mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-15 06:01:37 +08:00
Code Issues Packages Projects Releases Wiki Activity
c6df354c2a
openssl/test/recipes/30-test_evp.t
Shane Lontis 46eee7104d Add domain parameter match check for DH and ECDH key exchange. 
Fixes #14808

Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)
2021-04-14 16:01:13 +10:00

184 lines
6.1 KiB
Perl
Raw Blame History

#! /usr/bin/env perl
# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw(:DEFAULT data_file bldtop_dir srctop_file srctop_dir bldtop_file);
use OpenSSL::Test::Utils;
BEGIN {
setup("test_evp");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
my $no_legacy = disabled('legacy') || ($ENV{NO_LEGACY} // 0);
my $no_dh = disabled("dh");
my $no_dsa = disabled("dsa");
my $no_ec = disabled("ec");
my $no_gost = disabled("gost");
my $no_sm2 = disabled("sm2");
# Default config depends on if the legacy module is built or not
my $defaultcnf = $no_legacy ? 'default.cnf' : 'default-and-legacy.cnf';
my @configs = ( $defaultcnf );
# Only add the FIPS config if the FIPS module has been built
push @configs, 'fips-and-base.cnf' unless $no_fips;
# A list of tests that run with both the default and fips provider.
my @files = qw(
evpciph_aes_ccm_cavs.txt
evpciph_aes_common.txt
evpciph_aes_cts.txt
evpciph_aes_wrap.txt
evpciph_des3_common.txt
evpkdf_hkdf.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
evpkdf_ssh.txt
evpkdf_tls12_prf.txt
evpkdf_x942.txt
evpkdf_x963.txt
evpmac_common.txt
evpmd_sha.txt
evppbe_pbkdf2.txt
evppkey_kdf_hkdf.txt
evppkey_rsa_common.txt
evprand.txt
);
push @files, qw(
evppkey_ffdhe.txt
evppkey_dh.txt
) unless $no_dh;
push @files, qw(evppkey_dsa.txt) unless $no_dsa;
push @files, qw(evppkey_ecx.txt) unless $no_ec;
push @files, qw(
evppkey_ecc.txt
evppkey_ecdh.txt
evppkey_ecdsa.txt
evppkey_kas.txt
evppkey_mismatch.txt
) unless $no_ec || $no_gost;
# A list of tests that only run with the default provider
# (i.e. The algorithms are not present in the fips provider)
my @defltfiles = qw(
evpciph_aes_ocb.txt
evpciph_aes_siv.txt
evpciph_aria.txt
evpciph_bf.txt
evpciph_camellia.txt
evpciph_cast5.txt
evpciph_chacha.txt
evpciph_des.txt
evpciph_idea.txt
evpciph_rc2.txt
evpciph_rc4.txt
evpciph_rc5.txt
evpciph_seed.txt
evpciph_sm4.txt
evpencod.txt
evpkdf_krb5.txt
evpkdf_scrypt.txt
evpkdf_tls11_prf.txt
evpmac_blake.txt
evpmac_poly1305.txt
evpmac_siphash.txt
evpmd_blake.txt
evpmd_md.txt
evpmd_mdc2.txt
evpmd_ripemd.txt
evpmd_sm3.txt
evpmd_whirlpool.txt
evppbe_scrypt.txt
evppbe_pkcs12.txt
evppkey_kdf_scrypt.txt
evppkey_kdf_tls1_prf.txt
evppkey_rsa.txt
);
push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec;
push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2;
plan tests =>
+ (scalar(@configs) * scalar(@files))
+ scalar(@defltfiles)
+ 3; # error output tests
foreach (@configs) {
my $conf = srctop_file("test", $_);
foreach my $f ( @files ) {
ok(run(test(["evp_test",
"-config", $conf,
data_file("$f")])),
"running evp_test -config $conf $f");
}
}
my $conf = srctop_file("test", $defaultcnf);
foreach my $f ( @defltfiles ) {
ok(run(test(["evp_test",
"-config", $conf,
data_file("$f")])),
"running evp_test -config $conf $f");
}
# test_errors OPTIONS
#
# OPTIONS may include:
#
# key => "filename" # expected to be found in $SRCDIR/test/certs
# out => "filename" # file to write error strings to
# args => [ ... extra openssl pkey args ... ]
# expected => regexps to match error lines against
sub test_errors { # actually tests diagnostics of OSSL_STORE
my %opts = @_;
my $infile = srctop_file('test', 'certs', $opts{key});
my @args = ( qw(openssl pkey -in), $infile, @{$opts{args} // []} );
my $res = !run(app([@args], stderr => $opts{out}));
my $found = !exists $opts{expected};
open(my $in, '<', $opts{out}) or die "Could not open file $opts{out}";
while(my $errline = <$in>) {
print $errline; # this may help debugging
# output must not include ASN.1 parse errors
$res &&= $errline !~ m/asn1 encoding/;
# output must include what is expressed in $opts{$expected}
$found = 1
if exists $opts{expected} && $errline =~ m/$opts{expected}/;
}
close $in;
# $tmpfile is kept to help with investigation in case of failure
return $res && $found;
}
SKIP: {
skip "DSA not disabled", 2 if !disabled("dsa");
ok(test_errors(key => 'server-dsa-key.pem',
out => 'server-dsa-key.err'),
"expected error loading unsupported dsa private key");
ok(test_errors(key => 'server-dsa-pubkey.pem',
out => 'server-dsa-pubkey.err',
args => [ '-pubin' ],
expected => 'unsupported algorithm'),
"expected error loading unsupported dsa public key");
}
SKIP: {
skip "SM2 not disabled", 1 if !disabled("sm2");
ok(test_errors(key => 'sm2.key', out => 'sm2.err'),
"expected error loading unsupported sm2 private key");
}
Reference in New Issue View Git Blame Copy Permalink