[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Fri Feb 17 18:39:09 UTC 2017
The branch master has been updated
via 5a8916d985f9bb1ae106223ab4ee7e8e6b5c0c81 (commit)
via 7a08b764cca8f1a4a04384b708468c9c5d648659 (commit)
via 7a02661ac1e42afd36b0fc7d52ddbd509a36ec95 (commit)
via 0c8736f42e57f5f7bcafd73250b7becd33f008b6 (commit)
via 31b238ad05ac2b0c637bb5347c5862aa1eb97576 (commit)
from aa402e2ba408254c052b5750b14e7f01e48bced1 (commit)
- Log -----------------------------------------------------------------
commit 5a8916d985f9bb1ae106223ab4ee7e8e6b5c0c81
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Feb 17 16:08:19 2017 +0000
Explicitly disallow DSA for TLS 1.3
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
commit 7a08b764cca8f1a4a04384b708468c9c5d648659
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Feb 17 15:28:36 2017 +0000
add DSA cert tests
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
commit 7a02661ac1e42afd36b0fc7d52ddbd509a36ec95
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Feb 17 14:36:06 2017 +0000
Add DH parameters, DSA cert and key
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
commit 0c8736f42e57f5f7bcafd73250b7becd33f008b6
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Feb 17 14:44:59 2017 +0000
Add DSA support to mkcert.sh
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
commit 31b238ad05ac2b0c637bb5347c5862aa1eb97576
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Feb 16 15:27:49 2017 +0000
Add and use function test_pem to work out test filenames.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2667)
-----------------------------------------------------------------------
Summary of changes:
ssl/t1_lib.c | 17 +++++---
test/certs/dhp2048.pem | 8 ++++
test/certs/mkcert.sh | 1 +
test/certs/server-dsa-cert.pem | 31 +++++++++++++
test/certs/server-dsa-key.pem | 15 +++++++
test/ssl-tests/04-client_auth.conf.in | 14 +++---
test/ssl-tests/17-renegotiate.conf.in | 14 +++---
test/ssl-tests/18-dtls-renegotiate.conf.in | 14 +++---
test/ssl-tests/20-cert-select.conf | 32 +++++++++++++-
test/ssl-tests/20-cert-select.conf.in | 70 ++++++++++++++++++++++++------
test/ssl-tests/ssltests_base.pm | 13 ++++--
11 files changed, 181 insertions(+), 48 deletions(-)
create mode 100644 test/certs/dhp2048.pem
create mode 100644 test/certs/server-dsa-cert.pem
create mode 100644 test/certs/server-dsa-key.pem
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fc9ae68..243cef5 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -896,9 +896,16 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
/* Should never happen */
if (pkeyid == -1)
return -1;
- /* Only allow PSS for TLS 1.3 */
- if (SSL_IS_TLS13(s) && pkeyid == EVP_PKEY_RSA)
- pkeyid = EVP_PKEY_RSA_PSS;
+ if (SSL_IS_TLS13(s)) {
+ /* Disallow DSA for TLS 1.3 */
+ if (pkeyid == EVP_PKEY_DSA) {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
+ /* Only allow PSS for TLS 1.3 */
+ if (pkeyid == EVP_PKEY_RSA)
+ pkeyid = EVP_PKEY_RSA_PSS;
+ }
lu = tls1_lookup_sigalg(sig);
/*
* Check sigalgs is known and key type is consistent with signature:
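Review bot: The new DSA rejection in tls12_check_peer_sigalg does not appear to be exercised by the tests in this push. The TLS 1.3 case added to 20-cert-select.conf.in gives the DSA certificate to the server and expects `ServerFail`, which the sender-side skip in tls_choose_sigalg would produce before any peer signature reaches this check. Covering this branch probably needs a test in which the peer's signature algorithm is altered in flight, since a peer built from this tree would no longer offer DSA. Separately, the retained comment `/* Only allow PSS for TLS 1.3 */` now reads as if ECDSA were excluded too; `/* RSA keys must use PSS in TLS 1.3 */` is closer to what the two lines do. The function body starts and ends outside the hunk.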
@@ -2291,8 +2298,8 @@ int tls_choose_sigalg(SSL *s, int *al)
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
- /* Skip RSA if not PSS */
- if (lu->sig == EVP_PKEY_RSA)
+ /* Skip DSA and RSA if not PSS */
+ if (lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA)
continue;
if (ssl_md(lu->hash_idx) == NULL)
continue;
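Review bot: The updated comment `/* Skip DSA and RSA if not PSS */` can be read as "skip DSA unless it is PSS", which is not what the condition below it does. Wording such as `/* Skip DSA entirely, and RSA unless it is PSS */` matches `lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA`. The guard around this loop is outside the hunk; since the new TLS 1.2 DSA test still expects Success, the loop is presumably reached only for TLS 1.3, and the comment should say so for a reader who sees DSA dropped here.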
diff --git a/test/certs/dhp2048.pem b/test/certs/dhp2048.pem
new file mode 100644
index 0000000..9ee474b
--- /dev/null
+++ b/test/certs/dhp2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAoI0V5HKAcsG4LlAnVJhYnnl2ErOcdvz7WN4n+LoSkZVkfPcPExAF
+uXnT6v16rYfxCgZDPB/tSYaRhOxpJgaAHGA9PrfwprM4xQm9HLIWtidyIGtkgynQ
+rrtxaCculbPOMxc1od7V0jw8/Sj4pdKjijmdvY3VsvuQPu6Lo7qV94u3pYN+WSP9
+ESPcY0lvIV0s0eYxzU5LOU7FZRv6gpe658yxnpaQf13M3sFBqcQEnw+vIjNyaBBK
+Nm4jVFeKCN3aIz+yJL8y14HEnV/tnhtIrr33MAJvsG1qFBY7iFvbvlx/gKDW7qyk
+V0/iN2uElrJZIGxD2uPMZNXO+dci+EriMwIBAg==
+-----END DH PARAMETERS-----
diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh
index ee31bf0..e547274 100755
--- a/test/certs/mkcert.sh
+++ b/test/certs/mkcert.sh
@@ -48,6 +48,7 @@ key() {
rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
ec) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
+ dsa) args=(-paramfile "$bits");;
*) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
esac
stderr_onerror \
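Review bot: The new `dsa)` arm assigns `args=(-paramfile "$bits")`, which replaces whatever `args` already held instead of extending `"${args[@]}"` as the `rsa` and `ec` arms do, and it reuses `$bits` as a file path. If the reset is deliberate (presumably because the key algorithm is then taken from the parameter file and an earlier algorithm argument would conflict), a comment should record that, e.g. `# dsa: $bits names the DSA parameter file; args is reset on purpose because -paramfile selects the algorithm`. A caller that leaves `$bits` at a numeric value would pass that number as a file name; whether a default is set is not visible here. key() starts and ends outside the hunk.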
diff --git a/test/certs/server-dsa-cert.pem b/test/certs/server-dsa-cert.pem
new file mode 100644
index 0000000..0ea1894
--- /dev/null
+++ b/test/certs/server-dsa-cert.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFQzCCBCugAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE3MDIxNzE0MDgxOVoYDzIxMTcwMjE4MTQwODE5WjAVMRMwEQYDVQQD
+DApTZXJ2ZXIgRFNBMIIDSDCCAjoGByqGSM44BAEwggItAoIBAQD+P3LcpaA+AYu9
+M1gSsHi8fixl7VPCsKK96oaH7/ZJqvOD0TdASkn+4Td8SPvkc+KG2bBbmp39FCxG
+pa4d8CRLKVbIHAFtaKHIDFuMlPuFnsiaU0uWN/s3lROhAHWrTiODhehFM+NiPrAO
+JmtXQURBoeQ07t4HoyKz7sUyTF2qotw1JDvBRb6JXw+13Z2a1iZGJopLZN3Ricvo
+Hee3rYEsM5AHMS3cntYX2NhQUHjiQ451iL2OkFJtVeaUoX5JV6KYSzz4lzNlYwJf
+F/Tzac/+l1aFA1NDbNFcQ1UC0JXscKeT/J2Wo8kRwpx042UKaayw5jkOv3GndgKC
+OaCe29UrAiEAh8hMJV/kKTLolNr6kV87KV8eTaJfrnSRS2E3ToOhWH0CggEBAOd/
+YKl8svYqvJtThaOsmVETeXwEvz/MLqpj4hZr029Oqps7z6OmeZ2er7aldxC5+BKM
+xCfPlhFo0iQ9XITp+J7UqS3qrRZqAnxMjd6VmEGXKWOoeAc0CpEzR1QNkjKodzgs
+tQj5oYbiiPG0SgCtBV4I1b/IuKzkjcLxQaF+8Rob/lzLBwA6pFjZNa6FcDjthmtH
+2pC+zI760sv05rbZGcXDj8G0SLsvbkrfiRIn/8LkgBpoTWpKfa8BmvYtt9WI/CYk
+beQYIwM9sXUPwRSD1VONSg5bXTW3Sxmzy3Yfy9RYt+suMKzi78oSv81e5BoL1D2H
+tfxSAFQbiJU3kipxvhsDggEGAAKCAQEArDidnkCegHb/itBTFeyGsebv+I8Z93V3
+jGcKPOs3s1wqB/+HRL5ERlhQOq/lfYPigUFKhfC8tlCVAM+MtUDqXCzqAkomw0yX
+8oVkp9plswxHKlqjzKr6PWLOJGp/NDBAL1ZcUzHB1omvmkUHy9pYiapVVNUuUdL2
+Z5EvDze8jQoiR0k9zgMKiH+MyCfV0tLo8W8djFJPlIM9Ypa7DH4fazcEfRuzq1jv
+K/uX4+HWmg3Nswdh5eysb++RqtJSUBtGT3tAQY59WjBf2nXMG0nkZGkT7TCJ6icv
+NdbSl1AlAGMV/nZN3PFsFH17L8uMUYS7V5PWiqQTxe5COHqpGumo9KN5MHcwHQYD
+VR0OBBYEFDrWNm+9we7UIIpUiKJ8aOrCviIUMB8GA1UdIwQYMBaAFHB/Lq6DaFmY
+BCMqzes+F80k3QFJMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFQYD
+VR0RBA4wDIIKU2VydmVyIERTQTANBgkqhkiG9w0BAQsFAAOCAQEAsKn2puy5BLfg
+eVnxJiDOxYeHHB82GBZjzG4kmroWqP/yKGLQa0CWw/GNcP2zVNKZ12fzQJRRhiHd
+MohKKSHJlmKwP/6qXhRConlIVzVHdAQHxIS6rr/hwctUpX1lFvxd7hUOnwyOlvvq
+Qu0R8OIYZVmCdQuoM+nFek25TxUI160/6H7UhY4t2Y0iry+QjQCBLw/yHb2a3iQE
+Ho84MDYGNWauDK/rohSRm/CzPSqfZaFyykwRRE47x4XOmtQPRZCIaHSA7LsNqJ42
+OJRAv3kePiW4XSWAbVJ8gRHRFg9wjrMV8zBL00durls1mZVNbh81I3Bdu62y0lY0
+L6LYw0U7GQ==
+-----END CERTIFICATE-----
diff --git a/test/certs/server-dsa-key.pem b/test/certs/server-dsa-key.pem
new file mode 100644
index 0000000..fdd1da2
--- /dev/null
+++ b/test/certs/server-dsa-key.pem
@@ -0,0 +1,15 @@
+-----BEGIN PRIVATE KEY-----
+MIICZQIBADCCAjoGByqGSM44BAEwggItAoIBAQD+P3LcpaA+AYu9M1gSsHi8fixl
+7VPCsKK96oaH7/ZJqvOD0TdASkn+4Td8SPvkc+KG2bBbmp39FCxGpa4d8CRLKVbI
+HAFtaKHIDFuMlPuFnsiaU0uWN/s3lROhAHWrTiODhehFM+NiPrAOJmtXQURBoeQ0
+7t4HoyKz7sUyTF2qotw1JDvBRb6JXw+13Z2a1iZGJopLZN3RicvoHee3rYEsM5AH
+MS3cntYX2NhQUHjiQ451iL2OkFJtVeaUoX5JV6KYSzz4lzNlYwJfF/Tzac/+l1aF
+A1NDbNFcQ1UC0JXscKeT/J2Wo8kRwpx042UKaayw5jkOv3GndgKCOaCe29UrAiEA
+h8hMJV/kKTLolNr6kV87KV8eTaJfrnSRS2E3ToOhWH0CggEBAOd/YKl8svYqvJtT
+haOsmVETeXwEvz/MLqpj4hZr029Oqps7z6OmeZ2er7aldxC5+BKMxCfPlhFo0iQ9
+XITp+J7UqS3qrRZqAnxMjd6VmEGXKWOoeAc0CpEzR1QNkjKodzgstQj5oYbiiPG0
+SgCtBV4I1b/IuKzkjcLxQaF+8Rob/lzLBwA6pFjZNa6FcDjthmtH2pC+zI760sv0
+5rbZGcXDj8G0SLsvbkrfiRIn/8LkgBpoTWpKfa8BmvYtt9WI/CYkbeQYIwM9sXUP
+wRSD1VONSg5bXTW3Sxmzy3Yfy9RYt+suMKzi78oSv81e5BoL1D2HtfxSAFQbiJU3
+kipxvhsEIgIgFadGQ61c3i/D01zXhSsKyE0/BerqJmTrrlVK1o0ZFu8=
+-----END PRIVATE KEY-----
diff --git a/test/ssl-tests/04-client_auth.conf.in b/test/ssl-tests/04-client_auth.conf.in
index be601a9..8b92836 100644
--- a/test/ssl-tests/04-client_auth.conf.in
+++ b/test/ssl-tests/04-client_auth.conf.in
@@ -19,8 +19,6 @@ push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2");
our @tests = ();
-my $dir_sep = $^O ne "VMS" ? "/" : "";
-
sub generate_tests() {
foreach (0..$#protocols) {
@@ -77,7 +75,7 @@ sub generate_tests() {
server => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require",
},
client => {
@@ -97,14 +95,14 @@ sub generate_tests() {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
"ClientSignatureAlgorithms" => $clisigalgs,
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Request",
},
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
},
test => { "ExpectedResult" => "Success",
"ExpectedClientCertType" => "RSA",
@@ -124,8 +122,8 @@ sub generate_tests() {
client => {
"MinProtocol" => $protocol,
"MaxProtocol" => $protocol,
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem",
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
},
test => {
"ExpectedResult" => "ServerFail",
diff --git a/test/ssl-tests/17-renegotiate.conf.in b/test/ssl-tests/17-renegotiate.conf.in
index 77264c4..1efba84 100644
--- a/test/ssl-tests/17-renegotiate.conf.in
+++ b/test/ssl-tests/17-renegotiate.conf.in
@@ -14,8 +14,6 @@ use warnings;
package ssltests;
-my $dir_sep = $^O ne "VMS" ? "/" : "";
-
our @tests = (
{
name => "renegotiate-client-no-resume",
@@ -76,12 +74,12 @@ our @tests = (
server => {
"Options" => "NoResumptionOnRenegotiation",
"MaxProtocol" => "TLSv1.2",
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require",
},
client => {
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
},
test => {
"Method" => "TLS",
@@ -95,12 +93,12 @@ our @tests = (
server => {
"Options" => "NoResumptionOnRenegotiation",
"MaxProtocol" => "TLSv1.2",
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Once",
},
client => {
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
},
test => {
"Method" => "TLS",
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf.in b/test/ssl-tests/18-dtls-renegotiate.conf.in
index 43046e3..c7020f0 100644
--- a/test/ssl-tests/18-dtls-renegotiate.conf.in
+++ b/test/ssl-tests/18-dtls-renegotiate.conf.in
@@ -14,8 +14,6 @@ use warnings;
package ssltests;
-my $dir_sep = $^O ne "VMS" ? "/" : "";
-
our @tests = (
{
name => "renegotiate-client-no-resume",
@@ -64,12 +62,12 @@ our @tests = (
{
name => "renegotiate-client-auth-require",
server => {
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require",
},
client => {
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
},
test => {
"Method" => "DTLS",
@@ -81,12 +79,12 @@ our @tests = (
{
name => "renegotiate-client-auth-once",
server => {
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Once",
},
client => {
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ "Certificate" => test_pem("ee-client-chain.pem"),
+ "PrivateKey" => test_pem("ee-key.pem"),
},
test => {
"Method" => "DTLS",
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index 72ce425..1598dad 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 8
+num_tests = 9
test-0 = 0-ECDSA CipherString Selection
test-1 = 1-RSA CipherString Selection
@@ -10,6 +10,7 @@ test-4 = 4-ECDSA Signature Algorithm Selection SHA384
test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate
test-6 = 6-RSA Signature Algorithm Selection
test-7 = 7-RSA-PSS Signature Algorithm Selection
+test-8 = 8-TLS 1.2 DSA Certificate Test
# ===========================================================
[0-ECDSA CipherString Selection]
@@ -235,3 +236,32 @@ ExpectedServerSignHash = SHA256
ExpectedServerSignType = RSA-PSS
+# ===========================================================
+
+[8-TLS 1.2 DSA Certificate Test]
+ssl_conf = 8-TLS 1.2 DSA Certificate Test-ssl
+
+[8-TLS 1.2 DSA Certificate Test-ssl]
+server = 8-TLS 1.2 DSA Certificate Test-server
+client = 8-TLS 1.2 DSA Certificate Test-client
+
+[8-TLS 1.2 DSA Certificate Test-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = ALL
+DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem
+DSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-dsa-cert.pem
+DSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-dsa-key.pem
+MaxProtocol = TLSv1.2
+MinProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-TLS 1.2 DSA Certificate Test-client]
+CipherString = ALL
+SignatureAlgorithms = DSA+SHA256:DSA+SHA1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 3d36a0e..7edfed6 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -9,13 +9,9 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
-my $dir_sep = $^O ne "VMS" ? "/" : "";
-
-my $cert_dir = "\${ENV::TEST_CERTS_DIR}${dir_sep}";
-
my $server = {
- "ECDSA.Certificate" => "${cert_dir}server-ecdsa-cert.pem",
- "ECDSA.PrivateKey" => "${cert_dir}server-ecdsa-key.pem",
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
@@ -124,17 +120,17 @@ our @tests = (
my $server_tls_1_3 = {
- "ECDSA.Certificate" => "${cert_dir}server-ecdsa-cert.pem",
- "ECDSA.PrivateKey" => "${cert_dir}server-ecdsa-key.pem",
+ "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
my $client_tls_1_3 = {
- "RSA.Certificate" => "${cert_dir}ee-client-chain.pem",
- "RSA.PrivateKey" => "${cert_dir}ee-key.pem",
- "ECDSA.Certificate" => "${cert_dir}ee-ecdsa-client-chain.pem",
- "ECDSA.PrivateKey" => "${cert_dir}ee-ecdsa-key.pem",
+ "RSA.Certificate" => test_pem("ee-client-chain.pem"),
+ "RSA.PrivateKey" => test_pem("ee-key.pem"),
+ "ECDSA.Certificate" => test_pem("ee-ecdsa-client-chain.pem"),
+ "ECDSA.PrivateKey" => test_pem("ee-ecdsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
@@ -219,7 +215,7 @@ my @tests_tls_1_3 = (
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
- "VerifyCAFile" => "${cert_dir}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
@@ -234,7 +230,7 @@ my @tests_tls_1_3 = (
name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "ECDSA+SHA256",
- "VerifyCAFile" => "${cert_dir}root-cert.pem",
+ "VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
@@ -248,3 +244,49 @@ my @tests_tls_1_3 = (
);
push @tests, @tests_tls_1_3 unless disabled("tls1_3");
+
+my @tests_dsa_tls_1_2 = (
+ {
+ name => "TLS 1.2 DSA Certificate Test",
+ server => {
+ "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
+ "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
+ "DHParameters" => test_pem("dhp2048.pem"),
+ "MinProtocol" => "TLSv1.2",
+ "MaxProtocol" => "TLSv1.2",
+ "CipherString" => "ALL",
+ },
+ client => {
+ "SignatureAlgorithms" => "DSA+SHA256:DSA+SHA1",
+ "CipherString" => "ALL",
+ },
+ test => {
+ "ExpectedResult" => "Success"
+ },
+ },
+);
+
+my @tests_dsa_tls_1_3 = (
+ {
+ name => "TLS 1.3 DSA Certificate Test",
+ server => {
+ "DSA.Certificate" => test_pem("server-dsa-cert.pem"),
+ "DSA.PrivateKey" => test_pem("server-dsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3",
+ "CipherString" => "ALL",
+ },
+ client => {
+ "SignatureAlgorithms" => "DSA+SHA1:DSA+SHA256",
+ "CipherString" => "ALL",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+);
+
+if (!disabled("dsa")) {
+ push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
+ push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
+}
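Review bot: Both new DSA cases assert only `ExpectedResult`, so neither pins the behaviour this push is about. In the generated 20-cert-select.conf the TLS 1.2 server section still carries the base RSA `Certificate`/`PrivateKey` next to the DSA pair, and `Success` alone does not show that the DSA certificate was the one selected. An expectation on the server certificate or signature type, like the `ExpectedServerSignType` check in the RSA-PSS case, would show it, provided the harness accepts a DSA value. Likewise `"ExpectedResult" => "ServerFail"` in the TLS 1.3 case is satisfied by any server-side failure, including a certificate or key that fails to load, so adding the expected alert would tie the result to the DSA rejection.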
diff --git a/test/ssl-tests/ssltests_base.pm b/test/ssl-tests/ssltests_base.pm
index 303224a..dc81642 100644
--- a/test/ssl-tests/ssltests_base.pm
+++ b/test/ssl-tests/ssltests_base.pm
@@ -10,16 +10,21 @@
package ssltests;
-my $dir_sep = $^O ne "VMS" ? "/" : "";
+sub test_pem
+{
+ my ($file) = @_;
+ my $dir_sep = $^O ne "VMS" ? "/" : "";
+ return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file,
+}
our %base_server = (
- "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}servercert.pem",
- "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}serverkey.pem",
+ "Certificate" => test_pem("servercert.pem"),
+ "PrivateKey" => test_pem("serverkey.pem"),
"CipherString" => "DEFAULT",
);
our %base_client = (
- "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}rootcert.pem",
+ "VerifyCAFile" => test_pem("rootcert.pem"),
"VerifyMode" => "Peer",
"CipherString" => "DEFAULT",
);
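Review bot: The `return` in test_pem ends with a comma instead of a semicolon; it should read `return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file;`. Perl accepts the trailing comma as the end of a one-element list, so callers get the same string today, but it looks like a typo and would silently turn into a longer list if an expression were ever added after it. A one-line comment above the sub, such as `# Return the config-file path of $file inside TEST_CERTS_DIR (no separator on VMS)`, would also help, since every .conf.in in this push now depends on it.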