More precise testing of dhm_min_len
An SSL client can be configured to insist on a minimum size for the Diffie-Hellman (DHM) parameters sent by the server. Add several test cases where the server sends parameters with exactly the minimum size (must be accepted) or parameters that are one bit too short (must be rejected). Make sure that there are test cases both where the boundary is byte-aligned and where it isn't. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
parent
384a0880c4
commit
3e7b61c42b
|
@ -1052,6 +1052,16 @@ cert_md5.crt: cert_md5.csr
|
||||||
$(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=MD5 version=3 output_file=$@
|
$(MBEDTLS_CERT_WRITE) request_file=$< serial=6 issuer_crt=$(test_ca_crt) issuer_key=$(test_ca_key_file_rsa) issuer_pwd=$(test_ca_pwd_rsa) not_before=20190210144406 not_after=20290210144406 md=MD5 version=3 output_file=$@
|
||||||
all_final += cert_md5.crt
|
all_final += cert_md5.crt
|
||||||
|
|
||||||
|
################################################################
|
||||||
|
#### Diffie-Hellman parameters
|
||||||
|
################################################################
|
||||||
|
|
||||||
|
dh.998.pem:
|
||||||
|
$(OPENSSL) dhparam -out $@ -text 998
|
||||||
|
|
||||||
|
dh.999.pem:
|
||||||
|
$(OPENSSL) dhparam -out $@ -text 999
|
||||||
|
|
||||||
################################################################
|
################################################################
|
||||||
#### Meta targets
|
#### Meta targets
|
||||||
################################################################
|
################################################################
|
||||||
|
|
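Review bot: The new `dh.998.pem` and `dh.999.pem` rules have no comment explaining why such odd, undersized groups exist, and unlike `cert_md5.crt` directly above they are not appended to `all_final`; whether that omission is deliberate cannot be told from this hunk. Because `openssl dhparam` generates a fresh random prime on every run, rebuilding these targets would replace the checked-in fixtures with different values, which is worth stating next to the rules. I would add above them something like `# Deliberately undersized DH parameters (998/999 bits) for the dhm_min_len boundary tests. Test fixtures only; regenerating yields a different prime.`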
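--- a/tests/data_files/dh.998.pem
+++ b/tests/data_files/dh.998.pem
@@ -0,0 +1,17 @@
+DH Parameters: (998 bit)
+prime:
+39:5f:30:c0:7b:06:b7:6a:49:c6:c0:81:1f:39:77:
+b3:35:e2:8d:66:fc:6a:6e:94:f3:df:97:f2:89:31:
+6c:75:39:08:16:d1:a4:b8:0c:68:c5:63:21:61:eb:
+48:2d:77:99:08:1d:67:38:37:0a:cd:cf:39:b6:3c:
+9d:8a:e5:85:3c:71:e3:4b:3e:1e:b9:80:e3:cc:7a:
+fd:84:05:b0:df:36:15:29:4e:3e:23:3b:c3:ae:6b:
+c7:11:b9:64:43:40:75:c7:4a:ef:a7:2d:00:e2:62:
+8f:93:78:96:8f:2c:25:8d:7d:1f:eb:5c:3c:bf:51:
+de:f8:08:25:db
+generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIGCAn05XzDAewa3aknGwIEfOXezNeKNZvxqbpTz35fyiTFsdTkIFtGkuAxoxWMh
+YetILXeZCB1nODcKzc85tjydiuWFPHHjSz4euYDjzHr9hAWw3zYVKU4+IzvDrmvH
+EblkQ0B1x0rvpy0A4mKPk3iWjywljX0f61w8v1He+Agl2wIBAg==
+-----END DH PARAMETERS-----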
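--- a/tests/data_files/dh.999.pem
+++ b/tests/data_files/dh.999.pem
@@ -0,0 +1,17 @@
+DH Parameters: (999 bit)
+prime:
+4f:b8:d2:d8:3c:b3:02:c9:64:f5:99:fe:61:cc:b3:
+69:1c:ba:bb:a2:33:db:38:2f:85:87:b7:12:fb:69:
+6e:a5:32:3e:ff:24:df:c4:61:07:0c:e1:88:72:fa:
+14:d4:22:65:18:66:09:7e:43:35:c4:5a:62:f7:0a:
+69:be:45:71:6e:ac:c5:56:d8:22:9e:c4:9c:23:2b:
+bd:6d:3b:b6:02:4f:5d:12:a7:ac:90:b8:9e:be:93:
+82:bc:09:7c:cd:e1:09:21:1e:3d:69:2a:76:41:00:
+68:6d:b7:e8:e8:df:d6:1b:82:93:d9:21:4a:ea:71:
+f2:e6:c4:94:03
+generator: 2 (0x2)
+-----BEGIN DH PARAMETERS-----
+MIGCAn1PuNLYPLMCyWT1mf5hzLNpHLq7ojPbOC+Fh7cS+2lupTI+/yTfxGEHDOGI
+cvoU1CJlGGYJfkM1xFpi9wppvkVxbqzFVtginsScIyu9bTu2Ak9dEqeskLievpOC
+vAl8zeEJIR49aSp2QQBobbfo6N/WG4KT2SFK6nHy5sSUAwIBAg==
+-----END DH PARAMETERS-----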
|
@ -3960,6 +3960,20 @@ run_test "DHM size: server 1024, client default, OK" \
|
||||||
0 \
|
0 \
|
||||||
-C "DHM prime too short:"
|
-C "DHM prime too short:"
|
||||||
|
|
||||||
|
run_test "DHM size: server 999, client 999, OK" \
|
||||||
|
"$P_SRV dhm_file=data_files/dh.999.pem" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
debug_level=1 dhmlen=999" \
|
||||||
|
0 \
|
||||||
|
-C "DHM prime too short:"
|
||||||
|
|
||||||
|
run_test "DHM size: server 1000, client 1000, OK" \
|
||||||
|
"$P_SRV dhm_file=data_files/dh.1000.pem" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
debug_level=1 dhmlen=1000" \
|
||||||
|
0 \
|
||||||
|
-C "DHM prime too short:"
|
||||||
|
|
||||||
run_test "DHM size: server 1000, client default, rejected" \
|
run_test "DHM size: server 1000, client default, rejected" \
|
||||||
"$P_SRV dhm_file=data_files/dh.1000.pem" \
|
"$P_SRV dhm_file=data_files/dh.1000.pem" \
|
||||||
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
@ -3967,6 +3981,27 @@ run_test "DHM size: server 1000, client default, rejected" \
|
||||||
1 \
|
1 \
|
||||||
-c "DHM prime too short:"
|
-c "DHM prime too short:"
|
||||||
|
|
||||||
|
run_test "DHM size: server 1000, client 1001, rejected" \
|
||||||
|
"$P_SRV dhm_file=data_files/dh.1000.pem" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
debug_level=1 dhmlen=1001" \
|
||||||
|
1 \
|
||||||
|
-c "DHM prime too short:"
|
||||||
|
|
||||||
|
run_test "DHM size: server 999, client 1000, rejected" \
|
||||||
|
"$P_SRV dhm_file=data_files/dh.999.pem" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
debug_level=1 dhmlen=1000" \
|
||||||
|
1 \
|
||||||
|
-c "DHM prime too short:"
|
||||||
|
|
||||||
|
run_test "DHM size: server 998, client 999, rejected" \
|
||||||
|
"$P_SRV dhm_file=data_files/dh.998.pem" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
debug_level=1 dhmlen=999" \
|
||||||
|
1 \
|
||||||
|
-c "DHM prime too short:"
|
||||||
|
|
||||||
run_test "DHM size: server default, client 2049, rejected" \
|
run_test "DHM size: server default, client 2049, rejected" \
|
||||||
"$P_SRV" \
|
"$P_SRV" \
|
||||||
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
|
||||||
|
|
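Review bot: The rejection cases (`server 1000, client 1001`, `server 999, client 1000`, `server 998, client 999`) match only the prefix `-c "DHM prime too short:"`, so the log check itself does not tie a failure to the exact bit lengths involved; only the exit code does. If the client log line also prints the two sizes (not visible in this diff), pinning them would make each boundary case self-describing, e.g. `-c "DHM prime too short: <ACTUAL> < <MINIMUM>"` written in the message's real format. A one-line comment above the group, such as `# 1000 bits is byte-aligned, 998 and 999 are not: exercise dhm_min_len on both sides of each boundary`, would also record why these particular sizes were chosen. This applies to both hunks of the file.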