diff options
| author | Parménides GV <parmegv@sdf.org> | 2014-11-04 20:45:42 +0100 |
|---|---|---|
| committer | Parménides GV <parmegv@sdf.org> | 2014-11-04 20:45:42 +0100 |
| commit | 5304543ebd60778ad46123cd63142e27627fa150 (patch) | |
| tree | b07723b530e20b23ae83de822387f6551ea7f9f4 /ics-openvpn-stripped/main/openssl/android.testssl | |
| parent | 713c3a98f53a6bd1ad94e90f28d3e37d20abfab9 (diff) | |
Update ics-openvpn to rev 906.
Diffstat (limited to 'ics-openvpn-stripped/main/openssl/android.testssl')
5 files changed, 422 insertions, 0 deletions
diff --git a/ics-openvpn-stripped/main/openssl/android.testssl/CAss.cnf b/ics-openvpn-stripped/main/openssl/android.testssl/CAss.cnf new file mode 100644 index 00000000..77c01c30 --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/android.testssl/CAss.cnf @@ -0,0 +1,76 @@ +# +# SSLeay example configuration file. +# This is mostly being used for generation of certificate requests. +# + +RANDFILE = /sdcard/android.testssl/.rnd + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = keySS.pem +distinguished_name = req_distinguished_name +encrypt_rsa_key = no +default_md = sha1 + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_value = AU + +organizationName = Organization Name (eg, company) +organizationName_value = Dodgy Brothers + +commonName = Common Name (eg, YOUR name) +commonName_value = Dodgy CA + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = v3_ca # The extentions to add to the cert + +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering + +policy = policy_anything + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + + + +[ v3_ca ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +basicConstraints = CA:true,pathlen:1 +keyUsage = cRLSign, keyCertSign +issuerAltName=issuer:copy diff --git a/ics-openvpn-stripped/main/openssl/android.testssl/Uss.cnf b/ics-openvpn-stripped/main/openssl/android.testssl/Uss.cnf new file mode 100644 index 00000000..317ab6de --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/android.testssl/Uss.cnf @@ -0,0 +1,36 @@ +# +# SSLeay example configuration file. +# This is mostly being used for generation of certificate requests. +# + +RANDFILE = /sdcard/android.testssl/.rnd + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = keySS.pem +distinguished_name = req_distinguished_name +encrypt_rsa_key = no +default_md = sha256 + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_value = AU + +organizationName = Organization Name (eg, company) +organizationName_value = Dodgy Brothers + +0.commonName = Common Name (eg, YOUR name) +0.commonName_value = Brother 1 + +1.commonName = Common Name (eg, YOUR name) +1.commonName_value = Brother 2 + +[ v3_ee ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +issuerAltName=issuer:copy + diff --git a/ics-openvpn-stripped/main/openssl/android.testssl/server2.pem b/ics-openvpn-stripped/main/openssl/android.testssl/server2.pem new file mode 100644 index 00000000..a3927cf7 --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/android.testssl/server2.pem @@ -0,0 +1,52 @@ +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert #2 +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID6jCCAtKgAwIBAgIJALnu1NlVpZ60MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZzELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxHDAaBgNVBAMME1Rlc3QgU2VydmVyIENlcnQg +IzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrdi7j9yctG+L4EjBy +gjPmEqZzOJEQba26MoQGzglU7e5Xf59Rb/hgVQuKAoiZe7/R8rK4zJ4W7iXdXw0L +qBpyG8B5aGKeI32w+A9TcBApoXXL2CrYQEQjZwUIpLlYBIi2NkJj3nVkq5dgl1gO +ALiQ+W8jg3kzg5Ec9rimp9r93N8wsSL3awsafurmYCvOf7leHaMP1WJ/zDRGUNHG +/WtDjXc8ZUG1+6EXU9Jc2Fs+2Omf7fcN0l00AK/wPg8OaNS0rKyGq9JdIT9FRGV1 +bXe/rx58FaE5CItdwCSYhJvF/O95LWQoxJXye5bCFLmvDTEyVq9FMSCptfsmbXjE +ZGsXAgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJ +YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud +DgQWBBR52UaWWTKzZGDH/X4mWNcuqeQVazAfBgNVHSMEGDAWgBQ2w2yI55X+sL3s +zj49hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEANBW+XYLlHBqVY/31ie+3gRlS +LPfy4SIqn0t3RJjagT29MXprblBO2cbMO8VGjkQdKGpmMXjxbht2arOOUXRHX4n/ +XTyn/QHEf0bcwIITMReO3DZUPAEw8hSjn9xEOM0IRVOCP+mH5fi74QzzQaZVCyYg +5VtLKdww/+sc0nCbKl2KWgDluriH0nfVx95qgW3mg9dhXRr0zmf1w2zkBHYpARYL +Dew6Z8EE4tS3HJu8/qM6meWzNtrfonQ3eiiMxjZBxzV46jchBwa2z9XYhP6AmpPb +oeTSzcQNbWsxaGYzWo46oLDUZmJOwSBawbS31bZNMCoPIY6ukoesCzFSsUKZww== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA63Yu4/cnLRvi+BIwcoIz5hKmcziREG2tujKEBs4JVO3uV3+f +UW/4YFULigKImXu/0fKyuMyeFu4l3V8NC6gachvAeWhiniN9sPgPU3AQKaF1y9gq +2EBEI2cFCKS5WASItjZCY951ZKuXYJdYDgC4kPlvI4N5M4ORHPa4pqfa/dzfMLEi +92sLGn7q5mArzn+5Xh2jD9Vif8w0RlDRxv1rQ413PGVBtfuhF1PSXNhbPtjpn+33 +DdJdNACv8D4PDmjUtKyshqvSXSE/RURldW13v68efBWhOQiLXcAkmISbxfzveS1k +KMSV8nuWwhS5rw0xMlavRTEgqbX7Jm14xGRrFwIDAQABAoIBAHLsTPihIfLnYIE5 +x4GsQQ5zXeBw5ITDM37ktwHnQDC+rIzyUl1aLD1AZRBoKinXd4lOTqLZ4/NHKx4A +DYr58mZtWyUmqLOMmQVuHXTZBlp7XtYuXMMNovQwjQlp9LicBeoBU6gQ5PVMtubD +F4xGF89Sn0cTHW3iMkqTtQ5KcR1j57OcJO0FEb1vPvk2MXI5ZyAatUYE7YacbEzd +rg02uIwx3FqNSkuSI79uz4hMdV5TPtuhxx9nTwj9aLUhXFeZ0mn2PVgVzEnnMoJb ++znlsZDgzDlJqdaD744YGWh8Z3OEssB35KfzFcdOeO6yH8lmv2Zfznk7pNPT7LTb +Lae9VgkCgYEA92p1qnAB3NtJtNcaW53i0S5WJgS1hxWKvUDx3lTB9s8X9fHpqL1a +E94fDfWzp/hax6FefUKIvBOukPLQ6bYjTMiFoOHzVirghAIuIUoMI5VtLhwD1hKs +Lr7l/dptMgKb1nZHyXoKHRBthsy3K4+udsPi8TzMvYElgEqyQIe/Rk0CgYEA86GL +8HC6zLszzKERDPBxrboRmoFvVUCTQDhsfj1M8aR3nQ8V5LkdIJc7Wqm/Ggfk9QRf +rJ8M2WUMlU5CNnCn/KCrKzCNZIReze3fV+HnKdbcXGLvgbHPrhnz8yYehUFG+RGq +bVyDWRU94T38izy2s5qMYrMJWZEYyXncSPbfcPMCgYAtaXfxcZ+V5xYPQFARMtiX +5nZfggvDoJuXgx0h3tK/N2HBfcaSdzbaYLG4gTmZggc/jwnl2dl5E++9oSPhUdIG +3ONSFUbxsOsGr9PBvnKd8WZZyUCXAVRjPBzAzF+whzQNWCZy/5htnz9LN7YDI9s0 +5113Q96cheDZPFydZY0hHQKBgQDVbEhNukM5xCiNcu+f2SaMnLp9EjQ4h5g3IvaP +5B16daw/Dw8LzcohWboqIxeAsze0GD/D1ZUJAEd0qBjC3g+a9BjefervCjKOzXng +38mEUm+6EwVjJSQcjSmycEs+Sr/kwr/8i5WYvU32+jk4tFgMoC+o6tQe/Uesf68k +z/dPVwKBgGbF7Vv1/3SmhlOy+zYyvJ0CrWtKxH9QP6tLIEgEpd8x7YTSuCH94yok +kToMXYA3sWNPt22GbRDZ+rcp4c7HkDx6I6vpdP9aQEwJTp0EPy0sgWr2XwYmreIQ +NFmkk8Itn9EY2R9VBaP7GLv5kvwxDdLAnmwGmzVtbmaVdxCaBwUk +-----END RSA PRIVATE KEY----- diff --git a/ics-openvpn-stripped/main/openssl/android.testssl/testssl b/ics-openvpn-stripped/main/openssl/android.testssl/testssl new file mode 100755 index 00000000..5ff48604 --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/android.testssl/testssl @@ -0,0 +1,181 @@ +#!/bin/sh + +if [ "$1" = "" ]; then + key=../apps/server.pem +else + key="$1" +fi +if [ "$2" = "" ]; then + cert=../apps/server.pem +else + cert="$2" +fi +ssltest="adb shell /system/bin/ssltest -key $key -cert $cert -c_key $key -c_cert $cert" + +if adb shell /system/bin/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then + dsa_cert=YES +else + dsa_cert=NO +fi + +if [ "$3" = "" ]; then + CA="-CApath ../certs" +else + CA="-CAfile $3" +fi + +if [ "$4" = "" ]; then + extra="" +else + extra="$4" +fi + +############################################################################# + +echo test sslv2 +$ssltest -ssl2 $extra || exit 1 + +echo test sslv2 with server authentication +$ssltest -ssl2 -server_auth $CA $extra || exit 1 + +if [ $dsa_cert = NO ]; then + echo test sslv2 with client authentication + $ssltest -ssl2 -client_auth $CA $extra || exit 1 + + echo test sslv2 with both client and server authentication + $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1 +fi + +echo test sslv3 +$ssltest -ssl3 $extra || exit 1 + +echo test sslv3 with server authentication +$ssltest -ssl3 -server_auth $CA $extra || exit 1 + +echo test sslv3 with client authentication +$ssltest -ssl3 -client_auth $CA $extra || exit 1 + +echo test sslv3 with both client and server authentication +$ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 +$ssltest $extra || exit 1 + +echo test sslv2/sslv3 with server authentication +$ssltest -server_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 with client authentication +$ssltest -client_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 with both client and server authentication +$ssltest -server_auth -client_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 with both client and server authentication and handshake cutthrough +$ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1 + +echo test sslv2 via BIO pair +$ssltest -bio_pair -ssl2 $extra || exit 1 + +echo test sslv2 with server authentication via BIO pair +$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1 + +if [ $dsa_cert = NO ]; then + echo test sslv2 with client authentication via BIO pair + $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1 + + echo test sslv2 with both client and server authentication via BIO pair + $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1 +fi + +echo test sslv3 via BIO pair +$ssltest -bio_pair -ssl3 $extra || exit 1 + +echo test sslv3 with server authentication via BIO pair +$ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1 + +echo test sslv3 with client authentication via BIO pair +$ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1 + +echo test sslv3 with both client and server authentication via BIO pair +$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 via BIO pair +$ssltest $extra || exit 1 + +if [ $dsa_cert = NO ]; then + echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair' + $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1 +fi + +echo test sslv2/sslv3 with 1024bit DHE via BIO pair +$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1 + +echo test sslv2/sslv3 with server authentication +$ssltest -bio_pair -server_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 with client authentication via BIO pair +$ssltest -bio_pair -client_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 with both client and server authentication via BIO pair +$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1 + +echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify +$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 + +echo "Testing ciphersuites" +for protocol in TLSv1.2 SSLv3; do + echo "Testing ciphersuites for $protocol" + for cipher in `adb shell /system/bin/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do + echo "Testing $cipher" + prot="" + if [ $protocol = "SSLv3" ] ; then + prot="-ssl3" + fi + $ssltest -cipher $cipher $prot + if [ $? -ne 0 ] ; then + echo "Failed $cipher" + exit 1 + fi + done +done + +############################################################################# + +if [ `adb shell /system/bin/openssl no-dh` = no-dh ]; then + echo skipping anonymous DH tests +else + echo test tls1 with 1024bit anonymous DH, multiple handshakes + $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1 +fi + +if [ `adb shell /system/bin/openssl no-rsa` = no-dh ]; then + echo skipping RSA tests +else + echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes' + adb shell /system/bin/ssltest -v -bio_pair -tls1 -cert /sdcard/android.testssl/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 + + if [ `adb shell /system/bin/openssl no-dh` = no-dh ]; then + echo skipping RSA+DHE tests + else + echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes + adb shell /system/bin/ssltest -v -bio_pair -tls1 -cert /sdcard/android.testssl/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 + fi +fi + +echo test tls1 with PSK +$ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1 + +echo test tls1 with PSK via BIO pair +$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1 + +if adb shell /system/bin/openssl no-srp; then + echo skipping SRP tests +else + echo test tls1 with SRP + $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 + + echo test tls1 with SRP via BIO pair + $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 +fi + +exit 0 diff --git a/ics-openvpn-stripped/main/openssl/android.testssl/testssl.sh b/ics-openvpn-stripped/main/openssl/android.testssl/testssl.sh new file mode 100755 index 00000000..cd560928 --- /dev/null +++ b/ics-openvpn-stripped/main/openssl/android.testssl/testssl.sh @@ -0,0 +1,77 @@ +#!/bin/bash +# +# Copyright (C) 2010 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# +# Android testssl.sh driver script for openssl's testssl +# +# based on openssl's test/testss script and test/Makefile's test_ssl target +# + +set -e +trap "echo Exiting on unexpected error." ERR + +device=/sdcard/android.testssl + +digest='-sha1' +reqcmd="adb shell /system/bin/openssl req" +x509cmd="adb shell /system/bin/openssl x509 $digest" + +CAkey="$device/keyCA.ss" +CAcert="$device/certCA.ss" +CAreq="$device/reqCA.ss" +CAconf="$device/CAss.cnf" + +Uconf="$device/Uss.cnf" +Ureq="$device/reqU.ss" +Ukey="$device/keyU.ss" +Ucert="$device/certU.ss" + +echo +echo "setting up" +adb remount +adb shell rm -r $device +adb shell mkdir $device + +echo +echo "pushing test files to device" +adb push . $device + +echo +echo "make a certificate request using 'req'" +adb shell "echo \"string to make the random number generator think it has entropy\" >> $device/.rnd" +req_new='-new' +$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new + +echo +echo "convert the certificate request into a self signed certificate using 'x509'" +$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca + +echo +echo "make a user certificate request using 'req'" +$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new + +echo +echo "sign user certificate request with the just created CA via 'x509'" +$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee + +echo +echo "running testssl" +./testssl $Ukey $Ucert $CAcert + +echo +echo "cleaning up" +adb shell rm -r $device |