Add additional ECDSA/Ed25519 selection tests.

Add two tests with ECDSA+SHA256 preferred over Ed25519, the second also excludes P-256 from the supported curves extension which will force the use of Ed25519 in TLS 1.2, but not TLS 1.3: this would fail before the certificate table updates. Add TLS 1.3 test also with P-256 exclude from the groups extension: this should have no effect as the groups extension is not used for signature selection in TLS 1.3 Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3858)

Add additional ECDSA/Ed25519 selection tests.
Add two tests with ECDSA+SHA256 preferred over Ed25519, the second also excludes P-256 from the supported curves extension which will force the use of Ed25519 in TLS 1.2, but not TLS 1.3: this would fail before the certificate table updates. Add TLS 1.3 test also with P-256 exclude from the groups extension: this should have no effect as the groups extension is not used for signature selection in TLS 1.3 Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3858)
50a3a1f0 · Dr. Stephen Henson · 13cc2574 · 50a3a1f0 · 50a3a1f0
展开全部隐藏空白更改
内联并排

Showing with 224 addition and 108 deletion

test/ssl-tests/20-cert-select.conf test/ssl-tests/20-cert-select.conf +176 -108

test/ssl-tests/20-cert-select.conf.in test/ssl-tests/20-cert-select.conf.in +48 -0

未找到文件。
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -64,6 +64,38 @@ our @tests = (
            "ExpectedResult" => "Success"
        },
    },
+    {
+        name => "P-256 CipherString and Signature Algorithm Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Ed25519 CipherString and Curves Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            # Excluding P-256 from the supported curves list means server
+            # certificate should be Ed25519 and not P-256
+            "Curves" => "X25519"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "Ed25519",
+            "ExpectedServerSignType" =>, "Ed25519",
+            "ExpectedResult" => "Success"
+        },
+    },
    {
        name => "ECDSA CipherString Selection, no ECDSA certificate",
        server => {
@@ -364,6 +396,22 @@ my @tests_tls_1_3 = (
            "ExpectedResult" => "Success"
        },
    },
+    {
+        name => "TLS 1.3 Ed25519 CipherString and Groups Selection",
+        server => $server_tls_1_3,
+        client => {
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            # Excluding P-256 from the supported groups list should
+            # mean server still uses a P-256 certificate because supported
+            # groups is not used in signature selection for TLS 1.3
+            "Groups" => "X25519"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "P-256",
+            "ExpectedServerSignType" =>, "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
    {
        name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
        server => {