openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Re-enable testing of ciphersuites 

Commit be9d82bb3 inadvertently disabled ciphersuite testing. This masked
some issues. Therefore we fix this testing.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)
This commit is contained in:
Matt Caswell 2020-11-10 17:04:02 +00:00
parent 6db0d58d81
commit 6955e3f7e0
3 changed files with 107 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
test/recipes/80-test_ssl_old.t
View File

@ -13,7 +13,7 @@ use warnings;
use POSIX;
use File::Basename;
use File::Copy;
use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr/;
use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/;
use OpenSSL::Test::Utils;
BEGIN {
@ -104,7 +104,7 @@ subtest 'test_ss' => sub {
};
note('test_ssl -- key U');
testssl("keyU.ss", $Ucert, $CAcert, "default", srctop_file("test","default.cnf"));
testssl("keyU.ss", $Ucert, $CAcert, "default", srctop_file("test","default-and-legacy.cnf"));
unless ($no_fips) {
testssl("keyU.ss", $Ucert, $CAcert, "fips",
srctop_file("test","fips-and-base.cnf"));
@ -114,8 +114,8 @@ unless ($no_fips) {
# subtest functions
sub testss {
my @req_dsa = ("-newkey",
"dsa:".srctop_file("apps", "dsa1024.pem"));
my $dsaparams = srctop_file("apps", "dsa1024.pem");
"dsa:".data_file("dsa2048.pem"));
my $dsaparams = data_file("dsa2048.pem");
my @req_new;
if ($no_rsa) {
@req_new = @req_dsa;
@ -327,12 +327,18 @@ sub testss {
sub testssl {
my ($key, $cert, $CAtmp, $provider, $configfile) = @_;
my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
my @providerflags = ("-provider", $provider);
if ($provider eq "default") {
push @providerflags, "-provider", "legacy";
}
my @ssltest = ("ssltest_old",
"-s_key", $key, "-s_cert", $cert,
"-c_key", $key, "-c_cert", $cert,
"-provider", $provider,
"-config", $configfile);
"-s_key", $key, "-s_cert", $cert,
"-c_key", $key, "-c_cert", $cert,
"-config", $configfile,
@providerflags);
my $serverinfo = srctop_file("test","serverinfo.pem");
@ -415,7 +421,7 @@ sub testssl {
subtest "Testing ciphersuites" => sub {
my @exkeys = ();
my $ciphers = "-PSK:-SRP";
my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
if (!$no_dsa) {
push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
@ -425,28 +431,33 @@ sub testssl {
push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
}
my @protocols = ();
# We only use the flags that ssltest_old understands
push @protocols, "-tls1_3" unless $no_tls1_3;
push @protocols, "-tls1_2" unless $no_tls1_2;
push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips";
push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips";
my $protocolciphersuitecount = 0;
my %ciphersuites = ();
my %ciphersstatus = ();
foreach my $protocol (@protocols) {
my $ciphersstatus = undef;
my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol,
"ALL:$ciphers"]),
capture => 1, statusvar => \$ciphersstatus);
@ciphers = grep {!/CAMELLIA|ARIA|CHACHA/} @ciphers;
$ciphersstatus{$protocol} = $ciphersstatus;
if ($ciphersstatus) {
$ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) }
@ciphers ];
$protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
}
}
my @protocols = ();
# We only use the flags that ssltest_old understands
push @protocols, "-tls1_3" unless $no_tls1_3;
push @protocols, "-tls1_2" unless $no_tls1_2;
push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips";
push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips";
my $protocolciphersuitecount = 0;
my %ciphersuites = ();
my %ciphersstatus = ();
#There's no "-config" option to the ciphers command so we set the
#environment variable instead
my $opensslconf = $ENV{OPENSSL_CONF};
$ENV{OPENSSL_CONF} = $configfile;
foreach my $protocol (@protocols) {
my $ciphersstatus = undef;
my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol,
@providerflags,
"ALL:$ciphers"]),
capture => 1, statusvar => \$ciphersstatus);
$ciphersstatus{$protocol} = $ciphersstatus;
if ($ciphersstatus) {
$ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) }
@ciphers ];
$protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
}
}
$ENV{OPENSSL_CONF} = $opensslconf;
plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0;
@ -477,9 +488,13 @@ sub testssl {
if ($protocol eq "-tls1_3") {
$ciphersuites = $cipher;
$cipher = "";
} else {
$cipher = $cipher.':@SECLEVEL=0';
}
ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
"-ciphersuites", $ciphersuites, $flag || ()])),
ok(run(test([@ssltest, @exkeys, "-cipher",
$cipher,
"-ciphersuites", $ciphersuites,
$flag || ()])),
"Testing $cipher");
}
}

14
test/recipes/80-test_ssl_old_data/dsa2048.pem Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN DSA PARAMETERS-----
MIICKAKCAQEAgs47OPFxfQkX45kHL/B2S3nQciJ7n0KeYc0QQx/wJn5XSQN1/K7F
Jn70pXFg4xvj6TyATGbQwwkIf8faGA4lN/RWeNfhjW8nieXa1OtQQ/8oKU+LJWyT
mabObd6mMtD/8itrdozGxaLgSTOIqdqXY5wC28FWZP5NRmaM4IR4e3/aCcHHQIM/
n9jAornTNnkluB/iPTVfZtsUht7coM2d00TP2rxTW0ROiq6IcCNjEj66ENL/N9eP
+Pud3xNIqBVXWw8gp7WnpZwO0fBj/IpaldfMpv68AA/61qkv3GkAVqPHmNSu/7cV
+n+cota0QoCUXKFsW5H3wPqfbrPc/nDrsQIdAO08IJyljQlKs85MWKSOW8WpG/j3
Wf4H1Ri0SAECggEAT82XewPGwVOIK/Y0PzrAlLeYN/jicIVNqjKcZsaRKMzvO/g9
yJa4HTLslvH6fFyGEoWMC96b+DxtRayJ09beaBNFbFdB0H4hqF7ayiImQ+ROERcG
geFUew0x0pYuNllWkB6gctA0Z+olmLR3YI0l6qUGewFms/RA0eokgZJyLusPLlgY
tkrd75dxZ0Wdz6uHFzIVQwroubcrA7TBDSSbS6FjPPQC+tLCM3VcCH6OG9x1hHUq
pt9QI1//WwWrYDLc/bP0Gi4NHfPByMSnckNqPmREqXrhngeLyfjlQZnhWbrwPwwT
pC3Y8Wfzb9cs1jXO1tswXEMh+4CDyQ6ndCf9SQ==
-----END DSA PARAMETERS-----

92
test/ssltest_old.c
View File

@ -92,8 +92,8 @@ struct app_verify_arg {
};
static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx);
static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx);
static EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
static char *psk_key = NULL; /* by default PSK is not used */
#ifndef OPENSSL_NO_PSK
@ -1487,12 +1487,13 @@ int main(int argc, char *argv[])
goto end;
}
if (!no_dhe) {
if (dhe1024dsa) {
if (dhe1024dsa)
dhpkey = get_dh1024dsa(libctx);
} else if (dhe512)
else if (dhe512)
dhpkey = get_dh512(libctx);
else
dhpkey = get_dh1024(libctx);
dhpkey = get_dh2048(libctx);
if (dhpkey == NULL || !EVP_PKEY_up_ref(dhpkey)) {
EVP_PKEY_free(dhpkey);
BIO_puts(bio_err, "Error getting DH parameters\n");
@ -2883,23 +2884,16 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
return ok;
}
static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata,
size_t plen, unsigned char *gdata, size_t glen)
static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, BIGNUM *p, BIGNUM *g)
{
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
OSSL_PARAM_BLD *tmpl = NULL;
OSSL_PARAM *params = NULL;
EVP_PKEY *dhpkey = NULL;
BIGNUM *p = NULL, *g = NULL;
if (pctx == NULL || !EVP_PKEY_key_fromdata_init(pctx))
goto err;
p = BN_bin2bn(pdata, plen, NULL);
g = BN_bin2bn(gdata, glen, NULL);
if (p == NULL || g == NULL)
goto err;
tmpl = OSSL_PARAM_BLD_new();
if (tmpl == NULL
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
@ -2911,13 +2905,29 @@ static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata,
goto err;
err:
BN_free(p);
BN_free(g);
EVP_PKEY_CTX_free(pctx);
OSSL_PARAM_BLD_free_params(params);
OSSL_PARAM_BLD_free(tmpl);
return dhpkey;
}
static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata,
size_t plen, unsigned char *gdata, size_t glen)
{
EVP_PKEY *dhpkey = NULL;
BIGNUM *p = NULL, *g = NULL;
p = BN_bin2bn(pdata, plen, NULL);
g = BN_bin2bn(gdata, glen, NULL);
if (p == NULL || g == NULL)
goto err;
dhpkey = get_dh_from_pg_bn(libctx, p, g);
err:
BN_free(p);
BN_free(g);
return dhpkey;
}
/* These DH parameters were generated using the dhparam command line app */
static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx)
@ -2943,39 +2953,6 @@ static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx)
sizeof(dh512_g));
}
static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
0x3A,
0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
0xA2,
0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
0xB0,
0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
0xC2,
0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
0x8C,
0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
0xB8,
0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
0x52,
0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
0xC1,
0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
0xB1,
0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
0xAB,
0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
};
static unsigned char dh1024_g[] = {
0x02,
};
return get_dh_from_pg(libctx, dh1024_p, sizeof(dh1024_p), dh1024_g,
sizeof(dh1024_g));
}
static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
@ -3029,6 +3006,27 @@ static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
sizeof(dh1024_g));
}
static EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx)
{
BIGNUM *p = NULL, *g = NULL;
EVP_PKEY *dhpkey = NULL;
g = BN_new();
if (g == NULL || !BN_set_word(g, 2))
goto err;
p = BN_get_rfc3526_prime_2048(NULL);
if (p == NULL)
goto err;
dhpkey = get_dh_from_pg_bn(libctx, p, g);
err:
BN_free(p);
BN_free(g);
return dhpkey;
}
#ifndef OPENSSL_NO_PSK
/* convert the PSK key (psk_key) in ascii to binary (psk) */
static int psk_key2bn(const char *pskkey, unsigned char *psk,