diff options
Diffstat (limited to 'demos')
| -rw-r--r-- | demos/easy_tls/easy-tls.c | 4 | ||||
| -rwxr-xr-x | demos/ssltest-ecc/ECC-RSAcertgen.sh | 93 | ||||
| -rwxr-xr-x | demos/ssltest-ecc/ECCcertgen.sh | 173 | ||||
| -rw-r--r-- | demos/ssltest-ecc/README | 13 | ||||
| -rwxr-xr-x | demos/ssltest-ecc/RSAcertgen.sh | 115 | ||||
| -rwxr-xr-x | demos/ssltest-ecc/ssltest.sh | 185 | ||||
| -rwxr-xr-x | demos/tunala/autoungunk.sh | 10 | ||||
| -rw-r--r-- | demos/tunala/cb.c | 10 | ||||
| -rwxr-xr-x | demos/tunala/test.sh | 107 | ||||
| -rw-r--r-- | demos/tunala/tunala.c | 28 | ||||
| -rw-r--r-- | demos/tunala/tunala.h | 1 |
11 files changed, 14 insertions, 725 deletions
diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index 9cd8314c3e..9c1d982939 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -1,7 +1,7 @@ /* -*- Mode: C; c-file-style: "bsd" -*- */ /* * easy-tls.c -- generic TLS proxy. - * $Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $ + * $Id: easy-tls.c,v 1.2.2.2 2002/03/05 09:06:57 bodo Exp $ */ /* (c) Copyright 1999 Bodo Moeller. All rights reserved. @@ -73,7 +73,7 @@ */ static char const rcsid[] = -"$Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $"; +"$Id: easy-tls.c,v 1.2.2.2 2002/03/05 09:06:57 bodo Exp $"; #include <assert.h> #include <errno.h> diff --git a/demos/ssltest-ecc/ECC-RSAcertgen.sh b/demos/ssltest-ecc/ECC-RSAcertgen.sh deleted file mode 100755 index ce182e313d..0000000000 --- a/demos/ssltest-ecc/ECC-RSAcertgen.sh +++ /dev/null @@ -1,93 +0,0 @@ -#!/bin/sh - -# For a list of supported curves, use "apps/openssl ecparam -list_curves". - -# Path to the openssl distribution -OPENSSL_DIR=../.. -# Path to the openssl program -OPENSSL_CMD=$OPENSSL_DIR/apps/openssl -# Option to find configuration file -OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" -# Directory where certificates are stored -CERTS_DIR=./Certs -# Directory where private key files are stored -KEYS_DIR=$CERTS_DIR -# Directory where combo files (containing a certificate and corresponding -# private key together) are stored -COMBO_DIR=$CERTS_DIR -# cat command -CAT=/bin/cat -# rm command -RM=/bin/rm -# The certificate will expire these many days after the issue date. -DAYS=1500 -TEST_CA_FILE=rsa1024TestCA - -TEST_SERVER_CURVE=sect163r1 -TEST_SERVER_FILE=sect163r1-rsaTestServer -TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)" - -TEST_CLIENT_CURVE=sect163r1 -TEST_CLIENT_FILE=sect163r1-rsaTestClient -TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)" - -# Generating an EC certificate involves the following main steps -# 1. Generating curve parameters (if needed) -# 2. Generating a certificate request -# 3. Signing the certificate request -# 4. [Optional] One can combine the cert and private key into a single -# file and also delete the certificate request - - -echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)" -echo "==============================================================" -$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ - -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ - -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_SERVER_FILE.pem -$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)" -echo "==============================================================" -$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ - -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ - -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CLIENT_FILE.pem -$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - diff --git a/demos/ssltest-ecc/ECCcertgen.sh b/demos/ssltest-ecc/ECCcertgen.sh deleted file mode 100755 index b99a9b9387..0000000000 --- a/demos/ssltest-ecc/ECCcertgen.sh +++ /dev/null @@ -1,173 +0,0 @@ -#!/bin/sh - -# For a list of supported curves, use "apps/openssl ecparam -list_curves". - -# Path to the openssl distribution -OPENSSL_DIR=../.. -# Path to the openssl program -OPENSSL_CMD=$OPENSSL_DIR/apps/openssl -# Option to find configuration file -OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" -# Directory where certificates are stored -CERTS_DIR=./Certs -# Directory where private key files are stored -KEYS_DIR=$CERTS_DIR -# Directory where combo files (containing a certificate and corresponding -# private key together) are stored -COMBO_DIR=$CERTS_DIR -# cat command -CAT=/bin/cat -# rm command -RM=/bin/rm -# The certificate will expire these many days after the issue date. -DAYS=1500 -TEST_CA_CURVE=secp160r1 -TEST_CA_FILE=secp160r1TestCA -TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)" - -TEST_SERVER_CURVE=secp160r2 -TEST_SERVER_FILE=secp160r2TestServer -TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)" - -TEST_CLIENT_CURVE=secp160r2 -TEST_CLIENT_FILE=secp160r2TestClient -TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)" - -# Generating an EC certificate involves the following main steps -# 1. Generating curve parameters (if needed) -# 2. Generating a certificate request -# 3. Signing the certificate request -# 4. [Optional] One can combine the cert and private key into a single -# file and also delete the certificate request - -echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)" -echo "===============================================================" -$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem - -# Generate a new certificate request in $TEST_CA_FILE.req.pem. A -# new ecdsa (actually ECC) key pair is generated on the parameters in -# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem -# WARNING: By using the -nodes option, we force the private key to be -# stored in the clear (rather than encrypted with a password). -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ - -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -newkey ecdsa:$TEST_CA_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_CA_FILE.req.pem - -# Sign the certificate request in $TEST_CA_FILE.req.pem using the -# private key in $TEST_CA_FILE.key.pem and include the CA extension. -# Make the certificate valid for 1500 days from the time of signing. -# The certificate is written into $TEST_CA_FILE.cert.pem -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ - -extfile $OPENSSL_DIR/apps/openssl.cnf \ - -extensions v3_ca \ - -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CA_FILE.cert.pem - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CA_FILE.pem -$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CA_FILE.req.pem - -echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" -echo "==========================================================================" -# Generate parameters for curve $TEST_SERVER_CURVE, if needed -$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem - -# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A -# new ecdsa (actually ECC) key pair is generated on the parameters in -# $TEST_SERVER_CURVE.pem and the private key is saved in -# $TEST_SERVER_FILE.key.pem -# WARNING: By using the -nodes option, we force the private key to be -# stored in the clear (rather than encrypted with a password). -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ - -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ - -newkey ecdsa:$TEST_SERVER_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the -# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in -# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number -# file for this CA, create one. Make the certificate valid for $DAYS days -# from the time of signing. The certificate is written into -# $TEST_SERVER_FILE.cert.pem -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_SERVER_FILE.pem -$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" -echo "==========================================================================" -# Generate parameters for curve $TEST_CLIENT_CURVE, if needed -$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem - -# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A -# new ecdsa (actually ECC) key pair is generated on the parameters in -# $TEST_CLIENT_CURVE.pem and the private key is saved in -# $TEST_CLIENT_FILE.key.pem -# WARNING: By using the -nodes option, we force the private key to be -# stored in the clear (rather than encrypted with a password). -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ - -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ - -newkey ecdsa:$TEST_CLIENT_CURVE.pem -new \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the -# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in -# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number -# file for this CA, create one. Make the certificate valid for $DAYS days -# from the time of signing. The certificate is written into -# $TEST_CLIENT_FILE.cert.pem -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CLIENT_FILE.pem -$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -############################################################################ -#OLD STUFF (ignore this) -# -#These are the commands I used, but you may wish to add -named_curve to the first command per our discussion about parameter encoding in certificates. -# -#apps/openssl ecdsaparam -out nist192.param.pem -NIST_192 -# -#apps/openssl ecdsaparam -out nistB163.param.pem -named_curve -NIST_B163 -# the nodes option causes output key to be stored unencrypted -#apps/openssl req -nodes -keyout nistB163.priv.pem -newkey ecdsa:nistB163.param.pem -new -out nistB163.req.pem -#apps/openssl x509 -req -in nistB163.req.pem -extfile apps/cert.cnf -extensions v3_ca -signkey nistB163.priv.pem -out nistB163.cert.pem -# -#crypto/x509/x509_ext.c has X509_EXTENSION *X509_get_ext(X509 *x, int loc) -#crypto/asn1/t_x509.c has code to print certificates -#crypto/x509v3/v3_prn.c has code to print extensions X509V3_extensions_print - - diff --git a/demos/ssltest-ecc/README b/demos/ssltest-ecc/README deleted file mode 100644 index 3e2c95cbec..0000000000 --- a/demos/ssltest-ecc/README +++ /dev/null @@ -1,13 +0,0 @@ -Scripts for using ECC ciphersuites with test/testssl. - -Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate -root, client and server certs of the following types: - - ECC certs signed with ECDSA - RSA certs signed with RSA - ECC certs signed with RSA - -Afterwards, you can use ssltest.sh to run the various tests; -specify one of the following options: - - aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa diff --git a/demos/ssltest-ecc/RSAcertgen.sh b/demos/ssltest-ecc/RSAcertgen.sh deleted file mode 100755 index ea7984bae3..0000000000 --- a/demos/ssltest-ecc/RSAcertgen.sh +++ /dev/null @@ -1,115 +0,0 @@ -#!/bin/sh - -# For a list of supported curves, use "apps/openssl ecparam -list_curves". - -# Path to the openssl distribution -OPENSSL_DIR=../.. -# Path to the openssl program -OPENSSL_CMD=$OPENSSL_DIR/apps/openssl -# Option to find configuration file -OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf" -# Directory where certificates are stored -CERTS_DIR=./Certs -# Directory where private key files are stored -KEYS_DIR=$CERTS_DIR -# Directory where combo files (containing a certificate and corresponding -# private key together) are stored -COMBO_DIR=$CERTS_DIR -# cat command -CAT=/bin/cat -# rm command -RM=/bin/rm -# The certificate will expire these many days after the issue date. -DAYS=1500 -TEST_CA_FILE=rsa1024TestCA -TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)" - -TEST_SERVER_FILE=rsa1024TestServer -TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)" - -TEST_CLIENT_FILE=rsa1024TestClient -TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)" - -# Generating an EC certificate involves the following main steps -# 1. Generating curve parameters (if needed) -# 2. Generating a certificate request -# 3. Signing the certificate request -# 4. [Optional] One can combine the cert and private key into a single -# file and also delete the certificate request - -echo "Generating self-signed CA certificate (RSA)" -echo "===========================================" - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \ - -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -newkey rsa:1024 -new \ - -out $CERTS_DIR/$TEST_CA_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ - -extfile $OPENSSL_DIR/apps/openssl.cnf \ - -extensions v3_ca \ - -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CA_FILE.cert.pem - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CA_FILE.pem -$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CA_FILE.req.pem - -echo "GENERATING A TEST SERVER CERTIFICATE (RSA)" -echo "==========================================" - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \ - -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ - -newkey rsa:1024 -new \ - -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_SERVER_FILE.pem -$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem - -echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)" -echo "==========================================" - -$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \ - -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ - -newkey rsa:1024 -new \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - -$OPENSSL_CMD x509 -req -days $DAYS \ - -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ - -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ - -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ - -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial - -# Display the certificate -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text - -# Place the certificate and key in a common file -$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ - > $COMBO_DIR/$TEST_CLIENT_FILE.pem -$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem - -# Remove the cert request file (no longer needed) -$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem - diff --git a/demos/ssltest-ecc/ssltest.sh b/demos/ssltest-ecc/ssltest.sh deleted file mode 100755 index 2d6ff167f5..0000000000 --- a/demos/ssltest-ecc/ssltest.sh +++ /dev/null @@ -1,185 +0,0 @@ -#! /bin/sh -# Tests ECC cipher suites using ssltest. Requires one argument which could -# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa. -# A second optional argument can be one of ssl2 ssl3 or tls1 - -if [ "$1" = "" ]; then - (echo "Usage: $0 test [ protocol ]" - echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa" - echo " and protocol (optional) is one of ssl2, ssl3, tls1" - echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first." - ) >&2 - exit 1 -fi - - -OPENSSL_DIR=../.. -CERTS_DIR=./Certs -SSLTEST=$OPENSSL_DIR/test/ssltest -# SSL protocol version to test (one of ssl2 ssl3 or tls1)" -SSLVERSION= - -# These don't really require any certificates -AECDH_CIPHER_LIST="EXP-AECDH-RC4-40-SHA EXP-AECDH-DES-40-CBC-SHA AECDH-DES-CBC3-SHA AECDH-DES-CBC-SHA AECDH-RC4-SHA AECDH-NULL-SHA" - -# These require ECC certificates signed with ECDSA -# The EC public key must be authorized for key agreement. -ECDH_ECDSA_CIPHER_LIST="EXP-ECDH-ECDSA-RC4-56-SHA EXP-ECDH-ECDSA-RC4-40-SHA ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA" - -# These require ECC certificates. -# The EC public key must be authorized for digital signature. -ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES128-SHA" - -# These require ECC certificates signed with RSA. -# The EC public key must be authorized for key agreement. -ECDH_RSA_CIPHER_LIST="EXP-ECDH-RSA-RC4-56-SHA EXP-ECDH-RSA-RC4-40-SHA ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-DES-CBC-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA" - -# These require RSA certificates. -# The RSA public key must be authorized for digital signature. -ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES128-SHA" - -# List of Elliptic curves over which we wish to test generation of -# ephemeral ECDH keys when using AECDH or ECDHE ciphers -# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1 -#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1" -ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1" - -DEFAULT_CURVE="sect163r2" - -if [ "$2" = "" ]; then - if [ "$SSL_VERSION" = "" ]; then - SSL_VERSION="" - else - SSL_VERSION="-$SSL_VERSION" - fi -else - SSL_VERSION="-$2" -fi - -#============================================================== -# Anonymous cipher suites do not require key or certificate files -# but ssltest expects a cert file and complains if it can't -# open the default one. -SERVER_PEM=$OPENSSL_DIR/apps/server.pem - -if [ "$1" = "aecdh" ]; then -for cipher in $AECDH_CIPHER_LIST -do - echo "Testing $cipher" - $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher -done -#-------------------------------------------------------------- -for curve in $ELLIPTIC_CURVE_LIST -do - echo "Testing AECDH-NULL-SHA (with $curve)" - $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ - -named_curve $curve -cipher AECDH-NULL-SHA -done - -for curve in $ELLIPTIC_CURVE_LIST -do - echo "Testing EXP-AECDH-RC4-40-SHA (with $curve)" - $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ - -named_curve $curve -cipher EXP-AECDH-RC4-40-SHA -done -fi - -#============================================================== -# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require -# the server to have an ECC certificate signed with ECDSA. -CA_PEM=$CERTS_DIR/secp160r1TestCA.pem -SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem -CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem - -if [ "$1" = "ecdh-ecdsa" ]; then -for cipher in $ECDH_ECDSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -done -fi - -#============================================================== -if [ "$1" = "ecdhe-ecdsa" ]; then -for cipher in $ECDHE_ECDSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE -done - -#-------------------------------------------------------------- -for curve in $ELLIPTIC_CURVE_LIST -do - echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve -done -fi - -#============================================================== -# ECDH-RSA cipher suites require the server to have an ECC -# certificate signed with RSA. -CA_PEM=$CERTS_DIR/rsa1024TestCA.pem -SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem -CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem - -if [ "$1" = "ecdh-rsa" ]; then -for cipher in $ECDH_RSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -done -fi - -#============================================================== -# ECDHE-RSA cipher suites require the server to have an RSA cert. -CA_PEM=$CERTS_DIR/rsa1024TestCA.pem -SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem -CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem - -if [ "$1" = "ecdhe-rsa" ]; then -for cipher in $ECDHE_RSA_CIPHER_LIST -do - echo "Testing $cipher (with server authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE - - echo "Testing $cipher (with server and client authentication)" - $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ - -cert $SERVER_PEM -server_auth \ - -c_cert $CLIENT_PEM -client_auth \ - -cipher $cipher -named_curve $DEFAULT_CURVE -done -fi -#============================================================== - - - - diff --git a/demos/tunala/autoungunk.sh b/demos/tunala/autoungunk.sh index 0c9123b6cf..14d10790fd 100755 --- a/demos/tunala/autoungunk.sh +++ b/demos/tunala/autoungunk.sh @@ -4,13 +4,13 @@ # mess has been left in the directory thanks to autoconf, automake, and their # friends. +if test -f Makefile; then + make distclean + rm -f Makefile +fi + if test -f Makefile.plain; then - if test -f Makefile; then - make distclean - fi mv Makefile.plain Makefile -else - make clean fi rm -f aclocal.m4 config.* configure install-sh \ diff --git a/demos/tunala/cb.c b/demos/tunala/cb.c index e64983896e..cd32f74c70 100644 --- a/demos/tunala/cb.c +++ b/demos/tunala/cb.c @@ -129,15 +129,5 @@ void cb_ssl_verify_set_level(unsigned int level) cb_ssl_verify_level = level; } -RSA *cb_generate_tmp_rsa(SSL *s, int is_export, int keylength) -{ - /* TODO: Perhaps make it so our global key can be generated on-the-fly - * after certain intervals? */ - static RSA *rsa_tmp = NULL; - if(!rsa_tmp) - rsa_tmp = RSA_generate_key(keylength, RSA_F4, NULL, NULL); - return rsa_tmp; -} - #endif /* !defined(NO_OPENSSL) */ diff --git a/demos/tunala/test.sh b/demos/tunala/test.sh deleted file mode 100755 index 105b447333..0000000000 --- a/demos/tunala/test.sh +++ /dev/null @@ -1,107 +0,0 @@ -#!/bin/sh - -HTTP="localhost:8080" -CLIENT_PORT="9020" -SERVER_PORT="9021" - -sub_test () -{ - echo "STARTING - $VER $CIPHER" - ./tunala -listen localhost:$CLIENT_PORT -proxy localhost:$SERVER_PORT \ - -cacert CA.pem -cert A-client.pem -server 0 \ - -dh_special standard -v_peer -v_strict \ - $VER -cipher $CIPHER 1> tc1.txt 2> tc2.txt & - ./tunala -listen localhost:$SERVER_PORT -proxy $HTTP \ - -cacert CA.pem -cert A-server.pem -server 1 \ - -dh_special standard -v_peer -v_strict \ - $VER -cipher $CIPHER 1> ts1.txt 2> ts2.txt & - # Wait for the servers to be listening before starting the wget test - DONE="no" - while [ "$DONE" != "yes" ]; do - L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"` - L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"` - if [ "x$L1" != "x" ]; then - DONE="yes" - elif [ "x$L2" != "x" ]; then - DONE="yes" - else - sleep 1 - fi - done - HTML=`wget -O - -T 1 http://localhost:$CLIENT_PORT 2> /dev/null | grep "<HTML>"` - if [ "x$HTML" != "x" ]; then - echo "OK - $CIPHER ($VER)" - else - echo "FAIL - $CIPHER ($VER)" - killall tunala - exit 1 - fi - killall tunala - # Wait for the servers to stop before returning - otherwise the next - # test my fail to start ... (fscking race conditions) - DONE="yes" - while [ "$DONE" != "no" ]; do - L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"` - L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"` - if [ "x$L1" != "x" ]; then - DONE="yes" - elif [ "x$L2" != "x" ]; then - DONE="yes" - else - DONE="no" - fi - done - exit 0 -} - -run_test () -{ - (sub_test 1> /dev/null) || exit 1 -} - -run_ssl_test () -{ -killall tunala 1> /dev/null 2> /dev/null -echo "" -echo "Starting all $PRETTY tests" -if [ "$PRETTY" != "SSLv2" ]; then - if [ "$PRETTY" != "SSLv3" ]; then - export VER="-no_ssl2 -no_ssl3" - export OSSL="-tls1" - else - export VER="-no_ssl2 -no_tls1" - export OSSL="-ssl3" - fi -else - export VER="-no_ssl3 -no_tls1" - export OSSL="-ssl2" -fi -LIST="`../../apps/openssl ciphers $OSSL | sed -e 's/:/ /g'`" -#echo "$LIST" -for i in $LIST; do \ - DSS=`echo "$i" | grep "DSS"` - if [ "x$DSS" != "x" ]; then - echo "---- skipping $i (no DSA cert/keys) ----" - else - export CIPHER=$i - run_test - echo "SUCCESS: $i" - fi -done; -} - -# Welcome the user -echo "Tests will assume an http server running at $HTTP" - -# TLSv1 test -export PRETTY="TLSv1" -run_ssl_test - -# SSLv3 test -export PRETTY="SSLv3" -run_ssl_test - -# SSLv2 test -export PRETTY="SSLv2" -run_ssl_test - diff --git a/demos/tunala/tunala.c b/demos/tunala/tunala.c index e918cba2ce..e802a6209f 100644 --- a/demos/tunala/tunala.c +++ b/demos/tunala/tunala.c @@ -69,8 +69,8 @@ typedef struct _tunala_world_t { static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id, const char *CAfile, const char *cert, const char *key, const char *dcert, const char *dkey, const char *cipher_list, - const char *dh_file, const char *dh_special, int tmp_rsa, - int ctx_options, int out_state, int out_verify, int verify_mode, + const char *dh_file, const char *dh_special, int ctx_options, + int out_state, int out_verify, int verify_mode, unsigned int verify_depth); static void selector_init(tunala_selector_t *selector); static void selector_add_listener(tunala_selector_t *selector, int fd); @@ -102,7 +102,6 @@ static int def_flipped = 0; static const char *def_cipher_list = NULL; static const char *def_dh_file = NULL; static const char *def_dh_special = NULL; -static int def_tmp_rsa = 1; static int def_ctx_options = 0; static int def_verify_mode = 0; static unsigned int def_verify_depth = 10; @@ -128,7 +127,6 @@ static const char *helpstring = " -cipher <list> (specifies cipher list to use)\n" " -dh_file <path> (a PEM file containing DH parameters to use)\n" " -dh_special <NULL|generate|standard> (see below: def=NULL)\n" -" -no_tmp_rsa (don't generate temporary RSA keys)\n" " -no_ssl2 (disable SSLv2)\n" " -no_ssl3 (disable SSLv3)\n" " -no_tls1 (disable TLSv1)\n" @@ -308,7 +306,6 @@ int main(int argc, char *argv[]) const char *cipher_list = def_cipher_list; const char *dh_file = def_dh_file; const char *dh_special = def_dh_special; - int tmp_rsa = def_tmp_rsa; int ctx_options = def_ctx_options; int verify_mode = def_verify_mode; unsigned int verify_depth = def_verify_depth; @@ -430,9 +427,6 @@ next_arg: if(!parse_dh_special(*argv, &dh_special)) return 1; goto next_arg; - } else if(strcmp(*argv, "-no_tmp_rsa") == 0) { - tmp_rsa = 0; - goto next_arg; } else if(strcmp(*argv, "-no_ssl2") == 0) { ctx_options |= SSL_OP_NO_SSLv2; goto next_arg; @@ -493,7 +487,7 @@ next_arg: /* Create the SSL_CTX */ if((world.ssl_ctx = initialise_ssl_ctx(server_mode, engine_id, cacert, cert, key, dcert, dkey, cipher_list, dh_file, - dh_special, tmp_rsa, ctx_options, out_state, out_verify, + dh_special, ctx_options, out_state, out_verify, verify_mode, verify_depth)) == NULL) return err_str1("initialise_ssl_ctx(engine_id=%s) failed", (engine_id == NULL) ? "NULL" : engine_id); @@ -528,13 +522,8 @@ main_loop: /* Now do the select */ switch(selector_select(&world.selector)) { case -1: - if(errno != EINTR) { - fprintf(stderr, "selector_select returned a " - "badness error.\n"); - goto shouldnt_happen; - } - fprintf(stderr, "Warn, selector interrupted by a signal\n"); - goto main_loop; + fprintf(stderr, "selector_select returned a badness error.\n"); + goto shouldnt_happen; case 0: fprintf(stderr, "Warn, selector_select returned 0 - signal?""?\n"); goto main_loop; @@ -728,8 +717,8 @@ do_it: static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id, const char *CAfile, const char *cert, const char *key, const char *dcert, const char *dkey, const char *cipher_list, - const char *dh_file, const char *dh_special, int tmp_rsa, - int ctx_options, int out_state, int out_verify, int verify_mode, + const char *dh_file, const char *dh_special, int ctx_options, + int out_state, int out_verify, int verify_mode, unsigned int verify_depth) { SSL_CTX *ctx = NULL, *ret = NULL; @@ -781,9 +770,6 @@ static SSL_CTX *initialise_ssl_ctx(int server_mode, const char *engine_id, /* dcert and dkey */ if((dcert || dkey) && !ctx_set_cert(ctx, dcert, dkey)) goto err; - /* temporary RSA key generation */ - if(tmp_rsa) - SSL_CTX_set_tmp_rsa_callback(ctx, cb_generate_tmp_rsa); /* cipher_list */ if(cipher_list) { diff --git a/demos/tunala/tunala.h b/demos/tunala/tunala.h index 3a752f259a..b4c8ec78d8 100644 --- a/demos/tunala/tunala.h +++ b/ |