mirror of https://github.com/openssl/openssl.git synced 2024-12-21 06:09:35 +08:00
openssl/test/recipes/15-test_gendhparam.t
Shane Lontis f1ffaaeece Fixes related to separation of DH and DHX types
Fix dh_rfc5114 option in genpkey.

Fixes 
Fixes 
Fixes 
Fixes 
Fixes 
Fixes 

Updated documentation for app to indicate what options are available for
DH and DHX keys.

DH and DHX now have different keymanager gen_set_params() methods.

Added CHANGES entry to indicate the breaking change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)
2021-04-26 19:52:11 +02:00


#! /usr/bin/env perl
# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils;
setup('test_gendhparam');

# Table of 'openssl genpkey -genparam' cases.  Each entry holds:
#   algorithm - value passed to '-algorithm'
#   pkeyopts  - values passed one by one as '-pkeyopt <value>'
#   expect    - substrings that must each appear somewhere in the captured
#               stdout; the single entry 'ERROR' marks a case that is
#               expected to fail (see compareline)
#   message   - description reported with the test result
#
# The 'ERROR' entries pin down the DH/DHX separation: FIPS 186 style
# generation is only accepted for DHX, and the safe-prime generator only
# for DH.
my @testdata = (
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'type:fips186_4', 'digest:SHA256', 'gindex:1' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
        message   => 'DH fips186_4 param gen with verifiable g',
    },
    {
        algorithm => 'DH',
        pkeyopts  => [ 'type:fips186_4', 'digest:SHA256', 'gindex:1' ],
        expect    => [ 'ERROR' ],
        message   => 'fips186_4 param gen should fail if DHX is not used',
    },
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'type:fips186_4', 'digest:SHA512-224', 'gindex:1' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
        message   => 'DH fips186_4 param gen with verifiable g and truncated digest',
    },

    # 1024-bit p with a 160-bit q are the legacy FIPS 186-2 sizes; in this
    # file they appear purely as test inputs.
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'type:fips186_2', 'pbits:1024', 'qbits:160' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'h:', 'pcounter:', 'SEED:' ],
        message   => 'DHX fips186_2 param gen with a selected p and q size with unverifyable g',
    },
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS' ],
        message   => 'DHX fips186_2 param gen with a selected p and q size using aliased',
    },
    {
        algorithm => 'DH',
        pkeyopts  => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
        expect    => [ 'ERROR' ],
        message   => 'DH fips186_2 param gen with a selected p and q size using aliases should fail',
    },

    # Named groups: 'group:' is the option name, 'dh_param:' its alias.
    {
        algorithm => 'DH',
        pkeyopts  => [ 'group:ffdhe2048' ],
        expect    => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
        message   => 'DH named group ffdhe selection',
    },
    {
        algorithm => 'DH',
        pkeyopts  => [ 'dh_param:ffdhe8192' ],
        expect    => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
        message   => 'DH named group ffdhe selection using alias',
    },
    {
        algorithm => 'DH',
        pkeyopts  => [ 'group:modp_3072' ],
        expect    => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
        message   => 'DH named group modp selection',
    },
    {
        algorithm => 'DH',
        pkeyopts  => [ 'dh_param:modp_4096' ],
        expect    => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
        message   => 'DH named group modp selection using alias',
    },

    # RFC 5114 groups are selected through DHX, by name or by numeric id.
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'group:dh_2048_256' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
        message   => 'DHX RFC5114 named group selection',
    },
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'dh_param:dh_2048_224' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
        message   => 'DHX RFC5114 named group selection using alias',
    },
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'dh_rfc5114:2' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
        message   => 'DHX RFC5114 named group selection using an id',
    },
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
        expect    => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
        message   => 'DHX paramgen_type is ignored if the group is set',
    },
    {
        algorithm => 'DH',
        pkeyopts  => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
        expect    => [ 'ERROR' ],
        message   => 'Setting dh_paramgen_type to fips186 should fail for DH keys',
    },

    # These tests using the safeprime generator were removed as they are slow.
    # {
    #     algorithm => 'DH',
    #     pkeyopts  => [ 'type:generator', 'safeprime-generator:5' ],
    #     expect    => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
    #     message   => 'DH safe prime generator',
    # },
    # {
    #     algorithm => 'DH',
    #     pkeyopts  => [ 'dh_paramgen_type:0', 'dh_paramgen_generator:5' ],
    #     expect    => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
    #     message   => 'DH safe prime generator using an alias',
    # },
    {
        algorithm => 'DHX',
        pkeyopts  => [ 'type:generator', 'safeprime-generator:5' ],
        expect    => [ 'ERROR' ],
        message   => 'safe prime generator should fail for DHX',
    },
);
# Skip the whole recipe when the build has DH disabled; otherwise plan one
# test per entry of @testdata.
plan skip_all => "DH isn't supported in this build" if disabled("dh");
plan tests => scalar @testdata;

# Run genpkey once per table entry and compare its captured stdout with the
# entry's expectations.
#
# NOTE(review): only the captured stdout is inspected here; the exit status
# of the command is not looked at, so an expected failure is recognised
# purely through compareline's empty-output rule.  OpenSSL::Test's run()
# appears to offer a 'statusvar' option that could be asserted as well --
# confirm before relying on it.
foreach my $test (@testdata) {
    my ($alg, $msg) = @{$test}{qw(algorithm message)};
    my @expected = @{ $test->{expect} };

    # Each option value becomes its own '-pkeyopt <value>' argument pair.
    my @pkeyopts = map { ('-pkeyopt', $_) } @{ $test->{pkeyopts} };

    my @lines = run(
        app([
            'openssl', 'genpkey', '-genparam',
            '-algorithm', $alg, '-text', @pkeyopts,
        ]),
        capture => 1,
    );

    ok(compareline(\@lines, \@expected), $msg);
}
# Decide whether captured stdout satisfies a test's expectations.
#
# Arguments: a reference to the captured output lines and a reference to the
# list of expected substrings.  Returns 1 on a match and 0 otherwise.
#
# An expected failure is written as 'ERROR' in the first expectation slot and
# is accepted as soon as nothing at all was captured.  In every other case
# the output is echoed between separator lines and each expected substring
# must occur (plain index() match, not a regex) in at least one line; that
# includes 'ERROR' itself when some output was produced.
#
# NOTE(review): the failure rule relies on empty stdout only; no exit status
# reaches this function, so it cannot tell a rejected option from any other
# reason for silent output.
sub compareline {
    my ($ref_lines, $ref_expected) = @_;
    my @output = @{$ref_lines};
    my @wanted = @{$ref_expected};

    # Expected-failure shortcut: no output at all counts as the error case.
    return 1 if !@output && $wanted[0] eq 'ERROR';

    my $rule = "-----------------\n";
    print $rule;
    for my $line (@output) {
        print $line;
    }
    print $rule;

    WANTED:
    for my $needle (@wanted) {
        for my $line (@output) {
            next WANTED if index($line, $needle) >= 0;
        }

        # No captured line contained this substring.
        print "ERROR: Cannot find: $needle\n";
        return 0;
    }

    return 1;
}