Fix ssltest to use 1024-bit DHE parameters (b6f33dce) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/ssltest.c

+11 −9

Original line number	Diff line number	Diff line
		@@ -692,7 +692,9 @@ static void sv_usage(void)
		" -bytes <val> - number of bytes to swap between client/server\n");
		#ifndef OPENSSL_NO_DH
		fprintf(stderr,
		" -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
		" -dhe512 - use 512 bit key for DHE (to test failure)\n");
		fprintf(stderr,
		" -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
		fprintf(stderr,
		" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
		fprintf(stderr, " -no_dhe - disable DHE\n");
		@@ -901,7 +903,7 @@ int main(int argc, char *argv[])
		long bytes = 256L;
		#ifndef OPENSSL_NO_DH
		DH *dh;
		int dhe1024 = 0, dhe1024dsa = 0;
		int dhe512 = 0, dhe1024dsa = 0;
		#endif
		#ifndef OPENSSL_NO_ECDH
		EC_KEY *ecdh = NULL;
		@@ -981,19 +983,19 @@ int main(int argc, char *argv[])
		debug = 1;
		else if (strcmp(*argv, "-reuse") == 0)
		reuse = 1;
		else if (strcmp(*argv, "-dhe1024") == 0) {
		else if (strcmp(*argv, "-dhe512") == 0) {
		#ifndef OPENSSL_NO_DH
		dhe1024 = 1;
		dhe512 = 1;
		#else
		fprintf(stderr,
		"ignoring -dhe1024, since I'm compiled without DH\n");
		"ignoring -dhe512, since I'm compiled without DH\n");
		#endif
		} else if (strcmp(*argv, "-dhe1024dsa") == 0) {
		#ifndef OPENSSL_NO_DH
		dhe1024dsa = 1;
		#else
		fprintf(stderr,
		"ignoring -dhe1024, since I'm compiled without DH\n");
		"ignoring -dhe1024dsa, since I'm compiled without DH\n");
		#endif
		} else if (strcmp(*argv, "-no_dhe") == 0)
		no_dhe = 1;
		@@ -1318,10 +1320,10 @@ int main(int argc, char *argv[])
		*/
		SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
		dh = get_dh1024dsa();
		} else if (dhe1024)
		dh = get_dh1024();
		else
		} else if (dhe512)
		dh = get_dh512();
		else
		dh = get_dh1024();
		SSL_CTX_set_tmp_dh(s_ctx, dh);
		DH_free(dh);
		}

test/testssl

+34 −4

Original line number	Diff line number	Diff line
		@@ -145,10 +145,9 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra \|\| exit 1
		echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
		$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra \|\| exit 1

		echo "Testing ciphersuites"
		for protocol in TLSv1.2 SSLv3; do
		echo "Testing ciphersuites for $protocol"
		for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" \| tr ':' ' '`; do
		test_cipher() {
		local cipher=$1
		local protocol=$2
		echo "Testing $cipher"
		prot=""
		if [ $protocol = "SSLv3" ] ; then
		@@ -159,7 +158,38 @@ for protocol in TLSv1.2 SSLv3; do
		echo "Failed $cipher"
		exit 1
		fi
		}

		echo "Testing ciphersuites"
		for protocol in TLSv1.2 SSLv3; do
		echo "Testing ciphersuites for $protocol"
		for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" \| tr ':' ' '`; do
		test_cipher $cipher $protocol
		done
		if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
		echo "skipping RSA+DHE tests"
		else
		for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" \| tr ':' ' '`; do
		test_cipher $cipher $protocol
		done
		echo "testing connection with weak DH, expecting failure"
		if [ $protocol = "SSLv3" ] ; then
		$ssltest -cipher EDH -dhe512 -ssl3
		else
		$ssltest -cipher EDH -dhe512
		fi
		if [ $? -eq 0 ]; then
		echo "FAIL: connection with weak DH succeeded"
		exit 1
		fi
		fi
		if ../util/shlib_wrap.sh ../apps/openssl no-ec; then
		echo "skipping RSA+ECDHE tests"
		else
		for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" \| tr ':' ' '`; do
		test_cipher $cipher $protocol
		done
		fi
		done

		#############################################################################