[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Wed Sep 2 20:24:53 UTC 2015
The branch master has been updated
via cf170f558b6051a66b5e182ac447b7b8ce85c8d2 (commit)
via 04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e (commit)
via 6a096889d731a68fb74b7f71de9c9faf206a9da8 (commit)
via cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2 (commit)
from 0b58c6ad9e9651a83f2e25e98c76b1ee4fecaa03 (commit)
- Log -----------------------------------------------------------------
commit cf170f558b6051a66b5e182ac447b7b8ce85c8d2
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Aug 26 14:28:38 2015 +0100
Extend ciphersuite test coverage.
Add support for testing ECDSA and DSA ciphersuites.
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Aug 26 14:03:24 2015 +0100
Fix CCM support in DTLS
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 6a096889d731a68fb74b7f71de9c9faf206a9da8
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Aug 26 12:22:39 2015 +0100
Update ssltest certificate handling.
Use SSL_CONF for certificate handling in ssltest.c; this changes the
behaviour slightly: the -cert and -key options are no longer recognised
and a default certificate file is not used.
This change means that -s_cert and -c_cert can be used more than once
to support use of multiple certificates.
Reviewed-by: Matt Caswell <matt at openssl.org>
commit cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Aug 26 12:20:32 2015 +0100
Create DSA and ECDSA certificates.
If supported create DSA and ECDSA certificates and test them.
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/d1_both.c | 3 ++-
test/Uss.cnf | 33 +++++++++++++++------------
test/ssltest.c | 70 +++++-----------------------------------------------------
test/testss | 43 +++++++++++++++++++++++++++++++++++-
test/testssl | 47 ++++++++++++++++++++++-----------------
5 files changed, 96 insertions(+), 100 deletions(-)
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 2c3ab54..d2f5def 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -270,7 +270,8 @@ int dtls1_do_write(SSL *s, int type)
if (s->write_hash) {
if (s->enc_write_ctx
- && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE)
+ && ((EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE) ||
+ (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CCM_MODE)))
mac_size = 0;
else
mac_size = EVP_MD_CTX_size(s->write_hash);
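Review bot: The condition guarding `mac_size = 0` now lists AEAD modes by hand, so any further AEAD mode used with DTLS needs this line edited again or it falls through to `EVP_MD_CTX_size(s->write_hash)` and is presumably sized as if a separate MAC were appended. If the CCM ciphers carry `EVP_CIPH_FLAG_AEAD_CIPHER` (not visible here, please confirm), testing that flag on the context's cipher would cover GCM, CCM and later modes in one check. Whichever form is kept, a comment such as `/* AEAD modes carry their own tag: no separate MAC */` would record the reason. dtls1_do_write starts and ends outside this hunk, so any other mode checks in it could not be reviewed.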
diff --git a/test/Uss.cnf b/test/Uss.cnf
index 58ac0ca..f655e74 100644
--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -4,6 +4,7 @@
#
RANDFILE = ./.rnd
+CN2 = Brother 2
####################################################################
[ req ]
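Review bot: The new top-level `CN2 = Brother 2` carries no comment saying it is the fallback for `1.commonName = $ENV::CN2` in the next hunk, so it reads like an unused variable that could be deleted. A line above it such as `# Default for $ENV::CN2 when CN2 is not set in the environment` would make the coupling explicit. That matters because test/testss in this same commit overrides the value with `CN2="DSA Certificate"` and `CN2="ECDSA Certificate"` prefixes on the `$reqcmd` calls.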
@@ -11,26 +12,30 @@ default_bits = 2048
default_keyfile = keySS.pem
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
-default_md = sha256
+default_md = sha256
+prompt = no
[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_value = AU
-
-organizationName = Organization Name (eg, company)
-organizationName_value = Dodgy Brothers
-
-0.commonName = Common Name (eg, YOUR name)
-0.commonName_value = Brother 1
-
-1.commonName = Common Name (eg, YOUR name)
-1.commonName_value = Brother 2
+countryName = AU
+organizationName = Dodgy Brothers
+0.commonName = Brother 1
+1.commonName = $ENV::CN2
[ v3_ee ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-issuerAltName=issuer:copy
+
+[ v3_ee_dsa ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature
+
+[ v3_ee_ec ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyAgreement
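Review bot: The new `[ v3_ee_dsa ]` and `[ v3_ee_ec ]` sections differ from `[ v3_ee ]` only in `keyUsage` and `authorityKeyIdentifier`, and nothing records why. A short comment per section, for example `# DSA keys sign only: no keyEncipherment` and `# EC keys: keyAgreement permits fixed ECDH as well as ECDSA`, would keep a later edit from "harmonising" them. The change from `keyid,issuer:always` to `keyid:always` in the new sections deserves a word too if it is intentional.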
diff --git a/test/ssltest.c b/test/ssltest.c
index 26cf96c..9144191 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -204,20 +204,6 @@
# include OPENSSL_UNISTD
#endif
-#ifdef OPENSSL_SYS_VMS
-# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
-# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
-#elif defined(OPENSSL_SYS_WINCE)
-# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
-# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
-#elif defined(OPENSSL_SYS_NETWARE)
-# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
-# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
-#else
-# define TEST_SERVER_CERT "../apps/server.pem"
-# define TEST_CLIENT_CERT "../apps/client.pem"
-#endif
-
/*
* There is really no standard for this, so let's assign something
* only for this test
@@ -965,10 +951,6 @@ int main(int argc, char *argv[])
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
- char *server_cert = TEST_SERVER_CERT;
- char *server_key = NULL;
- char *client_cert = TEST_CLIENT_CERT;
- char *client_key = NULL;
#ifndef OPENSSL_NO_EC
char *named_curve = NULL;
#endif
@@ -1043,14 +1025,18 @@ int main(int argc, char *argv[])
}
SSL_CONF_CTX_set_flags(s_cctx,
- SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER);
+ SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
+ SSL_CONF_FLAG_CERTIFICATE |
+ SSL_CONF_FLAG_REQUIRE_PRIVATE);
if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
ERR_print_errors(bio_err);
goto end;
}
SSL_CONF_CTX_set_flags(c_cctx,
- SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT);
+ SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
+ SSL_CONF_FLAG_CERTIFICATE |
+ SSL_CONF_FLAG_REQUIRE_PRIVATE);
if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
ERR_print_errors(bio_err);
goto end;
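Review bot: `SSL_CONF_FLAG_REQUIRE_PRIVATE` only takes effect when `SSL_CONF_CTX_finish()` runs, and no such call is visible in this hunk, so the flag added to `s_cctx` and `c_cctx` does nothing unless `main` calls finish on both contexts and checks the result. Please confirm that call exists further down (main continues outside the hunk) and that a failure reaches `end` after `ERR_print_errors(bio_err)`, as the `SSL_CONF_CTX_set1_prefix` checks here do. Other hunks of this commit remove the built-in default certificate, so a server run without `-s_cert` now has no certificate at all. A comment beside the flags such as `/* no default cert: -s_cert/-c_cert must be given for authenticated suites */` would help anyone diagnosing a later handshake failure.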
@@ -1165,30 +1151,6 @@ int main(int argc, char *argv[])
bytes *= 1024L;
if (argv[0][i - 1] == 'm')
bytes *= 1024L * 1024L;
- } else if (strcmp(*argv, "-cert") == 0) {
- if (--argc < 1)
- goto bad;
- server_cert = *(++argv);
- } else if (strcmp(*argv, "-s_cert") == 0) {
- if (--argc < 1)
- goto bad;
- server_cert = *(++argv);
- } else if (strcmp(*argv, "-key") == 0) {
- if (--argc < 1)
- goto bad;
- server_key = *(++argv);
- } else if (strcmp(*argv, "-s_key") == 0) {
- if (--argc < 1)
- goto bad;
- server_key = *(++argv);
- } else if (strcmp(*argv, "-c_cert") == 0) {
- if (--argc < 1)
- goto bad;
- client_cert = *(++argv);
- } else if (strcmp(*argv, "-c_key") == 0) {
- if (--argc < 1)
- goto bad;
- client_key = *(++argv);
} else if (strcmp(*argv, "-cipher") == 0) {
if (--argc < 1)
goto bad;
@@ -1519,26 +1481,6 @@ int main(int argc, char *argv[])
SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
#endif
- if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) {
- ERR_print_errors(bio_err);
- } else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
- (server_key ? server_key :
- server_cert),
- SSL_FILETYPE_PEM)) {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (client_auth) {
- if (!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
- || !SSL_CTX_use_PrivateKey_file(c_ctx,
- (client_key ? client_key : client_cert),
- SSL_FILETYPE_PEM)) {
- ERR_print_errors(bio_err);
- goto end;
- }
- }
-
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
diff --git a/test/testss b/test/testss
index 5c5389b..45aedc8 100644
--- a/test/testss
+++ b/test/testss
@@ -18,6 +18,14 @@ Ukey="keyU.ss"
Ureq="reqU.ss"
Ucert="certU.ss"
+Dkey="keyD.ss"
+Dreq="reqD.ss"
+Dcert="certD.ss"
+
+Ekey="keyE.ss"
+Ereq="reqE.ss"
+Ecert="certE.ss"
+
P1conf="P1ss.cnf"
P1key="keyP1.ss"
P1req="reqP1.ss"
@@ -33,8 +41,10 @@ P2intermediate="tmp_intP2.ss"
echo string to make the random number generator think it has entropy >> ./.rnd
+req_dsa='-newkey dsa:../apps/dsa1024.pem'
+
if ../util/shlib_wrap.sh ../apps/openssl no-rsa >/dev/null; then
- req_new='-newkey dsa:../apps/dsa512.pem'
+ req_new=$req_dsa
else
req_new='-new'
fi
@@ -67,6 +77,37 @@ $verifycmd -CAfile $CAcert $Ucert || exit 1
echo Certificate details
$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert || exit 1
+if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then
+ echo skipping DSA certificate creation
+else
+ echo make a DSA user cert request
+ CN2="DSA Certificate" $reqcmd -config $Uconf -out $Dreq -keyout $Dkey $req_dsa >err.ss || exit 1
+
+ echo sign DSA user cert request
+ $x509cmd -CAcreateserial -in $Dreq -days 30 -req -out $Dcert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_dsa >err.ss || exit 1
+ $verifycmd -CAfile $CAcert $Dcert || exit 1
+
+ echo DSA Certificate details
+ $x509cmd -subject -issuer -startdate -enddate -noout -in $Dcert || exit 1
+
+fi
+
+if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then
+ echo skipping ECDSA/ECDH certificate creation
+else
+ echo make an ECDSA/ECDH user cert request
+ ../util/shlib_wrap.sh ../apps/openssl ecparam -name P-256 -out ecp.ss || exit 1
+ CN2="ECDSA Certificate" $reqcmd -config $Uconf -out $Ereq -keyout $Ekey -newkey ec:ecp.ss >err.ss || exit 1
+
+ echo sign ECDSA/ECDH user cert request
+ $x509cmd -CAcreateserial -in $Ereq -days 30 -req -out $Ecert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_ec >err.ss || exit 1
+ $verifycmd -CAfile $CAcert $Ecert || exit 1
+
+ echo ECDSA Certificate details
+ $x509cmd -subject -issuer -startdate -enddate -noout -in $Ecert || exit 1
+
+fi
+
echo make a proxy cert request
$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss || exit 1
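Review bot: `ecp.ss` is written as a literal in both the `ecparam -name P-256 -out ecp.ss` line and the `-newkey ec:ecp.ss` line, while every other generated file in this script goes through a variable (`$Ekey`, `$Ereq`, `$Ecert`, added in the first hunk of this file). Defining `Eparam="ecp.ss"` next to the other `E*` names and using `$Eparam` in both places keeps all generated file names in one spot for whatever cleanup the script or Makefile performs. The DSA and EC blocks also send each step's output to the same `err.ss`, so only the last step's output survives; that matches the existing convention but is worth keeping in mind when a step fails.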
diff --git a/test/testssl b/test/testssl
index 81b8a93..d41a4bd 100644
--- a/test/testssl
+++ b/test/testssl
@@ -10,7 +10,7 @@ if [ "$2" = "" ]; then
else
cert="$2"
fi
-ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -s_key $key -s_cert $cert -c_key $key -c_cert $cert"
if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
dsa_cert=YES
@@ -124,7 +124,8 @@ test_cipher() {
if [ $2 = "SSLv3" ] ; then
prot="-ssl3"
fi
- $ssltest -cipher $_cipher $prot
+ _exarg=$3
+ $ssltest $_exarg -cipher $_cipher $prot
if [ $? -ne 0 ] ; then
echo "Failed $_cipher"
exit 1
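Review bot: `$_exarg` is expanded unquoted so that a string like `-s_cert certD.ss -s_key keyD.ss` splits into separate ssltest arguments, but nothing says this is deliberate, and a later cleanup that quotes it would pass one bogus argument instead. A comment above the assignment, `# $3: extra ssltest options; left unquoted below so they word-split`, would document it. File names containing spaces cannot be passed this way. test_cipher starts above this hunk.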
@@ -132,17 +133,31 @@ test_cipher() {
}
echo "Testing ciphersuites"
+exkeys=""
+ciphers="-EXP:-PSK:-SRP:-kDH:-kECDHe"
+if ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then
+ echo "skipping DHE tests"
+ ciphers="$ciphers:-kDHE"
+fi
+if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then
+ echo "skipping DSA tests"
+ ciphers="$ciphers:-aDSA"
+else
+ exkeys="$exkeys -s_cert certD.ss -s_key keyD.ss"
+fi
+
+if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then
+ echo "skipping EC tests"
+ ciphers="$ciphers:!aECDSA:!kECDH"
+else
+ exkeys="$exkeys -s_cert certE.ss -s_key keyE.ss"
+fi
+
for protocol in TLSv1.2 SSLv3; do
echo "Testing ciphersuites for $protocol"
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
- test_cipher $cipher $protocol
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "$protocol:$ciphers" | tr ':' ' '`; do
+ test_cipher $cipher $protocol "$exkeys"
done
- if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
- echo "skipping RSA+DHE tests"
- else
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
- test_cipher $cipher $protocol
- done
echo "testing connection with weak DH, expecting failure"
if [ $protocol = "SSLv3" ] ; then
$ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3
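Review bot: The weak-DH check beginning at `echo "testing connection with weak DH, expecting failure"` used to sit in the `else` branch of the `no-dhparam` test; with that `if`/`else` removed here and its `fi` removed in the next hunk, it now runs on every build. On a build without DH the `$ssltest -s_cipher "EDH" ... -dhe512` call presumably fails for an unrelated reason, and because the check only looks for a non-zero exit it would pass without exercising the weak-parameter rejection. Wrapping the block in `if ! ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then` and a closing `fi` would restore the guard. Separately, the EC exclusion uses `!aECDSA:!kECDH` where the others use `-`; `-aECDSA:-kECDH` would be consistent unless permanent removal is intended. The loop body continues past the end of this hunk.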
@@ -153,14 +168,6 @@ for protocol in TLSv1.2 SSLv3; do
echo "FAIL: connection with weak DH succeeded"
exit 1
fi
- fi
- if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
- echo "skipping RSA+ECDHE tests"
- else
- for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
- test_cipher $cipher $protocol
- done
- fi
done
#############################################################################
@@ -176,13 +183,13 @@ if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping RSA tests
else
echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
- ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
echo skipping RSA+DHE tests
else
echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
- ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
fi