mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
f1ffaaeece
Fix dh_rfc5114 option in genpkey. Fixes #14145 Fixes #13956 Fixes #13952 Fixes #13871 Fixes #14054 Fixes #14444 Updated documentation for app to indicate what options are available for DH and DHX keys. DH and DHX now have different keymanager gen_set_params() methods. Added CHANGES entry to indicate the breaking change. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14883)
171 lines
5.7 KiB
Perl
171 lines
5.7 KiB
Perl
#! /usr/bin/env perl
|
|
# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use OpenSSL::Test;
|
|
use OpenSSL::Test::Utils;
|
|
|
|
setup("test_gendhparam");
|
|
|
|
my @testdata = (
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ "type:fips186_4", 'digest:SHA256', 'gindex:1' ],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
|
|
message => 'DH fips186_4 param gen with verifiable g',
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ "type:fips186_4", 'digest:SHA256', 'gindex:1' ],
|
|
expect => [ 'ERROR' ],
|
|
message => 'fips186_4 param gen should fail if DHX is not used',
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ "type:fips186_4", 'digest:SHA512-224', 'gindex:1' ],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
|
|
message => 'DH fips186_4 param gen with verifiable g and truncated digest',
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'type:fips186_2', 'pbits:1024', 'qbits:160' ],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'h:', 'pcounter:', 'SEED:' ],
|
|
message => 'DHX fips186_2 param gen with a selected p and q size with unverifyable g',
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
|
|
message => 'DHX fips186_2 param gen with a selected p and q size using aliased',
|
|
expect => [ "BEGIN X9.42 DH PARAMETERS" ],
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
|
|
message => 'DH fips186_2 param gen with a selected p and q size using aliases should fail',
|
|
expect => [ "ERROR" ],
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ 'group:ffdhe2048'],
|
|
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DH named group ffdhe selection',
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ 'dh_param:ffdhe8192'],
|
|
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DH named group ffdhe selection using alias',
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ 'group:modp_3072'],
|
|
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DH named group modp selection',
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ 'dh_param:modp_4096'],
|
|
message => 'DH named group modp selection using alias',
|
|
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:'],
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'group:dh_2048_256' ],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DHX RFC5114 named group selection',
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'dh_param:dh_2048_224' ],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DHX RFC5114 named group selection using alias',
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'dh_rfc5114:2'],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DHX RFC5114 named group selection using an id',
|
|
},
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
|
|
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
|
|
message => 'DHX paramgen_type is ignored if the group is set',
|
|
},
|
|
{
|
|
algorithm => 'DH',
|
|
pkeyopts => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
|
|
expect => [ 'ERROR' ],
|
|
message => "Setting dh_paramgen_type to fips186 should fail for DH keys",
|
|
},
|
|
# These tests using the safeprime generator were removed as they are slow..
|
|
# {
|
|
# algorithm => 'DH',
|
|
# pkeyopts => [ 'type:generator', 'safeprime-generator:5'],
|
|
# expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
|
|
# message => 'DH safe prime generator',
|
|
# },
|
|
# {
|
|
# algorithm => 'DH',
|
|
# pkeyopts => [ 'dh_paramgen_type:0', 'dh_paramgen_generator:5'],
|
|
# expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
|
|
# message => 'DH safe prime generator using an alias',
|
|
# },
|
|
{
|
|
algorithm => 'DHX',
|
|
pkeyopts => [ 'type:generator', 'safeprime-generator:5'],
|
|
expect => [ 'ERROR' ],
|
|
message => 'safe prime generator should fail for DHX',
|
|
},
|
|
);
|
|
|
|
plan skip_all => "DH isn't supported in this build" if disabled("dh");
|
|
|
|
plan tests => scalar @testdata;
|
|
|
|
foreach my $test (@testdata) {
|
|
my $alg = $test->{algorithm};
|
|
my $msg = $test->{message};
|
|
my @testargs = @{ $test->{pkeyopts} };
|
|
my @expected = @{ $test->{expect} };
|
|
my @pkeyopts= ();
|
|
foreach (@testargs) {
|
|
push(@pkeyopts, '-pkeyopt');
|
|
push(@pkeyopts, $_);
|
|
}
|
|
my @lines = run(app(['openssl', 'genpkey', '-genparam',
|
|
'-algorithm', $alg, '-text', @pkeyopts]),
|
|
capture => 1);
|
|
ok(compareline(\@lines, \@expected), $msg);
|
|
}
|
|
|
|
# Check that the stdout output matches the expected value.
|
|
sub compareline {
|
|
my ($ref_lines, $ref_expected) = @_;
|
|
my @lines = @$ref_lines;
|
|
my @expected = @$ref_expected;
|
|
|
|
if (@lines == 0 and $expected[0] eq 'ERROR') {
|
|
return 1;
|
|
}
|
|
print "-----------------\n";
|
|
foreach (@lines) {
|
|
print $_;
|
|
}
|
|
print "-----------------\n";
|
|
foreach my $ex (@expected) {
|
|
if ( !grep { index($_, $ex) >= 0 } @lines) {
|
|
print "ERROR: Cannot find: $ex\n";
|
|
return 0;
|
|
}
|
|
}
|
|
return 1;
|
|
}
|