diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-11-30 18:30:14 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-11-30 18:43:23 +0100 |
| commit | bdde81f6b1d8b4f12c887b440aad646a0e03c63b (patch) | |
| tree | c6174f1753572e00b9784f8c1c42ece02e65402e /tests | |
| parent | 18ab6ffcb476062379ff46700edf0aaf56c7e240 (diff) | |
| parent | 720fdb1d0dea8c0876772b7f4227d07316fa321c (diff) | |
| download | gnutls-bdde81f6b1d8b4f12c887b440aad646a0e03c63b.tar.gz | |
Merged the FIPS140-2 support code.
Conflicts:
lib/gnutls_global.c
tests/mini-overhead.c
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/Makefile.am | 8 | ||||
| -rwxr-xr-x | tests/cert-tests/aki | 2 | ||||
| -rw-r--r-- | tests/cert-tests/aki-cert.pem | 1 | ||||
| -rw-r--r-- | tests/cert-tests/ca-no-pathlen.pem | 1 | ||||
| -rw-r--r-- | tests/cert-tests/no-ca-or-pathlen.pem | 1 | ||||
| -rwxr-xr-x | tests/cert-tests/pathlen | 4 | ||||
| -rw-r--r-- | tests/cve-2009-1416.c | 5 | ||||
| -rw-r--r-- | tests/fips-test.c | 147 | ||||
| -rw-r--r-- | tests/global-init.c | 113 | ||||
| -rw-r--r-- | tests/mini-overhead.c | 2 | ||||
| -rw-r--r-- | tests/mini-record-2.c | 77 | ||||
| -rw-r--r-- | tests/mini-x509.c | 4 | ||||
| -rw-r--r-- | tests/mini-xssl.c | 9 | ||||
| -rw-r--r-- | tests/mpi.c | 12 | ||||
| -rw-r--r-- | tests/pkcs12-decode/Makefile.am | 2 | ||||
| -rw-r--r-- | tests/pkcs12_encode.c | 9 | ||||
| -rw-r--r-- | tests/pkcs12_simple.c | 6 | ||||
| -rw-r--r-- | tests/priorities.c | 10 | ||||
| -rw-r--r-- | tests/record-sizes.c | 9 | ||||
| -rw-r--r-- | tests/rng-fork.c | 81 | ||||
| -rw-r--r-- | tests/set_pkcs12_cred.c | 7 | ||||
| -rw-r--r-- | tests/slow/Makefile.am | 8 | ||||
| -rw-r--r-- | tests/slow/cipher-test.c | 602 |
23 files changed, 468 insertions, 652 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index ae0a45bd88..b3e141f24b 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -73,16 +73,22 @@ ctests = simple gc set_pkcs12_cred certder certuniqueid \ mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities \ mini-dtls-srtp mini-xssl rsa-encrypt-decrypt mini-loss-time \ mini-record mini-dtls-record mini-handshake-timeout mini-record-range \ - mini-cert-status mini-rsa-psk mini-record-2 + mini-cert-status mini-rsa-psk mini-record-2 global-init + +if ENABLE_FIPS140 +ctests += fips-test +endif if ENABLE_OCSP ctests += ocsp endif if ENABLE_OPENSSL +if !ENABLE_FIPS140 ctests += openssl openssl_LDADD = ../extra/libgnutls-openssl.la $(LDADD) endif +endif mini_xssl_LDADD = $(LDADD) ../lib/libgnutls-xssl.la diff --git a/tests/cert-tests/aki b/tests/cert-tests/aki index e5a5f423fd..33fc60e4bb 100755 --- a/tests/cert-tests/aki +++ b/tests/cert-tests/aki @@ -27,7 +27,7 @@ CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} DIFF=${DIFF:-diff} $CERTTOOL --certificate-info --infile $srcdir/aki-cert.pem \ - --outfile tmp-aki.pem + |grep -v "Algorithm Security Level" > tmp-aki.pem $DIFF $srcdir/aki-cert.pem tmp-aki.pem rc=$? diff --git a/tests/cert-tests/aki-cert.pem b/tests/cert-tests/aki-cert.pem index 69f7c27bb8..e6a71c51a1 100644 --- a/tests/cert-tests/aki-cert.pem +++ b/tests/cert-tests/aki-cert.pem @@ -7,7 +7,6 @@ X.509 Certificate Information: Not After: Sun Mar 24 23:59:59 UTC 2019 Subject: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)09,CN=VeriSign Class 3 Secure Server CA - G2 Subject Public Key Algorithm: RSA - Algorithm Security Level: Legacy (2048 bits) Modulus (bits 2048): 00:d4:56:8f:57:3b:37:28:a6:40:63:d2:95:d5:05:74 da:b5:19:6a:96:d6:71:57:2f:e2:c0:34:8c:a0:95:b3 diff --git a/tests/cert-tests/ca-no-pathlen.pem b/tests/cert-tests/ca-no-pathlen.pem index e3cfbb3792..b12477fe19 100644 --- a/tests/cert-tests/ca-no-pathlen.pem +++ b/tests/cert-tests/ca-no-pathlen.pem @@ -7,7 +7,6 @@ X.509 Certificate Information: Not After: Sat Jan 27 10:00:06 UTC 2007 Subject: O=GnuTLS test certificate Subject Public Key Algorithm: RSA - Algorithm Security Level: Export (512 bits) Modulus (bits 512): 00:a1:63:53:6b:54:95:ac:3c:a4:4b:4b:6a:ba:c0:9c 11:ad:28:dd:03:a8:c0:f4:17:bf:18:cd:9f:b3:5a:d1 diff --git a/tests/cert-tests/no-ca-or-pathlen.pem b/tests/cert-tests/no-ca-or-pathlen.pem index 312e3d7df8..525360968e 100644 --- a/tests/cert-tests/no-ca-or-pathlen.pem +++ b/tests/cert-tests/no-ca-or-pathlen.pem @@ -7,7 +7,6 @@ X.509 Certificate Information: Not After: Fri Aug 25 23:59:59 UTC 2000 Subject: O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98,OU=Persona Not Validated,OU=Digital ID Class 1 - Netscape,CN=Simon Josefsson,EMAIL=simon@josefsson.org Subject Public Key Algorithm: RSA - Algorithm Security Level: Weak (1024 bits) Modulus (bits 1024): 00:c9:0c:ce:8a:fe:71:46:9b:ca:1d:e5:90:12:a5:11 0b:c6:2d:c4:33:c6:19:e8:60:59:4e:3f:64:3d:e4:f7 diff --git a/tests/cert-tests/pathlen b/tests/cert-tests/pathlen index 01af21e2cc..a3d50ab5cf 100755 --- a/tests/cert-tests/pathlen +++ b/tests/cert-tests/pathlen @@ -27,9 +27,9 @@ CERTTOOL=${CERTTOOL:-../../src/certtool$EXEEXT} DIFF=${DIFF:-diff} $CERTTOOL --certificate-info --infile $srcdir/ca-no-pathlen.pem \ - --outfile new-ca-no-pathlen.pem + |grep -v "Algorithm Security Level" > new-ca-no-pathlen.pem $CERTTOOL --certificate-info --infile $srcdir/no-ca-or-pathlen.pem \ - --outfile new-no-ca-or-pathlen.pem + |grep -v "Algorithm Security Level" > new-no-ca-or-pathlen.pem $DIFF $srcdir/ca-no-pathlen.pem new-ca-no-pathlen.pem rc1=$? diff --git a/tests/cve-2009-1416.c b/tests/cve-2009-1416.c index 5bfb43cd7b..128d4abd91 100644 --- a/tests/cve-2009-1416.c +++ b/tests/cve-2009-1416.c @@ -48,6 +48,10 @@ int main(void) { +#ifdef ENABLE_FIPS140 + /* Cannot generate a 512-bit DSA key */ + return 77; +#else gnutls_x509_privkey_t key; gnutls_datum_t p, q, g, y, x; int ret; @@ -81,4 +85,5 @@ int main(void) gnutls_global_deinit(); return 0; +#endif } diff --git a/tests/fips-test.c b/tests/fips-test.c new file mode 100644 index 0000000000..f46a3beae2 --- /dev/null +++ b/tests/fips-test.c @@ -0,0 +1,147 @@ +#include <config.h> +#include <stdint.h> +#include <stdio.h> +#include <string.h> +#include <utils.h> +#include <stdlib.h> +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> +#include <gnutls/abstract.h> +#include <gnutls/x509.h> +#include <gnutls/fips140.h> + +void _gnutls_fips140_simulate_error(void); + +/* This does check the FIPS140 support. + */ + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d>| %s", level, str); +} + +static uint8_t key16[16]; +static uint8_t iv16[16]; + +void doit(void) +{ + int ret; +#ifdef ENABLE_FIPS140 + unsigned int mode; + gnutls_cipher_hd_t ch; + gnutls_hmac_hd_t mh; + gnutls_session_t session; + gnutls_pubkey_t pubkey; + gnutls_x509_privkey_t xprivkey; + gnutls_privkey_t privkey; + gnutls_datum_t key = { key16, sizeof(key16) }; + gnutls_datum_t iv = { iv16, sizeof(iv16) }; + + fprintf(stderr, + "Please note that you need to assure the library's integrity prior to running this test\n"); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + mode = gnutls_fips140_mode_enabled(); + if (mode == 0) { + success("We are not in FIPS140 mode\n"); + exit(77); + } + + ret = global_init(); + if (ret < 0) { + fail("Cannot initialize library\n"); + } + + /* Try crypto.h functionality */ + ret = + gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv); + if (ret < 0) { + fail("gnutls_cipher_init failed\n"); + } + gnutls_cipher_deinit(ch); + + ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size); + if (ret < 0) { + fail("gnutls_hmac_init failed\n"); + } + gnutls_hmac_deinit(mh, NULL); + + ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16)); + if (ret < 0) { + fail("gnutls_rnd failed\n"); + } + + ret = gnutls_pubkey_init(&pubkey); + if (ret < 0) { + fail("gnutls_pubkey_init failed\n"); + } + gnutls_pubkey_deinit(pubkey); + + ret = gnutls_privkey_init(&privkey); + if (ret < 0) { + fail("gnutls_privkey_init failed\n"); + } + gnutls_privkey_deinit(privkey); + + ret = gnutls_x509_privkey_init(&xprivkey); + if (ret < 0) { + fail("gnutls_privkey_init failed\n"); + } + gnutls_x509_privkey_deinit(xprivkey); + + ret = gnutls_init(&session, 0); + if (ret < 0) { + fail("gnutls_init failed\n"); + } + gnutls_deinit(session); + + /* Test when FIPS140 is set to error state */ + _gnutls_fips140_simulate_error(); + + + /* Try crypto.h functionality */ + ret = + gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv); + if (ret >= 0) { + fail("gnutls_cipher_init succeeded when in FIPS140 error state\n"); + } + + ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size); + if (ret >= 0) { + fail("gnutls_hmac_init succeeded when in FIPS140 error state\n"); + } + + ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16)); + if (ret >= 0) { + fail("gnutls_rnd succeeded when in FIPS140 error state\n"); + } + + ret = gnutls_pubkey_init(&pubkey); + if (ret >= 0) { + fail("gnutls_pubkey_init succeeded when in FIPS140 error state\n"); + } + + ret = gnutls_privkey_init(&privkey); + if (ret >= 0) { + fail("gnutls_privkey_init succeeded when in FIPS140 error state\n"); + } + + ret = gnutls_x509_privkey_init(&xprivkey); + if (ret >= 0) { + fail("gnutls_x509_privkey_init succeeded when in FIPS140 error state\n"); + } + + ret = gnutls_init(&session, 0); + if (ret >= 0) { + fail("gnutls_init succeeded when in FIPS140 error state\n"); + } + + gnutls_global_deinit(); + return; +#else + exit(1); /* fail. This script shouldn't be called on this case */ +#endif +} diff --git a/tests/global-init.c b/tests/global-init.c new file mode 100644 index 0000000000..92a6190621 --- /dev/null +++ b/tests/global-init.c @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2008-2012 Free Software Foundation, Inc. + * + * Author: Joe Orton + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#include <unistd.h> + +#include <gnutls/gnutls.h> + +#include "utils.h" + +void doit(void) +{ + int ret; + +#ifdef ENABLE_FIPS140 + /* In FIPS140 a constructor is being used for MINIMAL so + * the following should succeed. + */ + ret = gnutls_global_init2(GNUTLS_GLOBAL_INIT_PKCS11); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } +#else + ret = gnutls_global_init2(GNUTLS_GLOBAL_INIT_PKCS11); + if (ret != GNUTLS_E_INVALID_REQUEST) { + fail("Initialization should have failed: %d\n", __LINE__); + } +#endif + + ret = gnutls_global_init(); + if (ret < 0) { + fail("Could not initialize\n"); + } + + /* That shouldn't crash */ + gnutls_global_deinit(); + gnutls_global_deinit(); + gnutls_global_deinit(); + gnutls_global_deinit(); + + ret = gnutls_global_init(); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } + + /* the rest shouldn't cause a leak */ + ret = gnutls_global_init(); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } + + ret = gnutls_global_init(); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } + + ret = gnutls_global_init2(GNUTLS_GLOBAL_INIT_CRYPTO); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } + + ret = gnutls_global_init2(GNUTLS_GLOBAL_INIT_PKCS11); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } + + gnutls_global_deinit(); + gnutls_global_deinit(); + gnutls_global_deinit(); + gnutls_global_deinit(); + gnutls_global_deinit(); + + /* This should fail */ + ret = gnutls_global_init2(GNUTLS_GLOBAL_INIT_CRYPTO); + if (ret != GNUTLS_E_INVALID_REQUEST) { + fail("Initialization should have failed: %d\n", __LINE__); + } + + ret = gnutls_global_init2(GNUTLS_GLOBAL_INIT_MINIMAL); + if (ret < 0) { + fail("Could not initialize: %d\n", __LINE__); + } + + gnutls_global_deinit(); +} diff --git a/tests/mini-overhead.c b/tests/mini-overhead.c index a10a6998e5..9a4d5e2bfc 100644 --- a/tests/mini-overhead.c +++ b/tests/mini-overhead.c @@ -335,10 +335,12 @@ void doit(void) start ("NONE:+VERS-DTLS1.0:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-NULL:+RSA", 37); +#ifndef ENABLE_FIPS140 /* 13 + 20(tag) */ start ("NONE:+VERS-DTLS1.0:+SALSA20-256:+SHA1:+SIGN-ALL:+COMP-NULL:+RSA", 33); +#endif } #endif /* _WIN32 */ diff --git a/tests/mini-record-2.c b/tests/mini-record-2.c index b6104b42fb..0d5d262116 100644 --- a/tests/mini-record-2.c +++ b/tests/mini-record-2.c @@ -112,9 +112,10 @@ const gnutls_datum_t server_key = { server_key_pem, #define MAX_BUF 24*1024 -static void client(int fd, const char *prio) +static void client(int fd, const char *prio, int ign) { int ret; + unsigned i; char buffer[MAX_BUF + 1]; gnutls_anon_client_credentials_t anoncred; gnutls_certificate_credentials_t x509_cred; @@ -167,6 +168,41 @@ static void client(int fd, const char *prio) gnutls_protocol_get_name (gnutls_protocol_get_version(session))); + /* Test sending */ + for (i = 1; i < 16384; i++) { + do { + ret = gnutls_record_send(session, buffer, i); + } while (ret == GNUTLS_E_AGAIN + || ret == GNUTLS_E_INTERRUPTED); + + if (ret < 0) { + fail("server (%s): Error sending %d byte packet: %s\n", prio, i, gnutls_strerror(ret)); + terminate(); + } + } + + /* Try sending a bit more */ + i = 21056; + do { + ret = gnutls_record_send(session, buffer, i); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret < 0) { + fail("server (%s): Error sending %d byte packet: %s\n", + prio, i, gnutls_strerror(ret)); + exit(1); + } else if (ign == 0 && ret != 16384) { + fail("server (%s): Error sending %d byte packet; sent %d bytes instead of 16384\n", prio, i, ret); + exit(1); + } + + ret = gnutls_alert_send(session, GNUTLS_AL_WARNING, GNUTLS_A_USER_CANCELED); + if (ret < 0) { + fail("server (%s): Error sending alert\n", prio); + exit(1); + } + + /* Test receiving */ do { do { ret = gnutls_record_recv(session, buffer, MAX_BUF); @@ -267,6 +303,30 @@ static void server(int fd, const char *prio, int ign) gnutls_protocol_get_name (gnutls_protocol_get_version(session))); + /* Here we do both a receive and a send test because if valgrind + * detects an error on the peer, the main process will never know. + */ + + /* Test receiving */ + do { + do { + ret = gnutls_record_recv(session, buffer, MAX_BUF); + } while (ret == GNUTLS_E_AGAIN + || ret == GNUTLS_E_INTERRUPTED); + } while (ret > 0); + + if (ret != GNUTLS_E_WARNING_ALERT_RECEIVED || + gnutls_alert_get(session) != GNUTLS_A_USER_CANCELED) { + + if (ret <= 0) { + if (ret != 0) { + fail("client: Error: %s\n", gnutls_strerror(ret)); + exit(1); + } + } + } + + /* Test sending */ for (i = 1; i < 16384; i++) { do { ret = gnutls_record_send(session, buffer, i); @@ -335,7 +395,7 @@ static void start(const char *prio, int ign) kill(child, SIGTERM); } else { close(fd[0]); - client(fd[1], prio); + client(fd[1], prio, ign); exit(0); } } @@ -357,6 +417,9 @@ static void start(const char *prio, int ign) #define ARCFOUR_SHA1_ZLIB "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-DEFLATE:+ANON-ECDH:+CURVE-ALL" #define NEW_ARCFOUR_SHA1_ZLIB "NONE:+VERS-TLS1.0:-CIPHER-ALL:+ARCFOUR-128:+SHA1:+SIGN-ALL:+COMP-DEFLATE:+ANON-ECDH:+CURVE-ALL:%NEW_PADDING" +#define AES_GCM_ZLIB "NONE:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-DEFLATE:+RSA:+CURVE-ALL" +#define NEW_AES_GCM_ZLIB "NONE:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-GCM:+AEAD:+SIGN-ALL:+COMP-DEFLATE:+RSA:+CURVE-ALL:%NEW_PADDING" + static void ch_handler(int sig) { int status; @@ -377,9 +440,6 @@ void doit(void) { signal(SIGCHLD, ch_handler); - start(NULL_SHA1, 0); - - start(NEW_ARCFOUR_SHA1, 1); start(NEW_AES_CBC, 1); start(NEW_AES_CBC_SHA256, 1); start(NEW_AES_GCM, 1); @@ -388,11 +448,18 @@ void doit(void) start(AES_CBC_SHA256, 1); start(AES_GCM, 0); +#ifndef ENABLE_FIPS140 + start(NULL_SHA1, 0); + start(NEW_ARCFOUR_SHA1, 1); + start(ARCFOUR_SHA1, 0); start(ARCFOUR_MD5, 0); start(ARCFOUR_SHA1_ZLIB, 0); start(NEW_ARCFOUR_SHA1_ZLIB, 1); +#endif + start(AES_GCM_ZLIB, 0); + start(NEW_AES_GCM_ZLIB, 1); } #endif /* _WIN32 */ diff --git a/tests/mini-x509.c b/tests/mini-x509.c index 333d544df9..edd67aa291 100644 --- a/tests/mini-x509.c +++ b/tests/mini-x509.c @@ -107,7 +107,11 @@ void doit(void) gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred); gnutls_priority_set_direct(server, +#ifndef ENABLE_FIPS140 "NORMAL:-CIPHER-ALL:+ARCFOUR-128", +#else + "NORMAL:-CIPHER-ALL:+AES-128-CBC", +#endif NULL); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); diff --git a/tests/mini-xssl.c b/tests/mini-xssl.c index c6d8c82dfc..1834353da7 100644 --- a/tests/mini-xssl.c +++ b/tests/mini-xssl.c @@ -27,7 +27,7 @@ #include <stdio.h> #include <stdlib.h> -#if defined(_WIN32) +#if defined(_WIN32) || !defined(ENABLE_NON_SUITEB_CURVES) int main() { @@ -70,7 +70,7 @@ static time_t mytime(time_t * t) static void server_log_func(int level, const char *str) { -// fprintf (stderr, "server|<%d>| %s", level, str); + fprintf (stderr, "server|<%d>| %s", level, str); } static void client_log_func(int level, const char *str) @@ -257,13 +257,12 @@ static void server(int fd, unsigned vmethod) gnutls_cinput_st aux[6]; unsigned aux_size = 0; - global_init(); - if (debug) { - gnutls_global_set_log_function(client_log_func); + gnutls_global_set_log_function(server_log_func); gnutls_global_set_log_level(7); } + global_init(); aux[aux_size].type = GNUTLS_CINPUT_TYPE_MEM; aux[aux_size].contents = GNUTLS_CINPUT_KEYPAIR; diff --git a/tests/mpi.c b/tests/mpi.c index 40788fd72d..3d2179f321 100644 --- a/tests/mpi.c +++ b/tests/mpi.c @@ -37,10 +37,8 @@ static void tls_log_func(int level, const char *str) fprintf(stderr, "|<%d>| %s", level, str); } -#define RND_BITS 510 /* not multiple of 8 */ void doit(void) { - int rc; bigint_t n1, n2, n3, n4; global_init(); @@ -61,13 +59,9 @@ void doit(void) if (n3 == NULL) fail("mpi_set_ui failed\n"); - _gnutls_mpi_randomize(n1, RND_BITS, GNUTLS_RND_NONCE); - - _gnutls_mpi_log("rand:", n1); - - rc = _gnutls_mpi_get_nbits(n1); - if (rc > RND_BITS) - fail("mpi_get_nbits failed... returned %d\n", rc); + n1 = _gnutls_mpi_set_ui(NULL, 12498924); + if (n3 == NULL) + fail("mpi_set_ui failed\n"); n4 = _gnutls_mpi_addm(NULL, n1, n3, n2); if (n4 == NULL) diff --git a/tests/pkcs12-decode/Makefile.am b/tests/pkcs12-decode/Makefile.am index 5da1124f2d..c08e4d9ae2 100644 --- a/tests/pkcs12-decode/Makefile.am +++ b/tests/pkcs12-decode/Makefile.am @@ -24,7 +24,9 @@ EXTRA_DIST = client.p12 noclient.p12 unclient.p12 pkcs12_2certs.p12 \ dist_check_SCRIPTS = pkcs12 +if !ENABLE_FIPS140 TESTS = pkcs12 +endif TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ LC_ALL="C" \ diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c index 42a01812d3..b3252dd160 100644 --- a/tests/pkcs12_encode.c +++ b/tests/pkcs12_encode.c @@ -81,7 +81,7 @@ void doit(void) int ret, indx; char outbuf[10240]; size_t size; - int i; + unsigned tests, i; ret = global_init(); if (ret < 0) { @@ -128,7 +128,12 @@ void doit(void) } /* Generate and add PKCS#12 cert bags. */ - for (i = 0; i < 2; i++) { +#ifndef ENABLE_FIPS140 + tests = 2; /* include RC2 */ +#else + tests = 1; +#endif + for (i = 0; i < tests; i++) { ret = gnutls_pkcs12_bag_init(&bag); if (ret < 0) { fprintf(stderr, "bag_init: %d", ret); diff --git a/tests/pkcs12_simple.c b/tests/pkcs12_simple.c index bbfe97d181..f182860aaa 100644 --- a/tests/pkcs12_simple.c +++ b/tests/pkcs12_simple.c @@ -38,13 +38,14 @@ static void tls_log_func(int level, const char *str) void doit(void) { +#ifdef ENABLE_NON_SUITEB_CURVES const char *filename, *password = "1234"; gnutls_pkcs12_t pkcs12; unsigned char *file_data; size_t file_size; gnutls_datum_t data; gnutls_x509_crt_t *chain, *extras; - unsigned int chain_size, extras_size, i; + unsigned int chain_size = 0, extras_size = 0, i; gnutls_x509_privkey_t pkey; int ret; @@ -148,4 +149,7 @@ void doit(void) free(file_data); gnutls_global_deinit(); +#else + exit(77); +#endif } diff --git a/tests/priorities.c b/tests/priorities.c index bf183fe164..7b9de3cc64 100644 --- a/tests/priorities.c +++ b/tests/priorities.c @@ -31,6 +31,14 @@ #include "utils.h" +#ifdef ENABLE_FIPS140 +void doit(void) +{ + exit(77); +} + +#else + static void try_prio(const char *prio, unsigned expected_cs, unsigned expected_ciphers) { @@ -109,3 +117,5 @@ void doit(void) try_prio("SECURE128:+SECURE256:+NORMAL", normal, 10); /* should be the same as NORMAL */ try_prio("SUITEB192", 1, 1); } + +#endif diff --git a/tests/record-sizes.c b/tests/record-sizes.c index 11edde15e1..4f52e54a02 100644 --- a/tests/record-sizes.c +++ b/tests/record-sizes.c @@ -43,6 +43,8 @@ static void tls_log_func(int level, const char *str) /* This test attempts to transfer various sizes using ARCFOUR-128. */ +#ifndef ENABLE_FIPS140 + #define MAX_BUF 16384 static char b1[MAX_BUF + 1]; static char buffer[MAX_BUF + 1]; @@ -156,3 +158,10 @@ void doit(void) gnutls_global_deinit(); } + +#else +void doit(void) +{ + exit(77); +} +#endif diff --git a/tests/rng-fork.c b/tests/rng-fork.c index d2692e2f59..5e7a8d38de 100644 --- a/tests/rng-fork.c +++ b/tests/rng-fork.c @@ -25,6 +25,7 @@ #endif #include <stdio.h> +#include <stdlib.h> #include <unistd.h> #include <sys/types.h> #if !defined(_WIN32) @@ -54,47 +55,53 @@ void doit(void) pid_t pid; int ret; FILE *fp; + unsigned i; global_init(); - pid = fork(); - if (pid == 0) { - fp = fopen(FILENAME, "w"); - if (fp == NULL) - fail("cannot open file"); - - gnutls_rnd(GNUTLS_RND_NONCE, buf1, sizeof(buf1)); - if (debug) - dump("buf1", buf1, sizeof(buf1)); - - fwrite(buf1, 1, sizeof(buf1), fp); - fclose(fp); - } else { - /* daddy */ - gnutls_rnd(GNUTLS_RND_NONCE, buf2, sizeof(buf2)); - if (debug) - dump("buf2", buf2, sizeof(buf2)); - waitpid(pid, NULL, 0); - - fp = fopen(FILENAME, "r"); - if (fp == NULL) - fail("cannot open file"); - - ret = fread(buf1, 1, sizeof(buf1), fp); - - fclose(fp); - remove(FILENAME); - - if (ret != sizeof(buf1)) { - fail("error testing the random generator."); - return; - } - if (memcmp(buf1, buf2, sizeof(buf1)) == 0) { - fail("error in the random generator. Produces same valus after fork()"); - return; + for (i = GNUTLS_RND_NONCE; i <= GNUTLS_RND_KEY; i++) { + pid = fork(); + if (pid == 0) { + fp = fopen(FILENAME, "w"); + if (fp == NULL) + fail("cannot open file"); + + gnutls_rnd(i, buf1, sizeof(buf1)); + if (debug) + dump("buf1", buf1, sizeof(buf1)); + + fwrite(buf1, 1, sizeof(buf1), fp); + fclose(fp); + gnutls_global_deinit(); + exit(0); + } else { + /* daddy */ + gnutls_rnd(i, buf2, sizeof(buf2)); + if (debug) + dump("buf2", buf2, sizeof(buf2)); + waitpid(pid, NULL, 0); + + fp = fopen(FILENAME, "r"); + if (fp == NULL) + fail("cannot open file"); + + ret = fread(buf1, 1, sizeof(buf1), fp); + + fclose(fp); + remove(FILENAME); + + if (ret != sizeof(buf1)) { + fail("error testing the random generator (%u).\n", i); + return; + } + + if (memcmp(buf1, buf2, sizeof(buf1)) == 0) { + fail("error in the random generator (%u). Produces same valus after fork()\n", i); + return; + } + if (debug) + success("success\n"); } - if (debug) - success("success\n"); } gnutls_global_deinit(); diff --git a/tests/set_pkcs12_cred.c b/tests/set_pkcs12_cred.c index 5038a8ef47..9381c3f659 100644 --- a/tests/set_pkcs12_cred.c +++ b/tests/set_pkcs12_cred.c @@ -34,6 +34,7 @@ static void tls_log_func(int level, const char *str) fprintf(stderr, "<%d>| %s", level, str); } +#ifndef ENABLE_FIPS140 void doit(void) { gnutls_certificate_credentials_t x509cred; @@ -113,3 +114,9 @@ void doit(void) gnutls_global_deinit(); } +#else +void doit(void) +{ + exit(77); +} +#endif diff --git a/tests/slow/Makefile.am b/tests/slow/Makefile.am index 265588434b..0e4b382a67 100644 --- a/tests/slow/Makefile.am +++ b/tests/slow/Makefile.am @@ -24,7 +24,13 @@ AM_CPPFLAGS = -I$(top_srcdir)/lib/includes \ AM_LDFLAGS = -no-install LDADD = ../libutils.la \ - ../../lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET) + $(top_builddir)/lib/libgnutls.la $(LTLIBGCRYPT) $(LIBSOCKET) + +if !ENABLE_SELF_CHECKS +cipher_test_CPPFLAGS = $(AM_CPPFLAGS) -I$(top_builddir)/lib/ -I$(top_builddir)/gl/ +else +cipher_test_CPPFLAGS = $(AM_CPPFLAGS) +endif ctests = gendh keygen cipher-test diff --git a/tests/slow/cipher-test.c b/tests/slow/cipher-test.c index bbac05921e..129a7b129b 100644 --- a/tests/slow/cipher-test.c +++ b/tests/slow/cipher-test.c @@ -1,3 +1,4 @@ +#include <config.h> #include <stdint.h> #include <stdio.h> #include <string.h> @@ -11,594 +12,15 @@ * cpu instructions (AES-NI or padlock). */ -struct aes_vectors_st { - const uint8_t *key; - const uint8_t *plaintext; - const uint8_t *ciphertext; -}; - -struct aes_gcm_vectors_st { - const uint8_t *key; - const uint8_t *auth; - unsigned int auth_size; - const uint8_t *plaintext; - unsigned int plaintext_size; - const uint8_t *iv; - const uint8_t *ciphertext; - const uint8_t *tag; -}; - -struct aes_gcm_vectors_st aes_gcm_vectors[] = { -#if 0 - { - .key = (void *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .auth = NULL, - .auth_size = 0, - .plaintext = NULL, - .plaintext_size = 0, - .ciphertext = NULL, - .iv = (void *) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .tag = (void *) - "\x58\xe2\xfc\xce\xfa\x7e\x30\x61\x36\x7f\x1d\x57\xa4\xe7\x45\x5a"}, -#endif - { - .key = (void *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .auth = NULL, - .auth_size = 0, - .plaintext = (void *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .plaintext_size = 16, - .ciphertext = (void *) - "\x03\x88\xda\xce\x60\xb6\xa3\x92\xf3\x28\xc2\xb9\x71\xb2\xfe\x78", - .iv = (void *) "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .tag = (void *) - "\xab\x6e\x47\xd4\x2c\xec\x13\xbd\xf5\x3a\x67\xb2\x12\x57\xbd\xdf"}, - { - .key = (void *) - "\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08", - .auth = (void *) - "\xfe\xed\xfa\xce\xde\xad\xbe\xef\xfe\xed\xfa\xce\xde\xad\xbe\xef\xab\xad\xda\xd2", - .auth_size = 20, - .plaintext = (void *) - "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39", - .plaintext_size = 60, - .ciphertext = (void *) - "\x42\x83\x1e\xc2\x21\x77\x74\x24\x4b\x72\x21\xb7\x84\xd0\xd4\x9c\xe3\xaa\x21\x2f\x2c\x02\xa4\xe0\x35\xc1\x7e\x23\x29\xac\xa1\x2e\x21\xd5\x14\xb2\x54\x66\x93\x1c\x7d\x8f\x6a\x5a\xac\x84\xaa\x05\x1b\xa3\x0b\x39\x6a\x0a\xac\x97\x3d\x58\xe0\x91", - .iv = (void *) "\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88", - .tag = (void *) - "\x5b\xc9\x4f\xbc\x32\x21\xa5\xdb\x94\xfa\xe9\x5a\xe7\x12\x1a\x47"} -}; - - -struct aes_vectors_st aes_vectors[] = { - { - .key = (uint8_t *) - "\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .plaintext = (uint8_t *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .ciphertext = (uint8_t *) - "\x4b\xc3\xf8\x83\x45\x0c\x11\x3c\x64\xca\x42\xe1\x11\x2a\x9e\x87", - }, - { - .key = (uint8_t *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .plaintext = (uint8_t *) - "\xf3\x44\x81\xec\x3c\xc6\x27\xba\xcd\x5d\xc3\xfb\x08\xf2\x73\xe6", - .ciphertext = (uint8_t *) - "\x03\x36\x76\x3e\x96\x6d\x92\x59\x5a\x56\x7c\xc9\xce\x53\x7f\x5e", - }, - { - .key = (uint8_t *) - "\x10\xa5\x88\x69\xd7\x4b\xe5\xa3\x74\xcf\x86\x7c\xfb\x47\x38\x59", - .plaintext = (uint8_t *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .ciphertext = (uint8_t *) - "\x6d\x25\x1e\x69\x44\xb0\x51\xe0\x4e\xaa\x6f\xb4\xdb\xf7\x84\x65", - }, - { - .key = (uint8_t *) - "\xca\xea\x65\xcd\xbb\x75\xe9\x16\x9e\xcd\x22\xeb\xe6\xe5\x46\x75", - .plaintext = (uint8_t *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .ciphertext = (uint8_t *) - "\x6e\x29\x20\x11\x90\x15\x2d\xf4\xee\x05\x81\x39\xde\xf6\x10\xbb", - }, - { - .key = (uint8_t *) - "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe", - .plaintext = (uint8_t *) - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", - .ciphertext = (uint8_t *) - "\x9b\xa4\xa9\x14\x3f\x4e\x5d\x40\x48\x52\x1c\x4f\x88\x77\xd8\x8e", - }, -}; - -/* AES cipher */ -static int test_aes(void) -{ - gnutls_cipher_hd_t hd; - int ret; - unsigned int i, j; - uint8_t _iv[16]; - uint8_t tmp[128]; - gnutls_datum_t key, iv; - - fprintf(stdout, "Tests on AES Encryption: "); - fflush(stdout); - for (i = 0; i < sizeof(aes_vectors) / sizeof(aes_vectors[0]); i++) { - memset(_iv, 0, sizeof(_iv)); - memset(tmp, 0, sizeof(tmp)); - key.data = (void *) aes_vectors[i].key; - key.size = 16; - - iv.data = _iv; - iv.size = 16; - - ret = - gnutls_cipher_init(&hd, GNUTLS_CIPHER_AES_128_CBC, - &key, &iv); - if (ret < 0) { - fprintf(stderr, "%d: AES test %d failed\n", - __LINE__, i); - return 1; - } - - ret = - gnutls_cipher_encrypt2(hd, aes_vectors[i].plaintext, - 16, tmp, sizeof(tmp)); - if (ret < 0) { - fprintf(stderr, "%d: AES test %d failed\n", - __LINE__, i); - return 1; - } - - gnutls_cipher_deinit(hd); - - if (memcmp(tmp, aes_vectors[i].ciphertext, 16) != 0) { - fprintf(stderr, "AES test vector %d failed!\n", i); - - fprintf(stderr, "Cipher[%d]: ", 16); - for (j = 0; j < 16; j++) - fprintf(stderr, "%.2x:", (int) tmp[j]); - fprintf(stderr, "\n"); - - fprintf(stderr, "Expected[%d]: ", 16); - for (j = 0; j < 16; j++) - fprintf(stderr, "%.2x:", - (int) aes_vectors[i]. - ciphertext[j]); - fprintf(stderr, "\n"); - return 1; - } - } - fprintf(stdout, "ok\n"); - - fprintf(stdout, "Tests on AES Decryption: "); - fflush(stdout); - for (i = 0; i < sizeof(aes_vectors) / sizeof(aes_vectors[0]); i++) { - - memset(_iv, 0, sizeof(_iv)); - memset(tmp, 0x33, sizeof(tmp)); - - key.data = (void *) aes_vectors[i].key; - key.size = 16; - - iv.data = _iv; - iv.size = 16; - - ret = - gnutls_cipher_init(&hd, GNUTLS_CIPHER_AES_128_CBC, - &key, &iv); - if (ret < 0) { - fprintf(stderr, "%d: AES test %d failed\n", - __LINE__, i); - return 1; - } - - ret = - gnutls_cipher_decrypt2(hd, aes_vectors[i].ciphertext, - 16, tmp, sizeof(tmp)); - if (ret < 0) { - fprintf(stderr, "%d: AES test %d failed\n", - __LINE__, i); - return 1; - } - - gnutls_cipher_deinit(hd); - - if (memcmp(tmp, aes_vectors[i].plaintext, 16) != 0) { - fprintf(stderr, "AES test vector %d failed!\n", i); - - fprintf(stderr, "Plain[%d]: ", 16); - for (j = 0; j < 16; j++) - fprintf(stderr, "%.2x:", (int) tmp[j]); - fprintf(stderr, "\n"); - - fprintf(stderr, "Expected[%d]: ", 16); - for (j = 0; j < 16; j++) - fprintf(stderr, "%.2x:", - (int) aes_vectors[i].plaintext[j]); - fprintf(stderr, "\n"); - return 1; - } - } - - fprintf(stdout, "ok\n"); - fprintf(stdout, "\n"); - - fprintf(stdout, "Tests on AES-GCM: "); - fflush(stdout); - for (i = 0; - i < sizeof(aes_gcm_vectors) / sizeof(aes_gcm_vectors[0]); - i++) { - memset(tmp, 0, sizeof(tmp)); - key.data = (void *) aes_gcm_vectors[i].key; - key.size = 16; - - iv.data = (void *) aes_gcm_vectors[i].iv; - iv.size = 12; - - ret = - gnutls_cipher_init(&hd, GNUTLS_CIPHER_AES_128_GCM, - &key, &iv); - if (ret < 0) { - fprintf(stderr, "%d: AES-GCM test %d failed\n", - __LINE__, i); - return 1; - } - - if (aes_gcm_vectors[i].auth_size > 0) { - ret = - gnutls_cipher_add_auth(hd, - aes_gcm_vectors[i].auth, - aes_gcm_vectors[i]. - auth_size); - - if (ret < 0) { - fprintf(stderr, - "%d: AES-GCM test %d failed\n", - __LINE__, i); - return 1; - } - } - - if (aes_gcm_vectors[i].plaintext_size > 0) { - ret = - gnutls_cipher_encrypt2(hd, - aes_gcm_vectors[i]. - plaintext, - aes_gcm_vectors - [i].plaintext_size, tmp, - sizeof(tmp)); - if (ret < 0) { - fprintf(stderr, - "%d: AES-GCM test %d failed: %s\n", - __LINE__, i, gnutls_strerror(ret)); - return 1; - } - } - - - if (aes_gcm_vectors[i].plaintext_size > 0) - if (memcmp - (tmp, aes_gcm_vectors[i].ciphertext, - aes_gcm_vectors[i].plaintext_size) != 0) { - fprintf(stderr, - "AES-GCM test vector %d failed!\n", - i); - - fprintf(stderr, "Cipher[%d]: ", - aes_gcm_vectors[i].plaintext_size); - for (j = 0; - j < aes_gcm_vectors[i].plaintext_size; - j++) - fprintf(stderr, "%.2x:", - (int) tmp[j]); - fprintf(stderr, "\n"); - - fprintf(stderr, "Expected[%d]: ", - aes_gcm_vectors[i].plaintext_size); - for (j = 0; - j < aes_gcm_vectors[i].plaintext_size; - j++) - fprintf(stderr, "%.2x:", - (int) aes_gcm_vectors[i]. - ciphertext[j]); - fprintf(stderr, "\n"); - return 1; - } - - gnutls_cipher_tag(hd, tmp, 16); - if (memcmp(tmp, aes_gcm_vectors[i].tag, 16) != 0) { - fprintf(stderr, - "AES-GCM test vector %d failed (tag)!\n", - i); - - fprintf(stderr, "Tag[%d]: ", 16); - for (j = 0; j < 16; j++) - fprintf(stderr, "%.2x:", (int) tmp[j]); - fprintf(stderr, "\n"); - - fprintf(stderr, "Expected[%d]: ", 16); - for (j = 0; j < 16; j++) - fprintf(stderr, "%.2x:", - (int) aes_gcm_vectors[i].tag[j]); - fprintf(stderr, "\n"); - return 1; - } - - gnutls_cipher_deinit(hd); - - } - fprintf(stdout, "ok\n"); - fprintf(stdout, "\n"); - - - return 0; - -} - -struct hash_vectors_st { - const char *name; - int algorithm; - const uint8_t *key; /* if hmac */ - unsigned int key_size; - const uint8_t *plaintext; - unsigned int plaintext_size; - const uint8_t *output; - unsigned int output_size; -} hash_vectors[] = { - { - .name = "SHA1",.algorithm = GNUTLS_MAC_SHA1,.key = - NULL,.plaintext = - (uint8_t *) "what do ya want for nothing?",. - plaintext_size = - sizeof("what do ya want for nothing?") - 1,.output = - (uint8_t *) - "\x8f\x82\x03\x94\xf9\x53\x35\x18\x20\x45\xda\x24\xf3\x4d\xe5\x2b\xf8\xbc\x34\x32",. - output_size = 20,} - , { - .name = "SHA1",.algorithm = GNUTLS_MAC_SHA1,.key = - NULL,.plaintext = (uint8_t *) - "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",. - plaintext_size = - sizeof - ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") - - 1,.output = (uint8_t *) - "\xbe\xae\xd1\x6d\x65\x8e\xc7\x92\x9e\xdf\xd6\x2b\xfa\xfe\xac\x29\x9f\x0d\x74\x4d",. - output_size = 20,} - , { - .name = "SHA256",.algorithm = GNUTLS_MAC_SHA256,.key = - NULL,.plaintext = (uint8_t *) - "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",. - plaintext_size = - sizeof - ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") - - 1,.output = (uint8_t *) - "\x24\x8d\x6a\x61\xd2\x06\x38\xb8\xe5\xc0\x26\x93\x0c\x3e\x60\x39\xa3\x3c\xe4\x59\x64\xff\x21\x67\xf6\xec\xed\xd4\x19\xdb\x06\xc1",. - output_size = 32,} - , { - .name = "SHA256",.algorithm = GNUTLS_MAC_SHA256,.key = - NULL,.plaintext = (uint8_t *) - "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",. - plaintext_size = - sizeof - ("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq") - - 1,.output = (uint8_t *) - "\x50\xea\x82\x5d\x96\x84\xf4\x22\x9c\xa2\x9f\x1f\xec\x51\x15\x93\xe2\x81\xe4\x6a\x14\x0d\x81\xe0\x00\x5f\x8f\x68\x86\x69\xa0\x6c",. - output_size = 32,} - , { - .name = "SHA512",.algorithm = GNUTLS_MAC_SHA512,.key = - NULL,.plaintext = (uint8_t *) - "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",. - plaintext_size = - sizeof - ("abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu") - - 1,.output = (uint8_t *) - "\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14\x3f\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88\x90\x18\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4\xb5\x43\x3a\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b\x87\x4b\xe9\x09",. - output_size = 64,} - , { - .name = "HMAC-MD5",.algorithm = GNUTLS_MAC_MD5,.key = - (uint8_t *) "Jefe",.key_size = 4,.plaintext = - (uint8_t *) - "what do ya want for nothing?",.plaintext_size = - sizeof("what do ya want for nothing?") - 1,.output = - (uint8_t *) - "\x75\x0c\x78\x3e\x6a\xb0\xb5\x03\xea\xa8\x6e\x31\x0a\x5d\xb7\x38",. - output_size = 16,} - , - /* from rfc4231 */ - { - .name = "HMAC-SHA2-224",.algorithm = - GNUTLS_MAC_SHA224,.key = (uint8_t *) - "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",. - key_size = 20,.plaintext = - (uint8_t *) "Hi There",.plaintext_size = - sizeof("Hi There") - 1,.output = (uint8_t *) - "\x89\x6f\xb1\x12\x8a\xbb\xdf\x19\x68\x32\x10\x7c\xd4\x9d\xf3\x3f\x47\xb4\xb1\x16\x99\x12\xba\x4f\x53\x68\x4b\x22",. - output_size = 28,} - , { - .name = "HMAC-SHA2-256",.algorithm = - GNUTLS_MAC_SHA256,.key = (uint8_t *) - "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",. - key_size = 20,.plaintext = - (uint8_t *) "Hi There",.plaintext_size = - sizeof("Hi There") - 1,.output = (uint8_t *) - "\xb0\x34\x4c\x61\xd8\xdb\x38\x53\x5c\xa8\xaf\xce\xaf\x0b\xf1\x2b\x88\x1d\xc2\x00\xc9\x83\x3d\xa7\x26\xe9\x37\x6c\x2e\x32\xcf\xf7",. - output_size = 32,} - , { - .name = "HMAC-SHA2-384",.algorithm = - GNUTLS_MAC_SHA384,.key = (uint8_t *) - "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",. - key_size = 20,.plaintext = - (uint8_t *) "Hi There",.plaintext_size = - sizeof("Hi There") - 1,.output = (uint8_t *) - "\xaf\xd0\x39\x44\xd8\x48\x95\x62\x6b\x08\x25\xf4\xab\x46\x90\x7f\x15\xf9\xda\xdb\xe4\x10\x1e\xc6\x82\xaa\x03\x4c\x7c\xeb\xc5\x9c\xfa\xea\x9e\xa9\x07\x6e\xde\x7f\x4a\xf1\x52\xe8\xb2\xfa\x9c\xb6",. - output_size = 48,} - , { - .name = "HMAC-SHA2-512",.algorithm = - GNUTLS_MAC_SHA512,.key = (uint8_t *) - "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",. - key_size = 20,.plaintext = - (uint8_t *) "Hi There",.plaintext_size = - sizeof("Hi There") - 1,.output = (uint8_t *) - "\x87\xaa\x7c\xde\xa5\xef\x61\x9d\x4f\xf0\xb4\x24\x1a\x1d\x6c\xb0\x23\x79\xf4\xe2\xce\x4e\xc2\x78\x7a\xd0\xb3\x05\x45\xe1\x7c\xde\xda\xa8\x33\xb7\xd6\xb8\xa7\x02\x03\x8b\x27\x4e\xae\xa3\xf4\xe4\xbe\x9d\x91\x4e\xeb\x61\xf1\x70\x2e\x69\x6c\x20\x3a\x12\x68\x54",. - output_size = 64,} -,}; - -#define HASH_DATA_SIZE 64 - -/* SHA1 and other hashes */ -static int test_hash(void) -{ - uint8_t data[HASH_DATA_SIZE]; - unsigned int i, j; - int ret; - size_t data_size; - - fprintf(stdout, "Tests on Hashes\n"); - for (i = 0; i < sizeof(hash_vectors) / sizeof(hash_vectors[0]); - i++) { - - fprintf(stdout, "\t%s: ", hash_vectors[i].name); - /* import key */ - if (hash_vectors[i].key != NULL) { -#if 0 - ret = - gnutls_hmac_fast(hash_vectors[i].algorithm, - hash_vectors[i].key, - hash_vectors[i].key_size, - hash_vectors[i].plaintext, - hash_vectors[i]. - plaintext_size, data); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } -#else - gnutls_hmac_hd_t hd; - - ret = - gnutls_hmac_init(&hd, - hash_vectors[i].algorithm, - hash_vectors[i].key, - hash_vectors[i].key_size); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - - ret = - gnutls_hmac(hd, hash_vectors[i].plaintext, - hash_vectors[i].plaintext_size - - 1); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - - ret = - gnutls_hmac(hd, - &hash_vectors[i]. - plaintext[hash_vectors[i]. - plaintext_size - 1], 1); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - - gnutls_hmac_output(hd, data); - gnutls_hmac_deinit(hd, NULL); -#endif - - data_size = - gnutls_hmac_get_len(hash_vectors[i].algorithm); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - } else { - gnutls_hash_hd_t hd; - ret = - gnutls_hash_init(&hd, - hash_vectors[i].algorithm); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - - ret = gnutls_hash(hd, - hash_vectors[i].plaintext, 1); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - - ret = gnutls_hash(hd, - &hash_vectors[i].plaintext[1], - hash_vectors[i].plaintext_size - - 1); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - - gnutls_hash_output(hd, data); - gnutls_hash_deinit(hd, NULL); - - data_size = - gnutls_hash_get_len(hash_vectors[i].algorithm); - if (ret < 0) { - fprintf(stderr, "Error: %s:%d\n", __func__, - __LINE__); - return 1; - } - } - - if (data_size != hash_vectors[i].output_size || - memcmp(data, hash_vectors[i].output, - hash_vectors[i].output_size) != 0) { - fprintf(stderr, "HASH test vector %d failed!\n", - i); - - fprintf(stderr, "Output[%d]: ", (int) data_size); - for (j = 0; j < data_size; j++) - fprintf(stderr, "%.2x:", (int) data[j]); - fprintf(stderr, "\n"); - - fprintf(stderr, "Expected[%d]: ", - hash_vectors[i].output_size); - for (j = 0; j < hash_vectors[i].output_size; j++) - fprintf(stderr, "%.2x:", - (int) hash_vectors[i].output[j]); - fprintf(stderr, "\n"); - return 1; - } - - fprintf(stdout, "ok\n"); - } - - fprintf(stdout, "\n"); - - return 0; - -} - static void tls_log_func(int level, const char *str) { fprintf(stderr, "<%d>| %s", level, str); } +#ifndef ENABLE_SELF_CHECKS +#include "../../lib/crypto-selftests.c" +#include "../../lib/crypto-selftests-pk.c" +#endif int main(int argc, char **argv) { @@ -608,10 +30,20 @@ int main(int argc, char **argv) global_init(); - if (test_aes()) + /* ciphers */ + if (gnutls_cipher_self_test(1, 0) < 0) + return 1; + + /* message digests */ + if (gnutls_digest_self_test(1, 0) < 0) + return 1; + + /* MAC */ + if (gnutls_mac_self_test(1, 0) < 0) return 1; - if (test_hash()) + /* PK */ + if (gnutls_pk_self_test(1, 0) < 0) return 1; gnutls_global_deinit(); |