xref: /freebsd-src/crypto/openssl/test/ssl-tests/28-seclevel.cnf.in (revision 44096ebd22ddd0081a357011714eff8963614b65)
# -*- mode: perl; -*-
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html


## SSL test configurations

# Every list below is a package global (`our`) in ssltests, so whatever
# evaluates this file can read them afterwards.
# NOTE(review): the loader itself is not part of this file -- confirm there.
package ssltests;
use OpenSSL::Test::Utils;    # provides disabled(), used when assembling @tests

# Declared but never assigned in this file; it is expected to be set by the
# code that loads the file.  It only gates the non-FIPS EC tests.
our $fips_mode;

# Baseline check, always run.  "@SECLEVEL=3" in a cipher string selects
# OpenSSL security level 3, i.e. a 128-bit-equivalent minimum for keys and
# parameters.  The server entry sets no Certificate/PrivateKey, so the
# harness default is used; the handshake must fail on the server side,
# presumably because that default key is below the level-3 minimum
# (the default key is not shown here -- verify against the harness).
our @tests = (
    {
        name   => "SECLEVEL 3 with default key",
        server => {
            "CipherString" => "DEFAULT:\@SECLEVEL=3",
        },
        client => {},
        test   => {
            "ExpectedResult" => "ServerFail",
        },
    },
);
# Ed448 boundary tests.  Ed448 is rated at roughly 224 bits of security, so
# it clears security level 4 (192 bits) but not level 5 (256 bits).  The
# three cases pin both sides of that boundary, once per peer.
our @tests_ec = (
    {
        # Both peers at level 4: the Ed448 chain is acceptable to each side.
        name   => "SECLEVEL 4 with ED448 key",
        server => {
            "CipherString" => "DEFAULT:\@SECLEVEL=4",
            "Certificate"  => test_pem("server-ed448-cert.pem"),
            "PrivateKey"   => test_pem("server-ed448-key.pem"),
        },
        client => {
            "CipherString" => "DEFAULT:\@SECLEVEL=4",
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
    {
        # The Ed448 signature algorithm will not be enabled on the server.
        # Because of the config order, the certificate is loaded first and
        # the security level is changed afterwards, so the too-weak key is
        # accepted at load time and the failure only shows up during the
        # handshake.  With s_server the order is reversed and it would
        # instead fail to load the key.
        name   => "SECLEVEL 5 server with ED448 key",
        server => {
            "CipherString" => "DEFAULT:\@SECLEVEL=5",
            "Certificate"  => test_pem("server-ed448-cert.pem"),
            "PrivateKey"   => test_pem("server-ed448-key.pem"),
        },
        client => {
            "CipherString" => "DEFAULT:\@SECLEVEL=4",
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
        },
        test => {
            "ExpectedResult" => "ServerFail",
        },
    },
    {
        # The client will not send the Ed448 signature algorithm, so the
        # server has no usable signature algorithm for its certificate.
        name   => "SECLEVEL 5 client with ED448 key",
        server => {
            "CipherString" => "DEFAULT:\@SECLEVEL=4",
            "Certificate"  => test_pem("server-ed448-cert.pem"),
            "PrivateKey"   => test_pem("server-ed448-key.pem"),
        },
        client => {
            "CipherString" => "DEFAULT:\@SECLEVEL=5",
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
        },
        test => {
            "ExpectedResult" => "ServerFail",
        },
    }
);
# EC tests that are appended to @tests_ec only when $fips_mode is false.
# The single case here restricts the server to the X25519 group; it is
# presumably kept out of FIPS runs because X25519 is not usable there
# (NOTE(review): confirm against the FIPS provider configuration).
our @tests_ec_non_fips = (
    {
        # A P-384 certificate (192-bit strength) with X25519 key exchange
        # (128-bit strength): both meet the 128-bit floor of level 3, so
        # the handshake is expected to succeed.
        name   => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
        server => {
            "CipherString" => "DEFAULT:\@SECLEVEL=3",
            "Certificate"  => test_pem("p384-server-cert.pem"),
            "PrivateKey"   => test_pem("p384-server-key.pem"),
            "Groups"       => "X25519",
        },
        client => {
            "CipherString" => "ECDHE:\@SECLEVEL=3",
            "VerifyCAFile" => test_pem("p384-root.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
);
# TLSv1.2-capped case.  The server runs at level 3 with the Ed448 chain and
# refuses anything newer than TLSv1.2; the client sets no cipher string of
# its own, only the trust anchor.  Success is expected, i.e. the level-3
# restrictions must still leave a usable TLSv1.2 handshake with Ed448.
our @tests_tls1_2 = (
    {
        name   => "SECLEVEL 3 with ED448 key, TLSv1.2",
        server => {
            "CipherString" => "DEFAULT:\@SECLEVEL=3",
            "Certificate"  => test_pem("server-ed448-cert.pem"),
            "PrivateKey"   => test_pem("server-ed448-key.pem"),
            "MaxProtocol"  => "TLSv1.2",
        },
        client => {
            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
        },
        test => {
            "ExpectedResult" => "Success",
        },
    },
);
# Assemble the final @tests list from the optional groups.  Order matters:
# the non-FIPS cases must be folded into @tests_ec before @tests_ec itself
# is appended to @tests.
if (!$fips_mode) {
    push @tests_ec, @tests_ec_non_fips;
}

# All Ed448/P-384 cases need EC support in the build.
if (!disabled("ec")) {
    push @tests, @tests_ec;
}

# The TLSv1.2 case uses an Ed448 certificate, so it needs both features.
if (!disabled("tls1_2") && !disabled("ec")) {
    push @tests, @tests_tls1_2;
}