summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--README.md4
-rw-r--r--configure.ac6
-rw-r--r--tests/slow/Makefile.am13
-rw-r--r--tests/slow/cipher-openssl-compat.c117
-rw-r--r--[-rwxr-xr-x]tests/slow/test-ciphers-common.sh (renamed from tests/slow/test-ciphers)3
-rwxr-xr-xtests/slow/test-ciphers-openssl.sh27
-rwxr-xr-xtests/slow/test-ciphers.sh27
8 files changed, 191 insertions, 7 deletions
diff --git a/.gitignore b/.gitignore
index eb3251f369..136127b23a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -873,3 +873,4 @@ tests/pkcs11/pkcs11-pubkey-import-ecdsa
tests/pkcs11/pkcs11-pubkey-import-rsa
tests/softhsm-*.db/
tests/status-request-missing
+tests/slow/cipher-openssl-compat
diff --git a/README.md b/README.md
index 8fea08d053..2faa19bd0b 100644
--- a/README.md
+++ b/README.md
@@ -77,13 +77,13 @@ and polarssl.
Debian/Ubuntu:
```
-apt-get install -y valgrind libasan1 nodejs softhsm datefudge lcov
+apt-get install -y valgrind libasan1 nodejs softhsm datefudge lcov libssl-dev
apt-get install -y dieharder libpolarssl-runtime openssl abi-compliance-checker
```
Fedora/RHEL:
```
-yum install -y valgrind libasan nodejs softhsm datefudge lcov
+yum install -y valgrind libasan nodejs softhsm datefudge lcov openssl-devel
yum install -y dieharder mbedtls-utils openssl abi-compliance-checker
```
diff --git a/configure.ac b/configure.ac
index b6653d1c37..226fd7432f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -255,6 +255,12 @@ AM_CONDITIONAL(HAVE_SECCOMP_TESTS, test "$seccomp_tests" = "yes")
AC_LIB_HAVE_LINKFLAGS(seccomp,, [#include <seccomp.h>
], [seccomp_init(0);])
+# check for libcrypto - used in test programs
+AC_LIB_HAVE_LINKFLAGS(crypto,, [#include <openssl/evp.h>
+], [EVP_CIPHER_CTX_init(NULL);])
+
+AM_CONDITIONAL(HAVE_LIBCRYPTO, test "$HAVE_LIBCRYPTO" = "yes")
+
AC_LIB_HAVE_LINKFLAGS(rt,, [#include <time.h>
#include <signal.h>
], [timer_create (0,0,0);])
diff --git a/tests/slow/Makefile.am b/tests/slow/Makefile.am
index 302b9067ba..0582b52664 100644
--- a/tests/slow/Makefile.am
+++ b/tests/slow/Makefile.am
@@ -47,9 +47,18 @@ cipher_override_LDFLAGS = $(NETTLE_LIBS) $(HOGWEED_LIBS) $(GMP_LIBS) $(LDADD)
mac_override_LDFLAGS = $(NETTLE_LIBS) $(HOGWEED_LIBS) $(GMP_LIBS) $(LDADD)
endif
-dist_check_SCRIPTS = test-ciphers override-ciphers test-hash-large
+
+dist_check_SCRIPTS = test-ciphers.sh override-ciphers test-hash-large test-ciphers-common.sh
check_PROGRAMS = $(ctests) cipher-test cipher-override mac-override cipher-override2 hash-large
-TESTS = $(ctests) test-ciphers override-ciphers test-hash-large
+TESTS = $(ctests) test-ciphers.sh override-ciphers test-hash-large
+
+if HAVE_LIBCRYPTO
+cipher_openssl_compat_LDFLAGS = $(LDADD) $(LIBCRYPTO)
+
+dist_check_SCRIPTS += test-ciphers-openssl.sh
+check_PROGRAMS += cipher-openssl-compat
+TESTS += test-ciphers-openssl.sh
+endif
EXTRA_DIST = README
diff --git a/tests/slow/cipher-openssl-compat.c b/tests/slow/cipher-openssl-compat.c
new file mode 100644
index 0000000000..e2b9b28360
--- /dev/null
+++ b/tests/slow/cipher-openssl-compat.c
@@ -0,0 +1,117 @@
+#include <config.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <utils.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <openssl/evp.h>
+
+/* This does check the AES and CHACHA20 implementations for compatibility
+ * with openssl.
+ */
+
+#define BSIZE (64*1024+12)
+#define B2SIZE (1024+7)
+static unsigned char buffer_auth[B2SIZE];
+static unsigned char orig_plain_data[BSIZE];
+static unsigned char enc_data[BSIZE+32]; /* allow for tag */
+static unsigned char dec_data[BSIZE];
+
+static int cipher_test(const char *ocipher, gnutls_cipher_algorithm_t gcipher, unsigned tag_size)
+{
+ int ret;
+ gnutls_aead_cipher_hd_t hd;
+ gnutls_datum_t dkey, dnonce;
+ unsigned char key[32];
+ unsigned char nonce[32];
+ size_t enc_data_size, dec_data_size;
+ int dec_data_size2;
+ EVP_CIPHER_CTX ctx;
+ const EVP_CIPHER *evp_cipher;
+ unsigned char tag[64];
+
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, orig_plain_data, sizeof(orig_plain_data)) >= 0);
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, buffer_auth, sizeof(buffer_auth)) >= 0);
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, key, sizeof(key)) >= 0);
+ assert(gnutls_rnd(GNUTLS_RND_NONCE, nonce, sizeof(nonce)) >= 0);
+
+ dkey.data = (void*)key;
+ dkey.size = gnutls_cipher_get_key_size(gcipher);
+ assert(gnutls_aead_cipher_init(&hd, gcipher, &dkey) >= 0);
+
+ dnonce.data = (void*)nonce;
+ dnonce.size = gnutls_cipher_get_iv_size(gcipher);
+
+ enc_data_size = sizeof(enc_data);
+ assert(gnutls_aead_cipher_encrypt(hd, dnonce.data, dnonce.size,
+ buffer_auth, sizeof(buffer_auth), tag_size, orig_plain_data, sizeof(orig_plain_data),
+ enc_data, &enc_data_size) >= 0);
+
+ if (debug)
+ success("encrypted %d bytes, to %d\n", (int)sizeof(orig_plain_data), (int)enc_data_size);
+
+ dec_data_size = sizeof(dec_data);
+ ret = gnutls_aead_cipher_decrypt(hd, dnonce.data, dnonce.size,
+ buffer_auth, sizeof(buffer_auth), tag_size, enc_data, enc_data_size,
+ dec_data, &dec_data_size);
+ if (ret < 0) {
+ fail("error in gnutls_aead_cipher_decrypt for %s: %s\n", ocipher, gnutls_strerror(ret));
+ }
+
+ if (dec_data_size != sizeof(orig_plain_data) || memcmp(dec_data, orig_plain_data, sizeof(orig_plain_data)) != 0) {
+ fail("gnutls encrypt-decrypt failed (got: %d, expected: %d)\n", (int)dec_data_size, (int)sizeof(orig_plain_data));
+ }
+
+ gnutls_aead_cipher_deinit(hd);
+
+ /* decrypt with openssl */
+ evp_cipher = EVP_get_cipherbyname(ocipher);
+ if (!evp_cipher)
+ fail("EVP_get_cipherbyname failed for %s\n", ocipher);
+
+ EVP_CIPHER_CTX_init(&ctx);
+ assert(EVP_CipherInit_ex(&ctx, evp_cipher, NULL, key, nonce, 0) > 0);
+
+ EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, tag_size, enc_data+enc_data_size-tag_size);
+
+ dec_data_size2 = sizeof(dec_data);
+ assert(EVP_CipherUpdate(&ctx, NULL, &dec_data_size2, buffer_auth, sizeof(buffer_auth)) > 0);
+ dec_data_size2 = sizeof(dec_data);
+ assert(EVP_CipherUpdate(&ctx, dec_data, &dec_data_size2, enc_data, enc_data_size-tag_size) > 0);
+
+ dec_data_size = dec_data_size2;
+ dec_data_size2 = tag_size;
+ assert(EVP_CipherFinal_ex(&ctx, tag, &dec_data_size2) > 0);
+
+ if (dec_data_size != sizeof(orig_plain_data) || memcmp(dec_data, orig_plain_data, sizeof(orig_plain_data)) != 0) {
+ fail("openssl decrypt failed for %s\n", ocipher);
+ }
+
+ return 0;
+}
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ global_init();
+ OpenSSL_add_all_algorithms();
+
+ /* ciphers */
+ cipher_test("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM, 16);
+ cipher_test("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM, 16);
+
+ gnutls_global_deinit();
+ return;
+}
+
diff --git a/tests/slow/test-ciphers b/tests/slow/test-ciphers-common.sh
index 280f60d066..e5e2d51ac8 100755..100644
--- a/tests/slow/test-ciphers
+++ b/tests/slow/test-ciphers-common.sh
@@ -1,5 +1,3 @@
-#!/bin/sh
-
# Copyright (C) 2014 Red Hat, Inc.
#
# Author: Nikos Mavrogiannopoulos
@@ -20,7 +18,6 @@
# along with GnuTLS; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-PROG=./cipher-test${EXEEXT}
unset RETCODE
if ! test -z "${VALGRIND}"; then
VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}"
diff --git a/tests/slow/test-ciphers-openssl.sh b/tests/slow/test-ciphers-openssl.sh
new file mode 100755
index 0000000000..b025fcc600
--- /dev/null
+++ b/tests/slow/test-ciphers-openssl.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) 2016 Nikos Mavrogiannopoulos
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+PROG=./cipher-openssl-compat${EXEEXT}
+
+. "${srcdir}/test-ciphers-common.sh"
+
diff --git a/tests/slow/test-ciphers.sh b/tests/slow/test-ciphers.sh
new file mode 100755
index 0000000000..abc020be6b
--- /dev/null
+++ b/tests/slow/test-ciphers.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+PROG=./cipher-test${EXEEXT}
+
+. "${srcdir}/test-ciphers-common.sh"
+