From 3ffcff8ddf994e94c6c9c693be0a520ea825fa91 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 30 May 2017 10:59:53 +0200 Subject: tests: modify tests to allow signatures with SHA1 There were several tests that were utilizing SHA1 signatures but were not failing due to the bug in gnutls_pubkey_verify_hash2(). Signed-off-by: Nikos Mavrogiannopoulos --- tests/client_dsa_key.c | 1 + tests/openpgpself.c | 7 +++++-- tests/suite/testcompat-main-openssl | 4 ++-- tests/suite/tls-fuzzer/tls-fuzzer-cert.sh | 4 ++-- tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh | 4 ++-- tests/x509sign-verify-common.h | 16 +++++++++------- tests/x509sign-verify.c | 15 ++++++++------- 7 files changed, 29 insertions(+), 22 deletions(-) diff --git a/tests/client_dsa_key.c b/tests/client_dsa_key.c index a1bfb85f3e..eb2794ea81 100644 --- a/tests/client_dsa_key.c +++ b/tests/client_dsa_key.c @@ -84,6 +84,7 @@ void doit(void) /* test gnutls_certificate_flags() */ gnutls_certificate_allocate_credentials(&serv_cred); gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH); + gnutls_certificate_set_verify_flags(serv_cred, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1); ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); if (ret < 0) diff --git a/tests/openpgpself.c b/tests/openpgpself.c index d255a80704..22b2e183c0 100644 --- a/tests/openpgpself.c +++ b/tests/openpgpself.c @@ -174,7 +174,7 @@ static void client(int sds[]) /* Use default priorities */ gnutls_priority_set_direct(session, - "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL); + "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256:%VERIFY_ALLOW_SIGN_WITH_SHA1", NULL); /* put the x509 credentials to the current session */ @@ -182,6 +182,7 @@ static void client(int sds[]) xcred); gnutls_transport_set_int(session, sd); + gnutls_handshake_set_timeout(session, 20 * 1000); /* Perform the TLS handshake */ 
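Review bot: The added `gnutls_certificate_set_verify_flags(serv_cred, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1);` in doit() of tests/client_dsa_key.c relaxes signature verification on the server credentials without a comment saying why. Test setup like this gets copied into applications, so I would put `/* test-only: the DSA client key used here signs with SHA1 */` above the call (presumably that is the reason; confirm against the test's key material). This setter also assigns the credential's verify flags rather than OR-ing into them, which is harmless here only because serv_cred was allocated two lines earlier. doit() starts and ends outside the hunk.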
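Review bot: The result of `gnutls_priority_set_direct()` in client() of tests/openpgpself.c (hunk at -174) is still discarded, although the call now depends on the `%VERIFY_ALLOW_SIGN_WITH_SHA1` keyword being accepted. If the string is rejected, the test would presumably continue with other priorities and fail later with an unrelated-looking handshake error. I would check it, e.g. `if (gnutls_priority_set_direct(session, "NORMAL:...:%VERIFY_ALLOW_SIGN_WITH_SHA1", NULL) < 0) fail("cannot set priorities\n");`, and do the same in initialize_tls_session() (hunk at -258). While touching the line, the duplicated `+DHE-DSS:+DHE-DSS` and the comment "Use default priorities" above it no longer describe what is set. client() extends beyond the hunk.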
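Review bot: `gnutls_handshake_set_timeout(session, 20 * 1000);` in client() (hunk at -182) is not covered by the commit message, which only talks about allowing SHA1 signatures, and the constant is unexplained; the same line is added to server() in the hunk at -517. If the timeout is there so that a handshake rejected by the stricter verification cannot hang the test, say so in a comment such as `/* do not hang if the peer aborts the handshake */`. A shared constant would also help, e.g. `#define HANDSHAKE_TIMEOUT_MS (20 * 1000)` used in both places. Both functions start and end outside their hunks.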
@@ -258,7 +259,7 @@ static gnutls_session_t initialize_tls_session(void) /* avoid calling all the priority functions, since the defaults * are adequate. */ - gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256", NULL); + gnutls_priority_set_direct(session, "NORMAL:+CTYPE-OPENPGP:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256:%VERIFY_ALLOW_SIGN_WITH_SHA1", NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, pgp_cred); @@ -517,6 +518,8 @@ static void server(int sds[]) session = initialize_tls_session(); gnutls_transport_set_int(session, sd); + gnutls_handshake_set_timeout(session, 20 * 1000); + ret = gnutls_handshake(session); if (ret < 0) { close(sd); diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index 28461de569..6845642021 100755 --- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl @@ -302,7 +302,7 @@ run_client_suite() { if test "${NO_DSS}" != 1; then echo "${PREFIX}Checking TLS 1.2 with DHE-DSS..." - ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-DSA-SHA256${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" /dev/null || \ fail ${PID} "Failed" fi 
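Review bot: `%VERIFY_ALLOW_SIGN_WITH_SHA1` is spliced into a different position of the priority string in every script this commit touches. It sits after `+SIGN-DSA-SHA1` here in run_client_suite, after `+CIPHER-ALL` in run_server_suite, after `+ARCFOUR-128` in tls-fuzzer-cert.sh and after `NORMAL` in tls-fuzzer-nocert.sh. As far as I know the position of a `%` keyword does not change its effect, so a fixed place directly after the base keyword would make the relaxation easy to grep for and remove once the SHA1 test keys are retired. This client call already passes `--insecure`, so a one-line comment saying which verification the keyword is needed for (presumably the DSA-SHA1 handshake signature; confirm) would save the next reader the investigation.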
@@ -650,7 +650,7 @@ run_server_suite() { if test "${NO_DSS}" != 1; then echo "${PREFIX}Check TLS 1.2 with DHE-DSS ciphersuite" eval "${GETPORT}" - launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}" + launch_server $$ --priority "NONE:+CIPHER-ALL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-DSS:+SIGN-DSA-SHA1:+SIGN-DSA-SHA256${ADD}" --x509certfile "${SERV_DSA_CERT}" --x509keyfile "${SERV_DSA_KEY}" --dhparams "${DH_PARAMS}" PID=$! wait_server ${PID} diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh index dc6280eef9..30cfe25c38 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh @@ -49,10 +49,10 @@ wait_for_free_port $PORT retval=0 -PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0" +PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0" ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1 if test $? != 0;then - PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0" + PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0" fi TLS_PY=./tlslite-ng/scripts/tls.py diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh index 8231b9c2c5..62d75344f7 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh 
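Review bot: The relaxed keyword is now repeated in both `PRIORITY=` assignments of tests/suite/tls-fuzzer/tls-fuzzer-cert.sh and again in both assignments of tls-fuzzer-nocert.sh, so removing the SHA1 allowance later means editing four near-identical strings. I would define the common part once, `BASE="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1"`, then `PRIORITY="${BASE}:-CURVE-SECP192R1:+VERS-SSL3.0"` with the fallback `PRIORITY="${BASE}:+VERS-SSL3.0"`. The fallback string is also never probed with `${CLI} --list`, so a `${CLI}` that rejects the keyword itself would only surface later in the fuzzer run. A second probe after the fallback would make that failure explicit.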
@@ -49,10 +49,10 @@ wait_for_free_port $PORT retval=0 -PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0" +PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0" ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1 if test $? != 0;then - PRIORITY="NORMAL:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0" + PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0" fi TLS_PY=./tlslite-ng/scripts/tls.py diff --git a/tests/x509sign-verify-common.h b/tests/x509sign-verify-common.h index 1aaf3dce65..9f87229403 100644 --- a/tests/x509sign-verify-common.h +++ b/tests/x509sign-verify-common.h @@ -71,10 +71,12 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits) const gnutls_datum_t *hash_data; int ret; unsigned j; + unsigned vflags = 0; - if (hash == GNUTLS_DIG_SHA1) + if (hash == GNUTLS_DIG_SHA1) { hash_data = &sha1_data; - else if (hash == GNUTLS_DIG_SHA256) + vflags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1; + } else if (hash == GNUTLS_DIG_SHA256) hash_data = &sha256_data; else abort(); @@ -108,7 +110,7 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits) ret = gnutls_pubkey_verify_hash2(pubkey, - sign_algo, 0, + sign_algo, vflags, hash_data, &signature); if (ret < 0) { print_keys(privkey, pubkey); @@ -118,7 +120,7 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits) /* should fail */ ret = gnutls_pubkey_verify_hash2(pubkey, - sign_algo, 0, + sign_algo, vflags, &invalid_hash_data, &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { 
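Review bot: After this change test_sig() in tests/x509sign-verify-common.h never calls `gnutls_pubkey_verify_hash2()` on a SHA1 signature without `GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1`, so the rejection path whose bug let these tests pass unnoticed remains untested. Assuming the fixed function refuses SHA1 when the flag is absent, I would add a negative check after the first successful verify: `if (hash == GNUTLS_DIG_SHA1) { ret = gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, hash_data, &signature); if (ret >= 0) ERR; }`. That would catch a regression in the flag handling instead of it being masked again. The `vflags` introduced in the hunk at -71 is reused in the hunks at -108, -118, -131 and -168. test_sig() starts and ends outside all of them.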
@@ -131,14 +133,14 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits) (pubkey, NULL), hash); ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, + gnutls_pubkey_verify_hash2(pubkey, sign_algo, vflags, hash_data, &signature); if (ret < 0) ERR; /* should fail */ ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, + gnutls_pubkey_verify_hash2(pubkey, sign_algo, vflags, &invalid_hash_data, &signature); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) { @@ -168,7 +170,7 @@ void test_sig(gnutls_pk_algorithm_t pk, unsigned hash, unsigned bits) ret = gnutls_pubkey_verify_hash2(pubkey, sign_algo, - GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, + vflags|GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA, hash_data, &signature); if (ret < 0) { diff --git a/tests/x509sign-verify.c b/tests/x509sign-verify.c index c945bdee35..69b004f427 100644 --- a/tests/x509sign-verify.c +++ b/tests/x509sign-verify.c @@ -209,22 +209,23 @@ void doit(void) testfail("gnutls_x509_pubkey_import\n"); ret = - gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, hash_data, + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, &signature); if (ret < 0) testfail("gnutls_x509_pubkey_verify_hash2\n"); ret = - gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, hash_data, + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, &signature2); if (ret < 0) testfail("gnutls_x509_pubkey_verify_hash-1 (hashed data)\n"); /* should fail */ ret = - gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, 0, - invalid_hash_data, - &signature2); + gnutls_pubkey_verify_hash2(pubkey, tests[i].sigalgo, + GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, + invalid_hash_data, + &signature2); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) testfail("gnutls_x509_pubkey_verify_hash-2 (hashed data)\n"); 
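Review bot: In doit() of tests/x509sign-verify.c `GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1` is passed unconditionally to every `gnutls_pubkey_verify_hash2()` call (hunk at -209 and again at -233), whereas x509sign-verify-common.h sets it only when the digest is SHA1. If `tests[]` also holds non-SHA1 entries, they now run with relaxed verification for no reason. I would derive the flag per entry, `unsigned vflags = tests[i].digest == GNUTLS_DIG_SHA1 ? GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 : 0;` (assuming `tests[i].digest` holds the digest algorithm, as its use in the -233 hunk suggests), and pass `vflags` in all five calls. The third call in the -209 hunk is also re-wrapped with different continuation indentation from the two calls above it. doit() starts and ends outside both hunks.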
@@ -233,14 +234,14 @@ void doit(void) (pubkey, NULL), tests[i].digest); ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, + gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, hash_data, &signature2); if (ret < 0) testfail("gnutls_x509_pubkey_verify_hash2-1 (hashed data)\n"); /* should fail */ ret = - gnutls_pubkey_verify_hash2(pubkey, sign_algo, 0, + gnutls_pubkey_verify_hash2(pubkey, sign_algo, GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1, invalid_hash_data, &signature2); if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) -- cgit v1.2.1