test/ssl-tests/28-seclevel.cnf.in

   1 # -*- mode: perl; -*-
   2 # Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3 #
   4 # Licensed under the Apache License 2.0 (the "License").  You may not use
   5 # this file except in compliance with the License.  You can obtain a copy
   6 # in the file LICENSE in the source distribution or at
   7 # https://www.openssl.org/source/license.html
   8
   9
  10 ## SSL test configurations
  11
  12 package ssltests;
  13 use OpenSSL::Test::Utils;
  14
  15 our @tests = (
  16     {
  17         name => "SECLEVEL 3 with default key",
  18         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
  19         client => { },
  20         test   => { "ExpectedResult" => "ServerFail" },
  21     },
  22 );
  23
  24 our @tests_ec = (
  25     {
  26         name => "SECLEVEL 4 with ED448 key",
  27         server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  28                     "Certificate" => test_pem("server-ed448-cert.pem"),
  29                     "PrivateKey" => test_pem("server-ed448-key.pem") },
  30         client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  31                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  32         test   => { "ExpectedResult" => "Success" },
  33     },
  34     {
  35         # The Ed488 signature algorithm will not be enabled.
  36         # Because of the config order, the certificate is first loaded, and
  37         # then the security level is chaged. If you try this with s_server
  38         # the order will be reversed and it will instead fail to load the key.
  39         name => "SECLEVEL 5 server with ED448 key",
  40         server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
  41                     "Certificate" => test_pem("server-ed448-cert.pem"),
  42                     "PrivateKey" => test_pem("server-ed448-key.pem") },
  43         client => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  44                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  45         test   => { "ExpectedResult" => "ServerFail" },
  46     },
  47     {
  48         # The client will not sent the Ed488 signature algorithm, so the server
  49         # doesn't have a useable signature algorithm for the certificate.
  50         name => "SECLEVEL 5 client with ED448 key",
  51         server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
  52                     "Certificate" => test_pem("server-ed448-cert.pem"),
  53                     "PrivateKey" => test_pem("server-ed448-key.pem") },
  54         client => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
  55                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  56         test   => { "ExpectedResult" => "ServerFail" },
  57     },
  58     {
  59         name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
  60         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
  61                     "Certificate" => test_pem("p384-server-cert.pem"),
  62                     "PrivateKey" => test_pem("p384-server-key.pem"),
  63                     "Groups" => "X25519" },
  64         client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
  65                     "VerifyCAFile" => test_pem("p384-root.pem") },
  66         test   => { "ExpectedResult" => "Success" },
  67     },
  68 );
  69
  70 our @tests_tls1_2 = (
  71     {
  72         name => "SECLEVEL 3 with ED448 key, TLSv1.2",
  73         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
  74                     "Certificate" => test_pem("server-ed448-cert.pem"),
  75                     "PrivateKey" => test_pem("server-ed448-key.pem"),
  76                     "MaxProtocol" => "TLSv1.2" },
  77         client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
  78         test   => { "ExpectedResult" => "Success" },
  79     },
  80 );
  81
  82 push @tests, @tests_ec unless disabled("ec");
  83 push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");