		server s6 ${VTC_SOCK_TYPE}+${h1_own_cipher_suites_chacha_sock} ssl verify none curves P-384
+    # listener with its own P-384 curves
+    listen own_cipher_suites_chacha
+        http-response add-header x-curve %[ssl_fc_curve]
+        bind ${VTC_SOCK_TYPE}+fd@${own_cipher_suites_chacha} ssl crt ${testdir}/certs/common.pem curves P-384
+        server s1 ${s1_sock}
+} -start
+
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/X25519"
+    rxresp
+    expect resp.http.x-curve == X25519
+    expect resp.status == 200
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/P-256"
+    rxresp
+    expect resp.http.x-curve ~ (SECP256R1|prime256v1)
+    expect resp.status == 200
+} -run
+
+client c1 -connect ${h1_clearlst_sock} {
+    txreq -url "/P-384"
+    rxresp
+    expect resp.http.x-curve ~ (SECP384R1|secp384r1)
+    expect resp.status == 200
+} -run
+
+
+# Handshake failures during connection to wrong-be1/s[12]
+client c2 -connect ${h1_clearlst_sock} -repeat 2 {
+    txreq -url "/wrong-be1"
+    rxresp
+    expect resp.status == 503
+} -run
+
+# successul connection to wrong-be1/s3
+client c3 -connect ${h1_clearlst_sock} {
+    txreq -url "/wrong-be1"
+    rxresp
+    expect resp.http.x-curve == X25519
+    expect resp.status == 200
+} -run
+
+# Handshake failures during connections to wrong-be/s[45]
+client c2 -connect ${h1_clearlst_sock} -repeat 2 {
+    txreq -url "/wrong-be1"
+    rxresp
+    expect resp.status == 503
+} -run
+
+# successul connection to wrong-be1/s6
+client c3 -connect ${h1_clearlst_sock} {
+    txreq -url "/wrong-be1"
+    rxresp
+    expect resp.http.x-curve ~ (SECP384R1|secp384r1)
+    expect resp.status == 200
+} -run
+