---
Tests for OpenSSL for EAL3 certification Copyright (C) 2003
International Business Machines, Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

OpenSSL Test Environment Requirements
Author: Michael A. Halcrow <mike@halcrow.us>

Purpose: To perform a set of functional tests on the OpenSSL libraries
to help satisfy the requirements of the Common Critaria Evaluation
Assurance Levels certification at level 3.  These tests comprise
mainly of the tests contained within the OpenSSL source code package,
slightly modified and extended to integrate with the Linux Test
Project.  Scripts perform various functional operations in order to
verify the expected behavior of the OpenSSL libraries and utilities.

Test Notes: Some of these tests, in order to have merit, must be run
against a ``known good'' reference platform implementation of SSL.
The reference platform must have a test user account on it, and one
must be able to perform an SSH login into that user's account on the
reference machine from the client on which the tests are being run.
The username and passward of this account can be set in environment
variables that are defined in the file ``environment_variables.txt''.
Also in this file is a variable definition for the reference platform
hostname.

In the event that a reference platform is not available, the test will
run against the client's own intallation of SSL, but the relevant test
results will have only verified that the OpenSSL implementation of SSL
was able to communicate with itself.

The test process involves creating a local test account (which may or
may not be used in the testing, depending on whether or not the
reference platform has been specified in the environment variables),
verifying that the system date is within the validity window of the
pre-generated certificates in the test, running the DES tests, running
the RSA tests, running the DSA tests, running the Diffie-Hellman
tests, running the SHA-1 tests, running the random number generation
tests, running the RC4 tests, running the RSA certificate
authentication tests, running the password tests, and then deleting
temporary accounts and (if necessary) restoring the system time.

---

I am told that the Common Criteria folks have decided that stunnel is
the best mechanism whereby to perform a basic functional test of the
OpenSSL libraries for EAL3.  In order to so this, I have chosen to use
a basic client/server dialog to perform the test.  An SSL handshake,
followed by a request and a response through the SSL channel take
place.  This requires some setup in the test environment.  I have
written a script to do this automatically.  Of course, the script is
completely agnostic as to what you have already done to set up your
system, and so it may not be the best approach.  For those who prefer
to have more control over what is happening on their system, I list
the requisite packages and their respective configurations in this
document.

Test environment requirements:

 - OpenSSL >=0.9.6g
 - Perl >=5.8.0
 - expect >=5.34
 - stunnel >=3.14
  - /etc/default/stunnel needs to contain this line:

ENABLE=1

  - /etc/stunnel/stunnel.conf needs to contain line:

cert = /etc/ssl/certs/stunnel_server_rsa.pem

  - Self-signed certificates must exist in /etc/ssl/certs

Run these shell commands to create stunnel's RSA certificates:

cd /etc/ssl/certs
openssl req -new -x509 -nodes -days 3700 -out stunnel_server_rsa.pem -keyout stunnel_server_rsa.pem
openssl req -new -x509 -nodes -days 3700 -out stunnel_client_rsa.pem -keyout stunnel_client_rsa.pem
chmod 600 stunnel_server_rsa.pem
chmod 600 stunnel_client_rsa.pem
dd if=/dev/urandom of=temp_file count=2
openssl dhparam -rand temp_file 512 >> stunnel_server_rsa.pem
dd if=/dev/urandom of=temp_file count=2
openssl dhparam -rand temp_file 512 >> stunnel_client_rsa.pem
rm -f temp_file
ln -sf stunnel_server_rsa.pem `openssl x509 -noout -hash < stunnel_server_rsa.pem`.0
ln -sf stunnel_client_rsa.pem `openssl x509 -noout -hash < stunnel_client_rsa.pem`.0

 - See the ``environment_variables.txt'' file for a list of
   environment variables that may be set for the tests.

 - Note that stunnel does not yet support certificates signed with a DSA key.


RUNNING SSL HANDSHAKE AND DATA EXCHANGE TEST WITH REMOTE SERVER

By default, the LTP OpenSSL test will run everything locally.  However,
it is possible to run the SSL handshake and data exchange test with
a remote peer.  That peer is known as the ``reference platform'' in the
code and documentation.  The procedure for running this test between
remote machines is as follows:

 - Perform the full test installation procedure on both machines.  This
   basically involves running ``make; make install; ./install.sh'' as 
   the root user in testcases/openssl directory.
 - On the server machine:
   - Run ``stunnel -v 2 -d 42422 -r 42423 -p /etc/ssl/certs/stunnel_server_rsa.pem -A /etc/ssl/certs/stunnel_client_rsa.pem''
   - Enter the testcases/bin directory
   - Run ``./server''
 - On the client machine:
   - Run ``stunnel -c -d 42421 -r server.hostname:42422 -p /etc/ssl/certs/stunnel_client_rsa.pem'', substituting the real hostname or IP address for ``server.hostname''
   - Enter the testcases/bin directory
   - Run ``./client''
 - A success result occurs if you see the string ``Goodbye'' on the client machine
 - You can clean up both machines by running ``killall stunnel'' on each

Note that stunnel links against the libssl that you have available on
your machine.  As long as the API for that SSL library is correct,
stunnel will be able to use that SSL implementation in the exchange.

