1# -*- mode: perl; -*-
2
3## SSL test configurations
4
5package ssltests;
6
7use strict;
8use warnings;
9
10use OpenSSL::Test;
11use OpenSSL::Test::Utils qw(anydisabled);
12
13our $fips_mode;
14
15my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519",
16              "X448");
17
18#Curves *only* suitable for use in TLSv1.3
19my @curves_tls_1_3 = ("ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144",
20                      "ffdhe8192");
21
22push @curves, @curves_tls_1_3;
23
24my @curves_tls_1_2 = ("sect233k1", "sect233r1",
25              "sect283k1", "sect283r1", "sect409k1", "sect409r1",
26              "sect571k1", "sect571r1", "secp224r1");
27
28my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
29                       "sect163r1", "sect193r1", "sect193r2", "sect239k1",
30                       "secp160k1", "secp160r1", "secp160r2", "secp192k1",
31                       "secp224k1",  "secp256k1", "brainpoolP256r1",
32                       "brainpoolP384r1", "brainpoolP512r1");
33
34push @curves_tls_1_2, @curves_non_fips if !$fips_mode;
35
36our @tests = ();
37
38sub get_key_type {
39    my $group = shift;
40    my $keyType;
41
42    if ($group =~ /ffdhe/) {
43        $keyType = "dhKeyAgreement";
44    } else {
45        $keyType = $group;
46    }
47
48    return $keyType;
49}
50
51sub generate_tests() {
52    foreach (0..$#curves) {
53        my $curve = $curves[$_];
54        push @tests, {
55            name => "curve-${curve}",
56            server => {
57                "Curves" => $curve,
58                "MaxProtocol" => "TLSv1.3"
59            },
60            client => {
61                "CipherString" => "ECDHE",
62                "MaxProtocol" => "TLSv1.3",
63                "Curves" => $curve
64            },
65            test   => {
66                "ExpectedTmpKeyType" => get_key_type($curve),
67                "ExpectedProtocol" => "TLSv1.3",
68                "ExpectedResult" => "Success"
69            },
70        };
71    }
72    foreach (0..$#curves_tls_1_2) {
73        my $curve = $curves_tls_1_2[$_];
74        push @tests, {
75            name => "curve-${curve}",
76            server => {
77                "Curves" => $curve,
78                "MaxProtocol" => "TLSv1.3"
79            },
80            client => {
81                "CipherString" => "ECDHE",
82                "MaxProtocol" => "TLSv1.2",
83                "Curves" => $curve
84            },
85            test   => {
86                "ExpectedTmpKeyType" => get_key_type($curve),
87                "ExpectedProtocol" => "TLSv1.2",
88                "ExpectedResult" => "Success"
89            },
90        };
91    }
92    foreach (0..$#curves_tls_1_2) {
93        my $curve = $curves_tls_1_2[$_];
94        push @tests, {
95            name => "curve-${curve}-tls12-in-tls13",
96            server => {
97                "Curves" => "$curve:P-256",
98                "CipherString" => 'DEFAULT@SECLEVEL=1',
99                "MaxProtocol" => "TLSv1.3"
100            },
101            client => {
102                "CipherString" => 'ECDHE@SECLEVEL=1',
103                "MaxProtocol" => "TLSv1.3",
104                "MinProtocol" => "TLSv1.3",
105                "Curves" => "$curve:P-256"
106            },
107            test   => {
108                #This curve is not allowed in a TLSv1.3 key_share. We should
109                #succeed but fallback to P-256
110                "ExpectedTmpKeyType" => "P-256",
111                "ExpectedProtocol" => "TLSv1.3",
112                "ExpectedResult" => "Success"
113            },
114        };
115    }
116    foreach (0..$#curves_tls_1_2) {
117        my $curve = $curves_tls_1_2[$_];
118        push @tests, {
119            name => "curve-${curve}-tls13",
120            server => {
121                "Curves" => $curve,
122                "MaxProtocol" => "TLSv1.3"
123            },
124            client => {
125                "CipherString" => "ECDHE",
126                "MinProtocol" => "TLSv1.3",
127                "Curves" => $curve
128            },
129            test   => {
130                "ExpectedResult" => "ClientFail"
131            },
132        };
133    }
134    foreach (0..$#curves_tls_1_3) {
135        my $curve = $curves_tls_1_3[$_];
136        push @tests, {
137            name => "curve-${curve}-tls13-in-tls12",
138            server => {
139                "Curves" => $curve,
140                "CipherString" => 'DEFAULT@SECLEVEL=1',
141                "MaxProtocol" => "TLSv1.3"
142            },
143            client => {
144                "CipherString" => 'ECDHE@SECLEVEL=1',
145                "MaxProtocol" => "TLSv1.2",
146                "Curves" => $curve
147            },
148            test   => {
149                #These curves are only suitable for TLSv1.3 so we expect the
150                #server to fail because it has no shared groups for TLSv1.2
151                #ECDHE key exchange
152                "ExpectedResult" => "ServerFail"
153            },
154        };
155        push @tests, {
156            name => "curve-${curve}-tls13-in-tls12-2",
157            server => {
158                "Curves" => $curve,
159                "CipherString" => 'DEFAULT@SECLEVEL=1',
160                "MaxProtocol" => "TLSv1.2"
161            },
162            client => {
163                "CipherString" => 'DEFAULT@SECLEVEL=1',
164                "MaxProtocol" => "TLSv1.3",
165                "Curves" => $curve
166            },
167            test   => {
168                #These curves are only suitable for TLSv1.3. We expect TLSv1.2
169                #negotiation to succeed because we fall back to some other
170                #ciphersuite
171                "ExpectedResult" => "Success"
172            },
173        };
174    }
175}
176
177generate_tests();
178