diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2020-04-20 11:07:38 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2020-04-20 11:07:38 +1000 |
commit | 738ee1819e3bb94723701fb505ce2971afe47a9b (patch) | |
tree | 2fd8588534087594f2371060c20bc6890d39a33a /test | |
parent | 9e537cd2ad01b172f2700a670e9269075078a426 (diff) | |
download | openssl-new-738ee1819e3bb94723701fb505ce2971afe47a9b.tar.gz |
Fix DH_get_nid() so that it does not cache values.
DH_set0_pqg() is now responsible for caching the nid, q and length.
DH with or without named safe prime groups now default to using the maximum private key length (BN_num_bits(q) - 1)
when generating a DH private key. The code is now shared between fips and non fips mode for DH key generation.
The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be
in the range (2 * strength ... bits(q) - 1). Where the strength depends on the length of p.
Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (To simplify adding new names).
The BIGNUMS were code generated.
Fix error in documented return value for DH_get_nid
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11562)
Diffstat (limited to 'test')
-rw-r--r-- | test/evp_pkey_provided_test.c | 6 | ||||
-rw-r--r-- | test/ffc_internal_test.c | 8 | ||||
-rw-r--r-- | test/recipes/15-test_gendh.t | 19 |
3 files changed, 25 insertions, 8 deletions
diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 7b61cbe11f..1ded0d9f9e 100644 --- a/test/evp_pkey_provided_test.c +++ b/test/evp_pkey_provided_test.c @@ -408,7 +408,8 @@ static int test_fromdata_dh_named_group(void) /* * DH key data was generated using the following: - * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text + * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 + * -pkeyopt priv_len:224 -text */ static const unsigned char priv_data[] = { 0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d, @@ -547,7 +548,8 @@ static int test_fromdata_dh_fips186_4(void) /* * DH key data was generated using the following: - * openssl genpkey -algorithm DH -pkeyopt group:ffdhe2048 -text + * openssl genpkey -algorithm DH + * -pkeyopt group:ffdhe2048 -pkeyopt priv_len:224 -text */ static const unsigned char priv_data[] = { 0x88, 0x85, 0xe7, 0x9f, 0xee, 0x6d, 0xc5, 0x7c, 0x78, 0xaf, 0x63, 0x5d, diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c index e74dc1bd0f..c0b8e67871 100644 --- a/test/ffc_internal_test.c +++ b/test/ffc_internal_test.c @@ -600,19 +600,19 @@ static int ffc_private_gen_test(int index) N = BN_num_bits(params->q); /* Fail since N < 2*s - where s = 112*/ - if (!TEST_false(ffc_generate_private_key_fips(ctx, params, 220, 112, priv))) + if (!TEST_false(ffc_generate_private_key(ctx, params, 220, 112, priv))) goto err; /* fail since N > len(q) */ - if (!TEST_false(ffc_generate_private_key_fips(ctx, params, N + 1, 112, priv))) + if (!TEST_false(ffc_generate_private_key(ctx, params, N + 1, 112, priv))) goto err; /* pass since 2s <= N <= len(q) */ - if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N, 112, priv))) + if (!TEST_true(ffc_generate_private_key(ctx, params, N, 112, priv))) goto err; /* pass since N = len(q) */ if (!TEST_true(ffc_validate_private_key(params->q, priv, &res))) goto err; /* pass since 2s <= N < len(q) */ - if (!TEST_true(ffc_generate_private_key_fips(ctx, params, N / 2, 112, priv))) + if (!TEST_true(ffc_generate_private_key(ctx, params, N / 2, 112, priv))) goto err; if (!TEST_true(ffc_validate_private_key(params->q, priv, &res))) goto err; diff --git a/test/recipes/15-test_gendh.t b/test/recipes/15-test_gendh.t index 87ddac96f7..a2ef8dab9f 100644 --- a/test/recipes/15-test_gendh.t +++ b/test/recipes/15-test_gendh.t @@ -18,7 +18,7 @@ setup("test_gendh"); plan skip_all => "This test is unsupported in a no-dh build" if disabled("dh"); -plan tests => 9; +plan tests => 13; ok(run(app([ 'openssl', 'genpkey', '-genparam', '-algorithm', 'DH', @@ -80,4 +80,19 @@ ok(run(app([ 'openssl', 'genpkey', ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH'])), "genpkey DH with no params should fail"); -
\ No newline at end of file + + ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe3072', '-pkeyopt', 'priv_len:255', '-text'])), + 'genpkey DH with a small private len should fail'); + + ok(!run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe3072', '-pkeyopt', 'priv_len:3072', '-text'])), + 'genpkey DH with a large private len should fail'); + + ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe3072', '-pkeyopt', 'priv_len:256', '-text'])), + 'genpkey DH with a minimum strength private len'); + + ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'DH', '-pkeyopt', + 'group:ffdhe2048', '-pkeyopt', 'priv_len:224', '-text'])), + 'genpkey 2048 DH with a minimum strength private len'); |