1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
#! /usr/bin/env perl
# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils;
setup("test_gendhparam");
my @testdata = (
{
algorithm => 'DHX',
pkeyopts => [ "type:fips186_4", 'digest:SHA256', 'gindex:1' ],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
message => 'DH fips186_4 param gen with verifiable g',
},
{
algorithm => 'DH',
pkeyopts => [ "type:fips186_4", 'digest:SHA256', 'gindex:1' ],
expect => [ 'ERROR' ],
message => 'fips186_4 param gen should fail if DHX is not used',
},
{
algorithm => 'DHX',
pkeyopts => [ "type:fips186_4", 'digest:SHA512-224', 'gindex:1' ],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'gindex:', 'pcounter:', 'SEED:' ],
message => 'DH fips186_4 param gen with verifiable g and truncated digest',
},
{
algorithm => 'DHX',
pkeyopts => [ 'type:fips186_2', 'pbits:1024', 'qbits:160' ],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'h:', 'pcounter:', 'SEED:' ],
message => 'DHX fips186_2 param gen with a selected p and q size with unverifyable g',
},
{
algorithm => 'DHX',
pkeyopts => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
message => 'DHX fips186_2 param gen with a selected p and q size using aliased',
expect => [ "BEGIN X9.42 DH PARAMETERS" ],
},
{
algorithm => 'DH',
pkeyopts => [ 'type:fips186_2', 'dh_paramgen_prime_len:1024', 'dh_paramgen_subprime_len:160' ],
message => 'DH fips186_2 param gen with a selected p and q size using aliases should fail',
expect => [ "ERROR" ],
},
{
algorithm => 'DH',
pkeyopts => [ 'group:ffdhe2048'],
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
message => 'DH named group ffdhe selection',
},
{
algorithm => 'DH',
pkeyopts => [ 'dh_param:ffdhe8192'],
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
message => 'DH named group ffdhe selection using alias',
},
{
algorithm => 'DH',
pkeyopts => [ 'group:modp_3072'],
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:' ],
message => 'DH named group modp selection',
},
{
algorithm => 'DH',
pkeyopts => [ 'dh_param:modp_4096'],
message => 'DH named group modp selection using alias',
expect => [ 'BEGIN DH PARAMETERS', 'GROUP:'],
},
{
algorithm => 'DHX',
pkeyopts => [ 'group:dh_2048_256' ],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
message => 'DHX RFC5114 named group selection',
},
{
algorithm => 'DHX',
pkeyopts => [ 'dh_param:dh_2048_224' ],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
message => 'DHX RFC5114 named group selection using alias',
},
{
algorithm => 'DHX',
pkeyopts => [ 'dh_rfc5114:2'],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
message => 'DHX RFC5114 named group selection using an id',
},
{
algorithm => 'DHX',
pkeyopts => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
expect => [ 'BEGIN X9.42 DH PARAMETERS', 'GROUP:' ],
message => 'DHX paramgen_type is ignored if the group is set',
},
{
algorithm => 'DH',
pkeyopts => [ 'dh_rfc5114:1', 'dh_paramgen_type:1' ],
expect => [ 'ERROR' ],
message => "Setting dh_paramgen_type to fips186 should fail for DH keys",
},
# These tests using the safeprime generator were removed as they are slow..
# {
# algorithm => 'DH',
# pkeyopts => [ 'type:generator', 'safeprime-generator:5'],
# expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
# message => 'DH safe prime generator',
# },
# {
# algorithm => 'DH',
# pkeyopts => [ 'dh_paramgen_type:0', 'dh_paramgen_generator:5'],
# expect => [ 'BEGIN DH PARAMETERS', 'G: 5' ],
# message => 'DH safe prime generator using an alias',
# },
{
algorithm => 'DHX',
pkeyopts => [ 'type:generator', 'safeprime-generator:5'],
expect => [ 'ERROR' ],
message => 'safe prime generator should fail for DHX',
}
);
plan skip_all => "DH isn't supported in this build" if disabled("dh");
plan tests => scalar @testdata;
foreach my $test (@testdata) {
my $alg = $test->{algorithm};
my $msg = $test->{message};
my @testargs = @{ $test->{pkeyopts} };
my @expected = @{ $test->{expect} };
my @pkeyopts= ();
foreach (@testargs) {
push(@pkeyopts, '-pkeyopt');
push(@pkeyopts, $_);
}
my @lines;
if ($expected[0] eq 'ERROR') {
@lines = run(app(['openssl', 'genpkey', '-genparam',
'-algorithm', $alg, '-text', @pkeyopts],
stderr => undef),
capture => 1);
} else {
@lines = run(app(['openssl', 'genpkey', '-genparam',
'-algorithm', $alg, '-text', @pkeyopts]),
capture => 1);
}
ok(compareline(\@lines, \@expected), $msg);
}
# Check that the stdout output matches the expected value.
sub compareline {
my ($ref_lines, $ref_expected) = @_;
my @lines = @$ref_lines;
my @expected = @$ref_expected;
if (@lines == 0 and $expected[0] eq 'ERROR') {
return 1;
}
print "-----------------\n";
foreach (@lines) {
print "# ".$_;
}
print "-----------------\n";
foreach my $ex (@expected) {
if ( !grep { index($_, $ex) >= 0 } @lines) {
print "ERROR: Cannot find: $ex\n";
return 0;
}
}
return 1;
}
|
