sub read_config {
my $fname = shift;
my $provider = shift;
- my $fips_mode = "0";
- my $no_deflt_libctx = "0";
-
- $fips_mode = "1" if $provider eq "fips";
- $no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips";
+ local $ssltests::fips_mode = $provider eq "fips";
+ local $ssltests::no_deflt_libctx =
+ $provider eq "default" || $provider eq "fips";
open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
local $/ = undef;
my $content = <INPUT>;
- $content =~ s/FIPS_MODE/$fips_mode/g;
- $content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g;
-
close(INPUT);
eval $content;
warn $@ if $@;
use File::Basename;
use File::Compare qw/compare_text/;
use OpenSSL::Glob;
-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
+BEGIN {
setup("test_ssl_new");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 30; # = scalar @conf_srcs
+plan tests => 30 # = scalar @conf_srcs
+ + ($no_fips ? 0 : 1); # fipsinstall
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);
+unless ($no_fips) {
+ ok(run(app(['openssl', 'fipsinstall',
+ '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-module', bldtop_file('providers', platform->dso('fips')),
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-section_name', 'fips_sect'])),
+ "fipsinstall");
+}
+
foreach my $conf (@conf_files) {
subtest "Test configuration $conf" => sub {
- plan tests => 6;
+ plan tests => 6 + ($no_fips ? 0 : 3);
test_conf($conf,
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"default");
+ test_conf($conf,
+ 0,
+ defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+ "fips") unless $no_fips;
}
}
skip "No tests available; skipping tests", 1 if $skip;
skip "Stale sources; skipping tests", 1 if !$run_test;
- ok(run(test(["ssl_test", $output_file, $provider])),
- "running ssl_test $conf");
+ if ($provider eq "fips") {
+ ok(run(test(["ssl_test", $output_file, $provider,
+ srctop_file("test", "fips.cnf")])),
+ "running ssl_test $conf");
+ } else {
+ ok(run(test(["ssl_test", $output_file, $provider])),
+ "running ssl_test $conf");
+ }
}
}
use protocol_version;
-our @tests = generate_version_tests("TLS");
+our $fips_mode;
+
+our @tests = generate_version_tests("TLS", $fips_mode);
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");
-# We test version-flexible negotiation (undef) and each protocol version.
-my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
+our $fips_mode;
+my @protocols;
my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
+# We test version-flexible negotiation (undef) and each protocol version.
+if ($fips_mode) {
+ @protocols = (undef, "TLSv1.2", "DTLSv1.2");
+} else {
+ @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
+}
+
our @tests = ();
sub generate_tests() {
package ssltests;
use OpenSSL::Test::Utils;
+our $fips_mode;
+
our @tests = (
{
name => "SNI-switch-context",
},
);
-push @tests, @tests_tls_1_1 unless disabled("tls1_1");
+push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $fips_mode;
use protocol_version;
-our @tests = generate_version_tests("DTLS");
+our $fips_mode;
+
+our @tests = generate_version_tests("DTLS", $fips_mode);
use protocol_version;
-our @tests = generate_resumption_tests("TLS");
+our $fips_mode;
+
+our @tests = generate_resumption_tests("TLS", $fips_mode);
use protocol_version;
-our @tests = generate_resumption_tests("DTLS");
+our $fips_mode;
+
+our @tests = generate_resumption_tests("DTLS", $fips_mode);
num_tests = 30
test-0 = 0-curve-sect163k1
-test-1 = 1-curve-sect163r1
-test-2 = 2-curve-sect163r2
-test-3 = 3-curve-sect193r1
-test-4 = 4-curve-sect193r2
-test-5 = 5-curve-sect233k1
-test-6 = 6-curve-sect233r1
-test-7 = 7-curve-sect239k1
-test-8 = 8-curve-sect283k1
-test-9 = 9-curve-sect283r1
-test-10 = 10-curve-sect409k1
-test-11 = 11-curve-sect409r1
-test-12 = 12-curve-sect571k1
-test-13 = 13-curve-sect571r1
-test-14 = 14-curve-secp160k1
-test-15 = 15-curve-secp160r1
-test-16 = 16-curve-secp160r2
-test-17 = 17-curve-secp192k1
-test-18 = 18-curve-prime192v1
-test-19 = 19-curve-secp224k1
-test-20 = 20-curve-secp224r1
-test-21 = 21-curve-secp256k1
-test-22 = 22-curve-prime256v1
-test-23 = 23-curve-secp384r1
-test-24 = 24-curve-secp521r1
-test-25 = 25-curve-brainpoolP256r1
-test-26 = 26-curve-brainpoolP384r1
-test-27 = 27-curve-brainpoolP512r1
-test-28 = 28-curve-X25519
-test-29 = 29-curve-X448
+test-1 = 1-curve-sect163r2
+test-2 = 2-curve-sect233k1
+test-3 = 3-curve-sect233r1
+test-4 = 4-curve-sect283k1
+test-5 = 5-curve-sect283r1
+test-6 = 6-curve-sect409k1
+test-7 = 7-curve-sect409r1
+test-8 = 8-curve-sect571k1
+test-9 = 9-curve-sect571r1
+test-10 = 10-curve-prime192v1
+test-11 = 11-curve-secp224r1
+test-12 = 12-curve-prime256v1
+test-13 = 13-curve-secp384r1
+test-14 = 14-curve-secp521r1
+test-15 = 15-curve-X25519
+test-16 = 16-curve-X448
+test-17 = 17-curve-sect163r1
+test-18 = 18-curve-sect193r1
+test-19 = 19-curve-sect193r2
+test-20 = 20-curve-sect239k1
+test-21 = 21-curve-secp160k1
+test-22 = 22-curve-secp160r1
+test-23 = 23-curve-secp160r2
+test-24 = 24-curve-secp192k1
+test-25 = 25-curve-secp224k1
+test-26 = 26-curve-secp256k1
+test-27 = 27-curve-brainpoolP256r1
+test-28 = 28-curve-brainpoolP384r1
+test-29 = 29-curve-brainpoolP512r1
# ===========================================================
[0-curve-sect163k1]
# ===========================================================
-[1-curve-sect163r1]
-ssl_conf = 1-curve-sect163r1-ssl
+[1-curve-sect163r2]
+ssl_conf = 1-curve-sect163r2-ssl
-[1-curve-sect163r1-ssl]
-server = 1-curve-sect163r1-server
-client = 1-curve-sect163r1-client
+[1-curve-sect163r2-ssl]
+server = 1-curve-sect163r2-server
+client = 1-curve-sect163r2-client
-[1-curve-sect163r1-server]
+[1-curve-sect163r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect163r1
+Curves = sect163r2
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[1-curve-sect163r1-client]
+[1-curve-sect163r2-client]
CipherString = ECDHE
-Curves = sect163r1
+Curves = sect163r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ExpectedResult = Success
-ExpectedTmpKeyType = sect163r1
+ExpectedTmpKeyType = sect163r2
# ===========================================================
-[2-curve-sect163r2]
-ssl_conf = 2-curve-sect163r2-ssl
+[2-curve-sect233k1]
+ssl_conf = 2-curve-sect233k1-ssl
-[2-curve-sect163r2-ssl]
-server = 2-curve-sect163r2-server
-client = 2-curve-sect163r2-client
+[2-curve-sect233k1-ssl]
+server = 2-curve-sect233k1-server
+client = 2-curve-sect233k1-client
-[2-curve-sect163r2-server]
+[2-curve-sect233k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect163r2
+Curves = sect233k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[2-curve-sect163r2-client]
+[2-curve-sect233k1-client]
CipherString = ECDHE
-Curves = sect163r2
+Curves = sect233k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ExpectedResult = Success
-ExpectedTmpKeyType = sect163r2
+ExpectedTmpKeyType = sect233k1
# ===========================================================
-[3-curve-sect193r1]
-ssl_conf = 3-curve-sect193r1-ssl
+[3-curve-sect233r1]
+ssl_conf = 3-curve-sect233r1-ssl
-[3-curve-sect193r1-ssl]
-server = 3-curve-sect193r1-server
-client = 3-curve-sect193r1-client
+[3-curve-sect233r1-ssl]
+server = 3-curve-sect233r1-server
+client = 3-curve-sect233r1-client
-[3-curve-sect193r1-server]
+[3-curve-sect233r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect193r1
+Curves = sect233r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[3-curve-sect193r1-client]
+[3-curve-sect233r1-client]
CipherString = ECDHE
-Curves = sect193r1
+Curves = sect233r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ExpectedResult = Success
-ExpectedTmpKeyType = sect193r1
+ExpectedTmpKeyType = sect233r1
# ===========================================================
-[4-curve-sect193r2]
-ssl_conf = 4-curve-sect193r2-ssl
+[4-curve-sect283k1]
+ssl_conf = 4-curve-sect283k1-ssl
-[4-curve-sect193r2-ssl]
-server = 4-curve-sect193r2-server
-client = 4-curve-sect193r2-client
+[4-curve-sect283k1-ssl]
+server = 4-curve-sect283k1-server
+client = 4-curve-sect283k1-client
-[4-curve-sect193r2-server]
+[4-curve-sect283k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect193r2
+Curves = sect283k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[4-curve-sect193r2-client]
+[4-curve-sect283k1-client]
CipherString = ECDHE
-Curves = sect193r2
+Curves = sect283k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ExpectedResult = Success
-ExpectedTmpKeyType = sect193r2
+ExpectedTmpKeyType = sect283k1
# ===========================================================
-[5-curve-sect233k1]
-ssl_conf = 5-curve-sect233k1-ssl
+[5-curve-sect283r1]
+ssl_conf = 5-curve-sect283r1-ssl
-[5-curve-sect233k1-ssl]
-server = 5-curve-sect233k1-server
-client = 5-curve-sect233k1-client
+[5-curve-sect283r1-ssl]
+server = 5-curve-sect283r1-server
+client = 5-curve-sect283r1-client
-[5-curve-sect233k1-server]
+[5-curve-sect283r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect233k1
+Curves = sect283r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[5-curve-sect233k1-client]
+[5-curve-sect283r1-client]
CipherString = ECDHE
-Curves = sect233k1
+Curves = sect283r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
ExpectedResult = Success
-ExpectedTmpKeyType = sect233k1
+ExpectedTmpKeyType = sect283r1
# ===========================================================
-[6-curve-sect233r1]
-ssl_conf = 6-curve-sect233r1-ssl
+[6-curve-sect409k1]
+ssl_conf = 6-curve-sect409k1-ssl
-[6-curve-sect233r1-ssl]
-server = 6-curve-sect233r1-server
-client = 6-curve-sect233r1-client
+[6-curve-sect409k1-ssl]
+server = 6-curve-sect409k1-server
+client = 6-curve-sect409k1-client
-[6-curve-sect233r1-server]
+[6-curve-sect409k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect233r1
+Curves = sect409k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-curve-sect233r1-client]
+[6-curve-sect409k1-client]
CipherString = ECDHE
-Curves = sect233r1
+Curves = sect409k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ExpectedResult = Success
-ExpectedTmpKeyType = sect233r1
+ExpectedTmpKeyType = sect409k1
# ===========================================================
-[7-curve-sect239k1]
-ssl_conf = 7-curve-sect239k1-ssl
+[7-curve-sect409r1]
+ssl_conf = 7-curve-sect409r1-ssl
-[7-curve-sect239k1-ssl]
-server = 7-curve-sect239k1-server
-client = 7-curve-sect239k1-client
+[7-curve-sect409r1-ssl]
+server = 7-curve-sect409r1-server
+client = 7-curve-sect409r1-client
-[7-curve-sect239k1-server]
+[7-curve-sect409r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect239k1
+Curves = sect409r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-curve-sect239k1-client]
+[7-curve-sect409r1-client]
CipherString = ECDHE
-Curves = sect239k1
+Curves = sect409r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ExpectedResult = Success
-ExpectedTmpKeyType = sect239k1
+ExpectedTmpKeyType = sect409r1
# ===========================================================
-[8-curve-sect283k1]
-ssl_conf = 8-curve-sect283k1-ssl
+[8-curve-sect571k1]
+ssl_conf = 8-curve-sect571k1-ssl
-[8-curve-sect283k1-ssl]
-server = 8-curve-sect283k1-server
-client = 8-curve-sect283k1-client
+[8-curve-sect571k1-ssl]
+server = 8-curve-sect571k1-server
+client = 8-curve-sect571k1-client
-[8-curve-sect283k1-server]
+[8-curve-sect571k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect283k1
+Curves = sect571k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-curve-sect283k1-client]
+[8-curve-sect571k1-client]
CipherString = ECDHE
-Curves = sect283k1
+Curves = sect571k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ExpectedResult = Success
-ExpectedTmpKeyType = sect283k1
+ExpectedTmpKeyType = sect571k1
# ===========================================================
-[9-curve-sect283r1]
-ssl_conf = 9-curve-sect283r1-ssl
+[9-curve-sect571r1]
+ssl_conf = 9-curve-sect571r1-ssl
-[9-curve-sect283r1-ssl]
-server = 9-curve-sect283r1-server
-client = 9-curve-sect283r1-client
+[9-curve-sect571r1-ssl]
+server = 9-curve-sect571r1-server
+client = 9-curve-sect571r1-client
-[9-curve-sect283r1-server]
+[9-curve-sect571r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect283r1
+Curves = sect571r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-curve-sect283r1-client]
+[9-curve-sect571r1-client]
CipherString = ECDHE
-Curves = sect283r1
+Curves = sect571r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ExpectedResult = Success
-ExpectedTmpKeyType = sect283r1
+ExpectedTmpKeyType = sect571r1
# ===========================================================
-[10-curve-sect409k1]
-ssl_conf = 10-curve-sect409k1-ssl
+[10-curve-prime192v1]
+ssl_conf = 10-curve-prime192v1-ssl
-[10-curve-sect409k1-ssl]
-server = 10-curve-sect409k1-server
-client = 10-curve-sect409k1-client
+[10-curve-prime192v1-ssl]
+server = 10-curve-prime192v1-server
+client = 10-curve-prime192v1-client
-[10-curve-sect409k1-server]
+[10-curve-prime192v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect409k1
+Curves = prime192v1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-curve-sect409k1-client]
+[10-curve-prime192v1-client]
CipherString = ECDHE
-Curves = sect409k1
+Curves = prime192v1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-10]
ExpectedResult = Success
-ExpectedTmpKeyType = sect409k1
+ExpectedTmpKeyType = prime192v1
# ===========================================================
-[11-curve-sect409r1]
-ssl_conf = 11-curve-sect409r1-ssl
+[11-curve-secp224r1]
+ssl_conf = 11-curve-secp224r1-ssl
-[11-curve-sect409r1-ssl]
-server = 11-curve-sect409r1-server
-client = 11-curve-sect409r1-client
+[11-curve-secp224r1-ssl]
+server = 11-curve-secp224r1-server
+client = 11-curve-secp224r1-client
-[11-curve-sect409r1-server]
+[11-curve-secp224r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect409r1
+Curves = secp224r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[11-curve-sect409r1-client]
+[11-curve-secp224r1-client]
CipherString = ECDHE
-Curves = sect409r1
+Curves = secp224r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ExpectedResult = Success
-ExpectedTmpKeyType = sect409r1
+ExpectedTmpKeyType = secp224r1
# ===========================================================
-[12-curve-sect571k1]
-ssl_conf = 12-curve-sect571k1-ssl
+[12-curve-prime256v1]
+ssl_conf = 12-curve-prime256v1-ssl
-[12-curve-sect571k1-ssl]
-server = 12-curve-sect571k1-server
-client = 12-curve-sect571k1-client
+[12-curve-prime256v1-ssl]
+server = 12-curve-prime256v1-server
+client = 12-curve-prime256v1-client
-[12-curve-sect571k1-server]
+[12-curve-prime256v1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect571k1
+Curves = prime256v1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[12-curve-sect571k1-client]
+[12-curve-prime256v1-client]
CipherString = ECDHE
-Curves = sect571k1
+Curves = prime256v1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-12]
ExpectedResult = Success
-ExpectedTmpKeyType = sect571k1
+ExpectedTmpKeyType = prime256v1
# ===========================================================
-[13-curve-sect571r1]
-ssl_conf = 13-curve-sect571r1-ssl
+[13-curve-secp384r1]
+ssl_conf = 13-curve-secp384r1-ssl
-[13-curve-sect571r1-ssl]
-server = 13-curve-sect571r1-server
-client = 13-curve-sect571r1-client
+[13-curve-secp384r1-ssl]
+server = 13-curve-secp384r1-server
+client = 13-curve-secp384r1-client
-[13-curve-sect571r1-server]
+[13-curve-secp384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = sect571r1
+Curves = secp384r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[13-curve-sect571r1-client]
+[13-curve-secp384r1-client]
CipherString = ECDHE
-Curves = sect571r1
+Curves = secp384r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
ExpectedResult = Success
-ExpectedTmpKeyType = sect571r1
+ExpectedTmpKeyType = secp384r1
# ===========================================================
-[14-curve-secp160k1]
-ssl_conf = 14-curve-secp160k1-ssl
+[14-curve-secp521r1]
+ssl_conf = 14-curve-secp521r1-ssl
-[14-curve-secp160k1-ssl]
-server = 14-curve-secp160k1-server
-client = 14-curve-secp160k1-client
+[14-curve-secp521r1-ssl]
+server = 14-curve-secp521r1-server
+client = 14-curve-secp521r1-client
-[14-curve-secp160k1-server]
+[14-curve-secp521r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp160k1
+Curves = secp521r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[14-curve-secp160k1-client]
+[14-curve-secp521r1-client]
CipherString = ECDHE
-Curves = secp160k1
+Curves = secp521r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-14]
ExpectedResult = Success
-ExpectedTmpKeyType = secp160k1
+ExpectedTmpKeyType = secp521r1
# ===========================================================
-[15-curve-secp160r1]
-ssl_conf = 15-curve-secp160r1-ssl
+[15-curve-X25519]
+ssl_conf = 15-curve-X25519-ssl
-[15-curve-secp160r1-ssl]
-server = 15-curve-secp160r1-server
-client = 15-curve-secp160r1-client
+[15-curve-X25519-ssl]
+server = 15-curve-X25519-server
+client = 15-curve-X25519-client
-[15-curve-secp160r1-server]
+[15-curve-X25519-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp160r1
+Curves = X25519
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[15-curve-secp160r1-client]
+[15-curve-X25519-client]
CipherString = ECDHE
-Curves = secp160r1
+Curves = X25519
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-15]
ExpectedResult = Success
-ExpectedTmpKeyType = secp160r1
+ExpectedTmpKeyType = X25519
# ===========================================================
-[16-curve-secp160r2]
-ssl_conf = 16-curve-secp160r2-ssl
+[16-curve-X448]
+ssl_conf = 16-curve-X448-ssl
-[16-curve-secp160r2-ssl]
-server = 16-curve-secp160r2-server
-client = 16-curve-secp160r2-client
+[16-curve-X448-ssl]
+server = 16-curve-X448-server
+client = 16-curve-X448-client
-[16-curve-secp160r2-server]
+[16-curve-X448-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp160r2
+Curves = X448
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-curve-secp160r2-client]
+[16-curve-X448-client]
CipherString = ECDHE
-Curves = secp160r2
+Curves = X448
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-16]
ExpectedResult = Success
-ExpectedTmpKeyType = secp160r2
+ExpectedTmpKeyType = X448
# ===========================================================
-[17-curve-secp192k1]
-ssl_conf = 17-curve-secp192k1-ssl
+[17-curve-sect163r1]
+ssl_conf = 17-curve-sect163r1-ssl
-[17-curve-secp192k1-ssl]
-server = 17-curve-secp192k1-server
-client = 17-curve-secp192k1-client
+[17-curve-sect163r1-ssl]
+server = 17-curve-sect163r1-server
+client = 17-curve-sect163r1-client
-[17-curve-secp192k1-server]
+[17-curve-sect163r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp192k1
+Curves = sect163r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[17-curve-secp192k1-client]
+[17-curve-sect163r1-client]
CipherString = ECDHE
-Curves = secp192k1
+Curves = sect163r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-17]
ExpectedResult = Success
-ExpectedTmpKeyType = secp192k1
+ExpectedTmpKeyType = sect163r1
# ===========================================================
-[18-curve-prime192v1]
-ssl_conf = 18-curve-prime192v1-ssl
+[18-curve-sect193r1]
+ssl_conf = 18-curve-sect193r1-ssl
-[18-curve-prime192v1-ssl]
-server = 18-curve-prime192v1-server
-client = 18-curve-prime192v1-client
+[18-curve-sect193r1-ssl]
+server = 18-curve-sect193r1-server
+client = 18-curve-sect193r1-client
-[18-curve-prime192v1-server]
+[18-curve-sect193r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = prime192v1
+Curves = sect193r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[18-curve-prime192v1-client]
+[18-curve-sect193r1-client]
CipherString = ECDHE
-Curves = prime192v1
+Curves = sect193r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-18]
ExpectedResult = Success
-ExpectedTmpKeyType = prime192v1
+ExpectedTmpKeyType = sect193r1
# ===========================================================
-[19-curve-secp224k1]
-ssl_conf = 19-curve-secp224k1-ssl
+[19-curve-sect193r2]
+ssl_conf = 19-curve-sect193r2-ssl
-[19-curve-secp224k1-ssl]
-server = 19-curve-secp224k1-server
-client = 19-curve-secp224k1-client
+[19-curve-sect193r2-ssl]
+server = 19-curve-sect193r2-server
+client = 19-curve-sect193r2-client
-[19-curve-secp224k1-server]
+[19-curve-sect193r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp224k1
+Curves = sect193r2
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[19-curve-secp224k1-client]
+[19-curve-sect193r2-client]
CipherString = ECDHE
-Curves = secp224k1
+Curves = sect193r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-19]
ExpectedResult = Success
-ExpectedTmpKeyType = secp224k1
+ExpectedTmpKeyType = sect193r2
# ===========================================================
-[20-curve-secp224r1]
-ssl_conf = 20-curve-secp224r1-ssl
+[20-curve-sect239k1]
+ssl_conf = 20-curve-sect239k1-ssl
-[20-curve-secp224r1-ssl]
-server = 20-curve-secp224r1-server
-client = 20-curve-secp224r1-client
+[20-curve-sect239k1-ssl]
+server = 20-curve-sect239k1-server
+client = 20-curve-sect239k1-client
-[20-curve-secp224r1-server]
+[20-curve-sect239k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp224r1
+Curves = sect239k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[20-curve-secp224r1-client]
+[20-curve-sect239k1-client]
CipherString = ECDHE
-Curves = secp224r1
+Curves = sect239k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-20]
ExpectedResult = Success
-ExpectedTmpKeyType = secp224r1
+ExpectedTmpKeyType = sect239k1
# ===========================================================
-[21-curve-secp256k1]
-ssl_conf = 21-curve-secp256k1-ssl
+[21-curve-secp160k1]
+ssl_conf = 21-curve-secp160k1-ssl
-[21-curve-secp256k1-ssl]
-server = 21-curve-secp256k1-server
-client = 21-curve-secp256k1-client
+[21-curve-secp160k1-ssl]
+server = 21-curve-secp160k1-server
+client = 21-curve-secp160k1-client
-[21-curve-secp256k1-server]
+[21-curve-secp160k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp256k1
+Curves = secp160k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[21-curve-secp256k1-client]
+[21-curve-secp160k1-client]
CipherString = ECDHE
-Curves = secp256k1
+Curves = secp160k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-21]
ExpectedResult = Success
-ExpectedTmpKeyType = secp256k1
+ExpectedTmpKeyType = secp160k1
# ===========================================================
-[22-curve-prime256v1]
-ssl_conf = 22-curve-prime256v1-ssl
+[22-curve-secp160r1]
+ssl_conf = 22-curve-secp160r1-ssl
-[22-curve-prime256v1-ssl]
-server = 22-curve-prime256v1-server
-client = 22-curve-prime256v1-client
+[22-curve-secp160r1-ssl]
+server = 22-curve-secp160r1-server
+client = 22-curve-secp160r1-client
-[22-curve-prime256v1-server]
+[22-curve-secp160r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = prime256v1
+Curves = secp160r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[22-curve-prime256v1-client]
+[22-curve-secp160r1-client]
CipherString = ECDHE
-Curves = prime256v1
+Curves = secp160r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-22]
ExpectedResult = Success
-ExpectedTmpKeyType = prime256v1
+ExpectedTmpKeyType = secp160r1
# ===========================================================
-[23-curve-secp384r1]
-ssl_conf = 23-curve-secp384r1-ssl
+[23-curve-secp160r2]
+ssl_conf = 23-curve-secp160r2-ssl
-[23-curve-secp384r1-ssl]
-server = 23-curve-secp384r1-server
-client = 23-curve-secp384r1-client
+[23-curve-secp160r2-ssl]
+server = 23-curve-secp160r2-server
+client = 23-curve-secp160r2-client
-[23-curve-secp384r1-server]
+[23-curve-secp160r2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp384r1
+Curves = secp160r2
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[23-curve-secp384r1-client]
+[23-curve-secp160r2-client]
CipherString = ECDHE
-Curves = secp384r1
+Curves = secp160r2
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-23]
ExpectedResult = Success
-ExpectedTmpKeyType = secp384r1
+ExpectedTmpKeyType = secp160r2
# ===========================================================
-[24-curve-secp521r1]
-ssl_conf = 24-curve-secp521r1-ssl
+[24-curve-secp192k1]
+ssl_conf = 24-curve-secp192k1-ssl
-[24-curve-secp521r1-ssl]
-server = 24-curve-secp521r1-server
-client = 24-curve-secp521r1-client
+[24-curve-secp192k1-ssl]
+server = 24-curve-secp192k1-server
+client = 24-curve-secp192k1-client
-[24-curve-secp521r1-server]
+[24-curve-secp192k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = secp521r1
+Curves = secp192k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[24-curve-secp521r1-client]
+[24-curve-secp192k1-client]
CipherString = ECDHE
-Curves = secp521r1
+Curves = secp192k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-24]
ExpectedResult = Success
-ExpectedTmpKeyType = secp521r1
+ExpectedTmpKeyType = secp192k1
# ===========================================================
-[25-curve-brainpoolP256r1]
-ssl_conf = 25-curve-brainpoolP256r1-ssl
+[25-curve-secp224k1]
+ssl_conf = 25-curve-secp224k1-ssl
-[25-curve-brainpoolP256r1-ssl]
-server = 25-curve-brainpoolP256r1-server
-client = 25-curve-brainpoolP256r1-client
+[25-curve-secp224k1-ssl]
+server = 25-curve-secp224k1-server
+client = 25-curve-secp224k1-client
-[25-curve-brainpoolP256r1-server]
+[25-curve-secp224k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = brainpoolP256r1
+Curves = secp224k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[25-curve-brainpoolP256r1-client]
+[25-curve-secp224k1-client]
CipherString = ECDHE
-Curves = brainpoolP256r1
+Curves = secp224k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-25]
ExpectedResult = Success
-ExpectedTmpKeyType = brainpoolP256r1
+ExpectedTmpKeyType = secp224k1
# ===========================================================
-[26-curve-brainpoolP384r1]
-ssl_conf = 26-curve-brainpoolP384r1-ssl
+[26-curve-secp256k1]
+ssl_conf = 26-curve-secp256k1-ssl
-[26-curve-brainpoolP384r1-ssl]
-server = 26-curve-brainpoolP384r1-server
-client = 26-curve-brainpoolP384r1-client
+[26-curve-secp256k1-ssl]
+server = 26-curve-secp256k1-server
+client = 26-curve-secp256k1-client
-[26-curve-brainpoolP384r1-server]
+[26-curve-secp256k1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = brainpoolP384r1
+Curves = secp256k1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[26-curve-brainpoolP384r1-client]
+[26-curve-secp256k1-client]
CipherString = ECDHE
-Curves = brainpoolP384r1
+Curves = secp256k1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-26]
ExpectedResult = Success
-ExpectedTmpKeyType = brainpoolP384r1
+ExpectedTmpKeyType = secp256k1
# ===========================================================
-[27-curve-brainpoolP512r1]
-ssl_conf = 27-curve-brainpoolP512r1-ssl
+[27-curve-brainpoolP256r1]
+ssl_conf = 27-curve-brainpoolP256r1-ssl
-[27-curve-brainpoolP512r1-ssl]
-server = 27-curve-brainpoolP512r1-server
-client = 27-curve-brainpoolP512r1-client
+[27-curve-brainpoolP256r1-ssl]
+server = 27-curve-brainpoolP256r1-server
+client = 27-curve-brainpoolP256r1-client
-[27-curve-brainpoolP512r1-server]
+[27-curve-brainpoolP256r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = brainpoolP512r1
+Curves = brainpoolP256r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[27-curve-brainpoolP512r1-client]
+[27-curve-brainpoolP256r1-client]
CipherString = ECDHE
-Curves = brainpoolP512r1
+Curves = brainpoolP256r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-27]
ExpectedResult = Success
-ExpectedTmpKeyType = brainpoolP512r1
+ExpectedTmpKeyType = brainpoolP256r1
# ===========================================================
-[28-curve-X25519]
-ssl_conf = 28-curve-X25519-ssl
+[28-curve-brainpoolP384r1]
+ssl_conf = 28-curve-brainpoolP384r1-ssl
-[28-curve-X25519-ssl]
-server = 28-curve-X25519-server
-client = 28-curve-X25519-client
+[28-curve-brainpoolP384r1-ssl]
+server = 28-curve-brainpoolP384r1-server
+client = 28-curve-brainpoolP384r1-client
-[28-curve-X25519-server]
+[28-curve-brainpoolP384r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = X25519
+Curves = brainpoolP384r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[28-curve-X25519-client]
+[28-curve-brainpoolP384r1-client]
CipherString = ECDHE
-Curves = X25519
+Curves = brainpoolP384r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-28]
ExpectedResult = Success
-ExpectedTmpKeyType = X25519
+ExpectedTmpKeyType = brainpoolP384r1
# ===========================================================
-[29-curve-X448]
-ssl_conf = 29-curve-X448-ssl
+[29-curve-brainpoolP512r1]
+ssl_conf = 29-curve-brainpoolP512r1-ssl
-[29-curve-X448-ssl]
-server = 29-curve-X448-server
-client = 29-curve-X448-client
+[29-curve-brainpoolP512r1-ssl]
+server = 29-curve-brainpoolP512r1-server
+client = 29-curve-brainpoolP512r1-client
-[29-curve-X448-server]
+[29-curve-brainpoolP512r1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Curves = X448
+Curves = brainpoolP512r1
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[29-curve-X448-client]
+[29-curve-brainpoolP512r1-client]
CipherString = ECDHE
-Curves = X448
+Curves = brainpoolP512r1
MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-29]
ExpectedResult = Success
-ExpectedTmpKeyType = X448
+ExpectedTmpKeyType = brainpoolP512r1
use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
-my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1",
- "sect193r2", "sect233k1", "sect233r1", "sect239k1",
+our $fips_mode;
+
+my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1",
"sect283k1", "sect283r1", "sect409k1", "sect409r1",
- "sect571k1", "sect571r1", "secp160k1", "secp160r1",
- "secp160r2", "secp192k1", "prime192v1", "secp224k1",
- "secp224r1", "secp256k1", "prime256v1", "secp384r1",
- "secp521r1", "brainpoolP256r1", "brainpoolP384r1",
- "brainpoolP512r1", "X25519", "X448");
+ "sect571k1", "sect571r1", "prime192v1", "secp224r1",
+ "prime256v1", "secp384r1", "secp521r1", "X25519",
+ "X448");
+
+my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1",
+ "secp160k1", "secp160r1", "secp160r2", "secp192k1",
+ "secp224k1", "secp256k1", "brainpoolP256r1",
+ "brainpoolP384r1", "brainpoolP512r1");
+
+push @curves, @curves_non_fips if !$fips_mode;
our @tests = ();
test-0 = 0-ECDSA CipherString Selection
test-1 = 1-ECDSA CipherString Selection
test-2 = 2-ECDSA CipherString Selection
-test-3 = 3-Ed25519 CipherString and Signature Algorithm Selection
-test-4 = 4-Ed448 CipherString and Signature Algorithm Selection
-test-5 = 5-ECDSA with brainpool
-test-6 = 6-RSA CipherString Selection
-test-7 = 7-P-256 CipherString and Signature Algorithm Selection
-test-8 = 8-Ed25519 CipherString and Curves Selection
-test-9 = 9-Ed448 CipherString and Curves Selection
-test-10 = 10-ECDSA CipherString Selection, no ECDSA certificate
-test-11 = 11-ECDSA Signature Algorithm Selection
-test-12 = 12-ECDSA Signature Algorithm Selection SHA384
-test-13 = 13-ECDSA Signature Algorithm Selection SHA1
-test-14 = 14-ECDSA Signature Algorithm Selection compressed point
-test-15 = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate
-test-16 = 16-RSA Signature Algorithm Selection
-test-17 = 17-RSA-PSS Signature Algorithm Selection
-test-18 = 18-RSA key exchange with all RSA certificate types
-test-19 = 19-Suite B P-256 Hash Algorithm Selection
-test-20 = 20-Suite B P-384 Hash Algorithm Selection
+test-3 = 3-RSA CipherString Selection
+test-4 = 4-P-256 CipherString and Signature Algorithm Selection
+test-5 = 5-ECDSA CipherString Selection, no ECDSA certificate
+test-6 = 6-ECDSA Signature Algorithm Selection
+test-7 = 7-ECDSA Signature Algorithm Selection SHA384
+test-8 = 8-ECDSA Signature Algorithm Selection SHA1
+test-9 = 9-ECDSA Signature Algorithm Selection compressed point
+test-10 = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-11 = 11-RSA Signature Algorithm Selection
+test-12 = 12-RSA-PSS Signature Algorithm Selection
+test-13 = 13-RSA key exchange with all RSA certificate types
+test-14 = 14-Suite B P-256 Hash Algorithm Selection
+test-15 = 15-Suite B P-384 Hash Algorithm Selection
+test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection
+test-17 = 17-Ed448 CipherString and Signature Algorithm Selection
+test-18 = 18-ECDSA with brainpool
+test-19 = 19-Ed25519 CipherString and Curves Selection
+test-20 = 20-Ed448 CipherString and Curves Selection
test-21 = 21-TLS 1.2 Ed25519 Client Auth
test-22 = 22-TLS 1.2 Ed448 Client Auth
test-23 = 23-RSA-PSS Certificate CipherString Selection
test-40 = 40-TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate
test-41 = 41-TLS 1.3 RSA Signature Algorithm Selection, no PSS
test-42 = 42-TLS 1.3 RSA-PSS Signature Algorithm Selection
-test-43 = 43-TLS 1.3 Ed25519 Signature Algorithm Selection
-test-44 = 44-TLS 1.3 Ed448 Signature Algorithm Selection
-test-45 = 45-TLS 1.3 Ed25519 CipherString and Groups Selection
-test-46 = 46-TLS 1.3 Ed448 CipherString and Groups Selection
-test-47 = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection
-test-48 = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
-test-49 = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
+test-43 = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection
+test-44 = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names
+test-45 = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection
+test-46 = 46-TLS 1.3 Ed25519 Signature Algorithm Selection
+test-47 = 47-TLS 1.3 Ed448 Signature Algorithm Selection
+test-48 = 48-TLS 1.3 Ed25519 CipherString and Groups Selection
+test-49 = 49-TLS 1.3 Ed448 CipherString and Groups Selection
test-50 = 50-TLS 1.3 Ed25519 Client Auth
test-51 = 51-TLS 1.3 Ed448 Client Auth
test-52 = 52-TLS 1.3 ECDSA with brainpool
# ===========================================================
-[3-Ed25519 CipherString and Signature Algorithm Selection]
-ssl_conf = 3-Ed25519 CipherString and Signature Algorithm Selection-ssl
+[3-RSA CipherString Selection]
+ssl_conf = 3-RSA CipherString Selection-ssl
-[3-Ed25519 CipherString and Signature Algorithm Selection-ssl]
-server = 3-Ed25519 CipherString and Signature Algorithm Selection-server
-client = 3-Ed25519 CipherString and Signature Algorithm Selection-client
+[3-RSA CipherString Selection-ssl]
+server = 3-RSA CipherString Selection-server
+client = 3-RSA CipherString Selection-client
-[3-Ed25519 CipherString and Signature Algorithm Selection-server]
+[3-RSA CipherString Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[3-Ed25519 CipherString and Signature Algorithm Selection-client]
-CipherString = aECDSA
+[3-RSA CipherString Selection-client]
+CipherString = aRSA
MaxProtocol = TLSv1.2
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-SignatureAlgorithms = ed25519:ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
+ExpectedServerCertType = RSA
+ExpectedServerSignType = RSA-PSS
# ===========================================================
-[4-Ed448 CipherString and Signature Algorithm Selection]
-ssl_conf = 4-Ed448 CipherString and Signature Algorithm Selection-ssl
+[4-P-256 CipherString and Signature Algorithm Selection]
+ssl_conf = 4-P-256 CipherString and Signature Algorithm Selection-ssl
-[4-Ed448 CipherString and Signature Algorithm Selection-ssl]
-server = 4-Ed448 CipherString and Signature Algorithm Selection-server
-client = 4-Ed448 CipherString and Signature Algorithm Selection-client
+[4-P-256 CipherString and Signature Algorithm Selection-ssl]
+server = 4-P-256 CipherString and Signature Algorithm Selection-server
+client = 4-P-256 CipherString and Signature Algorithm Selection-client
-[4-Ed448 CipherString and Signature Algorithm Selection-server]
+[4-P-256 CipherString and Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[4-Ed448 CipherString and Signature Algorithm Selection-client]
+[4-P-256 CipherString and Signature Algorithm Selection-client]
CipherString = aECDSA
MaxProtocol = TLSv1.2
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
-SignatureAlgorithms = ed448:ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+SignatureAlgorithms = ECDSA+SHA256:ed25519
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-4]
ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
# ===========================================================
-[5-ECDSA with brainpool]
-ssl_conf = 5-ECDSA with brainpool-ssl
+[5-ECDSA CipherString Selection, no ECDSA certificate]
+ssl_conf = 5-ECDSA CipherString Selection, no ECDSA certificate-ssl
-[5-ECDSA with brainpool-ssl]
-server = 5-ECDSA with brainpool-server
-client = 5-ECDSA with brainpool-client
+[5-ECDSA CipherString Selection, no ECDSA certificate-ssl]
+server = 5-ECDSA CipherString Selection, no ECDSA certificate-server
+client = 5-ECDSA CipherString Selection, no ECDSA certificate-client
-[5-ECDSA with brainpool-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
+[5-ECDSA CipherString Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-Groups = brainpoolP256r1
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[5-ECDSA with brainpool-client]
+[5-ECDSA CipherString Selection, no ECDSA certificate-client]
CipherString = aECDSA
-Groups = brainpoolP256r1
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
-ExpectedResult = Success
-ExpectedServerCANames = empty
-ExpectedServerCertType = brainpoolP256r1
-ExpectedServerSignType = EC
+ExpectedResult = ServerFail
# ===========================================================
-[6-RSA CipherString Selection]
-ssl_conf = 6-RSA CipherString Selection-ssl
+[6-ECDSA Signature Algorithm Selection]
+ssl_conf = 6-ECDSA Signature Algorithm Selection-ssl
-[6-RSA CipherString Selection-ssl]
-server = 6-RSA CipherString Selection-server
-client = 6-RSA CipherString Selection-client
+[6-ECDSA Signature Algorithm Selection-ssl]
+server = 6-ECDSA Signature Algorithm Selection-server
+client = 6-ECDSA Signature Algorithm Selection-client
-[6-RSA CipherString Selection-server]
+[6-ECDSA Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-RSA CipherString Selection-client]
-CipherString = aRSA
-MaxProtocol = TLSv1.2
+[6-ECDSA Signature Algorithm Selection-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
# ===========================================================
-[7-P-256 CipherString and Signature Algorithm Selection]
-ssl_conf = 7-P-256 CipherString and Signature Algorithm Selection-ssl
+[7-ECDSA Signature Algorithm Selection SHA384]
+ssl_conf = 7-ECDSA Signature Algorithm Selection SHA384-ssl
-[7-P-256 CipherString and Signature Algorithm Selection-ssl]
-server = 7-P-256 CipherString and Signature Algorithm Selection-server
-client = 7-P-256 CipherString and Signature Algorithm Selection-client
+[7-ECDSA Signature Algorithm Selection SHA384-ssl]
+server = 7-ECDSA Signature Algorithm Selection SHA384-server
+client = 7-ECDSA Signature Algorithm Selection SHA384-client
-[7-P-256 CipherString and Signature Algorithm Selection-server]
+[7-ECDSA Signature Algorithm Selection SHA384-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-P-256 CipherString and Signature Algorithm Selection-client]
-CipherString = aECDSA
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed25519
+[7-ECDSA Signature Algorithm Selection SHA384-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA384
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-7]
ExpectedResult = Success
ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA256
+ExpectedServerSignHash = SHA384
ExpectedServerSignType = EC
# ===========================================================
-[8-Ed25519 CipherString and Curves Selection]
-ssl_conf = 8-Ed25519 CipherString and Curves Selection-ssl
+[8-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 8-ECDSA Signature Algorithm Selection SHA1-ssl
-[8-Ed25519 CipherString and Curves Selection-ssl]
-server = 8-Ed25519 CipherString and Curves Selection-server
-client = 8-Ed25519 CipherString and Curves Selection-client
+[8-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 8-ECDSA Signature Algorithm Selection SHA1-server
+client = 8-ECDSA Signature Algorithm Selection SHA1-client
-[8-Ed25519 CipherString and Curves Selection-server]
+[8-ECDSA Signature Algorithm Selection SHA1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-Ed25519 CipherString and Curves Selection-client]
-CipherString = aECDSA
-Curves = X25519
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed25519
+[8-ECDSA Signature Algorithm Selection SHA1-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-8]
ExpectedResult = Success
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA1
+ExpectedServerSignType = EC
# ===========================================================
-[9-Ed448 CipherString and Curves Selection]
-ssl_conf = 9-Ed448 CipherString and Curves Selection-ssl
+[9-ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 9-ECDSA Signature Algorithm Selection compressed point-ssl
-[9-Ed448 CipherString and Curves Selection-ssl]
-server = 9-Ed448 CipherString and Curves Selection-server
-client = 9-Ed448 CipherString and Curves Selection-client
+[9-ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 9-ECDSA Signature Algorithm Selection compressed point-server
+client = 9-ECDSA Signature Algorithm Selection compressed point-client
-[9-Ed448 CipherString and Curves Selection-server]
+[9-ECDSA Signature Algorithm Selection compressed point-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-Ed448 CipherString and Curves Selection-client]
-CipherString = aECDSA
-Curves = X448
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+[9-ECDSA Signature Algorithm Selection compressed point-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-9]
ExpectedResult = Success
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
# ===========================================================
-[10-ECDSA CipherString Selection, no ECDSA certificate]
-ssl_conf = 10-ECDSA CipherString Selection, no ECDSA certificate-ssl
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
-[10-ECDSA CipherString Selection, no ECDSA certificate-ssl]
-server = 10-ECDSA CipherString Selection, no ECDSA certificate-server
-client = 10-ECDSA CipherString Selection, no ECDSA certificate-client
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
-[10-ECDSA CipherString Selection, no ECDSA certificate-server]
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-ECDSA CipherString Selection, no ECDSA certificate-client]
-CipherString = aECDSA
-MaxProtocol = TLSv1.2
+[10-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
# ===========================================================
-[11-ECDSA Signature Algorithm Selection]
-ssl_conf = 11-ECDSA Signature Algorithm Selection-ssl
+[11-RSA Signature Algorithm Selection]
+ssl_conf = 11-RSA Signature Algorithm Selection-ssl
-[11-ECDSA Signature Algorithm Selection-ssl]
-server = 11-ECDSA Signature Algorithm Selection-server
-client = 11-ECDSA Signature Algorithm Selection-client
+[11-RSA Signature Algorithm Selection-ssl]
+server = 11-RSA Signature Algorithm Selection-server
+client = 11-RSA Signature Algorithm Selection-client
-[11-ECDSA Signature Algorithm Selection-server]
+[11-RSA Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[11-ECDSA Signature Algorithm Selection-client]
+[11-RSA Signature Algorithm Selection-client]
CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
+SignatureAlgorithms = RSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-11]
ExpectedResult = Success
-ExpectedServerCertType = P-256
+ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA256
-ExpectedServerSignType = EC
+ExpectedServerSignType = RSA
# ===========================================================
-[12-ECDSA Signature Algorithm Selection SHA384]
-ssl_conf = 12-ECDSA Signature Algorithm Selection SHA384-ssl
+[12-RSA-PSS Signature Algorithm Selection]
+ssl_conf = 12-RSA-PSS Signature Algorithm Selection-ssl
-[12-ECDSA Signature Algorithm Selection SHA384-ssl]
-server = 12-ECDSA Signature Algorithm Selection SHA384-server
-client = 12-ECDSA Signature Algorithm Selection SHA384-client
+[12-RSA-PSS Signature Algorithm Selection-ssl]
+server = 12-RSA-PSS Signature Algorithm Selection-server
+client = 12-RSA-PSS Signature Algorithm Selection-client
-[12-ECDSA Signature Algorithm Selection SHA384-server]
+[12-RSA-PSS Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[12-ECDSA Signature Algorithm Selection SHA384-client]
+[12-RSA-PSS Signature Algorithm Selection-client]
CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA384
+SignatureAlgorithms = RSA-PSS+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-12]
ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA384
-ExpectedServerSignType = EC
+ExpectedServerCertType = RSA
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = RSA-PSS
# ===========================================================
-[13-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 13-ECDSA Signature Algorithm Selection SHA1-ssl
+[13-RSA key exchange with all RSA certificate types]
+ssl_conf = 13-RSA key exchange with all RSA certificate types-ssl
-[13-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 13-ECDSA Signature Algorithm Selection SHA1-server
-client = 13-ECDSA Signature Algorithm Selection SHA1-client
+[13-RSA key exchange with all RSA certificate types-ssl]
+server = 13-RSA key exchange with all RSA certificate types-server
+client = 13-RSA key exchange with all RSA certificate types-client
-[13-ECDSA Signature Algorithm Selection SHA1-server]
+[13-RSA key exchange with all RSA certificate types-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
+PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
+PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[13-ECDSA Signature Algorithm Selection SHA1-client]
-CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA1
+[13-RSA key exchange with all RSA certificate types-client]
+CipherString = kRSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-13]
ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA1
-ExpectedServerSignType = EC
+ExpectedServerCertType = RSA
# ===========================================================
-[14-ECDSA Signature Algorithm Selection compressed point]
-ssl_conf = 14-ECDSA Signature Algorithm Selection compressed point-ssl
+[14-Suite B P-256 Hash Algorithm Selection]
+ssl_conf = 14-Suite B P-256 Hash Algorithm Selection-ssl
-[14-ECDSA Signature Algorithm Selection compressed point-ssl]
-server = 14-ECDSA Signature Algorithm Selection compressed point-server
-client = 14-ECDSA Signature Algorithm Selection compressed point-client
+[14-Suite B P-256 Hash Algorithm Selection-ssl]
+server = 14-Suite B P-256 Hash Algorithm Selection-server
+client = 14-Suite B P-256 Hash Algorithm Selection-client
-[14-ECDSA Signature Algorithm Selection compressed point-server]
+[14-Suite B P-256 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
+CipherString = SUITEB128
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[14-ECDSA Signature Algorithm Selection compressed point-client]
+[14-Suite B P-256 Hash Algorithm Selection-client]
CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
[test-14]
# ===========================================================
-[15-ECDSA Signature Algorithm Selection, no ECDSA certificate]
-ssl_conf = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+[15-Suite B P-384 Hash Algorithm Selection]
+ssl_conf = 15-Suite B P-384 Hash Algorithm Selection-ssl
-[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
-server = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
-client = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+[15-Suite B P-384 Hash Algorithm Selection-ssl]
+server = 15-Suite B P-384 Hash Algorithm Selection-server
+client = 15-Suite B P-384 Hash Algorithm Selection-client
-[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+[15-Suite B P-384 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = SUITEB128
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+[15-Suite B P-384 Hash Algorithm Selection-client]
CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
[test-15]
-ExpectedResult = ServerFail
+ExpectedResult = Success
+ExpectedServerCertType = P-384
+ExpectedServerSignHash = SHA384
+ExpectedServerSignType = EC
# ===========================================================
-[16-RSA Signature Algorithm Selection]
-ssl_conf = 16-RSA Signature Algorithm Selection-ssl
+[16-Ed25519 CipherString and Signature Algorithm Selection]
+ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl
-[16-RSA Signature Algorithm Selection-ssl]
-server = 16-RSA Signature Algorithm Selection-server
-client = 16-RSA Signature Algorithm Selection-client
+[16-Ed25519 CipherString and Signature Algorithm Selection-ssl]
+server = 16-Ed25519 CipherString and Signature Algorithm Selection-server
+client = 16-Ed25519 CipherString and Signature Algorithm Selection-client
-[16-RSA Signature Algorithm Selection-server]
+[16-Ed25519 CipherString and Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[16-RSA Signature Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = RSA+SHA256
+[16-Ed25519 CipherString and Signature Algorithm Selection-client]
+CipherString = aECDSA
+MaxProtocol = TLSv1.2
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+SignatureAlgorithms = ed25519:ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-16]
ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA
+ExpectedServerCANames = empty
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
# ===========================================================
-[17-RSA-PSS Signature Algorithm Selection]
-ssl_conf = 17-RSA-PSS Signature Algorithm Selection-ssl
+[17-Ed448 CipherString and Signature Algorithm Selection]
+ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl
-[17-RSA-PSS Signature Algorithm Selection-ssl]
-server = 17-RSA-PSS Signature Algorithm Selection-server
-client = 17-RSA-PSS Signature Algorithm Selection-client
+[17-Ed448 CipherString and Signature Algorithm Selection-ssl]
+server = 17-Ed448 CipherString and Signature Algorithm Selection-server
+client = 17-Ed448 CipherString and Signature Algorithm Selection-client
-[17-RSA-PSS Signature Algorithm Selection-server]
+[17-Ed448 CipherString and Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[17-RSA-PSS Signature Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = RSA-PSS+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[17-Ed448 CipherString and Signature Algorithm Selection-client]
+CipherString = aECDSA
+MaxProtocol = TLSv1.2
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+SignatureAlgorithms = ed448:ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
VerifyMode = Peer
[test-17]
ExpectedResult = Success
-ExpectedServerCertType = RSA
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = RSA-PSS
+ExpectedServerCANames = empty
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
# ===========================================================
-[18-RSA key exchange with all RSA certificate types]
-ssl_conf = 18-RSA key exchange with all RSA certificate types-ssl
+[18-ECDSA with brainpool]
+ssl_conf = 18-ECDSA with brainpool-ssl
-[18-RSA key exchange with all RSA certificate types-ssl]
-server = 18-RSA key exchange with all RSA certificate types-server
-client = 18-RSA key exchange with all RSA certificate types-client
+[18-ECDSA with brainpool-ssl]
+server = 18-ECDSA with brainpool-server
+client = 18-ECDSA with brainpool-client
-[18-RSA key exchange with all RSA certificate types-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+[18-ECDSA with brainpool-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
CipherString = DEFAULT
-PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem
-PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+Groups = brainpoolP256r1
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
-[18-RSA key exchange with all RSA certificate types-client]
-CipherString = kRSA
-MaxProtocol = TLSv1.2
+[18-ECDSA with brainpool-client]
+CipherString = aECDSA
+Groups = brainpoolP256r1
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-18]
ExpectedResult = Success
-ExpectedServerCertType = RSA
+ExpectedServerCANames = empty
+ExpectedServerCertType = brainpoolP256r1
+ExpectedServerSignType = EC
# ===========================================================
-[19-Suite B P-256 Hash Algorithm Selection]
-ssl_conf = 19-Suite B P-256 Hash Algorithm Selection-ssl
+[19-Ed25519 CipherString and Curves Selection]
+ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl
-[19-Suite B P-256 Hash Algorithm Selection-ssl]
-server = 19-Suite B P-256 Hash Algorithm Selection-server
-client = 19-Suite B P-256 Hash Algorithm Selection-client
+[19-Ed25519 CipherString and Curves Selection-ssl]
+server = 19-Ed25519 CipherString and Curves Selection-server
+client = 19-Ed25519 CipherString and Curves Selection-client
-[19-Suite B P-256 Hash Algorithm Selection-server]
+[19-Ed25519 CipherString and Curves Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = SUITEB128
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[19-Suite B P-256 Hash Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[19-Ed25519 CipherString and Curves Selection-client]
+CipherString = aECDSA
+Curves = X25519
+MaxProtocol = TLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ed25519
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-19]
ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignHash = SHA256
-ExpectedServerSignType = EC
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
# ===========================================================
-[20-Suite B P-384 Hash Algorithm Selection]
-ssl_conf = 20-Suite B P-384 Hash Algorithm Selection-ssl
+[20-Ed448 CipherString and Curves Selection]
+ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl
-[20-Suite B P-384 Hash Algorithm Selection-ssl]
-server = 20-Suite B P-384 Hash Algorithm Selection-server
-client = 20-Suite B P-384 Hash Algorithm Selection-client
+[20-Ed448 CipherString and Curves Selection-ssl]
+server = 20-Ed448 CipherString and Curves Selection-server
+client = 20-Ed448 CipherString and Curves Selection-client
-[20-Suite B P-384 Hash Algorithm Selection-server]
+[20-Ed448 CipherString and Curves Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = SUITEB128
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[20-Suite B P-384 Hash Algorithm Selection-client]
-CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[20-Ed448 CipherString and Curves Selection-client]
+CipherString = aECDSA
+Curves = X448
+MaxProtocol = TLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ed448
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
VerifyMode = Peer
[test-20]
ExpectedResult = Success
-ExpectedServerCertType = P-384
-ExpectedServerSignHash = SHA384
-ExpectedServerSignType = EC
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
# ===========================================================
# ===========================================================
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection]
-ssl_conf = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
+ssl_conf = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
-server = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-server
-client = 43-TLS 1.3 Ed25519 Signature Algorithm Selection-client
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
+server = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
+client = 43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
+ClientSignatureAlgorithms = PSS+SHA256
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
-[43-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
+[43-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
CipherString = DEFAULT
-SignatureAlgorithms = ed25519
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-43]
+ExpectedClientCANames = empty
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA-PSS
ExpectedResult = Success
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
# ===========================================================
-[44-TLS 1.3 Ed448 Signature Algorithm Selection]
-ssl_conf = 44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
+ssl_conf = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
-[44-TLS 1.3 Ed448 Signature Algorithm Selection-ssl]
-server = 44-TLS 1.3 Ed448 Signature Algorithm Selection-server
-client = 44-TLS 1.3 Ed448 Signature Algorithm Selection-client
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
+server = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
+client = 44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
-[44-TLS 1.3 Ed448 Signature Algorithm Selection-server]
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
+ClientSignatureAlgorithms = PSS+SHA256
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
-[44-TLS 1.3 Ed448 Signature Algorithm Selection-client]
+[44-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
CipherString = DEFAULT
-SignatureAlgorithms = ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-44]
+ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+ExpectedClientCertType = RSA
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = RSA-PSS
ExpectedResult = Success
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
# ===========================================================
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection]
-ssl_conf = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
+ssl_conf = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
-server = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-server
-client = 45-TLS 1.3 Ed25519 CipherString and Groups Selection-client
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
+server = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
+client = 45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
+ClientSignatureAlgorithms = ECDSA+SHA256
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
-[45-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
+[45-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
CipherString = DEFAULT
-Groups = X25519
-SignatureAlgorithms = ECDSA+SHA256:ed25519
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
+RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-45]
+ExpectedClientCertType = P-256
+ExpectedClientSignHash = SHA256
+ExpectedClientSignType = EC
ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignType = EC
# ===========================================================
-[46-TLS 1.3 Ed448 CipherString and Groups Selection]
-ssl_conf = 46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection]
+ssl_conf = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl
-[46-TLS 1.3 Ed448 CipherString and Groups Selection-ssl]
-server = 46-TLS 1.3 Ed448 CipherString and Groups Selection-server
-client = 46-TLS 1.3 Ed448 CipherString and Groups Selection-client
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection-ssl]
+server = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-server
+client = 46-TLS 1.3 Ed25519 Signature Algorithm Selection-client
-[46-TLS 1.3 Ed448 CipherString and Groups Selection-server]
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[46-TLS 1.3 Ed448 CipherString and Groups Selection-client]
+[46-TLS 1.3 Ed25519 Signature Algorithm Selection-client]
CipherString = DEFAULT
-Groups = X448
-SignatureAlgorithms = ECDSA+SHA256:ed448
+SignatureAlgorithms = ed25519
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-46]
ExpectedResult = Success
-ExpectedServerCertType = P-256
-ExpectedServerSignType = EC
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
# ===========================================================
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection]
-ssl_conf = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl
+[47-TLS 1.3 Ed448 Signature Algorithm Selection]
+ssl_conf = 47-TLS 1.3 Ed448 Signature Algorithm Selection-ssl
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-ssl]
-server = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server
-client = 47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client
+[47-TLS 1.3 Ed448 Signature Algorithm Selection-ssl]
+server = 47-TLS 1.3 Ed448 Signature Algorithm Selection-server
+client = 47-TLS 1.3 Ed448 Signature Algorithm Selection-client
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-server]
+[47-TLS 1.3 Ed448 Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ClientSignatureAlgorithms = PSS+SHA256
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
-[47-TLS 1.3 RSA Client Auth Signature Algorithm Selection-client]
+[47-TLS 1.3 Ed448 Signature Algorithm Selection-client]
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
-RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+SignatureAlgorithms = ed448
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
VerifyMode = Peer
[test-47]
-ExpectedClientCANames = empty
-ExpectedClientCertType = RSA
-ExpectedClientSignHash = SHA256
-ExpectedClientSignType = RSA-PSS
ExpectedResult = Success
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
# ===========================================================
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names]
-ssl_conf = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection]
+ssl_conf = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-ssl]
-server = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server
-client = 48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection-ssl]
+server = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-server
+client = 48-TLS 1.3 Ed25519 CipherString and Groups Selection-client
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-server]
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ClientSignatureAlgorithms = PSS+SHA256
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
-[48-TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names-client]
+[48-TLS 1.3 Ed25519 CipherString and Groups Selection-client]
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
-RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Groups = X25519
+SignatureAlgorithms = ECDSA+SHA256:ed25519
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-48]
-ExpectedClientCANames = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-ExpectedClientCertType = RSA
-ExpectedClientSignHash = SHA256
-ExpectedClientSignType = RSA-PSS
ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignType = EC
# ===========================================================
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection]
-ssl_conf = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl
+[49-TLS 1.3 Ed448 CipherString and Groups Selection]
+ssl_conf = 49-TLS 1.3 Ed448 CipherString and Groups Selection-ssl
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-ssl]
-server = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server
-client = 49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client
+[49-TLS 1.3 Ed448 CipherString and Groups Selection-ssl]
+server = 49-TLS 1.3 Ed448 CipherString and Groups Selection-server
+client = 49-TLS 1.3 Ed448 CipherString and Groups Selection-client
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-server]
+[49-TLS 1.3 Ed448 CipherString and Groups Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-ClientSignatureAlgorithms = ECDSA+SHA256
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.3
+MinProtocol = TLSv1.3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
-VerifyMode = Require
-[49-TLS 1.3 ECDSA Client Auth Signature Algorithm Selection-client]
+[49-TLS 1.3 Ed448 CipherString and Groups Selection-client]
CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-client-chain.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-ecdsa-key.pem
-MaxProtocol = TLSv1.3
-MinProtocol = TLSv1.3
-RSA.Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-RSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+Groups = X448
+SignatureAlgorithms = ECDSA+SHA256:ed448
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-49]
-ExpectedClientCertType = P-256
-ExpectedClientSignHash = SHA256
-ExpectedClientSignType = EC
ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignType = EC
# ===========================================================
package ssltests;
use OpenSSL::Test::Utils;
-my $server = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2"
-};
+our $fips_mode;
+our $no_deflt_libctx;
+
+my $server;
+
+if ($fips_mode) {
+ #TODO(3.0): No EdDSA support in FIPS mode at the moment
+ $server = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ };
+} else {
+ $server = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ };
+}
my $server_pss = {
"PSS.Certificate" => test_pem("server-pss-cert.pem"),
my $server_rsa_all;
-if (NO_DEFLT_LIBCTX) {
+if ($no_deflt_libctx) {
$server_rsa_all = {
"Certificate" => test_pem("servercert.pem"),
"PrivateKey" => test_pem("serverkey.pem"),
"ExpectedResult" => "ServerFail"
},
},
- {
- name => "Ed25519 CipherString and Signature Algorithm Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
- "RequestCAFile" => test_pem("root-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" =>, "Ed25519",
- "ExpectedServerSignType" =>, "Ed25519",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Ed448 CipherString and Signature Algorithm Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
- "RequestCAFile" => test_pem("root-ed448-cert.pem"),
- "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
- },
- test => {
- "ExpectedServerCertType" =>, "Ed448",
- "ExpectedServerSignType" =>, "Ed448",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "ECDSA with brainpool",
- server => {
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
- "Groups" => "brainpoolP256r1",
- },
- client => {
- #We don't restrict this to TLSv1.2, although use of brainpool
- #should force this anyway so that this should succeed
- "CipherString" => "aECDSA",
- "RequestCAFile" => test_pem("root-cert.pem"),
- "Groups" => "brainpoolP256r1",
- },
- test => {
- "ExpectedServerCertType" =>, "brainpoolP256r1",
- "ExpectedServerSignType" =>, "EC",
- # Note: certificate_authorities not sent for TLS < 1.3
- "ExpectedServerCANames" =>, "empty",
- "ExpectedResult" => "Success"
- },
- },
{
name => "RSA CipherString Selection",
server => $server,
"ExpectedResult" => "Success"
},
},
- {
- name => "Ed25519 CipherString and Curves Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
- # Excluding P-256 from the supported curves list means server
- # certificate should be Ed25519 and not P-256
- "Curves" => "X25519"
- },
- test => {
- "ExpectedServerCertType" =>, "Ed25519",
- "ExpectedServerSignType" =>, "Ed25519",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "Ed448 CipherString and Curves Selection",
- server => $server,
- client => {
- "CipherString" => "aECDSA",
- "MaxProtocol" => "TLSv1.2",
- "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
- "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
- # Excluding P-256 from the supported curves list means server
- # certificate should be Ed25519 and not P-256
- "Curves" => "X448"
- },
- test => {
- "ExpectedServerCertType" =>, "Ed448",
- "ExpectedServerSignType" =>, "Ed448",
- "ExpectedResult" => "Success"
- },
- },
{
name => "ECDSA CipherString Selection, no ECDSA certificate",
server => {
"ExpectedResult" => "Success"
},
},
+);
+
+my @tests_non_fips = (
+ # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
+ {
+ name => "Ed25519 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed25519",
+ "ExpectedServerSignType" =>, "Ed25519",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed448 CipherString and Signature Algorithm Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ed448:ECDSA+SHA256",
+ "RequestCAFile" => test_pem("root-ed448-cert.pem"),
+ "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed448",
+ "ExpectedServerSignType" =>, "Ed448",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA with brainpool",
+ server => {
+ "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
+ "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ client => {
+ #We don't restrict this to TLSv1.2, although use of brainpool
+ #should force this anyway so that this should succeed
+ "CipherString" => "aECDSA",
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ "Groups" => "brainpoolP256r1",
+ },
+ test => {
+ "ExpectedServerCertType" =>, "brainpoolP256r1",
+ "ExpectedServerSignType" =>, "EC",
+ # Note: certificate_authorities not sent for TLS < 1.3
+ "ExpectedServerCANames" =>, "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed25519 CipherString and Curves Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+ # Excluding P-256 from the supported curves list means server
+ # certificate should be Ed25519 and not P-256
+ "Curves" => "X25519"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed25519",
+ "ExpectedServerSignType" =>, "Ed25519",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "Ed448 CipherString and Curves Selection",
+ server => $server,
+ client => {
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
+ "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
+ "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
+ # Excluding P-256 from the supported curves list means server
+ # certificate should be Ed25519 and not P-256
+ "Curves" => "X448"
+ },
+ test => {
+ "ExpectedServerCertType" =>, "Ed448",
+ "ExpectedServerSignType" =>, "Ed448",
+ "ExpectedResult" => "Success"
+ },
+ },
{
name => "TLS 1.2 Ed25519 Client Auth",
server => {
},
);
-#TODO(3.0): Re-enable these PSS tests in a NO_DEFLT_LIBCTX build once we have
+push @tests, @tests_non_fips unless $fips_mode;
+
+#TODO(3.0): Re-enable these PSS tests in a $no_deflt_libctx build once we have
# support for it
-push @tests, @tests_pss unless NO_DEFLT_LIBCTX;
-push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX;
+push @tests, @tests_pss unless $no_deflt_libctx;
+push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx;
-my $server_tls_1_3 = {
- "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
- "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
- "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
- "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
- "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
- "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
- "MinProtocol" => "TLSv1.3",
- "MaxProtocol" => "TLSv1.3"
-};
+my $server_tls_1_3;
+
+if ($fips_mode) {
+ $server_tls_1_3 = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ };
+} else {
+ $server_tls_1_3 = {
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
+ "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
+ "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
+ "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
+ "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ };
+}
my $client_tls_1_3 = {
"RSA.Certificate" => test_pem("ee-client-chain.pem"),
"ExpectedResult" => "Success"
},
},
+ {
+ name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
+ server => {
+ "ClientSignatureAlgorithms" => "PSS+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedClientCANames" => "empty",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
+ server => {
+ "ClientSignatureAlgorithms" => "PSS+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "RequestCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "RSA",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "RSA-PSS",
+ "ExpectedClientCANames" => test_pem("root-cert.pem"),
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
+ server => {
+ "ClientSignatureAlgorithms" => "ECDSA+SHA256",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
+ "VerifyMode" => "Require"
+ },
+ client => $client_tls_1_3,
+ test => {
+ "ExpectedClientCertType" => "P-256",
+ "ExpectedClientSignHash" => "SHA256",
+ "ExpectedClientSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
+my @tests_tls_1_3_non_fips = (
{
name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
server => $server_tls_1_3,
"ExpectedResult" => "Success"
},
},
- {
- name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
- server => {
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => $client_tls_1_3,
- test => {
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientCANames" => "empty",
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
- server => {
- "ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "RequestCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => $client_tls_1_3,
- test => {
- "ExpectedClientCertType" => "RSA",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientSignType" => "RSA-PSS",
- "ExpectedClientCANames" => test_pem("root-cert.pem"),
- "ExpectedResult" => "Success"
- },
- },
- {
- name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
- server => {
- "ClientSignatureAlgorithms" => "ECDSA+SHA256",
- "VerifyCAFile" => test_pem("root-cert.pem"),
- "VerifyMode" => "Require"
- },
- client => $client_tls_1_3,
- test => {
- "ExpectedClientCertType" => "P-256",
- "ExpectedClientSignHash" => "SHA256",
- "ExpectedClientSignType" => "EC",
- "ExpectedResult" => "Success"
- },
- },
{
name => "TLS 1.3 Ed25519 Client Auth",
server => {
);
push @tests, @tests_tls_1_3 unless disabled("tls1_3");
+push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode;
my @tests_dsa_tls_1_2 = (
{
);
if (!disabled("dsa")) {
- push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
+ #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
}
package ssltests;
use OpenSSL::Test::Utils;
+our $fips_mode;
+
our @tests = (
{
name => "cipher-server-1",
},
);
-push @tests, @tests_poly1305 unless disabled("poly1305") || disabled("chacha");
+push @tests, @tests_poly1305
+ unless disabled("poly1305") || disabled("chacha") || $fips_mode;
package ssltests;
use OpenSSL::Test::Utils;
+our $fips_mode;
+
our @tests = (
{
name => "SECLEVEL 3 with default key",
},
);
-push @tests, @tests_ec unless disabled("ec");
-push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
+#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
+push @tests, @tests_ec unless disabled("ec") || $fips_mode;
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;
setup("no_test_here");
my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
+my @tls_protocols_fips = ("TLSv1.2", "TLSv1.3");
# undef stands for "no limit".
my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
+my @min_tls_protocols_fips = (undef, "TLSv1.2", "TLSv1.3");
my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", undef);
+my @max_tls_protocols_fips = ("TLSv1.2", "TLSv1.3", undef);
my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
+my @is_tls_disabled_fips = anydisabled("tls1_2", "tls1_3");
my $min_tls_enabled; my $max_tls_enabled;
+my $min_tls_enabled_fips; my $max_tls_enabled_fips;
# Protocol configuration works in cascades, i.e.,
# $no_tls1_1 disables TLSv1.1 and below.
#
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
-foreach my $i (0..$#tls_protocols) {
- if (!$is_tls_disabled[$i]) {
- $min_tls_enabled = $i;
- last;
+
+sub min_prot_enabled {
+ my $protref = shift;
+ my $disabledref = shift;
+ my @protocols = @{$protref};
+ my @is_disabled = @{$disabledref};
+ my $min_enabled;
+
+ foreach my $i (0..$#protocols) {
+ if (!$is_disabled[$i]) {
+ $min_enabled = $i;
+ last;
+ }
}
+ return $min_enabled;
}
-foreach my $i (0..$#tls_protocols) {
- if (!$is_tls_disabled[$i]) {
- $max_tls_enabled = $i;
+sub max_prot_enabled {
+ my $protref = shift;
+ my $disabledref = shift;
+ my @protocols = @{$protref};
+ my @is_disabled = @{$disabledref};
+ my $max_enabled;
+
+ foreach my $i (0..$#protocols) {
+ if (!$is_disabled[$i]) {
+ $max_enabled = $i;
+ }
}
+ return $max_enabled;
}
+$min_tls_enabled = min_prot_enabled(\@tls_protocols, \@is_tls_disabled);
+$max_tls_enabled = max_prot_enabled(\@tls_protocols, \@is_tls_disabled);
+$min_tls_enabled_fips = min_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
+$max_tls_enabled_fips = max_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
+
+
my @dtls_protocols = ("DTLSv1", "DTLSv1.2");
+my @dtls_protocols_fips = ("DTLSv1.2");
# undef stands for "no limit".
my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2");
+my @min_dtls_protocols_fips = (undef, "DTLSv1.2");
my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef);
+my @max_dtls_protocols_fips = ("DTLSv1.2", undef);
my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2");
+my @is_dtls_disabled_fips = anydisabled("dtls1_2");
my $min_dtls_enabled; my $max_dtls_enabled;
+my $min_dtls_enabled_fips; my $max_dtls_enabled_fips;
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
-foreach my $i (0..$#dtls_protocols) {
- if (!$is_dtls_disabled[$i]) {
- $min_dtls_enabled = $i;
- last;
- }
-}
-
-foreach my $i (0..$#dtls_protocols) {
- if (!$is_dtls_disabled[$i]) {
- $max_dtls_enabled = $i;
- }
-}
+$min_dtls_enabled = min_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
+$max_dtls_enabled = max_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
+$min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
+$max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
sub no_tests {
my ($dtls) = @_;
}
sub generate_version_tests {
- my ($method) = @_;
+ my $method = shift;
+ my $fips = shift;
my $dtls = $method eq "DTLS";
# Don't write the redundant "Method = TLS" into the configuration.
undef $method if !$dtls;
- my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
- my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
- my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
- my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
- my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+ my @protocols;
+ my @min_protocols;
+ my @max_protocols;
+ my $min_enabled;
+ my $max_enabled;
+ if ($fips) {
+ @protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
+ @min_protocols = $dtls ? @min_dtls_protocols_fips : @min_tls_protocols_fips;
+ @max_protocols = $dtls ? @max_dtls_protocols_fips : @max_tls_protocols_fips;
+ $min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
+ $max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
+ } else {
+ @protocols = $dtls ? @dtls_protocols : @tls_protocols;
+ @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
+ @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
+ $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
+ $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+ }
if (no_tests($dtls)) {
return;
}
sub generate_resumption_tests {
- my ($method) = @_;
+ my $method = shift;
+ my $fips = shift;
my $dtls = $method eq "DTLS";
# Don't write the redundant "Method = TLS" into the configuration.
undef $method if !$dtls;
- my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
- my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
- my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+ my @protocols;
+ my $min_enabled;
+ my $max_enabled;
+
+ if ($fips) {
+ @protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
+ $min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
+ $max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
+ } else {
+ @protocols = $dtls ? @dtls_protocols : @tls_protocols;
+ $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
+ $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
+ }
if (no_tests($dtls)) {
return;
return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file,
}
+our $fips_mode = 0;
+our $no_deflt_libctx = 0;
+
our %base_server = (
"Certificate" => test_pem("servercert.pem"),
"PrivateKey" => test_pem("serverkey.pem"),
return ret;
}
-OPT_TEST_DECLARE_USAGE("conf_file\n")
+OPT_TEST_DECLARE_USAGE("conf_file modulename [fips_conf_file]\n")
int setup_tests(void)
{
return 0;
if (strcmp(modulename, "none") != 0) {
+ const char *configfile = test_get_argument(2);
+
defctxnull = OSSL_PROVIDER_load(NULL, "null");
libctx = OPENSSL_CTX_new();
if (!TEST_ptr(libctx))
return 0;
+ if (configfile != NULL
+ && !TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
+ return 0;
+
thisprov = OSSL_PROVIDER_load(libctx, modulename);
if (!TEST_ptr(thisprov))
return 0;
projects / oweals / openssl.git / commitdiff