1e0c4386eSCy Schubert# -*- mode: perl; -*- 2e0c4386eSCy Schubert 3e0c4386eSCy Schubert## SSL test configurations 4e0c4386eSCy Schubert 5e0c4386eSCy Schubert 6e0c4386eSCy Schubertuse strict; 7e0c4386eSCy Schubertuse warnings; 8e0c4386eSCy Schubert 9e0c4386eSCy Schubertpackage ssltests; 10e0c4386eSCy Schubertuse OpenSSL::Test::Utils; 11e0c4386eSCy Schubert 12e0c4386eSCy Schubertour $fips_mode; 13e0c4386eSCy Schubertour $no_deflt_libctx; 14e0c4386eSCy Schubert 15e0c4386eSCy Schubertmy $server = { 16e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 17e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 18e0c4386eSCy Schubert "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), 19e0c4386eSCy Schubert "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), 20e0c4386eSCy Schubert "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), 21e0c4386eSCy Schubert "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), 22e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 23e0c4386eSCy Schubert}; 24e0c4386eSCy Schubert 25e0c4386eSCy Schubertmy $server_pss = { 26e0c4386eSCy Schubert "PSS.Certificate" => test_pem("server-pss-cert.pem"), 27e0c4386eSCy Schubert "PSS.PrivateKey" => test_pem("server-pss-key.pem"), 28e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 29e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 30e0c4386eSCy Schubert "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), 31e0c4386eSCy Schubert "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), 32e0c4386eSCy Schubert "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), 33e0c4386eSCy Schubert "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), 34e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 35e0c4386eSCy Schubert}; 36e0c4386eSCy Schubert 37e0c4386eSCy Schubertmy $server_pss_only = { 38e0c4386eSCy Schubert "Certificate" => test_pem("server-pss-cert.pem"), 39e0c4386eSCy Schubert "PrivateKey" => test_pem("server-pss-key.pem"), 40e0c4386eSCy Schubert}; 41e0c4386eSCy Schubert 42e0c4386eSCy Schubertmy $server_pss_restrict_only = { 43e0c4386eSCy Schubert "Certificate" => test_pem("server-pss-restrict-cert.pem"), 44e0c4386eSCy Schubert "PrivateKey" => test_pem("server-pss-restrict-key.pem"), 45e0c4386eSCy Schubert}; 46e0c4386eSCy Schubert 47e0c4386eSCy Schubertmy $server_rsa_all; 48e0c4386eSCy Schubert 49e0c4386eSCy Schubertif ($no_deflt_libctx) { 50e0c4386eSCy Schubert $server_rsa_all = { 51e0c4386eSCy Schubert "Certificate" => test_pem("servercert.pem"), 52e0c4386eSCy Schubert "PrivateKey" => test_pem("serverkey.pem"), 53e0c4386eSCy Schubert }; 54e0c4386eSCy Schubert} else { 55e0c4386eSCy Schubert $server_rsa_all = { 56e0c4386eSCy Schubert "PSS.Certificate" => test_pem("server-pss-cert.pem"), 57e0c4386eSCy Schubert "PSS.PrivateKey" => test_pem("server-pss-key.pem"), 58e0c4386eSCy Schubert "Certificate" => test_pem("servercert.pem"), 59e0c4386eSCy Schubert "PrivateKey" => test_pem("serverkey.pem"), 60e0c4386eSCy Schubert }; 61e0c4386eSCy Schubert} 62e0c4386eSCy Schubert 63e0c4386eSCy Schubertour @tests = ( 64e0c4386eSCy Schubert { 65e0c4386eSCy Schubert name => "ECDSA CipherString Selection", 66e0c4386eSCy Schubert server => $server, 67e0c4386eSCy Schubert client => { 68e0c4386eSCy Schubert "CipherString" => "aECDSA", 69e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 70e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 71e0c4386eSCy Schubert }, 72e0c4386eSCy Schubert test => { 73e0c4386eSCy Schubert "ExpectedServerCertType" =>, "P-256", 74e0c4386eSCy Schubert "ExpectedServerSignType" =>, "EC", 75e0c4386eSCy Schubert # Note: certificate_authorities not sent for TLS < 1.3 76e0c4386eSCy Schubert "ExpectedServerCANames" =>, "empty", 77e0c4386eSCy Schubert "ExpectedResult" => "Success" 78e0c4386eSCy Schubert }, 79e0c4386eSCy Schubert }, 80e0c4386eSCy Schubert { 81e0c4386eSCy Schubert name => "ECDSA CipherString Selection", 82e0c4386eSCy Schubert server => { 83e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 84e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 85e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 86e0c4386eSCy Schubert #Deliberately set supported_groups to one not in the cert. This 87e0c4386eSCy Schubert #should be tolerated 88e0c4386eSCy Schubert "Groups" => "P-384" 89e0c4386eSCy Schubert }, 90e0c4386eSCy Schubert client => { 91e0c4386eSCy Schubert "CipherString" => "aECDSA", 92e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 93e0c4386eSCy Schubert "Groups" => "P-256:P-384", 94e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 95e0c4386eSCy Schubert }, 96e0c4386eSCy Schubert test => { 97e0c4386eSCy Schubert "ExpectedServerCertType" =>, "P-256", 98e0c4386eSCy Schubert "ExpectedServerSignType" =>, "EC", 99e0c4386eSCy Schubert # Note: certificate_authorities not sent for TLS < 1.3 100e0c4386eSCy Schubert "ExpectedServerCANames" =>, "empty", 101e0c4386eSCy Schubert "ExpectedResult" => "Success" 102e0c4386eSCy Schubert }, 103e0c4386eSCy Schubert }, 104e0c4386eSCy Schubert { 105e0c4386eSCy Schubert name => "ECDSA CipherString Selection", 106e0c4386eSCy Schubert server => { 107e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 108e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 109e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 110e0c4386eSCy Schubert "Groups" => "P-256:P-384" 111e0c4386eSCy Schubert }, 112e0c4386eSCy Schubert client => { 113e0c4386eSCy Schubert "CipherString" => "aECDSA", 114e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 115e0c4386eSCy Schubert #Deliberately set groups to not include the certificate group. This 116e0c4386eSCy Schubert #should fail 117e0c4386eSCy Schubert "Groups" => "P-384", 118e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 119e0c4386eSCy Schubert }, 120e0c4386eSCy Schubert test => { 121e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 122e0c4386eSCy Schubert }, 123e0c4386eSCy Schubert }, 124e0c4386eSCy Schubert { 125e0c4386eSCy Schubert name => "RSA CipherString Selection", 126e0c4386eSCy Schubert server => $server, 127e0c4386eSCy Schubert client => { 128e0c4386eSCy Schubert "CipherString" => "aRSA", 129e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 130e0c4386eSCy Schubert }, 131e0c4386eSCy Schubert test => { 132e0c4386eSCy Schubert "ExpectedServerCertType" =>, "RSA", 133e0c4386eSCy Schubert "ExpectedServerSignType" =>, "RSA-PSS", 134e0c4386eSCy Schubert "ExpectedResult" => "Success" 135e0c4386eSCy Schubert }, 136e0c4386eSCy Schubert }, 137e0c4386eSCy Schubert { 138e0c4386eSCy Schubert name => "P-256 CipherString and Signature Algorithm Selection", 139e0c4386eSCy Schubert server => $server, 140e0c4386eSCy Schubert client => { 141e0c4386eSCy Schubert "CipherString" => "aECDSA", 142e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 143e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", 144e0c4386eSCy Schubert }, 145e0c4386eSCy Schubert test => { 146e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 147e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 148e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 149e0c4386eSCy Schubert "ExpectedResult" => "Success" 150e0c4386eSCy Schubert }, 151e0c4386eSCy Schubert }, 152e0c4386eSCy Schubert { 153e0c4386eSCy Schubert name => "ECDSA CipherString Selection, no ECDSA certificate", 154e0c4386eSCy Schubert server => { 155e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 156e0c4386eSCy Schubert }, 157e0c4386eSCy Schubert client => { 158e0c4386eSCy Schubert "CipherString" => "aECDSA", 159e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 160e0c4386eSCy Schubert }, 161e0c4386eSCy Schubert test => { 162e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 163e0c4386eSCy Schubert }, 164e0c4386eSCy Schubert }, 165e0c4386eSCy Schubert { 166e0c4386eSCy Schubert name => "ECDSA Signature Algorithm Selection", 167e0c4386eSCy Schubert server => $server, 168e0c4386eSCy Schubert client => { 169e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256", 170e0c4386eSCy Schubert }, 171e0c4386eSCy Schubert test => { 172e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 173e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 174e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 175e0c4386eSCy Schubert "ExpectedResult" => "Success" 176e0c4386eSCy Schubert }, 177e0c4386eSCy Schubert }, 178e0c4386eSCy Schubert { 179e0c4386eSCy Schubert name => "ECDSA Signature Algorithm Selection SHA384", 180e0c4386eSCy Schubert server => $server, 181e0c4386eSCy Schubert client => { 182e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA384", 183e0c4386eSCy Schubert }, 184e0c4386eSCy Schubert test => { 185e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 186e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA384", 187e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 188e0c4386eSCy Schubert "ExpectedResult" => "Success" 189e0c4386eSCy Schubert }, 190e0c4386eSCy Schubert }, 191e0c4386eSCy Schubert { 192e0c4386eSCy Schubert name => "ECDSA Signature Algorithm Selection compressed point", 193e0c4386eSCy Schubert server => { 194e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"), 195e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"), 196e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 197e0c4386eSCy Schubert }, 198e0c4386eSCy Schubert client => { 199e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256", 200e0c4386eSCy Schubert }, 201e0c4386eSCy Schubert test => { 202e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 203e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 204e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 205e0c4386eSCy Schubert "ExpectedResult" => "Success" 206e0c4386eSCy Schubert }, 207e0c4386eSCy Schubert }, 208e0c4386eSCy Schubert { 209e0c4386eSCy Schubert name => "ECDSA Signature Algorithm Selection, no ECDSA certificate", 210e0c4386eSCy Schubert server => { 211e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 212e0c4386eSCy Schubert }, 213e0c4386eSCy Schubert client => { 214e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256", 215e0c4386eSCy Schubert }, 216e0c4386eSCy Schubert test => { 217e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 218e0c4386eSCy Schubert }, 219e0c4386eSCy Schubert }, 220e0c4386eSCy Schubert { 221e0c4386eSCy Schubert name => "RSA Signature Algorithm Selection", 222e0c4386eSCy Schubert server => $server, 223e0c4386eSCy Schubert client => { 224e0c4386eSCy Schubert "SignatureAlgorithms" => "RSA+SHA256", 225e0c4386eSCy Schubert }, 226e0c4386eSCy Schubert test => { 227e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA", 228e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 229e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA", 230e0c4386eSCy Schubert "ExpectedResult" => "Success" 231e0c4386eSCy Schubert }, 232e0c4386eSCy Schubert }, 233e0c4386eSCy Schubert { 234e0c4386eSCy Schubert name => "RSA-PSS Signature Algorithm Selection", 235e0c4386eSCy Schubert server => $server, 236e0c4386eSCy Schubert client => { 237e0c4386eSCy Schubert "SignatureAlgorithms" => "RSA-PSS+SHA256", 238e0c4386eSCy Schubert }, 239e0c4386eSCy Schubert test => { 240e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA", 241e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 242e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 243e0c4386eSCy Schubert "ExpectedResult" => "Success" 244e0c4386eSCy Schubert }, 245e0c4386eSCy Schubert }, 246e0c4386eSCy Schubert { 247e0c4386eSCy Schubert name => "RSA key exchange with all RSA certificate types", 248e0c4386eSCy Schubert server => $server_rsa_all, 249e0c4386eSCy Schubert client => { 250e0c4386eSCy Schubert "CipherString" => "kRSA", 251e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 252e0c4386eSCy Schubert }, 253e0c4386eSCy Schubert test => { 254e0c4386eSCy Schubert "ExpectedServerCertType" =>, "RSA", 255e0c4386eSCy Schubert "ExpectedResult" => "Success" 256e0c4386eSCy Schubert }, 257e0c4386eSCy Schubert }, 258e0c4386eSCy Schubert { 259e0c4386eSCy Schubert name => "Suite B P-256 Hash Algorithm Selection", 260e0c4386eSCy Schubert server => { 261e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("p256-server-cert.pem"), 262e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"), 263e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 264e0c4386eSCy Schubert "CipherString" => "SUITEB128" 265e0c4386eSCy Schubert }, 266e0c4386eSCy Schubert client => { 267e0c4386eSCy Schubert "VerifyCAFile" => test_pem("p384-root.pem"), 268e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256" 269e0c4386eSCy Schubert }, 270e0c4386eSCy Schubert test => { 271e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 272e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 273e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 274e0c4386eSCy Schubert "ExpectedResult" => "Success" 275e0c4386eSCy Schubert }, 276e0c4386eSCy Schubert }, 277e0c4386eSCy Schubert { 278e0c4386eSCy Schubert name => "Suite B P-384 Hash Algorithm Selection", 279e0c4386eSCy Schubert server => { 280e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("p384-server-cert.pem"), 281e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"), 282e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 283e0c4386eSCy Schubert "CipherString" => "SUITEB128" 284e0c4386eSCy Schubert }, 285e0c4386eSCy Schubert client => { 286e0c4386eSCy Schubert "VerifyCAFile" => test_pem("p384-root.pem"), 287e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384" 288e0c4386eSCy Schubert }, 289e0c4386eSCy Schubert test => { 290e0c4386eSCy Schubert "ExpectedServerCertType" => "P-384", 291e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA384", 292e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 293e0c4386eSCy Schubert "ExpectedResult" => "Success" 294e0c4386eSCy Schubert }, 295e0c4386eSCy Schubert }, 296e0c4386eSCy Schubert { 297e0c4386eSCy Schubert name => "Ed25519 CipherString and Signature Algorithm Selection", 298e0c4386eSCy Schubert server => $server, 299e0c4386eSCy Schubert client => { 300e0c4386eSCy Schubert "CipherString" => "aECDSA", 301e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 302e0c4386eSCy Schubert "SignatureAlgorithms" => "ed25519:ECDSA+SHA256", 303e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 304e0c4386eSCy Schubert }, 305e0c4386eSCy Schubert test => { 306e0c4386eSCy Schubert "ExpectedServerCertType" =>, "Ed25519", 307e0c4386eSCy Schubert "ExpectedServerSignType" =>, "Ed25519", 308e0c4386eSCy Schubert # Note: certificate_authorities not sent for TLS < 1.3 309e0c4386eSCy Schubert "ExpectedServerCANames" =>, "empty", 310e0c4386eSCy Schubert "ExpectedResult" => "Success" 311e0c4386eSCy Schubert }, 312e0c4386eSCy Schubert }, 313e0c4386eSCy Schubert { 314e0c4386eSCy Schubert name => "Ed448 CipherString and Signature Algorithm Selection", 315e0c4386eSCy Schubert server => $server, 316e0c4386eSCy Schubert client => { 317e0c4386eSCy Schubert "CipherString" => "aECDSA", 318e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 319e0c4386eSCy Schubert "SignatureAlgorithms" => "ed448:ECDSA+SHA256", 320e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-ed448-cert.pem"), 321e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-ed448-cert.pem"), 322e0c4386eSCy Schubert }, 323e0c4386eSCy Schubert test => { 324e0c4386eSCy Schubert "ExpectedServerCertType" =>, "Ed448", 325e0c4386eSCy Schubert "ExpectedServerSignType" =>, "Ed448", 326e0c4386eSCy Schubert # Note: certificate_authorities not sent for TLS < 1.3 327e0c4386eSCy Schubert "ExpectedServerCANames" =>, "empty", 328e0c4386eSCy Schubert "ExpectedResult" => "Success" 329e0c4386eSCy Schubert }, 330e0c4386eSCy Schubert }, 331e0c4386eSCy Schubert { 332e0c4386eSCy Schubert name => "TLS 1.2 Ed25519 Client Auth", 333e0c4386eSCy Schubert server => { 334e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 335e0c4386eSCy Schubert "VerifyMode" => "Require" 336e0c4386eSCy Schubert }, 337e0c4386eSCy Schubert client => { 338e0c4386eSCy Schubert "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"), 339e0c4386eSCy Schubert "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"), 340e0c4386eSCy Schubert "MinProtocol" => "TLSv1.2", 341e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 342e0c4386eSCy Schubert }, 343e0c4386eSCy Schubert test => { 344e0c4386eSCy Schubert "ExpectedClientCertType" => "Ed25519", 345e0c4386eSCy Schubert "ExpectedClientSignType" => "Ed25519", 346e0c4386eSCy Schubert "ExpectedResult" => "Success" 347e0c4386eSCy Schubert }, 348e0c4386eSCy Schubert }, 349e0c4386eSCy Schubert { 350e0c4386eSCy Schubert name => "TLS 1.2 Ed448 Client Auth", 351e0c4386eSCy Schubert server => { 352e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 353e0c4386eSCy Schubert "VerifyMode" => "Require" 354e0c4386eSCy Schubert }, 355e0c4386eSCy Schubert client => { 356e0c4386eSCy Schubert "Ed448.Certificate" => test_pem("client-ed448-cert.pem"), 357e0c4386eSCy Schubert "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"), 358e0c4386eSCy Schubert "MinProtocol" => "TLSv1.2", 359e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 360e0c4386eSCy Schubert }, 361e0c4386eSCy Schubert test => { 362e0c4386eSCy Schubert "ExpectedClientCertType" => "Ed448", 363e0c4386eSCy Schubert "ExpectedClientSignType" => "Ed448", 364e0c4386eSCy Schubert "ExpectedResult" => "Success" 365e0c4386eSCy Schubert }, 366e0c4386eSCy Schubert }, 367e0c4386eSCy Schubert); 368e0c4386eSCy Schubert 369e0c4386eSCy Schubertmy @tests_non_fips = ( 370e0c4386eSCy Schubert { 371e0c4386eSCy Schubert name => "ECDSA Signature Algorithm Selection SHA1", 372e0c4386eSCy Schubert server => { 373e0c4386eSCy Schubert "CipherString" => "DEFAULT:\@SECLEVEL=0", 374e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 375e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 376e0c4386eSCy Schubert "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), 377e0c4386eSCy Schubert "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), 378e0c4386eSCy Schubert "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), 379e0c4386eSCy Schubert "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), 380e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2" 381e0c4386eSCy Schubert }, 382e0c4386eSCy Schubert client => { 383e0c4386eSCy Schubert "CipherString" => "DEFAULT:\@SECLEVEL=0", 384e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA1", 385e0c4386eSCy Schubert }, 386e0c4386eSCy Schubert test => { 387e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 388e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA1", 389e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 390e0c4386eSCy Schubert "ExpectedResult" => "Success" 391e0c4386eSCy Schubert }, 392e0c4386eSCy Schubert }, 393e0c4386eSCy Schubert { 394e0c4386eSCy Schubert name => "ECDSA with brainpool", 395e0c4386eSCy Schubert server => { 396e0c4386eSCy Schubert "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), 397e0c4386eSCy Schubert "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), 398e0c4386eSCy Schubert "Groups" => "brainpoolP256r1", 399e0c4386eSCy Schubert }, 400e0c4386eSCy Schubert client => { 401e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 402e0c4386eSCy Schubert "CipherString" => "aECDSA", 403e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 404e0c4386eSCy Schubert "Groups" => "brainpoolP256r1", 405e0c4386eSCy Schubert }, 406e0c4386eSCy Schubert test => { 407e0c4386eSCy Schubert "ExpectedServerCertType" =>, "brainpoolP256r1", 408e0c4386eSCy Schubert "ExpectedServerSignType" =>, "EC", 409e0c4386eSCy Schubert # Note: certificate_authorities not sent for TLS < 1.3 410e0c4386eSCy Schubert "ExpectedServerCANames" =>, "empty", 411e0c4386eSCy Schubert "ExpectedResult" => "Success" 412e0c4386eSCy Schubert }, 413e0c4386eSCy Schubert }, 414*44096ebdSEnji Cooper { 415*44096ebdSEnji Cooper name => "Ed25519 CipherString and Curves Selection", 416*44096ebdSEnji Cooper server => $server, 417*44096ebdSEnji Cooper client => { 418*44096ebdSEnji Cooper "CipherString" => "aECDSA", 419*44096ebdSEnji Cooper "MaxProtocol" => "TLSv1.2", 420*44096ebdSEnji Cooper "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", 421*44096ebdSEnji Cooper # Excluding P-256 from the supported curves list means server 422*44096ebdSEnji Cooper # certificate should be Ed25519 and not P-256 423*44096ebdSEnji Cooper "Curves" => "X25519" 424*44096ebdSEnji Cooper }, 425*44096ebdSEnji Cooper test => { 426*44096ebdSEnji Cooper "ExpectedServerCertType" =>, "Ed25519", 427*44096ebdSEnji Cooper "ExpectedServerSignType" =>, "Ed25519", 428*44096ebdSEnji Cooper "ExpectedResult" => "Success" 429*44096ebdSEnji Cooper }, 430*44096ebdSEnji Cooper }, 431*44096ebdSEnji Cooper { 432*44096ebdSEnji Cooper name => "Ed448 CipherString and Curves Selection", 433*44096ebdSEnji Cooper server => $server, 434*44096ebdSEnji Cooper client => { 435*44096ebdSEnji Cooper "CipherString" => "aECDSA", 436*44096ebdSEnji Cooper "MaxProtocol" => "TLSv1.2", 437*44096ebdSEnji Cooper "SignatureAlgorithms" => "ECDSA+SHA256:ed448", 438*44096ebdSEnji Cooper "VerifyCAFile" => test_pem("root-ed448-cert.pem"), 439*44096ebdSEnji Cooper # Excluding P-256 from the supported curves list means server 440*44096ebdSEnji Cooper # certificate should be Ed25519 and not P-256 441*44096ebdSEnji Cooper "Curves" => "X448" 442*44096ebdSEnji Cooper }, 443*44096ebdSEnji Cooper test => { 444*44096ebdSEnji Cooper "ExpectedServerCertType" =>, "Ed448", 445*44096ebdSEnji Cooper "ExpectedServerSignType" =>, "Ed448", 446*44096ebdSEnji Cooper "ExpectedResult" => "Success" 447*44096ebdSEnji Cooper }, 448*44096ebdSEnji Cooper }, 449e0c4386eSCy Schubert); 450e0c4386eSCy Schubert 451e0c4386eSCy Schubertmy @tests_pss = ( 452e0c4386eSCy Schubert { 453e0c4386eSCy Schubert name => "RSA-PSS Certificate CipherString Selection", 454e0c4386eSCy Schubert server => $server_pss, 455e0c4386eSCy Schubert client => { 456e0c4386eSCy Schubert "CipherString" => "aRSA", 457e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 458e0c4386eSCy Schubert }, 459e0c4386eSCy Schubert test => { 460e0c4386eSCy Schubert "ExpectedServerCertType" =>, "RSA-PSS", 461e0c4386eSCy Schubert "ExpectedServerSignType" =>, "RSA-PSS", 462e0c4386eSCy Schubert "ExpectedResult" => "Success" 463e0c4386eSCy Schubert }, 464e0c4386eSCy Schubert }, 465e0c4386eSCy Schubert { 466e0c4386eSCy Schubert name => "RSA-PSS Certificate Legacy Signature Algorithm Selection", 467e0c4386eSCy Schubert server => $server_pss, 468e0c4386eSCy Schubert client => { 469e0c4386eSCy Schubert "SignatureAlgorithms" => "RSA-PSS+SHA256", 470e0c4386eSCy Schubert }, 471e0c4386eSCy Schubert test => { 472e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA", 473e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 474e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 475e0c4386eSCy Schubert "ExpectedResult" => "Success" 476e0c4386eSCy Schubert }, 477e0c4386eSCy Schubert }, 478e0c4386eSCy Schubert { 479e0c4386eSCy Schubert name => "RSA-PSS Certificate Unified Signature Algorithm Selection", 480e0c4386eSCy Schubert server => $server_pss, 481e0c4386eSCy Schubert client => { 482e0c4386eSCy Schubert "SignatureAlgorithms" => "rsa_pss_pss_sha256", 483e0c4386eSCy Schubert }, 484e0c4386eSCy Schubert test => { 485e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA-PSS", 486e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 487e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 488e0c4386eSCy Schubert "ExpectedResult" => "Success" 489e0c4386eSCy Schubert }, 490e0c4386eSCy Schubert }, 491e0c4386eSCy Schubert { 492e0c4386eSCy Schubert name => "Only RSA-PSS Certificate", 493e0c4386eSCy Schubert server => $server_pss_only, 494e0c4386eSCy Schubert client => {}, 495e0c4386eSCy Schubert test => { 496e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA-PSS", 497e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 498e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 499e0c4386eSCy Schubert "ExpectedResult" => "Success" 500e0c4386eSCy Schubert }, 501e0c4386eSCy Schubert }, 502e0c4386eSCy Schubert { 503e0c4386eSCy Schubert name => "Only RSA-PSS Certificate Valid Signature Algorithms", 504e0c4386eSCy Schubert server => $server_pss_only, 505e0c4386eSCy Schubert client => { 506e0c4386eSCy Schubert "SignatureAlgorithms" => "rsa_pss_pss_sha512", 507e0c4386eSCy Schubert }, 508e0c4386eSCy Schubert test => { 509e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA-PSS", 510e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA512", 511e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 512e0c4386eSCy Schubert "ExpectedResult" => "Success" 513e0c4386eSCy Schubert }, 514e0c4386eSCy Schubert }, 515e0c4386eSCy Schubert { 516e0c4386eSCy Schubert name => "RSA-PSS Certificate, no PSS signature algorithms", 517e0c4386eSCy Schubert server => $server_pss_only, 518e0c4386eSCy Schubert client => { 519e0c4386eSCy Schubert "SignatureAlgorithms" => "RSA+SHA256", 520e0c4386eSCy Schubert }, 521e0c4386eSCy Schubert test => { 522e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 523e0c4386eSCy Schubert }, 524e0c4386eSCy Schubert }, 525e0c4386eSCy Schubert { 526e0c4386eSCy Schubert name => "Only RSA-PSS Restricted Certificate", 527e0c4386eSCy Schubert server => $server_pss_restrict_only, 528e0c4386eSCy Schubert client => {}, 529e0c4386eSCy Schubert test => { 530e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA-PSS", 531e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 532e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 533e0c4386eSCy Schubert "ExpectedResult" => "Success" 534e0c4386eSCy Schubert }, 535e0c4386eSCy Schubert }, 536e0c4386eSCy Schubert { 537e0c4386eSCy Schubert name => "RSA-PSS Restricted Certificate Valid Signature Algorithms", 538e0c4386eSCy Schubert server => $server_pss_restrict_only, 539e0c4386eSCy Schubert client => { 540e0c4386eSCy Schubert "SignatureAlgorithms" => "rsa_pss_pss_sha256:rsa_pss_pss_sha512", 541e0c4386eSCy Schubert }, 542e0c4386eSCy Schubert test => { 543e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA-PSS", 544e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 545e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 546e0c4386eSCy Schubert "ExpectedResult" => "Success" 547e0c4386eSCy Schubert }, 548e0c4386eSCy Schubert }, 549e0c4386eSCy Schubert { 550e0c4386eSCy Schubert name => "RSA-PSS Restricted Cert client prefers invalid Signature Algorithm", 551e0c4386eSCy Schubert server => $server_pss_restrict_only, 552e0c4386eSCy Schubert client => { 553e0c4386eSCy Schubert "SignatureAlgorithms" => "rsa_pss_pss_sha512:rsa_pss_pss_sha256", 554e0c4386eSCy Schubert }, 555e0c4386eSCy Schubert test => { 556e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA-PSS", 557e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 558e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 559e0c4386eSCy Schubert "ExpectedResult" => "Success" 560e0c4386eSCy Schubert }, 561e0c4386eSCy Schubert }, 562e0c4386eSCy Schubert { 563e0c4386eSCy Schubert name => "RSA-PSS Restricted Certificate Invalid Signature Algorithms", 564e0c4386eSCy Schubert server => $server_pss_restrict_only, 565e0c4386eSCy Schubert client => { 566e0c4386eSCy Schubert "SignatureAlgorithms" => "rsa_pss_pss_sha512", 567e0c4386eSCy Schubert }, 568e0c4386eSCy Schubert test => { 569e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 570e0c4386eSCy Schubert }, 571e0c4386eSCy Schubert }, 572e0c4386eSCy Schubert { 573e0c4386eSCy Schubert name => "RSA key exchange with only RSA-PSS certificate", 574e0c4386eSCy Schubert server => $server_pss_only, 575e0c4386eSCy Schubert client => { 576e0c4386eSCy Schubert "CipherString" => "kRSA", 577e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 578e0c4386eSCy Schubert }, 579e0c4386eSCy Schubert test => { 580e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 581e0c4386eSCy Schubert }, 582e0c4386eSCy Schubert }, 583e0c4386eSCy Schubert); 584e0c4386eSCy Schubert 585e0c4386eSCy Schubertmy @tests_tls_1_1 = ( 586e0c4386eSCy Schubert { 587e0c4386eSCy Schubert name => "Only RSA-PSS Certificate, TLS v1.1", 588e0c4386eSCy Schubert server => $server_pss_only, 589e0c4386eSCy Schubert client => { 590e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.1", 591e0c4386eSCy Schubert }, 592e0c4386eSCy Schubert test => { 593e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 594e0c4386eSCy Schubert }, 595e0c4386eSCy Schubert }, 596e0c4386eSCy Schubert); 597e0c4386eSCy Schubert 598e0c4386eSCy Schubertpush @tests, @tests_non_fips unless $fips_mode; 599e0c4386eSCy Schubertpush @tests, @tests_pss; 600e0c4386eSCy Schubertpush @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx; 601e0c4386eSCy Schubert 602e0c4386eSCy Schubertmy $server_tls_1_3; 603e0c4386eSCy Schubert 604e0c4386eSCy Schubertif ($fips_mode) { 605e0c4386eSCy Schubert $server_tls_1_3 = { 606e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 607e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 608e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 609e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 610e0c4386eSCy Schubert }; 611e0c4386eSCy Schubert} else { 612e0c4386eSCy Schubert $server_tls_1_3 = { 613e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 614e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 615e0c4386eSCy Schubert "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), 616e0c4386eSCy Schubert "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), 617e0c4386eSCy Schubert "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), 618e0c4386eSCy Schubert "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), 619e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 620e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 621e0c4386eSCy Schubert }; 622e0c4386eSCy Schubert} 623e0c4386eSCy Schubert 624e0c4386eSCy Schubertmy $client_tls_1_3 = { 625e0c4386eSCy Schubert "RSA.Certificate" => test_pem("ee-client-chain.pem"), 626e0c4386eSCy Schubert "RSA.PrivateKey" => test_pem("ee-key.pem"), 627e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"), 628e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"), 629e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 630e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 631e0c4386eSCy Schubert}; 632e0c4386eSCy Schubert 633e0c4386eSCy Schubertmy @tests_tls_1_3 = ( 634e0c4386eSCy Schubert { 635e0c4386eSCy Schubert name => "TLS 1.3 ECDSA Signature Algorithm Selection", 636e0c4386eSCy Schubert server => $server_tls_1_3, 637e0c4386eSCy Schubert client => { 638e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256", 639e0c4386eSCy Schubert }, 640e0c4386eSCy Schubert test => { 641e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 642e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 643e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 644e0c4386eSCy Schubert "ExpectedServerCANames" => "empty", 645e0c4386eSCy Schubert "ExpectedResult" => "Success" 646e0c4386eSCy Schubert }, 647e0c4386eSCy Schubert }, 648e0c4386eSCy Schubert { 649e0c4386eSCy Schubert name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point", 650e0c4386eSCy Schubert server => { 651e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"), 652e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"), 653e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 654e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 655e0c4386eSCy Schubert }, 656e0c4386eSCy Schubert client => { 657e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256", 658e0c4386eSCy Schubert }, 659e0c4386eSCy Schubert test => { 660e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 661e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 662e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 663e0c4386eSCy Schubert "ExpectedServerCANames" => "empty", 664e0c4386eSCy Schubert "ExpectedResult" => "Success" 665e0c4386eSCy Schubert }, 666e0c4386eSCy Schubert }, 667e0c4386eSCy Schubert { 668e0c4386eSCy Schubert name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1", 669e0c4386eSCy Schubert server => { 670e0c4386eSCy Schubert "CipherString" => "DEFAULT:\@SECLEVEL=0", 671e0c4386eSCy Schubert "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), 672e0c4386eSCy Schubert "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), 673e0c4386eSCy Schubert "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), 674e0c4386eSCy Schubert "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), 675e0c4386eSCy Schubert "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), 676e0c4386eSCy Schubert "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), 677e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 678e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 679e0c4386eSCy Schubert }, 680e0c4386eSCy Schubert client => { 681e0c4386eSCy Schubert "CipherString" => "DEFAULT:\@SECLEVEL=0", 682e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA1", 683e0c4386eSCy Schubert }, 684e0c4386eSCy Schubert test => { 685e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 686e0c4386eSCy Schubert }, 687e0c4386eSCy Schubert }, 688e0c4386eSCy Schubert { 689e0c4386eSCy Schubert name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS", 690e0c4386eSCy Schubert server => $server_tls_1_3, 691e0c4386eSCy Schubert client => { 692e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256:RSA-PSS+SHA256", 693e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 694e0c4386eSCy Schubert }, 695e0c4386eSCy Schubert test => { 696e0c4386eSCy Schubert "ExpectedServerCertType" => "P-256", 697e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 698e0c4386eSCy Schubert "ExpectedServerSignType" => "EC", 699e0c4386eSCy Schubert "ExpectedServerCANames" => test_pem("root-cert.pem"), 700e0c4386eSCy Schubert "ExpectedResult" => "Success" 701e0c4386eSCy Schubert }, 702e0c4386eSCy Schubert }, 703e0c4386eSCy Schubert { 704e0c4386eSCy Schubert name => "TLS 1.3 RSA Signature Algorithm Selection SHA384 with PSS", 705e0c4386eSCy Schubert server => $server_tls_1_3, 706e0c4386eSCy Schubert client => { 707e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA384:RSA-PSS+SHA384", 708e0c4386eSCy Schubert }, 709e0c4386eSCy Schubert test => { 710e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA", 711e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA384", 712e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 713e0c4386eSCy Schubert "ExpectedResult" => "Success" 714e0c4386eSCy Schubert }, 715e0c4386eSCy Schubert }, 716e0c4386eSCy Schubert { 717e0c4386eSCy Schubert name => "TLS 1.3 ECDSA Signature Algorithm Selection, no ECDSA certificate", 718e0c4386eSCy Schubert server => { 719e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 720e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 721e0c4386eSCy Schubert }, 722e0c4386eSCy Schubert client => { 723e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256", 724e0c4386eSCy Schubert }, 725e0c4386eSCy Schubert test => { 726e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 727e0c4386eSCy Schubert }, 728e0c4386eSCy Schubert }, 729e0c4386eSCy Schubert { 730e0c4386eSCy Schubert name => "TLS 1.3 RSA Signature Algorithm Selection, no PSS", 731e0c4386eSCy Schubert server => $server_tls_1_3, 732e0c4386eSCy Schubert client => { 733e0c4386eSCy Schubert "SignatureAlgorithms" => "RSA+SHA256", 734e0c4386eSCy Schubert }, 735e0c4386eSCy Schubert test => { 736e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 737e0c4386eSCy Schubert }, 738e0c4386eSCy Schubert }, 739e0c4386eSCy Schubert { 740e0c4386eSCy Schubert name => "TLS 1.3 RSA-PSS Signature Algorithm Selection", 741e0c4386eSCy Schubert server => $server_tls_1_3, 742e0c4386eSCy Schubert client => { 743e0c4386eSCy Schubert "SignatureAlgorithms" => "RSA-PSS+SHA256", 744e0c4386eSCy Schubert }, 745e0c4386eSCy Schubert test => { 746e0c4386eSCy Schubert "ExpectedServerCertType" => "RSA", 747e0c4386eSCy Schubert "ExpectedServerSignHash" => "SHA256", 748e0c4386eSCy Schubert "ExpectedServerSignType" => "RSA-PSS", 749e0c4386eSCy Schubert "ExpectedResult" => "Success" 750e0c4386eSCy Schubert }, 751e0c4386eSCy Schubert }, 752e0c4386eSCy Schubert { 753e0c4386eSCy Schubert name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection", 754e0c4386eSCy Schubert server => { 755e0c4386eSCy Schubert "ClientSignatureAlgorithms" => "PSS+SHA256", 756e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 757e0c4386eSCy Schubert "VerifyMode" => "Require" 758e0c4386eSCy Schubert }, 759e0c4386eSCy Schubert client => $client_tls_1_3, 760e0c4386eSCy Schubert test => { 761e0c4386eSCy Schubert "ExpectedClientCertType" => "RSA", 762e0c4386eSCy Schubert "ExpectedClientSignHash" => "SHA256", 763e0c4386eSCy Schubert "ExpectedClientSignType" => "RSA-PSS", 764e0c4386eSCy Schubert "ExpectedClientCANames" => "empty", 765e0c4386eSCy Schubert "ExpectedResult" => "Success" 766e0c4386eSCy Schubert }, 767e0c4386eSCy Schubert }, 768e0c4386eSCy Schubert { 769e0c4386eSCy Schubert name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names", 770e0c4386eSCy Schubert server => { 771e0c4386eSCy Schubert "ClientSignatureAlgorithms" => "PSS+SHA256", 772e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 773e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 774e0c4386eSCy Schubert "VerifyMode" => "Require" 775e0c4386eSCy Schubert }, 776e0c4386eSCy Schubert client => $client_tls_1_3, 777e0c4386eSCy Schubert test => { 778e0c4386eSCy Schubert "ExpectedClientCertType" => "RSA", 779e0c4386eSCy Schubert "ExpectedClientSignHash" => "SHA256", 780e0c4386eSCy Schubert "ExpectedClientSignType" => "RSA-PSS", 781e0c4386eSCy Schubert "ExpectedClientCANames" => test_pem("root-cert.pem"), 782e0c4386eSCy Schubert "ExpectedResult" => "Success" 783e0c4386eSCy Schubert }, 784e0c4386eSCy Schubert }, 785e0c4386eSCy Schubert { 786e0c4386eSCy Schubert name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection", 787e0c4386eSCy Schubert server => { 788e0c4386eSCy Schubert "ClientSignatureAlgorithms" => "ECDSA+SHA256", 789e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 790e0c4386eSCy Schubert "VerifyMode" => "Require" 791e0c4386eSCy Schubert }, 792e0c4386eSCy Schubert client => $client_tls_1_3, 793e0c4386eSCy Schubert test => { 794e0c4386eSCy Schubert "ExpectedClientCertType" => "P-256", 795e0c4386eSCy Schubert "ExpectedClientSignHash" => "SHA256", 796e0c4386eSCy Schubert "ExpectedClientSignType" => "EC", 797e0c4386eSCy Schubert "ExpectedResult" => "Success" 798e0c4386eSCy Schubert }, 799e0c4386eSCy Schubert }, 800e0c4386eSCy Schubert); 801e0c4386eSCy Schubert 802e0c4386eSCy Schubertmy @tests_tls_1_3_non_fips = ( 803e0c4386eSCy Schubert { 804e0c4386eSCy Schubert name => "TLS 1.3 Ed25519 Signature Algorithm Selection", 805e0c4386eSCy Schubert server => $server_tls_1_3, 806e0c4386eSCy Schubert client => { 807e0c4386eSCy Schubert "SignatureAlgorithms" => "ed25519", 808e0c4386eSCy Schubert }, 809e0c4386eSCy Schubert test => { 810e0c4386eSCy Schubert "ExpectedServerCertType" => "Ed25519", 811e0c4386eSCy Schubert "ExpectedServerSignType" => "Ed25519", 812e0c4386eSCy Schubert "ExpectedResult" => "Success" 813e0c4386eSCy Schubert }, 814e0c4386eSCy Schubert }, 815e0c4386eSCy Schubert { 816e0c4386eSCy Schubert name => "TLS 1.3 Ed448 Signature Algorithm Selection", 817e0c4386eSCy Schubert server => $server_tls_1_3, 818e0c4386eSCy Schubert client => { 819e0c4386eSCy Schubert "SignatureAlgorithms" => "ed448", 820e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-ed448-cert.pem"), 821e0c4386eSCy Schubert }, 822e0c4386eSCy Schubert test => { 823e0c4386eSCy Schubert "ExpectedServerCertType" => "Ed448", 824e0c4386eSCy Schubert "ExpectedServerSignType" => "Ed448", 825e0c4386eSCy Schubert "ExpectedResult" => "Success" 826e0c4386eSCy Schubert }, 827e0c4386eSCy Schubert }, 828e0c4386eSCy Schubert { 829e0c4386eSCy Schubert name => "TLS 1.3 Ed25519 CipherString and Groups Selection", 830e0c4386eSCy Schubert server => $server_tls_1_3, 831e0c4386eSCy Schubert client => { 832e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256:ed25519", 833e0c4386eSCy Schubert # Excluding P-256 from the supported groups list should 834e0c4386eSCy Schubert # mean server still uses a P-256 certificate because supported 835e0c4386eSCy Schubert # groups is not used in signature selection for TLS 1.3 836e0c4386eSCy Schubert "Groups" => "X25519" 837e0c4386eSCy Schubert }, 838e0c4386eSCy Schubert test => { 839e0c4386eSCy Schubert "ExpectedServerCertType" =>, "P-256", 840e0c4386eSCy Schubert "ExpectedServerSignType" =>, "EC", 841e0c4386eSCy Schubert "ExpectedResult" => "Success" 842e0c4386eSCy Schubert }, 843e0c4386eSCy Schubert }, 844e0c4386eSCy Schubert { 845e0c4386eSCy Schubert name => "TLS 1.3 Ed448 CipherString and Groups Selection", 846e0c4386eSCy Schubert server => $server_tls_1_3, 847e0c4386eSCy Schubert client => { 848e0c4386eSCy Schubert "SignatureAlgorithms" => "ECDSA+SHA256:ed448", 849e0c4386eSCy Schubert # Excluding P-256 from the supported groups list should 850e0c4386eSCy Schubert # mean server still uses a P-256 certificate because supported 851e0c4386eSCy Schubert # groups is not used in signature selection for TLS 1.3 852e0c4386eSCy Schubert "Groups" => "X448" 853e0c4386eSCy Schubert }, 854e0c4386eSCy Schubert test => { 855e0c4386eSCy Schubert "ExpectedServerCertType" =>, "P-256", 856e0c4386eSCy Schubert "ExpectedServerSignType" =>, "EC", 857e0c4386eSCy Schubert "ExpectedResult" => "Success" 858e0c4386eSCy Schubert }, 859e0c4386eSCy Schubert }, 860e0c4386eSCy Schubert { 861e0c4386eSCy Schubert name => "TLS 1.3 Ed25519 Client Auth", 862e0c4386eSCy Schubert server => { 863e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 864e0c4386eSCy Schubert "VerifyMode" => "Require" 865e0c4386eSCy Schubert }, 866e0c4386eSCy Schubert client => { 867e0c4386eSCy Schubert "EdDSA.Certificate" => test_pem("client-ed25519-cert.pem"), 868e0c4386eSCy Schubert "EdDSA.PrivateKey" => test_pem("client-ed25519-key.pem"), 869e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 870e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 871e0c4386eSCy Schubert }, 872e0c4386eSCy Schubert test => { 873e0c4386eSCy Schubert "ExpectedClientCertType" => "Ed25519", 874e0c4386eSCy Schubert "ExpectedClientSignType" => "Ed25519", 875e0c4386eSCy Schubert "ExpectedResult" => "Success" 876e0c4386eSCy Schubert }, 877e0c4386eSCy Schubert }, 878e0c4386eSCy Schubert { 879e0c4386eSCy Schubert name => "TLS 1.3 Ed448 Client Auth", 880e0c4386eSCy Schubert server => { 881e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 882e0c4386eSCy Schubert "VerifyMode" => "Require" 883e0c4386eSCy Schubert }, 884e0c4386eSCy Schubert client => { 885e0c4386eSCy Schubert "EdDSA.Certificate" => test_pem("client-ed448-cert.pem"), 886e0c4386eSCy Schubert "EdDSA.PrivateKey" => test_pem("client-ed448-key.pem"), 887e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 888e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 889e0c4386eSCy Schubert }, 890e0c4386eSCy Schubert test => { 891e0c4386eSCy Schubert "ExpectedClientCertType" => "Ed448", 892e0c4386eSCy Schubert "ExpectedClientSignType" => "Ed448", 893e0c4386eSCy Schubert "ExpectedResult" => "Success" 894e0c4386eSCy Schubert }, 895e0c4386eSCy Schubert }, 896e0c4386eSCy Schubert { 897e0c4386eSCy Schubert name => "TLS 1.3 ECDSA with brainpool but no suitable groups", 898e0c4386eSCy Schubert server => { 899e0c4386eSCy Schubert "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), 900e0c4386eSCy Schubert "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), 901e0c4386eSCy Schubert "Groups" => "brainpoolP256r1", 902e0c4386eSCy Schubert }, 903e0c4386eSCy Schubert client => { 904e0c4386eSCy Schubert "CipherString" => "aECDSA", 905e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 906e0c4386eSCy Schubert "Groups" => "brainpoolP256r1", 907e0c4386eSCy Schubert }, 908e0c4386eSCy Schubert test => { 909e0c4386eSCy Schubert #We only configured brainpoolP256r1 on the client side, but TLSv1.3 910e0c4386eSCy Schubert #is enabled and this group is not allowed in TLSv1.3. Therefore this 911e0c4386eSCy Schubert #should fail 912e0c4386eSCy Schubert "ExpectedResult" => "ClientFail" 913e0c4386eSCy Schubert }, 914e0c4386eSCy Schubert }, 915e0c4386eSCy Schubert { 916e0c4386eSCy Schubert name => "TLS 1.3 ECDSA with brainpool", 917e0c4386eSCy Schubert server => { 918e0c4386eSCy Schubert "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), 919e0c4386eSCy Schubert "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), 920e0c4386eSCy Schubert }, 921e0c4386eSCy Schubert client => { 922e0c4386eSCy Schubert "RequestCAFile" => test_pem("root-cert.pem"), 923e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 924e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3" 925e0c4386eSCy Schubert }, 926e0c4386eSCy Schubert test => { 927e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 928e0c4386eSCy Schubert }, 929e0c4386eSCy Schubert }, 930e0c4386eSCy Schubert); 931e0c4386eSCy Schubert 932e0c4386eSCy Schubertpush @tests, @tests_tls_1_3 unless disabled("tls1_3"); 933e0c4386eSCy Schubertpush @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode; 934e0c4386eSCy Schubert 935e0c4386eSCy Schubertmy @tests_dsa_tls_1_2 = ( 936e0c4386eSCy Schubert { 937e0c4386eSCy Schubert name => "TLS 1.2 DSA Certificate Test", 938e0c4386eSCy Schubert server => { 939e0c4386eSCy Schubert "DSA.Certificate" => test_pem("server-dsa-cert.pem"), 940e0c4386eSCy Schubert "DSA.PrivateKey" => test_pem("server-dsa-key.pem"), 941e0c4386eSCy Schubert "DHParameters" => test_pem("dhp2048.pem"), 942e0c4386eSCy Schubert "MinProtocol" => "TLSv1.2", 943e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.2", 944e0c4386eSCy Schubert "CipherString" => "ALL", 945e0c4386eSCy Schubert }, 946e0c4386eSCy Schubert client => { 947e0c4386eSCy Schubert "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1", 948e0c4386eSCy Schubert "CipherString" => "ALL", 949e0c4386eSCy Schubert }, 950e0c4386eSCy Schubert test => { 951e0c4386eSCy Schubert "ExpectedResult" => "Success" 952e0c4386eSCy Schubert }, 953e0c4386eSCy Schubert }, 954e0c4386eSCy Schubert); 955e0c4386eSCy Schubert 956e0c4386eSCy Schubertmy @tests_dsa_tls_1_3 = ( 957e0c4386eSCy Schubert { 958e0c4386eSCy Schubert name => "TLS 1.3 Client Auth No TLS 1.3 Signature Algorithms", 959e0c4386eSCy Schubert server => { 960e0c4386eSCy Schubert "ClientSignatureAlgorithms" => "ECDSA+SHA1:DSA+SHA256:RSA+SHA256", 961e0c4386eSCy Schubert "VerifyCAFile" => test_pem("root-cert.pem"), 962e0c4386eSCy Schubert "VerifyMode" => "Request" 963e0c4386eSCy Schubert }, 964e0c4386eSCy Schubert client => {}, 965e0c4386eSCy Schubert test => { 966e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 967e0c4386eSCy Schubert }, 968e0c4386eSCy Schubert }, 969e0c4386eSCy Schubert { 970e0c4386eSCy Schubert name => "TLS 1.3 DSA Certificate Test", 971e0c4386eSCy Schubert server => { 972e0c4386eSCy Schubert "DSA.Certificate" => test_pem("server-dsa-cert.pem"), 973e0c4386eSCy Schubert "DSA.PrivateKey" => test_pem("server-dsa-key.pem"), 974e0c4386eSCy Schubert "MinProtocol" => "TLSv1.3", 975e0c4386eSCy Schubert "MaxProtocol" => "TLSv1.3", 976e0c4386eSCy Schubert "CipherString" => "ALL", 977e0c4386eSCy Schubert }, 978e0c4386eSCy Schubert client => { 979e0c4386eSCy Schubert "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256:ECDSA+SHA256", 980e0c4386eSCy Schubert "CipherString" => "ALL", 981e0c4386eSCy Schubert }, 982e0c4386eSCy Schubert test => { 983e0c4386eSCy Schubert "ExpectedResult" => "ServerFail" 984e0c4386eSCy Schubert }, 985e0c4386eSCy Schubert }, 986e0c4386eSCy Schubert); 987e0c4386eSCy Schubert 988e0c4386eSCy Schubertif (!disabled("dsa")) { 989e0c4386eSCy Schubert push @tests, @tests_dsa_tls_1_2 unless disabled("dh"); 990e0c4386eSCy Schubert push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3"); 991e0c4386eSCy Schubert} 992