From ab5a02f70726e28b3c39391aac29a4aedb080ea3 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 7 Apr 2020 16:22:49 +0100
Subject: [PATCH 1/1] Teach ssl_test_new to have different tests for different loaded providers

We now run the tests twice: Once with no specific providers loaded and just using the default libctx, and a second time with a non-default libctx and the default provider. In the second run we disable tests which use a PSS cert/key because we don't yet have support for that.
Reviewed-by: Shane Lontis
(Merged from https://github.com/openssl/openssl/pull/11511)
---
 test/generate_ssl_tests.pl | 13 +-
 test/recipes/80-test_ssl_new.t | 18 +-
 test/ssl-tests/20-cert-select.cnf | 728 +++++++++++++--------------
 test/ssl-tests/20-cert-select.cnf.in | 239 ++++-----
 test/ssl_test.c | 16 +-
 5 files changed, 516 insertions(+), 498 deletions(-)
diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl
index 8cfc451fbb..580bfb5e70 100644
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -127,17 +127,28 @@ sub print_templates {
 # Shamelessly copied from Configure.
 sub read_config {
 my $fname = shift;
+ my $provider = shift;
+ my $fips_mode = "0";
+ my $no_deflt_libctx = "0";
+
+ $fips_mode = "1" if $provider eq "fips";
+ $no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips";
+
 open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
 local $/ = undef;
 my $content = ;
+ $content =~ s/FIPS_MODE/$fips_mode/g;
+ $content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g;
+
 close(INPUT);
 eval $content;
 warn $@ if $@;
 }
 my $input_file = shift;
+my $provider = shift;
 # Reads the tests into ssltests::tests.
-read_config($input_file);
+read_config($input_file, $provider);
 print_templates();
 1;
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 5ee872557d..6d6fa5cae3 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
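Review bot: In test/generate_ssl_tests.pl, `read_config` uses `$provider` without checking that it was supplied or that it is a value the function knows, so a missing second argument makes the `eq` comparisons run on undef and a misspelled name silently generates the no-provider configuration. Because the generated file decides whether the FIPS and non-default-libctx variants are exercised at all, I would fail loudly instead: `my $provider = shift // "none";` followed by `die "Unknown provider '$provider'\n" unless $provider =~ /\A(?:none|default|fips)\z/;`. The two substitutions are unanchored and run on text that is then handed to `eval`, so `s/\bFIPS_MODE\b/$fips_mode/g` and `s/\bNO_DEFLT_LIBCTX\b/$no_deflt_libctx/g` would keep them from rewriting a longer identifier that happens to contain the token. The replacement values are the fixed strings "0" and "1", so the command-line argument itself never reaches the `eval`; a one-line comment saying so would help the next reader.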
@@ -108,26 +108,30 @@ my %skip = (
 foreach my $conf (@conf_files) {
 subtest "Test configuration $conf" => sub {
+ plan tests => 6;
 test_conf($conf,
 $conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
- defined($skip{$conf}) ? $skip{$conf} : $no_tls);
+ defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+ "none");
+ test_conf($conf,
+ 0,
+ defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+ "default");
 }
 }
 sub test_conf {
- plan tests => 3;
-
- my ($conf, $check_source, $skip) = @_;
+ my ($conf, $check_source, $skip, $provider) = @_;
 my $conf_file = srctop_file("test", "ssl-tests", $conf);
 my $input_file = $conf_file . ".in";
- my $output_file = $conf;
+ my $output_file = $conf . "." . $provider;
 my $run_test = 1;
 SKIP: {
 # "Test" 1. Generate the source.
 skip 'failure', 2 unless
- ok(run(perltest(["generate_ssl_tests.pl", $input_file],
+ ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
 interpreter_args => [ "-I", srctop_dir("util", "perl")],
 stdout => $output_file)),
 "Getting output from generate_ssl_tests.pl.");
@@ -145,7 +149,7 @@ sub test_conf {
 skip "No tests available; skipping tests", 1 if $skip;
 skip "Stale sources; skipping tests", 1 if !$run_test;
- ok(run(test(["ssl_test", $output_file, "default"])),
+ ok(run(test(["ssl_test", $output_file, $provider])),
 "running ssl_test $conf");
 }
 }
diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf
index 757b973e57..5f75ae191c 100644
--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
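Review bot: In the first hunk of test/recipes/80-test_ssl_new.t, `plan tests => 6` is a bare number that has to stay equal to the three checks inside `test_conf` times the two provider runs, and nothing in the subtest says so. A comment such as `# 3 checks per test_conf() call, one call per provider ("none", "default")` would keep the plan in step when either side changes. The second call passes `0` for `$check_source`, so as far as this hunk shows the file generated for the "default" provider is never compared with a checked-in copy; a short comment stating that this is intended would prevent it from being read as an oversight. `test_conf` continues past the end of this hunk.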
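Review bot: In the second hunk of test/recipes/80-test_ssl_new.t, the description `"running ssl_test $conf"` on the changed `ok(...)` is now emitted once per provider with identical text, so a failure in the log does not say which provider run broke. Including the provider, e.g. `"running ssl_test $conf with provider $provider"`, makes the two runs distinguishable. The same applies to the `"Getting output from generate_ssl_tests.pl."` description in the first hunk. `test_conf` starts before this hunk.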
@@ -9,33 +9,33 @@ test-3 = 3-Ed25519 CipherString and Signature Algorithm Selection test-4 = 4-Ed448 CipherString and Signature Algorithm Selection test-5 = 5-ECDSA with brainpool test-6 = 6-RSA CipherString Selection -test-7 = 7-RSA-PSS Certificate CipherString Selection -test-8 = 8-P-256 CipherString and Signature Algorithm Selection -test-9 = 9-Ed25519 CipherString and Curves Selection -test-10 = 10-Ed448 CipherString and Curves Selection -test-11 = 11-ECDSA CipherString Selection, no ECDSA certificate -test-12 = 12-ECDSA Signature Algorithm Selection -test-13 = 13-ECDSA Signature Algorithm Selection SHA384 -test-14 = 14-ECDSA Signature Algorithm Selection SHA1 -test-15 = 15-ECDSA Signature Algorithm Selection compressed point -test-16 = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-17 = 17-RSA Signature Algorithm Selection -test-18 = 18-RSA-PSS Signature Algorithm Selection -test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection -test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection -test-21 = 21-Only RSA-PSS Certificate -test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms -test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms -test-24 = 24-Only RSA-PSS Restricted Certificate -test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms -test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm -test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms -test-28 = 28-RSA key exchange with all RSA certificate types -test-29 = 29-RSA key exchange with only RSA-PSS certificate -test-30 = 30-Suite B P-256 Hash Algorithm Selection -test-31 = 31-Suite B P-384 Hash Algorithm Selection -test-32 = 32-TLS 1.2 Ed25519 Client Auth -test-33 = 33-TLS 1.2 Ed448 Client Auth +test-7 = 7-P-256 CipherString and Signature Algorithm Selection +test-8 = 8-Ed25519 CipherString and Curves Selection +test-9 = 9-Ed448 CipherString and Curves Selection +test-10 = 
10-ECDSA CipherString Selection, no ECDSA certificate +test-11 = 11-ECDSA Signature Algorithm Selection +test-12 = 12-ECDSA Signature Algorithm Selection SHA384 +test-13 = 13-ECDSA Signature Algorithm Selection SHA1 +test-14 = 14-ECDSA Signature Algorithm Selection compressed point +test-15 = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-16 = 16-RSA Signature Algorithm Selection +test-17 = 17-RSA-PSS Signature Algorithm Selection +test-18 = 18-RSA key exchange with all RSA certificate types +test-19 = 19-Suite B P-256 Hash Algorithm Selection +test-20 = 20-Suite B P-384 Hash Algorithm Selection +test-21 = 21-TLS 1.2 Ed25519 Client Auth +test-22 = 22-TLS 1.2 Ed448 Client Auth +test-23 = 23-RSA-PSS Certificate CipherString Selection +test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection +test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection +test-26 = 26-Only RSA-PSS Certificate +test-27 = 27-Only RSA-PSS Certificate Valid Signature Algorithms +test-28 = 28-RSA-PSS Certificate, no PSS signature algorithms +test-29 = 29-Only RSA-PSS Restricted Certificate +test-30 = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms +test-31 = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm +test-32 = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms +test-33 = 33-RSA key exchange with only RSA-PSS certificate test-34 = 34-Only RSA-PSS Certificate, TLS v1.1 test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point 
@@ -292,14 +292,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[7-RSA-PSS Certificate CipherString Selection] -ssl_conf = 7-RSA-PSS Certificate CipherString Selection-ssl +[7-P-256 CipherString and Signature Algorithm Selection] +ssl_conf = 7-P-256 CipherString and Signature Algorithm Selection-ssl -[7-RSA-PSS Certificate CipherString Selection-ssl] -server = 7-RSA-PSS Certificate CipherString Selection-server -client = 7-RSA-PSS Certificate CipherString Selection-client +[7-P-256 CipherString and Signature Algorithm Selection-ssl] +server = 7-P-256 CipherString and Signature Algorithm Selection-server +client = 7-P-256 CipherString and Signature Algorithm Selection-client -[7-RSA-PSS Certificate CipherString Selection-server] +[7-P-256 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -309,51 +309,16 @@ Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 -PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-RSA-PSS Certificate CipherString Selection-client] -CipherString = aRSA -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-7] -ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignType = RSA-PSS - - -# =========================================================== - -[8-P-256 CipherString and Signature Algorithm Selection] -ssl_conf = 8-P-256 CipherString and Signature Algorithm Selection-ssl - -[8-P-256 CipherString and Signature Algorithm Selection-ssl] -server = 8-P-256 CipherString and Signature Algorithm Selection-server -client = 8-P-256 CipherString and Signature Algorithm Selection-client - -[8-P-256 CipherString and Signature Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[8-P-256 CipherString and Signature Algorithm Selection-client] +[7-P-256 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
-[test-8] +[test-7] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -362,14 +327,14 @@ ExpectedServerSignType = EC # =========================================================== -[9-Ed25519 CipherString and Curves Selection] -ssl_conf = 9-Ed25519 CipherString and Curves Selection-ssl +[8-Ed25519 CipherString and Curves Selection] +ssl_conf = 8-Ed25519 CipherString and Curves Selection-ssl -[9-Ed25519 CipherString and Curves Selection-ssl] -server = 9-Ed25519 CipherString and Curves Selection-server -client = 9-Ed25519 CipherString and Curves Selection-client +[8-Ed25519 CipherString and Curves Selection-ssl] +server = 8-Ed25519 CipherString and Curves Selection-server +client = 8-Ed25519 CipherString and Curves Selection-client -[9-Ed25519 CipherString and Curves Selection-server] +[8-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -381,7 +346,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-Ed25519 CipherString and Curves Selection-client] +[8-Ed25519 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X25519 MaxProtocol = TLSv1.2 @@ -389,7 +354,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-8] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 
@@ -397,14 +362,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[10-Ed448 CipherString and Curves Selection] -ssl_conf = 10-Ed448 CipherString and Curves Selection-ssl +[9-Ed448 CipherString and Curves Selection] +ssl_conf = 9-Ed448 CipherString and Curves Selection-ssl -[10-Ed448 CipherString and Curves Selection-ssl] -server = 10-Ed448 CipherString and Curves Selection-server -client = 10-Ed448 CipherString and Curves Selection-client +[9-Ed448 CipherString and Curves Selection-ssl] +server = 9-Ed448 CipherString and Curves Selection-server +client = 9-Ed448 CipherString and Curves Selection-client -[10-Ed448 CipherString and Curves Selection-server] +[9-Ed448 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -416,7 +381,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-Ed448 CipherString and Curves Selection-client] +[9-Ed448 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X448 MaxProtocol = TLSv1.2 @@ -424,7 +389,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-10] +[test-9] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 
@@ -432,39 +397,39 @@ ExpectedServerSignType = Ed448 # =========================================================== -[11-ECDSA CipherString Selection, no ECDSA certificate] -ssl_conf = 11-ECDSA CipherString Selection, no ECDSA certificate-ssl +[10-ECDSA CipherString Selection, no ECDSA certificate] +ssl_conf = 10-ECDSA CipherString Selection, no ECDSA certificate-ssl -[11-ECDSA CipherString Selection, no ECDSA certificate-ssl] -server = 11-ECDSA CipherString Selection, no ECDSA certificate-server -client = 11-ECDSA CipherString Selection, no ECDSA certificate-client +[10-ECDSA CipherString Selection, no ECDSA certificate-ssl] +server = 10-ECDSA CipherString Selection, no ECDSA certificate-server +client = 10-ECDSA CipherString Selection, no ECDSA certificate-client -[11-ECDSA CipherString Selection, no ECDSA certificate-server] +[10-ECDSA CipherString Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-ECDSA CipherString Selection, no ECDSA certificate-client] +[10-ECDSA CipherString Selection, no ECDSA certificate-client] CipherString = aECDSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-11] +[test-10] ExpectedResult = ServerFail # =========================================================== -[12-ECDSA Signature Algorithm Selection] -ssl_conf = 12-ECDSA Signature Algorithm Selection-ssl +[11-ECDSA Signature Algorithm Selection] +ssl_conf = 11-ECDSA Signature Algorithm Selection-ssl -[12-ECDSA Signature Algorithm Selection-ssl] -server = 12-ECDSA Signature Algorithm Selection-server -client = 12-ECDSA Signature Algorithm Selection-client +[11-ECDSA Signature Algorithm Selection-ssl] +server = 11-ECDSA Signature Algorithm Selection-server +client = 11-ECDSA Signature Algorithm Selection-client -[12-ECDSA Signature Algorithm Selection-server] +[11-ECDSA Signature Algorithm 
Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -476,13 +441,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-ECDSA Signature Algorithm Selection-client] +[11-ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-12] +[test-11] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -491,14 +456,14 @@ ExpectedServerSignType = EC # =========================================================== -[13-ECDSA Signature Algorithm Selection SHA384] -ssl_conf = 13-ECDSA Signature Algorithm Selection SHA384-ssl +[12-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 12-ECDSA Signature Algorithm Selection SHA384-ssl -[13-ECDSA Signature Algorithm Selection SHA384-ssl] -server = 13-ECDSA Signature Algorithm Selection SHA384-server -client = 13-ECDSA Signature Algorithm Selection SHA384-client +[12-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 12-ECDSA Signature Algorithm Selection SHA384-server +client = 12-ECDSA Signature Algorithm Selection SHA384-client -[13-ECDSA Signature Algorithm Selection SHA384-server] +[12-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -510,13 +475,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-ECDSA Signature Algorithm Selection SHA384-client] +[12-ECDSA Signature Algorithm Selection SHA384-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-13] +[test-12] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA384 @@ -525,14 +490,14 @@ ExpectedServerSignType = EC # =========================================================== -[14-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 14-ECDSA Signature Algorithm Selection SHA1-ssl +[13-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 13-ECDSA Signature Algorithm Selection SHA1-ssl -[14-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 14-ECDSA Signature Algorithm Selection SHA1-server -client = 14-ECDSA Signature Algorithm Selection SHA1-client +[13-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 13-ECDSA Signature Algorithm Selection SHA1-server +client = 13-ECDSA Signature Algorithm Selection SHA1-client -[14-ECDSA Signature Algorithm Selection SHA1-server] +[13-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -544,13 +509,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-ECDSA Signature Algorithm Selection SHA1-client] +[13-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-14] +[test-13] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA1 
@@ -559,14 +524,14 @@ ExpectedServerSignType = EC # =========================================================== -[15-ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 15-ECDSA Signature Algorithm Selection compressed point-ssl +[14-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 14-ECDSA Signature Algorithm Selection compressed point-ssl -[15-ECDSA Signature Algorithm Selection compressed point-ssl] -server = 15-ECDSA Signature Algorithm Selection compressed point-server -client = 15-ECDSA Signature Algorithm Selection compressed point-client +[14-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 14-ECDSA Signature Algorithm Selection compressed point-server +client = 14-ECDSA Signature Algorithm Selection compressed point-client -[15-ECDSA Signature Algorithm Selection compressed point-server] +[14-ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -574,13 +539,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-ECDSA Signature Algorithm Selection compressed point-client] +[14-ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-15] +[test-14] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 
@@ -589,39 +554,39 @@ ExpectedServerSignType = EC # =========================================================== -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-15] ExpectedResult = ServerFail # =========================================================== -[17-RSA Signature Algorithm Selection] -ssl_conf = 17-RSA Signature Algorithm Selection-ssl +[16-RSA Signature Algorithm Selection] +ssl_conf = 16-RSA Signature Algorithm Selection-ssl -[17-RSA Signature Algorithm Selection-ssl] -server = 17-RSA Signature Algorithm Selection-server -client = 17-RSA Signature Algorithm Selection-client +[16-RSA Signature Algorithm Selection-ssl] +server = 16-RSA Signature Algorithm Selection-server +client = 16-RSA Signature Algorithm 
Selection-client -[17-RSA Signature Algorithm Selection-server] +[16-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -633,13 +598,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[17-RSA Signature Algorithm Selection-client] +[16-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-17] +[test-16] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -648,14 +613,14 @@ ExpectedServerSignType = RSA # =========================================================== -[18-RSA-PSS Signature Algorithm Selection] -ssl_conf = 18-RSA-PSS Signature Algorithm Selection-ssl +[17-RSA-PSS Signature Algorithm Selection] +ssl_conf = 17-RSA-PSS Signature Algorithm Selection-ssl -[18-RSA-PSS Signature Algorithm Selection-ssl] -server = 18-RSA-PSS Signature Algorithm Selection-server -client = 18-RSA-PSS Signature Algorithm Selection-client +[17-RSA-PSS Signature Algorithm Selection-ssl] +server = 17-RSA-PSS Signature Algorithm Selection-server +client = 17-RSA-PSS Signature Algorithm Selection-client -[18-RSA-PSS Signature Algorithm Selection-server] +[17-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -667,13 +632,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[18-RSA-PSS Signature Algorithm Selection-client] +[17-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-18] +[test-17] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 
@@ -682,196 +647,250 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection] -ssl_conf = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl +[18-RSA key exchange with all RSA certificate types] +ssl_conf = 18-RSA key exchange with all RSA certificate types-ssl -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl] -server = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-server -client = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-client +[18-RSA key exchange with all RSA certificate types-ssl] +server = 18-RSA key exchange with all RSA certificate types-server +client = 18-RSA key exchange with all RSA certificate types-client -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-server] +[18-RSA key exchange with all RSA certificate types-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA-PSS+SHA256 +[18-RSA key exchange with all RSA certificate types-client] +CipherString = kRSA +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-19] +[test-18] ExpectedResult = Success ExpectedServerCertType = RSA -ExpectedServerSignHash = 
SHA256 -ExpectedServerSignType = RSA-PSS # =========================================================== -[20-RSA-PSS Certificate Unified Signature Algorithm Selection] -ssl_conf = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl +[19-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 19-Suite B P-256 Hash Algorithm Selection-ssl -[20-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl] -server = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-server -client = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-client +[19-Suite B P-256 Hash Algorithm Selection-ssl] +server = 19-Suite B P-256 Hash Algorithm Selection-server +client = 19-Suite B P-256 Hash Algorithm Selection-client -[20-RSA-PSS Certificate Unified Signature Algorithm Selection-server] +[19-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[19-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +VerifyMode = Peer + +[test-19] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC + + +# =========================================================== + +[20-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 
20-Suite B P-384 Hash Algorithm Selection-ssl + +[20-Suite B P-384 Hash Algorithm Selection-ssl] +server = 20-Suite B P-384 Hash Algorithm Selection-server +client = 20-Suite B P-384 Hash Algorithm Selection-client + +[20-Suite B P-384 Hash Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 -PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-RSA-PSS Certificate Unified Signature Algorithm Selection-client] +[20-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = rsa_pss_pss_sha256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer [test-20] ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA-PSS +ExpectedServerCertType = P-384 +ExpectedServerSignHash = SHA384 +ExpectedServerSignType = EC # =========================================================== -[21-Only RSA-PSS Certificate] -ssl_conf = 21-Only RSA-PSS Certificate-ssl +[21-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl -[21-Only RSA-PSS Certificate-ssl] -server = 21-Only RSA-PSS Certificate-server -client = 21-Only RSA-PSS Certificate-client +[21-TLS 1.2 Ed25519 Client Auth-ssl] +server = 21-TLS 1.2 Ed25519 Client Auth-server +client = 21-TLS 1.2 Ed25519 Client Auth-client -[21-Only RSA-PSS Certificate-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +[21-TLS 1.2 Ed25519 Client Auth-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = 
${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[21-Only RSA-PSS Certificate-client] +[21-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-21] +ExpectedClientCertType = Ed25519 +ExpectedClientSignType = Ed25519 ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA-PSS # =========================================================== -[22-Only RSA-PSS Certificate Valid Signature Algorithms] -ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl +[22-TLS 1.2 Ed448 Client Auth] +ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl -[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl] -server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server -client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client +[22-TLS 1.2 Ed448 Client Auth-ssl] +server = 22-TLS 1.2 Ed448 Client Auth-server +client = 22-TLS 1.2 Ed448 Client Auth-client -[22-Only RSA-PSS Certificate Valid Signature Algorithms-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +[22-TLS 1.2 Ed448 Client Auth-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[22-Only RSA-PSS Certificate Valid Signature Algorithms-client] +[22-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT -SignatureAlgorithms = rsa_pss_pss_sha512 +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem 
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedClientCertType = Ed448 +ExpectedClientSignType = Ed448 ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignHash = SHA512 -ExpectedServerSignType = RSA-PSS # =========================================================== -[23-RSA-PSS Certificate, no PSS signature algorithms] -ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl +[23-RSA-PSS Certificate CipherString Selection] +ssl_conf = 23-RSA-PSS Certificate CipherString Selection-ssl -[23-RSA-PSS Certificate, no PSS signature algorithms-ssl] -server = 23-RSA-PSS Certificate, no PSS signature algorithms-server -client = 23-RSA-PSS Certificate, no PSS signature algorithms-client +[23-RSA-PSS Certificate CipherString Selection-ssl] +server = 23-RSA-PSS Certificate CipherString Selection-server +client = 23-RSA-PSS Certificate CipherString Selection-client -[23-RSA-PSS Certificate, no PSS signature algorithms-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +[23-RSA-PSS Certificate CipherString Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-RSA-PSS Certificate, no PSS signature 
algorithms-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 +[23-RSA-PSS Certificate CipherString Selection-client] +CipherString = aRSA +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-23] -ExpectedResult = ServerFail +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignType = RSA-PSS # =========================================================== -[24-Only RSA-PSS Restricted Certificate] -ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection] +ssl_conf = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl -[24-Only RSA-PSS Restricted Certificate-ssl] -server = 24-Only RSA-PSS Restricted Certificate-server -client = 24-Only RSA-PSS Restricted Certificate-client +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl] +server = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-server +client = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-client -[24-Only RSA-PSS Restricted Certificate-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[24-Only RSA-PSS 
Restricted Certificate-client] +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-client] CipherString = DEFAULT +SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-24] ExpectedResult = Success -ExpectedServerCertType = RSA-PSS +ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 ExpectedServerSignType = RSA-PSS # =========================================================== -[25-RSA-PSS Restricted Certificate Valid Signature Algorithms] -ssl_conf = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl +[25-RSA-PSS Certificate Unified Signature Algorithm Selection] +ssl_conf = 25-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl -[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl] -server = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server -client = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client +[25-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl] +server = 25-RSA-PSS Certificate Unified Signature Algorithm Selection-server +client = 25-RSA-PSS Certificate Unified Signature Algorithm Selection-client -[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +[25-RSA-PSS Certificate Unified Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PSS.Certificate = 
${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[25-RSA-PSS Restricted Certificate Valid Signature Algorithms-client] +[25-RSA-PSS Certificate Unified Signature Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512 +SignatureAlgorithms = rsa_pss_pss_sha256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -884,21 +903,20 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm] -ssl_conf = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl +[26-Only RSA-PSS Certificate] +ssl_conf = 26-Only RSA-PSS Certificate-ssl -[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl] -server = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server -client = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client +[26-Only RSA-PSS Certificate-ssl] +server = 26-Only RSA-PSS Certificate-server +client = 26-Only RSA-PSS Certificate-client -[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +[26-Only RSA-PSS Certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client] +[26-Only RSA-PSS Certificate-client] CipherString = DEFAULT -SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -911,199 +929,181 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms] -ssl_conf = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl +[27-Only RSA-PSS Certificate Valid Signature Algorithms] +ssl_conf = 27-Only RSA-PSS Certificate Valid Signature Algorithms-ssl -[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl] -server = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server -client = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client +[27-Only RSA-PSS Certificate Valid Signature Algorithms-ssl] +server = 27-Only RSA-PSS Certificate Valid Signature Algorithms-server +client = 27-Only RSA-PSS Certificate Valid Signature Algorithms-client -[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +[27-Only RSA-PSS Certificate Valid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[27-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client] +[27-Only RSA-PSS Certificate Valid Signature Algorithms-client] CipherString = DEFAULT SignatureAlgorithms = rsa_pss_pss_sha512 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-27] -ExpectedResult = ServerFail +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA512 +ExpectedServerSignType = RSA-PSS # =========================================================== -[28-RSA key exchange with all RSA certificate types] -ssl_conf = 28-RSA key exchange with all RSA certificate types-ssl +[28-RSA-PSS Certificate, no PSS signature algorithms] +ssl_conf = 28-RSA-PSS Certificate, no PSS signature algorithms-ssl -[28-RSA key 
exchange with all RSA certificate types-ssl] -server = 28-RSA key exchange with all RSA certificate types-server -client = 28-RSA key exchange with all RSA certificate types-client +[28-RSA-PSS Certificate, no PSS signature algorithms-ssl] +server = 28-RSA-PSS Certificate, no PSS signature algorithms-server +client = 28-RSA-PSS Certificate, no PSS signature algorithms-client -[28-RSA key exchange with all RSA certificate types-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[28-RSA-PSS Certificate, no PSS signature algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT -PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[28-RSA key exchange with all RSA certificate types-client] -CipherString = kRSA -MaxProtocol = TLSv1.2 +[28-RSA-PSS Certificate, no PSS signature algorithms-client] +CipherString = DEFAULT +SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-28] -ExpectedResult = Success -ExpectedServerCertType = RSA +ExpectedResult = ServerFail # =========================================================== -[29-RSA key exchange with only RSA-PSS certificate] -ssl_conf = 29-RSA key exchange with only RSA-PSS certificate-ssl +[29-Only RSA-PSS Restricted Certificate] +ssl_conf = 29-Only RSA-PSS Restricted Certificate-ssl -[29-RSA key exchange with only RSA-PSS certificate-ssl] -server = 29-RSA key exchange with only RSA-PSS certificate-server -client = 29-RSA key exchange with only RSA-PSS certificate-client +[29-Only RSA-PSS Restricted Certificate-ssl] +server = 29-Only RSA-PSS Restricted Certificate-server +client = 29-Only RSA-PSS Restricted Certificate-client -[29-RSA key exchange with only RSA-PSS certificate-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem 
+[29-Only RSA-PSS Restricted Certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem -[29-RSA key exchange with only RSA-PSS certificate-client] -CipherString = kRSA -MaxProtocol = TLSv1.2 +[29-Only RSA-PSS Restricted Certificate-client] +CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-29] -ExpectedResult = ServerFail +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS # =========================================================== -[30-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 30-Suite B P-256 Hash Algorithm Selection-ssl +[30-RSA-PSS Restricted Certificate Valid Signature Algorithms] +ssl_conf = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl -[30-Suite B P-256 Hash Algorithm Selection-ssl] -server = 30-Suite B P-256 Hash Algorithm Selection-server -client = 30-Suite B P-256 Hash Algorithm Selection-client +[30-RSA-PSS Restricted Certificate Valid Signature Algorithms-ssl] +server = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms-server +client = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms-client -[30-Suite B P-256 Hash Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = SUITEB128 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +[30-RSA-PSS Restricted Certificate Valid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem -[30-Suite B P-256 Hash Algorithm Selection-client] +[30-RSA-PSS 
Restricted Certificate Valid Signature Algorithms-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +SignatureAlgorithms = rsa_pss_pss_sha256:rsa_pss_pss_sha512 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-30] ExpectedResult = Success -ExpectedServerCertType = P-256 +ExpectedServerCertType = RSA-PSS ExpectedServerSignHash = SHA256 -ExpectedServerSignType = EC +ExpectedServerSignType = RSA-PSS # =========================================================== -[31-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 31-Suite B P-384 Hash Algorithm Selection-ssl +[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm] +ssl_conf = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl -[31-Suite B P-384 Hash Algorithm Selection-ssl] -server = 31-Suite B P-384 Hash Algorithm Selection-server -client = 31-Suite B P-384 Hash Algorithm Selection-client +[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-ssl] +server = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server +client = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client -[31-Suite B P-384 Hash Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = SUITEB128 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem -[31-Suite B P-384 Hash Algorithm Selection-client] +[31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm-client] CipherString = DEFAULT -SignatureAlgorithms = 
ECDSA+SHA256:ECDSA+SHA384 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +SignatureAlgorithms = rsa_pss_pss_sha512:rsa_pss_pss_sha256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-31] ExpectedResult = Success -ExpectedServerCertType = P-384 -ExpectedServerSignHash = SHA384 -ExpectedServerSignType = EC +ExpectedServerCertType = RSA-PSS +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS # =========================================================== -[32-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 32-TLS 1.2 Ed25519 Client Auth-ssl +[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms] +ssl_conf = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl -[32-TLS 1.2 Ed25519 Client Auth-ssl] -server = 32-TLS 1.2 Ed25519 Client Auth-server -client = 32-TLS 1.2 Ed25519 Client Auth-client +[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-ssl] +server = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server +client = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client -[32-TLS 1.2 Ed25519 Client Auth-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem -[32-TLS 1.2 Ed25519 Client Auth-client] +[32-RSA-PSS Restricted Certificate Invalid Signature Algorithms-client] CipherString = DEFAULT -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem -MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 +SignatureAlgorithms = rsa_pss_pss_sha512 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-32] 
-ExpectedClientCertType = Ed25519 -ExpectedClientSignType = Ed25519 -ExpectedResult = Success +ExpectedResult = ServerFail # =========================================================== -[33-TLS 1.2 Ed448 Client Auth] -ssl_conf = 33-TLS 1.2 Ed448 Client Auth-ssl +[33-RSA key exchange with only RSA-PSS certificate] +ssl_conf = 33-RSA key exchange with only RSA-PSS certificate-ssl -[33-TLS 1.2 Ed448 Client Auth-ssl] -server = 33-TLS 1.2 Ed448 Client Auth-server -client = 33-TLS 1.2 Ed448 Client Auth-client +[33-RSA key exchange with only RSA-PSS certificate-ssl] +server = 33-RSA key exchange with only RSA-PSS certificate-server +client = 33-RSA key exchange with only RSA-PSS certificate-client -[33-TLS 1.2 Ed448 Client Auth-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[33-RSA key exchange with only RSA-PSS certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -[33-TLS 1.2 Ed448 Client Auth-client] -CipherString = DEFAULT -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem +[33-RSA key exchange with only RSA-PSS certificate-client] +CipherString = kRSA MaxProtocol = TLSv1.2 -MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-33] -ExpectedClientCertType = Ed448 -ExpectedClientSignType = Ed448 -ExpectedResult = Success +ExpectedResult = ServerFail # =========================================================== diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index 24093548cd..eeadf9ad3d 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in 
@@ -41,13 +41,21 @@ my $server_pss_restrict_only = { "PrivateKey" => test_pem("server-pss-restrict-key.pem"), }; +my $server_rsa_all; -my $server_rsa_all = { - "PSS.Certificate" => test_pem("server-pss-cert.pem"), - "PSS.PrivateKey" => test_pem("server-pss-key.pem"), - "Certificate" => test_pem("servercert.pem"), - "PrivateKey" => test_pem("serverkey.pem"), -}; +if (NO_DEFLT_LIBCTX) { + $server_rsa_all = { + "Certificate" => test_pem("servercert.pem"), + "PrivateKey" => test_pem("serverkey.pem"), + }; +} else { + $server_rsa_all = { + "PSS.Certificate" => test_pem("server-pss-cert.pem"), + "PSS.PrivateKey" => test_pem("server-pss-key.pem"), + "Certificate" => test_pem("servercert.pem"), + "PrivateKey" => test_pem("serverkey.pem"), + }; +} our @tests = ( { @@ -180,19 +188,6 @@ our @tests = ( "ExpectedResult" => "Success" }, }, - { - name => "RSA-PSS Certificate CipherString Selection", - server => $server_pss, - client => { - "CipherString" => "aRSA", - "MaxProtocol" => "TLSv1.2", - }, - test => { - "ExpectedServerCertType" =>, "RSA-PSS", - "ExpectedServerSignType" =>, "RSA-PSS", - "ExpectedResult" => "Success" - }, - }, { name => "P-256 CipherString and Signature Algorithm Selection", server => $server, 
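Review bot: `NO_DEFLT_LIBCTX` in `if (NO_DEFLT_LIBCTX) {` is not a Perl constant but a token that generate_ssl_tests.pl textually rewrites to 0 or 1 before it evaluates this file, and nothing in the template says so. If the file were ever evaluated without that substitution, the bareword would either fail to compile or be read as a true string, depending on strictures, and the PSS-less branch would be chosen silently. A comment above `my $server_rsa_all;` such as `# NO_DEFLT_LIBCTX is replaced with 0 or 1 by generate_ssl_tests.pl` would make the dependency explicit. The two hash literals also repeat the `Certificate`/`PrivateKey` entries; one base hash with the two `PSS.*` entries added only in the else case would keep them from drifting apart.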
@@ -350,6 +345,108 @@ our @tests = ( "ExpectedResult" => "Success" }, }, + { + name => "RSA key exchange with all RSA certificate types", + server => $server_rsa_all, + client => { + "CipherString" => "kRSA", + "MaxProtocol" => "TLSv1.2", + }, + test => { + "ExpectedServerCertType" =>, "RSA", + "ExpectedResult" => "Success" + }, + }, + { + name => "Suite B P-256 Hash Algorithm Selection", + server => { + "ECDSA.Certificate" => test_pem("p256-server-cert.pem"), + "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"), + "MaxProtocol" => "TLSv1.2", + "CipherString" => "SUITEB128" + }, + client => { + "VerifyCAFile" => test_pem("p384-root.pem"), + "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256" + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA256", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "Suite B P-384 Hash Algorithm Selection", + server => { + "ECDSA.Certificate" => test_pem("p384-server-cert.pem"), + "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"), + "MaxProtocol" => "TLSv1.2", + "CipherString" => "SUITEB128" + }, + client => { + "VerifyCAFile" => test_pem("p384-root.pem"), + "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384" + }, + test => { + "ExpectedServerCertType" => "P-384", + "ExpectedServerSignHash" => "SHA384", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.2 Ed25519 Client Auth", + server => { + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => { + "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"), + "MinProtocol" => "TLSv1.2", + "MaxProtocol" => "TLSv1.2" + }, + test => { + "ExpectedClientCertType" => "Ed25519", + "ExpectedClientSignType" => "Ed25519", + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.2 Ed448 Client Auth", + server => { + "VerifyCAFile" => 
test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => { + "Ed448.Certificate" => test_pem("client-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"), + "MinProtocol" => "TLSv1.2", + "MaxProtocol" => "TLSv1.2" + }, + test => { + "ExpectedClientCertType" => "Ed448", + "ExpectedClientSignType" => "Ed448", + "ExpectedResult" => "Success" + }, + }, +); + +my @tests_pss = ( + { + name => "RSA-PSS Certificate CipherString Selection", + server => $server_pss, + client => { + "CipherString" => "aRSA", + "MaxProtocol" => "TLSv1.2", + }, + test => { + "ExpectedServerCertType" =>, "RSA-PSS", + "ExpectedServerSignType" =>, "RSA-PSS", + "ExpectedResult" => "Success" + }, + }, { name => "RSA-PSS Certificate Legacy Signature Algorithm Selection", server => $server_pss, @@ -457,18 +554,6 @@ our @tests = ( "ExpectedResult" => "ServerFail" }, }, - { - name => "RSA key exchange with all RSA certificate types", - server => $server_rsa_all, - client => { - "CipherString" => "kRSA", - "MaxProtocol" => "TLSv1.2", - }, - test => { - "ExpectedServerCertType" =>, "RSA", - "ExpectedResult" => "Success" - }, - }, { name => "RSA key exchange with only RSA-PSS certificate", server => $server_pss_only, 
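Review bot: The blocks moved in this hunk keep the stray comma in `"ExpectedServerCertType" =>, "RSA",` and in the two `=>, "RSA-PSS"` entries of the first `@tests_pss` element. Perl accepts the empty list element, so the tests behave as intended, but it reads like a typo and differs from the plain `=>` used by the Suite B and Ed25519/Ed448 entries in the same hunk. Since the lines are being touched anyway, write them as `"ExpectedServerCertType" => "RSA",`. The `@tests_pss` list continues outside this hunk.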
@@ -480,80 +565,6 @@ our @tests = ( "ExpectedResult" => "ServerFail" }, }, - { - name => "Suite B P-256 Hash Algorithm Selection", - server => { - "ECDSA.Certificate" => test_pem("p256-server-cert.pem"), - "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"), - "MaxProtocol" => "TLSv1.2", - "CipherString" => "SUITEB128" - }, - client => { - "VerifyCAFile" => test_pem("p384-root.pem"), - "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256" - }, - test => { - "ExpectedServerCertType" => "P-256", - "ExpectedServerSignHash" => "SHA256", - "ExpectedServerSignType" => "EC", - "ExpectedResult" => "Success" - }, - }, - { - name => "Suite B P-384 Hash Algorithm Selection", - server => { - "ECDSA.Certificate" => test_pem("p384-server-cert.pem"), - "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"), - "MaxProtocol" => "TLSv1.2", - "CipherString" => "SUITEB128" - }, - client => { - "VerifyCAFile" => test_pem("p384-root.pem"), - "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384" - }, - test => { - "ExpectedServerCertType" => "P-384", - "ExpectedServerSignHash" => "SHA384", - "ExpectedServerSignType" => "EC", - "ExpectedResult" => "Success" - }, - }, - { - name => "TLS 1.2 Ed25519 Client Auth", - server => { - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Require" - }, - client => { - "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"), - "MinProtocol" => "TLSv1.2", - "MaxProtocol" => "TLSv1.2" - }, - test => { - "ExpectedClientCertType" => "Ed25519", - "ExpectedClientSignType" => "Ed25519", - "ExpectedResult" => "Success" - }, - }, - { - name => "TLS 1.2 Ed448 Client Auth", - server => { - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Require" - }, - client => { - "Ed448.Certificate" => test_pem("client-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"), - "MinProtocol" => "TLSv1.2", - "MaxProtocol" => "TLSv1.2" - }, - test => { - 
"ExpectedClientCertType" => "Ed448", - "ExpectedClientSignType" => "Ed448", - "ExpectedResult" => "Success" - }, - }, ); my @tests_tls_1_1 = ( @@ -569,7 +580,10 @@ my @tests_tls_1_1 = ( }, ); -push @tests, @tests_tls_1_1 unless disabled("tls1_1"); +#TODO(3.0): Re-enable these PSS tests in a NO_DEFLT_LIBCTX build once we have +# support for it +push @tests, @tests_pss unless NO_DEFLT_LIBCTX; +push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX; my $server_tls_1_3 = { "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), @@ -582,19 +596,6 @@ my $server_tls_1_3 = { "MaxProtocol" => "TLSv1.3" }; -my $server_tls_1_3_pss = { - "PSS.Certificate" => test_pem("server-pss-cert.pem"), - "PSS.PrivateKey" => test_pem("server-pss-key.pem"), - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"), - "MinProtocol" => "TLSv1.3", - "MaxProtocol" => "TLSv1.3" -}; - my $client_tls_1_3 = { "RSA.Certificate" => test_pem("ee-client-chain.pem"), "RSA.PrivateKey" => test_pem("ee-key.pem"), diff --git a/test/ssl_test.c b/test/ssl_test.c index 6715cd69d5..c4f1c6006e 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c 
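Review bot: The second added line, `push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX;`, also drops the TLS 1.1 tests from the non-default-libctx run, but the TODO above it only talks about the PSS tests. A reader cannot tell from this hunk whether that is deliberate (for instance because those tests use a PSS key) or an accidental loss of coverage in the second run. Extend the comment to cover it, e.g. `# The TLSv1.1 tests are skipped with NO_DEFLT_LIBCTX as well because <reason>`, so the condition is removed together with the PSS one when support lands.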
@@ -533,14 +533,16 @@ int setup_tests(void) if (!TEST_ptr(modulename = test_get_argument(1))) return 0; - defctxnull = OSSL_PROVIDER_load(NULL, "null"); - libctx = OPENSSL_CTX_new(); - if (!TEST_ptr(libctx)) - return 0; + if (strcmp(modulename, "none") != 0) { + defctxnull = OSSL_PROVIDER_load(NULL, "null"); + libctx = OPENSSL_CTX_new(); + if (!TEST_ptr(libctx)) + return 0; - thisprov = OSSL_PROVIDER_load(libctx, modulename); - if (!TEST_ptr(thisprov)) - return 0; + thisprov = OSSL_PROVIDER_load(libctx, modulename); + if (!TEST_ptr(thisprov)) + return 0; + } ADD_ALL_TESTS(test_handshake, (int)num_tests); return 1; -- 2.34.1
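Review bot: Inside the new `if (strcmp(modulename, "none") != 0)` block the result of `OSSL_PROVIDER_load(NULL, "null")` is stored in `defctxnull` but never checked, unlike `libctx` and `thisprov` just below it. If that load failed, the default library context would presumably stay usable, so code that wrongly falls back to the default context instead of `libctx` could still pass and the second run would no longer show that the non-default context is used. Suggest `if (!TEST_ptr(defctxnull = OSSL_PROVIDER_load(NULL, "null"))) return 0;`. A one-line comment that "none" is the sentinel passed by 80-test_ssl_new.t for the default-libctx run would also help, since in that case all three pointers are left unset. setup_tests starts before and continues after this hunk.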