diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-21 14:07:22 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-22 08:46:04 +0100 |
commit | 7386509fb36bd0290355dd0af9dbef61af9b6499 (patch) | |
tree | 16f7e361586c62d39931a4d1e60e957aff336338 | |
parent | 6ef0944c12a9ea3f5e841aea76f433d6e1cd353c (diff) | |
download | gnutls-7386509fb36bd0290355dd0af9dbef61af9b6499.tar.gz |
tests: added unit test of gnutls_pubkey_verify_data2 override flags
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/privkey-verify-broken.c | 141 |
2 files changed, 142 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index e33acc2607..144c95dc0e 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -90,7 +90,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred cert certuniqueid \ long-session-id mini-x509-callbacks-intr mini-dtls-lowmtu \ crlverify mini-dtls-discard init_fds mini-record-failure \ tls-rehandshake-cert-2 custom-urls set_x509_key_mem set_x509_key_file \ - mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu \ + mini-chain-unsorted x509-verify-with-crl mini-dtls-mtu privkey-verify-broken \ mini-dtls-record-asym openpgp-callback key-import-export \ mini-dtls-fork mini-dtls-pthread mini-key-material x509cert-invalid \ strict-der tls-ext-register tls-supplemental mini-dtls0-9 \ diff --git a/tests/privkey-verify-broken.c b/tests/privkey-verify-broken.c new file mode 100644 index 0000000000..098a511bf4 --- /dev/null +++ b/tests/privkey-verify-broken.c @@ -0,0 +1,141 @@ +/* + * Copyright (C) 2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <gnutls/abstract.h> +#include <assert.h> + +#include "utils.h" +#include "cert-common.h" + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +const gnutls_datum_t raw_data = { + (void *) "hello there", + 11 +}; + +static int sign_verify_data(gnutls_x509_privkey_t pkey, unsigned algo, unsigned vflags) +{ + int ret; + gnutls_privkey_t privkey; + gnutls_pubkey_t pubkey; + gnutls_datum_t signature; + + /* sign arbitrary data */ + assert(gnutls_privkey_init(&privkey) >= 0); + + ret = gnutls_privkey_import_x509(privkey, pkey, 0); + if (ret < 0) + fail("gnutls_pubkey_import_x509\n"); + + ret = gnutls_privkey_sign_data(privkey, algo, 0, + &raw_data, &signature); + if (ret < 0) { + ret = -1; + goto cleanup; + } + + /* verify data */ + assert(gnutls_pubkey_init(&pubkey) >= 0); + + ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); + if (ret < 0) + fail("gnutls_pubkey_import_privkey\n"); + + ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),algo), + vflags, &raw_data, &signature); + if (ret < 0) { + ret = -1; + goto cleanup; + } + + ret = 0; + cleanup: + gnutls_pubkey_deinit(pubkey); + gnutls_privkey_deinit(privkey); + gnutls_free(signature.data); + + return ret; +} + +void doit(void) +{ + gnutls_x509_privkey_t pkey; + int ret; + + ret = global_init(); + if (ret < 0) + fail("global_init: %d\n", ret); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + ret = gnutls_x509_privkey_init(&pkey); + if (ret < 0) { + fail("gnutls_x509_privkey_init: %d\n", ret); + } + + ret = gnutls_x509_privkey_import(pkey, &key_dat, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("gnutls_privkey_generate: %s\n", gnutls_strerror(ret)); + } + + if (sign_verify_data(pkey, GNUTLS_DIG_SHA1, GNUTLS_VERIFY_ALLOW_BROKEN) < 0) + fail("failed verification with SHA1 and override flags2!\n"); + + if (sign_verify_data(pkey, GNUTLS_DIG_MD5, 0) >= 0) + fail("succeeded verification with SHA1!\n"); + + if (!gnutls_fips140_mode_enabled()) { + if (sign_verify_data(pkey, GNUTLS_DIG_MD5, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5) < 0) + fail("failed verification with MD5 and override flags!\n"); + + if (sign_verify_data(pkey, GNUTLS_DIG_MD5, GNUTLS_VERIFY_ALLOW_BROKEN) < 0) + fail("failed verification with MD5 and override flags2!\n"); + } + + if (sign_verify_data(pkey, GNUTLS_DIG_SHA256, 0) < 0) + fail("failed verification with SHA256!\n"); + + if (sign_verify_data(pkey, GNUTLS_DIG_SHA512, 0) < 0) + fail("failed verification with SHA512!\n"); + + if (sign_verify_data(pkey, GNUTLS_DIG_SHA3_256, 0) < 0) + fail("failed verification with SHA3-256!\n"); + + gnutls_x509_privkey_deinit(pkey); + + gnutls_global_deinit(); +} |