author | Daiki Ueno <ueno@gnu.org> | 2020-01-24 07:31:54 +0000 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-01-24 07:31:54 +0000 |
commit | 0f285237b82e99a59a90bd0c22b746c748b63ffb (patch) | |
tree | d5455cd66eec64672da0fbbabffb2939503420db /tests | |
parent | 564756ee10eae57fe23e8a31a463e30e89208217 (diff) | |
parent | 3cadae8ec935443f4d645168c56b662cfd380d99 (diff) | |
download | gnutls-0f285237b82e99a59a90bd0c22b746c748b63ffb.tar.gz |
Merge branch 'tmp-ed448' into 'master'
algorithms: implement X448 key exchange and Ed448 signature scheme
See merge request gnutls/gnutls!984
Diffstat (limited to 'tests')
-rw-r--r-- | tests/gnutls-strcodes.c | 2 | ||||
-rw-r--r-- | tests/privkey-keygen.c | 32 | ||||
-rw-r--r-- | tests/suite/testcompat-common | 6 | ||||
-rwxr-xr-x | tests/suite/testcompat-tls13-openssl.sh | 32 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-tls13.json | 11 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 19 |
6 files changed, 54 insertions, 48 deletions
diff --git a/tests/gnutls-strcodes.c b/tests/gnutls-strcodes.c index 0d3f14b600..952fc5fbb4 100644 --- a/tests/gnutls-strcodes.c +++ b/tests/gnutls-strcodes.c @@ -129,6 +129,8 @@ void doit(void) check_unique_non_null(gnutls_ecc_curve_get_name(i)); if (i == GNUTLS_ECC_CURVE_X25519) continue; /* no oid yet */ + if (i == GNUTLS_ECC_CURVE_X448) + continue; /* no oid yet */ check_unique_non_null(gnutls_ecc_curve_get_oid(i)); } diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c index 7491e3cf33..31634bd095 100644 --- a/tests/privkey-keygen.c +++ b/tests/privkey-keygen.c 
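Review bot: The new X448 skip in the curve loop of doit() repeats the X25519 skip directly above it, comment included, so the exemption list from the OID uniqueness check is now spread over two statements. A single guard is easier to audit when an OID is later added for either curve: `if (i == GNUTLS_ECC_CURVE_X25519 || i == GNUTLS_ECC_CURVE_X448) continue; /* no OID in the curve table yet */`. The loop and the rest of doit() lie outside this hunk.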
@@ -65,36 +65,29 @@ static void sign_verify_data(gnutls_pk_algorithm_t algorithm, gnutls_x509_privke gnutls_datum_t signature; gnutls_digest_algorithm_t digest; - if (algorithm == GNUTLS_PK_EDDSA_ED25519) - digest = GNUTLS_DIG_SHA512; - else if (algorithm == GNUTLS_PK_GOST_01) - digest = GNUTLS_DIG_GOSTR_94; - else if (algorithm == GNUTLS_PK_GOST_12_256) - digest = GNUTLS_DIG_STREEBOG_256; - else if (algorithm == GNUTLS_PK_GOST_12_512) - digest = GNUTLS_DIG_STREEBOG_512; - else - digest = GNUTLS_DIG_SHA256; - - /* sign arbitrary data */ assert(gnutls_privkey_init(&privkey) >= 0); ret = gnutls_privkey_import_x509(privkey, pkey, 0); if (ret < 0) fail("gnutls_privkey_import_x509\n"); - ret = gnutls_privkey_sign_data(privkey, digest, 0, - &raw_data, &signature); - if (ret < 0) - fail("gnutls_x509_privkey_sign_data\n"); - - /* verify data */ assert(gnutls_pubkey_init(&pubkey) >= 0); ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); if (ret < 0) fail("gnutls_pubkey_import_privkey\n"); + ret = gnutls_pubkey_get_preferred_hash_algorithm (pubkey, &digest, NULL); + if (ret < 0) + fail("gnutls_pubkey_get_preferred_hash_algorithm\n"); + + /* sign arbitrary data */ + ret = gnutls_privkey_sign_data(privkey, digest, 0, + &raw_data, &signature); + if (ret < 0) + fail("gnutls_privkey_sign_data\n"); + + /* verify data */ ret = gnutls_pubkey_verify_data2(pubkey, gnutls_pk_to_sign(gnutls_pubkey_get_pk_algorithm(pubkey, NULL),digest), 0, &raw_data, &signature); if (ret < 0) @@ -122,7 +115,8 @@ void doit(void) for (algorithm = GNUTLS_PK_RSA; algorithm <= GNUTLS_PK_MAX; algorithm++) { if (algorithm == GNUTLS_PK_DH || - algorithm == GNUTLS_PK_ECDH_X25519) + algorithm == GNUTLS_PK_ECDH_X25519 || + algorithm == GNUTLS_PK_ECDH_X448) continue; if (algorithm == GNUTLS_PK_GOST_01 || diff --git a/tests/suite/testcompat-common b/tests/suite/testcompat-common index c351662319..6ed5dba27f 100644 --- a/tests/suite/testcompat-common +++ b/tests/suite/testcompat-common 
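Review bot: With `digest` now taken from `gnutls_pubkey_get_preferred_hash_algorithm()`, sign_verify_data no longer holds an independent expectation for the hash. The same library answer feeds both `gnutls_privkey_sign_data` and `gnutls_pk_to_sign`, so a wrong or unexpectedly weak preferred hash for some key type would still round-trip and pass. Consider rejecting an unset result right after the call, `if (digest == GNUTLS_DIG_UNKNOWN) fail("no preferred hash for algorithm\n");`, and keeping an explicit expected digest for the EdDSA algorithms if their hash is meant to be fixed. The function starts and ends outside this hunk, so the later cleanup is not visible here.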
@@ -43,6 +43,9 @@ RSA_PSS_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-rsa-pss.pem" ED25519_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-ed25519.pem" ED25519_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-ed25519.pem" +ED448_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-ed448.pem" +ED448_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-ed448.pem" + RSA_PSS_CERT="${srcdir}/../../doc/credentials/x509/cert-rsa-pss.pem" RSA_PSS_KEY="${srcdir}/../../doc/credentials/x509/key-rsa-pss.pem" @@ -52,6 +55,9 @@ RSA_KEY="${srcdir}/../../doc/credentials/x509/key-rsa.pem" ED25519_CERT="${srcdir}/../../doc/credentials/x509/cert-ed25519.pem" ED25519_KEY="${srcdir}/../../doc/credentials/x509/key-ed25519.pem" +ED448_CERT="${srcdir}/../../doc/credentials/x509/cert-ed448.pem" +ED448_KEY="${srcdir}/../../doc/credentials/x509/key-ed448.pem" + ECC_CERT="${srcdir}/../../doc/credentials/x509/cert-ecc.pem" ECC_KEY="${srcdir}/../../doc/credentials/x509/key-ecc.pem" diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index 6d17941b8e..128873ab23 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh 
@@ -177,6 +177,18 @@ run_client_suite() { kill ${PID} wait + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..." + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED448_KEY}" -cert "${ED448_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..." eval "${GETPORT}" launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}" @@ -324,7 +336,8 @@ run_server_suite() { wait done - for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do + GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1" + for i in $GROUPS;do echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." eval "${GETPORT}" @@ -395,6 +408,10 @@ _EOF_ ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ED448_CLI_CERT}" -key "${ED448_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + kill ${PID} wait 
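Review bot: The new Ed448 case in run_client_suite runs the GnuTLS client with `--insecure`, so a certificate verification failure does not fail the test. It shows that the TLS 1.3 handshake with an Ed448 server key completes, not that the chain validates against `${CA_CERT}`. If the test certificate's names permit it, passing `--x509cafile "${CA_CERT}"` instead of `--insecure` would make this an actual verification test. The neighbouring cases are only partly visible here and may follow the same pattern, in which case this is a follow-up for the whole suite.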
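Review bot: `GROUPS` in run_server_suite is a special variable in bash (the caller's group IDs), and bash silently ignores assignments to it. If this script is ever run by bash, `for i in $GROUPS` would iterate over a numeric gid instead of the five TLS groups, and the X448 key-exchange case would not be exercised as intended. The interpreter line is outside this hunk, so whether that happens today depends on which shell runs the suite. A name that no shell reserves avoids the problem: `TLS13_GROUPS="GROUP-X25519 GROUP-X448 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1"` with `for i in $TLS13_GROUPS;do`.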
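Review bot: The Ed448 client-certificate check added at -395 only fails when `s_client` prints a line matching `:error:`, and the same holds for the Ed448 server-certificate check added in the -452 hunk. If `s_client` exits early, or reports a verification problem without that string, the case passes and gives no evidence that an Ed448 signature was produced and accepted. Consider capturing the `s_client` output and also requiring a positive marker of a completed handshake before calling the case successful. For the server-certificate case, `-verify_return_error` would turn a chain validation failure into a hard error.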
@@ -452,6 +469,19 @@ _EOF_ kill ${PID} wait + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed448 certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED448_CERT}" --x509keyfile "${ED448_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..." eval "${GETPORT}" diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json index 31f63e5398..e293b1ce78 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json @@ -43,16 +43,7 @@ {"name" : "test-tls13-ccs.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-crfg-curves.py", - "comment": "We do not support x448", - "arguments": ["-p", "@PORT@", - "-e", "empty x448 key share", - "-e", "sanity x448 with compression ansiX962_compressed_char2", - "-e", "sanity x448 with compression ansiX962_compressed_prime", - "-e", "sanity x448 with compression uncompressed", - "-e", "too big x448 key share", - "-e", "too small x448 key share", - "-e", "x448 key share of \"1\"", - "-e", "all zero x448 key share"]}, + "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-conversation.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-count-tickets.py", diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json index bc3c7a88b2..bef461789f 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json 
@@ -42,15 +42,7 @@ "arguments" : ["-p", "@PORT@", "-e", "Encrypt-then-MAC renegotiation crash"]}, {"name" : "test-x25519.py", - "comment" : "x448 is not supported", - "arguments" : ["-p", "@PORT@", - "-e", "all zero x448 key share", - "-e", "empty x448 key share", - "-e", "sanity - negotiate x448", - "-e", "too big x448 key share", - "-e", "too small x448 key share", - "-e", "x448 key share of \"1\"" - ]}, + "arguments" : ["-p", "@PORT@"]}, {"name" : "test-cve-2016-7054.py", "arguments" : ["-p", "@PORT@", "-e", "sanity"]}, @@ -130,9 +122,6 @@ "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 1) with x448 group", - "-e", "Protocol (3, 2) with x448 group", - "-e", "Protocol (3, 3) with x448 group", "-e", "Protocol (3, 0)", "-z", "-n", "6"]}, @@ -144,9 +133,6 @@ "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 1) with x448 group", - "-e", "Protocol (3, 2) with x448 group", - "-e", "Protocol (3, 3) with x448 group", "-e", "Protocol (3, 0)", "-z", "-n", "6"]}, @@ -263,9 +249,6 @@ {"name" : "test-serverhello-random.py", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 1) with x448 group", - "-e", "Protocol (3, 2) with x448 group", - "-e", "Protocol (3, 3) with x448 group", "-e", "Protocol (3, 0)", "-z", "-n", "6"]}, |