test-12 = 12-RSA key exchange with all RSA certificate types
test-13 = 13-Suite B P-256 Hash Algorithm Selection
test-14 = 14-Suite B P-384 Hash Algorithm Selection
-test-15 = 15-ECDSA Signature Algorithm Selection SHA1
-test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection
-test-17 = 17-Ed448 CipherString and Signature Algorithm Selection
-test-18 = 18-ECDSA with brainpool
-test-19 = 19-Ed25519 CipherString and Curves Selection
-test-20 = 20-Ed448 CipherString and Curves Selection
-test-21 = 21-TLS 1.2 Ed25519 Client Auth
-test-22 = 22-TLS 1.2 Ed448 Client Auth
+test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection
+test-16 = 16-Ed448 CipherString and Signature Algorithm Selection
+test-17 = 17-Ed25519 CipherString and Curves Selection
+test-18 = 18-Ed448 CipherString and Curves Selection
+test-19 = 19-TLS 1.2 Ed25519 Client Auth
+test-20 = 20-TLS 1.2 Ed448 Client Auth
+test-21 = 21-ECDSA Signature Algorithm Selection SHA1
+test-22 = 22-ECDSA with brainpool
test-23 = 23-RSA-PSS Certificate CipherString Selection
test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection
test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection
# ===========================================================
-[15-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 15-ECDSA Signature Algorithm Selection SHA1-ssl
+[15-Ed25519 CipherString and Signature Algorithm Selection]
+ssl_conf = 15-Ed25519 CipherString and Signature Algorithm Selection-ssl
-[15-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 15-ECDSA Signature Algorithm Selection SHA1-server
-client = 15-ECDSA Signature Algorithm Selection SHA1-client
+[15-Ed25519 CipherString and Signature Algorithm Selection-ssl]
+server = 15-Ed25519 CipherString and Signature Algorithm Selection-server
+client = 15-Ed25519 CipherString and Signature Algorithm Selection-client
-[15-ECDSA Signature Algorithm Selection SHA1-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT:@SECLEVEL=0
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[15-ECDSA Signature Algorithm Selection SHA1-client]
-CipherString = DEFAULT:@SECLEVEL=0
-SignatureAlgorithms = ECDSA+SHA1
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-15]
-ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA1
-ExpectedServerSignType = EC
-
-
-# ===========================================================
-
-[16-Ed25519 CipherString and Signature Algorithm Selection]
-ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl
-
-[16-Ed25519 CipherString and Signature Algorithm Selection-ssl]
-server = 16-Ed25519 CipherString and Signature Algorithm Selection-server
-client = 16-Ed25519 CipherString and Signature Algorithm Selection-client
-
-[16-Ed25519 CipherString and Signature Algorithm Selection-server]
+[15-Ed25519 CipherString and Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-Ed25519 CipherString and Signature Algorithm Selection-client]
+[15-Ed25519 CipherString and Signature Algorithm Selection-client]
CipherString = aECDSA
MaxProtocol = TLSv1.2
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-16]
+[test-15]
ExpectedResult = Success
ExpectedServerCANames = empty
ExpectedServerCertType = Ed25519
# ===========================================================
-[17-Ed448 CipherString and Signature Algorithm Selection]
-ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl
+[16-Ed448 CipherString and Signature Algorithm Selection]
+ssl_conf = 16-Ed448 CipherString and Signature Algorithm Selection-ssl
-[17-Ed448 CipherString and Signature Algorithm Selection-ssl]
-server = 17-Ed448 CipherString and Signature Algorithm Selection-server
-client = 17-Ed448 CipherString and Signature Algorithm Selection-client
+[16-Ed448 CipherString and Signature Algorithm Selection-ssl]
+server = 16-Ed448 CipherString and Signature Algorithm Selection-server
+client = 16-Ed448 CipherString and Signature Algorithm Selection-client
-[17-Ed448 CipherString and Signature Algorithm Selection-server]
+[16-Ed448 CipherString and Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[17-Ed448 CipherString and Signature Algorithm Selection-client]
+[16-Ed448 CipherString and Signature Algorithm Selection-client]
CipherString = aECDSA
MaxProtocol = TLSv1.2
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
VerifyMode = Peer
-[test-17]
+[test-16]
ExpectedResult = Success
ExpectedServerCANames = empty
ExpectedServerCertType = Ed448
# ===========================================================
-[18-ECDSA with brainpool]
-ssl_conf = 18-ECDSA with brainpool-ssl
-
-[18-ECDSA with brainpool-ssl]
-server = 18-ECDSA with brainpool-server
-client = 18-ECDSA with brainpool-client
-
-[18-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
-CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+[17-Ed25519 CipherString and Curves Selection]
+ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl
-[18-ECDSA with brainpool-client]
-CipherString = aECDSA
-Groups = brainpoolP256r1
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
+[17-Ed25519 CipherString and Curves Selection-ssl]
+server = 17-Ed25519 CipherString and Curves Selection-server
+client = 17-Ed25519 CipherString and Curves Selection-client
-[test-18]
-ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = brainpoolP256r1
-ExpectedServerSignType = EC
-
-
-# ===========================================================
-
-[19-Ed25519 CipherString and Curves Selection]
-ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl
-
-[19-Ed25519 CipherString and Curves Selection-ssl]
-server = 19-Ed25519 CipherString and Curves Selection-server
-client = 19-Ed25519 CipherString and Curves Selection-client
-
-[19-Ed25519 CipherString and Curves Selection-server]
+[17-Ed25519 CipherString and Curves Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[19-Ed25519 CipherString and Curves Selection-client]
+[17-Ed25519 CipherString and Curves Selection-client]
CipherString = aECDSA
Curves = X25519
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-19]
+[test-17]
ExpectedResult = Success
ExpectedServerCertType = Ed25519
ExpectedServerSignType = Ed25519
# ===========================================================
-[20-Ed448 CipherString and Curves Selection]
-ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl
+[18-Ed448 CipherString and Curves Selection]
+ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl
-[20-Ed448 CipherString and Curves Selection-ssl]
-server = 20-Ed448 CipherString and Curves Selection-server
-client = 20-Ed448 CipherString and Curves Selection-client
+[18-Ed448 CipherString and Curves Selection-ssl]
+server = 18-Ed448 CipherString and Curves Selection-server
+client = 18-Ed448 CipherString and Curves Selection-client
-[20-Ed448 CipherString and Curves Selection-server]
+[18-Ed448 CipherString and Curves Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[20-Ed448 CipherString and Curves Selection-client]
+[18-Ed448 CipherString and Curves Selection-client]
CipherString = aECDSA
Curves = X448
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
VerifyMode = Peer
-[test-20]
+[test-18]
ExpectedResult = Success
ExpectedServerCertType = Ed448
ExpectedServerSignType = Ed448
# ===========================================================
-[21-TLS 1.2 Ed25519 Client Auth]
-ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl
+[19-TLS 1.2 Ed25519 Client Auth]
+ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl
-[21-TLS 1.2 Ed25519 Client Auth-ssl]
-server = 21-TLS 1.2 Ed25519 Client Auth-server
-client = 21-TLS 1.2 Ed25519 Client Auth-client
+[19-TLS 1.2 Ed25519 Client Auth-ssl]
+server = 19-TLS 1.2 Ed25519 Client Auth-server
+client = 19-TLS 1.2 Ed25519 Client Auth-client
-[21-TLS 1.2 Ed25519 Client Auth-server]
+[19-TLS 1.2 Ed25519 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[21-TLS 1.2 Ed25519 Client Auth-client]
+[19-TLS 1.2 Ed25519 Client Auth-client]
CipherString = DEFAULT
Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-21]
+[test-19]
ExpectedClientCertType = Ed25519
ExpectedClientSignType = Ed25519
ExpectedResult = Success
# ===========================================================
-[22-TLS 1.2 Ed448 Client Auth]
-ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl
+[20-TLS 1.2 Ed448 Client Auth]
+ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl
-[22-TLS 1.2 Ed448 Client Auth-ssl]
-server = 22-TLS 1.2 Ed448 Client Auth-server
-client = 22-TLS 1.2 Ed448 Client Auth-client
+[20-TLS 1.2 Ed448 Client Auth-ssl]
+server = 20-TLS 1.2 Ed448 Client Auth-server
+client = 20-TLS 1.2 Ed448 Client Auth-client
-[22-TLS 1.2 Ed448 Client Auth-server]
+[20-TLS 1.2 Ed448 Client Auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
-[22-TLS 1.2 Ed448 Client Auth-client]
+[20-TLS 1.2 Ed448 Client Auth-client]
CipherString = DEFAULT
Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-22]
+[test-20]
ExpectedClientCertType = Ed448
ExpectedClientSignType = Ed448
ExpectedResult = Success
+# ===========================================================
+
+[21-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl
+
+[21-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 21-ECDSA Signature Algorithm Selection SHA1-server
+client = 21-ECDSA Signature Algorithm Selection SHA1-client
+
+[21-ECDSA Signature Algorithm Selection SHA1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=0
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[21-ECDSA Signature Algorithm Selection SHA1-client]
+CipherString = DEFAULT:@SECLEVEL=0
+SignatureAlgorithms = ECDSA+SHA1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-21]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA1
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[22-ECDSA with brainpool]
+ssl_conf = 22-ECDSA with brainpool-ssl
+
+[22-ECDSA with brainpool-ssl]
+server = 22-ECDSA with brainpool-server
+client = 22-ECDSA with brainpool-client
+
+[22-ECDSA with brainpool-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+CipherString = DEFAULT
+Groups = brainpoolP256r1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+
+[22-ECDSA with brainpool-client]
+CipherString = aECDSA
+Groups = brainpoolP256r1
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-22]
+ExpectedResult = Success
+ExpectedServerCANames = empty
+ExpectedServerCertType = brainpoolP256r1
+ExpectedServerSignType = EC
+
+
# ===========================================================
[23-RSA-PSS Certificate CipherString Selection]
our $fips_mode;
our $no_deflt_libctx;
-my $server;
-
-if ($fips_mode) {
- #TODO(3.0): No EdDSA support in FIPS mode at the moment
- $server = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- };
-} else {
- $server = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- };
-}
+my $server = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+};
my $server_pss = {
"PSS.Certificate" => test_pem("server-pss-cert.pem"),
"ExpectedResult" => "Success"
},
},
-);
-
-my @tests_non_fips = (
- {
- name => "ECDSA Signature Algorithm Selection SHA1",
- server => {
- "CipherString" => "DEFAULT:\@SECLEVEL=0",
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2"
- },
- client => {
- "CipherString" => "DEFAULT:\@SECLEVEL=0",
- "SignatureAlgorithms" => "ECDSA+SHA1",
- },
- test => {
- "ExpectedServerCertType" => "P-256",
- "ExpectedServerSignHash" => "SHA1",
- "ExpectedServerSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
- # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
{
name => "Ed25519 CipherString and Signature Algorithm Selection",
server => $server,
"ExpectedResult" => "Success"
},
},
- {
- name => "ECDSA with brainpool",
- server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
- },
- client => {
- #We don't restrict this to TLSv1.2, although use of brainpool
- #should force this anyway so that this should succeed
- "CipherString" => "aECDSA",
- "RequestCAFile" => test_pem("root-cert.pem"),
- "Groups" => "brainpoolP256r1",
- },
- test => {
- "ExpectedServerCertType" =>, "brainpoolP256r1",
- "ExpectedServerSignType" =>, "EC",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
{
name => "Ed25519 CipherString and Curves Selection",
server => $server,
},
);
+my @tests_non_fips = (
+ {
+ name => "ECDSA Signature Algorithm Selection SHA1",
+ server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA1",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA with brainpool",
+ server => {
+ "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+ "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ client => {
+ #We don't restrict this to TLSv1.2, although use of brainpool
+ #should force this anyway so that this should succeed
+ "CipherString" => "aECDSA",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "brainpoolP256r1",
+ "ExpectedServerSignType" =>, "EC",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
my @tests_pss = (
{
name => "RSA-PSS Certificate CipherString Selection",
);
if (!disabled("dsa")) {
- #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
- push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
}
projects / thirdparty / openssl.git / commitdiff
