generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix ssltest to use 1024-bit DHE parameters

Browse Source 
Also add more ciphersuite test coverage, and a negative test for
512-bit DHE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 1ee85aab75d7c9f20058f781bfe9222323df08eb)
This commit is contained in:
Emilia Kasper 2015-05-22 18:35:50 +02:00
parent 9c89d29083
commit e8356e32ae
2 changed files with 45 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
test/ssltest.c
View File

@ -766,7 +766,9 @@ static void sv_usage(void)
" -bytes <val> - number of bytes to swap between client/server\n"); " -bytes <val> - number of bytes to swap between client/server\n");
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
fprintf(stderr, fprintf(stderr,
" -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); " -dhe512 - use 512 bit key for DHE (to test failure)\n");
fprintf(stderr,
" -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
fprintf(stderr, fprintf(stderr,
" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n"); fprintf(stderr, " -no_dhe - disable DHE\n");
@ -978,7 +980,7 @@ int main(int argc, char *argv[])
long bytes = 256L; long bytes = 256L;
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
DH *dh; DH *dh;
int dhe1024 = 0, dhe1024dsa = 0; int dhe512 = 0, dhe1024dsa = 0;
#endif #endif
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
EC_KEY *ecdh = NULL; EC_KEY *ecdh = NULL;
@ -1084,19 +1086,19 @@ int main(int argc, char *argv[])
debug = 1; debug = 1;
else if (strcmp(*argv, "-reuse") == 0) else if (strcmp(*argv, "-reuse") == 0)
reuse = 1; reuse = 1;
else if (strcmp(*argv, "-dhe1024") == 0) { else if (strcmp(*argv, "-dhe512") == 0) {
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
dhe1024 = 1; dhe512 = 1;
#else #else
fprintf(stderr, fprintf(stderr,
"ignoring -dhe1024, since I'm compiled without DH\n"); "ignoring -dhe512, since I'm compiled without DH\n");
#endif #endif
} else if (strcmp(*argv, "-dhe1024dsa") == 0) { } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
dhe1024dsa = 1; dhe1024dsa = 1;
#else #else
fprintf(stderr, fprintf(stderr,
"ignoring -dhe1024, since I'm compiled without DH\n"); "ignoring -dhe1024dsa, since I'm compiled without DH\n");
#endif #endif
} else if (strcmp(*argv, "-no_dhe") == 0) } else if (strcmp(*argv, "-no_dhe") == 0)
no_dhe = 1; no_dhe = 1;
@ -1473,10 +1475,10 @@ int main(int argc, char *argv[])
*/ */
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
dh = get_dh1024dsa(); dh = get_dh1024dsa();
} else if (dhe1024) } else if (dhe512)
dh = get_dh1024();
else
dh = get_dh512(); dh = get_dh512();
else
dh = get_dh1024();
SSL_CTX_set_tmp_dh(s_ctx, dh); SSL_CTX_set_tmp_dh(s_ctx, dh);
DH_free(dh); DH_free(dh);
} }

38
test/testssl
View File

@ -118,10 +118,9 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
echo "Testing ciphersuites" test_cipher() {
for protocol in TLSv1.2 SSLv3; do local cipher=$1
echo "Testing ciphersuites for $protocol" local protocol=$2
for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
echo "Testing $cipher" echo "Testing $cipher"
prot="" prot=""
if [ $protocol = "SSLv3" ] ; then if [ $protocol = "SSLv3" ] ; then
@ -132,7 +131,38 @@ for protocol in TLSv1.2 SSLv3; do
echo "Failed $cipher" echo "Failed $cipher"
exit 1 exit 1
fi fi
}
echo "Testing ciphersuites"
for protocol in TLSv1.2 SSLv3; do
echo "Testing ciphersuites for $protocol"
for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
test_cipher $cipher $protocol
done done
if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo "skipping RSA+DHE tests"
else
for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
test_cipher $cipher $protocol
done
echo "testing connection with weak DH, expecting failure"
if [ $protocol = "SSLv3" ] ; then
$ssltest -cipher EDH -dhe512 -ssl3
else
$ssltest -cipher EDH -dhe512
fi
if [ $? -eq 0 ]; then
echo "FAIL: connection with weak DH succeeded"
exit 1
fi
fi
if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
echo "skipping RSA+ECDHE tests"
else
for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
test_cipher $cipher $protocol
done
fi
done done
############################################################################# #############################################################################