Cross Reference: /netbsd-current/crypto/external/bsd/openssl/dist/test/verify_extra

Deleted Added

sdiff udiff text old ( 1.1.1.3 ) new ( 1.1.1.1 )

full compact

verify_extra_test.c (1.1.1.3)	verify_extra_test.c (1.1.1.1)
1/*	1/*
2 * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.	2 * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <openssl/crypto.h> 12#include <openssl/bio.h> 13#include <openssl/x509.h> 14#include <openssl/pem.h> 15#include <openssl/err.h>	3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <openssl/crypto.h> 12#include <openssl/bio.h> 13#include <openssl/x509.h> 14#include <openssl/pem.h> 15#include <openssl/err.h>
16#include "testutil.h"
17	16
18static const char roots_f; 19static const char untrusted_f; 20static const char *bad_f; 21
22static STACK_OF(X509) load_certs_from_file(const char filename) 23{ 24 STACK_OF(X509) certs; 25 BIO bio; 26 X509 x; 27 28 bio = BIO_new_file(filename, "r"); 29 --- 52 unchanged lines hidden* (view full) --- 82 * (roots.pem) 83 * leaf and subinterCA are in the untrusted list (untrusted.pem) 84 * bad is the certificate being verified (bad.pem) 85 * 86 * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has 87 * CA=FALSE, and will therefore incorrectly verify bad 88 * 89 */	17static STACK_OF(X509) load_certs_from_file(const char filename) 18{ 19 STACK_OF(X509) certs; 20 BIO bio; 21 X509 x; 22 23 bio = BIO_new_file(filename, "r"); 24 --- 52 unchanged lines hidden* (view full) --- 77 * (roots.pem) 78 * leaf and subinterCA are in the untrusted list (untrusted.pem) 79 * bad is the certificate being verified (bad.pem) 80 * 81 * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has 82 * CA=FALSE, and will therefore incorrectly verify bad 83 * 84 */
90static int test_alt_chains_cert_forgery(void)	85static int test_alt_chains_cert_forgery(const char roots_f, 86 const char untrusted_f, 87 const char *bad_f)
91{ 92 int ret = 0; 93 int i; 94 X509 x = NULL; 95 STACK_OF(X509) untrusted = NULL; 96 BIO bio = NULL; 97 X509_STORE_CTX sctx = NULL; 98 X509_STORE store = NULL; 99 X509_LOOKUP lookup = NULL; 100 101 store = X509_STORE_new(); 102 if (store == NULL) 103 goto err; 104 105 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); 106 if (lookup == NULL) 107 goto err;	88{ 89 int ret = 0; 90 int i; 91 X509 x = NULL; 92 STACK_OF(X509) untrusted = NULL; 93 BIO bio = NULL; 94 X509_STORE_CTX sctx = NULL; 95 X509_STORE store = NULL; 96 X509_LOOKUP lookup = NULL; 97 98 store = X509_STORE_new(); 99 if (store == NULL) 100 goto err; 101 102 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); 103 if (lookup == NULL) 104 goto err;
108 if (!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))	105 if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))
109 goto err; 110 111 untrusted = load_certs_from_file(untrusted_f); 112 113 if ((bio = BIO_new_file(bad_f, "r")) == NULL) 114 goto err; 115	106 goto err; 107 108 untrusted = load_certs_from_file(untrusted_f); 109 110 if ((bio = BIO_new_file(bad_f, "r")) == NULL) 111 goto err; 112
116 if ((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)	113 if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)
117 goto err; 118 119 sctx = X509_STORE_CTX_new(); 120 if (sctx == NULL) 121 goto err; 122 123 if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) 124 goto err; --- 5 unchanged lines hidden (view full) --- 130 ret = 1; 131 } 132 err: 133 X509_STORE_CTX_free(sctx); 134 X509_free(x); 135 BIO_free(bio); 136 sk_X509_pop_free(untrusted, X509_free); 137 X509_STORE_free(store);	114 goto err; 115 116 sctx = X509_STORE_CTX_new(); 117 if (sctx == NULL) 118 goto err; 119 120 if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) 121 goto err; --- 5 unchanged lines hidden (view full) --- 127 ret = 1; 128 } 129 err: 130 X509_STORE_CTX_free(sctx); 131 X509_free(x); 132 BIO_free(bio); 133 sk_X509_pop_free(untrusted, X509_free); 134 X509_STORE_free(store);
	135 if (ret != 1) 136 ERR_print_errors_fp(stderr);
138 return ret; 139} 140	137 return ret; 138} 139
141static int test_store_ctx(void)	140int main(int argc, char **argv)
142{	141{
143 X509_STORE_CTX sctx = NULL; 144* X509 x = NULL; 145* BIO bio = NULL; 146* int testresult = 0, ret;	142 CRYPTO_set_mem_debug(1); 143 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
147	144
148 bio = BIO_new_file(bad_f, "r"); 149 if (bio == NULL) 150 goto err; 151 152 x = PEM_read_bio_X509(bio, NULL, 0, NULL); 153 if (x == NULL) 154 goto err; 155 156 sctx = X509_STORE_CTX_new(); 157 if (sctx == NULL) 158 goto err; 159 160 if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) 161 goto err; 162 163 /* Verifying a cert where we have no trusted certs should fail / 164* ret = X509_verify_cert(sctx); 165 166 if (ret == 0) { 167 /* This is the result we were expecting: Test passed / 168* testresult = 1;	145 if (argc != 4) { 146 fprintf(stderr, "usage: verify_extra_test roots.pem untrusted.pem bad.pem\n"); 147 return 1;
169 } 170	148 } 149
171 err: 172 X509_STORE_CTX_free(sctx); 173 X509_free(x); 174 BIO_free(bio); 175 return testresult; 176} 177 178int setup_tests(void) 179{ 180 if (!TEST_ptr(roots_f = test_get_argument(0)) 181 \|\| !TEST_ptr(untrusted_f = test_get_argument(1)) 182 \|\| !TEST_ptr(bad_f = test_get_argument(2))) { 183 TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n"); 184 return 0;	150 if (!test_alt_chains_cert_forgery(argv[1], argv[2], argv[3])) { 151 fprintf(stderr, "Test alt chains cert forgery failed\n"); 152 return 1;
185 } 186	153 } 154
187 ADD_TEST(test_alt_chains_cert_forgery); 188 ADD_TEST(test_store_ctx); 189 return 1;	155#ifndef OPENSSL_NO_CRYPTO_MDEBUG 156 if (CRYPTO_mem_leaks_fp(stderr) <= 0) 157 return 1; 158#endif 159 160 printf("PASS\n"); 161 return 0;
190}	162}