diff options
| -rw-r--r-- | configure.ac | 6 | ||||
| -rw-r--r-- | tests/Makefile.am | 3 | ||||
| -rw-r--r-- | tests/key-tests/Makefile.am | 8 | ||||
| -rw-r--r-- | tests/key-tests/data/key-illegal.pem | 97 | ||||
| -rw-r--r-- | tests/key-tests/data/p8key-illegal.pem | 17 | ||||
| -rwxr-xr-x | tests/key-tests/illegal-rsa | 50 | ||||
| -rw-r--r-- | tests/rsa-illegal-import.c | 167 |
7 files changed, 345 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac index d933ff5de4..0ba22300e0 100644 --- a/configure.ac +++ b/configure.ac @@ -456,6 +456,12 @@ AC_ARG_WITH(idn, AS_HELP_STRING([--without-idn], try_libidn="$withval", try_libidn=yes) +with_old_nettle=no +if ! $PKG_CONFIG --atleast-version=3.3 nettle; then + with_old_nettle=yes +fi +AM_CONDITIONAL(WITH_OLD_NETTLE, test "$with_old_nettle" != "no") + if test "$try_libidn" = yes;then PKG_CHECK_MODULES(LIBIDN, libidn >= 0.5.6, [with_libidn=yes], [with_libidn=no]) if test "$with_libidn" != "no";then diff --git a/tests/Makefile.am b/tests/Makefile.am index c0dfa4e028..6aff107146 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -112,7 +112,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \ set_x509_key_file_ocsp client-fastopen rng-sigint srp \ safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \ - safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 + safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \ + rsa-illegal-import if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp diff --git a/tests/key-tests/Makefile.am b/tests/key-tests/Makefile.am index a61a65d198..ad48712711 100644 --- a/tests/key-tests/Makefile.am +++ b/tests/key-tests/Makefile.am @@ -28,12 +28,16 @@ EXTRA_DIST = README data/key-ca.pem data/key-user.pem \ data/openssl-aes128.p8.txt data/openssl-aes256.p8 data/openssl-aes256.p8.txt \ data/cert.dsa.1024.pem data/cert.dsa.2048.pem data/cert.dsa.3072.pem \ data/dsa.1024.pem data/dsa.2048.pem data/dsa.3072.pem data/dsa-pubkey-1018.pem \ - data/bad-key.pem + data/bad-key.pem data/p8key-illegal.pem data/key-illegal.pem -dist_check_SCRIPTS = key-id pkcs8 pkcs8-decode dsa ecdsa +dist_check_SCRIPTS = key-id pkcs8 pkcs8-decode dsa ecdsa illegal-rsa TESTS = key-id pkcs8 pkcs8-decode ecdsa +if !WITH_OLD_NETTLE +TESTS += illegal-rsa +endif + if !WINDOWS TESTS += dsa endif diff --git a/tests/key-tests/data/key-illegal.pem b/tests/key-tests/data/key-illegal.pem new file mode 100644 index 0000000000..75c7679d03 --- /dev/null +++ b/tests/key-tests/data/key-illegal.pem @@ -0,0 +1,97 @@ +Public Key Info: + Public Key Algorithm: RSA + Key Security Level: Low (1024 bits) + +modulus: + 00:a9:4e:b1:2b:17:a2:9e:1d:f6:92:05:f4:17:2e:4c + 36:02:4a:ed:78:41:5c:6b:f8:db:5a:4d:92:d1:d7:f9 + 71:1a:ec:b8:2f:91:9e:ba:47:9e:4e:29:ac:92:12:55 + 06:73:17:eb:39:aa:0c:ee:96:f4:5a:30:3d:2f:9e:50 + 83:28:f8:c3:81:12:e4:17:28:93:de:95:b9:25:92:6a + 4c:a8:88:2d:00:70:cf:aa:ea:95:03:bb:51:65:aa:7a + d7:3f:82:5f:52:1d:3a:bf:bd:7e:42:0d:b0:39:37:17 + 3d:1c:92:e4:3d:7e:57:97:7c:00:d7:63:c0:62:6a:da + ba: + +public exponent: + 01:00:01: + +private exponent: + 04:c8:d0:80:e3:3e:19:31:c7:92:00:d1:11:06:a1:e8 + b4:cf:e1:3e:10:ba:c7:e2:54:70:8c:d8:a5:4d:71:23 + 1d:1b:ab:68:cc:b8:ab:92:f2:8a:4a:eb:31:85:8b:19 + 8f:8f:11:7a:a3:af:91:de:7a:31:42:43:b8:60:c4:ed + a4:2a:86:ca:c3:9d:38:13:9e:86:07:ed:d1:52:63:a6 + 9c:52:e7:23:e4:5e:b2:7a:2a:dc:16:d8:78:95:19:28 + d3:d1:ca:67:91:5d:d6:78:2c:b4:f5:37:e4:6b:1e:91 + 43:2a:f2:f6:87:0e:b4:73:95:ec:9d:a7:e6:79:94:c1 + + +prime1: + 00:cf:fd:cc:ba:f0:9b:7b:b4:c6:53:a1:04:0b:86:c7 + 5d:ca:84:06:fb:62:62:5b:3d:cf:4f:d3:fd:77:95:9d + 90:ca:b3:39:8b:7a:00:36:76:9b:c1:e9:98:c7:2f:df + 62:d0:1e:da:e2:4b:1c:bb:26:a5:d6:de:e4:a7:a3:09 + 04: + +prime2: + 00:d0:63:0e:5e:f5:7f:f1:09:d6:29:4d:bf:6f:2a:77 + 1d:50:d0:3f:9e:d5:ab:f3:37:ec:18:4c:6f:1a:19:0c + 01:c2:68:8c:fb:bf:c9:36:0f:b5:01:41:d4:de:89:4b + 26:ea:01:49:d7:e1:3a:60:29:e6:4f:17:4f:45:5b:8d + e9: + +coefficient: + 12:67:c7:6f:f1:53:5c:46:de:2b:a8:5e:cb:99:0e:43 + c6:b2:ec:bc:73:0a:f1:0c:7e:8a:80:ba:47:05:0a:a7 + 2f:aa:2f:8e:41:0a:bb:8c:f8:da:4b:bd:ea:21:56:6d + 3d:0a:06:b5:78:fc:44:53:00:ef:8e:6d:f2:f6:b1:51 + + +exp1: + 00:ac:e7:b2:47:95:ef:f9:1e:d5:28:e1:f5:d4:4e:8b + c3:93:6b:b2:cc:8b:5f:bb:9d:e9:15:75:9c:7d:3c:39 + e8:ce:2c:40:d2:81:09:54:25:1d:f4:69:93:24:c5:50 + 25:c2:bf:b2:15:19:bd:31:b0:c3:46:c3:5d:e8:67:92 + d4: + +exp2: + 1b:45:ab:7e:d0:00:63:8a:57:05:e6:cf:f3:fb:89:c5 + 43:6b:4d:b8:3a:dc:9b:23:29:79:f0:9e:e5:ba:7b:70 + cb:81:a5:59:d9:3a:bb:21:89:1d:d6:00:c6:f3:0e:eb + d3:da:41:50:c8:80:3c:4f:9f:7d:a0:5e:56:84:69:e9 + + + +Public Key ID: 23:91:CE:75:3C:67:B5:29:2B:D9:F4:4E:3B:0A:40:4B:61:1D:2C:1A +Public key's random art: ++--[ RSA 1024]----+ +| oo.. . | +| Eo.oo . o | +| oo+.+ = o | +| o.= o B + | +| + S o o o | +| . o . o . | +| . + | +| . . . | +| . | ++-----------------+ + + +** Private key parameters validation failed ** + +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCpTrErF6KeHfaSBfQXLkw2AkrteEFca/jbWk2S0df5cRrsuC+R +nrpHnk4prJISVQZzF+s5qgzulvRaMD0vnlCDKPjDgRLkFyiT3pW5JZJqTKiILQBw +z6rqlQO7UWWqetc/gl9SHTq/vX5CDbA5Nxc9HJLkPX5Xl3wA12PAYmraugIDAQAB +AoGABMjQgOM+GTHHkgDREQah6LTP4T4QusfiVHCM2KVNcSMdG6tozLirkvKKSusx +hYsZj48ReqOvkd56MUJDuGDE7aQqhsrDnTgTnoYH7dFSY6acUucj5F6yeircFth4 +lRko09HKZ5Fd1ngstPU35GsekUMq8vaHDrRzleydp+Z5lMECQQDP/cy68Jt7tMZT +oQQLhsddyoQG+2JiWz3PT9P9d5WdkMqzOYt6ADZ2m8HpmMcv32LQHtriSxy7JqXW +3uSnowkEAkEA0GMOXvV/8QnWKU2/byp3HVDQP57Vq/M37BhMbxoZDAHCaIz7v8k2 +D7UBQdTeiUsm6gFJ1+E6YCnmTxdPRVuN6QJBALLLOQAGL5Jy/v4K7yA9dwpgOYiK +9rMYPhUFSXWdI+cz/Zt9vzFcF3V0RYhaRfgYLqg7retTqFoVSgBg0OxuUSMCQBtF +q37QAGOKVwXmz/P7icVDa024OtybIyl58J7luntwy4GlWdk6uyGJHdYAxvMO69Pa +QVDIgDxPn32gXlaEaekCQQCVhXc3zc+VX3nM4iCpXhlET2N75ULzsR+r6CdvtwSB +vXMBcuCE1aJHZDxqRx8XFZDZl+Ij/jrBMmtI15ebDuzH +-----END RSA PRIVATE KEY----- diff --git a/tests/key-tests/data/p8key-illegal.pem b/tests/key-tests/data/p8key-illegal.pem new file mode 100644 index 0000000000..a247c3c944 --- /dev/null +++ b/tests/key-tests/data/p8key-illegal.pem @@ -0,0 +1,17 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIICojAcBgoqhkiG9w0BDAEDMA4ECDxZ1/EW+8XWAgIUYASCAoBR6R3Z341vSRvs +/LMErKcKkAQ3THTZBpmYgR2mrJUjJBivzOuRTCRpgtjuQ4ht2Q7KV943mJXsqAFI +Jly5fuVQ5YmRGLW+LE5sv+AGwmsii/PvGfGa9al56tHLDSeXV2VH4fly45bQ7ipr +PZBiEgBToF/jqDFWleH2GTCnSLpc4B2cKkMO2c5RYrCCGNRK/jr1xVUDVzeiXZwE +dbdDaV2UG/Oeo7F48UmvuWgS9YSFSUJ4fKG1KLlAQMKtAQKX+B4oL6Jbeb1jwSCX +Q1H9hHXHTXbPGaIncPugotZNArwwrhesTszFE4NFMbg3QNKL1fabJJFIcOYIktwL +7HG3pSiU2rqUZgS59OMJgL4jJm1lipo8ruNIl/YCpZTombOAV2Wbvq/I0SbRRXbX +12lco8bQO1dgSkhhe58Vrs+ChaNajtNi8SjLS+Pi1tYYAVQjcQdxCGh4q8aZUhDv +5yRp/TUOMaZqkY6YzRAlERb9jzVeh97EsOURzLu8pQgVjcNDOUAZF67KSqlSGMh7 +PdqknM/j8KaWmVMAUn4+PuWohkyjd1/1QhCnEtFZ1lbIfWrKXV76U7zyy0OTvFKw +qemHUbryOJu0dQHziWmdtJpS7abSuhoMnrByZD+jDfQoSX7BzmdmCQGinltITYY1 +3iChqWC7jY02CiKZqTcdwkImvmDtDYOBr0uQSgBa4eh7nYmmcpdY4I6V5qAdo30w +oXNEMqM53Syx36Fp70/Vmy0KmK8+2T4UgxGVJEgTDsEhiwJtTXxdzgxc5npbTePa +abhFyIXIpqoUYZ9GPU8UjNEuF//wPY6klBp6VP0ixO6RqQKzbwr85EXbzoceBrLo +eng1/Czj +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/key-tests/illegal-rsa b/tests/key-tests/illegal-rsa new file mode 100755 index 0000000000..6e7aeb80aa --- /dev/null +++ b/tests/key-tests/illegal-rsa @@ -0,0 +1,50 @@ +#!/bin/sh + +# Copyright (C) 2016 Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +srcdir="${srcdir:-.}" +CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" +GREP="${GREP:-grep}" + +TMPFILE=tmp-key.$$.p8 + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1" +fi + +${VALGRIND} "${CERTTOOL}" -k --password 1234 --infile "${srcdir}/data/p8key-illegal.pem" 2>/dev/null +rc=$? +# We're done. +if test "${rc}" != "1"; then + echo "Error in importing illegal PKCS#8 key" + exit ${rc} +fi + +#check invalid RSA pem key. The key has even prime factor. +${VALGRIND} "${CERTTOOL}" -k --infile "${srcdir}/data/key-illegal.pem" 2>/dev/null +rc=$? +# We're done. +if test "${rc}" != "1"; then + echo "Error in importing illegal RSA key" + exit ${rc} +fi + +rm -f $TMPFILE + +exit 0 diff --git a/tests/rsa-illegal-import.c b/tests/rsa-illegal-import.c new file mode 100644 index 0000000000..009b291929 --- /dev/null +++ b/tests/rsa-illegal-import.c @@ -0,0 +1,167 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdarg.h> +#include <stdlib.h> +#include <string.h> +#include <utils.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <gnutls/abstract.h> +#include <nettle/version.h> + +/* Checks whether the output of the import functions is the expected one, + * on illegal key input */ + +static unsigned char rsa_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXQIBAAKBgQCpTrErF6KeHfaSBfQXLkw2AkrteEFca/jbWk2S0df5cRrsuC+R\n" + "nrpHnk4prJISVQZzF+s5qgzulvRaMD0vnlCDKPjDgRLkFyiT3pW5JZJqTKiILQBw\n" + "z6rqlQO7UWWqetc/gl9SHTq/vX5CDbA5Nxc9HJLkPX5Xl3wA12PAYmraugIDAQAB\n" + "AoGABMjQgOM+GTHHkgDREQah6LTP4T4QusfiVHCM2KVNcSMdG6tozLirkvKKSusx\n" + "hYsZj48ReqOvkd56MUJDuGDE7aQqhsrDnTgTnoYH7dFSY6acUucj5F6yeircFth4\n" + "lRko09HKZ5Fd1ngstPU35GsekUMq8vaHDrRzleydp+Z5lMECQQDP/cy68Jt7tMZT\n" + "oQQLhsddyoQG+2JiWz3PT9P9d5WdkMqzOYt6ADZ2m8HpmMcv32LQHtriSxy7JqXW\n" + "3uSnowkEAkEA0GMOXvV/8QnWKU2/byp3HVDQP57Vq/M37BhMbxoZDAHCaIz7v8k2\n" + "D7UBQdTeiUsm6gFJ1+E6YCnmTxdPRVuN6QJBALLLOQAGL5Jy/v4K7yA9dwpgOYiK\n" + "9rMYPhUFSXWdI+cz/Zt9vzFcF3V0RYhaRfgYLqg7retTqFoVSgBg0OxuUSMCQBtF\n" + "q37QAGOKVwXmz/P7icVDa024OtybIyl58J7luntwy4GlWdk6uyGJHdYAxvMO69Pa\n" + "QVDIgDxPn32gXlaEaekCQQCVhXc3zc+VX3nM4iCpXhlET2N75ULzsR+r6CdvtwSB\n" + "vXMBcuCE1aJHZDxqRx8XFZDZl+Ij/jrBMmtI15ebDuzH\n" + "-----END RSA PRIVATE KEY-----\n"; + +const gnutls_datum_t rsa_key = { rsa_key_pem, + sizeof(rsa_key_pem)-1 +}; + +static unsigned char p8_rsa_pem[] = + "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + "MIICojAcBgoqhkiG9w0BDAEDMA4ECDxZ1/EW+8XWAgIUYASCAoBR6R3Z341vSRvs\n" + "/LMErKcKkAQ3THTZBpmYgR2mrJUjJBivzOuRTCRpgtjuQ4ht2Q7KV943mJXsqAFI\n" + "Jly5fuVQ5YmRGLW+LE5sv+AGwmsii/PvGfGa9al56tHLDSeXV2VH4fly45bQ7ipr\n" + "PZBiEgBToF/jqDFWleH2GTCnSLpc4B2cKkMO2c5RYrCCGNRK/jr1xVUDVzeiXZwE\n" + "dbdDaV2UG/Oeo7F48UmvuWgS9YSFSUJ4fKG1KLlAQMKtAQKX+B4oL6Jbeb1jwSCX\n" + "Q1H9hHXHTXbPGaIncPugotZNArwwrhesTszFE4NFMbg3QNKL1fabJJFIcOYIktwL\n" + "7HG3pSiU2rqUZgS59OMJgL4jJm1lipo8ruNIl/YCpZTombOAV2Wbvq/I0SbRRXbX\n" + "12lco8bQO1dgSkhhe58Vrs+ChaNajtNi8SjLS+Pi1tYYAVQjcQdxCGh4q8aZUhDv\n" + "5yRp/TUOMaZqkY6YzRAlERb9jzVeh97EsOURzLu8pQgVjcNDOUAZF67KSqlSGMh7\n" + "PdqknM/j8KaWmVMAUn4+PuWohkyjd1/1QhCnEtFZ1lbIfWrKXV76U7zyy0OTvFKw\n" + "qemHUbryOJu0dQHziWmdtJpS7abSuhoMnrByZD+jDfQoSX7BzmdmCQGinltITYY1\n" + "3iChqWC7jY02CiKZqTcdwkImvmDtDYOBr0uQSgBa4eh7nYmmcpdY4I6V5qAdo30w\n" + "oXNEMqM53Syx36Fp70/Vmy0KmK8+2T4UgxGVJEgTDsEhiwJtTXxdzgxc5npbTePa\n" + "abhFyIXIpqoUYZ9GPU8UjNEuF//wPY6klBp6VP0ixO6RqQKzbwr85EXbzoceBrLo\n" + "eng1/Czj\n" + "-----END ENCRYPTED PRIVATE KEY-----\n"; + +const gnutls_datum_t p8_rsa_key = { p8_rsa_pem, + sizeof(p8_rsa_pem)-1 +}; + +static +int check_x509_privkey(void) +{ + gnutls_x509_privkey_t key; + int ret; + + global_init(); + + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) + fail("error: %s\n", gnutls_strerror(ret)); + + ret = gnutls_x509_privkey_import(key, &rsa_key, GNUTLS_X509_FMT_PEM); + if (ret != GNUTLS_E_ILLEGAL_PARAMETER) + fail("error: %s\n", gnutls_strerror(ret)); + + gnutls_x509_privkey_deinit(key); + + return 0; +} + +static +int check_pkcs8_privkey1(void) +{ + gnutls_x509_privkey_t key; + int ret; + + global_init(); + + ret = gnutls_x509_privkey_init(&key); + if (ret < 0) + fail("error: %s\n", gnutls_strerror(ret)); + + ret = gnutls_x509_privkey_import_pkcs8(key, &p8_rsa_key, GNUTLS_X509_FMT_PEM, "1234", 0); + if (ret != GNUTLS_E_ILLEGAL_PARAMETER) + fail("error: %s\n", gnutls_strerror(ret)); + + gnutls_x509_privkey_deinit(key); + + return 0; +} + +static +int check_pkcs8_privkey2(void) +{ + gnutls_privkey_t key; + int ret; + + global_init(); + + ret = gnutls_privkey_init(&key); + if (ret < 0) + fail("error: %s\n", gnutls_strerror(ret)); + + ret = gnutls_privkey_import_x509_raw(key, &p8_rsa_key, GNUTLS_X509_FMT_PEM, "1234", 0); + if (ret != GNUTLS_E_ILLEGAL_PARAMETER) + fail("error: %s\n", gnutls_strerror(ret)); + + gnutls_privkey_deinit(key); + + return 0; +} + +void doit(void) +{ +#if NETTLE_VERSION_MAJOR < 3 || (NETTLE_VERSION_MAJOR == 3 && NETTLE_VERSION_MINOR <= 2) + /* These checks are enforced only on new versions of nettle */ + exit(77); +#else + if (check_x509_privkey() != 0) { + fail("error in privkey check\n"); + exit(1); + } + + if (check_pkcs8_privkey1() != 0) { + fail("error in pkcs8 privkey check 1\n"); + exit(1); + } + + if (check_pkcs8_privkey2() != 0) { + fail("error in pkcs8 privkey check 2\n"); + exit(1); + } +#endif +} |