[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Sun Jan 8 19:45:26 UTC 2017
The branch master has been updated
via 9c4319bd03f17fc87ae63b6231c87c678e5cabd1 (commit)
via b93ad05dba3e3d2ceb79799a883ae43d42ba16e2 (commit)
from c82bafc52e4a22c91a0871436727e7a3fd45d75b (commit)
- Log -----------------------------------------------------------------
commit 9c4319bd03f17fc87ae63b6231c87c678e5cabd1
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Jan 8 19:36:20 2017 +0000
Add server temp key type checks
Reviewed-by: Kurt Roeckx <kurt at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2191)
commit b93ad05dba3e3d2ceb79799a883ae43d42ba16e2
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sun Jan 8 00:09:08 2017 +0000
Add new ssl_test option.
Add option ExpectedTmpKeyType to test the temporary key the server
sends is of the correct type.
Reviewed-by: Kurt Roeckx <kurt at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2191)
-----------------------------------------------------------------------
Summary of changes:
test/README.ssltest.md | 2 ++
test/handshake_helper.c | 14 ++++++++++++++
test/handshake_helper.h | 2 ++
test/ssl-tests/14-curves.conf | 29 +++++++++++++++++++++++++++++
test/ssl-tests/14-curves.conf.in | 5 ++++-
test/ssl_test.c | 12 ++++++++++++
test/ssl_test_ctx.c | 25 +++++++++++++++++++++++++
test/ssl_test_ctx.h | 2 ++
8 files changed, 90 insertions(+), 1 deletion(-)
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index e28d4b0..c1edda5 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -87,6 +87,8 @@ handshake.
* ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations.
+* ExpectedTmpKeyType - the expected algorithm or curve of server temp key
+
## Configuring the client and server
The client and server configurations can be any valid `SSL_CTX`
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 24ea26f..bf647f1 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -879,6 +879,7 @@ static HANDSHAKE_RESULT *do_handshake_internal(
const unsigned char *proto = NULL;
/* API dictates unsigned int rather than size_t. */
unsigned int proto_len = 0;
+ EVP_PKEY *tmp_key;
memset(&server_ctx_data, 0, sizeof(server_ctx_data));
memset(&server2_ctx_data, 0, sizeof(server2_ctx_data));
@@ -1038,6 +1039,19 @@ static HANDSHAKE_RESULT *do_handshake_internal(
if (session_out != NULL)
*session_out = SSL_get1_session(client.ssl);
+ if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) {
+ int nid = EVP_PKEY_id(tmp_key);
+
+#ifndef OPENSSL_NO_EC
+ if (nid == EVP_PKEY_EC) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(tmp_key);
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ }
+#endif
+ EVP_PKEY_free(tmp_key);
+ ret->tmp_key_type = nid;
+ }
+
ctx_data_free_data(&server_ctx_data);
ctx_data_free_data(&server2_ctx_data);
ctx_data_free_data(&client_ctx_data);
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index 8425b2a..4f70592 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -43,6 +43,8 @@ typedef struct handshake_result {
/* Was the handshake resumed? */
int client_resumed;
int server_resumed;
+ /* Temporary key type */
+ int tmp_key_type;
} HANDSHAKE_RESULT;
HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
diff --git a/test/ssl-tests/14-curves.conf b/test/ssl-tests/14-curves.conf
index 17d00b5..83911b0 100644
--- a/test/ssl-tests/14-curves.conf
+++ b/test/ssl-tests/14-curves.conf
@@ -55,6 +55,7 @@ VerifyMode = Peer
[test-0]
ExpectedResult = Success
+ExpectedTmpKeyType = sect163k1
# ===========================================================
@@ -81,6 +82,7 @@ VerifyMode = Peer
[test-1]
ExpectedResult = Success
+ExpectedTmpKeyType = sect163r1
# ===========================================================
@@ -107,6 +109,7 @@ VerifyMode = Peer
[test-2]
ExpectedResult = Success
+ExpectedTmpKeyType = sect163r2
# ===========================================================
@@ -133,6 +136,7 @@ VerifyMode = Peer
[test-3]
ExpectedResult = Success
+ExpectedTmpKeyType = sect193r1
# ===========================================================
@@ -159,6 +163,7 @@ VerifyMode = Peer
[test-4]
ExpectedResult = Success
+ExpectedTmpKeyType = sect193r2
# ===========================================================
@@ -185,6 +190,7 @@ VerifyMode = Peer
[test-5]
ExpectedResult = Success
+ExpectedTmpKeyType = sect233k1
# ===========================================================
@@ -211,6 +217,7 @@ VerifyMode = Peer
[test-6]
ExpectedResult = Success
+ExpectedTmpKeyType = sect233r1
# ===========================================================
@@ -237,6 +244,7 @@ VerifyMode = Peer
[test-7]
ExpectedResult = Success
+ExpectedTmpKeyType = sect239k1
# ===========================================================
@@ -263,6 +271,7 @@ VerifyMode = Peer
[test-8]
ExpectedResult = Success
+ExpectedTmpKeyType = sect283k1
# ===========================================================
@@ -289,6 +298,7 @@ VerifyMode = Peer
[test-9]
ExpectedResult = Success
+ExpectedTmpKeyType = sect283r1
# ===========================================================
@@ -315,6 +325,7 @@ VerifyMode = Peer
[test-10]
ExpectedResult = Success
+ExpectedTmpKeyType = sect409k1
# ===========================================================
@@ -341,6 +352,7 @@ VerifyMode = Peer
[test-11]
ExpectedResult = Success
+ExpectedTmpKeyType = sect409r1
# ===========================================================
@@ -367,6 +379,7 @@ VerifyMode = Peer
[test-12]
ExpectedResult = Success
+ExpectedTmpKeyType = sect571k1
# ===========================================================
@@ -393,6 +406,7 @@ VerifyMode = Peer
[test-13]
ExpectedResult = Success
+ExpectedTmpKeyType = sect571r1
# ===========================================================
@@ -419,6 +433,7 @@ VerifyMode = Peer
[test-14]
ExpectedResult = Success
+ExpectedTmpKeyType = secp160k1
# ===========================================================
@@ -445,6 +460,7 @@ VerifyMode = Peer
[test-15]
ExpectedResult = Success
+ExpectedTmpKeyType = secp160r1
# ===========================================================
@@ -471,6 +487,7 @@ VerifyMode = Peer
[test-16]
ExpectedResult = Success
+ExpectedTmpKeyType = secp160r2
# ===========================================================
@@ -497,6 +514,7 @@ VerifyMode = Peer
[test-17]
ExpectedResult = Success
+ExpectedTmpKeyType = secp192k1
# ===========================================================
@@ -523,6 +541,7 @@ VerifyMode = Peer
[test-18]
ExpectedResult = Success
+ExpectedTmpKeyType = prime192v1
# ===========================================================
@@ -549,6 +568,7 @@ VerifyMode = Peer
[test-19]
ExpectedResult = Success
+ExpectedTmpKeyType = secp224k1
# ===========================================================
@@ -575,6 +595,7 @@ VerifyMode = Peer
[test-20]
ExpectedResult = Success
+ExpectedTmpKeyType = secp224r1
# ===========================================================
@@ -601,6 +622,7 @@ VerifyMode = Peer
[test-21]
ExpectedResult = Success
+ExpectedTmpKeyType = secp256k1
# ===========================================================
@@ -627,6 +649,7 @@ VerifyMode = Peer
[test-22]
ExpectedResult = Success
+ExpectedTmpKeyType = prime256v1
# ===========================================================
@@ -653,6 +676,7 @@ VerifyMode = Peer
[test-23]
ExpectedResult = Success
+ExpectedTmpKeyType = secp384r1
# ===========================================================
@@ -679,6 +703,7 @@ VerifyMode = Peer
[test-24]
ExpectedResult = Success
+ExpectedTmpKeyType = secp521r1
# ===========================================================
@@ -705,6 +730,7 @@ VerifyMode = Peer
[test-25]
ExpectedResult = Success
+ExpectedTmpKeyType = brainpoolP256r1
# ===========================================================
@@ -731,6 +757,7 @@ VerifyMode = Peer
[test-26]
ExpectedResult = Success
+ExpectedTmpKeyType = brainpoolP384r1
# ===========================================================
@@ -757,6 +784,7 @@ VerifyMode = Peer
[test-27]
ExpectedResult = Success
+ExpectedTmpKeyType = brainpoolP512r1
# ===========================================================
@@ -783,5 +811,6 @@ VerifyMode = Peer
[test-28]
ExpectedResult = Success
+ExpectedTmpKeyType = X25519
diff --git a/test/ssl-tests/14-curves.conf.in b/test/ssl-tests/14-curves.conf.in
index dec2be2..6e98b5a 100644
--- a/test/ssl-tests/14-curves.conf.in
+++ b/test/ssl-tests/14-curves.conf.in
@@ -35,7 +35,10 @@ sub generate_tests() {
"CipherString" => "ECDHE",
"Curves" => $curve
},
- test => { "ExpectedResult" => "Success" },
+ test => {
+ "ExpectedTmpKeyType" => $curve,
+ "ExpectedResult" => "Success"
+ },
};
}
}
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 2003fd7..61850eb 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -187,6 +187,17 @@ static int check_resumption(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
return 1;
}
+static int check_tmp_key(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+{
+ if (test_ctx->expected_tmp_key_type == 0
+ || test_ctx->expected_tmp_key_type == result->tmp_key_type)
+ return 1;
+ fprintf(stderr, "Tmp key type mismatch, %s vs %s\n",
+ OBJ_nid2ln(test_ctx->expected_tmp_key_type),
+ OBJ_nid2ln(result->tmp_key_type));
+ return 0;
+}
+
/*
* This could be further simplified by constructing an expected
* HANDSHAKE_RESULT, and implementing comparison methods for
@@ -207,6 +218,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
#endif
ret &= check_alpn(result, test_ctx);
ret &= check_resumption(result, test_ctx);
+ ret &= check_tmp_key(result, test_ctx);
}
return ret;
}
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index e8f2943..2c5ba1e 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -432,6 +432,30 @@ IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, app_data_size)
IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, max_fragment_size)
+/***********************/
+/* ExpectedTmpKeyType */
+/***********************/
+
+__owur static int parse_expected_tmp_key_type(SSL_TEST_CTX *test_ctx,
+ const char *value)
+{
+ int nid;
+
+ if (value == NULL)
+ return 0;
+ nid = OBJ_sn2nid(value);
+ if (nid == NID_undef)
+ nid = OBJ_ln2nid(value);
+#ifndef OPENSSL_NO_EC
+ if (nid == NID_undef)
+ nid = EC_curve_nist2nid(value);
+#endif
+ if (nid == NID_undef)
+ return 0;
+ test_ctx->expected_tmp_key_type = nid;
+ return 1;
+}
+
/*************************************************************/
/* Known test options and their corresponding parse methods. */
/*************************************************************/
@@ -456,6 +480,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "ResumptionExpected", &parse_test_resumption_expected },
{ "ApplicationData", &parse_test_app_data_size },
{ "MaxFragmentSize", &parse_test_max_fragment_size },
+ { "ExpectedTmpKeyType", &parse_expected_tmp_key_type },
};
/* Nested client options. */
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 14acaff..995d518 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -159,6 +159,8 @@ typedef struct {
char *expected_alpn_protocol;
/* Whether the second handshake is resumed or a full handshake (boolean). */
int resumption_expected;
+ /* Expected temporary key type */
+ int expected_tmp_key_type;
} SSL_TEST_CTX;
const char *ssl_test_result_name(ssl_test_result_t result);
More information about the openssl-commits
mailing list