[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Richard Levitte levitte at openssl.org
Fri Apr 13 15:42:26 UTC 2018


The branch OpenSSL_1_1_0-stable has been updated
       via  ec46830f8a4ce62c0c8ee7677b1eb8e53ee16df1 (commit)
      from  2a479a86bd5eca8792a75a08c836b405f3cef4d6 (commit)


- Log -----------------------------------------------------------------
commit ec46830f8a4ce62c0c8ee7677b1eb8e53ee16df1
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Mar 26 11:08:12 2018 +0200

    test/recipes/test_genrsa.t : don't fail because of size limit changes
    
    There is a test to check that 'genrsa' doesn't accept an absurdly low
    number of bits.  Apart from that, this test is designed to check the
    working functionality of 'openssl genrsa', so instead of having a hard
    coded lower limit on the key size, let's figure out what it is.
    
    Partially fixes #5751
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/5754)

-----------------------------------------------------------------------

Summary of changes:
 test/recipes/15-test_genrsa.t | 37 +++++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index cc74e30..270c2cc 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -18,9 +18,38 @@ setup("test_genrsa");
 
 plan tests => 5;
 
+# We want to know that an absurdly small number of bits isn't support
 is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
-ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '16'])), "genrsa -3 16");
-ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check");
-ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', '16'])), "genrsa -f4 16");
-ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout'])), "rsa -check");
+
+# Depending on the shared library, we might have different lower limits.
+# Let's find it!  This is a simple binary search
+# ------------------------------------------------------------
+# NOTE: $good may need an update in the future
+# ------------------------------------------------------------
+note "Looking for lowest amount of bits";
+my $bad = 3;                    # Log2 of number of bits (2 << 3  == 8)
+my $good = 11;                  # Log2 of number of bits (2 << 11 == 2048)
+while ($good > $bad + 1) {
+    my $checked = int(($good + $bad + 1) / 2);
+    if (run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem',
+                  2 ** $checked ], stderr => undef))) {
+        note 2 ** $checked, " bits is good";
+        $good = $checked;
+    } else {
+        note 2 ** $checked, " bits is bad";
+        $bad = $checked;
+    }
+}
+$good++ if $good == $bad;
+$good = 2 ** $good;
+note "Found lowest allowed amount of bits to be $good";
+
+ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])),
+   "genrsa -3 $good");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+   "rsa -check");
+ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
+   "genrsa -f4 $good");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+   "rsa -check");
 unlink 'genrsatest.pem';
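
Review bot: The comments on the `my $bad = 3;` and `my $good = 11;` lines give the wrong arithmetic: `2 << 3` is 16 and `2 << 11` is 4096, while the code below actually computes `2 ** $checked` (8 and 2048). Suggest writing the comments as `2 ** 3 == 8` and `2 ** 11 == 2048` so they match the probe. Further down, `$good++ if $good == $bad;` can never fire: the loop starts with `$good > $bad`, `$checked` always lands strictly between the two while `$good > $bad + 1`, so the loop exits with `$good == $bad + 1`; the line can be dropped. The search also probes only powers of two, so "Found lowest allowed amount of bits" overstates the result; it is the lowest accepted power of two, and the note should say so. Finally, the new first comment has a typo ("isn't support" should be "isn't supported"), and the `8` in the rejection test above it is still hard coded, which is worth a word in that comment since the rest of the recipe now adapts to the library's limit.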

