Skip to content

Commit 835abd6

Browse files
drwetterdrwetter
authored
Merge pull request #1870 from dcooper16/fix_ossl30
Improve compatibility with OpenSSL 3.0
2 parents 52ed92c + c0f29f6 commit 835abd6

1 file changed

Lines changed: 34 additions & 7 deletions

File tree

testssl.sh

Lines changed: 34 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -10468,7 +10468,7 @@ get_pub_key_size() {
1046810468
"$HAS_PKEY" || return 1
1046910469

1047010470
# OpenSSL displays the number of bits for RSA and ECC
10471-
pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text 2>>$ERRFILE | awk -F'(' '/Public-Key/ { print $2 }')
10471+
pubkeybits=$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | $OPENSSL pkey -pubin -text_pub 2>>$ERRFILE | awk -F'(' '/Public-Key/ { print $2 }')
1047210472
if [[ -n $pubkeybits ]]; then
1047310473
# remainder e.g. "256 bit)"
1047410474
pubkeybits="${pubkeybits//\)/}"
@@ -12748,9 +12748,18 @@ parse_tls_serverhello() {
1274812748
esac
1274912749
[[ -z "$key_bitstring" ]] && named_curve=0 && named_curve_str=""
1275012750
if "$HAS_PKEY" && [[ $named_curve -ne 0 ]] && [[ "${TLS13_KEY_SHARES[named_curve]}" =~ BEGIN ]]; then
12751-
ephemeral_param="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | grep -EA 1000 "prime:|prime P:")"
12752-
rfc7919_param="$($OPENSSL pkey -text -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -EA 1000 "prime:|prime P:")"
12753-
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
12751+
ephemeral_param="$($OPENSSL pkey -pubin -text_pub -noout 2>>$ERRFILE <<< "$key_bitstring")"
12752+
# OpenSSL 3.0.0 outputs the group name rather than the actual parameter values for some named groups.
12753+
if [[ "$ephemeral_param" =~ GROUP: ]]; then
12754+
ephemeral_param="${ephemeral_param#*GROUP: }"
12755+
rfc7919_param="${named_curve_str# }"
12756+
rfc7919_param="${rfc7919_param%,}"
12757+
[[ "$ephemeral_param" =~ $rfc7919_param ]] || named_curve_str=""
12758+
else
12759+
ephemeral_param="$(grep -EA 1000 "prime:|P:" <<< "$ephemeral_param")"
12760+
rfc7919_param="$($OPENSSL pkey -text_pub -noout 2>>$ERRFILE <<< "${TLS13_KEY_SHARES[named_curve]}" | grep -EA 1000 "prime:|P:")"
12761+
[[ "$ephemeral_param" != "$rfc7919_param" ]] && named_curve_str=""
12762+
fi
1275412763
fi
1275512764

1275612765
[[ $DEBUG -ge 3 ]] && [[ $dh_bits -ne 0 ]] && echo -e " dh_bits: DH,$named_curve_str $dh_bits bits\n"
@@ -15170,13 +15179,31 @@ get_common_prime() {
1517015179
local jsonID2="$1"
1517115180
local key_bitstring="$2"
1517215181
local spaces="$3"
15173-
local dh_p=""
15182+
local pubkey dh_p=""
1517415183
local -i subret=0
1517515184
local common_primes_file="$TESTSSL_INSTALL_DIR/etc/common-primes.txt"
1517615185
local -i lineno_matched=0
1517715186

1517815187
"$HAS_PKEY" || return 2
15179-
dh_p="$($OPENSSL pkey -pubin -text -noout 2>>$ERRFILE <<< "$key_bitstring" | awk '/prime:|prime P:/,/generator:|generator G:/' | grep -Ev "prime|generator")"
15188+
pubkey="$($OPENSSL pkey -pubin -text_pub -noout 2>>$ERRFILE <<< "$key_bitstring")"
15189+
if [[ "$pubkey" =~ GROUP: ]]; then
15190+
DH_GROUP_OFFERED="${pubkey#*GROUP: }"
15191+
case "$DH_GROUP_OFFERED" in
15192+
modp_1536) DH_GROUP_OFFERED="RFC3526/Oakley Group 5" ;;
15193+
modp_2048) DH_GROUP_OFFERED="RFC3526/Oakley Group 14" ;;
15194+
modp_3072) DH_GROUP_OFFERED="RFC3526/Oakley Group 15" ;;
15195+
modp_4096) DH_GROUP_OFFERED="RFC3526/Oakley Group 16" ;;
15196+
modp_6144) DH_GROUP_OFFERED="RFC3526/Oakley Group 17" ;;
15197+
modp_8192) DH_GROUP_OFFERED="RFC3526/Oakley Group 18" ;;
15198+
dh_1024_160) DH_GROUP_OFFERED="RFC5114/1024-bit DSA group with 160-bit prime order subgroup" ;;
15199+
dh_2048_224) DH_GROUP_OFFERED="RFC5114/2048-bit DSA group with 224-bit prime order subgroup" ;;
15200+
dh_2048_256) DH_GROUP_OFFERED="RFC5114/2048-bit DSA group with 256-bit prime order subgroup" ;;
15201+
esac
15202+
pubkey="$(awk -F'(' '/Public-Key/ { print $2 }' <<< "$pubkey")"
15203+
DH_GROUP_LEN_P="${pubkey%% bit*}"
15204+
return 0
15205+
fi
15206+
dh_p="$(awk '/prime:|P:/,/generator:|G:/' <<< "$pubkey" | grep -Ev "prime|P:|generator|G:")"
1518015207
dh_p="$(strip_spaces "$(colon_to_spaces "$(newline_to_spaces "$dh_p")")")"
1518115208
[[ "${dh_p:0:2}" == "00" ]] && dh_p="${dh_p:2}"
1518215209
DH_GROUP_LEN_P="$((4*${#dh_p}))"
@@ -16621,7 +16648,7 @@ run_robot() {
1662116648
# <random> should be a length that makes total length of $padded_pms
1662216649
# the same as the length of the public key. <random> should contain no 00 bytes.
1662316650
pubkeybits="$($OPENSSL x509 -noout -pubkey -in $HOSTCERT 2>>$ERRFILE | \
16624-
$OPENSSL pkey -pubin -text 2>>$ERRFILE | awk -F'(' '/Public-Key/ { print $2 }')"
16651+
$OPENSSL pkey -pubin -text_pub 2>>$ERRFILE | awk -F'(' '/Public-Key/ { print $2 }')"
1662516652
pubkeybits="${pubkeybits%%bit*}"
1662616653
pubkeybytes=$pubkeybits/8
1662716654
[[ $((pubkeybits%8)) -ne 0 ]] && pubkeybytes+=1

0 commit comments

Comments
 (0)