## SSL test configurations
-package ssltests;
use strict;
use warnings;
-use OpenSSL::Test;
-use OpenSSL::Test::Utils qw(anydisabled);
-
-my $dir_sep = $^O ne "VMS" ? "/" : "";
+package ssltests;
+use OpenSSL::Test::Utils;
my $server = {
- "ECDSA.Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-cert.pem",
- "ECDSA.PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}server-ecdsa-key.pem",
- # TODO: add test cases for TLSv1.3
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
},
test => {
"ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerSignType" =>, "EC",
"ExpectedResult" => "Success"
},
},
},
test => {
"ExpectedServerCertType" =>, "RSA",
+ "ExpectedServerSignType" =>, "RSA-PSS",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA CipherString Selection, no ECDSA certificate",
- server => { },
+ server => {
+ "MaxProtocol" => "TLSv1.2"
+ },
client => {
"CipherString" => "aECDSA"
},
"SignatureAlgorithms" => "ECDSA+SHA256",
},
test => {
- "ExpectedServerCertType" =>, "P-256",
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection SHA384",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA384",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA384",
+ "ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
- server => { },
+ server => {
+ "MaxProtocol" => "TLSv1.2"
+ },
client => {
"SignatureAlgorithms" => "ECDSA+SHA256",
},
"SignatureAlgorithms" => "RSA+SHA256",
},
test => {
- "ExpectedServerCertType" =>, "RSA",
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "RSA-PSS Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Suite B P-256 Hash Algorithm Selection",
+ server => {
+ "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "SUITEB128"
+ },
+ client => {
+ "VerifyCAFile" => test_pem("p384-root.pem"),
+ "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Suite B P-384 Hash Algorithm Selection",
+ server => {
+ "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "SUITEB128"
+ },
+ client => {
+ "VerifyCAFile" => test_pem("p384-root.pem"),
+ "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
+ },
+ test => {
+ "ExpectedServerCertType" => "P-384",
+ "ExpectedServerSignHash" => "SHA384",
+ "ExpectedServerSignType" => "EC",
"ExpectedResult" => "Success"
},
}
);
+
+
+my $server_tls_1_3 = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+};
+
+my $client_tls_1_3 = {
+ "RSA.Certificate" => test_pem("ee-client-chain.pem"),
+ "RSA.PrivateKey" => test_pem("ee-key.pem"),
+ "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
+ "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+};
+
+my @tests_tls_1_3 = (
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA384",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate",
+ server => {
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "RSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA-PSS Signature Algorithm Selection",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "RSA-PSS+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "RSA",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
+ server => {
+ "ClientSignatureAlgorithms" => "PSS+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
+ server => {
+ "ClientSignatureAlgorithms" => "ECDSA+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "P-256",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
+push @tests, @tests_tls_1_3 unless disabled("tls1_3");
+
+my @tests_dsa_tls_1_2 = (
+ {
+ name => "TLS 1.2 DSA Certificate Test",
+ server => {
+ "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
+ "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
+ "DHParameters" => test_pem("dhp2048.pem"),
+ "MinProtocol" => "TLSv1.2",
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "ALL",
+ },
+ client => {
+ "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
+ "CipherString" => "ALL",
+ },
+ test => {
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
+my @tests_dsa_tls_1_3 = (
+ {
+ name => "TLS 1.3 DSA Certificate Test",
+ server => {
+ "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
+ "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3",
+ "CipherString" => "ALL",
+ },
+ client => {
+ "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256",
+ "CipherString" => "ALL",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+);
+
+if (!disabled("dsa")) {
+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
+ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
+}