From 5e2f580d4ae51e60892adcdde6c5c25d83fe88e9 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 26 Feb 2021 14:42:57 +0100 Subject: [PATCH] test_ssl_new: X448, X25519, and EdDSA are supported with fips Removed the related TODOs. Also adjusted the DH parameters used for the DH test to be acceptable for FIPS as that now allows only known safe prime parameters. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14367) --- test/certs/dhp2048.pem | 12 +- test/ssl-tests/20-cert-select.cnf | 238 +++++++++++++-------------- test/ssl-tests/20-cert-select.cnf.in | 129 +++++++-------- test/ssl-tests/28-seclevel.cnf.in | 5 +- 4 files changed, 185 insertions(+), 199 deletions(-) diff --git a/test/certs/dhp2048.pem b/test/certs/dhp2048.pem index 9ee474b820..5e32efe779 100644 --- a/test/certs/dhp2048.pem +++ b/test/certs/dhp2048.pem @@ -1,8 +1,8 @@ -----BEGIN DH PARAMETERS----- -MIIBCAKCAQEAoI0V5HKAcsG4LlAnVJhYnnl2ErOcdvz7WN4n+LoSkZVkfPcPExAF -uXnT6v16rYfxCgZDPB/tSYaRhOxpJgaAHGA9PrfwprM4xQm9HLIWtidyIGtkgynQ -rrtxaCculbPOMxc1od7V0jw8/Sj4pdKjijmdvY3VsvuQPu6Lo7qV94u3pYN+WSP9 -ESPcY0lvIV0s0eYxzU5LOU7FZRv6gpe658yxnpaQf13M3sFBqcQEnw+vIjNyaBBK -Nm4jVFeKCN3aIz+yJL8y14HEnV/tnhtIrr33MAJvsG1qFBY7iFvbvlx/gKDW7qyk -V0/iN2uElrJZIGxD2uPMZNXO+dci+EriMwIBAg== +MIIBDAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAgICB/8= -----END DH PARAMETERS----- diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf index b0e3b79013..267690ee35 100644 --- a/test/ssl-tests/20-cert-select.cnf +++ b/test/ssl-tests/20-cert-select.cnf @@ -17,14 +17,14 @@ test-11 = 11-RSA-PSS Signature Algorithm Selection test-12 = 12-RSA key exchange with all RSA certificate types test-13 = 13-Suite B P-256 Hash Algorithm Selection test-14 = 14-Suite B P-384 Hash Algorithm Selection -test-15 = 15-ECDSA Signature Algorithm Selection SHA1 -test-16 = 16-Ed25519 CipherString and Signature Algorithm Selection -test-17 = 17-Ed448 CipherString and Signature Algorithm Selection -test-18 = 18-ECDSA with brainpool -test-19 = 19-Ed25519 CipherString and Curves Selection -test-20 = 20-Ed448 CipherString and Curves Selection -test-21 = 21-TLS 1.2 Ed25519 Client Auth -test-22 = 22-TLS 1.2 Ed448 Client Auth +test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection +test-16 = 16-Ed448 CipherString and Signature Algorithm Selection +test-17 = 17-Ed25519 CipherString and Curves Selection +test-18 = 18-Ed448 CipherString and Curves Selection +test-19 = 19-TLS 1.2 Ed25519 Client Auth +test-20 = 20-TLS 1.2 Ed448 Client Auth +test-21 = 21-ECDSA Signature Algorithm Selection SHA1 +test-22 = 22-ECDSA with brainpool test-23 = 23-RSA-PSS Certificate CipherString Selection test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection test-25 = 25-RSA-PSS Certificate Unified Signature Algorithm Selection @@ -529,48 +529,14 @@ ExpectedServerSignType = EC # =========================================================== -[15-ECDSA Signature Algorithm Selection SHA1] -ssl_conf = 15-ECDSA Signature Algorithm Selection SHA1-ssl +[15-Ed25519 CipherString and Signature Algorithm Selection] +ssl_conf = 15-Ed25519 CipherString and Signature Algorithm Selection-ssl -[15-ECDSA Signature Algorithm Selection SHA1-ssl] -server = 15-ECDSA Signature Algorithm Selection SHA1-server -client = 15-ECDSA Signature Algorithm Selection SHA1-client +[15-Ed25519 CipherString and Signature Algorithm Selection-ssl] +server = 15-Ed25519 CipherString and Signature Algorithm Selection-server +client = 15-Ed25519 CipherString and Signature Algorithm Selection-client -[15-ECDSA Signature Algorithm Selection SHA1-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem -ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem -Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem -Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem -Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem -Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem -MaxProtocol = TLSv1.2 -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[15-ECDSA Signature Algorithm Selection SHA1-client] -CipherString = DEFAULT:@SECLEVEL=0 -SignatureAlgorithms = ECDSA+SHA1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-15] -ExpectedResult = Success -ExpectedServerCertType = P-256 -ExpectedServerSignHash = SHA1 -ExpectedServerSignType = EC - - -# =========================================================== - -[16-Ed25519 CipherString and Signature Algorithm Selection] -ssl_conf = 16-Ed25519 CipherString and Signature Algorithm Selection-ssl - -[16-Ed25519 CipherString and Signature Algorithm Selection-ssl] -server = 16-Ed25519 CipherString and Signature Algorithm Selection-server -client = 16-Ed25519 CipherString and Signature Algorithm Selection-client - -[16-Ed25519 CipherString and Signature Algorithm Selection-server] +[15-Ed25519 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -582,7 +548,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[16-Ed25519 CipherString and Signature Algorithm Selection-client] +[15-Ed25519 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem @@ -590,7 +556,7 @@ SignatureAlgorithms = ed25519:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-16] +[test-15] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = Ed25519 @@ -599,14 +565,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[17-Ed448 CipherString and Signature Algorithm Selection] -ssl_conf = 17-Ed448 CipherString and Signature Algorithm Selection-ssl +[16-Ed448 CipherString and Signature Algorithm Selection] +ssl_conf = 16-Ed448 CipherString and Signature Algorithm Selection-ssl -[17-Ed448 CipherString and Signature Algorithm Selection-ssl] -server = 17-Ed448 CipherString and Signature Algorithm Selection-server -client = 17-Ed448 CipherString and Signature Algorithm Selection-client +[16-Ed448 CipherString and Signature Algorithm Selection-ssl] +server = 16-Ed448 CipherString and Signature Algorithm Selection-server +client = 16-Ed448 CipherString and Signature Algorithm Selection-client -[17-Ed448 CipherString and Signature Algorithm Selection-server] +[16-Ed448 CipherString and Signature Algorithm Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -618,7 +584,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[17-Ed448 CipherString and Signature Algorithm Selection-client] +[16-Ed448 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem @@ -626,7 +592,7 @@ SignatureAlgorithms = ed448:ECDSA+SHA256 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-17] +[test-16] ExpectedResult = Success ExpectedServerCANames = empty ExpectedServerCertType = Ed448 @@ -635,43 +601,14 @@ ExpectedServerSignType = Ed448 # =========================================================== -[18-ECDSA with brainpool] -ssl_conf = 18-ECDSA with brainpool-ssl +[17-Ed25519 CipherString and Curves Selection] +ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl -[18-ECDSA with brainpool-ssl] -server = 18-ECDSA with brainpool-server -client = 18-ECDSA with brainpool-client +[17-Ed25519 CipherString and Curves Selection-ssl] +server = 17-Ed25519 CipherString and Curves Selection-server +client = 17-Ed25519 CipherString and Curves Selection-client -[18-ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem - -[18-ECDSA with brainpool-client] -CipherString = aECDSA -Groups = brainpoolP256r1 -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-18] -ExpectedResult = Success -ExpectedServerCANames = empty -ExpectedServerCertType = brainpoolP256r1 -ExpectedServerSignType = EC - - -# =========================================================== - -[19-Ed25519 CipherString and Curves Selection] -ssl_conf = 19-Ed25519 CipherString and Curves Selection-ssl - -[19-Ed25519 CipherString and Curves Selection-ssl] -server = 19-Ed25519 CipherString and Curves Selection-server -client = 19-Ed25519 CipherString and Curves Selection-client - -[19-Ed25519 CipherString and Curves Selection-server] +[17-Ed25519 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -683,7 +620,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[19-Ed25519 CipherString and Curves Selection-client] +[17-Ed25519 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X25519 MaxProtocol = TLSv1.2 @@ -691,7 +628,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed25519 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-19] +[test-17] ExpectedResult = Success ExpectedServerCertType = Ed25519 ExpectedServerSignType = Ed25519 @@ -699,14 +636,14 @@ ExpectedServerSignType = Ed25519 # =========================================================== -[20-Ed448 CipherString and Curves Selection] -ssl_conf = 20-Ed448 CipherString and Curves Selection-ssl +[18-Ed448 CipherString and Curves Selection] +ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl -[20-Ed448 CipherString and Curves Selection-ssl] -server = 20-Ed448 CipherString and Curves Selection-server -client = 20-Ed448 CipherString and Curves Selection-client +[18-Ed448 CipherString and Curves Selection-ssl] +server = 18-Ed448 CipherString and Curves Selection-server +client = 18-Ed448 CipherString and Curves Selection-client -[20-Ed448 CipherString and Curves Selection-server] +[18-Ed448 CipherString and Curves Selection-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem @@ -718,7 +655,7 @@ Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[20-Ed448 CipherString and Curves Selection-client] +[18-Ed448 CipherString and Curves Selection-client] CipherString = aECDSA Curves = X448 MaxProtocol = TLSv1.2 @@ -726,7 +663,7 @@ SignatureAlgorithms = ECDSA+SHA256:ed448 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer -[test-20] +[test-18] ExpectedResult = Success ExpectedServerCertType = Ed448 ExpectedServerSignType = Ed448 @@ -734,21 +671,21 @@ ExpectedServerSignType = Ed448 # =========================================================== -[21-TLS 1.2 Ed25519 Client Auth] -ssl_conf = 21-TLS 1.2 Ed25519 Client Auth-ssl +[19-TLS 1.2 Ed25519 Client Auth] +ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl -[21-TLS 1.2 Ed25519 Client Auth-ssl] -server = 21-TLS 1.2 Ed25519 Client Auth-server -client = 21-TLS 1.2 Ed25519 Client Auth-client +[19-TLS 1.2 Ed25519 Client Auth-ssl] +server = 19-TLS 1.2 Ed25519 Client Auth-server +client = 19-TLS 1.2 Ed25519 Client Auth-client -[21-TLS 1.2 Ed25519 Client Auth-server] +[19-TLS 1.2 Ed25519 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[21-TLS 1.2 Ed25519 Client Auth-client] +[19-TLS 1.2 Ed25519 Client Auth-client] CipherString = DEFAULT Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed25519-key.pem @@ -757,7 +694,7 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-21] +[test-19] ExpectedClientCertType = Ed25519 ExpectedClientSignType = Ed25519 ExpectedResult = Success @@ -765,21 +702,21 @@ ExpectedResult = Success # =========================================================== -[22-TLS 1.2 Ed448 Client Auth] -ssl_conf = 22-TLS 1.2 Ed448 Client Auth-ssl +[20-TLS 1.2 Ed448 Client Auth] +ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl -[22-TLS 1.2 Ed448 Client Auth-ssl] -server = 22-TLS 1.2 Ed448 Client Auth-server -client = 22-TLS 1.2 Ed448 Client Auth-client +[20-TLS 1.2 Ed448 Client Auth-ssl] +server = 20-TLS 1.2 Ed448 Client Auth-server +client = 20-TLS 1.2 Ed448 Client Auth-client -[22-TLS 1.2 Ed448 Client Auth-server] +[20-TLS 1.2 Ed448 Client Auth-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require -[22-TLS 1.2 Ed448 Client Auth-client] +[20-TLS 1.2 Ed448 Client Auth-client] CipherString = DEFAULT Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/client-ed448-key.pem @@ -788,12 +725,75 @@ MinProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[test-22] +[test-20] ExpectedClientCertType = Ed448 ExpectedClientSignType = Ed448 ExpectedResult = Success +# =========================================================== + +[21-ECDSA Signature Algorithm Selection SHA1] +ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl + +[21-ECDSA Signature Algorithm Selection SHA1-ssl] +server = 21-ECDSA Signature Algorithm Selection SHA1-server +client = 21-ECDSA Signature Algorithm Selection SHA1-client + +[21-ECDSA Signature Algorithm Selection SHA1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem +ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem +Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem +Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem +Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[21-ECDSA Signature Algorithm Selection SHA1-client] +CipherString = DEFAULT:@SECLEVEL=0 +SignatureAlgorithms = ECDSA+SHA1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-21] +ExpectedResult = Success +ExpectedServerCertType = P-256 +ExpectedServerSignHash = SHA1 +ExpectedServerSignType = EC + + +# =========================================================== + +[22-ECDSA with brainpool] +ssl_conf = 22-ECDSA with brainpool-ssl + +[22-ECDSA with brainpool-ssl] +server = 22-ECDSA with brainpool-server +client = 22-ECDSA with brainpool-client + +[22-ECDSA with brainpool-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem +CipherString = DEFAULT +Groups = brainpoolP256r1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem + +[22-ECDSA with brainpool-client] +CipherString = aECDSA +Groups = brainpoolP256r1 +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-22] +ExpectedResult = Success +ExpectedServerCANames = empty +ExpectedServerCertType = brainpoolP256r1 +ExpectedServerSignType = EC + + # =========================================================== [23-RSA-PSS Certificate CipherString Selection] diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index ddb9ff4747..1aa3b0aeec 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in @@ -12,26 +12,15 @@ use OpenSSL::Test::Utils; our $fips_mode; our $no_deflt_libctx; -my $server; - -if ($fips_mode) { - #TODO(3.0): No EdDSA support in FIPS mode at the moment - $server = { - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "MaxProtocol" => "TLSv1.2" - }; -} else { - $server = { - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), - "MaxProtocol" => "TLSv1.2" - }; -} +my $server = { + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), + "MaxProtocol" => "TLSv1.2" +}; my $server_pss = { "PSS.Certificate" => test_pem("server-pss-cert.pem"), @@ -304,33 +293,6 @@ our @tests = ( "ExpectedResult" => "Success" }, }, -); - -my @tests_non_fips = ( - { - name => "ECDSA Signature Algorithm Selection SHA1", - server => { - "CipherString" => "DEFAULT:\@SECLEVEL=0", - "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), - "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), - "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), - "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), - "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), - "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), - "MaxProtocol" => "TLSv1.2" - }, - client => { - "CipherString" => "DEFAULT:\@SECLEVEL=0", - "SignatureAlgorithms" => "ECDSA+SHA1", - }, - test => { - "ExpectedServerCertType" => "P-256", - "ExpectedServerSignHash" => "SHA1", - "ExpectedServerSignType" => "EC", - "ExpectedResult" => "Success" - }, - }, - # TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment { name => "Ed25519 CipherString and Signature Algorithm Selection", server => $server, @@ -366,28 +328,6 @@ my @tests_non_fips = ( "ExpectedResult" => "Success" }, }, - { - name => "ECDSA with brainpool", - server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", - }, - client => { - #We don't restrict this to TLSv1.2, although use of brainpool - #should force this anyway so that this should succeed - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), - "Groups" => "brainpoolP256r1", - }, - test => { - "ExpectedServerCertType" =>, "brainpoolP256r1", - "ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities not sent for TLS < 1.3 - "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, { name => "Ed25519 CipherString and Curves Selection", server => $server, @@ -461,6 +401,54 @@ my @tests_non_fips = ( }, ); +my @tests_non_fips = ( + { + name => "ECDSA Signature Algorithm Selection SHA1", + server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"), + "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"), + "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"), + "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"), + "Ed448.Certificate" => test_pem("server-ed448-cert.pem"), + "Ed448.PrivateKey" => test_pem("server-ed448-key.pem"), + "MaxProtocol" => "TLSv1.2" + }, + client => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + "SignatureAlgorithms" => "ECDSA+SHA1", + }, + test => { + "ExpectedServerCertType" => "P-256", + "ExpectedServerSignHash" => "SHA1", + "ExpectedServerSignType" => "EC", + "ExpectedResult" => "Success" + }, + }, + { + name => "ECDSA with brainpool", + server => { + "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), + "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), + "Groups" => "brainpoolP256r1", + }, + client => { + #We don't restrict this to TLSv1.2, although use of brainpool + #should force this anyway so that this should succeed + "CipherString" => "aECDSA", + "RequestCAFile" => test_pem("root-cert.pem"), + "Groups" => "brainpoolP256r1", + }, + test => { + "ExpectedServerCertType" =>, "brainpoolP256r1", + "ExpectedServerSignType" =>, "EC", + # Note: certificate_authorities not sent for TLS < 1.3 + "ExpectedServerCANames" =>, "empty", + "ExpectedResult" => "Success" + }, + }, +); + my @tests_pss = ( { name => "RSA-PSS Certificate CipherString Selection", @@ -980,7 +968,6 @@ my @tests_dsa_tls_1_3 = ( ); if (!disabled("dsa")) { - #TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation - push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode; + push @tests, @tests_dsa_tls_1_2 unless disabled("dh"); push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3"); } diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index 56c23eba3a..945f4599d1 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -81,6 +81,5 @@ our @tests_tls1_2 = ( }, ); -#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment -push @tests, @tests_ec unless disabled("ec") || $fips_mode; -push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode; +push @tests, @tests_ec unless disabled("ec"); +push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");