From bcc364896e0afe822ba83485d8fc9d47cd75d009 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 21 Feb 2025 17:09:22 +0100
Subject: [PATCH] 28-seclevel.cnf.in: Enable some groups required for high SECLEVELs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Reviewed-by: Tim Hudson
Reviewed-by: Saša Nedvědický
(Merged from https://github.com/openssl/openssl/pull/26801)
---
 test/ssl-tests/28-seclevel.cnf | 6 ++++++
 test/ssl-tests/28-seclevel.cnf.in | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/test/ssl-tests/28-seclevel.cnf b/test/ssl-tests/28-seclevel.cnf
index 99fa8109c36..d75a7b1ef9a 100644
--- a/test/ssl-tests/28-seclevel.cnf
+++ b/test/ssl-tests/28-seclevel.cnf
@@ -43,10 +43,12 @@ client = 1-SECLEVEL 4 with ED448 key-client [1-SECLEVEL 4 with ED448 key-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem CipherString = DEFAULT:@SECLEVEL=4 +Groups = ?X448:?secp521r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem [1-SECLEVEL 4 with ED448 key-client] CipherString = DEFAULT:@SECLEVEL=4 +Groups = ?X448:?secp521r1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer
@@ -66,10 +68,12 @@ client = 2-SECLEVEL 5 server with ED448 key-client [2-SECLEVEL 5 server with ED448 key-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem CipherString = DEFAULT:@SECLEVEL=5 +Groups = ?X448:?secp521r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem [2-SECLEVEL 5 server with ED448 key-client] CipherString = DEFAULT:@SECLEVEL=4 +Groups = ?X448:?secp521r1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer
@@ -89,10 +93,12 @@ client = 3-SECLEVEL 5 client with ED448 key-client [3-SECLEVEL 5 client with ED448 key-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem CipherString = DEFAULT:@SECLEVEL=4 +Groups = ?X448:?secp521r1 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem [3-SECLEVEL 5 client with ED448 key-client] CipherString = DEFAULT:@SECLEVEL=5 +Groups = ?X448:?secp521r1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer
diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in
index f227deadcdf..b9d0fe87e38 100644
--- a/test/ssl-tests/28-seclevel.cnf.in
+++ b/test/ssl-tests/28-seclevel.cnf.in
@@ -27,9 +27,11 @@ our @tests_ec = (
 {
 name => "SECLEVEL 4 with ED448 key",
 server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
+ "Groups" => "?X448:?secp521r1",
 "Certificate" => test_pem("server-ed448-cert.pem"),
 "PrivateKey" => test_pem("server-ed448-key.pem") },
 client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
+ "Groups" => "?X448:?secp521r1",
 "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
 test => { "ExpectedResult" => "Success" },
 },
@@ -40,9 +42,11 @@ our @tests_ec = (
 # the order will be reversed and it will instead fail to load the key.
 name => "SECLEVEL 5 server with ED448 key",
 server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
+ "Groups" => "?X448:?secp521r1",
 "Certificate" => test_pem("server-ed448-cert.pem"),
 "PrivateKey" => test_pem("server-ed448-key.pem") },
 client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
+ "Groups" => "?X448:?secp521r1",
 "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
 test => { "ExpectedResult" => "ServerFail" },
 },
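Review bot: The `"Groups" => "?X448:?secp521r1"` entries added to the server and client of "SECLEVEL 4 with ED448 key" carry no comment saying why the group list is pinned or what the `?` prefix is for, and the same unexplained pair is repeated in the hunks at -40,9 and -51,9. The commit subject suggests the default groups no longer satisfy the high security levels, but a reader of the test file alone cannot tell that, nor whether a build lacking both groups is expected to skip or fail these cases. I would add on the first use a comment such as `# Default groups may not meet SECLEVEL 4/5; '?' skips a group this build lacks.` The enclosing `@tests_ec` list starts above this hunk.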
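Review bot: `"ExpectedResult" => "ServerFail"` in the "SECLEVEL 5 server with ED448 key" case does not pin the cause of the failure, so this case, and the "SECLEVEL 5 client with ED448 key" case in the hunk at -51,9, would still pass if the handshake died at group selection rather than at the signature-algorithm check the surrounding comments describe. The new `Groups` lines appear intended to take key exchange out of the picture, but nothing in the test asserts that. If the harness's `ExpectedServerAlert` option fits here, adding it to the `test` hash with the alert that the signature-algorithm rejection produces would make a later regression in the group list visible; failing that, a comment such as `# Groups are set so the failure comes from the signature algorithm, not from key exchange.` records the intent. The comment block and the opening `{` of this entry start above the hunk.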
@@ -51,9 +55,11 @@ our @tests_ec = (
 # doesn't have a usable signature algorithm for the certificate.
 name => "SECLEVEL 5 client with ED448 key",
 server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
+ "Groups" => "?X448:?secp521r1",
 "Certificate" => test_pem("server-ed448-cert.pem"),
 "PrivateKey" => test_pem("server-ed448-key.pem") },
 client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
+ "Groups" => "?X448:?secp521r1",
 "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
 test => { "ExpectedResult" => "ServerFail" },
 }
-- 
2.47.2