[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Emilia Kasper
emilia at openssl.org
Tue May 26 11:01:45 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via b6f33dce3b1ee563c0866654a9b5c44adc7b79b8 (commit)
from cdc47dcf195b309f48abf11a81b957cf697da162 (commit)
- Log -----------------------------------------------------------------
commit b6f33dce3b1ee563c0866654a9b5c44adc7b79b8
Author: Emilia Kasper <emilia at openssl.org>
Date: Fri May 22 18:35:50 2015 +0200
Fix ssltest to use 1024-bit DHE parameters
Also add more ciphersuite test coverage, and a negative test for
512-bit DHE.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 1ee85aab75d7c9f20058f781bfe9222323df08eb)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssltest.c | 20 +++++++++++---------
test/testssl | 38 ++++++++++++++++++++++++++++++++++----
2 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 805da4c..6737adf 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -692,7 +692,9 @@ static void sv_usage(void)
" -bytes <val> - number of bytes to swap between client/server\n");
#ifndef OPENSSL_NO_DH
fprintf(stderr,
- " -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
+ " -dhe512 - use 512 bit key for DHE (to test failure)\n");
+ fprintf(stderr,
+ " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
fprintf(stderr,
" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
@@ -901,7 +903,7 @@ int main(int argc, char *argv[])
long bytes = 256L;
#ifndef OPENSSL_NO_DH
DH *dh;
- int dhe1024 = 0, dhe1024dsa = 0;
+ int dhe512 = 0, dhe1024dsa = 0;
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = NULL;
@@ -981,19 +983,19 @@ int main(int argc, char *argv[])
debug = 1;
else if (strcmp(*argv, "-reuse") == 0)
reuse = 1;
- else if (strcmp(*argv, "-dhe1024") == 0) {
+ else if (strcmp(*argv, "-dhe512") == 0) {
#ifndef OPENSSL_NO_DH
- dhe1024 = 1;
+ dhe512 = 1;
#else
fprintf(stderr,
- "ignoring -dhe1024, since I'm compiled without DH\n");
+ "ignoring -dhe512, since I'm compiled without DH\n");
#endif
} else if (strcmp(*argv, "-dhe1024dsa") == 0) {
#ifndef OPENSSL_NO_DH
dhe1024dsa = 1;
#else
fprintf(stderr,
- "ignoring -dhe1024, since I'm compiled without DH\n");
+ "ignoring -dhe1024dsa, since I'm compiled without DH\n");
#endif
} else if (strcmp(*argv, "-no_dhe") == 0)
no_dhe = 1;
@@ -1318,10 +1320,10 @@ int main(int argc, char *argv[])
*/
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
dh = get_dh1024dsa();
- } else if (dhe1024)
- dh = get_dh1024();
- else
+ } else if (dhe512)
dh = get_dh512();
+ else
+ dh = get_dh1024();
SSL_CTX_set_tmp_dh(s_ctx, dh);
DH_free(dh);
}
diff --git a/test/testssl b/test/testssl
index 64e22b9..ddebf08 100644
--- a/test/testssl
+++ b/test/testssl
@@ -145,10 +145,9 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
-echo "Testing ciphersuites"
-for protocol in TLSv1.2 SSLv3; do
- echo "Testing ciphersuites for $protocol"
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+test_cipher() {
+ local cipher=$1
+ local protocol=$2
echo "Testing $cipher"
prot=""
if [ $protocol = "SSLv3" ] ; then
@@ -159,7 +158,38 @@ for protocol in TLSv1.2 SSLv3; do
echo "Failed $cipher"
exit 1
fi
+}
+
+echo "Testing ciphersuites"
+for protocol in TLSv1.2 SSLv3; do
+ echo "Testing ciphersuites for $protocol"
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+ test_cipher $cipher $protocol
done
+ if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+ echo "skipping RSA+DHE tests"
+ else
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
+ test_cipher $cipher $protocol
+ done
+ echo "testing connection with weak DH, expecting failure"
+ if [ $protocol = "SSLv3" ] ; then
+ $ssltest -cipher EDH -dhe512 -ssl3
+ else
+ $ssltest -cipher EDH -dhe512
+ fi
+ if [ $? -eq 0 ]; then
+ echo "FAIL: connection with weak DH succeeded"
+ exit 1
+ fi
+ fi
+ if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
+ echo "skipping RSA+ECDHE tests"
+ else
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
+ test_cipher $cipher $protocol
+ done
+ fi
done
#############################################################################
More information about the openssl-commits
mailing list