author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-12 12:46:10 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-27 11:41:42 +0100 |
commit | 21d4cd5acdc6dc88b339724f484cec1521c8be46 (patch) | |
tree | 8fa5c75bacade8a98de2541e2906abff8df8c5e5 /tests/fips-test.c | |
parent | f965513341aa5fc5c40c8711cfea3d3fe9dfe5d0 (diff) | |
download | gnutls-21d4cd5acdc6dc88b339724f484cec1521c8be46.tar.gz |
Updated FIPS140 initialization and added a self test for it.
Diffstat (limited to 'tests/fips-test.c')
-rw-r--r-- | tests/fips-test.c | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/tests/fips-test.c b/tests/fips-test.c
new file mode 100644
index 0000000000..cbe3dbb79f
--- /dev/null
+++ b/tests/fips-test.c
@@ -0,0 +1,142 @@
+#include <config.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <utils.h>
+#include <stdlib.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <gnutls/abstract.h>
+#include <gnutls/x509.h>
+#include <gnutls/fips140.h>
+
+void _gnutls_fips140_simulate_error(void);
+
+/* This does check the FIPS140 support.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+static char key16[16];
+static char iv16[16];
+
+void doit(void)
+{
+int ret;
+#ifdef ENABLE_FIPS140
+ gnutls_cipher_hd_t ch;
+ gnutls_hmac_hd_t mh;
+ gnutls_session_t session;
+ gnutls_pubkey_t pubkey;
+ gnutls_x509_privkey_t xprivkey;
+ gnutls_privkey_t privkey;
+ gnutls_datum_t key = { key16, sizeof(key16) };
+ gnutls_datum_t iv = { iv16, sizeof(iv16) };
+
+ fprintf(stderr, "Please note that you need to assure the library's integrity prior to running this test\n");
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ ret = gnutls_fips140_mode_enabled();
+ if (ret == 0) {
+ fail("We are not in FIPS140 mode\n");
+ }
+
+ ret = global_init();
+ if (ret < 0) {
+ fail("Cannot initialize library\n");
+ }
+
+ /* Try crypto.h functionality */
+ ret = gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv);
+ if (ret < 0) {
+ fail("gnutls_cipher_init failed\n");
+ }
+ gnutls_cipher_deinit(ch);
+
+ ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
+ if (ret < 0) {
+ fail("gnutls_hmac_init failed\n");
+ }
+ gnutls_hmac_deinit(mh, NULL);
+
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
+ if (ret < 0) {
+ fail("gnutls_rnd failed\n");
+ }
+
+ ret = gnutls_pubkey_init(&pubkey);
+ if (ret < 0) {
+ fail("gnutls_pubkey_init failed\n");
+ }
+ gnutls_pubkey_deinit(pubkey);
+
+ ret = gnutls_privkey_init(&privkey);
+ if (ret < 0) {
+ fail("gnutls_privkey_init failed\n");
+ }
+ gnutls_privkey_deinit(privkey);
+
+ ret = gnutls_x509_privkey_init(&xprivkey);
+ if (ret < 0) {
+ fail("gnutls_privkey_init failed\n");
+ }
+ gnutls_x509_privkey_deinit(xprivkey);
+
+ ret = gnutls_init(&session, 0);
+ if (ret < 0) {
+ fail("gnutls_init failed\n");
+ }
+ gnutls_deinit(session);
+
+ /* Test when FIPS140 is set to error state */
+ _gnutls_fips140_simulate_error();
+
+
+ /* Try crypto.h functionality */
+ ret = gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv);
+ if (ret >= 0) {
+ fail("gnutls_cipher_init succeeded when in FIPS140 error state\n");
+ }
+
+ ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
+ if (ret >= 0) {
+ fail("gnutls_hmac_init succeeded when in FIPS140 error state\n");
+ }
+
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
+ if (ret >= 0) {
+ fail("gnutls_rnd succeeded when in FIPS140 error state\n");
+ }
+
+ ret = gnutls_pubkey_init(&pubkey);
+ if (ret >= 0) {
+ fail("gnutls_pubkey_init succeeded when in FIPS140 error state\n");
+ }
+
+ ret = gnutls_privkey_init(&privkey);
+ if (ret >= 0) {
+ fail("gnutls_privkey_init succeeded when in FIPS140 error state\n");
+ }
+
+ ret = gnutls_x509_privkey_init(&xprivkey);
+ if (ret >= 0) {
+ fail("gnutls_x509_privkey_init succeeded when in FIPS140 error state\n");
+ }
+
+ ret = gnutls_init(&session, 0);
+ if (ret >= 0) {
+ fail("gnutls_init succeeded when in FIPS140 error state\n");
+ }
+
+ gnutls_global_deinit();
+ return 0;
+#else
+ return 1; /* fail. This script shouldn't be called on this case */
+#endif
+}
|
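Review bot: `doit()` is declared `void` yet ends with `return 0;` in the `#ifdef ENABLE_FIPS140` branch and `return 1;` in the `#else` branch; besides being a constraint violation in C, the `#else` value is simply discarded, so a build without FIPS140 support passes this test instead of failing as the trailing comment intends. Replacing the `#else` body with `fail("FIPS140 mode is not compiled in\n");` and dropping the `return 0;` routes the outcome through the harness like every other check in the file. The first-pass check after `gnutls_x509_privkey_init(&xprivkey)` reports `fail("gnutls_privkey_init failed\n")`, a copy of the preceding message, and should read `gnutls_x509_privkey_init failed`. Since `key16` and `iv16` are zero-filled static buffers, a one-line comment such as `/* all-zero key/iv: only API availability in FIPS mode is checked, not cipher output */` would keep a later reader from mistaking the first pass for a known-answer test. The deinit calls that follow each first-pass `fail()` are only safe if utils.h's `fail()` does not return, which this hunk does not show.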