From: Matt Caswell Date: Tue, 7 Apr 2020 16:03:19 +0000 (+0100) Subject: Teach ssl_test_new how to test the FIPS module X-Git-Tag: openssl-3.0.0-alpha1~34 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=682bc861a92d09fb5155cd1aceee7b1ce298ddb9;p=oweals%2Fopenssl.git Teach ssl_test_new how to test the FIPS module We load the FIPS module and make sure it is configured before running the ssl_test_new tests. Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/11511) --- diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl index 580bfb5e70..21515b7a20 100644 --- a/test/generate_ssl_tests.pl +++ b/test/generate_ssl_tests.pl @@ -128,18 +128,13 @@ sub print_templates { sub read_config { my $fname = shift; my $provider = shift; - my $fips_mode = "0"; - my $no_deflt_libctx = "0"; - - $fips_mode = "1" if $provider eq "fips"; - $no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips"; + local $ssltests::fips_mode = $provider eq "fips"; + local $ssltests::no_deflt_libctx = + $provider eq "default" || $provider eq "fips"; open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n"; local $/ = undef; my $content = ; - $content =~ s/FIPS_MODE/$fips_mode/g; - $content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g; - close(INPUT); eval $content; warn $@ if $@; diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 6d6fa5cae3..aa57d1565d 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -13,11 +13,21 @@ use warnings; use File::Basename; use File::Compare qw/compare_text/; use OpenSSL::Glob; -use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; +use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/; use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/; +BEGIN { setup("test_ssl_new"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; + +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); +$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf"); @@ -28,7 +38,8 @@ map { s/\^// } @conf_files if $^O eq "VMS"; # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 30; # = scalar @conf_srcs +plan tests => 30 # = scalar @conf_srcs + + ($no_fips ? 0 : 1); # fipsinstall # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. @@ -106,9 +117,19 @@ my %skip = ( "29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"), ); +unless ($no_fips) { + ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsinstall.cnf'), + '-module', bldtop_file('providers', platform->dso('fips')), + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), + "fipsinstall"); +} + foreach my $conf (@conf_files) { subtest "Test configuration $conf" => sub { - plan tests => 6; + plan tests => 6 + ($no_fips ? 0 : 3); test_conf($conf, $conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1, defined($skip{$conf}) ? $skip{$conf} : $no_tls, @@ -117,6 +138,10 @@ foreach my $conf (@conf_files) { 0, defined($skip{$conf}) ? $skip{$conf} : $no_tls, "default"); + test_conf($conf, + 0, + defined($skip{$conf}) ? $skip{$conf} : $no_tls, + "fips") unless $no_fips; } } @@ -149,8 +174,14 @@ sub test_conf { skip "No tests available; skipping tests", 1 if $skip; skip "Stale sources; skipping tests", 1 if !$run_test; - ok(run(test(["ssl_test", $output_file, $provider])), - "running ssl_test $conf"); + if ($provider eq "fips") { + ok(run(test(["ssl_test", $output_file, $provider, + srctop_file("test", "fips.cnf")])), + "running ssl_test $conf"); + } else { + ok(run(test(["ssl_test", $output_file, $provider])), + "running ssl_test $conf"); + } } } diff --git a/test/ssl-tests/02-protocol-version.cnf.in b/test/ssl-tests/02-protocol-version.cnf.in index a6799df0ac..70bad4cf6c 100644 --- a/test/ssl-tests/02-protocol-version.cnf.in +++ b/test/ssl-tests/02-protocol-version.cnf.in @@ -16,4 +16,6 @@ use warnings; use protocol_version; -our @tests = generate_version_tests("TLS"); +our $fips_mode; + +our @tests = generate_version_tests("TLS", $fips_mode); diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in index b9c014d2c0..f90f7eb79d 100644 --- a/test/ssl-tests/04-client_auth.cnf.in +++ b/test/ssl-tests/04-client_auth.cnf.in @@ -11,12 +11,19 @@ use OpenSSL::Test; use OpenSSL::Test::Utils qw(anydisabled disabled); setup("no_test_here"); -# We test version-flexible negotiation (undef) and each protocol version. -my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2"); +our $fips_mode; +my @protocols; my @is_disabled = (0); push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2"); +# We test version-flexible negotiation (undef) and each protocol version. +if ($fips_mode) { + @protocols = (undef, "TLSv1.2", "DTLSv1.2"); +} else { + @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2"); +} + our @tests = (); sub generate_tests() { diff --git a/test/ssl-tests/05-sni.cnf.in b/test/ssl-tests/05-sni.cnf.in index 6651899618..b34a55c7d2 100644 --- a/test/ssl-tests/05-sni.cnf.in +++ b/test/ssl-tests/05-sni.cnf.in @@ -15,6 +15,8 @@ use warnings; package ssltests; use OpenSSL::Test::Utils; +our $fips_mode; + our @tests = ( { name => "SNI-switch-context", @@ -166,4 +168,4 @@ our @tests_tls_1_1 = ( }, ); -push @tests, @tests_tls_1_1 unless disabled("tls1_1"); +push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $fips_mode; diff --git a/test/ssl-tests/07-dtls-protocol-version.cnf.in b/test/ssl-tests/07-dtls-protocol-version.cnf.in index 2a53433b68..9f9ab6e72f 100644 --- a/test/ssl-tests/07-dtls-protocol-version.cnf.in +++ b/test/ssl-tests/07-dtls-protocol-version.cnf.in @@ -16,4 +16,6 @@ use warnings; use protocol_version; -our @tests = generate_version_tests("DTLS"); +our $fips_mode; + +our @tests = generate_version_tests("DTLS", $fips_mode); diff --git a/test/ssl-tests/10-resumption.cnf.in b/test/ssl-tests/10-resumption.cnf.in index 39c69395bf..ace714a8b5 100644 --- a/test/ssl-tests/10-resumption.cnf.in +++ b/test/ssl-tests/10-resumption.cnf.in @@ -16,4 +16,6 @@ package ssltests; use protocol_version; -our @tests = generate_resumption_tests("TLS"); +our $fips_mode; + +our @tests = generate_resumption_tests("TLS", $fips_mode); diff --git a/test/ssl-tests/11-dtls_resumption.cnf.in b/test/ssl-tests/11-dtls_resumption.cnf.in index 9f600e6625..4cee1e2022 100644 --- a/test/ssl-tests/11-dtls_resumption.cnf.in +++ b/test/ssl-tests/11-dtls_resumption.cnf.in @@ -16,4 +16,6 @@ package ssltests; use protocol_version; -our @tests = generate_resumption_tests("DTLS"); +our $fips_mode; + +our @tests = generate_resumption_tests("DTLS", $fips_mode); diff --git a/test/ssl-tests/14-curves.cnf b/test/ssl-tests/14-curves.cnf index f76f08fd7d..26d0949f0d 100644 --- a/test/ssl-tests/14-curves.cnf +++ b/test/ssl-tests/14-curves.cnf @@ -3,35 +3,35 @@ num_tests = 30 test-0 = 0-curve-sect163k1 -test-1 = 1-curve-sect163r1 -test-2 = 2-curve-sect163r2 -test-3 = 3-curve-sect193r1 -test-4 = 4-curve-sect193r2 -test-5 = 5-curve-sect233k1 -test-6 = 6-curve-sect233r1 -test-7 = 7-curve-sect239k1 -test-8 = 8-curve-sect283k1 -test-9 = 9-curve-sect283r1 -test-10 = 10-curve-sect409k1 -test-11 = 11-curve-sect409r1 -test-12 = 12-curve-sect571k1 -test-13 = 13-curve-sect571r1 -test-14 = 14-curve-secp160k1 -test-15 = 15-curve-secp160r1 -test-16 = 16-curve-secp160r2 -test-17 = 17-curve-secp192k1 -test-18 = 18-curve-prime192v1 -test-19 = 19-curve-secp224k1 -test-20 = 20-curve-secp224r1 -test-21 = 21-curve-secp256k1 -test-22 = 22-curve-prime256v1 -test-23 = 23-curve-secp384r1 -test-24 = 24-curve-secp521r1 -test-25 = 25-curve-brainpoolP256r1 -test-26 = 26-curve-brainpoolP384r1 -test-27 = 27-curve-brainpoolP512r1 -test-28 = 28-curve-X25519 -test-29 = 29-curve-X448 +test-1 = 1-curve-sect163r2 +test-2 = 2-curve-sect233k1 +test-3 = 3-curve-sect233r1 +test-4 = 4-curve-sect283k1 +test-5 = 5-curve-sect283r1 +test-6 = 6-curve-sect409k1 +test-7 = 7-curve-sect409r1 +test-8 = 8-curve-sect571k1 +test-9 = 9-curve-sect571r1 +test-10 = 10-curve-prime192v1 +test-11 = 11-curve-secp224r1 +test-12 = 12-curve-prime256v1 +test-13 = 13-curve-secp384r1 +test-14 = 14-curve-secp521r1 +test-15 = 15-curve-X25519 +test-16 = 16-curve-X448 +test-17 = 17-curve-sect163r1 +test-18 = 18-curve-sect193r1 +test-19 = 19-curve-sect193r2 +test-20 = 20-curve-sect239k1 +test-21 = 21-curve-secp160k1 +test-22 = 22-curve-secp160r1 +test-23 = 23-curve-secp160r2 +test-24 = 24-curve-secp192k1 +test-25 = 25-curve-secp224k1 +test-26 = 26-curve-secp256k1 +test-27 = 27-curve-brainpoolP256r1 +test-28 = 28-curve-brainpoolP384r1 +test-29 = 29-curve-brainpoolP512r1 # =========================================================== [0-curve-sect163k1] @@ -62,813 +62,813 @@ ExpectedTmpKeyType = sect163k1 # =========================================================== -[1-curve-sect163r1] -ssl_conf = 1-curve-sect163r1-ssl +[1-curve-sect163r2] +ssl_conf = 1-curve-sect163r2-ssl -[1-curve-sect163r1-ssl] -server = 1-curve-sect163r1-server -client = 1-curve-sect163r1-client +[1-curve-sect163r2-ssl] +server = 1-curve-sect163r2-server +client = 1-curve-sect163r2-client -[1-curve-sect163r1-server] +[1-curve-sect163r2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect163r1 +Curves = sect163r2 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[1-curve-sect163r1-client] +[1-curve-sect163r2-client] CipherString = ECDHE -Curves = sect163r1 +Curves = sect163r2 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-1] ExpectedResult = Success -ExpectedTmpKeyType = sect163r1 +ExpectedTmpKeyType = sect163r2 # =========================================================== -[2-curve-sect163r2] -ssl_conf = 2-curve-sect163r2-ssl +[2-curve-sect233k1] +ssl_conf = 2-curve-sect233k1-ssl -[2-curve-sect163r2-ssl] -server = 2-curve-sect163r2-server -client = 2-curve-sect163r2-client +[2-curve-sect233k1-ssl] +server = 2-curve-sect233k1-server +client = 2-curve-sect233k1-client -[2-curve-sect163r2-server] +[2-curve-sect233k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect163r2 +Curves = sect233k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[2-curve-sect163r2-client] +[2-curve-sect233k1-client] CipherString = ECDHE -Curves = sect163r2 +Curves = sect233k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-2] ExpectedResult = Success -ExpectedTmpKeyType = sect163r2 +ExpectedTmpKeyType = sect233k1 # =========================================================== -[3-curve-sect193r1] -ssl_conf = 3-curve-sect193r1-ssl +[3-curve-sect233r1] +ssl_conf = 3-curve-sect233r1-ssl -[3-curve-sect193r1-ssl] -server = 3-curve-sect193r1-server -client = 3-curve-sect193r1-client +[3-curve-sect233r1-ssl] +server = 3-curve-sect233r1-server +client = 3-curve-sect233r1-client -[3-curve-sect193r1-server] +[3-curve-sect233r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect193r1 +Curves = sect233r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-curve-sect193r1-client] +[3-curve-sect233r1-client] CipherString = ECDHE -Curves = sect193r1 +Curves = sect233r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] ExpectedResult = Success -ExpectedTmpKeyType = sect193r1 +ExpectedTmpKeyType = sect233r1 # =========================================================== -[4-curve-sect193r2] -ssl_conf = 4-curve-sect193r2-ssl +[4-curve-sect283k1] +ssl_conf = 4-curve-sect283k1-ssl -[4-curve-sect193r2-ssl] -server = 4-curve-sect193r2-server -client = 4-curve-sect193r2-client +[4-curve-sect283k1-ssl] +server = 4-curve-sect283k1-server +client = 4-curve-sect283k1-client -[4-curve-sect193r2-server] +[4-curve-sect283k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect193r2 +Curves = sect283k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-curve-sect193r2-client] +[4-curve-sect283k1-client] CipherString = ECDHE -Curves = sect193r2 +Curves = sect283k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] ExpectedResult = Success -ExpectedTmpKeyType = sect193r2 +ExpectedTmpKeyType = sect283k1 # =========================================================== -[5-curve-sect233k1] -ssl_conf = 5-curve-sect233k1-ssl +[5-curve-sect283r1] +ssl_conf = 5-curve-sect283r1-ssl -[5-curve-sect233k1-ssl] -server = 5-curve-sect233k1-server -client = 5-curve-sect233k1-client +[5-curve-sect283r1-ssl] +server = 5-curve-sect283r1-server +client = 5-curve-sect283r1-client -[5-curve-sect233k1-server] +[5-curve-sect283r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233k1 +Curves = sect283r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-curve-sect233k1-client] +[5-curve-sect283r1-client] CipherString = ECDHE -Curves = sect233k1 +Curves = sect283r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] ExpectedResult = Success -ExpectedTmpKeyType = sect233k1 +ExpectedTmpKeyType = sect283r1 # =========================================================== -[6-curve-sect233r1] -ssl_conf = 6-curve-sect233r1-ssl +[6-curve-sect409k1] +ssl_conf = 6-curve-sect409k1-ssl -[6-curve-sect233r1-ssl] -server = 6-curve-sect233r1-server -client = 6-curve-sect233r1-client +[6-curve-sect409k1-ssl] +server = 6-curve-sect409k1-server +client = 6-curve-sect409k1-client -[6-curve-sect233r1-server] +[6-curve-sect409k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect233r1 +Curves = sect409k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-curve-sect233r1-client] +[6-curve-sect409k1-client] CipherString = ECDHE -Curves = sect233r1 +Curves = sect409k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-6] ExpectedResult = Success -ExpectedTmpKeyType = sect233r1 +ExpectedTmpKeyType = sect409k1 # =========================================================== -[7-curve-sect239k1] -ssl_conf = 7-curve-sect239k1-ssl +[7-curve-sect409r1] +ssl_conf = 7-curve-sect409r1-ssl -[7-curve-sect239k1-ssl] -server = 7-curve-sect239k1-server -client = 7-curve-sect239k1-client +[7-curve-sect409r1-ssl] +server = 7-curve-sect409r1-server +client = 7-curve-sect409r1-client -[7-curve-sect239k1-server] +[7-curve-sect409r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect239k1 +Curves = sect409r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-curve-sect239k1-client] +[7-curve-sect409r1-client] CipherString = ECDHE -Curves = sect239k1 +Curves = sect409r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-7] ExpectedResult = Success -ExpectedTmpKeyType = sect239k1 +ExpectedTmpKeyType = sect409r1 # =========================================================== -[8-curve-sect283k1] -ssl_conf = 8-curve-sect283k1-ssl +[8-curve-sect571k1] +ssl_conf = 8-curve-sect571k1-ssl -[8-curve-sect283k1-ssl] -server = 8-curve-sect283k1-server -client = 8-curve-sect283k1-client +[8-curve-sect571k1-ssl] +server = 8-curve-sect571k1-server +client = 8-curve-sect571k1-client -[8-curve-sect283k1-server] +[8-curve-sect571k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283k1 +Curves = sect571k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-curve-sect283k1-client] +[8-curve-sect571k1-client] CipherString = ECDHE -Curves = sect283k1 +Curves = sect571k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] ExpectedResult = Success -ExpectedTmpKeyType = sect283k1 +ExpectedTmpKeyType = sect571k1 # =========================================================== -[9-curve-sect283r1] -ssl_conf = 9-curve-sect283r1-ssl +[9-curve-sect571r1] +ssl_conf = 9-curve-sect571r1-ssl -[9-curve-sect283r1-ssl] -server = 9-curve-sect283r1-server -client = 9-curve-sect283r1-client +[9-curve-sect571r1-ssl] +server = 9-curve-sect571r1-server +client = 9-curve-sect571r1-client -[9-curve-sect283r1-server] +[9-curve-sect571r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect283r1 +Curves = sect571r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-curve-sect283r1-client] +[9-curve-sect571r1-client] CipherString = ECDHE -Curves = sect283r1 +Curves = sect571r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-9] ExpectedResult = Success -ExpectedTmpKeyType = sect283r1 +ExpectedTmpKeyType = sect571r1 # =========================================================== -[10-curve-sect409k1] -ssl_conf = 10-curve-sect409k1-ssl +[10-curve-prime192v1] +ssl_conf = 10-curve-prime192v1-ssl -[10-curve-sect409k1-ssl] -server = 10-curve-sect409k1-server -client = 10-curve-sect409k1-client +[10-curve-prime192v1-ssl] +server = 10-curve-prime192v1-server +client = 10-curve-prime192v1-client -[10-curve-sect409k1-server] +[10-curve-prime192v1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409k1 +Curves = prime192v1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-curve-sect409k1-client] +[10-curve-prime192v1-client] CipherString = ECDHE -Curves = sect409k1 +Curves = prime192v1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-10] ExpectedResult = Success -ExpectedTmpKeyType = sect409k1 +ExpectedTmpKeyType = prime192v1 # =========================================================== -[11-curve-sect409r1] -ssl_conf = 11-curve-sect409r1-ssl +[11-curve-secp224r1] +ssl_conf = 11-curve-secp224r1-ssl -[11-curve-sect409r1-ssl] -server = 11-curve-sect409r1-server -client = 11-curve-sect409r1-client +[11-curve-secp224r1-ssl] +server = 11-curve-secp224r1-server +client = 11-curve-secp224r1-client -[11-curve-sect409r1-server] +[11-curve-secp224r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect409r1 +Curves = secp224r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-curve-sect409r1-client] +[11-curve-secp224r1-client] CipherString = ECDHE -Curves = sect409r1 +Curves = secp224r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] ExpectedResult = Success -ExpectedTmpKeyType = sect409r1 +ExpectedTmpKeyType = secp224r1 # =========================================================== -[12-curve-sect571k1] -ssl_conf = 12-curve-sect571k1-ssl +[12-curve-prime256v1] +ssl_conf = 12-curve-prime256v1-ssl -[12-curve-sect571k1-ssl] -server = 12-curve-sect571k1-server -client = 12-curve-sect571k1-client +[12-curve-prime256v1-ssl] +server = 12-curve-prime256v1-server +client = 12-curve-prime256v1-client -[12-curve-sect571k1-server] +[12-curve-prime256v1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571k1 +Curves = prime256v1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-curve-sect571k1-client] +[12-curve-prime256v1-client] CipherString = ECDHE -Curves = sect571k1 +Curves = prime256v1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-12] ExpectedResult = Success -ExpectedTmpKeyType = sect571k1 +ExpectedTmpKeyType = prime256v1 # =========================================================== -[13-curve-sect571r1] -ssl_conf = 13-curve-sect571r1-ssl +[13-curve-secp384r1] +ssl_conf = 13-curve-secp384r1-ssl -[13-curve-sect571r1-ssl] -server = 13-curve-sect571r1-server -client = 13-curve-sect571r1-client +[13-curve-secp384r1-ssl] +server = 13-curve-secp384r1-server +client = 13-curve-secp384r1-client -[13-curve-sect571r1-server] +[13-curve-secp384r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = sect571r1 +Curves = secp384r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-curve-sect571r1-client] +[13-curve-secp384r1-client] CipherString = ECDHE -Curves = sect571r1 +Curves = secp384r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-13] ExpectedResult = Success -ExpectedTmpKeyType = sect571r1 +ExpectedTmpKeyType = secp384r1 # =========================================================== -[14-curve-secp160k1] -ssl_conf = 14-curve-secp160k1-ssl +[14-curve-secp521r1] +ssl_conf = 14-curve-secp521r1-ssl -[14-curve-secp160k1-ssl] -server = 14-curve-secp160k1-server -client = 14-curve-secp160k1-client +[14-curve-secp521r1-ssl] +server = 14-curve-secp521r1-server +client = 14-curve-secp521r1-client -[14-curve-secp160k1-server] +[14-curve-secp521r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp160k1 +Curves = secp521r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-curve-secp160k1-client] +[14-curve-secp521r1-client] CipherString = ECDHE -Curves = secp160k1 +Curves = secp521r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-14] ExpectedResult = Success -ExpectedTmpKeyType = secp160k1 +ExpectedTmpKeyType = secp521r1 # =========================================================== -[15-curve-secp160r1] -ssl_conf = 15-curve-secp160r1-ssl +[15-curve-X25519] +ssl_conf = 15-curve-X25519-ssl -[15-curve-secp160r1-ssl] -server = 15-curve-secp160r1-server -client = 15-curve-secp160r1-client +[15-curve-X25519-ssl] +server = 15-curve-X25519-server +client = 15-curve-X25519-client -[15-curve-secp160r1-server] +[15-curve-X25519-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp160r1 +Curves = X25519 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-curve-secp160r1-client] +[15-curve-X25519-client] CipherString = ECDHE -Curves = secp160r1 +Curves = X25519 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-15] ExpectedResult = Success -ExpectedTmpKeyType = secp160r1 +ExpectedTmpKeyType = X25519 # =========================================================== -[16-curve-secp160r2] -ssl_conf = 16-curve-secp160r2-ssl +[16-curve-X448] +ssl_conf = 16-curve-X448-ssl -[16-curve-secp160r2-ssl] -server = 16-curve-secp160r2-server -client = 16-curve-secp160r2-client +[16-curve-X448-ssl] +server = 16-curve-X448-server +client = 16-curve-X448-client -[16-curve-secp160r2-server] +[16-curve-X448-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp160r2 +Curves = X448 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-curve-secp160r2-client] +[16-curve-X448-client] CipherString = ECDHE -Curves = secp160r2 +Curves = X448 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-16] ExpectedResult = Success -ExpectedTmpKeyType = secp160r2 +ExpectedTmpKeyType = X448 # =========================================================== -[17-curve-secp192k1] -ssl_conf = 17-curve-secp192k1-ssl +[17-curve-sect163r1] +ssl_conf = 17-curve-sect163r1-ssl -[17-curve-secp192k1-ssl] -server = 17-curve-secp192k1-server -client = 17-curve-secp192k1-client +[17-curve-sect163r1-ssl] +server = 17-curve-sect163r1-server +client = 17-curve-sect163r1-client -[17-curve-secp192k1-server] +[17-curve-sect163r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp192k1 +Curves = sect163r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[17-curve-secp192k1-client] +[17-curve-sect163r1-client] CipherString = ECDHE -Curves = secp192k1 +Curves = sect163r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-17] ExpectedResult = Success -ExpectedTmpKeyType = secp192k1 +ExpectedTmpKeyType = sect163r1 # =========================================================== -[18-curve-prime192v1] -ssl_conf = 18-curve-prime192v1-ssl +[18-curve-sect193r1] +ssl_conf = 18-curve-sect193r1-ssl -[18-curve-prime192v1-ssl] -server = 18-curve-prime192v1-server -client = 18-curve-prime192v1-client +[18-curve-sect193r1-ssl] +server = 18-curve-sect193r1-server +client = 18-curve-sect193r1-client -[18-curve-prime192v1-server] +[18-curve-sect193r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = prime192v1 +Curves = sect193r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[18-curve-prime192v1-client] +[18-curve-sect193r1-client] CipherString = ECDHE -Curves = prime192v1 +Curves = sect193r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-18] ExpectedResult = Success -ExpectedTmpKeyType = prime192v1 +ExpectedTmpKeyType = sect193r1 # =========================================================== -[19-curve-secp224k1] -ssl_conf = 19-curve-secp224k1-ssl +[19-curve-sect193r2] +ssl_conf = 19-curve-sect193r2-ssl -[19-curve-secp224k1-ssl] -server = 19-curve-secp224k1-server -client = 19-curve-secp224k1-client +[19-curve-sect193r2-ssl] +server = 19-curve-sect193r2-server +client = 19-curve-sect193r2-client -[19-curve-secp224k1-server] +[19-curve-sect193r2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp224k1 +Curves = sect193r2 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-curve-secp224k1-client] +[19-curve-sect193r2-client] CipherString = ECDHE -Curves = secp224k1 +Curves = sect193r2 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-19] ExpectedResult = Success -ExpectedTmpKeyType = secp224k1 +ExpectedTmpKeyType = sect193r2 # =========================================================== -[20-curve-secp224r1] -ssl_conf = 20-curve-secp224r1-ssl +[20-curve-sect239k1] +ssl_conf = 20-curve-sect239k1-ssl -[20-curve-secp224r1-ssl] -server = 20-curve-secp224r1-server -client = 20-curve-secp224r1-client +[20-curve-sect239k1-ssl] +server = 20-curve-sect239k1-server +client = 20-curve-sect239k1-client -[20-curve-secp224r1-server] +[20-curve-sect239k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp224r1 +Curves = sect239k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-curve-secp224r1-client] +[20-curve-sect239k1-client] CipherString = ECDHE -Curves = secp224r1 +Curves = sect239k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-20] ExpectedResult = Success -ExpectedTmpKeyType = secp224r1 +ExpectedTmpKeyType = sect239k1 # =========================================================== -[21-curve-secp256k1] -ssl_conf = 21-curve-secp256k1-ssl +[21-curve-secp160k1] +ssl_conf = 21-curve-secp160k1-ssl -[21-curve-secp256k1-ssl] -server = 21-curve-secp256k1-server -client = 21-curve-secp256k1-client +[21-curve-secp160k1-ssl] +server = 21-curve-secp160k1-server +client = 21-curve-secp160k1-client -[21-curve-secp256k1-server] +[21-curve-secp160k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp256k1 +Curves = secp160k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[21-curve-secp256k1-client] +[21-curve-secp160k1-client] CipherString = ECDHE -Curves = secp256k1 +Curves = secp160k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-21] ExpectedResult = Success -ExpectedTmpKeyType = secp256k1 +ExpectedTmpKeyType = secp160k1 # =========================================================== -[22-curve-prime256v1] -ssl_conf = 22-curve-prime256v1-ssl +[22-curve-secp160r1] +ssl_conf = 22-curve-secp160r1-ssl -[22-curve-prime256v1-ssl] -server = 22-curve-prime256v1-server -client = 22-curve-prime256v1-client +[22-curve-secp160r1-ssl] +server = 22-curve-secp160r1-server +client = 22-curve-secp160r1-client -[22-curve-prime256v1-server] +[22-curve-secp160r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = prime256v1 +Curves = secp160r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[22-curve-prime256v1-client] +[22-curve-secp160r1-client] CipherString = ECDHE -Curves = prime256v1 +Curves = secp160r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] ExpectedResult = Success -ExpectedTmpKeyType = prime256v1 +ExpectedTmpKeyType = secp160r1 # =========================================================== -[23-curve-secp384r1] -ssl_conf = 23-curve-secp384r1-ssl +[23-curve-secp160r2] +ssl_conf = 23-curve-secp160r2-ssl -[23-curve-secp384r1-ssl] -server = 23-curve-secp384r1-server -client = 23-curve-secp384r1-client +[23-curve-secp160r2-ssl] +server = 23-curve-secp160r2-server +client = 23-curve-secp160r2-client -[23-curve-secp384r1-server] +[23-curve-secp160r2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp384r1 +Curves = secp160r2 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-curve-secp384r1-client] +[23-curve-secp160r2-client] CipherString = ECDHE -Curves = secp384r1 +Curves = secp160r2 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-23] ExpectedResult = Success -ExpectedTmpKeyType = secp384r1 +ExpectedTmpKeyType = secp160r2 # =========================================================== -[24-curve-secp521r1] -ssl_conf = 24-curve-secp521r1-ssl +[24-curve-secp192k1] +ssl_conf = 24-curve-secp192k1-ssl -[24-curve-secp521r1-ssl] -server = 24-curve-secp521r1-server -client = 24-curve-secp521r1-client +[24-curve-secp192k1-ssl] +server = 24-curve-secp192k1-server +client = 24-curve-secp192k1-client -[24-curve-secp521r1-server] +[24-curve-secp192k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = secp521r1 +Curves = secp192k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[24-curve-secp521r1-client] +[24-curve-secp192k1-client] CipherString = ECDHE -Curves = secp521r1 +Curves = secp192k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-24] ExpectedResult = Success -ExpectedTmpKeyType = secp521r1 +ExpectedTmpKeyType = secp192k1 # =========================================================== -[25-curve-brainpoolP256r1] -ssl_conf = 25-curve-brainpoolP256r1-ssl +[25-curve-secp224k1] +ssl_conf = 25-curve-secp224k1-ssl -[25-curve-brainpoolP256r1-ssl] -server = 25-curve-brainpoolP256r1-server -client = 25-curve-brainpoolP256r1-client +[25-curve-secp224k1-ssl] +server = 25-curve-secp224k1-server +client = 25-curve-secp224k1-client -[25-curve-brainpoolP256r1-server] +[25-curve-secp224k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = brainpoolP256r1 +Curves = secp224k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[25-curve-brainpoolP256r1-client] +[25-curve-secp224k1-client] CipherString = ECDHE -Curves = brainpoolP256r1 +Curves = secp224k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-25] ExpectedResult = Success -ExpectedTmpKeyType = brainpoolP256r1 +ExpectedTmpKeyType = secp224k1 # =========================================================== -[26-curve-brainpoolP384r1] -ssl_conf = 26-curve-brainpoolP384r1-ssl +[26-curve-secp256k1] +ssl_conf = 26-curve-secp256k1-ssl -[26-curve-brainpoolP384r1-ssl] -server = 26-curve-brainpoolP384r1-server -client = 26-curve-brainpoolP384r1-client +[26-curve-secp256k1-ssl] +server = 26-curve-secp256k1-server +client = 26-curve-secp256k1-client -[26-curve-brainpoolP384r1-server] +[26-curve-secp256k1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = brainpoolP384r1 +Curves = secp256k1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[26-curve-brainpoolP384r1-client] +[26-curve-secp256k1-client] CipherString = ECDHE -Curves = brainpoolP384r1 +Curves = secp256k1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-26] ExpectedResult = Success -ExpectedTmpKeyType = brainpoolP384r1 +ExpectedTmpKeyType = secp256k1 # =========================================================== -[27-curve-brainpoolP512r1] -ssl_conf = 27-curve-brainpoolP512r1-ssl +[27-curve-brainpoolP256r1] +ssl_conf = 27-curve-brainpoolP256r1-ssl -[27-curve-brainpoolP512r1-ssl] -server = 27-curve-brainpoolP512r1-server -client = 27-curve-brainpoolP512r1-client +[27-curve-brainpoolP256r1-ssl] +server = 27-curve-brainpoolP256r1-server +client = 27-curve-brainpoolP256r1-client -[27-curve-brainpoolP512r1-server] +[27-curve-brainpoolP256r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = brainpoolP512r1 +Curves = brainpoolP256r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[27-curve-brainpoolP512r1-client] +[27-curve-brainpoolP256r1-client] CipherString = ECDHE -Curves = brainpoolP512r1 +Curves = brainpoolP256r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-27] ExpectedResult = Success -ExpectedTmpKeyType = brainpoolP512r1 +ExpectedTmpKeyType = brainpoolP256r1 # =========================================================== -[28-curve-X25519] -ssl_conf = 28-curve-X25519-ssl +[28-curve-brainpoolP384r1] +ssl_conf = 28-curve-brainpoolP384r1-ssl -[28-curve-X25519-ssl] -server = 28-curve-X25519-server -client = 28-curve-X25519-client +[28-curve-brainpoolP384r1-ssl] +server = 28-curve-brainpoolP384r1-server +client = 28-curve-brainpoolP384r1-client -[28-curve-X25519-server] +[28-curve-brainpoolP384r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X25519 +Curves = brainpoolP384r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[28-curve-X25519-client] +[28-curve-brainpoolP384r1-client] CipherString = ECDHE -Curves = X25519 +Curves = brainpoolP384r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-28] ExpectedResult = Success -ExpectedTmpKeyType = X25519 +ExpectedTmpKeyType = brainpoolP384r1 # =========================================================== -[29-curve-X448] -ssl_conf = 29-curve-X448-ssl +[29-curve-brainpoolP512r1] +ssl_conf = 29-curve-brainpoolP512r1-ssl -[29-curve-X448-ssl] -server = 29-curve-X448-server -client = 29-curve-X448-client +[29-curve-brainpoolP512r1-ssl] +server = 29-curve-brainpoolP512r1-server +client = 29-curve-brainpoolP512r1-client -[29-curve-X448-server] +[29-curve-brainpoolP512r1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Curves = X448 +Curves = brainpoolP512r1 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[29-curve-X448-client] +[29-curve-brainpoolP512r1-client] CipherString = ECDHE -Curves = X448 +Curves = brainpoolP512r1 MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-29] ExpectedResult = Success -ExpectedTmpKeyType = X448 +ExpectedTmpKeyType = brainpoolP512r1 diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in index 2f8077c44a..d074e561c9 100644 --- a/test/ssl-tests/14-curves.cnf.in +++ b/test/ssl-tests/14-curves.cnf.in @@ -10,14 +10,20 @@ use warnings; use OpenSSL::Test; use OpenSSL::Test::Utils qw(anydisabled); -my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1", - "sect193r2", "sect233k1", "sect233r1", "sect239k1", +our $fips_mode; + +my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1", "sect283k1", "sect283r1", "sect409k1", "sect409r1", - "sect571k1", "sect571r1", "secp160k1", "secp160r1", - "secp160r2", "secp192k1", "prime192v1", "secp224k1", - "secp224r1", "secp256k1", "prime256v1", "secp384r1", - "secp521r1", "brainpoolP256r1", "brainpoolP384r1", - "brainpoolP512r1", "X25519", "X448"); + "sect571k1", "sect571r1", "prime192v1", "secp224r1", + "prime256v1", "secp384r1", "secp521r1", "X25519", + "X448"); + +my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1", + "secp160k1", "secp160r1", "secp160r2", "secp192k1", + "secp224k1", "secp256k1", "brainpoolP256r1", + "brainpoolP384r1", "brainpoolP512r1"); + +push @curves, @curves_non_fips if !$fips_mode; our @tests = (); diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf index 5f75ae191c..f788069f56 100644 --- a/test/ssl-tests/20-cert-select.cnf +++ b/test/ssl-tests/20-cert-select.cnf @@ -5,24 +5,24 @@ num_tests = 56 test-0 = 0-ECDSA CipherString Selection test-1 = 1-ECDSA CipherString Selection test-2 = 2-ECDSA CipherString Selection -test-3 = 3-Ed25519 CipherString and Signature Algorithm Selection -test-4 = 4-Ed448 CipherString and Signature Algorithm Selection -test-5 = 5-ECDSA with brainpool -test-6 = 6-RSA CipherString Selection -test-7 = 7-P-256 CipherString and Signature Algorithm Selection -test-8 = 8-Ed25519 CipherString and Curves Selection -test-9 = 9-Ed448 CipherString and Curves Selection -test-10 = 10-ECDSA CipherString Selection, no ECDSA certificate -test-11 = 11-ECDSA Signature Algorithm Selection -test-12 = 12-ECDSA Signature Algorithm Selection SHA384 -test-13 = 13-ECDSA Signature Algorithm Selection SHA1 -test-14 = 14-ECDSA Signature Algorithm Selection compressed point -test-15 = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-16 = 16-RSA Signature Algorithm Selection -test-17 = 17-RSA-PSS Signature Algorithm Selection -test-18 = 18-RSA key exchange with all RSA certificate types -test-19 = 19-Suite B P-256 Hash Algorithm Selection -test-20 = 20-Suite B P-384 Hash Algorithm Selection +test-3 = 3-RSA CipherString Selection +test-4 = 4-P-256 CipherString and Signature Algorithm Selection +test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate +test-6 = 6-ECDSA Signature Algorithm Selection +test-7 = 7-ECDSA Signature Algorithm Selection SHA384 +test-8 = 8-ECDSA Signature Algorithm Selection SHA1 +test-9 = 9-ECDSA Signature Algorithm Selection compressed point +test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-11 = 11-RSA Signature Algorithm Selection +test-12 = 12-RSA-PSS Signature Algorithm Selection +test-13 = 13-RSA key exchange with all RSA certificate types +test-14 = 14-Suite B P-256 Hash Algorithm Selection +test-15 = 15-Suite B P-384 Hash Algorithm Selection +test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection +test-17 = 17-Ed448 CipherString and Signature Algorithm Selection +test-18 = 18-ECDSA with brainpool +test-19 = 19-Ed25519 CipherString and Curves Selection +test-20 = 20-Ed448 CipherString and Curves Selection test-21 = 21-TLS 1.2 Ed25519 Client Auth test-22 = 22-TLS 1.2 Ed448 Client Auth test-23 = 23-RSA-PSS Certificate CipherString Selection @@ -45,13 +45,13 @@ test-39 = 39-TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection -test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection -test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection -test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection -test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection -test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection -test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names -test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection +test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection +test-44 = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names +test-45 = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection +test-46 = 46-TLS 1.3 Ed25519 Signature Algorithm Selection +test-47 = 47-TLS 1.3 Ed448 Signature Algorithm Selection +test-48 = 48-TLS 1.3 Ed25519 CipherString and Groups Selection +test-49 = 49-TLS 1.3 Ed448 CipherString and Groups Selection test-50 = 50-TLS 1.3 Ed25519 Client Auth test-51 = 51-TLS 1.3 Ed448 Client Auth test-52 = 52-TLS 1.3 ECDSA with brainpool @@ -158,14 +158,14 @@ ExpectedResult = ServerFail # =========================================================== -[3-Ed25519 CipherString and Signature Algorithm Selection] -ssl_conf = 3-Ed25519 CipherString and Signature Algorithm Selection-ssl +[3-RSA CipherString Selection] +ssl_conf = 3-RSA CipherString Selection-ssl -[3-Ed25519 CipherString and Signature Algorithm Selection-ssl] -server = 3-Ed25519 CipherString and Signature Algorithm Selection-server -client = 3-Ed25519 CipherString and Signature Algorithm Selection-client +[3-RSA CipherString Selection-ssl] +server = 3-RSA CipherString Selection-server +client = 3-RSA CipherString Selection-client -[3-Ed25519 CipherString and Signature Algorithm Selection-server] +[3-RSA CipherString Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -177,31 +177,28 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[3-Ed25519 CipherString and Signature Algorithm Selection-client] -CipherString = aECDSA +[3-RSA CipherString Selection-client] +CipherString = aRSA MaxProtocol = TLSv1.2 -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -SignatureAlgorithms = ed25519:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-3] ExpectedResult = Success -ExpectedServerCANames = empty -ExpectedServerCertType = Ed25519 -ExpectedServerSignType = Ed25519 +ExpectedServerCertType = RSA +ExpectedServerSignType = RSA-PSS # =========================================================== -[4-Ed448 CipherString and Signature Algorithm Selection] -ssl_conf = 4-Ed448 CipherString and Signature Algorithm Selection-ssl +[4-P-256 CipherString and Signature Algorithm Selection] +ssl_conf = 4-P-256 CipherString and Signature Algorithm Selection-ssl -[4-Ed448 CipherString and Signature Algorithm Selection-ssl] -server = 4-Ed448 CipherString and Signature Algorithm Selection-server -client = 4-Ed448 CipherString and Signature Algorithm Selection-client +[4-P-256 CipherString and Signature Algorithm Selection-ssl] +server = 4-P-256 CipherString and Signature Algorithm Selection-server +client = 4-P-256 CipherString and Signature Algorithm Selection-client -[4-Ed448 CipherString and Signature Algorithm Selection-server] +[4-P-256 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -213,60 +210,55 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[4-Ed448 CipherString and Signature Algorithm Selection-client] +[4-P-256 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem -SignatureAlgorithms = ed448:ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +SignatureAlgorithms = ECDSA+SHA256:ed25519 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-4] ExpectedResult = Success -ExpectedServerCANames = empty -ExpectedServerCertType = Ed448 -ExpectedServerSignType = Ed448 +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC # =========================================================== -[5-ECDSA with brainpool] -ssl_conf = 5-ECDSA with brainpool-ssl +[5-ECDSA CipherString Selection, no ECDSA certificate] +ssl_conf = 5-ECDSA CipherString Selection, no ECDSA certificate-ssl -[5-ECDSA with brainpool-ssl] -server = 5-ECDSA with brainpool-server -client = 5-ECDSA with brainpool-client +[5-ECDSA CipherString Selection, no ECDSA certificate-ssl] +server = 5-ECDSA CipherString Selection, no ECDSA certificate-server +client = 5-ECDSA CipherString Selection, no ECDSA certificate-client -[5-ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem +[5-ECDSA CipherString Selection, no ECDSA certificate-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[5-ECDSA with brainpool-client] +[5-ECDSA CipherString Selection, no ECDSA certificate-client] CipherString = aECDSA -Groups = brainpoolP256r1 -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-5] -ExpectedResult = Success -ExpectedServerCANames = empty -ExpectedServerCertType = brainpoolP256r1 -ExpectedServerSignType = EC +ExpectedResult = ServerFail # =========================================================== -[6-RSA CipherString Selection] -ssl_conf = 6-RSA CipherString Selection-ssl +[6-ECDSA Signature Algorithm Selection] +ssl_conf = 6-ECDSA Signature Algorithm Selection-ssl -[6-RSA CipherString Selection-ssl] -server = 6-RSA CipherString Selection-server -client = 6-RSA CipherString Selection-client +[6-ECDSA Signature Algorithm Selection-ssl] +server = 6-ECDSA Signature Algorithm Selection-server +client = 6-ECDSA Signature Algorithm Selection-client -[6-RSA CipherString Selection-server] +[6-ECDSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -278,28 +270,29 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[6-RSA CipherString Selection-client] -CipherString = aRSA -MaxProtocol = TLSv1.2 +[6-ECDSA Signature Algorithm Selection-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-6] ExpectedResult = Success -ExpectedServerCertType = RSA -ExpectedServerSignType = RSA-PSS +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC # =========================================================== -[7-P-256 CipherString and Signature Algorithm Selection] -ssl_conf = 7-P-256 CipherString and Signature Algorithm Selection-ssl +[7-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 7-ECDSA Signature Algorithm Selection SHA384-ssl -[7-P-256 CipherString and Signature Algorithm Selection-ssl] -server = 7-P-256 CipherString and Signature Algorithm Selection-server -client = 7-P-256 CipherString and Signature Algorithm Selection-client +[7-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 7-ECDSA Signature Algorithm Selection SHA384-server +client = 7-ECDSA Signature Algorithm Selection SHA384-client -[7-P-256 CipherString and Signature Algorithm Selection-server] +[7-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -311,30 +304,29 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-P-256 CipherString and Signature Algorithm Selection-client] -CipherString = aECDSA -MaxProtocol = TLSv1.2 -SignatureAlgorithms = ECDSA+SHA256:ed25519 +[7-ECDSA Signature Algorithm Selection SHA384-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-7] ExpectedResult = Success ExpectedServerCertType = P-256 -ExpectedServerSignHash = SHA256 +ExpectedServerSignHash = SHA384 ExpectedServerSignType = EC # =========================================================== -[8-Ed25519 CipherString and Curves Selection] -ssl_conf = 8-Ed25519 CipherString and Curves Selection-ssl +[8-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl -[8-Ed25519 CipherString and Curves Selection-ssl] -server = 8-Ed25519 CipherString and Curves Selection-server -client = 8-Ed25519 CipherString and Curves Selection-client +[8-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 8-ECDSA Signature Algorithm Selection SHA1-server +client = 8-ECDSA Signature Algorithm Selection SHA1-client -[8-Ed25519 CipherString and Curves Selection-server] +[8-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -346,73 +338,67 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[8-Ed25519 CipherString and Curves Selection-client] -CipherString = aECDSA -Curves = X25519 -MaxProtocol = TLSv1.2 -SignatureAlgorithms = ECDSA+SHA256:ed25519 +[8-ECDSA Signature Algorithm Selection SHA1-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] ExpectedResult = Success -ExpectedServerCertType = Ed25519 -ExpectedServerSignType = Ed25519 +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA1 +ExpectedServerSignType = EC # =========================================================== -[9-Ed448 CipherString and Curves Selection] -ssl_conf = 9-Ed448 CipherString and Curves Selection-ssl +[9-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl -[9-Ed448 CipherString and Curves Selection-ssl] -server = 9-Ed448 CipherString and Curves Selection-server -client = 9-Ed448 CipherString and Curves Selection-client +[9-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 9-ECDSA Signature Algorithm Selection compressed point-server +client = 9-ECDSA Signature Algorithm Selection compressed point-client -[9-Ed448 CipherString and Curves Selection-server] +[9-ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-Ed448 CipherString and Curves Selection-client] -CipherString = aECDSA -Curves = X448 -MaxProtocol = TLSv1.2 -SignatureAlgorithms = ECDSA+SHA256:ed448 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +[9-ECDSA Signature Algorithm Selection compressed point-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-9] ExpectedResult = Success -ExpectedServerCertType = Ed448 -ExpectedServerSignType = Ed448 +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC # =========================================================== -[10-ECDSA CipherString Selection, no ECDSA certificate] -ssl_conf = 10-ECDSA CipherString Selection, no ECDSA certificate-ssl +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[10-ECDSA CipherString Selection, no ECDSA certificate-ssl] -server = 10-ECDSA CipherString Selection, no ECDSA certificate-server -client = 10-ECDSA CipherString Selection, no ECDSA certificate-client +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[10-ECDSA CipherString Selection, no ECDSA certificate-server] +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-ECDSA CipherString Selection, no ECDSA certificate-client] -CipherString = aECDSA -MaxProtocol = TLSv1.2 +[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +CipherString = DEFAULT +SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -422,14 +408,14 @@ ExpectedResult = ServerFail # =========================================================== -[11-ECDSA Signature Algorithm Selection] -ssl_conf = 11-ECDSA Signature Algorithm Selection-ssl +[11-RSA Signature Algorithm Selection] +ssl_conf = 11-RSA Signature Algorithm Selection-ssl -[11-ECDSA Signature Algorithm Selection-ssl] -server = 11-ECDSA Signature Algorithm Selection-server -client = 11-ECDSA Signature Algorithm Selection-client +[11-RSA Signature Algorithm Selection-ssl] +server = 11-RSA Signature Algorithm Selection-server +client = 11-RSA Signature Algorithm Selection-client -[11-ECDSA Signature Algorithm Selection-server] +[11-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -441,29 +427,29 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-ECDSA Signature Algorithm Selection-client] +[11-RSA Signature Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA256 +SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] ExpectedResult = Success -ExpectedServerCertType = P-256 +ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 -ExpectedServerSignType = EC +ExpectedServerSignType = RSA # =========================================================== -[12-ECDSA Signature Algorithm Selection SHA384] -ssl_conf = 12-ECDSA Signature Algorithm Selection SHA384-ssl +[12-RSA-PSS Signature Algorithm Selection] +ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl -[12-ECDSA Signature Algorithm Selection SHA384-ssl] -server = 12-ECDSA Signature Algorithm Selection SHA384-server -client = 12-ECDSA Signature Algorithm Selection SHA384-client +[12-RSA-PSS Signature Algorithm Selection-ssl] +server = 12-RSA-PSS Signature Algorithm Selection-server +client = 12-RSA-PSS Signature Algorithm Selection-client -[12-ECDSA Signature Algorithm Selection SHA384-server] +[12-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -475,74 +461,67 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-ECDSA Signature Algorithm Selection SHA384-client] +[12-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA384 +SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-12] ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignHash = SHA384 -ExpectedServerSignType = EC +ExpectedServerCertType = RSA +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = RSA-PSS # =========================================================== -[13-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 13-ECDSA Signature Algorithm Selection SHA1-ssl +[13-RSA key exchange with all RSA certificate types] +ssl_conf = 13-RSA key exchange with all RSA certificate types-ssl -[13-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 13-ECDSA Signature Algorithm Selection SHA1-server -client = 13-ECDSA Signature Algorithm Selection SHA1-client +[13-RSA key exchange with all RSA certificate types-ssl] +server = 13-RSA key exchange with all RSA certificate types-server +client = 13-RSA key exchange with all RSA certificate types-client -[13-ECDSA Signature Algorithm Selection SHA1-server] +[13-RSA key exchange with all RSA certificate types-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 +PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-ECDSA Signature Algorithm Selection SHA1-client] -CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA1 +[13-RSA key exchange with all RSA certificate types-client] +CipherString = kRSA +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-13] ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignHash = SHA1 -ExpectedServerSignType = EC +ExpectedServerCertType = RSA # =========================================================== -[14-ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 14-ECDSA Signature Algorithm Selection compressed point-ssl +[14-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 14-Suite B P-256 Hash Algorithm Selection-ssl -[14-ECDSA Signature Algorithm Selection compressed point-ssl] -server = 14-ECDSA Signature Algorithm Selection compressed point-server -client = 14-ECDSA Signature Algorithm Selection compressed point-client +[14-Suite B P-256 Hash Algorithm Selection-ssl] +server = 14-Suite B P-256 Hash Algorithm Selection-server +client = 14-Suite B P-256 Hash Algorithm Selection-client -[14-ECDSA Signature Algorithm Selection compressed point-server] +[14-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-ECDSA Signature Algorithm Selection compressed point-client] +[14-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer [test-14] @@ -554,39 +533,44 @@ ExpectedServerSignType = EC # =========================================================== -[15-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[15-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 15-Suite B P-384 Hash Algorithm Selection-ssl -[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[15-Suite B P-384 Hash Algorithm Selection-ssl] +server = 15-Suite B P-384 Hash Algorithm Selection-server +client = 15-Suite B P-384 Hash Algorithm Selection-client -[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[15-Suite B P-384 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[15-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer [test-15] -ExpectedResult = ServerFail +ExpectedResult = Success +ExpectedServerCertType = P-384 +ExpectedServerSignHash = SHA384 +ExpectedServerSignType = EC # =========================================================== -[16-RSA Signature Algorithm Selection] -ssl_conf = 16-RSA Signature Algorithm Selection-ssl +[16-Ed25519 CipherString and Signature Algorithm Selection] +ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl -[16-RSA Signature Algorithm Selection-ssl] -server = 16-RSA Signature Algorithm Selection-server -client = 16-RSA Signature Algorithm Selection-client +[16-Ed25519 CipherString and Signature Algorithm Selection-ssl] +server = 16-Ed25519 CipherString and Signature Algorithm Selection-server +client = 16-Ed25519 CipherString and Signature Algorithm Selection-client -[16-RSA Signature Algorithm Selection-server] +[16-Ed25519 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -598,29 +582,31 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-RSA Signature Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 +[16-Ed25519 CipherString and Signature Algorithm Selection-client] +CipherString = aECDSA +MaxProtocol = TLSv1.2 +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +SignatureAlgorithms = ed25519:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-16] ExpectedResult = Success -ExpectedServerCertType = RSA -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA +ExpectedServerCANames = empty +ExpectedServerCertType = Ed25519 +ExpectedServerSignType = Ed25519 # =========================================================== -[17-RSA-PSS Signature Algorithm Selection] -ssl_conf = 17-RSA-PSS Signature Algorithm Selection-ssl +[17-Ed448 CipherString and Signature Algorithm Selection] +ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl -[17-RSA-PSS Signature Algorithm Selection-ssl] -server = 17-RSA-PSS Signature Algorithm Selection-server -client = 17-RSA-PSS Signature Algorithm Selection-client +[17-Ed448 CipherString and Signature Algorithm Selection-ssl] +server = 17-Ed448 CipherString and Signature Algorithm Selection-server +client = 17-Ed448 CipherString and Signature Algorithm Selection-client -[17-RSA-PSS Signature Algorithm Selection-server] +[17-Ed448 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -632,104 +618,118 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[17-RSA-PSS Signature Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA-PSS+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +[17-Ed448 CipherString and Signature Algorithm Selection-client] +CipherString = aECDSA +MaxProtocol = TLSv1.2 +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +SignatureAlgorithms = ed448:ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-17] ExpectedResult = Success -ExpectedServerCertType = RSA -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA-PSS +ExpectedServerCANames = empty +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 # =========================================================== -[18-RSA key exchange with all RSA certificate types] -ssl_conf = 18-RSA key exchange with all RSA certificate types-ssl +[18-ECDSA with brainpool] +ssl_conf = 18-ECDSA with brainpool-ssl -[18-RSA key exchange with all RSA certificate types-ssl] -server = 18-RSA key exchange with all RSA certificate types-server -client = 18-RSA key exchange with all RSA certificate types-client +[18-ECDSA with brainpool-ssl] +server = 18-ECDSA with brainpool-server +client = 18-ECDSA with brainpool-client -[18-RSA key exchange with all RSA certificate types-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +[18-ECDSA with brainpool-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem CipherString = DEFAULT -PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +Groups = brainpoolP256r1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -[18-RSA key exchange with all RSA certificate types-client] -CipherString = kRSA -MaxProtocol = TLSv1.2 +[18-ECDSA with brainpool-client] +CipherString = aECDSA +Groups = brainpoolP256r1 +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-18] ExpectedResult = Success -ExpectedServerCertType = RSA +ExpectedServerCANames = empty +ExpectedServerCertType = brainpoolP256r1 +ExpectedServerSignType = EC # =========================================================== -[19-Suite B P-256 Hash Algorithm Selection] -ssl_conf = 19-Suite B P-256 Hash Algorithm Selection-ssl +[19-Ed25519 CipherString and Curves Selection] +ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl -[19-Suite B P-256 Hash Algorithm Selection-ssl] -server = 19-Suite B P-256 Hash Algorithm Selection-server -client = 19-Suite B P-256 Hash Algorithm Selection-client +[19-Ed25519 CipherString and Curves Selection-ssl] +server = 19-Ed25519 CipherString and Curves Selection-server +client = 19-Ed25519 CipherString and Curves Selection-client -[19-Suite B P-256 Hash Algorithm Selection-server] +[19-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = SUITEB128 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-Suite B P-256 Hash Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +[19-Ed25519 CipherString and Curves Selection-client] +CipherString = aECDSA +Curves = X25519 +MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed25519 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-19] ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = EC +ExpectedServerCertType = Ed25519 +ExpectedServerSignType = Ed25519 # =========================================================== -[20-Suite B P-384 Hash Algorithm Selection] -ssl_conf = 20-Suite B P-384 Hash Algorithm Selection-ssl +[20-Ed448 CipherString and Curves Selection] +ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl -[20-Suite B P-384 Hash Algorithm Selection-ssl] -server = 20-Suite B P-384 Hash Algorithm Selection-server -client = 20-Suite B P-384 Hash Algorithm Selection-client +[20-Ed448 CipherString and Curves Selection-ssl] +server = 20-Ed448 CipherString and Curves Selection-server +client = 20-Ed448 CipherString and Curves Selection-client -[20-Suite B P-384 Hash Algorithm Selection-server] +[20-Ed448 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = SUITEB128 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem +CipherString = DEFAULT +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-Suite B P-384 Hash Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +[20-Ed448 CipherString and Curves Selection-client] +CipherString = aECDSA +Curves = X448 +MaxProtocol = TLSv1.2 +SignatureAlgorithms = ECDSA+SHA256:ed448 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-20] ExpectedResult = Success -ExpectedServerCertType = P-384 -ExpectedServerSignHash = SHA384 -ExpectedServerSignType = EC +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 # =========================================================== @@ -1397,117 +1397,122 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[43-TLS 1.3 Ed25519 Signature Algorithm Selection] -ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl +[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection] +ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl -[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] -server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server -client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client +[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] +server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server +client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client -[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server] +[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.3 -MinProtocol = TLSv1.3 +ClientSignatureAlgorithms = PSS+SHA256 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client] +[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = ed25519 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 +RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-43] +ExpectedClientCANames = empty +ExpectedClientCertType = RSA +ExpectedClientSignHash = SHA256 +ExpectedClientSignType = RSA-PSS ExpectedResult = Success -ExpectedServerCertType = Ed25519 -ExpectedServerSignType = Ed25519 # =========================================================== -[44-TLS 1.3 Ed448 Signature Algorithm Selection] -ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl +[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] +ssl_conf = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl -[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] -server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server -client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client +[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] +server = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server +client = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client -[44-TLS 1.3 Ed448 Signature Algorithm Selection-server] +[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.3 -MinProtocol = TLSv1.3 +ClientSignatureAlgorithms = PSS+SHA256 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[44-TLS 1.3 Ed448 Signature Algorithm Selection-client] +[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] CipherString = DEFAULT -SignatureAlgorithms = ed448 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 +RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-44] +ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem +ExpectedClientCertType = RSA +ExpectedClientSignHash = SHA256 +ExpectedClientSignType = RSA-PSS ExpectedResult = Success -ExpectedServerCertType = Ed448 -ExpectedServerSignType = Ed448 # =========================================================== -[45-TLS 1.3 Ed25519 CipherString and Groups Selection] -ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl +[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] +ssl_conf = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl -[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] -server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server -client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client +[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] +server = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server +client = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client -[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server] +[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.3 -MinProtocol = TLSv1.3 +ClientSignatureAlgorithms = ECDSA+SHA256 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client] +[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] CipherString = DEFAULT -Groups = X25519 -SignatureAlgorithms = ECDSA+SHA256:ed25519 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 +RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem +RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-45] +ExpectedClientCertType = P-256 +ExpectedClientSignHash = SHA256 +ExpectedClientSignType = EC ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignType = EC # =========================================================== -[46-TLS 1.3 Ed448 CipherString and Groups Selection] -ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl +[46-TLS 1.3 Ed25519 Signature Algorithm Selection] +ssl_conf = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl -[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] -server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server -client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client +[46-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl] +server = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-server +client = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-client -[46-TLS 1.3 Ed448 CipherString and Groups Selection-server] +[46-TLS 1.3 Ed25519 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -1520,125 +1525,120 @@ MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[46-TLS 1.3 Ed448 CipherString and Groups Selection-client] +[46-TLS 1.3 Ed25519 Signature Algorithm Selection-client] CipherString = DEFAULT -Groups = X448 -SignatureAlgorithms = ECDSA+SHA256:ed448 +SignatureAlgorithms = ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-46] ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignType = EC +ExpectedServerCertType = Ed25519 +ExpectedServerSignType = Ed25519 # =========================================================== -[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection] -ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl +[47-TLS 1.3 Ed448 Signature Algorithm Selection] +ssl_conf = 47-TLS 1.3 Ed448 Signature Algorithm Selection-ssl -[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl] -server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server -client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client +[47-TLS 1.3 Ed448 Signature Algorithm Selection-ssl] +server = 47-TLS 1.3 Ed448 Signature Algorithm Selection-server +client = 47-TLS 1.3 Ed448 Signature Algorithm Selection-client -[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server] +[47-TLS 1.3 Ed448 Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ClientSignatureAlgorithms = PSS+SHA256 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require -[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client] +[47-TLS 1.3 Ed448 Signature Algorithm Selection-client] CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem -MaxProtocol = TLSv1.3 -MinProtocol = TLSv1.3 -RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +SignatureAlgorithms = ed448 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-47] -ExpectedClientCANames = empty -ExpectedClientCertType = RSA -ExpectedClientSignHash = SHA256 -ExpectedClientSignType = RSA-PSS ExpectedResult = Success +ExpectedServerCertType = Ed448 +ExpectedServerSignType = Ed448 # =========================================================== -[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names] -ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl +[48-TLS 1.3 Ed25519 CipherString and Groups Selection] +ssl_conf = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl -[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl] -server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server -client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client +[48-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl] +server = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-server +client = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-client -[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server] +[48-TLS 1.3 Ed25519 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ClientSignatureAlgorithms = PSS+SHA256 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require -[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client] +[48-TLS 1.3 Ed25519 CipherString and Groups Selection-client] CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem -MaxProtocol = TLSv1.3 -MinProtocol = TLSv1.3 -RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Groups = X25519 +SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-48] -ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem -ExpectedClientCertType = RSA -ExpectedClientSignHash = SHA256 -ExpectedClientSignType = RSA-PSS ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignType = EC # =========================================================== -[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection] -ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl +[49-TLS 1.3 Ed448 CipherString and Groups Selection] +ssl_conf = 49-TLS 1.3 Ed448 CipherString and Groups Selection-ssl -[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl] -server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server -client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client +[49-TLS 1.3 Ed448 CipherString and Groups Selection-ssl] +server = 49-TLS 1.3 Ed448 CipherString and Groups Selection-server +client = 49-TLS 1.3 Ed448 CipherString and Groups Selection-client -[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server] +[49-TLS 1.3 Ed448 CipherString and Groups Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ClientSignatureAlgorithms = ECDSA+SHA256 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.3 +MinProtocol = TLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyMode = Require -[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client] +[49-TLS 1.3 Ed448 CipherString and Groups Selection-client] CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem -MaxProtocol = TLSv1.3 -MinProtocol = TLSv1.3 -RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem +Groups = X448 +SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-49] -ExpectedClientCertType = P-256 -ExpectedClientSignHash = SHA256 -ExpectedClientSignType = EC ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignType = EC # =========================================================== diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index eeadf9ad3d..fd3f09d7fb 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in @@ -9,15 +9,29 @@ use warnings; package ssltests; use OpenSSL::Test::Utils; -my $server = { - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), - "MaxProtocol" => "TLSv1.2" -}; +our $fips_mode; +our $no_deflt_libctx; + +my $server; + +if ($fips_mode) { + #TODO(3.0): No EdDSA support in FIPS mode at the moment + $server = { + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "MaxProtocol" => "TLSv1.2" + }; +} else { + $server = { + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), + "MaxProtocol" => "TLSv1.2" + }; +} my $server_pss = { "PSS.Certificate" => test_pem("server-pss-cert.pem"), @@ -43,7 +57,7 @@ my $server_pss_restrict_only = { my $server_rsa_all; -if (NO_DEFLT_LIBCTX) { +if ($no_deflt_libctx) { $server_rsa_all = { "Certificate" => test_pem("servercert.pem"), "PrivateKey" => test_pem("serverkey.pem"), @@ -118,63 +132,6 @@ our @tests = ( "ExpectedResult" => "ServerFail" }, }, - { - name => "Ed25519 CipherString and Signature Algorithm Selection", - server => $server, - client => { - "CipherString" => "aECDSA", - "MaxProtocol" => "TLSv1.2", - "SignatureAlgorithms" => "ed25519:ECDSA+SHA256", - "RequestCAFile" => test_pem("root-cert.pem"), - }, - test => { - "ExpectedServerCertType" =>, "Ed25519", - "ExpectedServerSignType" =>, "Ed25519", - # Note: certificate_authorities not sent for TLS < 1.3 - "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, - { - name => "Ed448 CipherString and Signature Algorithm Selection", - server => $server, - client => { - "CipherString" => "aECDSA", - "MaxProtocol" => "TLSv1.2", - "SignatureAlgorithms" => "ed448:ECDSA+SHA256", - "RequestCAFile" => test_pem("root-ed448-cert.pem"), - "VerifyCAFile" => test_pem("root-ed448-cert.pem"), - }, - test => { - "ExpectedServerCertType" =>, "Ed448", - "ExpectedServerSignType" =>, "Ed448", - # Note: certificate_authorities not sent for TLS < 1.3 - "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, - { - name => "ECDSA with brainpool", - server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", - }, - client => { - #We don't restrict this to TLSv1.2, although use of brainpool - #should force this anyway so that this should succeed - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), - "Groups" => "brainpoolP256r1", - }, - test => { - "ExpectedServerCertType" =>, "brainpoolP256r1", - "ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities not sent for TLS < 1.3 - "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, { name => "RSA CipherString Selection", server => $server, @@ -203,41 +160,6 @@ our @tests = ( "ExpectedResult" => "Success" }, }, - { - name => "Ed25519 CipherString and Curves Selection", - server => $server, - client => { - "CipherString" => "aECDSA", - "MaxProtocol" => "TLSv1.2", - "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", - # Excluding P-256 from the supported curves list means server - # certificate should be Ed25519 and not P-256 - "Curves" => "X25519" - }, - test => { - "ExpectedServerCertType" =>, "Ed25519", - "ExpectedServerSignType" =>, "Ed25519", - "ExpectedResult" => "Success" - }, - }, - { - name => "Ed448 CipherString and Curves Selection", - server => $server, - client => { - "CipherString" => "aECDSA", - "MaxProtocol" => "TLSv1.2", - "SignatureAlgorithms" => "ECDSA+SHA256:ed448", - "VerifyCAFile" => test_pem("root-ed448-cert.pem"), - # Excluding P-256 from the supported curves list means server - # certificate should be Ed25519 and not P-256 - "Curves" => "X448" - }, - test => { - "ExpectedServerCertType" =>, "Ed448", - "ExpectedServerSignType" =>, "Ed448", - "ExpectedResult" => "Success" - }, - }, { name => "ECDSA CipherString Selection, no ECDSA certificate", server => { @@ -395,6 +317,102 @@ our @tests = ( "ExpectedResult" => "Success" }, }, +); + +my @tests_non_fips = ( + # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment + { + name => "Ed25519 CipherString and Signature Algorithm Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ed25519:ECDSA+SHA256", + "RequestCAFile" => test_pem("root-cert.pem"), + }, + test => { + "ExpectedServerCertType" =>, "Ed25519", + "ExpectedServerSignType" =>, "Ed25519", + # Note: certificate_authorities not sent for TLS < 1.3 + "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, + { + name => "Ed448 CipherString and Signature Algorithm Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ed448:ECDSA+SHA256", + "RequestCAFile" => test_pem("root-ed448-cert.pem"), + "VerifyCAFile" => test_pem("root-ed448-cert.pem"), + }, + test => { + "ExpectedServerCertType" =>, "Ed448", + "ExpectedServerSignType" =>, "Ed448", + # Note: certificate_authorities not sent for TLS < 1.3 + "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, + { + name => "ECDSA with brainpool", + server => { + "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), + "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), + "Groups" => "brainpoolP256r1", + }, + client => { + #We don't restrict this to TLSv1.2, although use of brainpool + #should force this anyway so that this should succeed + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), + "Groups" => "brainpoolP256r1", + }, + test => { + "ExpectedServerCertType" =>, "brainpoolP256r1", + "ExpectedServerSignType" =>, "EC", + # Note: certificate_authorities not sent for TLS < 1.3 + "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, + { + name => "Ed25519 CipherString and Curves Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", + # Excluding P-256 from the supported curves list means server + # certificate should be Ed25519 and not P-256 + "Curves" => "X25519" + }, + test => { + "ExpectedServerCertType" =>, "Ed25519", + "ExpectedServerSignType" =>, "Ed25519", + "ExpectedResult" => "Success" + }, + }, + { + name => "Ed448 CipherString and Curves Selection", + server => $server, + client => { + "CipherString" => "aECDSA", + "MaxProtocol" => "TLSv1.2", + "SignatureAlgorithms" => "ECDSA+SHA256:ed448", + "VerifyCAFile" => test_pem("root-ed448-cert.pem"), + # Excluding P-256 from the supported curves list means server + # certificate should be Ed25519 and not P-256 + "Curves" => "X448" + }, + test => { + "ExpectedServerCertType" =>, "Ed448", + "ExpectedServerSignType" =>, "Ed448", + "ExpectedResult" => "Success" + }, + }, { name => "TLS 1.2 Ed25519 Client Auth", server => { @@ -580,21 +598,34 @@ my @tests_tls_1_1 = ( }, ); -#TODO(3.0): Re-enable these PSS tests in a NO_DEFLT_LIBCTX build once we have +push @tests, @tests_non_fips unless $fips_mode; + +#TODO(3.0): Re-enable these PSS tests in a $no_deflt_libctx build once we have # support for it -push @tests, @tests_pss unless NO_DEFLT_LIBCTX; -push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX; +push @tests, @tests_pss unless $no_deflt_libctx; +push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx; -my $server_tls_1_3 = { - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), - "MinProtocol" => "TLSv1.3", - "MaxProtocol" => "TLSv1.3" -}; +my $server_tls_1_3; + +if ($fips_mode) { + $server_tls_1_3 = { + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "MinProtocol" => "TLSv1.3", + "MaxProtocol" => "TLSv1.3" + }; +} else { + $server_tls_1_3 = { + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), + "MinProtocol" => "TLSv1.3", + "MaxProtocol" => "TLSv1.3" + }; +} my $client_tls_1_3 = { "RSA.Certificate" => test_pem("ee-client-chain.pem"), @@ -713,6 +744,57 @@ my @tests_tls_1_3 = ( "ExpectedResult" => "Success" }, }, + { + name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection", + server => { + "ClientSignatureAlgorithms" => "PSS+SHA256", + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => $client_tls_1_3, + test => { + "ExpectedClientCertType" => "RSA", + "ExpectedClientSignHash" => "SHA256", + "ExpectedClientSignType" => "RSA-PSS", + "ExpectedClientCANames" => "empty", + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names", + server => { + "ClientSignatureAlgorithms" => "PSS+SHA256", + "VerifyCAFile" => test_pem("root-cert.pem"), + "RequestCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => $client_tls_1_3, + test => { + "ExpectedClientCertType" => "RSA", + "ExpectedClientSignHash" => "SHA256", + "ExpectedClientSignType" => "RSA-PSS", + "ExpectedClientCANames" => test_pem("root-cert.pem"), + "ExpectedResult" => "Success" + }, + }, + { + name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection", + server => { + "ClientSignatureAlgorithms" => "ECDSA+SHA256", + "VerifyCAFile" => test_pem("root-cert.pem"), + "VerifyMode" => "Require" + }, + client => $client_tls_1_3, + test => { + "ExpectedClientCertType" => "P-256", + "ExpectedClientSignHash" => "SHA256", + "ExpectedClientSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, +); + +my @tests_tls_1_3_non_fips = ( { name => "TLS 1.3 Ed25519 Signature Algorithm Selection", server => $server_tls_1_3, @@ -770,54 +852,6 @@ my @tests_tls_1_3 = ( "ExpectedResult" => "Success" }, }, - { - name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection", - server => { - "ClientSignatureAlgorithms" => "PSS+SHA256", - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Require" - }, - client => $client_tls_1_3, - test => { - "ExpectedClientCertType" => "RSA", - "ExpectedClientSignHash" => "SHA256", - "ExpectedClientSignType" => "RSA-PSS", - "ExpectedClientCANames" => "empty", - "ExpectedResult" => "Success" - }, - }, - { - name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names", - server => { - "ClientSignatureAlgorithms" => "PSS+SHA256", - "VerifyCAFile" => test_pem("root-cert.pem"), - "RequestCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Require" - }, - client => $client_tls_1_3, - test => { - "ExpectedClientCertType" => "RSA", - "ExpectedClientSignHash" => "SHA256", - "ExpectedClientSignType" => "RSA-PSS", - "ExpectedClientCANames" => test_pem("root-cert.pem"), - "ExpectedResult" => "Success" - }, - }, - { - name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection", - server => { - "ClientSignatureAlgorithms" => "ECDSA+SHA256", - "VerifyCAFile" => test_pem("root-cert.pem"), - "VerifyMode" => "Require" - }, - client => $client_tls_1_3, - test => { - "ExpectedClientCertType" => "P-256", - "ExpectedClientSignHash" => "SHA256", - "ExpectedClientSignType" => "EC", - "ExpectedResult" => "Success" - }, - }, { name => "TLS 1.3 Ed25519 Client Auth", server => { @@ -874,6 +908,7 @@ my @tests_tls_1_3 = ( ); push @tests, @tests_tls_1_3 unless disabled("tls1_3"); +push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode; my @tests_dsa_tls_1_2 = ( { @@ -929,6 +964,7 @@ my @tests_dsa_tls_1_3 = ( ); if (!disabled("dsa")) { - push @tests, @tests_dsa_tls_1_2 unless disabled("dh"); + #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation + push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode; push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3"); } diff --git a/test/ssl-tests/25-cipher.cnf.in b/test/ssl-tests/25-cipher.cnf.in index c7bfc61c9e..6eb51faad7 100644 --- a/test/ssl-tests/25-cipher.cnf.in +++ b/test/ssl-tests/25-cipher.cnf.in @@ -15,6 +15,8 @@ use warnings; package ssltests; use OpenSSL::Test::Utils; +our $fips_mode; + our @tests = ( { name => "cipher-server-1", @@ -153,4 +155,5 @@ my @tests_poly1305 = ( }, ); -push @tests, @tests_poly1305 unless disabled("poly1305") || disabled("chacha"); +push @tests, @tests_poly1305 + unless disabled("poly1305") || disabled("chacha") || $fips_mode; diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index aba5007947..2bd92533a4 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -12,6 +12,8 @@ package ssltests; use OpenSSL::Test::Utils; +our $fips_mode; + our @tests = ( { name => "SECLEVEL 3 with default key", @@ -79,5 +81,6 @@ our @tests_tls1_2 = ( }, ); -push @tests, @tests_ec unless disabled("ec"); -push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec"); +#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment +push @tests, @tests_ec unless disabled("ec") || $fips_mode; +push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode; diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 6923e2120a..36d19db76f 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -21,55 +21,82 @@ use OpenSSL::Test::Utils qw/anydisabled alldisabled disabled/; setup("no_test_here"); my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"); +my @tls_protocols_fips = ("TLSv1.2", "TLSv1.3"); # undef stands for "no limit". my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"); +my @min_tls_protocols_fips = (undef, "TLSv1.2", "TLSv1.3"); my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", undef); +my @max_tls_protocols_fips = ("TLSv1.2", "TLSv1.3", undef); my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3"); +my @is_tls_disabled_fips = anydisabled("tls1_2", "tls1_3"); my $min_tls_enabled; my $max_tls_enabled; +my $min_tls_enabled_fips; my $max_tls_enabled_fips; # Protocol configuration works in cascades, i.e., # $no_tls1_1 disables TLSv1.1 and below. # # $min_enabled and $max_enabled will be correct if there is at least one # protocol enabled. -foreach my $i (0..$#tls_protocols) { - if (!$is_tls_disabled[$i]) { - $min_tls_enabled = $i; - last; + +sub min_prot_enabled { + my $protref = shift; + my $disabledref = shift; + my @protocols = @{$protref}; + my @is_disabled = @{$disabledref}; + my $min_enabled; + + foreach my $i (0..$#protocols) { + if (!$is_disabled[$i]) { + $min_enabled = $i; + last; + } } + return $min_enabled; } -foreach my $i (0..$#tls_protocols) { - if (!$is_tls_disabled[$i]) { - $max_tls_enabled = $i; +sub max_prot_enabled { + my $protref = shift; + my $disabledref = shift; + my @protocols = @{$protref}; + my @is_disabled = @{$disabledref}; + my $max_enabled; + + foreach my $i (0..$#protocols) { + if (!$is_disabled[$i]) { + $max_enabled = $i; + } } + return $max_enabled; } +$min_tls_enabled = min_prot_enabled(\@tls_protocols, \@is_tls_disabled); +$max_tls_enabled = max_prot_enabled(\@tls_protocols, \@is_tls_disabled); +$min_tls_enabled_fips = min_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips); +$max_tls_enabled_fips = max_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips); + + my @dtls_protocols = ("DTLSv1", "DTLSv1.2"); +my @dtls_protocols_fips = ("DTLSv1.2"); # undef stands for "no limit". my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2"); +my @min_dtls_protocols_fips = (undef, "DTLSv1.2"); my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef); +my @max_dtls_protocols_fips = ("DTLSv1.2", undef); my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2"); +my @is_dtls_disabled_fips = anydisabled("dtls1_2"); my $min_dtls_enabled; my $max_dtls_enabled; +my $min_dtls_enabled_fips; my $max_dtls_enabled_fips; # $min_enabled and $max_enabled will be correct if there is at least one # protocol enabled. -foreach my $i (0..$#dtls_protocols) { - if (!$is_dtls_disabled[$i]) { - $min_dtls_enabled = $i; - last; - } -} - -foreach my $i (0..$#dtls_protocols) { - if (!$is_dtls_disabled[$i]) { - $max_dtls_enabled = $i; - } -} +$min_dtls_enabled = min_prot_enabled(\@dtls_protocols, \@is_dtls_disabled); +$max_dtls_enabled = max_prot_enabled(\@dtls_protocols, \@is_dtls_disabled); +$min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips); +$max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips); sub no_tests { my ($dtls) = @_; @@ -78,17 +105,31 @@ sub no_tests { } sub generate_version_tests { - my ($method) = @_; + my $method = shift; + my $fips = shift; my $dtls = $method eq "DTLS"; # Don't write the redundant "Method = TLS" into the configuration. undef $method if !$dtls; - my @protocols = $dtls ? @dtls_protocols : @tls_protocols; - my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols; - my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols; - my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled; - my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled; + my @protocols; + my @min_protocols; + my @max_protocols; + my $min_enabled; + my $max_enabled; + if ($fips) { + @protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips; + @min_protocols = $dtls ? @min_dtls_protocols_fips : @min_tls_protocols_fips; + @max_protocols = $dtls ? @max_dtls_protocols_fips : @max_tls_protocols_fips; + $min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips; + $max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips; + } else { + @protocols = $dtls ? @dtls_protocols : @tls_protocols; + @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols; + @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols; + $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled; + $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled; + } if (no_tests($dtls)) { return; @@ -166,15 +207,26 @@ sub generate_version_tests { } sub generate_resumption_tests { - my ($method) = @_; + my $method = shift; + my $fips = shift; my $dtls = $method eq "DTLS"; # Don't write the redundant "Method = TLS" into the configuration. undef $method if !$dtls; - my @protocols = $dtls ? @dtls_protocols : @tls_protocols; - my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled; - my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled; + my @protocols; + my $min_enabled; + my $max_enabled; + + if ($fips) { + @protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips; + $min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips; + $max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips; + } else { + @protocols = $dtls ? @dtls_protocols : @tls_protocols; + $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled; + $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled; + } if (no_tests($dtls)) { return; diff --git a/test/ssl-tests/ssltests_base.pm b/test/ssl-tests/ssltests_base.pm index c6004fa7b2..98c9a839ad 100644 --- a/test/ssl-tests/ssltests_base.pm +++ b/test/ssl-tests/ssltests_base.pm @@ -17,6 +17,9 @@ sub test_pem return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file, } +our $fips_mode = 0; +our $no_deflt_libctx = 0; + our %base_server = ( "Certificate" => test_pem("servercert.pem"), "PrivateKey" => test_pem("serverkey.pem"), diff --git a/test/ssl_test.c b/test/ssl_test.c index c4f1c6006e..d7fd9c273f 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -511,7 +511,7 @@ err: return ret; } -OPT_TEST_DECLARE_USAGE("conf_file\n") +OPT_TEST_DECLARE_USAGE("conf_file modulename [fips_conf_file]\n") int setup_tests(void) { @@ -534,11 +534,17 @@ int setup_tests(void) return 0; if (strcmp(modulename, "none") != 0) { + const char *configfile = test_get_argument(2); + defctxnull = OSSL_PROVIDER_load(NULL, "null"); libctx = OPENSSL_CTX_new(); if (!TEST_ptr(libctx)) return 0; + if (configfile != NULL + && !TEST_true(OPENSSL_CTX_load_config(libctx, configfile))) + return 0; + thisprov = OSSL_PROVIDER_load(libctx, modulename); if (!TEST_ptr(thisprov)) return 0;