use POSIX;
use File::Basename;
use File::Copy;
-use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr/;
+use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/;
use OpenSSL::Test::Utils;
BEGIN {
};
note('test_ssl -- key U');
-testssl("keyU.ss", $Ucert, $CAcert, "default", srctop_file("test","default.cnf"));
+testssl("keyU.ss", $Ucert, $CAcert, "default", srctop_file("test","default-and-legacy.cnf"));
unless ($no_fips) {
testssl("keyU.ss", $Ucert, $CAcert, "fips",
srctop_file("test","fips-and-base.cnf"));
# subtest functions
sub testss {
my @req_dsa = ("-newkey",
- "dsa:".srctop_file("apps", "dsa1024.pem"));
- my $dsaparams = srctop_file("apps", "dsa1024.pem");
+ "dsa:".data_file("dsa2048.pem"));
+ my $dsaparams = data_file("dsa2048.pem");
my @req_new;
if ($no_rsa) {
@req_new = @req_dsa;
sub testssl {
my ($key, $cert, $CAtmp, $provider, $configfile) = @_;
my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs"));
+ my @providerflags = ("-provider", $provider);
+
+ if ($provider eq "default") {
+ push @providerflags, "-provider", "legacy";
+ }
my @ssltest = ("ssltest_old",
- "-s_key", $key, "-s_cert", $cert,
- "-c_key", $key, "-c_cert", $cert,
- "-provider", $provider,
- "-config", $configfile);
+ "-s_key", $key, "-s_cert", $cert,
+ "-c_key", $key, "-c_cert", $cert,
+ "-config", $configfile,
+ @providerflags);
+
my $serverinfo = srctop_file("test","serverinfo.pem");
subtest "Testing ciphersuites" => sub {
my @exkeys = ();
- my $ciphers = "-PSK:-SRP";
+ my $ciphers = '-PSK:-SRP:@SECLEVEL=0';
if (!$no_dsa) {
push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss";
push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss";
}
- my @protocols = ();
- # We only use the flags that ssltest_old understands
- push @protocols, "-tls1_3" unless $no_tls1_3;
- push @protocols, "-tls1_2" unless $no_tls1_2;
- push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips";
- push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips";
- my $protocolciphersuitecount = 0;
- my %ciphersuites = ();
- my %ciphersstatus = ();
- foreach my $protocol (@protocols) {
- my $ciphersstatus = undef;
- my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol,
- "ALL:$ciphers"]),
- capture => 1, statusvar => \$ciphersstatus);
- @ciphers = grep {!/CAMELLIA|ARIA|CHACHA/} @ciphers;
- $ciphersstatus{$protocol} = $ciphersstatus;
- if ($ciphersstatus) {
- $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) }
- @ciphers ];
- $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
- }
- }
+ my @protocols = ();
+ # We only use the flags that ssltest_old understands
+ push @protocols, "-tls1_3" unless $no_tls1_3;
+ push @protocols, "-tls1_2" unless $no_tls1_2;
+ push @protocols, "-tls1" unless $no_tls1 || $provider eq "fips";
+ push @protocols, "-ssl3" unless $no_ssl3 || $provider eq "fips";
+ my $protocolciphersuitecount = 0;
+ my %ciphersuites = ();
+ my %ciphersstatus = ();
+ #There's no "-config" option to the ciphers command so we set the
+ #environment variable instead
+ my $opensslconf = $ENV{OPENSSL_CONF};
+ $ENV{OPENSSL_CONF} = $configfile;
+ foreach my $protocol (@protocols) {
+ my $ciphersstatus = undef;
+ my @ciphers = run(app(["openssl", "ciphers", "-s", $protocol,
+ @providerflags,
+ "ALL:$ciphers"]),
+ capture => 1, statusvar => \$ciphersstatus);
+ $ciphersstatus{$protocol} = $ciphersstatus;
+ if ($ciphersstatus) {
+ $ciphersuites{$protocol} = [ map { s|\R||; split(/:/, $_) }
+ @ciphers ];
+ $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
+ }
+ }
+ $ENV{OPENSSL_CONF} = $opensslconf;
plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0;
if ($protocol eq "-tls1_3") {
$ciphersuites = $cipher;
$cipher = "";
+ } else {
+ $cipher = $cipher.':@SECLEVEL=0';
}
- ok(run(test([@ssltest, @exkeys, "-cipher", $cipher,
- "-ciphersuites", $ciphersuites, $flag || ()])),
+ ok(run(test([@ssltest, @exkeys, "-cipher",
+ $cipher,
+ "-ciphersuites", $ciphersuites,
+ $flag || ()])),
"Testing $cipher");
}
}
};
static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
-static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx);
static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx);
+static EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
static char *psk_key = NULL; /* by default PSK is not used */
#ifndef OPENSSL_NO_PSK
goto end;
}
if (!no_dhe) {
- if (dhe1024dsa) {
+ if (dhe1024dsa)
dhpkey = get_dh1024dsa(libctx);
- } else if (dhe512)
+ else if (dhe512)
dhpkey = get_dh512(libctx);
else
- dhpkey = get_dh1024(libctx);
+ dhpkey = get_dh2048(libctx);
+
if (dhpkey == NULL || !EVP_PKEY_up_ref(dhpkey)) {
EVP_PKEY_free(dhpkey);
BIO_puts(bio_err, "Error getting DH parameters\n");
return ok;
}
-static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata,
- size_t plen, unsigned char *gdata, size_t glen)
+static EVP_PKEY *get_dh_from_pg_bn(OSSL_LIB_CTX *libctx, BIGNUM *p, BIGNUM *g)
{
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
OSSL_PARAM_BLD *tmpl = NULL;
OSSL_PARAM *params = NULL;
EVP_PKEY *dhpkey = NULL;
- BIGNUM *p = NULL, *g = NULL;
if (pctx == NULL || !EVP_PKEY_key_fromdata_init(pctx))
goto err;
- p = BN_bin2bn(pdata, plen, NULL);
- g = BN_bin2bn(gdata, glen, NULL);
- if (p == NULL || g == NULL)
- goto err;
-
tmpl = OSSL_PARAM_BLD_new();
if (tmpl == NULL
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
goto err;
err:
- BN_free(p);
- BN_free(g);
EVP_PKEY_CTX_free(pctx);
OSSL_PARAM_BLD_free_params(params);
OSSL_PARAM_BLD_free(tmpl);
return dhpkey;
}
+static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata,
+ size_t plen, unsigned char *gdata, size_t glen)
+{
+ EVP_PKEY *dhpkey = NULL;
+ BIGNUM *p = NULL, *g = NULL;
+
+ p = BN_bin2bn(pdata, plen, NULL);
+ g = BN_bin2bn(gdata, glen, NULL);
+ if (p == NULL || g == NULL)
+ goto err;
+
+ dhpkey = get_dh_from_pg_bn(libctx, p, g);
+
+ err:
+ BN_free(p);
+ BN_free(g);
+ return dhpkey;
+}
/* These DH parameters were generated using the dhparam command line app */
static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx)
sizeof(dh512_g));
}
-static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx)
-{
- static unsigned char dh1024_p[] = {
- 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
- 0x3A,
- 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
- 0xA2,
- 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
- 0xB0,
- 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
- 0xC2,
- 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
- 0x8C,
- 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
- 0xB8,
- 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
- 0x52,
- 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
- 0xC1,
- 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
- 0xB1,
- 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
- 0xAB,
- 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
- };
- static unsigned char dh1024_g[] = {
- 0x02,
- };
-
- return get_dh_from_pg(libctx, dh1024_p, sizeof(dh1024_p), dh1024_g,
- sizeof(dh1024_g));
-}
-
static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
sizeof(dh1024_g));
}
+static EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx)
+{
+ BIGNUM *p = NULL, *g = NULL;
+ EVP_PKEY *dhpkey = NULL;
+
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2))
+ goto err;
+
+ p = BN_get_rfc3526_prime_2048(NULL);
+ if (p == NULL)
+ goto err;
+
+ dhpkey = get_dh_from_pg_bn(libctx, p, g);
+
+ err:
+ BN_free(p);
+ BN_free(g);
+ return dhpkey;
+}
+
#ifndef OPENSSL_NO_PSK
/* convert the PSK key (psk_key) in ascii to binary (psk) */
static int psk_key2bn(const char *pskkey, unsigned char *psk,
projects / thirdparty / openssl.git / commitdiff
