|
Packit Service |
4684c1 |
#include <config.h>
|
|
Packit Service |
4684c1 |
#include <stdint.h>
|
|
Packit Service |
4684c1 |
#include <stdio.h>
|
|
Packit Service |
4684c1 |
#include <string.h>
|
|
Packit Service |
4684c1 |
#include <utils.h>
|
|
Packit Service |
4684c1 |
#include <stdlib.h>
|
|
Packit Service |
4684c1 |
#include <gnutls/gnutls.h>
|
|
Packit Service |
4684c1 |
#include <gnutls/crypto.h>
|
|
Packit Service |
4684c1 |
#include <gnutls/abstract.h>
|
|
Packit Service |
4684c1 |
#include <gnutls/x509.h>
|
|
Packit Service |
4684c1 |
#include <assert.h>
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
unsigned audit_called = 0;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* This does check the FIPS140 override support with
|
|
Packit Service |
4684c1 |
* gnutls_fips140_set_mode().
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void tls_log_func(int level, const char *str)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
fprintf(stderr, "<%d>| %s", level, str);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void audit_log_func(gnutls_session_t session, const char *str)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
audit_called = 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
static void try_crypto(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
static uint8_t key16[16];
|
|
Packit Service |
4684c1 |
static uint8_t iv16[16];
|
|
Packit Service |
4684c1 |
gnutls_datum_t key = { key16, sizeof(key16) };
|
|
Packit Service |
4684c1 |
gnutls_datum_t iv = { iv16, sizeof(iv16) };
|
|
Packit Service |
4684c1 |
gnutls_cipher_hd_t ch;
|
|
Packit Service |
4684c1 |
gnutls_hmac_hd_t mh;
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
gnutls_x509_privkey_t privkey;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
gnutls_cipher_init(&ch, GNUTLS_CIPHER_ARCFOUR_128, &key, &iv;;
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("gnutls_cipher_init failed\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_cipher_deinit(ch);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret =
|
|
Packit Service |
4684c1 |
gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv;;
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("gnutls_cipher_init failed\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_cipher_deinit(ch);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_hmac_init(&mh, GNUTLS_MAC_MD5, key.data, key.size);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("gnutls_hmac_init failed\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_hmac_deinit(mh, NULL);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("gnutls_hmac_init failed\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_hmac_deinit(mh, NULL);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("gnutls_rnd failed\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
assert(gnutls_x509_privkey_init(&privkey) == 0);
|
|
Packit Service |
4684c1 |
ret = gnutls_x509_privkey_generate(privkey, GNUTLS_PK_RSA, 512, 0);
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("gnutls_x509_privkey_generate failed for 512-bit key\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
gnutls_x509_privkey_deinit(privkey);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void doit(void)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
int ret;
|
|
Packit Service |
4684c1 |
unsigned int mode;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
fprintf(stderr,
|
|
Packit Service |
4684c1 |
"Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n");
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_global_set_log_function(tls_log_func);
|
|
Packit Service |
4684c1 |
gnutls_global_set_audit_log_function(audit_log_func);
|
|
Packit Service |
4684c1 |
if (debug)
|
|
Packit Service |
4684c1 |
gnutls_global_set_log_level(4711);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
mode = gnutls_fips140_mode_enabled();
|
|
Packit Service |
4684c1 |
if (mode == 0) {
|
|
Packit Service |
4684c1 |
success("We are not in FIPS140 mode\n");
|
|
Packit Service |
4684c1 |
exit(77);
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ret = global_init();
|
|
Packit Service |
4684c1 |
if (ret < 0) {
|
|
Packit Service |
4684c1 |
fail("Cannot initialize library\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* switch to lax mode and check whether forbidden algorithms are accessible */
|
|
Packit Service |
4684c1 |
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, 0);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
try_crypto();
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* check whether audit log was called */
|
|
Packit Service |
4684c1 |
if (audit_called) {
|
|
Packit Service |
4684c1 |
fail("the audit function was called in lax mode!\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_fips140_set_mode(GNUTLS_FIPS140_LOG, 0);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
try_crypto();
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* check whether audit log was called */
|
|
Packit Service |
4684c1 |
if (!audit_called) {
|
|
Packit Service |
4684c1 |
fail("the audit function was not called in log mode!\n");
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_fips140_set_mode(GNUTLS_FIPS140_SELFTESTS, 0);
|
|
Packit Service |
4684c1 |
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
|
|
Packit Service |
4684c1 |
fail("switching to selftests didn't switch the lib to the expected mode\n");
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_fips140_set_mode(532, 0);
|
|
Packit Service |
4684c1 |
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
|
|
Packit Service |
4684c1 |
fail("switching to unknown mode didn't switch the lib to the expected mode\n");
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_FIPS140_SET_LAX_MODE();
|
|
Packit Service |
4684c1 |
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_LAX)
|
|
Packit Service |
4684c1 |
fail("switching to lax mode did not succeed!\n");
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNUTLS_FIPS140_SET_STRICT_MODE();
|
|
Packit Service |
4684c1 |
if (gnutls_fips140_mode_enabled() != GNUTLS_FIPS140_STRICT)
|
|
Packit Service |
4684c1 |
fail("switching to strict mode did not succeed!\n");
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
gnutls_global_deinit();
|
|
Packit Service |
4684c1 |
return;
|
|
Packit Service |
4684c1 |
}
|