diff --git a/CHANGES b/CHANGES
index ae01a2c90f..c87a7d437c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@ Changes between 0.9.5 and 0.9.5a [XX XXX 2000] + *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration. + [Bodo Moeller] + *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE is set; it will be thrown away anyway because each handshake creates its own key.
diff --git a/crypto/asn1/t_req.c b/crypto/asn1/t_req.c
index 81dd6355a8..ea1af092db 100644
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -119,7 +119,7 @@ int X509_REQ_print(BIO *bp, X509_REQ *x) pkey=X509_REQ_get_pubkey(x); #ifndef NO_RSA - if (pkey->type == EVP_PKEY_RSA) + if (pkey != NULL && pkey->type == EVP_PKEY_RSA) { BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","", BN_num_bits(pkey->pkey.rsa->n));
@@ -128,7 +128,7 @@ int X509_REQ_print(BIO *bp, X509_REQ *x) else #endif #ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) + if (pkey != NULL && pkey->type == EVP_PKEY_DSA) { BIO_printf(bp,"%12sDSA Public Key:\n",""); DSA_print(bp,pkey->pkey.dsa,16);
@@ -137,7 +137,8 @@ int X509_REQ_print(BIO *bp, X509_REQ *x) #endif BIO_printf(bp,"%12sUnknown Public Key:\n",""); - EVP_PKEY_free(pkey); + if (pkey != NULL) + EVP_PKEY_free(pkey); /* may not be */ sprintf(str,"%8sAttributes:\n","");
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 76d1521399..2548c8abc5 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -140,6 +140,7 @@ static void sv_usage(void) fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); fprintf(stderr," -cert arg - Certificate file\n"); + fprintf(stderr," -key arg - Key file\n"); fprintf(stderr," -s_cert arg - Just the server certificate file\n"); fprintf(stderr," -c_cert arg - Just the client certificate file\n"); fprintf(stderr," -cipher arg - The cipher list\n");
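Review bot: With the NULL guards added here and in the two following hunks (@@ -128 and @@ -137), a request whose public key cannot be decoded now falls through to the same `Unknown Public Key:` line that is printed for a successfully parsed key of an unsupported algorithm, so a malformed or truncated key in the request is indistinguishable from an unknown key type in the printed output. Presumably `pkey` is NULL only when `X509_REQ_get_pubkey()` failed, so an explicit branch such as `if (pkey == NULL) { BIO_printf(bp,"%12sUnable to load Public Key\n",""); ERR_print_errors(bp); }` ahead of the RSA/DSA chain would report that case as the error it is. The `/* may not be */` comment on the free guard in @@ -137 is cryptic; `/* pkey is NULL when X509_REQ_get_pubkey() failed */` says what it means. X509_REQ_print continues on both sides of these hunks.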
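Review bot: The usage text gains only `-key`, while the option parser in the next hunk (@@ -282) also accepts `-s_key` and `-c_key`, so those two options remain undocumented in `sv_usage`. Add them beside their certificate counterparts: `fprintf(stderr," -s_key arg - Just the server key file\n");` and `fprintf(stderr," -c_key arg - Just the client key file\n");`. It would also help to say on the `-key` line that the key is read from the certificate file when no key file is given, since that is what the loading code in @@ -416 does. sv_usage continues on both sides of this hunk.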
@@ -202,7 +203,9 @@ int main(int argc, char *argv[]) int client_auth=0; int server_auth=0,i; char *server_cert=TEST_SERVER_CERT; + char *server_key=NULL; char *client_cert=TEST_CLIENT_CERT; + char *client_key=NULL; SSL_CTX *s_ctx=NULL; SSL_CTX *c_ctx=NULL; SSL_METHOD *meth=NULL;
@@ -282,11 +285,26 @@ int main(int argc, char *argv[]) if (--argc < 1) goto bad; server_cert= *(++argv); } + else if (strcmp(*argv,"-key") == 0) + { + if (--argc < 1) goto bad; + server_key= *(++argv); + } + else if (strcmp(*argv,"-s_key") == 0) + { + if (--argc < 1) goto bad; + server_key= *(++argv); + } else if (strcmp(*argv,"-c_cert") == 0) { if (--argc < 1) goto bad; client_cert= *(++argv); } + else if (strcmp(*argv,"-c_key") == 0) + { + if (--argc < 1) goto bad; + client_key= *(++argv); + } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad;
@@ -416,8 +434,8 @@ bad: { ERR_print_errors(bio_err); } - else if (!SSL_CTX_use_PrivateKey_file(s_ctx,server_cert, - SSL_FILETYPE_PEM)) + else if (!SSL_CTX_use_PrivateKey_file(s_ctx, + (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); goto end;
@@ -427,7 +445,8 @@ bad: { SSL_CTX_use_certificate_file(c_ctx,client_cert, SSL_FILETYPE_PEM); - SSL_CTX_use_PrivateKey_file(c_ctx,client_cert, + SSL_CTX_use_PrivateKey_file(c_ctx, + (client_key?client_key:client_cert), SSL_FILETYPE_PEM); }
diff --git a/test/Makefile.ssl b/test/Makefile.ssl
index a3386d9a7e..02945de5f9 100644
--- a/test/Makefile.ssl
+++ b/test/Makefile.ssl
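Review bot: In the @@ -282 hunk, `-key` and `-s_key` are parsed in two identical branches that both assign `server_key`, duplicating the argc check and the argv advance. They can be one branch, `else if (strcmp(*argv,"-key") == 0 || strcmp(*argv,"-s_key") == 0)`, with the same body, and a short comment such as `/* -key is an alias for -s_key; the client key is set with -c_key only */` would make the asymmetry with `-c_key` deliberate rather than accidental. main() continues on both sides of this hunk.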
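Review bot: Now that the private key may come from a different file than the certificate (`server_key?server_key:server_cert` in @@ -416 and the client counterpart in @@ -427), a key that does not belong to the certificate is no longer caught by construction, and neither context is checked with `SSL_CTX_check_private_key()` after the two `use_*_file` calls, so a wrong `-key`/`-c_key` argument would most likely surface only as an obscure handshake failure later in the test. Adding `if (!SSL_CTX_check_private_key(s_ctx)) { ERR_print_errors(bio_err); goto end; }` after the server key load, and the equivalent for `c_ctx`, reports the mismatch where it happens. The client-side `SSL_CTX_use_certificate_file`/`SSL_CTX_use_PrivateKey_file` return values in @@ -427 are still ignored, unlike the server side which prints the error queue and bails out. The code after the `bad:` label continues outside both hunks.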
@@ -206,17 +206,21 @@ test_gen: @echo "Generate and verify a certificate request" @sh ./testgen -test_ss: +test_ss keyU.ss certU.ss certCA.ss: @echo "Generate and certify a test certificate" @sh ./testss -test_ssl: +test_ssl: keyU.ss certU.ss certCA.ss @echo "test SSL protocol" - @sh ./testssl + @sh ./testssl keyU.ss certU.ss certCA.ss test_ca: - @echo "Generate and certify a test certificate via the 'ca' program" - @sh ./testca + @if ../apps/openssl list-standard-commands | grep '^rsa$$' >/dev/null; then \ + echo "Generate and certify a test certificate via the 'ca' program"; \ + sh ./testca; \ + else \ + echo "skipping CA.sh test -- requires RSA"; \ + fi lint: lint -DLINT $(INCLUDES) $(SRC)>fluff
diff --git a/test/testgen b/test/testgen
index c5f61b582b..f2db42cb24 100644
--- a/test/testgen
+++ b/test/testgen
@@ -11,13 +11,19 @@ export PATH echo "generating certificate request" -echo "There should be a 2 sequences of .'s and some +'s." -echo "There should not be more that at most 80 per line" -echo "This could take some time." - echo "string to make the random number generator think it has entropy" >> ./.rnd -../apps/openssl req -config test.cnf -new -out testreq.pem +if ../apps/openssl list-standard-commands | grep '^rsa$' >/dev/null; then + req_new='-new' + echo "There should be a 2 sequences of .'s and some +'s." + echo "There should not be more that at most 80 per line" +else + req_new='-newkey dsa:../apps/dsa512.pem' +fi + +echo "This could take some time." + +../apps/openssl req -config test.cnf $req_new -out testreq.pem if [ $? != 0 ]; then echo problems creating request exit 1
diff --git a/test/testss b/test/testss
index da62997a5f..fc27c83fa7 100644
--- a/test/testss
+++ b/test/testss
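Review bot: `test_ss keyU.ss certU.ss certCA.ss:` is a plain multi-target rule, which make reads as three independent rules sharing one recipe; when `test_ssl` requests all three files the `sh ./testss` recipe can run more than once, and under a parallel `make -j` the concurrent runs would write the same `.ss` files at the same time. A safer shape is to let `test_ssl` depend on `test_ss` alone, as before, and pass the three file names on the `./testssl` line, or to hang the three files off a single stamp target, unless repeated runs of testss are known to be harmless. Separately, the skip message in `test_ca` says `skipping CA.sh test` while the recipe runs `./testca`; naming the script that is actually skipped keeps test logs unambiguous.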
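Review bot: The `../apps/openssl list-standard-commands | grep '^rsa$' >/dev/null` probe is now spelled out separately in testgen, testss (@@ -19 hunk), the `test_ca` rule in test/Makefile.ssl and testssl, each with its own fallback wiring, so one helper script or one variable exported by the Makefile would keep the four copies from drifting apart. The DSA fallback hard-codes `../apps/dsa512.pem`; if that file is absent, `req` fails and the only diagnostic is the generic `problems creating request`, so a comment on the `req_new='-newkey dsa:../apps/dsa512.pem'` line such as `# no-rsa build: use the DSA parameters shipped in apps/` would point the reader at the cause. The remainder of testgen, including what follows the exit-status check, is outside the hunk.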
@@ -19,7 +19,14 @@ Ucert="certU.ss" echo echo "make a certificate request using 'req'" -$reqcmd -config $CAconf -out $CAreq -keyout $CAkey -new #>err.ss + +if ../apps/openssl list-standard-commands | grep '^rsa$' >/dev/null; then + req_new='-new' +else + req_new='-newkey dsa:../apps/dsa512.pem' +fi + +$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss if [ $? != 0 ]; then echo "error using 'req' to generate a certificate request" exit 1
@@ -60,7 +67,7 @@ fi echo echo "make another certificate request using 'req'" -$reqcmd -config $Uconf -out $Ureq -keyout $Ukey -new >err.ss +$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss if [ $? != 0 ]; then echo "error using 'req' to generate a certificate request" exit 1
diff --git a/test/testssl b/test/testssl
index e256e38b41..413a14e4cb 100644
--- a/test/testssl
+++ b/test/testssl
@@ -1,86 +1,123 @@ #!/bin/sh +if [ "$1" = "" ]; then + key=../apps/server.pem +else + key="$1" +fi +if [ "$2" = "" ]; then + cert=../apps/server.pem +else + cert="$2" +fi +ssltest="./ssltest -key $1 -cert $2 -c_key $1 -c_cert $2" + +if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key'; then + dsa_cert=YES +else + dsa_cert=NO +fi + +if [ "$3" = "" ]; then + CA="-CApath ../certs" +else + CA="-CAfile $3" +fi + +############################################################################# + echo test sslv2 -./ssltest -ssl2 || exit 1 +$ssltest -ssl2 || exit 1 echo test sslv2 with server authentication -./ssltest -ssl2 -server_auth -CApath ../certs || exit 1 +$ssltest -ssl2 -server_auth $CA || exit 1 -echo test sslv2 with client authentication -./ssltest -ssl2 -client_auth -CApath ../certs || exit 1 +if [ $dsa_cert = NO ]; then + echo test sslv2 with client authentication + $ssltest -ssl2 -client_auth $CA || exit 1 -echo test sslv2 with both client and server authentication -./ssltest -ssl2 -server_auth -client_auth -CApath ../certs || exit 1 + echo test sslv2 with both client and server authentication + $ssltest -ssl2 -server_auth -client_auth $CA || exit 1 +fi echo test sslv3 -./ssltest -ssl3 || exit 1 +$ssltest -ssl3 || exit 1 echo test sslv3 with server authentication -./ssltest -ssl3 -server_auth -CApath ../certs || exit 1 +$ssltest -ssl3 -server_auth $CA || exit 1 echo test sslv3 with client authentication -./ssltest -ssl3 -client_auth -CApath ../certs || exit 1 +$ssltest -ssl3 -client_auth $CA || exit 1 echo test sslv3 with both client and server authentication -./ssltest -ssl3 -server_auth -client_auth -CApath ../certs || exit 1 +$ssltest -ssl3 -server_auth -client_auth $CA || exit 1 echo test sslv2/sslv3 -./ssltest || exit 1 +$ssltest || exit 1 echo test sslv2/sslv3 with server authentication -./ssltest -server_auth -CApath ../certs || exit 1 +$ssltest -server_auth $CA || exit 1 echo test sslv2/sslv3 with client authentication -./ssltest 
-client_auth -CApath ../certs || exit 1 +$ssltest -client_auth $CA || exit 1 echo test sslv2/sslv3 with both client and server authentication -./ssltest -server_auth -client_auth -CApath ../certs || exit 1 +$ssltest -server_auth -client_auth $CA || exit 1 echo test sslv2 via BIO pair -./ssltest -bio_pair -ssl2 || exit 1 +$ssltest -bio_pair -ssl2 || exit 1 echo test sslv2 with server authentication via BIO pair -./ssltest -bio_pair -ssl2 -server_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -ssl2 -server_auth $CA || exit 1 -echo test sslv2 with client authentication via BIO pair -./ssltest -bio_pair -ssl2 -client_auth -CApath ../certs || exit 1 +if [ $dsa_cert = NO ]; then + echo test sslv2 with client authentication via BIO pair + $ssltest -bio_pair -ssl2 -client_auth $CA || exit 1 -echo test sslv2 with both client and server authentication via BIO pair -./ssltest -bio_pair -ssl2 -server_auth -client_auth -CApath ../certs || exit 1 + echo test sslv2 with both client and server authentication via BIO pair + $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA || exit 1 +fi echo test sslv3 via BIO pair -./ssltest -bio_pair -ssl3 || exit 1 +$ssltest -bio_pair -ssl3 || exit 1 echo test sslv3 with server authentication via BIO pair -./ssltest -bio_pair -ssl3 -server_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -ssl3 -server_auth $CA || exit 1 echo test sslv3 with client authentication via BIO pair -./ssltest -bio_pair -ssl3 -client_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -ssl3 -client_auth $CA || exit 1 echo test sslv3 with both client and server authentication via BIO pair -./ssltest -bio_pair -ssl3 -server_auth -client_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA || exit 1 echo test sslv2/sslv3 via BIO pair -./ssltest || exit 1 +$ssltest || exit 1 -echo test sslv2/sslv3 w/o DHE via BIO pair -./ssltest -bio_pair -no_dhe || exit 1 +if [ $dsa_cert = NO ]; then + echo test sslv2/sslv3 w/o DHE via BIO 
pair + $ssltest -bio_pair -no_dhe || exit 1 +fi echo test sslv2/sslv3 with 1024bit DHE via BIO pair -./ssltest -bio_pair -dhe1024dsa -v || exit 1 +$ssltest -bio_pair -dhe1024dsa -v || exit 1 echo test sslv2/sslv3 with server authentication -./ssltest -bio_pair -server_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -server_auth $CA || exit 1 echo test sslv2/sslv3 with client authentication via BIO pair -./ssltest -bio_pair -client_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -client_auth $CA || exit 1 echo test sslv2/sslv3 with both client and server authentication via BIO pair -./ssltest -bio_pair -server_auth -client_auth -CApath ../certs || exit 1 +$ssltest -bio_pair -server_auth -client_auth $CA || exit 1 -echo test tls1 with 1024bit RSA, no DHE, multiple handshakes -./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time || exit 1 +############################################################################# + +if ../apps/openssl list-standard-commands | grep '^rsa$' >/dev/null; then + echo test tls1 with 1024bit RSA, no DHE, multiple handshakes + ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time || exit 1 + + echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes + ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1 +fi -echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes -./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1 exit 0
diff --git a/test/treq b/test/treq
index 0464c9d902..9f5eb7eea5 100644
--- a/test/treq
+++ b/test/treq
@@ -11,6 +11,11 @@ else t=testreq.pem fi +if $cmd -in $t -inform p -noout -text | fgrep 'Unknown Public Key'; then + echo "skipping req conversion test for $t" + exit 0 +fi + echo testing req conversions cp $t fff.p
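Review bot: The `ssltest=` line at the top of the new testssl builds the command from `$1` and `$2` instead of the `$key` and `$cert` variables derived from them directly above it, so the `../apps/server.pem` defaults are never applied: run with no arguments, the command becomes `./ssltest -key -cert -c_key -c_cert ...`, and since ssltest takes the next argv word as each option's value, `-cert` is used as the key file name and `-c_cert` as the client key. The line should read `ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"`. The `fgrep 'DSA Public Key'` probe lets its matching line through to the test output; `>/dev/null` on that pipeline, as the `grep '^rsa$'` probe already does, keeps the log to the `echo test ...` banners. The `test sslv2/sslv3 via BIO pair` case still runs plain `$ssltest` without `-bio_pair`, so the banner does not describe what that step exercises.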