diff options
| author | inoguchi <> | 2020-05-17 08:14:26 +0000 |
|---|---|---|
| committer | inoguchi <> | 2020-05-17 08:14:26 +0000 |
| commit | ff7d072c818bd71588f3c1a4b98b5f5abb1c8ca9 (patch) | |
| tree | ea62c5c3ae67f3f4b9912de1b0ff6f7d61a06535 /src/regress/usr.bin/openssl | |
| parent | 9852350d8f1c3ae6afd90fc8a6c646a36af3fcab (diff) | |
| download | openbsd-ff7d072c818bd71588f3c1a4b98b5f5abb1c8ca9.tar.gz openbsd-ff7d072c818bd71588f3c1a4b98b5f5abb1c8ca9.tar.bz2 openbsd-ff7d072c818bd71588f3c1a4b98b5f5abb1c8ca9.zip | |
Add GOST certificate test in appstest.sh
Enabled by -g option, and default to disabled (RSA certificate is used)
Diffstat (limited to 'src/regress/usr.bin/openssl')
| -rwxr-xr-x | src/regress/usr.bin/openssl/appstest.sh | 133 |
1 files changed, 107 insertions, 26 deletions
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh index 44b13438f7..dd32d058b4 100755 --- a/src/regress/usr.bin/openssl/appstest.sh +++ b/src/regress/usr.bin/openssl/appstest.sh | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | # | 2 | # |
| 3 | # $OpenBSD: appstest.sh,v 1.39 2020/05/17 04:43:16 inoguchi Exp $ | 3 | # $OpenBSD: appstest.sh,v 1.40 2020/05/17 08:14:26 inoguchi Exp $ |
| 4 | # | 4 | # |
| 5 | # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> | 5 | # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org> |
| 6 | # | 6 | # |
| @@ -58,7 +58,7 @@ function check_exit_status { | |||
| 58 | } | 58 | } |
| 59 | 59 | ||
| 60 | function usage { | 60 | function usage { |
| 61 | echo "usage: appstest.sh [-iq]" | 61 | echo "usage: appstest.sh [-egiq]" |
| 62 | } | 62 | } |
| 63 | 63 | ||
| 64 | function test_usage_lists_others { | 64 | function test_usage_lists_others { |
| @@ -691,6 +691,8 @@ __EOF__ | |||
| 691 | # --- server-admin operations (generate server key and csr) --- | 691 | # --- server-admin operations (generate server key and csr) --- |
| 692 | section_message "server-admin operations (generate server key and csr)" | 692 | section_message "server-admin operations (generate server key and csr)" |
| 693 | 693 | ||
| 694 | # RSA certificate | ||
| 695 | |||
| 694 | server_key=$server_dir/server_key.pem | 696 | server_key=$server_dir/server_key.pem |
| 695 | server_csr=$server_dir/server_csr.pem | 697 | server_csr=$server_dir/server_csr.pem |
| 696 | server_pass=test-server-pass | 698 | server_pass=test-server-pass |
| @@ -724,6 +726,8 @@ __EOF__ | |||
| 724 | 726 | ||
| 725 | start_message "req ... generate server csr#2 (interactive mode)" | 727 | start_message "req ... generate server csr#2 (interactive mode)" |
| 726 | 728 | ||
| 729 | # RSA certificate (for revoke test) | ||
| 730 | |||
| 727 | revoke_key=$server_dir/revoke_key.pem | 731 | revoke_key=$server_dir/revoke_key.pem |
| 728 | revoke_csr=$server_dir/revoke_csr.pem | 732 | revoke_csr=$server_dir/revoke_csr.pem |
| 729 | revoke_pass=test-revoke-pass | 733 | revoke_pass=test-revoke-pass |
| @@ -737,6 +741,8 @@ revoke.test_dummy.com | |||
| 737 | __EOF__ | 741 | __EOF__ |
| 738 | check_exit_status $? | 742 | check_exit_status $? |
| 739 | 743 | ||
| 744 | # ECDSA certificate | ||
| 745 | |||
| 740 | ecdsa_key=$server_dir/ecdsa_key.pem | 746 | ecdsa_key=$server_dir/ecdsa_key.pem |
| 741 | ecdsa_csr=$server_dir/ecdsa_csr.pem | 747 | ecdsa_csr=$server_dir/ecdsa_csr.pem |
| 742 | ecdsa_pass=test-ecdsa-pass | 748 | ecdsa_pass=test-ecdsa-pass |
| @@ -768,6 +774,40 @@ __EOF__ | |||
| 768 | -out $ecdsa_csr.verify.out | 774 | -out $ecdsa_csr.verify.out |
| 769 | check_exit_status $? | 775 | check_exit_status $? |
| 770 | 776 | ||
| 777 | # GOST certificate | ||
| 778 | |||
| 779 | gost_key=$server_dir/gost_key.pem | ||
| 780 | gost_csr=$server_dir/gost_csr.pem | ||
| 781 | gost_pass=test-gost-pass | ||
| 782 | |||
| 783 | if [ $mingw = 0 ] ; then | ||
| 784 | subj='/C=JP/ST=Tokyo/O=TEST_DUMMY_COMPANY/CN=gost.test_dummy.com/' | ||
| 785 | else | ||
| 786 | subj='//C=JP\ST=Tokyo\O=TEST_DUMMY_COMPANY\CN=gost.test_dummy.com\' | ||
| 787 | fi | ||
| 788 | |||
| 789 | start_message "genpkey ... generate server key#4" | ||
| 790 | |||
| 791 | $openssl_bin genpkey -algorithm GOST2001 -pkeyopt paramset:A \ | ||
| 792 | -pkeyopt dgst:streebog512 -out $gost_key | ||
| 793 | check_exit_status $? | ||
| 794 | |||
| 795 | start_message "req ... generate server csr#4" | ||
| 796 | |||
| 797 | $openssl_bin req -new -subj $subj -streebog512 \ | ||
| 798 | -key $gost_key -keyform pem -passin pass:$gost_pass \ | ||
| 799 | -addext 'subjectAltName = DNS:gost.test_dummy.com' \ | ||
| 800 | -out $gost_csr -outform pem | ||
| 801 | check_exit_status $? | ||
| 802 | |||
| 803 | start_message "req ... verify server csr#4" | ||
| 804 | |||
| 805 | $openssl_bin req -verify -in $gost_csr -inform pem \ | ||
| 806 | -newhdr -noout -pubkey -subject -modulus -text \ | ||
| 807 | -nameopt multiline -reqopt compatible \ | ||
| 808 | -out $gost_csr.verify.out | ||
| 809 | check_exit_status $? | ||
| 810 | |||
| 771 | #---------#---------#---------#---------#---------#---------#--------- | 811 | #---------#---------#---------#---------#---------#---------#--------- |
| 772 | 812 | ||
| 773 | # --- CA operations (issue cert for server) --- | 813 | # --- CA operations (issue cert for server) --- |
| @@ -794,7 +834,14 @@ __EOF__ | |||
| 794 | 834 | ||
| 795 | ecdsa_cert=$server_dir/ecdsa_cert.pem | 835 | ecdsa_cert=$server_dir/ecdsa_cert.pem |
| 796 | $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ | 836 | $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ |
| 797 | -in $ecdsa_csr -out $ecdsa_cert > $ecdsa_cert 2>&1 | 837 | -in $ecdsa_csr -out $ecdsa_cert > $ecdsa_cert.log 2>&1 |
| 838 | check_exit_status $? | ||
| 839 | |||
| 840 | start_message "ca ... issue cert for server csr#4" | ||
| 841 | |||
| 842 | gost_cert=$server_dir/gost_cert.pem | ||
| 843 | $openssl_bin ca -batch -cert $ca_cert -keyfile $ca_key -key $ca_pass \ | ||
| 844 | -in $gost_csr -out $gost_cert > $gost_cert.log 2>&1 | ||
| 798 | check_exit_status $? | 845 | check_exit_status $? |
| 799 | 846 | ||
| 800 | #---------#---------#---------#---------#---------#---------#--------- | 847 | #---------#---------#---------#---------#---------#---------#--------- |
| @@ -1322,9 +1369,14 @@ function test_pkcs { | |||
| 1322 | } | 1369 | } |
| 1323 | 1370 | ||
| 1324 | function test_sc_by_protocol_version { | 1371 | function test_sc_by_protocol_version { |
| 1325 | cid=$1 | 1372 | sc=$1 |
| 1326 | ver=$2 | 1373 | ver=$2 |
| 1327 | msg=$3 | 1374 | msg=$3 |
| 1375 | cid=$4 | ||
| 1376 | |||
| 1377 | if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then | ||
| 1378 | return | ||
| 1379 | fi | ||
| 1328 | 1380 | ||
| 1329 | s_client_out=$user1_dir/s_client_${sc}_${ver}.out | 1381 | s_client_out=$user1_dir/s_client_${sc}_${ver}.out |
| 1330 | 1382 | ||
| @@ -1349,6 +1401,10 @@ function test_sc_all_cipher { | |||
| 1349 | sc=$1 | 1401 | sc=$1 |
| 1350 | ver=$2 | 1402 | ver=$2 |
| 1351 | 1403 | ||
| 1404 | if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then | ||
| 1405 | return | ||
| 1406 | fi | ||
| 1407 | |||
| 1352 | copt=cipher | 1408 | copt=cipher |
| 1353 | ciphers=$user1_dir/ciphers_${sc}_${ver} | 1409 | ciphers=$user1_dir/ciphers_${sc}_${ver} |
| 1354 | 1410 | ||
| @@ -1367,10 +1423,12 @@ function test_sc_all_cipher { | |||
| 1367 | s_ciph=$server_dir/s_ciph_${sc}_${ver} | 1423 | s_ciph=$server_dir/s_ciph_${sc}_${ver} |
| 1368 | cipher_string="" | 1424 | cipher_string="" |
| 1369 | if [ $s_id = "0" ] ; then | 1425 | if [ $s_id = "0" ] ; then |
| 1370 | if [ $ecdsa_tests = 0 ] ; then | 1426 | if [ $ecdsa_tests = 1 ] ; then |
| 1371 | cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" | ||
| 1372 | else | ||
| 1373 | cipher_string="ECDSA+TLSv1.2:!TLSv1.3" | 1427 | cipher_string="ECDSA+TLSv1.2:!TLSv1.3" |
| 1428 | elif [ $gost_tests = 1 ] ; then | ||
| 1429 | cipher_string="kGOST:!NULL:!TLSv1.3" | ||
| 1430 | else | ||
| 1431 | cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" | ||
| 1374 | fi | 1432 | fi |
| 1375 | fi | 1433 | fi |
| 1376 | $s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph | 1434 | $s_bin ciphers -v $cipher_string | awk '{print $1}' > $s_ciph |
| @@ -1378,10 +1436,12 @@ function test_sc_all_cipher { | |||
| 1378 | c_ciph=$user1_dir/c_ciph_${sc}_${ver} | 1436 | c_ciph=$user1_dir/c_ciph_${sc}_${ver} |
| 1379 | cipher_string="" | 1437 | cipher_string="" |
| 1380 | if [ $c_id = "0" ] ; then | 1438 | if [ $c_id = "0" ] ; then |
| 1381 | if [ $ecdsa_tests = 0 ] ; then | 1439 | if [ $ecdsa_tests = 1 ] ; then |
| 1382 | cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" | ||
| 1383 | else | ||
| 1384 | cipher_string="ECDSA+TLSv1.2:!TLSv1.3" | 1440 | cipher_string="ECDSA+TLSv1.2:!TLSv1.3" |
| 1441 | elif [ $gost_tests = 1 ] ; then | ||
| 1442 | cipher_string="kGOST:!NULL:!TLSv1.3" | ||
| 1443 | else | ||
| 1444 | cipher_string="ALL:!ECDSA:!kGOST:!TLSv1.3" | ||
| 1385 | fi | 1445 | fi |
| 1386 | fi | 1446 | fi |
| 1387 | $c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph | 1447 | $c_bin ciphers -v $cipher_string | awk '{print $1}' > $c_ciph |
| @@ -1413,6 +1473,11 @@ function test_sc_all_cipher { | |||
| 1413 | function test_sc_session_reuse { | 1473 | function test_sc_session_reuse { |
| 1414 | sc=$1 | 1474 | sc=$1 |
| 1415 | ver=$2 | 1475 | ver=$2 |
| 1476 | |||
| 1477 | if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then | ||
| 1478 | return | ||
| 1479 | fi | ||
| 1480 | |||
| 1416 | sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat | 1481 | sess_dat=$user1_dir/s_client_${sc}_${ver}_sess.dat |
| 1417 | 1482 | ||
| 1418 | # Get session ticket to reuse | 1483 | # Get session ticket to reuse |
| @@ -1460,6 +1525,10 @@ function test_sc_verify { | |||
| 1460 | sc=$1 | 1525 | sc=$1 |
| 1461 | ver=$2 | 1526 | ver=$2 |
| 1462 | 1527 | ||
| 1528 | if [ $gost_tests = 1 ] && [ $ver = "tls1_3" -o $sc != 00 ] ; then | ||
| 1529 | return | ||
| 1530 | fi | ||
| 1531 | |||
| 1463 | # invalid verification pattern | 1532 | # invalid verification pattern |
| 1464 | 1533 | ||
| 1465 | s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out | 1534 | s_client_out=$user1_dir/s_client_${sc}_${ver}_tls_invalid.out |
| @@ -1508,16 +1577,21 @@ function test_server_client { | |||
| 1508 | port=4433 | 1577 | port=4433 |
| 1509 | s_server_out=$server_dir/s_server_${sc}_tls.out | 1578 | s_server_out=$server_dir/s_server_${sc}_tls.out |
| 1510 | 1579 | ||
| 1511 | if [ $ecdsa_tests = 0 ] ; then | 1580 | if [ $ecdsa_tests = 1 ] ; then |
| 1512 | echo "Using RSA certificate" | ||
| 1513 | crt=$server_cert | ||
| 1514 | key=$server_key | ||
| 1515 | pwd=$server_pass | ||
| 1516 | else | ||
| 1517 | echo "Using ECDSA certificate" | 1581 | echo "Using ECDSA certificate" |
| 1518 | crt=$ecdsa_cert | 1582 | crt=$ecdsa_cert |
| 1519 | key=$ecdsa_key | 1583 | key=$ecdsa_key |
| 1520 | pwd=$ecdsa_pass | 1584 | pwd=$ecdsa_pass |
| 1585 | elif [ $gost_tests = 1 ] ; then | ||
| 1586 | echo "Using GOST certificate" | ||
| 1587 | crt=$gost_cert | ||
| 1588 | key=$gost_key | ||
| 1589 | pwd=$gost_pass | ||
| 1590 | else | ||
| 1591 | echo "Using RSA certificate" | ||
| 1592 | crt=$server_cert | ||
| 1593 | key=$server_key | ||
| 1594 | pwd=$server_pass | ||
| 1521 | fi | 1595 | fi |
| 1522 | 1596 | ||
| 1523 | $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null | 1597 | $s_bin version | grep 'OpenSSL 1.1.1' > /dev/null |
| @@ -1539,10 +1613,10 @@ function test_server_client { | |||
| 1539 | sleep 1 | 1613 | sleep 1 |
| 1540 | 1614 | ||
| 1541 | # test by protocol version | 1615 | # test by protocol version |
| 1542 | test_sc_by_protocol_version $c_id tls1 'Protocol : TLSv1$' | 1616 | test_sc_by_protocol_version $sc tls1 'Protocol : TLSv1$' $c_id |
| 1543 | test_sc_by_protocol_version $c_id tls1_1 'Protocol : TLSv1\.1$' | 1617 | test_sc_by_protocol_version $sc tls1_1 'Protocol : TLSv1\.1$' $c_id |
| 1544 | test_sc_by_protocol_version $c_id tls1_2 'Protocol : TLSv1\.2$' | 1618 | test_sc_by_protocol_version $sc tls1_2 'Protocol : TLSv1\.2$' $c_id |
| 1545 | test_sc_by_protocol_version $c_id tls1_3 'Protocol : TLSv1\.3$' | 1619 | test_sc_by_protocol_version $sc tls1_3 'Protocol : TLSv1\.3$' $c_id |
| 1546 | 1620 | ||
| 1547 | # all available ciphers with random order | 1621 | # all available ciphers with random order |
| 1548 | test_sc_all_cipher $sc tls1_2 | 1622 | test_sc_all_cipher $sc tls1_2 |
| @@ -1556,10 +1630,12 @@ function test_server_client { | |||
| 1556 | test_sc_verify $sc tls1_3 | 1630 | test_sc_verify $sc tls1_3 |
| 1557 | 1631 | ||
| 1558 | # s_time | 1632 | # s_time |
| 1559 | start_message "s_time ... connect to TLS/SSL test server" | 1633 | if [ $gost_tests != 1 ] ; then |
| 1560 | $c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \ | 1634 | start_message "s_time ... connect to TLS/SSL test server" |
| 1561 | > $server_dir/s_time_${sc}.log | 1635 | $c_bin s_time -connect $host:$port -CApath $ca_dir -time 1 \ |
| 1562 | check_exit_status $? | 1636 | > $server_dir/s_time_${sc}.log |
| 1637 | check_exit_status $? | ||
| 1638 | fi | ||
| 1563 | 1639 | ||
| 1564 | stop_s_server | 1640 | stop_s_server |
| 1565 | } | 1641 | } |
| @@ -1592,14 +1668,19 @@ openssl_bin=${OPENSSL:-/usr/bin/openssl} | |||
| 1592 | other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11} | 1668 | other_openssl_bin=${OTHER_OPENSSL:-/usr/local/bin/eopenssl11} |
| 1593 | 1669 | ||
| 1594 | ecdsa_tests=0 | 1670 | ecdsa_tests=0 |
| 1671 | gost_tests=0 | ||
| 1595 | interop_tests=0 | 1672 | interop_tests=0 |
| 1596 | no_long_tests=0 | 1673 | no_long_tests=0 |
| 1597 | 1674 | ||
| 1598 | while [ "$1" != "" ]; do | 1675 | while [ "$1" != "" ]; do |
| 1599 | case $1 in | 1676 | case $1 in |
| 1600 | -e | --ecdsa) | 1677 | -e | --ecdsa) shift |
| 1601 | shift | ||
| 1602 | ecdsa_tests=1 | 1678 | ecdsa_tests=1 |
| 1679 | gost_tests=0 | ||
| 1680 | ;; | ||
| 1681 | -g | --gost) shift | ||
| 1682 | gost_tests=1 | ||
| 1683 | ecdsa_tests=0 | ||
| 1603 | ;; | 1684 | ;; |
| 1604 | -i | --interop) shift | 1685 | -i | --interop) shift |
| 1605 | interop_tests=1 | 1686 | interop_tests=1 |