diff options
author | Heikki Toivonen <heikki@heikkitoivonen.net> | 2009-07-22 18:31:08 +0000 |
---|---|---|
committer | Heikki Toivonen <heikki@heikkitoivonen.net> | 2009-07-22 18:31:08 +0000 |
commit | 06ccede8b94472bafd2fd07508b4aed3378ba7e0 (patch) | |
tree | b79424cb3b033e9be4386ea29fdd161df164f9d2 | |
parent | f03002846f0909b1432e284e446975f85963483a (diff) | |
download | m2crypto-06ccede8b94472bafd2fd07508b4aed3378ba7e0.tar.gz |
Bug 12742, better fix for FIPS mode issues by Miloslav Trmac.
git-svn-id: http://svn.osafoundation.org/m2crypto/trunk@692 2715db39-9adf-0310-9c64-84f055769b4b
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | tests/dhparams.pem | 5 | ||||
-rw-r--r-- | tests/dsa.param.pem | 11 | ||||
-rw-r--r-- | tests/dsa.priv.pem | 17 | ||||
-rw-r--r-- | tests/dsa.pub.pem | 16 | ||||
-rw-r--r-- | tests/rsa.priv.pem | 25 | ||||
-rw-r--r-- | tests/rsa.priv2.pem | 32 | ||||
-rw-r--r-- | tests/rsa.pub.pem | 6 | ||||
-rw-r--r-- | tests/test_bio.py | 27 | ||||
-rw-r--r-- | tests/test_dh.py | 10 | ||||
-rw-r--r-- | tests/test_dsa.py | 8 | ||||
-rw-r--r-- | tests/test_evp.py | 50 | ||||
-rw-r--r-- | tests/test_rsa.py | 22 | ||||
-rw-r--r-- | tests/test_ssl.py | 34 | ||||
-rw-r--r-- | tests/test_x509.py | 12 |
15 files changed, 164 insertions, 115 deletions
@@ -1,7 +1,7 @@ 0.20 ---- - Deprecated M2Crypto.PGP subpackage since nobody seems to be using it nor - is it being maintained + is it being maintained (if you do use it, please let me know) - Added fedora_setup.sh to help work around differences on Fedora Core -based distributions (RedHat, CentOS, ...); thanks to Miloslav Trmac - Added X509.load_request_bio and load_request_string, by Hartmut Goebel and @@ -38,6 +38,8 @@ - SMIME.load_pkcs7, load_pkcs7_bio, smime_load_pkcs7, smime_load_pkcs7_bio, text_crlf, text_crlf_bio fixed to raise BIO.BIOError, SMIME.PKCS7_Error and SMIME.SMIME_Error as appropriate instead of str +- Added FIPS mode to unit tests, and used FIPS-compliant key sizes in other + tests, by Miloslav Trmac. Note that tests run much slower because of this! - Unit tests cover 80% of the code 0.19.1 - 2008-10-12 diff --git a/tests/dhparams.pem b/tests/dhparams.pem index 6b585b5..edb320a 100644 --- a/tests/dhparams.pem +++ b/tests/dhparams.pem @@ -1,4 +1,5 @@ -----BEGIN DH PARAMETERS----- -MEYCQQDvbktzmJLagQnfNMxqrcFWw4nbxV1fQ1VvnEnqYn3qWfYAn1VZRptEcS3G -f18KD5t1693IXcXn6n3e6wcJpa6LAgEC +MIGHAoGBAIgAcu3gpJeO8aS6N+sTMa655BMzBNlK66q62VH9RqmHwFJSjjCs3ZsF +aVsTkO3Mt0gULn1drXsK6Lc6pA8s0eQN8ggyEPVr6ND0jN2jr2qc1XlqD7jxzdxe +igB66pLvrWvAulrGxg4QMsQjqcpwZZ2ndRpYSmErIi4M1r19nTgjAgEC -----END DH PARAMETERS----- diff --git a/tests/dsa.param.pem b/tests/dsa.param.pem index 906871c..6300c4f 100644 --- a/tests/dsa.param.pem +++ b/tests/dsa.param.pem @@ -1,6 +1,9 @@ -----BEGIN DSA PARAMETERS----- -MIGcAkEA5UAz0VLdCTWWn8avPHMjsgrO5HIPxa3TV8AexcFFgyZ+bO1tGXzUTLbG -kgHEkLYVfr2Q6GkeoFlHSXjbj9OImwIVAISRjD+YqAYmH4VuZhVc+5CxKxy/AkA4 -6Lkjsc3BP1px1IR3+dLJ08EWh/d7/X6/RWfEd2vr9JfpnycmRtRTsVW46frHL3HY -Ts35avQRXpqapoyHUCBV +MIIBHgKBgQDqYu3smvs8KHBx4XX8otDHQUdtCyWKIRC52eQUSYeWejvdaqm11rIq +QMFBJDnvicM4avyOIU2d/ZOfLzN7aXFw3Ep67amsLpj82N+n4lASUJwKdOJyzyLG +9IS41RRek8B3lRAs/zqk1U6P5EaE/uIG4+avYmkSDpB4kmnRGhTYeQIVALKQpdTy +uat9aoq9mFm8dVA2VxAhAoGAausAkdN4Hj6S5nfPMjJTnwV4u7hVY6b6eAZTJmxs +ykr3XlKqM3PS0hKhjatp7f+mRNFxYvGrWPLAwnPOIp/iNn7lM7U41ceUj1O3KrD/ +Cg4LQ/bADvY48eytdjMLZDpL3Jwootfs4i8WIb0RnIxg8nClhkY2K2/+4voft+Xi +DlA= -----END DSA PARAMETERS----- diff --git a/tests/dsa.priv.pem b/tests/dsa.priv.pem index 8d5d97f..cd5578c 100644 --- a/tests/dsa.priv.pem +++ b/tests/dsa.priv.pem @@ -1,8 +1,9 @@ ------BEGIN DSA PRIVATE KEY----- -MIH4AgEAAkEA0NGZ0GRXdPLh/0c980Ot8ZbfV/DvJ19ZzsDhKXRxNNw36Ms4lb9Y -ZMnJ1CliIDkpHx8sXEak0vkdeB2efGGBPQIVAJY7PF7CiA+jj+t3EyHf/sgVagPP -AkEApkvDehftx8Kt+3GRsYkEgcKqsU6tue+QQOFOFYsCbMq/3rxIEKk0q1PqHfid -+BsMiEY4FFmF5BqmgGAf6+V9twJATbbgPKi/EboVrtBdkTM52LSCQHPa/CEcj322 -0s5Ix1dwojdQaNpq6HhCm6+g9SXPENy9I/PK85YnawI4A6w1pQIULRB2HSm1X14c -+guvmhIobv6wE50= ------END DSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIBSgIBADCCASsGByqGSM44BAEwggEeAoGBAOpi7eya+zwocHHhdfyi0MdBR20L +JYohELnZ5BRJh5Z6O91qqbXWsipAwUEkOe+Jwzhq/I4hTZ39k58vM3tpcXDcSnrt +qawumPzY36fiUBJQnAp04nLPIsb0hLjVFF6TwHeVECz/OqTVTo/kRoT+4gbj5q9i +aRIOkHiSadEaFNh5AhUAspCl1PK5q31qir2YWbx1UDZXECECgYBq6wCR03gePpLm +d88yMlOfBXi7uFVjpvp4BlMmbGzKSvdeUqozc9LSEqGNq2nt/6ZE0XFi8atY8sDC +c84in+I2fuUztTjVx5SPU7cqsP8KDgtD9sAO9jjx7K12MwtkOkvcnCii1+ziLxYh +vRGcjGDycKWGRjYrb/7i+h+35eIOUAQWAhQ/vK8oLKHdEu7W77fbZ3+jQvvt6Q== +-----END PRIVATE KEY----- diff --git a/tests/dsa.pub.pem b/tests/dsa.pub.pem index 4fe3dd9..34c8d45 100644 --- a/tests/dsa.pub.pem +++ b/tests/dsa.pub.pem @@ -1,8 +1,12 @@ -----BEGIN PUBLIC KEY----- -MIHxMIGpBgcqhkjOOAQBMIGdAkEA0NGZ0GRXdPLh/0c980Ot8ZbfV/DvJ19ZzsDh -KXRxNNw36Ms4lb9YZMnJ1CliIDkpHx8sXEak0vkdeB2efGGBPQIVAJY7PF7CiA+j -j+t3EyHf/sgVagPPAkEApkvDehftx8Kt+3GRsYkEgcKqsU6tue+QQOFOFYsCbMq/ -3rxIEKk0q1PqHfid+BsMiEY4FFmF5BqmgGAf6+V9twNDAAJATbbgPKi/EboVrtBd -kTM52LSCQHPa/CEcj3220s5Ix1dwojdQaNpq6HhCm6+g9SXPENy9I/PK85YnawI4 -A6w1pQ== +MIIBtzCCASsGByqGSM44BAEwggEeAoGBAOpi7eya+zwocHHhdfyi0MdBR20LJYoh +ELnZ5BRJh5Z6O91qqbXWsipAwUEkOe+Jwzhq/I4hTZ39k58vM3tpcXDcSnrtqawu +mPzY36fiUBJQnAp04nLPIsb0hLjVFF6TwHeVECz/OqTVTo/kRoT+4gbj5q9iaRIO +kHiSadEaFNh5AhUAspCl1PK5q31qir2YWbx1UDZXECECgYBq6wCR03gePpLmd88y +MlOfBXi7uFVjpvp4BlMmbGzKSvdeUqozc9LSEqGNq2nt/6ZE0XFi8atY8sDCc84i +n+I2fuUztTjVx5SPU7cqsP8KDgtD9sAO9jjx7K12MwtkOkvcnCii1+ziLxYhvRGc +jGDycKWGRjYrb/7i+h+35eIOUAOBhQACgYEAmYO4Qss7pYq3vAEj5qj35A1gsOeC +rGxvu8w9Dj8jACuz0IHOTq+vFbnB6p30rdloMU7Ci4NHPWqOVmWCFcXxkFgJMJld +sBbkdbGnhPI80sWJGouUYofHFG4pK0QoMeDZKgg7OgwH8EnmQM+W9KDZYJRSuU4+ +6F6hQkmkwAKAXkU= -----END PUBLIC KEY----- diff --git a/tests/rsa.priv.pem b/tests/rsa.priv.pem index ed34db6..0b8b163 100644 --- a/tests/rsa.priv.pem +++ b/tests/rsa.priv.pem @@ -1,9 +1,16 @@ ------BEGIN RSA PRIVATE KEY----- -MIIBOwIBAAJBANQNY7RD9BarYRsmMazM1hd7a+u3QeMPFZQ7Ic+BmmeWHvvVP4Yj -yu1t6vAut7mKkaDeKbT3yiGVUgAEUaWMXqECAwEAAQJAIHCz8h37N4ScZHThYJgt -oIYHKpZsg/oIyRaKw54GKxZq5f7YivcWoZ8j7IQ65lHVH3gmaqKOvqdAVVt5imKZ -KQIhAPPsr9i3FxU+Mac0pvQKhFVJUzAFfKiG3ulVUdHgAaw/AiEA3ozHKzfZWKxH -gs8v8ZQ/FnfI7DwYYhJC0YsXb6NSvR8CIHymwLo73mTxsogjBQqDcVrwLL3GoAyz -V6jf+/8HvXMbAiEAj1b3FVQEboOQD6WoyJ1mQO9n/xf50HjYhqRitOnp6ZsCIQDS -AvkvYKc6LG8IANmVv93g1dyKZvU/OQkAZepqHZB2MQ== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAM1lIRXaaLVgzlvW +F2S6OMFJsfG+coZLx9qzmNb2gK6qjyGa71HeaLvFmQFv60dPjpuaGPs2uhL88hcN +JAChGiD8LxNpVW0EEw+RRH6/CBlDGuKjkSaPz8zzpEhSZq/yGb0F4zaau1HINnwo +rYPyRXWyRUzfpEB/7mx8/FUD24knAgMBAAECgYAaInsSP8dBBP9c+iHh5DwihBEL +VJNX+T6F2oJhH96B2xv5R7CZ9zXWZq8wWqBSY5IexH3XQUBt+BeJzVc+aUFcpKLM +D1O3OZ8NwC9HGIY0sLeX+uawYdFAPJfF8BZ8x3LMxWA8jdJM+4/P3C3jh2EvyzLT +HQ1rXBPrLkH45xJQSQJBAPPfSiObRvbeJvkgE0z5SqdbQjTGxeAX5qt1e2LtTwdU +gAxpYnYPz9CFCcIpa0j9UejlGninXasQvhpdwytBLk0CQQDXm/2kKh9BuWzemIu/ +QcLSgc7VrGgZnGQ27fp3bXDSOV3Bev9VywLQ5VDBJcRSkMTC0V/+iHZbMl9EpwHN +8ZdDAkBJHtAZ8PrMFjvVQnrG/5AUsdYeAONfl4sAKc9/D+w8JGfoUMjG4WLMALe2 +UbjrP5kJnXfcaUI6gmCdgzN7iqWZAkAvJbpKOrfJDH4lEuCEOyIaHC6ZhPDioNM9 +O77ofLMOFWNOGtJY9WKxQWPuSI7sqyGLpHNEWpzfBl3UylxXp3u3AkEAzCzGUMfM +0qw/TFlVLzCHhrkP13SrJohdD693w9nuhYM2u27R32qJlF1OvN9NxEV7ZoOSGJxi +CGTjWcXUGgYQgQ== +-----END PRIVATE KEY----- diff --git a/tests/rsa.priv2.pem b/tests/rsa.priv2.pem index e2b93a1..013ab5e 100644 --- a/tests/rsa.priv2.pem +++ b/tests/rsa.priv2.pem @@ -1,15 +1,17 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-CBC,244DDAFE6F991A53 - -h1/NnMxq2ku9UkBG2tfM7hCFWmOvwMbVQBYgS4jLm3ENvWRgkm7pCqjCug99Uo5o -r+NhzqyvSBH+eX3ojVAfpMxkL0TIjMrogRq2TD75v6hTGu/fd4Yrw7vZaKRbLzoh -rG6m7zdbiQwNyh0bTbbo3WmQ07FXkXrDqihLaZTJOvHNLS1lKwRjIS0MqtyhOfPj -NNwuNEs6AFz4k6UxNMRXhyU2SXn5SOgZZB12SCIsYA034rwKFKqNRoneaLSlhtut -1z/BlJaLiZDHJmtxtgz5h3Ss9fQ9J0pLnybx+EM70TPM3hz47/8cQiEYIVg7+QFW -jNYaGIA6IOcyB7fwX5e/zFy5yXAsmuIw/iP0sYa29hdUG++T8Mp2knrBBwQO77OS -WRz219dMQQRyyn2jpN5x23AZyz4gHj4YKMm3KO06Y2k= ------END RSA PRIVATE KEY----- - -This is the same key as rsa.priv.pem. Passphrase is 'qwerty'. - +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIq+j6kBSOkTkCAggA +MBQGCCqGSIb3DQMHBAin1qbPaI3dAQSCAoAwb9BTWY6+o9GAZk9ZUJHAHL0Yb7C/ +Hkm8Kh+YBqIEHbTzzSzIO3pFFnLrLLSVbWuYX3bBJRDSUfmV9JaZu0YYJ/TzBtb5 +epgD+sZ83E11NM0L3rJTI9GOUm8b9U15N94X+gnQj0JSK8Ex0dJpJ3rwHPd1zAOe +0SjXViOCCuHeu4Mnz3P9B42FR5C/53GLkqtSZCsznSBsbPGZ/mb6eEGjgYtxFm15 +17Px7ezDjjr5knBozYua3OehCfI6lN1W+yyTvHGF4lpWkm7Pj24uHHh6yagFQuvB +RgE8eFLLPLBBa3kHWTn6hAPL4pfPIaPiDtX69IshSv2LVcbUPp6pTkji7mo3EFpN +Jigd3msMCf6w5Wh4I2k8Hb6eSkfsModIru05xq0fuTYi1nTh2l/M3FEGeOuBmpbD +AYzpT6J1+373rshkdqmv1C/REsnnrACGwbM7JN6K3sKnJZesI3iiHY5tnumypyv3 +f7wMaRcIq0QOi/WUIKzU0B4f9WxgjDuFwWyYlEBl2IYZ8wxD0P2s968puc7RRwrc +11Tn0a993122gBAHaa24iAW2ig2hGktLtxY1EvY6Sfd/migu2iVA6bwdVz68kKBj +tYfJQEoMGJhR+NqSDYvgJYgoNljOIf6Wq++L9/zqgtYkiL7xRLqSvths2NWaxGmc +RvjWFeq2sTiVXFn36jzO9YfJ4BFqgt5UoBRSw8jYQwm+W5TUhgWGQxQTTrCUs/36 +5oQXOwpRol+ivO/VtMdDShg6sKHEjQ/FhHqNpPccVLg/g81HbJyfmEmeqYu6rtOd +xBe9lVFW+86wObsYl1WCHYUQuBUlPv+uEDLqC92/6zLdCtDYYRYvdLF8 +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/rsa.pub.pem b/tests/rsa.pub.pem index 42379aa..e4f13e0 100644 --- a/tests/rsa.pub.pem +++ b/tests/rsa.pub.pem @@ -1,4 +1,6 @@ -----BEGIN PUBLIC KEY----- -MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQNY7RD9BarYRsmMazM1hd7a+u3QeMP -FZQ7Ic+BmmeWHvvVP4Yjyu1t6vAut7mKkaDeKbT3yiGVUgAEUaWMXqECAwEAAQ== +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNZSEV2mi1YM5b1hdkujjBSbHx +vnKGS8fas5jW9oCuqo8hmu9R3mi7xZkBb+tHT46bmhj7NroS/PIXDSQAoRog/C8T +aVVtBBMPkUR+vwgZQxrio5Emj8/M86RIUmav8hm9BeM2mrtRyDZ8KK2D8kV1skVM +36RAf+5sfPxVA9uJJwIDAQAB -----END PUBLIC KEY----- diff --git a/tests/test_bio.py b/tests/test_bio.py index 56c3da8..1d7b0c3 100644 --- a/tests/test_bio.py +++ b/tests/test_bio.py @@ -12,6 +12,8 @@ Author: Heikki Toivonen import unittest from M2Crypto import BIO, Rand +from fips import fips_mode + class CipherStreamTestCase(unittest.TestCase): def try_algo(self, algo): enc = 1 @@ -43,17 +45,20 @@ class CipherStreamTestCase(unittest.TestCase): assert data == data2, '%s algorithm cipher test failed' % algo def test_ciphers(self): - ciphers=['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb',\ - #'idea_ecb', 'idea_cbc', 'idea_cfb', 'idea_ofb',\ - 'cast5_ecb', 'cast5_cbc', 'cast5_cfb', 'cast5_ofb',\ - #'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb',\ - 'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb',\ - 'des_ede_ecb', 'des_ede_cbc', 'des_ede_cfb', 'des_ede_ofb',\ - 'des_ede3_ecb', 'des_ede3_cbc', 'des_ede3_cfb', 'des_ede3_ofb',\ - 'aes_128_ecb', 'aes_128_cbc', 'aes_128_cfb', 'aes_128_ofb',\ - 'aes_192_ecb', 'aes_192_cbc', 'aes_192_cfb', 'aes_192_ofb',\ - 'aes_256_ecb', 'aes_256_cbc', 'aes_256_cfb', 'aes_256_ofb',\ - 'rc4', 'rc2_40_cbc'] + ciphers=[ + 'des_ede_ecb', 'des_ede_cbc', 'des_ede_cfb', 'des_ede_ofb', + 'des_ede3_ecb', 'des_ede3_cbc', 'des_ede3_cfb', 'des_ede3_ofb', + 'aes_128_ecb', 'aes_128_cbc', 'aes_128_cfb', 'aes_128_ofb', + 'aes_192_ecb', 'aes_192_cbc', 'aes_192_cfb', 'aes_192_ofb', + 'aes_256_ecb', 'aes_256_cbc', 'aes_256_cfb', 'aes_256_ofb'] + nonfips_ciphers=['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb', + #'idea_ecb', 'idea_cbc', 'idea_cfb', 'idea_ofb', + 'cast5_ecb', 'cast5_cbc', 'cast5_cfb', 'cast5_ofb', + #'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb', + 'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb', + 'rc4', 'rc2_40_cbc'] + if not fips_mode: # Forbidden ciphers + ciphers += nonfips_ciphers for i in ciphers: self.try_algo(i) diff --git a/tests/test_dh.py b/tests/test_dh.py index fffbe94..0e66c89 100644 --- a/tests/test_dh.py +++ b/tests/test_dh.py @@ -21,19 +21,19 @@ class DHTestCase(unittest.TestCase): self.assertRaises(TypeError, DH.DH, 'junk') def test_gen_params(self): - a = DH.gen_params(128, 2, self.genparam_callback) + a = DH.gen_params(1024, 2, self.genparam_callback) assert a.check_params() == 0 def test_gen_params_bad_cb(self): - a = DH.gen_params(128, 2, self.genparam_callback2) + a = DH.gen_params(1024, 2, self.genparam_callback2) assert a.check_params() == 0 def test_print_params(self): - a = DH.gen_params(128, 2, self.genparam_callback) + a = DH.gen_params(1024, 2, self.genparam_callback) bio = BIO.MemoryBuffer() a.print_params(bio) params = bio.read() - assert params.find('(128 bit)') + assert params.find('(1024 bit)') assert params.find('generator: 2 (0x2)') def test_load_params(self): @@ -48,7 +48,7 @@ class DHTestCase(unittest.TestCase): ak = a.compute_key(b.pub) bk = b.compute_key(a.pub) assert ak == bk - self.assertEqual(len(a), 64) + self.assertEqual(len(a), 128) self.assertRaises(DH.DHError, setattr, a, 'p', 1) self.assertRaises(DH.DHError, setattr, a, 'priv', 1) diff --git a/tests/test_dsa.py b/tests/test_dsa.py index d2ad00e..7823f50 100644 --- a/tests/test_dsa.py +++ b/tests/test_dsa.py @@ -26,7 +26,7 @@ class DSATestCase(unittest.TestCase): def test_loadkey(self): dsa = DSA.load_key(self.privkey) - assert len(dsa) == 512 + assert len(dsa) == 1024 self.assertRaises(AttributeError, getattr, dsa, 'foobar') for k in ('p', 'q', 'g', 'priv', 'pub'): self.assertRaises(DSA.DSAError, setattr, dsa, k, 1) @@ -35,7 +35,7 @@ class DSATestCase(unittest.TestCase): self.assertRaises(DSA.DSAError, DSA.load_key, self.param) dsa = DSA.load_params(self.param) assert not dsa.check_key() - assert len(dsa) == 512 + assert len(dsa) == 1024 def test_sign(self): dsa = DSA.load_key(self.privkey) @@ -75,8 +75,8 @@ class DSATestCase(unittest.TestCase): self.assertRaises(AssertionError, dsa2.verify, self.data, r, s) def test_genparam_setparam_genkey(self): - dsa = DSA.gen_params(256, self.callback) - assert len(dsa) == 512 + dsa = DSA.gen_params(1024, self.callback) + assert len(dsa) == 1024 p = dsa.p q = dsa.q g = dsa.g diff --git a/tests/test_evp.py b/tests/test_evp.py index c173dae..ba09092 100644 --- a/tests/test_evp.py +++ b/tests/test_evp.py @@ -13,6 +13,8 @@ from binascii import hexlify, unhexlify from M2Crypto import EVP, RSA, util, Rand, m2, BIO from M2Crypto.util import h2b +from fips import fips_mode + class EVPTestCase(unittest.TestCase): def _gen_callback(self, *args): pass @@ -21,7 +23,7 @@ class EVPTestCase(unittest.TestCase): return 'foobar' def _assign_rsa(self): - rsa = RSA.gen_key(512, 3, callback=self._gen_callback) + rsa = RSA.gen_key(1024, 3, callback=self._gen_callback) pkey = EVP.PKey() pkey.assign_rsa(rsa, capture=0) # capture=1 should cause crash return rsa @@ -31,7 +33,7 @@ class EVPTestCase(unittest.TestCase): rsa.check_key() def test_pem(self): - rsa = RSA.gen_key(512, 3, callback=self._gen_callback) + rsa = RSA.gen_key(1024, 3, callback=self._gen_callback) pkey = EVP.PKey() pkey.assign_rsa(rsa) assert pkey.as_pem(callback=self._pass_callback) != pkey.as_pem(cipher=None) @@ -43,12 +45,12 @@ class EVPTestCase(unittest.TestCase): Test DER encoding the PKey instance after assigning a RSA key to it. """ - rsa = RSA.gen_key(512, 3, callback=self._gen_callback) + rsa = RSA.gen_key(1024, 3, callback=self._gen_callback) pkey = EVP.PKey() pkey.assign_rsa(rsa) der_blob = pkey.as_der() #A quick but not thorough sanity check - assert len(der_blob) == 92 + assert len(der_blob) == 160 def test_MessageDigest(self): @@ -62,25 +64,26 @@ class EVPTestCase(unittest.TestCase): Test DER encoding the PKey instance after assigning a RSA key to it. Have the PKey instance capture the RSA key. """ - rsa = RSA.gen_key(512, 3, callback=self._gen_callback) + rsa = RSA.gen_key(1024, 3, callback=self._gen_callback) pkey = EVP.PKey() pkey.assign_rsa(rsa, 1) der_blob = pkey.as_der() #A quick but not thorough sanity check - assert len(der_blob) == 92 + assert len(der_blob) == 160 def test_size(self): - rsa = RSA.gen_key(512, 3, callback=self._gen_callback) + rsa = RSA.gen_key(1024, 3, callback=self._gen_callback) pkey = EVP.PKey() pkey.assign_rsa(rsa) size = pkey.size() - assert size == 64 + assert size == 128 def test_hmac(self): assert util.octx_to_num(EVP.hmac('key', 'data')) == 92800611269186718152770431077867383126636491933, util.octx_to_num(EVP.hmac('key', 'data')) - assert util.octx_to_num(EVP.hmac('key', 'data', algo='md5')) == 209168838103121722341657216703105225176, util.octx_to_num(EVP.hmac('key', 'data', algo='md5')) - assert util.octx_to_num(EVP.hmac('key', 'data', algo='ripemd160')) == 1176807136224664126629105846386432860355826868536, util.octx_to_num(EVP.hmac('key', 'data', algo='ripemd160')) - + if not fips_mode: # Disabled algorithms + assert util.octx_to_num(EVP.hmac('key', 'data', algo='md5')) == 209168838103121722341657216703105225176, util.octx_to_num(EVP.hmac('key', 'data', algo='md5')) + assert util.octx_to_num(EVP.hmac('key', 'data', algo='ripemd160')) == 1176807136224664126629105846386432860355826868536, util.octx_to_num(EVP.hmac('key', 'data', algo='ripemd160')) + if m2.OPENSSL_VERSION_NUMBER >= 0x90800F: assert util.octx_to_num(EVP.hmac('key', 'data', algo='sha224')) == 2660082265842109788381286338540662430962855478412025487066970872635, util.octx_to_num(EVP.hmac('key', 'data', algo='sha224')) assert util.octx_to_num(EVP.hmac('key', 'data', algo='sha256')) == 36273358097036101702192658888336808701031275731906771612800928188662823394256, util.octx_to_num(EVP.hmac('key', 'data', algo='sha256')) @@ -112,7 +115,7 @@ class EVPTestCase(unittest.TestCase): digest = sha.sha(message).digest() assert rsa.sign(digest) == rsa2.sign(digest) - rsa3 = RSA.gen_key(512, 3, callback=self._gen_callback) + rsa3 = RSA.gen_key(1024, 3, callback=self._gen_callback) assert rsa.sign(digest) != rsa3.sign(digest) def test_get_rsa_fail(self): @@ -209,15 +212,20 @@ class CipherTestCase(unittest.TestCase): assert otxt == ptxt, '%s algorithm cipher test failed' % algo def test_ciphers(self): - ciphers=['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb',\ - 'cast5_ecb', 'cast5_cbc', 'cast5_cfb', 'cast5_ofb',\ - 'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb',\ - 'des_ede_ecb', 'des_ede_cbc', 'des_ede_cfb', 'des_ede_ofb',\ - 'des_ede3_ecb', 'des_ede3_cbc', 'des_ede3_cfb', 'des_ede3_ofb',\ - 'aes_128_ecb', 'aes_128_cbc', 'aes_128_cfb', 'aes_128_ofb',\ - 'aes_192_ecb', 'aes_192_cbc', 'aes_192_cfb', 'aes_192_ofb',\ - 'aes_256_ecb', 'aes_256_cbc', 'aes_256_cfb', 'aes_256_ofb',\ - 'rc4', 'rc2_40_cbc'] + ciphers=[ + 'des_ede_ecb', 'des_ede_cbc', 'des_ede_cfb', 'des_ede_ofb', + 'des_ede3_ecb', 'des_ede3_cbc', 'des_ede3_cfb', 'des_ede3_ofb', + 'aes_128_ecb', 'aes_128_cbc', 'aes_128_cfb', 'aes_128_ofb', + 'aes_192_ecb', 'aes_192_cbc', 'aes_192_cfb', 'aes_192_ofb', + 'aes_256_ecb', 'aes_256_cbc', 'aes_256_cfb', 'aes_256_ofb'] + nonfips_ciphers=['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb', + #'idea_ecb', 'idea_cbc', 'idea_cfb', 'idea_ofb', + 'cast5_ecb', 'cast5_cbc', 'cast5_cfb', 'cast5_ofb', + #'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb', + 'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb', + 'rc4', 'rc2_40_cbc'] + if not fips_mode: # Disabled algorithms + ciphers += nonfips_ciphers for i in ciphers: self.try_algo(i) diff --git a/tests/test_rsa.py b/tests/test_rsa.py index 30b4f30..e23a2fb 100644 --- a/tests/test_rsa.py +++ b/tests/test_rsa.py @@ -41,7 +41,7 @@ class RSATestCase(unittest.TestCase): def test_loadkey_pp(self): rsa = RSA.load_key(self.privkey2, self.pp_callback) - assert len(rsa) == 512 + assert len(rsa) == 1024 assert rsa.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 assert rsa.check_key() == 1 @@ -50,28 +50,28 @@ class RSATestCase(unittest.TestCase): def test_loadkey(self): rsa = RSA.load_key(self.privkey) - assert len(rsa) == 512 + assert len(rsa) == 1024 assert rsa.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 - self.assertEqual(rsa.n, '\x00\x00\x00A\x00\xd4\rc\xb4C\xf4\x16\xaba\x1b&1\xac\xcc\xd6\x17{k\xeb\xb7A\xe3\x0f\x15\x94;!\xcf\x81\x9ag\x96\x1e\xfb\xd5?\x86#\xca\xedm\xea\xf0.\xb7\xb9\x8a\x91\xa0\xde)\xb4\xf7\xca!\x95R\x00\x04Q\xa5\x8c^\xa1') + self.assertEqual(rsa.n, "\x00\x00\x00\x81\x00\xcde!\x15\xdah\xb5`\xce[\xd6\x17d\xba8\xc1I\xb1\xf1\xber\x86K\xc7\xda\xb3\x98\xd6\xf6\x80\xae\xaa\x8f!\x9a\xefQ\xdeh\xbb\xc5\x99\x01o\xebGO\x8e\x9b\x9a\x18\xfb6\xba\x12\xfc\xf2\x17\r$\x00\xa1\x1a \xfc/\x13iUm\x04\x13\x0f\x91D~\xbf\x08\x19C\x1a\xe2\xa3\x91&\x8f\xcf\xcc\xf3\xa4HRf\xaf\xf2\x19\xbd\x05\xe36\x9a\xbbQ\xc86|(\xad\x83\xf2Eu\xb2EL\xdf\xa4@\x7f\xeel|\xfcU\x03\xdb\x89'") self.assertRaises(AttributeError, getattr, rsa, 'nosuchprop') assert rsa.check_key() == 1 def test_loadkey_bio(self): keybio = BIO.MemoryBuffer(open(self.privkey).read()) rsa = RSA.load_key_bio(keybio) - assert len(rsa) == 512 + assert len(rsa) == 1024 assert rsa.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 assert rsa.check_key() == 1 def test_keygen(self): - rsa = RSA.gen_key(512, 65537, self.gen_callback) - assert len(rsa) == 512 + rsa = RSA.gen_key(1024, 65537, self.gen_callback) + assert len(rsa) == 1024 assert rsa.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 assert rsa.check_key() == 1 def test_keygen_bad_cb(self): - rsa = RSA.gen_key(512, 65537, self.gen2_callback) - assert len(rsa) == 512 + rsa = RSA.gen_key(1024, 65537, self.gen2_callback) + assert len(rsa) == 1024 assert rsa.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 assert rsa.check_key() == 1 @@ -113,7 +113,7 @@ class RSATestCase(unittest.TestCase): def test_loadpub(self): rsa = RSA.load_pub_key(self.pubkey) - assert len(rsa) == 512 + assert len(rsa) == 1024 assert rsa.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 self.assertRaises(RSA.RSAError, setattr, rsa, 'e', '\000\000\000\003\001\000\001') self.assertRaises(RSA.RSAError, rsa.private_encrypt, 1) @@ -144,7 +144,7 @@ class RSATestCase(unittest.TestCase): old = RSA.load_pub_key(self.pubkey) new = RSA.new_pub_key(old.pub()) assert new.check_key() - assert len(new) == 512 + assert len(new) == 1024 assert new.e == '\000\000\000\003\001\000\001' # aka 65537 aka 0xf4 def test_sign_and_verify(self): @@ -242,7 +242,7 @@ class RSATestCase(unittest.TestCase): """ rsa = RSA.load_key(self.privkey) digest = """This string should be long enough to warrant an error in - RSA_sign""" + RSA_sign""" * 2 self.assertRaises(RSA.RSAError, rsa.sign, digest) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 658e8a6..84df258 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -20,6 +20,8 @@ Others: import os, socket, string, sys, tempfile, thread, time, unittest from M2Crypto import Rand, SSL, m2, Err +from fips import fips_mode + srv_host = 'localhost' srv_port = 64000 @@ -340,6 +342,8 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.failIf(string.find(data, 's_server -quiet -www') == -1) def test_tls1_nok(self): + if fips_mode: # TLS is required in FIPS mode + return self.args.append('-no_tls1') pid = self.start_server(self.args) try: @@ -367,6 +371,8 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.failIf(string.find(data, 's_server -quiet -www') == -1) def test_sslv23_no_v2(self): + if fips_mode: # TLS is required in FIPS mode + return self.args.append('-no_tls1') pid = self.start_server(self.args) try: @@ -379,6 +385,8 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.stop_server(pid) def test_sslv23_no_v2_no_service(self): + if fips_mode: # TLS is required in FIPS mode + return self.args = self.args + ['-no_tls1', '-no_ssl3'] pid = self.start_server(self.args) try: @@ -390,6 +398,8 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.stop_server(pid) def test_sslv23_weak_crypto(self): + if fips_mode: # TLS is required in FIPS mode + return self.args = self.args + ['-no_tls1', '-no_ssl3'] pid = self.start_server(self.args) try: @@ -402,12 +412,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.stop_server(pid) def test_cipher_mismatch(self): - self.args = self.args + ['-cipher', 'EXP-RC4-MD5'] + self.args = self.args + ['-cipher', 'AES256-SHA'] pid = self.start_server(self.args) try: ctx = SSL.Context() s = SSL.Connection(ctx) - s.set_cipher_list('EXP-RC2-CBC-MD5') + s.set_cipher_list('AES128-SHA') try: s.connect(self.srv_addr) except SSL.SSLError, e: @@ -417,7 +427,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.stop_server(pid) def test_no_such_cipher(self): - self.args = self.args + ['-cipher', 'EXP-RC4-MD5'] + self.args = self.args + ['-cipher', 'AES128-SHA'] pid = self.start_server(self.args) try: ctx = SSL.Context() @@ -432,6 +442,8 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.stop_server(pid) def test_no_weak_cipher(self): + if fips_mode: # Weak ciphers are prohibited + return self.args = self.args + ['-cipher', 'EXP'] pid = self.start_server(self.args) try: @@ -446,6 +458,8 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.stop_server(pid) def test_use_weak_cipher(self): + if fips_mode: # Weak ciphers are prohibited + return self.args = self.args + ['-cipher', 'EXP'] pid = self.start_server(self.args) try: @@ -459,30 +473,30 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): self.failIf(string.find(data, 's_server -quiet -www') == -1) def test_cipher_ok(self): - self.args = self.args + ['-cipher', 'EXP-RC4-MD5'] + self.args = self.args + ['-cipher', 'AES128-SHA'] pid = self.start_server(self.args) try: ctx = SSL.Context() s = SSL.Connection(ctx) - s.set_cipher_list('EXP-RC4-MD5') + s.set_cipher_list('AES128-SHA') s.connect(self.srv_addr) data = self.http_get(s) - assert s.get_cipher().name() == 'EXP-RC4-MD5', s.get_cipher().name() + assert s.get_cipher().name() == 'AES128-SHA', s.get_cipher().name() cipher_stack = s.get_ciphers() - assert cipher_stack[0].name() == 'EXP-RC4-MD5', cipher_stack[0].name() + assert cipher_stack[0].name() == 'AES128-SHA', cipher_stack[0].name() self.assertRaises(IndexError, cipher_stack.__getitem__, 2) # For some reason there are 2 entries in the stack #assert len(cipher_stack) == 1, len(cipher_stack) - assert s.get_cipher_list() == 'EXP-RC4-MD5', s.get_cipher_list() + assert s.get_cipher_list() == 'AES128-SHA', s.get_cipher_list() # Test Cipher_Stack iterator i = 0 for cipher in cipher_stack: i += 1 - assert cipher.name() == 'EXP-RC4-MD5', '"%s"' % cipher.name() - self.assertEqual('EXP-RC4-MD5-40', str(cipher)) + assert cipher.name() == 'AES128-SHA', '"%s"' % cipher.name() + self.assertEqual('AES128-SHA-128', str(cipher)) # For some reason there are 2 entries in the stack #assert i == 1, i self.assertEqual(i, len(cipher_stack)) diff --git a/tests/test_x509.py b/tests/test_x509.py index 3904741..49df9c4 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -36,7 +36,7 @@ class X509TestCase(unittest.TestCase): extstack.push(ext2) x.add_extensions(extstack) self.assertRaises(ValueError, x.sign, pk, 'sha513') - x.sign(pk,'md5') + x.sign(pk,'sha1') assert x.verify(pk) pk2 = x.get_pubkey() assert x.verify(pk2) @@ -148,7 +148,7 @@ class X509TestCase(unittest.TestCase): self.assert_(n[10]) def test_mkreq(self): - (req, _) = self.mkreq(512) + (req, _) = self.mkreq(1024) req.save_pem('tests/tmp_request.pem') req2 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') @@ -176,7 +176,7 @@ class X509TestCase(unittest.TestCase): def test_mkcert(self): - req, pk = self.mkreq(512) + req, pk = self.mkreq(1024) pkey = req.get_pubkey() assert(req.verify(pkey)) sub = req.get_subject() @@ -229,7 +229,7 @@ class X509TestCase(unittest.TestCase): self.assertRaises(AttributeError, cert.check_ca) def mkcacert(self): - req, pk = self.mkreq(512, ca=1) + req, pk = self.mkreq(1024, ca=1) pkey = req.get_pubkey() sub = req.get_subject() cert = X509.X509() @@ -272,7 +272,7 @@ class X509TestCase(unittest.TestCase): def test_mkproxycert(self): cacert, pk1, pkey = self.mkcacert() - end_entity_cert_req, pk2 = self.mkreq(512) + end_entity_cert_req, pk2 = self.mkreq(1024) end_entity_cert = self.make_eecert(cacert) end_entity_cert.set_subject(end_entity_cert_req.get_subject()) end_entity_cert.set_pubkey(end_entity_cert_req.get_pubkey()) @@ -303,7 +303,7 @@ class X509TestCase(unittest.TestCase): def make_proxycert(self, eecert): proxycert = X509.X509() pk2 = EVP.PKey() - proxykey = RSA.gen_key(512, 65537, self.callback) + proxykey = RSA.gen_key(1024, 65537, self.callback) pk2.assign_rsa(proxykey) proxycert.set_pubkey(pk2) proxycert.set_version(2) |