diff options
author | Kurt Roeckx <kurt@roeckx.be> | 2020-02-09 19:28:15 +0100 |
---|---|---|
committer | Kurt Roeckx <kurt@roeckx.be> | 2020-02-16 11:55:42 +0100 |
commit | 57225c99ef848f0d0d1a7ab586a61ef71740f1ff (patch) | |
tree | b4c91a0e0eeadf0504c64f20388b16f183f2fd88 /test | |
parent | 42fc47964727fb2b12024eaf390c28fcb3caf561 (diff) |
Check that ed25519 and ed448 are allowed by the security level
Signature algorithms not using an MD weren't checked that they're
allowed by the security level.
Reviewed-by: Tomáš Mráz <tmraz@fedoraproject.org>
GH: #11062
Diffstat (limited to 'test')
-rw-r--r-- | test/ssl-tests/28-seclevel.conf | 106 | ||||
-rw-r--r-- | test/ssl-tests/28-seclevel.conf.in | 31 |
2 files changed, 105 insertions, 32 deletions
diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf index 04a0c4fbd5..99fa8109c3 100644 --- a/test/ssl-tests/28-seclevel.conf +++ b/test/ssl-tests/28-seclevel.conf @@ -1,11 +1,13 @@ # Generated with generate_ssl_tests.pl -num_tests = 4 +num_tests = 6 test-0 = 0-SECLEVEL 3 with default key -test-1 = 1-SECLEVEL 3 with ED448 key -test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE -test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2 +test-1 = 1-SECLEVEL 4 with ED448 key +test-2 = 2-SECLEVEL 5 server with ED448 key +test-3 = 3-SECLEVEL 5 client with ED448 key +test-4 = 4-SECLEVEL 3 with P-384 key, X25519 ECDHE +test-5 = 5-SECLEVEL 3 with ED448 key, TLSv1.2 # =========================================================== [0-SECLEVEL 3 with default key] @@ -31,20 +33,20 @@ ExpectedResult = ServerFail # =========================================================== -[1-SECLEVEL 3 with ED448 key] -ssl_conf = 1-SECLEVEL 3 with ED448 key-ssl +[1-SECLEVEL 4 with ED448 key] +ssl_conf = 1-SECLEVEL 4 with ED448 key-ssl -[1-SECLEVEL 3 with ED448 key-ssl] -server = 1-SECLEVEL 3 with ED448 key-server -client = 1-SECLEVEL 3 with ED448 key-client +[1-SECLEVEL 4 with ED448 key-ssl] +server = 1-SECLEVEL 4 with ED448 key-server +client = 1-SECLEVEL 4 with ED448 key-client -[1-SECLEVEL 3 with ED448 key-server] +[1-SECLEVEL 4 with ED448 key-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -CipherString = DEFAULT:@SECLEVEL=3 +CipherString = DEFAULT:@SECLEVEL=4 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -[1-SECLEVEL 3 with ED448 key-client] -CipherString = DEFAULT +[1-SECLEVEL 4 with ED448 key-client] +CipherString = DEFAULT:@SECLEVEL=4 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer @@ -54,49 +56,95 @@ ExpectedResult = Success # =========================================================== -[2-SECLEVEL 3 with P-384 key, X25519 ECDHE] -ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl +[2-SECLEVEL 5 server with ED448 key] +ssl_conf = 2-SECLEVEL 5 server with ED448 key-ssl + +[2-SECLEVEL 5 server with ED448 key-ssl] +server = 2-SECLEVEL 5 server with ED448 key-server +client = 2-SECLEVEL 5 server with ED448 key-client + +[2-SECLEVEL 5 server with ED448 key-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +CipherString = DEFAULT:@SECLEVEL=5 +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem + +[2-SECLEVEL 5 server with ED448 key-client] +CipherString = DEFAULT:@SECLEVEL=4 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +VerifyMode = Peer + +[test-2] +ExpectedResult = ServerFail + + +# =========================================================== + +[3-SECLEVEL 5 client with ED448 key] +ssl_conf = 3-SECLEVEL 5 client with ED448 key-ssl -[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl] -server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server -client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client +[3-SECLEVEL 5 client with ED448 key-ssl] +server = 3-SECLEVEL 5 client with ED448 key-server +client = 3-SECLEVEL 5 client with ED448 key-client -[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server] +[3-SECLEVEL 5 client with ED448 key-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +CipherString = DEFAULT:@SECLEVEL=4 +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem + +[3-SECLEVEL 5 client with ED448 key-client] +CipherString = DEFAULT:@SECLEVEL=5 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = ServerFail + + +# =========================================================== + +[4-SECLEVEL 3 with P-384 key, X25519 ECDHE] +ssl_conf = 4-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl + +[4-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl] +server = 4-SECLEVEL 3 with P-384 key, X25519 ECDHE-server +client = 4-SECLEVEL 3 with P-384 key, X25519 ECDHE-client + +[4-SECLEVEL 3 with P-384 key, X25519 ECDHE-server] Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem CipherString = DEFAULT:@SECLEVEL=3 Groups = X25519 PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem -[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client] +[4-SECLEVEL 3 with P-384 key, X25519 ECDHE-client] CipherString = ECDHE:@SECLEVEL=3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem VerifyMode = Peer -[test-2] +[test-4] ExpectedResult = Success # =========================================================== -[3-SECLEVEL 3 with ED448 key, TLSv1.2] -ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl +[5-SECLEVEL 3 with ED448 key, TLSv1.2] +ssl_conf = 5-SECLEVEL 3 with ED448 key, TLSv1.2-ssl -[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl] -server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server -client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client +[5-SECLEVEL 3 with ED448 key, TLSv1.2-ssl] +server = 5-SECLEVEL 3 with ED448 key, TLSv1.2-server +client = 5-SECLEVEL 3 with ED448 key, TLSv1.2-client -[3-SECLEVEL 3 with ED448 key, TLSv1.2-server] +[5-SECLEVEL 3 with ED448 key, TLSv1.2-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem CipherString = DEFAULT:@SECLEVEL=3 MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -[3-SECLEVEL 3 with ED448 key, TLSv1.2-client] +[5-SECLEVEL 3 with ED448 key, TLSv1.2-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-3] +[test-5] ExpectedResult = Success diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in index 6f8debb059..8a1e8ef847 100644 --- a/test/ssl-tests/28-seclevel.conf.in +++ b/test/ssl-tests/28-seclevel.conf.in @@ -23,14 +23,39 @@ our @tests = ( our @tests_ec = ( { - name => "SECLEVEL 3 with ED448 key", - server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", + name => "SECLEVEL 4 with ED448 key", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", "Certificate" => test_pem("server-ed448-cert.pem"), "PrivateKey" => test_pem("server-ed448-key.pem") }, - client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, + client => { "CipherString" => "DEFAULT:\@SECLEVEL=4", + "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, test => { "ExpectedResult" => "Success" }, }, { + # The Ed488 signature algorithm will not be enabled. + # Because of the config order, the certificate is first loaded, and + # then the security level is chaged. If you try this with s_server + # the order will be reversed and it will instead fail to load the key. + name => "SECLEVEL 5 server with ED448 key", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=5", + "Certificate" => test_pem("server-ed448-cert.pem"), + "PrivateKey" => test_pem("server-ed448-key.pem") }, + client => { "CipherString" => "DEFAULT:\@SECLEVEL=4", + "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, + test => { "ExpectedResult" => "ServerFail" }, + }, + { + # The client will not sent the Ed488 signature algorithm, so the server + # doesn't have a useable signature algorithm for the certificate. + name => "SECLEVEL 5 client with ED448 key", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", + "Certificate" => test_pem("server-ed448-cert.pem"), + "PrivateKey" => test_pem("server-ed448-key.pem") }, + client => { "CipherString" => "DEFAULT:\@SECLEVEL=5", + "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, + test => { "ExpectedResult" => "ServerFail" }, + }, + { name => "SECLEVEL 3 with P-384 key, X25519 ECDHE", server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", "Certificate" => test_pem("p384-server-cert.pem"), |