diff options
author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-04-04 15:45:02 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-09-26 12:28:07 +0200 |
commit | cfb37fd2fcb87151d130e949364820825926dca7 (patch) | |
tree | cc7db0cdcf624d8623194853a0bd379231de3b70 | |
parent | 5f178a40b3add7a0f43748ecf2a376a15663cf2d (diff) | |
download | gnutls-cfb37fd2fcb87151d130e949364820825926dca7.tar.gz |
crypto-selftests-pk.c: Fix test_known_sig
Previously a new signature was generated only for deterministic
algorithms (i.e. only RSA). With this, a new signature is always
generated (and compared with a stored signature for deterministic
algorithms). The signature verification is tested for both generated
and stored signatures.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-rw-r--r-- | lib/crypto-selftests-pk.c | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c index 0233e6b9f3..ba8f5e3768 100644 --- a/lib/crypto-selftests-pk.c +++ b/lib/crypto-selftests-pk.c @@ -475,19 +475,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, goto cleanup; } - /* Test if the signature we generate matches the stored */ + ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + /* Test if the generated signature matches the stored */ ssig.data = (void *) stored_sig; ssig.size = stored_sig_size; if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */ - ret = - gnutls_privkey_sign_data(key, dig, 0, &signed_data, - &sig); - if (ret < 0) { - gnutls_assert(); - goto cleanup; - } - if (sig.size != ssig.size || memcmp(sig.data, ssig.data, sig.size) != 0) { ret = GNUTLS_E_SELF_TEST_ERROR; @@ -507,7 +505,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, } } - /* Test if we can verify the signature */ + /* Test if we can verify the generated signature */ ret = gnutls_pubkey_import_privkey(pub, key, 0, 0); if (ret < 0) { @@ -517,6 +515,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, ret = gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, + &signed_data, &sig); + if (ret < 0) { + ret = GNUTLS_E_SELF_TEST_ERROR; + gnutls_assert(); + goto cleanup; + } + + /* Test if we can verify the stored signature */ + + ret = + gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, &signed_data, &ssig); if (ret < 0) { ret = GNUTLS_E_SELF_TEST_ERROR; @@ -528,7 +537,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, ret = gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0, - &bad_data, &ssig); + &bad_data, &sig); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { ret = GNUTLS_E_SELF_TEST_ERROR; |