author | Matt Caswell <matt@openssl.org> | 2020-04-07 16:22:49 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-04-20 11:25:56 +0100 |
commit | ab5a02f70726e28b3c39391aac29a4aedb080ea3 (patch) | |
tree | 368badd16c3f6ed604b3baabe8ccc18518a301f0 | |
parent | fea4e2bd36584cebb79f45680c6da0c14fde3d1e (diff) |
Teach ssl_test_new to have different tests for different loaded providers
We now run the tests twice: Once with no specific providers loaded and
just using the default libctx, and a second time with a non-default libctx
and the default provider.
In the second run we disable tests which use a PSS cert/key because we
don't yet have support for that.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11511)
-rw-r--r-- | test/generate_ssl_tests.pl | 13 | ||||
-rw-r--r-- | test/recipes/80-test_ssl_new.t | 18 | ||||
-rw-r--r-- | test/ssl-tests/20-cert-select.cnf | 728 | ||||
-rw-r--r-- | test/ssl-tests/20-cert-select.cnf.in | 239 | ||||
-rw-r--r-- | test/ssl_test.c | 16 |
5 files changed, 516 insertions, 498 deletions
diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl index 8cfc451fbb..580bfb5e70 100644 --- a/test/generate_ssl_tests.pl +++ b/test/generate_ssl_tests.pl @@ -127,17 +127,28 @@ sub print_templates { # Shamelessly copied from Configure. sub read_config { my $fname = shift; + my $provider = shift; + my $fips_mode = "0"; + my $no_deflt_libctx = "0"; + + $fips_mode = "1" if $provider eq "fips"; + $no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips"; + open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n"; local $/ = undef; my $content = <INPUT>; + $content =~ s/FIPS_MODE/$fips_mode/g; + $content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g; + close(INPUT); eval $content; warn $@ if $@; } my $input_file = shift; +my $provider = shift; # Reads the tests into ssltests::tests. -read_config($input_file); +read_config($input_file, $provider); print_templates(); 1; diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 5ee872557d..6d6fa5cae3 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t 
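Review bot: `$provider` is used unchecked in read_config. When the script is run with only the input file it is undef, so both `eq` comparisons warn under `use warnings`, and an unexpected or misspelled value silently produces the same output as "none". Because the substituted text is then handed to `eval`, it is better to fail loudly: `my $provider = shift // "none";` followed by `die "Unknown provider '$provider'\n" unless $provider =~ /\A(?:none|default|fips)\z/;`. The two substitutions also match `FIPS_MODE` and `NO_DEFLT_LIBCTX` as substrings anywhere in the template, so `s/\bFIPS_MODE\b/$fips_mode/g` (and likewise for the second) would keep them from rewriting a longer identifier.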
@@ -108,26 +108,30 @@ my %skip = ( foreach my $conf (@conf_files) { subtest "Test configuration $conf" => sub { + plan tests => 6; test_conf($conf, $conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1, - defined($skip{$conf}) ? $skip{$conf} : $no_tls); + defined($skip{$conf}) ? $skip{$conf} : $no_tls, + "none"); + test_conf($conf, + 0, + defined($skip{$conf}) ? $skip{$conf} : $no_tls, + "default"); } } sub test_conf { - plan tests => 3; - - my ($conf, $check_source, $skip) = @_; + my ($conf, $check_source, $skip, $provider) = @_; my $conf_file = srctop_file("test", "ssl-tests", $conf); my $input_file = $conf_file . ".in"; - my $output_file = $conf; + my $output_file = $conf . "." . $provider; my $run_test = 1; SKIP: { # "Test" 1. Generate the source. skip 'failure', 2 unless - ok(run(perltest(["generate_ssl_tests.pl", $input_file], + ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider], interpreter_args => [ "-I", srctop_dir("util", "perl")], stdout => $output_file)), "Getting output from generate_ssl_tests.pl."); @@ -145,7 +149,7 @@ sub test_conf { skip "No tests available; skipping tests", 1 if $skip; skip "Stale sources; skipping tests", 1 if !$run_test; - ok(run(test(["ssl_test", $output_file, "default"])), + ok(run(test(["ssl_test", $output_file, $provider])), "running ssl_test $conf"); } } diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf index 757b973e57..5f75ae191c 100644 --- a/test/ssl-tests/20-cert-select.cnf +++ b/test/ssl-tests/20-cert-select.cnf 
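Review bot: The hard-coded `plan tests => 6` in the subtest depends on test_conf running exactly three checks for each of the two provider runs, so adding a third provider or another check inside test_conf will break the plan rather than point at the real failure. Consider driving both calls from a list, e.g. `my @providers = ("none", "default"); plan tests => 3 * @providers;`, and computing `defined($skip{$conf}) ? $skip{$conf} : $no_tls` once instead of twice. The second call passes `0` for `$check_source`, so the generated `$conf.default` file is presumably never compared with a checked-in copy; a one-line comment at the call saying that is intentional would help. test_conf's body continues outside the first hunk.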
@@ -9,33 +9,33 @@ test-3 = 3-Ed25519 CipherString and Signature Algorithm Selection test-4 = 4-Ed448 CipherString and Signature Algorithm Selection test-5 = 5-ECDSA with brainpool test-6 = 6-RSA CipherString Selection -test-7 = 7-RSA-PSS Certificate CipherString Selection -test-8 = 8-P-256 CipherString and Signature Algorithm Selection -test-9 = 9-Ed25519 CipherString and Curves Selection -test-10 = 10-Ed448 CipherString and Curves Selection -test-11 = 11-ECDSA CipherString Selection, no ECDSA certificate -test-12 = 12-ECDSA Signature Algorithm Selection -test-13 = 13-ECDSA Signature Algorithm Selection SHA384 -test-14 = 14-ECDSA Signature Algorithm Selection SHA1 -test-15 = 15-ECDSA Signature Algorithm Selection compressed point -test-16 = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate -test-17 = 17-RSA Signature Algorithm Selection -test-18 = 18-RSA-PSS Signature Algorithm Selection -test-19 = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection -test-20 = 20-RSA-PSS Certificate Unified Signature Algorithm Selection -test-21 = 21-Only RSA-PSS Certificate -test-22 = 22-Only RSA-PSS Certificate Valid Signature Algorithms -test-23 = 23-RSA-PSS Certificate, no PSS signature algorithms -test-24 = 24-Only RSA-PSS Restricted Certificate -test-25 = 25-RSA-PSS Restricted Certificate Valid Signature Algorithms -test-26 = 26-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm -test-27 = 27-RSA-PSS Restricted Certificate Invalid Signature Algorithms -test-28 = 28-RSA key exchange with all RSA certificate types -test-29 = 29-RSA key exchange with only RSA-PSS certificate -test-30 = 30-Suite B P-256 Hash Algorithm Selection -test-31 = 31-Suite B P-384 Hash Algorithm Selection -test-32 = 32-TLS 1.2 Ed25519 Client Auth -test-33 = 33-TLS 1.2 Ed448 Client Auth +test-7 = 7-P-256 CipherString and Signature Algorithm Selection +test-8 = 8-Ed25519 CipherString and Curves Selection +test-9 = 9-Ed448 CipherString and Curves Selection +test-10 = 
10-ECDSA CipherString Selection, no ECDSA certificate +test-11 = 11-ECDSA Signature Algorithm Selection +test-12 = 12-ECDSA Signature Algorithm Selection SHA384 +test-13 = 13-ECDSA Signature Algorithm Selection SHA1 +test-14 = 14-ECDSA Signature Algorithm Selection compressed point +test-15 = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate +test-16 = 16-RSA Signature Algorithm Selection +test-17 = 17-RSA-PSS Signature Algorithm Selection +test-18 = 18-RSA key exchange with all RSA certificate types +test-19 = 19-Suite B P-256 Hash Algorithm Selection +test-20 = 20-Suite B P-384 Hash Algorithm Selection +test-21 = 21-TLS 1.2 Ed25519 Client Auth +test-22 = 22-TLS 1.2 Ed448 Client Auth +test-23 = 23-RSA-PSS Certificate CipherString Selection +test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection +test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection +test-26 = 26-Only RSA-PSS Certificate +test-27 = 27-Only RSA-PSS Certificate Valid Signature Algorithms +test-28 = 28-RSA-PSS Certificate, no PSS signature algorithms +test-29 = 29-Only RSA-PSS Restricted Certificate +test-30 = 30-RSA-PSS Restricted Certificate Valid Signature Algorithms +test-31 = 31-RSA-PSS Restricted Cert client prefers invalid Signature Algorithm +test-32 = 32-RSA-PSS Restricted Certificate Invalid Signature Algorithms +test-33 = 33-RSA key exchange with only RSA-PSS certificate test-34 = 34-Only RSA-PSS Certificate, TLS v1.1 test-35 = 35-TLS 1.3 ECDSA Signature Algorithm Selection test-36 = 36-TLS 1.3 ECDSA Signature Algorithm Selection compressed point 
@@ -292,14 +292,14 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[7-RSA-PSS Certificate CipherString Selection] -ssl_conf = 7-RSA-PSS Certificate CipherString Selection-ssl +[7-P-256 CipherString and Signature Algorithm Selection] +ssl_conf = 7-P-256 CipherString and Signature Algorithm Selection-ssl -[7-RSA-PSS Certificate CipherString Selection-ssl] -server = 7-RSA-PSS Certificate CipherString Selection-server -client = 7-RSA-PSS Certificate CipherString Selection-client +[7-P-256 CipherString and Signature Algorithm Selection-ssl] +server = 7-P-256 CipherString and Signature Algorithm Selection-server +client = 7-P-256 CipherString and Signature Algorithm Selection-client -[7-RSA-PSS Certificate CipherString Selection-server] +[7-P-256 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -309,51 +309,16 @@ Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 -PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[7-RSA-PSS Certificate CipherString Selection-client] -CipherString = aRSA -MaxProtocol = TLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-7] -ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignType = RSA-PSS - - -# =========================================================== - -[8-P-256 CipherString and Signature Algorithm Selection] -ssl_conf = 8-P-256 CipherString and Signature Algorithm Selection-ssl - -[8-P-256 CipherString and Signature Algorithm Selection-ssl] -server = 8-P-256 CipherString and Signature Algorithm Selection-server -client = 8-P-256 CipherString and Signature Algorithm Selection-client - -[8-P-256 CipherString and Signature Algorithm Selection-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[8-P-256 CipherString and Signature Algorithm Selection-client] +[7-P-256 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
-[test-8] +[test-7] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -362,14 +327,14 @@ ExpectedServerSignType = EC # =========================================================== -[9-Ed25519 CipherString and Curves Selection] -ssl_conf = 9-Ed25519 CipherString and Curves Selection-ssl +[8-Ed25519 CipherString and Curves Selection] +ssl_conf = 8-Ed25519 CipherString and Curves Selection-ssl -[9-Ed25519 CipherString and Curves Selection-ssl] -server = 9-Ed25519 CipherString and Curves Selection-server -client = 9-Ed25519 CipherString and Curves Selection-client +[8-Ed25519 CipherString and Curves Selection-ssl] +server = 8-Ed25519 CipherString and Curves Selection-server +client = 8-Ed25519 CipherString and Curves Selection-client -[9-Ed25519 CipherString and Curves Selection-server] +[8-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -381,7 +346,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[9-Ed25519 CipherString and Curves Selection-client] +[8-Ed25519 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X25519 MaxProtocol = TLSv1.2 @@ -389,7 +354,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-9] +[test-8] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 
@@ -397,14 +362,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[10-Ed448 CipherString and Curves Selection] -ssl_conf = 10-Ed448 CipherString and Curves Selection-ssl +[9-Ed448 CipherString and Curves Selection] +ssl_conf = 9-Ed448 CipherString and Curves Selection-ssl -[10-Ed448 CipherString and Curves Selection-ssl] -server = 10-Ed448 CipherString and Curves Selection-server -client = 10-Ed448 CipherString and Curves Selection-client +[9-Ed448 CipherString and Curves Selection-ssl] +server = 9-Ed448 CipherString and Curves Selection-server +client = 9-Ed448 CipherString and Curves Selection-client -[10-Ed448 CipherString and Curves Selection-server] +[9-Ed448 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -416,7 +381,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[10-Ed448 CipherString and Curves Selection-client] +[9-Ed448 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X448 MaxProtocol = TLSv1.2 @@ -424,7 +389,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-10] +[test-9] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 
@@ -432,39 +397,39 @@ ExpectedServerSignType = Ed448 # =========================================================== -[11-ECDSA CipherString Selection, no ECDSA certificate] -ssl_conf = 11-ECDSA CipherString Selection, no ECDSA certificate-ssl +[10-ECDSA CipherString Selection, no ECDSA certificate] +ssl_conf = 10-ECDSA CipherString Selection, no ECDSA certificate-ssl -[11-ECDSA CipherString Selection, no ECDSA certificate-ssl] -server = 11-ECDSA CipherString Selection, no ECDSA certificate-server -client = 11-ECDSA CipherString Selection, no ECDSA certificate-client +[10-ECDSA CipherString Selection, no ECDSA certificate-ssl] +server = 10-ECDSA CipherString Selection, no ECDSA certificate-server +client = 10-ECDSA CipherString Selection, no ECDSA certificate-client -[11-ECDSA CipherString Selection, no ECDSA certificate-server] +[10-ECDSA CipherString Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[11-ECDSA CipherString Selection, no ECDSA certificate-client] +[10-ECDSA CipherString Selection, no ECDSA certificate-client] CipherString = aECDSA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-11] +[test-10] ExpectedResult = ServerFail # =========================================================== -[12-ECDSA Signature Algorithm Selection] -ssl_conf = 12-ECDSA Signature Algorithm Selection-ssl +[11-ECDSA Signature Algorithm Selection] +ssl_conf = 11-ECDSA Signature Algorithm Selection-ssl -[12-ECDSA Signature Algorithm Selection-ssl] -server = 12-ECDSA Signature Algorithm Selection-server -client = 12-ECDSA Signature Algorithm Selection-client +[11-ECDSA Signature Algorithm Selection-ssl] +server = 11-ECDSA Signature Algorithm Selection-server +client = 11-ECDSA Signature Algorithm Selection-client -[12-ECDSA Signature Algorithm Selection-server] +[11-ECDSA Signature Algorithm 
Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -476,13 +441,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[12-ECDSA Signature Algorithm Selection-client] +[11-ECDSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-12] +[test-11] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 @@ -491,14 +456,14 @@ ExpectedServerSignType = EC # =========================================================== -[13-ECDSA Signature Algorithm Selection SHA384] -ssl_conf = 13-ECDSA Signature Algorithm Selection SHA384-ssl +[12-ECDSA Signature Algorithm Selection SHA384] +ssl_conf = 12-ECDSA Signature Algorithm Selection SHA384-ssl -[13-ECDSA Signature Algorithm Selection SHA384-ssl] -server = 13-ECDSA Signature Algorithm Selection SHA384-server -client = 13-ECDSA Signature Algorithm Selection SHA384-client +[12-ECDSA Signature Algorithm Selection SHA384-ssl] +server = 12-ECDSA Signature Algorithm Selection SHA384-server +client = 12-ECDSA Signature Algorithm Selection SHA384-client -[13-ECDSA Signature Algorithm Selection SHA384-server] +[12-ECDSA Signature Algorithm Selection SHA384-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -510,13 +475,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[13-ECDSA Signature Algorithm Selection SHA384-client] +[12-ECDSA Signature Algorithm Selection SHA384-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA384 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-13] +[test-12] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA384 @@ -525,14 +490,14 @@ ExpectedServerSignType = EC # =========================================================== -[14-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 14-ECDSA Signature Algorithm Selection SHA1-ssl +[13-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 13-ECDSA Signature Algorithm Selection SHA1-ssl -[14-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 14-ECDSA Signature Algorithm Selection SHA1-server -client = 14-ECDSA Signature Algorithm Selection SHA1-client +[13-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 13-ECDSA Signature Algorithm Selection SHA1-server +client = 13-ECDSA Signature Algorithm Selection SHA1-client -[14-ECDSA Signature Algorithm Selection SHA1-server] +[13-ECDSA Signature Algorithm Selection SHA1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -544,13 +509,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[14-ECDSA Signature Algorithm Selection SHA1-client] +[13-ECDSA Signature Algorithm Selection SHA1-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-14] +[test-13] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA1 
@@ -559,14 +524,14 @@ ExpectedServerSignType = EC # =========================================================== -[15-ECDSA Signature Algorithm Selection compressed point] -ssl_conf = 15-ECDSA Signature Algorithm Selection compressed point-ssl +[14-ECDSA Signature Algorithm Selection compressed point] +ssl_conf = 14-ECDSA Signature Algorithm Selection compressed point-ssl -[15-ECDSA Signature Algorithm Selection compressed point-ssl] -server = 15-ECDSA Signature Algorithm Selection compressed point-server -client = 15-ECDSA Signature Algorithm Selection compressed point-client +[14-ECDSA Signature Algorithm Selection compressed point-ssl] +server = 14-ECDSA Signature Algorithm Selection compressed point-server +client = 14-ECDSA Signature Algorithm Selection compressed point-client -[15-ECDSA Signature Algorithm Selection compressed point-server] +[14-ECDSA Signature Algorithm Selection compressed point-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem @@ -574,13 +539,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[15-ECDSA Signature Algorithm Selection compressed point-client] +[14-ECDSA Signature Algorithm Selection compressed point-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-15] +[test-14] ExpectedResult = Success ExpectedServerCertType = P-256 ExpectedServerSignHash = SHA256 
@@ -589,39 +554,39 @@ ExpectedServerSignType = EC # =========================================================== -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate] -ssl_conf = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate] +ssl_conf = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] -server = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-server -client = 16-ECDSA Signature Algorithm Selection, no ECDSA certificate-client +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl] +server = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server +client = 15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] +[15-ECDSA Signature Algorithm Selection, no ECDSA certificate-client] CipherString = DEFAULT SignatureAlgorithms = ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-15] ExpectedResult = ServerFail # =========================================================== -[17-RSA Signature Algorithm Selection] -ssl_conf = 17-RSA Signature Algorithm Selection-ssl +[16-RSA Signature Algorithm Selection] +ssl_conf = 16-RSA Signature Algorithm Selection-ssl -[17-RSA Signature Algorithm Selection-ssl] -server = 17-RSA Signature Algorithm Selection-server -client = 17-RSA Signature Algorithm Selection-client +[16-RSA Signature Algorithm Selection-ssl] +server = 16-RSA Signature Algorithm Selection-server +client = 16-RSA Signature Algorithm 
Selection-client -[17-RSA Signature Algorithm Selection-server] +[16-RSA Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -633,13 +598,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[17-RSA Signature Algorithm Selection-client] +[16-RSA Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-17] +[test-16] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 @@ -648,14 +613,14 @@ ExpectedServerSignType = RSA # =========================================================== -[18-RSA-PSS Signature Algorithm Selection] -ssl_conf = 18-RSA-PSS Signature Algorithm Selection-ssl +[17-RSA-PSS Signature Algorithm Selection] +ssl_conf = 17-RSA-PSS Signature Algorithm Selection-ssl -[18-RSA-PSS Signature Algorithm Selection-ssl] -server = 18-RSA-PSS Signature Algorithm Selection-server -client = 18-RSA-PSS Signature Algorithm Selection-client +[17-RSA-PSS Signature Algorithm Selection-ssl] +server = 17-RSA-PSS Signature Algorithm Selection-server +client = 17-RSA-PSS Signature Algorithm Selection-client -[18-RSA-PSS Signature Algorithm Selection-server] +[17-RSA-PSS Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -667,13 +632,13 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[18-RSA-PSS Signature Algorithm Selection-client] +[17-RSA-PSS Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = RSA-PSS+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-18] +[test-17] ExpectedResult = Success ExpectedServerCertType = RSA ExpectedServerSignHash = SHA256 
@@ -682,196 +647,250 @@ ExpectedServerSignType = RSA-PSS # =========================================================== -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection] -ssl_conf = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl +[18-RSA key exchange with all RSA certificate types] +ssl_conf = 18-RSA key exchange with all RSA certificate types-ssl -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl] -server = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-server -client = 19-RSA-PSS Certificate Legacy Signature Algorithm Selection-client +[18-RSA key exchange with all RSA certificate types-ssl] +server = 18-RSA key exchange with all RSA certificate types-server +client = 18-RSA key exchange with all RSA certificate types-client -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-server] +[18-RSA key exchange with all RSA certificate types-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-RSA-PSS Certificate Legacy Signature Algorithm Selection-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA-PSS+SHA256 +[18-RSA key exchange with all RSA certificate types-client] +CipherString = kRSA +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-19] +[test-18] ExpectedResult = Success ExpectedServerCertType = RSA -ExpectedServerSignHash = 
SHA256 -ExpectedServerSignType = RSA-PSS # =========================================================== -[20-RSA-PSS Certificate Unified Signature Algorithm Selection] -ssl_conf = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl +[19-Suite B P-256 Hash Algorithm Selection] +ssl_conf = 19-Suite B P-256 Hash Algorithm Selection-ssl -[20-RSA-PSS Certificate Unified Signature Algorithm Selection-ssl] -server = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-server -client = 20-RSA-PSS Certificate Unified Signature Algorithm Selection-client +[19-Suite B P-256 Hash Algorithm Selection-ssl] +server = 19-Suite B P-256 Hash Algorithm Selection-server +client = 19-Suite B P-256 Hash Algorithm Selection-client -[20-RSA-PSS Certificate Unified Signature Algorithm Selection-server] +[19-Suite B P-256 Hash Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[19-Suite B P-256 Hash Algorithm Selection-client] CipherString = DEFAULT -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +VerifyMode = Peer + +[test-19] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA256 +ExpectedServerSignType = EC + + +# =========================================================== + +[20-Suite B P-384 Hash Algorithm Selection] +ssl_conf = 
20-Suite B P-384 Hash Algorithm Selection-ssl + +[20-Suite B P-384 Hash Algorithm Selection-ssl] +server = 20-Suite B P-384 Hash Algorithm Selection-server +client = 20-Suite B P-384 Hash Algorithm Selection-client + +[20-Suite B P-384 Hash Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = SUITEB128 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem MaxProtocol = TLSv1.2 -PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-RSA-PSS Certificate Unified Signature Algorithm Selection-client] +[20-Suite B P-384 Hash Algorithm Selection-client] CipherString = DEFAULT -SignatureAlgorithms = rsa_pss_pss_sha256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer [test-20] ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA-PSS +ExpectedServerCertType = P-384 +ExpectedServerSignHash = SHA384 +ExpectedServerSignType = EC # =========================================================== -[21-Only RSA-PSS Certificate] -ssl_conf = 21-Only RSA-PSS Certificate-ssl +[21-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl -[21-Only RSA-PSS Certificate-ssl] -server = 21-Only RSA-PSS Certificate-server -client = 21-Only RSA-PSS Certificate-client +[21-TLS 1.2 Ed25519 Client Auth-ssl] +server = 21-TLS 1.2 Ed25519 Client Auth-server +client = 21-TLS 1.2 Ed25519 Client Auth-client -[21-Only RSA-PSS Certificate-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +[21-TLS 1.2 Ed25519 Client Auth-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = 
${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[21-Only RSA-PSS Certificate-client] +[21-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-21] +ExpectedClientCertType = Ed25519 +ExpectedClientSignType = Ed25519 ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignHash = SHA256 -ExpectedServerSignType = RSA-PSS # =========================================================== -[22-Only RSA-PSS Certificate Valid Signature Algorithms] -ssl_conf = 22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl +[22-TLS 1.2 Ed448 Client Auth] +ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl -[22-Only RSA-PSS Certificate Valid Signature Algorithms-ssl] -server = 22-Only RSA-PSS Certificate Valid Signature Algorithms-server -client = 22-Only RSA-PSS Certificate Valid Signature Algorithms-client +[22-TLS 1.2 Ed448 Client Auth-ssl] +server = 22-TLS 1.2 Ed448 Client Auth-server +client = 22-TLS 1.2 Ed448 Client Auth-client -[22-Only RSA-PSS Certificate Valid Signature Algorithms-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +[22-TLS 1.2 Ed448 Client Auth-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyMode = Require -[22-Only RSA-PSS Certificate Valid Signature Algorithms-client] +[22-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT -SignatureAlgorithms = rsa_pss_pss_sha512 +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem 
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-22] +ExpectedClientCertType = Ed448 +ExpectedClientSignType = Ed448 ExpectedResult = Success -ExpectedServerCertType = RSA-PSS -ExpectedServerSignHash = SHA512 -ExpectedServerSignType = RSA-PSS # =========================================================== -[23-RSA-PSS Certificate, no PSS signature algorithms] -ssl_conf = 23-RSA-PSS Certificate, no PSS signature algorithms-ssl +[23-RSA-PSS Certificate CipherString Selection] +ssl_conf = 23-RSA-PSS Certificate CipherString Selection-ssl -[23-RSA-PSS Certificate, no PSS signature algorithms-ssl] -server = 23-RSA-PSS Certificate, no PSS signature algorithms-server -client = 23-RSA-PSS Certificate, no PSS signature algorithms-client +[23-RSA-PSS Certificate CipherString Selection-ssl] +server = 23-RSA-PSS Certificate CipherString Selection-server +client = 23-RSA-PSS Certificate CipherString Selection-client -[23-RSA-PSS Certificate, no PSS signature algorithms-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +[23-RSA-PSS Certificate CipherString Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PSS.Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem +PSS.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[23-RSA-PSS Certificate, no PSS signature 
algorithms-client] -CipherString = DEFAULT -SignatureAlgorithms = RSA+SHA256 +[23-RSA-PSS Certificate CipherString Selection-client] +CipherString = aRSA +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-23] -ExpectedResult = ServerFail +ExpectedResult = Success +ExpectedServerCertType = RSA-PSS +ExpectedServerSignType = RSA-PSS # =========================================================== -[24-Only RSA-PSS Restricted Certificate] -ssl_conf = 24-Only RSA-PSS Restricted Certificate-ssl +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection] +ssl_conf = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl -[24-Only RSA-PSS Restricted Certificate-ssl] -server = 24-Only RSA-PSS Restricted Certificate-server -client = 24-Only RSA-PSS Restricted Certificate-client +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-ssl] +server = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-server +client = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection-client -[24-Only RSA-PSS Restricted Certificate-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-cert.pem +[24-RSA-PSS Certificate Legacy Signature Algorithm Selection-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-restrict-key.pem +ECDSA.Certificate = ${ENV::TEST_CERTS |