diff --git a/test/certs/dhp2048.pem b/test/certs/dhp2048.pem
index 9ee474b820..5e32efe779 100644
--- a/test/certs/dhp2048.pem
+++ b/test/certs/dhp2048.pem
@@ -1,8 +1,8 @@
 -----BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAoI0V5HKAcsG4LlAnVJhYnnl2ErOcdvz7WN4n+LoSkZVkfPcPExAF
-uXnT6v16rYfxCgZDPB/tSYaRhOxpJgaAHGA9PrfwprM4xQm9HLIWtidyIGtkgynQ
-rrtxaCculbPOMxc1od7V0jw8/Sj4pdKjijmdvY3VsvuQPu6Lo7qV94u3pYN+WSP9
-ESPcY0lvIV0s0eYxzU5LOU7FZRv6gpe658yxnpaQf13M3sFBqcQEnw+vIjNyaBBK
-Nm4jVFeKCN3aIz+yJL8y14HEnV/tnhtIrr33MAJvsG1qFBY7iFvbvlx/gKDW7qyk
-V0/iN2uElrJZIGxD2uPMZNXO+dci+EriMwIBAg==
+MIIBDAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
+IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
+awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
+mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
+fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
+5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAgICB/8=
 -----END DH PARAMETERS-----
diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf
index b0e3b79013..267690ee35 100644
--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
@@ -17,14 +17,14 @@ test-11 = 11-RSA-PSS Signature Algorithm Selection test-12 = 12-RSA key exchange with all RSA certificate types test-13 = 13-Suite B P-256 Hash Algorithm Selection test-14 = 14-Suite B P-384 Hash Algorithm Selection -test-15 = 15-ECDSA Signature Algorithm Selection SHA1 -test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection -test-17 = 17-Ed448 CipherString and Signature Algorithm Selection -test-18 = 18-ECDSA with brainpool -test-19 = 19-Ed25519 CipherString and Curves Selection -test-20 = 20-Ed448 CipherString and Curves Selection -test-21 = 21-TLS 1.2 Ed25519 Client Auth -test-22 = 22-TLS 1.2 Ed448 Client Auth +test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection +test-16 = 16-Ed448 CipherString and Signature Algorithm Selection +test-17 = 17-Ed25519 CipherString and Curves Selection +test-18 = 18-Ed448 CipherString and Curves Selection +test-19 = 19-TLS 1.2 Ed25519 Client Auth +test-20 = 20-TLS 1.2 Ed448 Client Auth +test-21 = 21-ECDSA Signature Algorithm Selection SHA1 +test-22 = 22-ECDSA with brainpool test-23 = 23-RSA-PSS Certificate CipherString Selection test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection 
@@ -529,48 +529,14 @@ ExpectedServerSignType = EC # =========================================================== -[15-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 15-ECDSA Signature Algorithm Selection SHA1-ssl +[15-Ed25519 CipherString and Signature Algorithm Selection] +ssl_conf = 15-Ed25519 CipherString and Signature Algorithm Selection-ssl -[15-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 15-ECDSA Signature Algorithm Selection SHA1-server -client = 15-ECDSA Signature Algorithm Selection SHA1-client +[15-Ed25519 CipherString and Signature Algorithm Selection-ssl] +server = 15-Ed25519 CipherString and Signature Algorithm Selection-server +client = 15-Ed25519 CipherString and Signature Algorithm Selection-client -[15-ECDSA Signature Algorithm Selection SHA1-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[15-ECDSA Signature Algorithm Selection SHA1-client] -CipherString = DEFAULT:@SECLEVEL=0 -SignatureAlgorithms = ECDSA+SHA1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-15] -ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignHash = SHA1 -ExpectedServerSignType = EC - - -# =========================================================== - -[16-Ed25519 CipherString and Signature Algorithm Selection] -ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl - -[16-Ed25519 CipherString and Signature Algorithm Selection-ssl] -server = 16-Ed25519 CipherString and 
Signature Algorithm Selection-server -client = 16-Ed25519 CipherString and Signature Algorithm Selection-client - -[16-Ed25519 CipherString and Signature Algorithm Selection-server] +[15-Ed25519 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -582,7 +548,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-Ed25519 CipherString and Signature Algorithm Selection-client] +[15-Ed25519 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -590,7 +556,7 @@ SignatureAlgorithms = ed25519:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-15] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = Ed25519 
@@ -599,14 +565,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[17-Ed448 CipherString and Signature Algorithm Selection] -ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl +[16-Ed448 CipherString and Signature Algorithm Selection] +ssl_conf = 16-Ed448 CipherString and Signature Algorithm Selection-ssl -[17-Ed448 CipherString and Signature Algorithm Selection-ssl] -server = 17-Ed448 CipherString and Signature Algorithm Selection-server -client = 17-Ed448 CipherString and Signature Algorithm Selection-client +[16-Ed448 CipherString and Signature Algorithm Selection-ssl] +server = 16-Ed448 CipherString and Signature Algorithm Selection-server +client = 16-Ed448 CipherString and Signature Algorithm Selection-client -[17-Ed448 CipherString and Signature Algorithm Selection-server] +[16-Ed448 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -618,7 +584,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[17-Ed448 CipherString and Signature Algorithm Selection-client] +[16-Ed448 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem @@ -626,7 +592,7 @@ SignatureAlgorithms = ed448:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-17] +[test-16] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = Ed448 
@@ -635,43 +601,14 @@ ExpectedServerSignType = Ed448 # =========================================================== -[18-ECDSA with brainpool] -ssl_conf = 18-ECDSA with brainpool-ssl +[17-Ed25519 CipherString and Curves Selection] +ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl -[18-ECDSA with brainpool-ssl] -server = 18-ECDSA with brainpool-server -client = 18-ECDSA with brainpool-client +[17-Ed25519 CipherString and Curves Selection-ssl] +server = 17-Ed25519 CipherString and Curves Selection-server +client = 17-Ed25519 CipherString and Curves Selection-client -[18-ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem - -[18-ECDSA with brainpool-client] -CipherString = aECDSA -Groups = brainpoolP256r1 -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-18] -ExpectedResult = Success -ExpectedServerCANames = empty -ExpectedServerCertType = brainpoolP256r1 -ExpectedServerSignType = EC - - -# =========================================================== - -[19-Ed25519 CipherString and Curves Selection] -ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl - -[19-Ed25519 CipherString and Curves Selection-ssl] -server = 19-Ed25519 CipherString and Curves Selection-server -client = 19-Ed25519 CipherString and Curves Selection-client - -[19-Ed25519 CipherString and Curves Selection-server] +[17-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem 
@@ -683,7 +620,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-Ed25519 CipherString and Curves Selection-client] +[17-Ed25519 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X25519 MaxProtocol = TLSv1.2 @@ -691,7 +628,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-19] +[test-17] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -699,14 +636,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[20-Ed448 CipherString and Curves Selection] -ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl +[18-Ed448 CipherString and Curves Selection] +ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl -[20-Ed448 CipherString and Curves Selection-ssl] -server = 20-Ed448 CipherString and Curves Selection-server -client = 20-Ed448 CipherString and Curves Selection-client +[18-Ed448 CipherString and Curves Selection-ssl] +server = 18-Ed448 CipherString and Curves Selection-server +client = 18-Ed448 CipherString and Curves Selection-client -[20-Ed448 CipherString and Curves Selection-server] +[18-Ed448 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -718,7 +655,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-Ed448 CipherString and Curves Selection-client] +[18-Ed448 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X448 MaxProtocol = TLSv1.2 
@@ -726,7 +663,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-20] +[test-18] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 @@ -734,21 +671,21 @@ ExpectedServerSignType = Ed448 # =========================================================== -[21-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl +[19-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl -[21-TLS 1.2 Ed25519 Client Auth-ssl] -server = 21-TLS 1.2 Ed25519 Client Auth-server -client = 21-TLS 1.2 Ed25519 Client Auth-client +[19-TLS 1.2 Ed25519 Client Auth-ssl] +server = 19-TLS 1.2 Ed25519 Client Auth-server +client = 19-TLS 1.2 Ed25519 Client Auth-client -[21-TLS 1.2 Ed25519 Client Auth-server] +[19-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[21-TLS 1.2 Ed25519 Client Auth-client] +[19-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -757,7 +694,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-21] +[test-19] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success 
@@ -765,21 +702,21 @@ ExpectedResult = Success # =========================================================== -[22-TLS 1.2 Ed448 Client Auth] -ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl +[20-TLS 1.2 Ed448 Client Auth] +ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl -[22-TLS 1.2 Ed448 Client Auth-ssl] -server = 22-TLS 1.2 Ed448 Client Auth-server -client = 22-TLS 1.2 Ed448 Client Auth-client +[20-TLS 1.2 Ed448 Client Auth-ssl] +server = 20-TLS 1.2 Ed448 Client Auth-server +client = 20-TLS 1.2 Ed448 Client Auth-client -[22-TLS 1.2 Ed448 Client Auth-server] +[20-TLS 1.2 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[22-TLS 1.2 Ed448 Client Auth-client] +[20-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem 
@@ -788,12 +725,75 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-22] +[test-20] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success +# =========================================================== + +[21-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl + +[21-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 21-ECDSA Signature Algorithm Selection SHA1-server +client = 21-ECDSA Signature Algorithm Selection SHA1-client + +[21-ECDSA Signature Algorithm Selection SHA1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[21-ECDSA Signature Algorithm Selection SHA1-client] +CipherString = DEFAULT:@SECLEVEL=0 +SignatureAlgorithms = ECDSA+SHA1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-21] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA1 +ExpectedServerSignType = EC + + +# =========================================================== + +[22-ECDSA with brainpool] +ssl_conf = 22-ECDSA with brainpool-ssl + +[22-ECDSA with brainpool-ssl] +server = 22-ECDSA with brainpool-server +client = 22-ECDSA with brainpool-client + +[22-ECDSA with brainpool-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem +CipherString = DEFAULT +Groups = brainpoolP256r1 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem + +[22-ECDSA with brainpool-client] +CipherString = aECDSA +Groups = brainpoolP256r1 +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-22] +ExpectedResult = Success +ExpectedServerCANames = empty +ExpectedServerCertType = brainpoolP256r1 +ExpectedServerSignType = EC + + # =========================================================== [23-RSA-PSS Certificate CipherString Selection] diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index ddb9ff4747..1aa3b0aeec 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in @@ -12,26 +12,15 @@ use OpenSSL::Test::Utils; our $fips_mode; our $no_deflt_libctx; -my $server; - -if ($fips_mode) { - #TODO(3.0): No EdDSA support in FIPS mode at the moment - $server = { - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "MaxProtocol" => "TLSv1.2" - }; -} else { - $server = { - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), - "MaxProtocol" => "TLSv1.2" - }; -} +my $server = { + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), + "MaxProtocol" => "TLSv1.2" +}; my $server_pss = { "PSS.Certificate" => test_pem("server-pss-cert.pem"), 
@@ -304,33 +293,6 @@ our @tests = ( "ExpectedResult" => "Success" }, }, -); - -my @tests_non_fips = ( - { - name => "ECDSA Signature Algorithm Selection SHA1", - server => { - "CipherString" => "DEFAULT:\@SECLEVEL=0", - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), - "MaxProtocol" => "TLSv1.2" - }, - client => { - "CipherString" => "DEFAULT:\@SECLEVEL=0", - "SignatureAlgorithms" => "ECDSA+SHA1", - }, - test => { - "ExpectedServerCertType" => "P-256", - "ExpectedServerSignHash" => "SHA1", - "ExpectedServerSignType" => "EC", - "ExpectedResult" => "Success" - }, - }, - # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment { name => "Ed25519 CipherString and Signature Algorithm Selection", server => $server, @@ -366,28 +328,6 @@ my @tests_non_fips = ( "ExpectedResult" => "Success" }, }, - { - name => "ECDSA with brainpool", - server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", - }, - client => { - #We don't restrict this to TLSv1.2, although use of brainpool - #should force this anyway so that this should succeed - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), - "Groups" => "brainpoolP256r1", - }, - test => { - "ExpectedServerCertType" =>, "brainpoolP256r1", - "ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities not sent for TLS < 1.3 - "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, { name => "Ed25519 CipherString and Curves Selection", server => $server, 
@@ -461,6 +401,54 @@ my @tests_non_fips = ( }, ); +my @tests_non_fips = ( + { + name => "ECDSA Signature Algorithm Selection SHA1", + server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), + "MaxProtocol" => "TLSv1.2" + }, + client => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + "SignatureAlgorithms" => "ECDSA+SHA1", + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA1", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "ECDSA with brainpool", + server => { + "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), + "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), + "Groups" => "brainpoolP256r1", + }, + client => { + #We don't restrict this to TLSv1.2, although use of brainpool + #should force this anyway so that this should succeed + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), + "Groups" => "brainpoolP256r1", + }, + test => { + "ExpectedServerCertType" =>, "brainpoolP256r1", + "ExpectedServerSignType" =>, "EC", + # Note: certificate_authorities not sent for TLS < 1.3 + "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, +); + my @tests_pss = ( { name => "RSA-PSS Certificate CipherString Selection", @@ -980,7 +968,6 @@ my @tests_dsa_tls_1_3 = ( ); if (!disabled("dsa")) { - #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation - push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode; + push @tests, @tests_dsa_tls_1_2 unless disabled("dh"); push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3"); } 
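Review bot: The re-added "ECDSA with brainpool" entry still writes three of its `test` keys with a stray comma after the fat arrow (`"ExpectedServerCertType" =>, "brainpoolP256r1",`). Perl accepts the empty list element, but since the block is being moved anyway it should read `"ExpectedServerCertType" => "brainpoolP256r1",`, and likewise for `ExpectedServerSignType` and `ExpectedServerCANames`. The rebuilt `@tests_non_fips` list also carries no comment explaining why these two cases stay out of FIPS runs. A line such as `# Not run in FIPS mode: needs SHA1 signatures at SECLEVEL=0 or brainpool curves` above the list would record that, assuming that is the reason. The code that consumes `@tests_non_fips` is outside this hunk.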
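Review bot: After `|| $fips_mode` is dropped from the `@tests_dsa_tls_1_2` push, nothing at this site says what makes these tests pass under FIPS. The removed TODO pointed at DH issues, and the same commit replaces `test/certs/dhp2048.pem` with parameters whose prime begins and ends with a run of all-ones bits, which looks like a standard safe-prime group. If the DSA tests load that file (not visible in this hunk), a comment such as `# FIPS mode requires an approved DH group; test/certs/dhp2048.pem must stay a named safe-prime group` would keep a later regeneration of the fixture from silently breaking FIPS runs. The test lists pushed here are defined outside the hunk.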
diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index 56c23eba3a..945f4599d1 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -81,6 +81,5 @@ our @tests_tls1_2 = ( }, ); -#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment -push @tests, @tests_ec unless disabled("ec") || $fips_mode; -push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode; +push @tests, @tests_ec unless disabled("ec"); +push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");