Cross Reference: /netbsd-current/crypto/external/bsd/openssl/dist/test/verify_extra

Deleted Added

sdiff udiff text old ( 1.1.1.4 ) new ( 1.1.1.1 )

full compact

verify_extra_test.c (1.1.1.4)	verify_extra_test.c (1.1.1.1)
1/*	1/*
2 * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.	2 * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <openssl/crypto.h> 12#include <openssl/bio.h> 13#include <openssl/x509.h> 14#include <openssl/pem.h> 15#include <openssl/err.h>	3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdio.h> 11#include <openssl/crypto.h> 12#include <openssl/bio.h> 13#include <openssl/x509.h> 14#include <openssl/pem.h> 15#include <openssl/err.h>
16#include "testutil.h"
17	16
18static const char roots_f; 19static const char untrusted_f; 20static const char bad_f; 21static const char good_f; 22 23static X509 load_cert_pem(const char file) 24{ 25 X509 cert = NULL; 26 BIO bio = NULL; 27 28 if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) 29 return NULL; 30 if (TEST_int_gt(BIO_read_filename(bio, file), 0)) 31 (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)); 32 33 BIO_free(bio); 34 return cert; 35} 36
37static STACK_OF(X509) load_certs_from_file(const char filename) 38{ 39 STACK_OF(X509) certs; 40 BIO bio; 41 X509 x; 42 43 bio = BIO_new_file(filename, "r"); 44 --- 23 unchanged lines hidden* (view full) --- 68 } 69 } while (x != NULL); 70 71 BIO_free(bio); 72 73 return certs; 74} 75	17static STACK_OF(X509) load_certs_from_file(const char filename) 18{ 19 STACK_OF(X509) certs; 20 BIO bio; 21 X509 x; 22 23 bio = BIO_new_file(filename, "r"); 24 --- 23 unchanged lines hidden* (view full) --- 48 } 49 } while (x != NULL); 50 51 BIO_free(bio); 52 53 return certs; 54} 55
76/*-	56/*
77 * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) 78 * 79 * Chain is as follows: 80 * 81 * rootCA (self-signed) 82 * \| 83 * interCA 84 * \| --- 12 unchanged lines hidden (view full) --- 97 * (roots.pem) 98 * leaf and subinterCA are in the untrusted list (untrusted.pem) 99 * bad is the certificate being verified (bad.pem) 100 * 101 * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has 102 * CA=FALSE, and will therefore incorrectly verify bad 103 * 104 */	57 * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) 58 * 59 * Chain is as follows: 60 * 61 * rootCA (self-signed) 62 * \| 63 * interCA 64 * \| --- 12 unchanged lines hidden (view full) --- 77 * (roots.pem) 78 * leaf and subinterCA are in the untrusted list (untrusted.pem) 79 * bad is the certificate being verified (bad.pem) 80 * 81 * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has 82 * CA=FALSE, and will therefore incorrectly verify bad 83 * 84 */
105static int test_alt_chains_cert_forgery(void)	85static int test_alt_chains_cert_forgery(const char roots_f, 86 const char untrusted_f, 87 const char *bad_f)
106{ 107 int ret = 0; 108 int i; 109 X509 x = NULL; 110* STACK_OF(X509) untrusted = NULL; 111* BIO bio = NULL; 112* X509_STORE_CTX sctx = NULL; 113* X509_STORE store = NULL; 114* X509_LOOKUP lookup = NULL; 115* 116 store = X509_STORE_new(); 117 if (store == NULL) 118 goto err; 119 120 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); 121 if (lookup == NULL) 122 goto err;	88{ 89 int ret = 0; 90 int i; 91 X509 x = NULL; 92 STACK_OF(X509) untrusted = NULL; 93 BIO bio = NULL; 94 X509_STORE_CTX sctx = NULL; 95 X509_STORE store = NULL; 96 X509_LOOKUP lookup = NULL; 97 98 store = X509_STORE_new(); 99 if (store == NULL) 100 goto err; 101 102 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); 103 if (lookup == NULL) 104 goto err;
123 if (!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))	105 if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))
124 goto err; 125 126 untrusted = load_certs_from_file(untrusted_f); 127 128 if ((bio = BIO_new_file(bad_f, "r")) == NULL) 129 goto err; 130	106 goto err; 107 108 untrusted = load_certs_from_file(untrusted_f); 109 110 if ((bio = BIO_new_file(bad_f, "r")) == NULL) 111 goto err; 112
131 if ((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)	113 if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)
132 goto err; 133 134 sctx = X509_STORE_CTX_new(); 135 if (sctx == NULL) 136 goto err; 137 138 if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) 139 goto err; --- 5 unchanged lines hidden (view full) --- 145 ret = 1; 146 } 147 err: 148 X509_STORE_CTX_free(sctx); 149 X509_free(x); 150 BIO_free(bio); 151 sk_X509_pop_free(untrusted, X509_free); 152 X509_STORE_free(store);	114 goto err; 115 116 sctx = X509_STORE_CTX_new(); 117 if (sctx == NULL) 118 goto err; 119 120 if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) 121 goto err; --- 5 unchanged lines hidden (view full) --- 127 ret = 1; 128 } 129 err: 130 X509_STORE_CTX_free(sctx); 131 X509_free(x); 132 BIO_free(bio); 133 sk_X509_pop_free(untrusted, X509_free); 134 X509_STORE_free(store);
	135 if (ret != 1) 136 ERR_print_errors_fp(stderr);
153 return ret; 154} 155	137 return ret; 138} 139
156static int test_store_ctx(void)	140int main(int argc, char **argv)
157{	141{
158 X509_STORE_CTX sctx = NULL; 159* X509 x = NULL; 160* BIO bio = NULL; 161* int testresult = 0, ret;	142 CRYPTO_set_mem_debug(1); 143 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
162	144
163 bio = BIO_new_file(bad_f, "r"); 164 if (bio == NULL) 165 goto err;	145 if (argc != 4) { 146 fprintf(stderr, "usage: verify_extra_test roots.pem untrusted.pem bad.pem\n"); 147 return 1; 148 }
166	149
167 x = PEM_read_bio_X509(bio, NULL, 0, NULL); 168 if (x == NULL) 169 goto err; 170 171 sctx = X509_STORE_CTX_new(); 172 if (sctx == NULL) 173 goto err; 174 175 if (!X509_STORE_CTX_init(sctx, NULL, x, NULL)) 176 goto err; 177 178 /* Verifying a cert where we have no trusted certs should fail / 179* ret = X509_verify_cert(sctx); 180 181 if (ret == 0) { 182 /* This is the result we were expecting: Test passed / 183* testresult = 1;	150 if (!test_alt_chains_cert_forgery(argv[1], argv[2], argv[3])) { 151 fprintf(stderr, "Test alt chains cert forgery failed\n"); 152 return 1;
184 } 185	153 } 154
186 err: 187 X509_STORE_CTX_free(sctx); 188 X509_free(x); 189 BIO_free(bio); 190 return testresult; 191}	155#ifndef OPENSSL_NO_CRYPTO_MDEBUG 156 if (CRYPTO_mem_leaks_fp(stderr) <= 0) 157 return 1; 158#endif
192	159
193static int test_self_signed(const char filename, int expected) 194{ 195* X509 cert = load_cert_pem(filename); 196* STACK_OF(X509) trusted = sk_X509_new_null(); 197* X509_STORE_CTX ctx = X509_STORE_CTX_new(); 198* int ret; 199 200 ret = TEST_ptr(cert) 201 && TEST_true(sk_X509_push(trusted, cert)) 202 && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL)); 203 X509_STORE_CTX_set0_trusted_stack(ctx, trusted); 204 ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected); 205 206 X509_STORE_CTX_free(ctx); 207 sk_X509_free(trusted); 208 X509_free(cert); 209 return ret;	160 printf("PASS\n"); 161 return 0;
210}	162}
211 212static int test_self_signed_good(void) 213{ 214 return test_self_signed(good_f, 1); 215} 216 217static int test_self_signed_bad(void) 218{ 219 return test_self_signed(bad_f, 0); 220} 221 222int setup_tests(void) 223{ 224 if (!TEST_ptr(roots_f = test_get_argument(0)) 225 \|\| !TEST_ptr(untrusted_f = test_get_argument(1)) 226 \|\| !TEST_ptr(bad_f = test_get_argument(2)) 227 \|\| !TEST_ptr(good_f = test_get_argument(3))) { 228 TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n"); 229 return 0; 230 } 231 232 ADD_TEST(test_alt_chains_cert_forgery); 233 ADD_TEST(test_store_ctx); 234 ADD_TEST(test_self_signed_good); 235 ADD_TEST(test_self_signed_bad); 236 return 1; 237}