Commit 29a90816 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Update key sizes to 2048 bits.

Only build ssltest with fipsld.

Include FIPS mode test for ssltest.
parent 4bea4540
Loading
Loading
Loading
Loading
+1 −1
Original line number Diff line number Diff line
@@ -7,7 +7,7 @@ RANDFILE = ./.rnd

####################################################################
[ req ]
default_bits		= 512
default_bits		= 2048
default_keyfile 	= keySS.pem
distinguished_name	= req_distinguished_name
encrypt_rsa_key		= no
+13 −1
Original line number Diff line number Diff line
@@ -275,6 +275,9 @@ test_engine:
test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
		intP1.ss intP2.ss
	@echo "test SSL protocol"
	@if [ -n "$(FIPSCANLIB)" ]; then \
	  sh ./testfipsssl keyU.ss certU.ss certCA.ss; \
	fi
	../util/shlib_wrap.sh ./$(SSLTEST) -test_cipherlist
	@sh ./testssl keyU.ss certU.ss certCA.ss
	@sh ./testsslproxy keyP1.ss certP1.ss intP1.ss
@@ -344,6 +347,15 @@ BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
		shlib_target="$(SHLIB_TARGET)"; \
	fi; \
	LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
	$(MAKE) -f $(TOP)/Makefile.shared -e \
		CC="$${CC}" APPNAME=$$target$(EXE_EXT) OBJECTS="$$target.o" \
		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
		link_app.$${shlib_target}

FIPS_BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
		shlib_target="$(SHLIB_TARGET)"; \
	fi; \
	LIBRARIES="$(LIBSSL) $(LIBCRYPTO) $(LIBKRB5)"; \
	if [ -z "$(SHARED_LIBS)" -a -n "$(FIPSCANLIB)" ] ; then \
		FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)bin/fipsld; export CC FIPSLD_CC; \
	fi; \
@@ -431,7 +443,7 @@ $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
	@target=$(METHTEST); $(BUILD_CMD)

$(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
	@target=$(SSLTEST); $(BUILD_CMD)
	@target=$(SSLTEST); $(FIPS_BUILD_CMD)

$(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
	@target=$(ENGINETEST); $(BUILD_CMD)
+2 −2
Original line number Diff line number Diff line
@@ -7,11 +7,11 @@ RANDFILE = ./.rnd

####################################################################
[ req ]
default_bits		= 512
default_bits		= 2048
default_keyfile 	= keySS.pem
distinguished_name	= req_distinguished_name
encrypt_rsa_key		= no
default_md		= md2
default_md		= sha256

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)

test/testfipsssl

0 → 100644
+113 −0
Original line number Diff line number Diff line
#!/bin/sh

if [ "$1" = "" ]; then
  key=../apps/server.pem
else
  key="$1"
fi
if [ "$2" = "" ]; then
  cert=../apps/server.pem
else
  cert="$2"
fi

ciphers="DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA"

ssltest="../util/shlib_wrap.sh ./ssltest -F -key $key -cert $cert -c_key $key -c_cert $cert -cipher $ciphers"

if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
else
  dsa_cert=NO
fi

if [ "$3" = "" ]; then
  CA="-CApath ../certs"
else
  CA="-CAfile $3"
fi

if [ "$4" = "" ]; then
  extra=""
else
  extra="$4"
fi

#############################################################################

echo test ssl3 is forbidden in FIPS mode
$ssltest -ssl3 $extra && exit 1

echo test ssl2 is forbidden in FIPS mode
$ssltest -ssl2 $extra && exit 1

echo test tls1
$ssltest -tls1 $extra || exit 1

echo test tls1 with server authentication
$ssltest -tls1 -server_auth $CA $extra || exit 1

echo test tls1 with client authentication
$ssltest -tls1 -client_auth $CA $extra || exit 1

echo test tls1 with both client and server authentication
$ssltest -tls1 -server_auth -client_auth $CA $extra || exit 1

echo test tls1 via BIO pair
$ssltest -bio_pair -tls1 $extra || exit 1

echo test tls1 with server authentication via BIO pair
$ssltest -bio_pair -tls1 -server_auth $CA $extra || exit 1

echo test tls1 with client authentication via BIO pair
$ssltest -bio_pair -tls1 -client_auth $CA $extra || exit 1

echo test tls1 with both client and server authentication via BIO pair
$ssltest -bio_pair -tls1 -server_auth -client_auth $CA $extra || exit 1

# note that all the below actually choose TLS...

if [ $dsa_cert = NO ]; then
  echo test sslv2/sslv3 w/o DHE via BIO pair
  $ssltest -bio_pair -no_dhe $extra || exit 1
fi

echo test sslv2/sslv3 with 1024bit DHE via BIO pair
$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1

echo test sslv2/sslv3 with server authentication
$ssltest -bio_pair -server_auth $CA $extra || exit 1

echo test sslv2/sslv3 with client authentication via BIO pair
$ssltest -bio_pair -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair
$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1

echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1

#############################################################################

if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  echo skipping anonymous DH tests
else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
fi

if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping RSA tests
else
  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1

  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo skipping RSA+DHE tests
  else
    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
  fi
fi

exit 0