The branch master has been updated via cf170f558b6051a66b5e182ac447b7b8ce85c8d2 (commit) via 04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e (commit) via 6a096889d731a68fb74b7f71de9c9faf206a9da8 (commit) via cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2 (commit) from 0b58c6ad9e9651a83f2e25e98c76b1ee4fecaa03 (commit)
- Log ----------------------------------------------------------------- commit cf170f558b6051a66b5e182ac447b7b8ce85c8d2 Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Aug 26 14:28:38 2015 +0100 Extend ciphersuite test coverage. Add support for testing ECDSA and DSA ciphersuites. Reviewed-by: Matt Caswell <m...@openssl.org> commit 04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Aug 26 14:03:24 2015 +0100 Fix CCM support in DTLS Reviewed-by: Matt Caswell <m...@openssl.org> commit 6a096889d731a68fb74b7f71de9c9faf206a9da8 Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Aug 26 12:22:39 2015 +0100 Update ssltest certificate handling. Use SSL_CONF for certificate handling is ssltest.c, this changes the behaviour slightly: the -cert and -key options are no longer recognised and a default certificate file is not used. This change means that -s_cert and -c_cert can be used mode than once to support use of multiple certificates. Reviewed-by: Matt Caswell <m...@openssl.org> commit cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2 Author: Dr. Stephen Henson <st...@openssl.org> Date: Wed Aug 26 12:20:32 2015 +0100 Create DSA and ECDSA certificates. If supported create DSA and ECDSA certificates and test them. Reviewed-by: Matt Caswell <m...@openssl.org> ----------------------------------------------------------------------- Summary of changes: ssl/d1_both.c | 3 ++- test/Uss.cnf | 33 +++++++++++++++------------ test/ssltest.c | 70 +++++----------------------------------------------------- test/testss | 43 +++++++++++++++++++++++++++++++++++- test/testssl | 47 ++++++++++++++++++++++----------------- 5 files changed, 96 insertions(+), 100 deletions(-) diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 2c3ab54..d2f5def 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -270,7 +270,8 @@ int dtls1_do_write(SSL *s, int type) if (s->write_hash) { if (s->enc_write_ctx - && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE) + && ((EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE) || + (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CCM_MODE))) mac_size = 0; else mac_size = EVP_MD_CTX_size(s->write_hash); diff --git a/test/Uss.cnf b/test/Uss.cnf index 58ac0ca..f655e74 100644 --- a/test/Uss.cnf +++ b/test/Uss.cnf @@ -4,6 +4,7 @@ # RANDFILE = ./.rnd +CN2 = Brother 2 #################################################################### [ req ] @@ -11,26 +12,30 @@ default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -default_md = sha256 +default_md = sha256 +prompt = no [ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_value = AU - -organizationName = Organization Name (eg, company) -organizationName_value = Dodgy Brothers - -0.commonName = Common Name (eg, YOUR name) -0.commonName_value = Brother 1 - -1.commonName = Common Name (eg, YOUR name) -1.commonName_value = Brother 2 +countryName = AU +organizationName = Dodgy Brothers +0.commonName = Brother 1 +1.commonName = $ENV::CN2 [ v3_ee ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always basicConstraints = CA:false keyUsage = nonRepudiation, digitalSignature, keyEncipherment -issuerAltName=issuer:copy + +[ v3_ee_dsa ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature + +[ v3_ee_ec ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature, keyAgreement diff --git a/test/ssltest.c b/test/ssltest.c index 26cf96c..9144191 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -204,20 +204,6 @@ # include OPENSSL_UNISTD #endif -#ifdef OPENSSL_SYS_VMS -# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" -# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" -#elif defined(OPENSSL_SYS_WINCE) -# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" -# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" -#elif defined(OPENSSL_SYS_NETWARE) -# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" -# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" -#else -# define TEST_SERVER_CERT "../apps/server.pem" -# define TEST_CLIENT_CERT "../apps/client.pem" -#endif - /* * There is really no standard for this, so let's assign something * only for this test @@ -965,10 +951,6 @@ int main(int argc, char *argv[]) int server_auth = 0, i; struct app_verify_arg app_verify_arg = { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; - char *server_cert = TEST_SERVER_CERT; - char *server_key = NULL; - char *client_cert = TEST_CLIENT_CERT; - char *client_key = NULL; #ifndef OPENSSL_NO_EC char *named_curve = NULL; #endif @@ -1043,14 +1025,18 @@ int main(int argc, char *argv[]) } SSL_CONF_CTX_set_flags(s_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) { ERR_print_errors(bio_err); goto end; } SSL_CONF_CTX_set_flags(c_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) { ERR_print_errors(bio_err); goto end; @@ -1165,30 +1151,6 @@ int main(int argc, char *argv[]) bytes *= 1024L; if (argv[0][i - 1] == 'm') bytes *= 1024L * 1024L; - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-s_cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-s_key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-c_cert") == 0) { - if (--argc < 1) - goto bad; - client_cert = *(++argv); - } else if (strcmp(*argv, "-c_key") == 0) { - if (--argc < 1) - goto bad; - client_key = *(++argv); } else if (strcmp(*argv, "-cipher") == 0) { if (--argc < 1) goto bad; @@ -1519,26 +1481,6 @@ int main(int argc, char *argv[]) SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); #endif - if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, - (server_key ? server_key : - server_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - - if (client_auth) { - if (!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) - || !SSL_CTX_use_PrivateKey_file(c_ctx, - (client_key ? client_key : client_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - } - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || diff --git a/test/testss b/test/testss index 5c5389b..45aedc8 100644 --- a/test/testss +++ b/test/testss @@ -18,6 +18,14 @@ Ukey="keyU.ss" Ureq="reqU.ss" Ucert="certU.ss" +Dkey="keyD.ss" +Dreq="reqD.ss" +Dcert="certD.ss" + +Ekey="keyE.ss" +Ereq="reqE.ss" +Ecert="certE.ss" + P1conf="P1ss.cnf" P1key="keyP1.ss" P1req="reqP1.ss" @@ -33,8 +41,10 @@ P2intermediate="tmp_intP2.ss" echo string to make the random number generator think it has entropy >> ./.rnd +req_dsa='-newkey dsa:../apps/dsa1024.pem' + if ../util/shlib_wrap.sh ../apps/openssl no-rsa >/dev/null; then - req_new='-newkey dsa:../apps/dsa512.pem' + req_new=$req_dsa else req_new='-new' fi @@ -67,6 +77,37 @@ $verifycmd -CAfile $CAcert $Ucert || exit 1 echo Certificate details $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert || exit 1 +if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then + echo skipping DSA certificate creation +else + echo make a DSA user cert request + CN2="DSA Certificate" $reqcmd -config $Uconf -out $Dreq -keyout $Dkey $req_dsa >err.ss || exit 1 + + echo sign DSA user cert request + $x509cmd -CAcreateserial -in $Dreq -days 30 -req -out $Dcert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_dsa >err.ss || exit 1 + $verifycmd -CAfile $CAcert $Dcert || exit 1 + + echo DSA Certificate details + $x509cmd -subject -issuer -startdate -enddate -noout -in $Dcert || exit 1 + +fi + +if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then + echo skipping ECDSA/ECDH certificate creation +else + echo make an ECDSA/ECDH user cert request + ../util/shlib_wrap.sh ../apps/openssl ecparam -name P-256 -out ecp.ss || exit 1 + CN2="ECDSA Certificate" $reqcmd -config $Uconf -out $Ereq -keyout $Ekey -newkey ec:ecp.ss >err.ss || exit 1 + + echo sign ECDSA/ECDH user cert request + $x509cmd -CAcreateserial -in $Ereq -days 30 -req -out $Ecert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_ec >err.ss || exit 1 + $verifycmd -CAfile $CAcert $Ecert || exit 1 + + echo ECDSA Certificate details + $x509cmd -subject -issuer -startdate -enddate -noout -in $Ecert || exit 1 + +fi + echo make a proxy cert request $reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss || exit 1 diff --git a/test/testssl b/test/testssl index 81b8a93..d41a4bd 100644 --- a/test/testssl +++ b/test/testssl @@ -10,7 +10,7 @@ if [ "$2" = "" ]; then else cert="$2" fi -ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" +ssltest="../util/shlib_wrap.sh ./ssltest -s_key $key -s_cert $cert -c_key $key -c_cert $cert" if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then dsa_cert=YES @@ -124,7 +124,8 @@ test_cipher() { if [ $2 = "SSLv3" ] ; then prot="-ssl3" fi - $ssltest -cipher $_cipher $prot + _exarg=$3 + $ssltest $_exarg -cipher $_cipher $prot if [ $? -ne 0 ] ; then echo "Failed $_cipher" exit 1 @@ -132,17 +133,31 @@ test_cipher() { } echo "Testing ciphersuites" +exkeys="" +ciphers="-EXP:-PSK:-SRP:-kDH:-kECDHe" +if ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then + echo "skipping DHE tests" + ciphers="$ciphers:-kDHE" +fi +if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then + echo "skipping DSA tests" + ciphers="$ciphers:-aDSA" +else + exkeys="$exkeys -s_cert certD.ss -s_key keyD.ss" +fi + +if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then + echo "skipping EC tests" + ciphers="$ciphers:!aECDSA:!kECDH" +else + exkeys="$exkeys -s_cert certE.ss -s_key keyE.ss" +fi + for protocol in TLSv1.2 SSLv3; do echo "Testing ciphersuites for $protocol" - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do - test_cipher $cipher $protocol + for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "$protocol:$ciphers" | tr ':' ' '`; do + test_cipher $cipher $protocol "$exkeys" done - if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then - echo "skipping RSA+DHE tests" - else - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do - test_cipher $cipher $protocol - done echo "testing connection with weak DH, expecting failure" if [ $protocol = "SSLv3" ] ; then $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3 @@ -153,14 +168,6 @@ for protocol in TLSv1.2 SSLv3; do echo "FAIL: connection with weak DH succeeded" exit 1 fi - fi - if ../util/shlib_wrap.sh ../apps/openssl no-ec; then - echo "skipping RSA+ECDHE tests" - else - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do - test_cipher $cipher $protocol - done - fi done ############################################################################# @@ -176,13 +183,13 @@ if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then echo skipping RSA tests else echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes' - ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then echo skipping RSA+DHE tests else echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes - ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 fi fi _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits