[openssl.git] / test / ssl-tests / 14-curves.cnf.in
1 # -*- mode: perl; -*-
2
3 ## SSL test configurations
4
5 package ssltests;
6
7 use strict;
8 use warnings;
9
10 use OpenSSL::Test;
11 use OpenSSL::Test::Utils qw(anydisabled);
12
# Only declared here, so the value is presumably supplied by whatever loads
# this template (confirm against the harness). When it is true, the
# "no_fips" / "non_fips" lists below are left out of the generated tests.
our $fips_mode;

# Groups exercised by the plain "curve-<name>" TLSv1.3 tests.
my @curves = qw(prime256v1 secp384r1 secp521r1 X25519 X448);

# Curves *only* suitable for use in TLSv1.3
my @curves_tls_1_3 = qw(ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192);

# TLSv1.3-only groups that are skipped when $fips_mode is set.
my @curves_tls_1_3_no_fips = qw(
    brainpoolP256r1tls13
    brainpoolP384r1tls13
    brainpoolP512r1tls13
);

unless ($fips_mode) {
    push @curves_tls_1_3, @curves_tls_1_3_no_fips;
}

# The TLSv1.3-only groups are also run through the generic success test.
push @curves, @curves_tls_1_3;

# Groups that the tests below expect to work up to TLSv1.2 but not in a
# TLSv1.3 key_share.
my @curves_tls_1_2 = qw(
    sect233k1 sect233r1
    sect283k1 sect283r1
    sect409k1 sect409r1
    sect571k1 sect571r1
    secp224r1
);

# Additional TLSv1.2-only groups that are skipped when $fips_mode is set.
my @curves_non_fips = qw(
    sect163k1 sect163r2 prime192v1
    sect163r1 sect193r1 sect193r2 sect239k1
    secp160k1 secp160r1 secp160r2 secp192k1
    secp224k1 secp256k1 brainpoolP256r1
    brainpoolP384r1 brainpoolP512r1
);

unless ($fips_mode) {
    push @curves_tls_1_2, @curves_non_fips;
}

# Filled in by generate_tests().
our @tests = ();
39
# Return the value a test should expect in "ExpectedTmpKeyType" for a group.
#
# Any group name containing "ffdhe" maps to "dhKeyAgreement"; every other
# group name is returned unchanged.
sub get_key_type {
    my ($group) = @_;

    return $group =~ /ffdhe/ ? "dhKeyAgreement" : $group;
}
52
# Append one handshake scenario per group to @tests, then run the generator.
#
# Scenarios, in the order they are appended:
#   1. every group in @curves negotiated under TLSv1.3 (expects Success);
#   2. every TLSv1.2-only group with a TLSv1.2 client (expects Success);
#   3. every TLSv1.2-only group offered alongside P-256 to a TLSv1.3-only
#      client (expects Success with P-256 as the key type);
#   4. every TLSv1.2-only group offered alone to a TLSv1.3-only client
#      (expects ClientFail);
#   5. every TLSv1.3-only group against a TLSv1.2 peer, once with the client
#      capped at TLSv1.2 (expects ServerFail) and once with the server capped
#      at TLSv1.2 (expects Success).
#
# NOTE(review): "@SECLEVEL=1" relaxes OpenSSL's security level, presumably so
# that the smaller curves in the lists are not rejected by policy. It is a
# test-harness setting here, not a deployment recommendation.
sub generate_tests() {
    my $default_ciphers = 'DEFAULT@SECLEVEL=1';
    my $ecdhe_ciphers   = 'ECDHE@SECLEVEL=1';

    # 1. Generic success case under TLSv1.3.
    for my $curve (@curves) {
        my $server = {
            "Curves"       => $curve,
            "CipherString" => $default_ciphers,
            "MaxProtocol"  => "TLSv1.3"
        };
        my $client = {
            "CipherString" => $ecdhe_ciphers,
            "MaxProtocol"  => "TLSv1.3",
            "Curves"       => $curve
        };
        my $expect = {
            "ExpectedTmpKeyType" => get_key_type($curve),
            "ExpectedProtocol"   => "TLSv1.3",
            "ExpectedResult"     => "Success"
        };
        push @tests, {
            name   => "curve-${curve}",
            server => $server,
            client => $client,
            test   => $expect,
        };
    }

    # 2. TLSv1.2-only groups with the client capped at TLSv1.2.
    for my $curve (@curves_tls_1_2) {
        my $server = {
            "Curves"       => $curve,
            "CipherString" => $default_ciphers,
            "MaxProtocol"  => "TLSv1.3"
        };
        my $client = {
            "CipherString" => $ecdhe_ciphers,
            "MaxProtocol"  => "TLSv1.2",
            "Curves"       => $curve
        };
        my $expect = {
            "ExpectedTmpKeyType" => get_key_type($curve),
            "ExpectedProtocol"   => "TLSv1.2",
            "ExpectedResult"     => "Success"
        };
        push @tests, {
            name   => "curve-${curve}",
            server => $server,
            client => $client,
            test   => $expect,
        };
    }

    # 3. TLSv1.2-only group listed ahead of P-256 for a TLSv1.3-only client.
    for my $curve (@curves_tls_1_2) {
        my $server = {
            "Curves"       => "$curve:P-256",
            "CipherString" => $default_ciphers,
            "MaxProtocol"  => "TLSv1.3"
        };
        my $client = {
            "CipherString" => $ecdhe_ciphers,
            "MaxProtocol"  => "TLSv1.3",
            "MinProtocol"  => "TLSv1.3",
            "Curves"       => "$curve:P-256"
        };
        # This curve is not allowed in a TLSv1.3 key_share. We should
        # succeed but fall back to P-256.
        my $expect = {
            "ExpectedTmpKeyType" => "P-256",
            "ExpectedProtocol"   => "TLSv1.3",
            "ExpectedResult"     => "Success"
        };
        push @tests, {
            name   => "curve-${curve}-tls12-in-tls13",
            server => $server,
            client => $client,
            test   => $expect,
        };
    }

    # 4. TLSv1.2-only group offered alone to a TLSv1.3-only client: the
    #    handshake is expected to fail on the client side.
    for my $curve (@curves_tls_1_2) {
        my $server = {
            "Curves"       => $curve,
            "CipherString" => $default_ciphers,
            "MaxProtocol"  => "TLSv1.3"
        };
        my $client = {
            "CipherString" => $ecdhe_ciphers,
            "MinProtocol"  => "TLSv1.3",
            "Curves"       => $curve
        };
        my $expect = {
            "ExpectedResult" => "ClientFail"
        };
        push @tests, {
            name   => "curve-${curve}-tls13",
            server => $server,
            client => $client,
            test   => $expect,
        };
    }

    # 5. TLSv1.3-only groups when one side is capped at TLSv1.2.
    for my $curve (@curves_tls_1_3) {
        # These curves are only suitable for TLSv1.3 so we expect the
        # server to fail because it has no shared groups for TLSv1.2
        # ECDHE key exchange.
        my $capped_client = {
            name   => "curve-${curve}-tls13-in-tls12",
            server => {
                "Curves"       => $curve,
                "CipherString" => $default_ciphers,
                "MaxProtocol"  => "TLSv1.3"
            },
            client => {
                "CipherString" => $ecdhe_ciphers,
                "MaxProtocol"  => "TLSv1.2",
                "Curves"       => $curve
            },
            test   => {
                "ExpectedResult" => "ServerFail"
            },
        };
        push @tests, $capped_client;

        # These curves are only suitable for TLSv1.3. We expect TLSv1.2
        # negotiation to succeed because we fall back to some other
        # ciphersuite.
        my $capped_server = {
            name   => "curve-${curve}-tls13-in-tls12-2",
            server => {
                "Curves"       => $curve,
                "CipherString" => $default_ciphers,
                "MaxProtocol"  => "TLSv1.2"
            },
            client => {
                "CipherString" => $default_ciphers,
                "MaxProtocol"  => "TLSv1.3",
                "Curves"       => $curve
            },
            test   => {
                "ExpectedResult" => "Success"
            },
        };
        push @tests, $capped_server;
    }
}

# Build the test list as soon as this file is evaluated.
generate_tests();