diff options
| author | Matt Caswell <matt@openssl.org> | 2020-11-10 17:04:02 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2020-11-25 10:14:43 +0000 |
| commit | 6955e3f7e0574a1f4bf373ba7e8940591b0138ed (patch) | |
| tree | 754757e33fcbd51f20977281f4eb8172d1139b5a | |
| parent | 6db0d58d815b84b44610471b71de1f259d00c166 (diff) | |
Re-enable testing of ciphersuites
Commit be9d82bb3 inadvertently disabled ciphersuite testing. This masked
some issues. Therefore we fix this testing.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)
| -rw-r--r-- | test/recipes/80-test_ssl_old.t | 81 | ||||
| -rw-r--r-- | test/recipes/80-test_ssl_old_data/dsa2048.pem | 14 | ||||
| -rw-r--r-- | test/ssltest_old.c | 92 |
3 files changed, 107 insertions, 80 deletions
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index a4d84c9b5c..26df2bdb3a 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -13,7 +13,7 @@ use warnings; use POSIX; use File::Basename; use File::Copy; -use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr/; +use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/; use OpenSSL::Test::Utils; BEGIN { @@ -104,7 +104,7 @@ subtest 'test_ss' => sub { }; note('test_ssl -- key U'); -testssl("keyU.ss", $Ucert, $CAcert, "default", srctop_file("test","default.cnf")); +testssl("keyU.ss", $Ucert, $CAcert, "default", srctop_file("test","default-and-legacy.cnf")); unless ($no_fips) { testssl("keyU.ss", $Ucert, $CAcert, "fips", srctop_file("test","fips-and-base.cnf")); @@ -114,8 +114,8 @@ unless ($no_fips) { # subtest functions sub testss { my @req_dsa = ("-newkey", - "dsa:".srctop_file("apps", "dsa1024.pem")); - my $dsaparams = srctop_file("apps", "dsa1024.pem"); + "dsa:".data_file("dsa2048.pem")); + my $dsaparams = data_file("dsa2048.pem"); my @req_new; if ($no_rsa) { @req_new = @req_dsa; @@ -327,12 +327,18 @@ sub testss { sub testssl { my ($key, $cert, $CAtmp, $provider, $configfile) = @_; my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); + my @providerflags = ("-provider", $provider); + + if ($provider eq "default") { + push @providerflags, "-provider", "legacy"; + } my @ssltest = ("ssltest_old", - "-s_key", $key, "-s_cert", $cert, - "-c_key", $key, "-c_cert", $cert, - "-provider", $provider, - "-config", $configfile); + "-s_key", $key, "-s_cert", $cert, + "-c_key", $key, "-c_cert", $cert, + "-config", $configfile, + @providerflags); + my $serverinfo = srctop_file("test","serverinfo.pem"); @@ -415,7 +421,7 @@ sub testssl { subtest "Testing ciphersuites" => sub { my @exkeys = (); - my $ciphers = "-PSK:-SRP"; + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; if (!$no_dsa) { push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; @@ -425,28 +431,33 @@ sub testssl { push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; } - my @protocols = (); - # We only use the flags that ssltest_old understands - push @protocols, "-tls1_3" unless $no_tls1_3; - push @protocols, "-tls1_2" unless $no_tls1_2; - push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips"; - push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips"; - my $protocolciphersuitecount = 0; - my %ciphersuites = (); - my %ciphersstatus = (); - foreach my $protocol (@protocols) { - my $ciphersstatus = undef; - my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol, - "ALL:$ciphers"]), - capture => 1, statusvar => \$ciphersstatus); - @ciphers = grep {!/CAMELLIA|ARIA|CHACHA/} @ciphers; - $ciphersstatus{$protocol} = $ciphersstatus; - if ($ciphersstatus) { - $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) } - @ciphers ]; - $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; - } - } + my @protocols = (); + # We only use the flags that ssltest_old understands + push @protocols, "-tls1_3" unless $no_tls1_3; + push @protocols, "-tls1_2" unless $no_tls1_2; + push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips"; + push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips"; + my $protocolciphersuitecount = 0; + my %ciphersuites = (); + my %ciphersstatus = (); + #There's no "-config" option to the ciphers command so we set the + #environment variable instead + my $opensslconf = $ENV{OPENSSL_CONF}; + $ENV{OPENSSL_CONF} = $configfile; + foreach my $protocol (@protocols) { + my $ciphersstatus = undef; + my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol, + @providerflags, + "ALL:$ciphers"]), + capture => 1, statusvar => \$ciphersstatus); + $ciphersstatus{$protocol} = $ciphersstatus; + if ($ciphersstatus) { + $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) } + @ciphers ]; + $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}}; + } + } + $ENV{OPENSSL_CONF} = $opensslconf; plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build" if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0; @@ -477,9 +488,13 @@ sub testssl { if ($protocol eq "-tls1_3") { $ciphersuites = $cipher; $cipher = ""; + } else { + $cipher = $cipher.':@SECLEVEL=0'; } - ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, - "-ciphersuites", $ciphersuites, $flag || ()])), + ok(run(test([@ssltest, @exkeys, "-cipher", + $cipher, + "-ciphersuites", $ciphersuites, + $flag || ()])), "Testing $cipher"); } } diff --git a/test/recipes/80-test_ssl_old_data/dsa2048.pem b/test/recipes/80-test_ssl_old_data/dsa2048.pem new file mode 100644 index 0000000000..fe19703445 --- /dev/null +++ b/test/recipes/80-test_ssl_old_data/dsa2048.pem @@ -0,0 +1,14 @@ +-----BEGIN DSA PARAMETERS----- +MIICKAKCAQEAgs47OPFxfQkX45kHL/B2S3nQciJ7n0KeYc0QQx/wJn5XSQN1/K7F +Jn70pXFg4xvj6TyATGbQwwkIf8faGA4lN/RWeNfhjW8nieXa1OtQQ/8oKU+LJWyT +mabObd6mMtD/8itrdozGxaLgSTOIqdqXY5wC28FWZP5NRmaM4IR4e3/aCcHHQIM/ +n9jAornTNnkluB/iPTVfZtsUht7coM2d00TP2rxTW0ROiq6IcCNjEj66ENL/N9eP ++Pud3xNIqBVXWw8gp7WnpZwO0fBj/IpaldfMpv68AA/61qkv3GkAVqPHmNSu/7cV ++n+cota0QoCUXKFsW5H3wPqfbrPc/nDrsQIdAO08IJyljQlKs85MWKSOW8WpG/j3 +Wf4H1Ri0SAECggEAT82XewPGwVOIK/Y0PzrAlLeYN/jicIVNqjKcZsaRKMzvO/g9 +yJa4HTLslvH6fFyGEoWMC96b+DxtRayJ09beaBNFbFdB0H4hqF7ayiImQ+ROERcG +geFUew0x0pYuNllWkB6gctA0Z+olmLR3YI0l6qUGewFms/RA0eokgZJyLusPLlgY +tkrd75dxZ0Wdz6uHFzIVQwroubcrA7TBDSSbS6FjPPQC+tLCM3VcCH6OG9x1hHUq +pt9QI1//WwWrYDLc/bP0Gi4NHfPByMSnckNqPmREqXrhngeLyfjlQZnhWbrwPwwT +pC3Y8Wfzb9cs1jXO1tswXEMh+4CDyQ6ndCf9SQ== +-----END DSA PARAMETERS----- diff --git a/test/ssltest_old.c b/test/ssltest_old.c index df88385042..cd5d1b3f4d 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -92,8 +92,8 @@ struct app_verify_arg { }; static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); -static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx); static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx); +static EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); static char *psk_key = NULL; /* by default PSK is not used */ #ifndef OPENSSL_NO_PSK @@ -1487,12 +1487,13 @@ int main(int argc, char *argv[]) goto end; } if (!no_dhe) { - if (dhe1024dsa) { + if (dhe1024dsa) dhpkey = get_dh1024dsa(libctx); - } else if (dhe512) + else if (dhe512) dhpkey = get_dh512(libctx); else - dhpkey = get_dh1024(libctx); + dhpkey = get_dh2048(libctx); + if (dhpkey == NULL || !EVP_PKEY_up_ref(dhpkey)) { EVP_PKEY_free(dhpkey); BIO_puts(bio_err, "Error getting DH parameters\n"); @@ -2883,23 +2884,16 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) return ok; } -static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata, - size_t plen, unsigned char *gdata, size_t glen) +static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, BIGNUM *p, BIGNUM *g) { EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL); OSSL_PARAM_BLD *tmpl = NULL; OSSL_PARAM *params = NULL; EVP_PKEY *dhpkey = NULL; - BIGNUM *p = NULL, *g = NULL; if (pctx == NULL || !EVP_PKEY_key_fromdata_init(pctx)) goto err; - p = BN_bin2bn(pdata, plen, NULL); - g = BN_bin2bn(gdata, glen, NULL); - if (p == NULL || g == NULL) - goto err; - tmpl = OSSL_PARAM_BLD_new(); if (tmpl == NULL || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p) @@ -2911,13 +2905,29 @@ static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata, goto err; err: - BN_free(p); - BN_free(g); EVP_PKEY_CTX_free(pctx); OSSL_PARAM_BLD_free_params(params); OSSL_PARAM_BLD_free(tmpl); return dhpkey; } +static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata, + size_t plen, unsigned char *gdata, size_t glen) +{ + EVP_PKEY *dhpkey = NULL; + BIGNUM *p = NULL, *g = NULL; + + p = BN_bin2bn(pdata, plen, NULL); + g = BN_bin2bn(gdata, glen, NULL); + if (p == NULL || g == NULL) + goto err; + + dhpkey = get_dh_from_pg_bn(libctx, p, g); + + err: + BN_free(p); + BN_free(g); + return dhpkey; +} /* These DH parameters were generated using the dhparam command line app */ static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx) @@ -2943,39 +2953,6 @@ static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx) sizeof(dh512_g)); } -static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx) -{ - static unsigned char dh1024_p[] = { - 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF, - 0x3A, - 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56, - 0xA2, - 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F, - 0xB0, - 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87, - 0xC2, - 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0, - 0x8C, - 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F, - 0xB8, - 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D, - 0x52, - 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC, - 0xC1, - 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB, - 0xB1, - 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89, - 0xAB, - 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53, - }; - static unsigned char dh1024_g[] = { - 0x02, - }; - - return get_dh_from_pg(libctx, dh1024_p, sizeof(dh1024_p), dh1024_g, - sizeof(dh1024_g)); -} - static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) { static unsigned char dh1024_p[] = { @@ -3029,6 +3006,27 @@ static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) sizeof(dh1024_g)); } +static EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx) +{ + BIGNUM *p = NULL, *g = NULL; + EVP_PKEY *dhpkey = NULL; + + g = BN_new(); + if (g == NULL || !BN_set_word(g, 2)) + goto err; + + p = BN_get_rfc3526_prime_2048(NULL); + if (p == NULL) + goto err; + + dhpkey = get_dh_from_pg_bn(libctx, p, g); + + err: + BN_free(p); + BN_free(g); + return dhpkey; +} + #ifndef OPENSSL_NO_PSK /* convert the PSK key (psk_key) in ascii to binary (psk) */ static int psk_key2bn(const char *pskkey, unsigned char *psk, |