-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | tests/slow/Makefile.am | 13 | ||||
-rw-r--r-- | tests/slow/cipher-openssl-compat.c | 117 | ||||
-rw-r--r--[-rwxr-xr-x] | tests/slow/test-ciphers-common.sh (renamed from tests/slow/test-ciphers) | 3 | ||||
-rwxr-xr-x | tests/slow/test-ciphers-openssl.sh | 27 | ||||
-rwxr-xr-x | tests/slow/test-ciphers.sh | 27 |
8 files changed, 191 insertions, 7 deletions
diff --git a/.gitignore b/.gitignore index eb3251f369..136127b23a 100644 --- a/.gitignore +++ b/.gitignore @@ -873,3 +873,4 @@ tests/pkcs11/pkcs11-pubkey-import-ecdsa tests/pkcs11/pkcs11-pubkey-import-rsa tests/softhsm-*.db/ tests/status-request-missing +tests/slow/cipher-openssl-compat @@ -77,13 +77,13 @@ and polarssl. Debian/Ubuntu: ``` -apt-get install -y valgrind libasan1 nodejs softhsm datefudge lcov +apt-get install -y valgrind libasan1 nodejs softhsm datefudge lcov libssl-dev apt-get install -y dieharder libpolarssl-runtime openssl abi-compliance-checker ``` Fedora/RHEL: ``` -yum install -y valgrind libasan nodejs softhsm datefudge lcov +yum install -y valgrind libasan nodejs softhsm datefudge lcov openssl-devel yum install -y dieharder mbedtls-utils openssl abi-compliance-checker ``` diff --git a/configure.ac b/configure.ac index b6653d1c37..226fd7432f 100644 --- a/configure.ac +++ b/configure.ac @@ -255,6 +255,12 @@ AM_CONDITIONAL(HAVE_SECCOMP_TESTS, test "$seccomp_tests" = "yes") AC_LIB_HAVE_LINKFLAGS(seccomp,, [#include <seccomp.h> ], [seccomp_init(0);]) +# check for libcrypto - used in test programs +AC_LIB_HAVE_LINKFLAGS(crypto,, [#include <openssl/evp.h> +], [EVP_CIPHER_CTX_init(NULL);]) + +AM_CONDITIONAL(HAVE_LIBCRYPTO, test "$HAVE_LIBCRYPTO" = "yes") + AC_LIB_HAVE_LINKFLAGS(rt,, [#include <time.h> #include <signal.h> ], [timer_create (0,0,0);]) diff --git a/tests/slow/Makefile.am b/tests/slow/Makefile.am index 302b9067ba..0582b52664 100644 --- a/tests/slow/Makefile.am +++ b/tests/slow/Makefile.am 
@@ -47,9 +47,18 @@ cipher_override_LDFLAGS = $(NETTLE_LIBS) $(HOGWEED_LIBS) $(GMP_LIBS) $(LDADD) mac_override_LDFLAGS = $(NETTLE_LIBS) $(HOGWEED_LIBS) $(GMP_LIBS) $(LDADD) endif -dist_check_SCRIPTS = test-ciphers override-ciphers test-hash-large + +dist_check_SCRIPTS = test-ciphers.sh override-ciphers test-hash-large test-ciphers-common.sh check_PROGRAMS = $(ctests) cipher-test cipher-override mac-override cipher-override2 hash-large -TESTS = $(ctests) test-ciphers override-ciphers test-hash-large +TESTS = $(ctests) test-ciphers.sh override-ciphers test-hash-large + +if HAVE_LIBCRYPTO +cipher_openssl_compat_LDFLAGS = $(LDADD) $(LIBCRYPTO) + +dist_check_SCRIPTS += test-ciphers-openssl.sh +check_PROGRAMS += cipher-openssl-compat +TESTS += test-ciphers-openssl.sh +endif EXTRA_DIST = README diff --git a/tests/slow/cipher-openssl-compat.c b/tests/slow/cipher-openssl-compat.c new file mode 100644 index 0000000000..e2b9b28360 --- /dev/null +++ b/tests/slow/cipher-openssl-compat.c 
@@ -0,0 +1,117 @@
+#include <config.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <utils.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <openssl/evp.h>
+
+/* This does check the AES and CHACHA20 implementations for compatibility
+ * with openssl.
+ */
+
+#define BSIZE (64*1024+12)
+#define B2SIZE (1024+7)
+static unsigned char buffer_auth[B2SIZE];
+static unsigned char orig_plain_data[BSIZE];
+static unsigned char enc_data[BSIZE+32]; /* allow for tag */
+static unsigned char dec_data[BSIZE];
+
+static int cipher_test(const char *ocipher, gnutls_cipher_algorithm_t gcipher, unsigned tag_size)
+{
+ int ret;
+ gnutls_aead_cipher_hd_t hd;
+ gnutls_datum_t dkey, dnonce;
+ unsigned char key[32];
+ unsigned char nonce[32];
+ size_t enc_data_size, dec_data_size;
+ int dec_data_size2;
+ EVP_CIPHER_CTX ctx;
+ const EVP_CIPHER *evp_cipher;
+ unsigned char tag[64];
+
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, orig_plain_data, sizeof(orig_plain_data)) >= 0);
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, buffer_auth, sizeof(buffer_auth)) >= 0);
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, key, sizeof(key)) >= 0);
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, nonce, sizeof(nonce)) >= 0);
+
+ dkey.data = (void*)key;
+ dkey.size = gnutls_cipher_get_key_size(gcipher);
+ assert(gnutls_aead_cipher_init(&hd, gcipher, &dkey) >= 0);
+
+ dnonce.data = (void*)nonce;
+ dnonce.size = gnutls_cipher_get_iv_size(gcipher);
+
+ enc_data_size = sizeof(enc_data);
+ assert(gnutls_aead_cipher_encrypt(hd, dnonce.data, dnonce.size,
+ buffer_auth, sizeof(buffer_auth), tag_size, orig_plain_data, sizeof(orig_plain_data),
+ enc_data, &enc_data_size) >= 0);
+
+ if (debug)
+ success("encrypted %d bytes, to %d\n", (int)sizeof(orig_plain_data), (int)enc_data_size);
+
+ dec_data_size = sizeof(dec_data);
+ ret = gnutls_aead_cipher_decrypt(hd, dnonce.data, dnonce.size,
+ buffer_auth, sizeof(buffer_auth), tag_size, enc_data, enc_data_size,
+ dec_data, &dec_data_size);
+ if (ret < 0) {
+ fail("error in gnutls_aead_cipher_decrypt for %s: %s\n", ocipher, gnutls_strerror(ret));
+ }
+
+ if (dec_data_size != sizeof(orig_plain_data) || memcmp(dec_data, orig_plain_data, sizeof(orig_plain_data)) != 0) {
+ fail("gnutls encrypt-decrypt failed (got: %d, expected: %d)\n", (int)dec_data_size, (int)sizeof(orig_plain_data));
+ }
+
+ gnutls_aead_cipher_deinit(hd);
+
+ /* decrypt with openssl */
+ evp_cipher = EVP_get_cipherbyname(ocipher);
+ if (!evp_cipher)
+ fail("EVP_get_cipherbyname failed for %s\n", ocipher);
+
+ EVP_CIPHER_CTX_init(&ctx);
+ assert(EVP_CipherInit_ex(&ctx, evp_cipher, NULL, key, nonce, 0) > 0);
+
+ EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, tag_size, enc_data+enc_data_size-tag_size);
+
+ dec_data_size2 = sizeof(dec_data);
+ assert(EVP_CipherUpdate(&ctx, NULL, &dec_data_size2, buffer_auth, sizeof(buffer_auth)) > 0);
+ dec_data_size2 = sizeof(dec_data);
+ assert(EVP_CipherUpdate(&ctx, dec_data, &dec_data_size2, enc_data, enc_data_size-tag_size) > 0);
+
+ dec_data_size = dec_data_size2;
+ dec_data_size2 = tag_size;
+ assert(EVP_CipherFinal_ex(&ctx, tag, &dec_data_size2) > 0);
+
+ if (dec_data_size != sizeof(orig_plain_data) || memcmp(dec_data, orig_plain_data, sizeof(orig_plain_data)) != 0) {
+ fail("openssl decrypt failed for %s\n", ocipher);
+ }
+
+ return 0;
+}
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ global_init();
+ OpenSSL_add_all_algorithms();
+
+ /* ciphers */
+ cipher_test("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM, 16);
+ cipher_test("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM, 16);
+
+ gnutls_global_deinit();
+ return;
+}
+
diff --git a/tests/slow/test-ciphers b/tests/slow/test-ciphers-common.sh
index 280f60d066..e5e2d51ac8 100755..100644
--- a/tests/slow/test-ciphers
+++ b/tests/slow/test-ciphers-common.sh
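Review bot: In cipher_test (tests/slow/cipher-openssl-compat.c) the OpenSSL check compares `dec_data` with `orig_plain_data`, but `dec_data` still holds the plaintext written by the earlier gnutls_aead_cipher_decrypt call, so the memcmp can pass on stale data even if the OpenSSL path produced nothing; add `memset(dec_data, 0, sizeof(dec_data));` before `EVP_CipherInit_ex`. Every call that carries the interoperability check, including `EVP_CipherFinal_ex` where the GCM tag is verified, sits inside `assert()`, so a build with NDEBUG would drop the calls themselves; storing the result in `ret` and calling `fail()`, as is already done for gnutls_aead_cipher_decrypt, keeps the tag verification in every build. The return value of `EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, ...)` is ignored, and the context holding the key schedule is never released with `EVP_CIPHER_CTX_cleanup(&ctx)`. The header comment mentions CHACHA20, while doit() only exercises the two AES-GCM ciphers.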
@@ -1,5 +1,3 @@ -#!/bin/sh - # Copyright (C) 2014 Red Hat, Inc. # # Author: Nikos Mavrogiannopoulos @@ -20,7 +18,6 @@ # along with GnuTLS; if not, write to the Free Software Foundation, # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -PROG=./cipher-test${EXEEXT} unset RETCODE if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" diff --git a/tests/slow/test-ciphers-openssl.sh b/tests/slow/test-ciphers-openssl.sh new file mode 100755 index 0000000000..b025fcc600 --- /dev/null +++ b/tests/slow/test-ciphers-openssl.sh @@ -0,0 +1,27 @@ +#!/bin/sh + +# Copyright (C) 2016 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +PROG=./cipher-openssl-compat${EXEEXT} + +. "${srcdir}/test-ciphers-common.sh" + diff --git a/tests/slow/test-ciphers.sh b/tests/slow/test-ciphers.sh new file mode 100755 index 0000000000..abc020be6b --- /dev/null +++ b/tests/slow/test-ciphers.sh 
@@ -0,0 +1,27 @@ +#!/bin/sh + +# Copyright (C) 2014 Red Hat, Inc. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +PROG=./cipher-test${EXEEXT} + +. "${srcdir}/test-ciphers-common.sh" + |