Revision 1bb01b1b5f27a7de33e7a67946b8c001b54e09e9 authored by Emilia Kasper on 05 September 2014, 12:47:33 UTC, committed by Emilia Kasper on 24 September 2014, 14:41:55 UTC
Do the final padding check in EVP_DecryptFinal_ex in constant time to avoid a timing leak from padding failure. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit b55ff319f880adc874b8c95957adf2003117d42b) Conflicts: crypto/evp/Makefile crypto/evp/evp_enc.c
1 parent 699d78c
test.sh
#!/bin/sh
HTTP="localhost:8080"
CLIENT_PORT="9020"
SERVER_PORT="9021"
sub_test ()
{
echo "STARTING - $VER $CIPHER"
./tunala -listen localhost:$CLIENT_PORT -proxy localhost:$SERVER_PORT \
-cacert CA.pem -cert A-client.pem -server 0 \
-dh_special standard -v_peer -v_strict \
$VER -cipher $CIPHER 1> tc1.txt 2> tc2.txt &
./tunala -listen localhost:$SERVER_PORT -proxy $HTTP \
-cacert CA.pem -cert A-server.pem -server 1 \
-dh_special standard -v_peer -v_strict \
$VER -cipher $CIPHER 1> ts1.txt 2> ts2.txt &
# Wait for the servers to be listening before starting the wget test
DONE="no"
while [ "$DONE" != "yes" ]; do
L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"`
L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"`
if [ "x$L1" != "x" ]; then
DONE="yes"
elif [ "x$L2" != "x" ]; then
DONE="yes"
else
sleep 1
fi
done
HTML=`wget -O - -T 1 http://localhost:$CLIENT_PORT 2> /dev/null | grep "<HTML>"`
if [ "x$HTML" != "x" ]; then
echo "OK - $CIPHER ($VER)"
else
echo "FAIL - $CIPHER ($VER)"
killall tunala
exit 1
fi
killall tunala
# Wait for the servers to stop before returning - otherwise the next
# test my fail to start ... (fscking race conditions)
DONE="yes"
while [ "$DONE" != "no" ]; do
L1=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$CLIENT_PORT"`
L2=`netstat -a | egrep "LISTEN[\t ]*$" | grep ":$SERVER_PORT"`
if [ "x$L1" != "x" ]; then
DONE="yes"
elif [ "x$L2" != "x" ]; then
DONE="yes"
else
DONE="no"
fi
done
exit 0
}
run_test ()
{
(sub_test 1> /dev/null) || exit 1
}
run_ssl_test ()
{
killall tunala 1> /dev/null 2> /dev/null
echo ""
echo "Starting all $PRETTY tests"
if [ "$PRETTY" != "SSLv2" ]; then
if [ "$PRETTY" != "SSLv3" ]; then
export VER="-no_ssl2 -no_ssl3"
export OSSL="-tls1"
else
export VER="-no_ssl2 -no_tls1"
export OSSL="-ssl3"
fi
else
export VER="-no_ssl3 -no_tls1"
export OSSL="-ssl2"
fi
LIST="`../../apps/openssl ciphers $OSSL | sed -e 's/:/ /g'`"
#echo "$LIST"
for i in $LIST; do \
DSS=`echo "$i" | grep "DSS"`
if [ "x$DSS" != "x" ]; then
echo "---- skipping $i (no DSA cert/keys) ----"
else
export CIPHER=$i
run_test
echo "SUCCESS: $i"
fi
done;
}
# Welcome the user
echo "Tests will assume an http server running at $HTTP"
# TLSv1 test
export PRETTY="TLSv1"
run_ssl_test
# SSLv3 test
export PRETTY="SSLv3"
run_ssl_test
# SSLv2 test
export PRETTY="SSLv2"
run_ssl_test
Computing file changes ...
