Add test for CVE-2015-1793

CFLAGS= $(INCLUDES) $(CFLAG)

GENERAL=Makefile README

TEST=

TEST=verify_extra_test.c

APPS=

LIB=$(TOP)/libcrypto.a

/*

 * Written by Matt Caswell for the OpenSSL project.

 */

/* ====================================================================

 * Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in

 *    the documentation and/or other materials provided with the

 *    distribution.

 *

 * 3. All advertising materials mentioning features or use of this

 *    software must display the following acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 *

 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

 *    endorse or promote products derived from this software without

 *    prior written permission. For written permission, please contact

 *    openssl-core@openssl.org.

 *

 * 5. Products derived from this software may not be called "OpenSSL"

 *    nor may "OpenSSL" appear in their names without prior written

 *    permission of the OpenSSL Project.

 *

 * 6. Redistributions of any form whatsoever must retain the following

 *    acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

 *

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 * OF THE POSSIBILITY OF SUCH DAMAGE.

 * ====================================================================

 *

 * This product includes cryptographic software written by Eric Young

 * (eay@cryptsoft.com).  This product includes software written by Tim

 * Hudson (tjh@cryptsoft.com).

 *

 */

#include <stdio.h>

#include <openssl/crypto.h>

#include <openssl/bio.h>

#include <openssl/x509.h>

#include <openssl/pem.h>

#include <openssl/err.h>

static STACK_OF(X509) *load_certs_from_file(const char *filename)

{

    STACK_OF(X509) *certs;

    BIO *bio;

    X509 *x;

    bio = BIO_new_file(filename, "r");

    if (bio == NULL) {

        return NULL;

    }

    certs = sk_X509_new_null();

    if (certs == NULL) {

        BIO_free(bio);

        return NULL;

    }

    ERR_set_mark();

    do {

        x = PEM_read_bio_X509(bio, NULL, 0, NULL);

        if (x != NULL && !sk_X509_push(certs, x)) {

            sk_X509_pop_free(certs, X509_free);

            BIO_free(bio);

            return NULL;

        } else if (x == NULL) {

            /*

             * We probably just ran out of certs, so ignore any errors

             * generated

             */

            ERR_pop_to_mark();

        }

    } while (x != NULL);

    BIO_free(bio);

    return certs;

}

/*

 * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)

 *

 * Chain is as follows:

 *

 * rootCA (self-signed)

 *   |

 * interCA

 *   |

 * subinterCA       subinterCA (self-signed)

 *   |                   |

 * leaf ------------------

 *   |

 * bad

 *

 * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE

 * leaf and bad have CA=FALSE

 *

 * subinterCA and subinterCA (ss) have the same subject name and keys

 *

 * interCA (but not rootCA) and subinterCA (ss) are in the trusted store

 * (roots.pem)

 * leaf and subinterCA are in the untrusted list (untrusted.pem)

 * bad is the certificate being verified (bad.pem)

 *

 * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has

 * CA=FALSE, and will therefore incorrectly verify bad

 *

 */

static int test_alt_chains_cert_forgery(void)

{

    int ret = 0;

    int i;

    X509 *x = NULL;

    STACK_OF(X509) *untrusted = NULL;

    BIO *bio = NULL;

    X509_STORE_CTX *sctx = NULL;

    X509_STORE *store = NULL;

    X509_LOOKUP *lookup = NULL;

    store = X509_STORE_new();

    if (store == NULL)

        goto err;

    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());

    if (lookup == NULL)

        goto err;

    if(!X509_LOOKUP_load_file(lookup, "certs/roots.pem", X509_FILETYPE_PEM))

        goto err;

    untrusted = load_certs_from_file("certs/untrusted.pem");

    if ((bio = BIO_new_file("certs/bad.pem", "r")) == NULL)

        goto err;

    if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)

        goto err;

    sctx = X509_STORE_CTX_new();

    if (sctx == NULL)

        goto err;

    if (!X509_STORE_CTX_init(sctx, store, x, untrusted))

        goto err;

    i = X509_verify_cert(sctx);

    if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {

        /* This is the result we were expecting: Test passed */

        ret = 1;

    }

 err:

    X509_STORE_CTX_free(sctx);

    X509_free(x);

    BIO_free(bio);

    sk_X509_pop_free(untrusted, X509_free);

    X509_STORE_free(store);

    if (ret != 1)

        ERR_print_errors_fp(stderr);

    return ret;

}

int main(void)

{

    CRYPTO_malloc_debug_init();

    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);

    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    ERR_load_crypto_strings();

    OpenSSL_add_all_digests();

    if (!test_alt_chains_cert_forgery()) {

        fprintf(stderr, "Test alt chains cert forgery failed\n");

        return 1;

    }

    EVP_cleanup();

    CRYPTO_cleanup_all_ex_data();

    ERR_remove_thread_state(NULL);

    ERR_free_strings();

    CRYPTO_mem_leaks_fp(stderr);

    printf("PASS\n");

    return 0;

}

ASN1TEST=	asn1test

HEARTBEATTEST=  heartbeat_test

CONSTTIMETEST=  constant_time_test

VERIFYEXTRATEST=	verify_extra_test

TESTS=		alltests

	$(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \

	$(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \

	$(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \

	$(ASN1TEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) $(CONSTTIMETEST)$(EXE_EXT)

	$(ASN1TEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT)

# $(METHTEST)$(EXE_EXT)

	$(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \

	$(BFTEST).o  $(SSLTEST).o  $(DSATEST).o  $(EXPTEST).o $(RSATEST).o \

	$(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o \

	$(HEARTBEATTEST).o $(CONSTTIMETEST).o

	$(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o

SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \

	$(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \

	$(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \

	$(BFTEST).c  $(SSLTEST).c $(DSATEST).c   $(EXPTEST).c $(RSATEST).c \

	$(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \

	$(HEARTBEATTEST).c $(CONSTTIMETEST).c

	$(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c

EXHEADER= 

HEADER=	$(EXHEADER)

	test_enc test_x509 test_rsa test_crl test_sid \

	test_gen test_req test_pkcs7 test_verify test_dh test_dsa \

	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \

	test_jpake test_srp test_cms test_heartbeat test_constant_time

	test_jpake test_srp test_cms test_heartbeat test_constant_time test_verify_extra

test_evp:

	../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt

	@echo "Test constant time utilites"

	../util/shlib_wrap.sh ./$(CONSTTIMETEST)

test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT)

	@echo $(START) $@

	../util/shlib_wrap.sh ./$(VERIFYEXTRATEST)

lint:

	lint -DLINT $(INCLUDES) $(SRC)>fluff

$(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o

	@target=$(CONSTTIMETEST) $(BUILD_CMD)

$(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o

	@target=$(VERIFYEXTRATEST) $(BUILD_CMD)

#$(AESTEST).o: $(AESTEST).c

#	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c

ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h

ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h

ssltest.o: ../include/openssl/x509v3.h ssltest.c

verify_extra_test.o: ../include/openssl/asn1.h ../include/openssl/bio.h

verify_extra_test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h

verify_extra_test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h

verify_extra_test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h

verify_extra_test.o: ../include/openssl/err.h ../include/openssl/evp.h

verify_extra_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h

verify_extra_test.o: ../include/openssl/objects.h

verify_extra_test.o: ../include/openssl/opensslconf.h

verify_extra_test.o: ../include/openssl/opensslv.h

verify_extra_test.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h

verify_extra_test.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h

verify_extra_test.o: ../include/openssl/safestack.h ../include/openssl/sha.h

verify_extra_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h

verify_extra_test.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h

verify_extra_test.o: verify_extra_test.c

wp_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h

wp_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h

wp_test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h

-----BEGIN RSA PRIVATE KEY-----

MIIEogIBAAKCAQEAwTqNko5vQiQ5BQohPJ3sySrjT6JedjsKtt1OZ8ndR2C1asUi

HgpVO8QDHKID88Qklx6UCieeKAwIY0VzqWzTyZWTwdqTU9t8arHHJu7IcFlmWsAL

fwTmARWJmpY+K8fGnQx1Kxfi6nQJ8Whq4bcAqJ2HXzG69Wjs3Ki70ScNbQ9RUwXJ

n/FeNrsphKAv5K22zBqjWAQdYMg6vtKZAXCET8jw6OkPVnUb/QvyoBEijWt0+HBh

7wLkSUvMj/7fc88+xtvGqZPyG2Py4DdWW1stpgiZ3TTohEk84t1u5L3qQaRQmVE6

y5RMImyVY8hegC4zc6aGZDFRv8MR+gk6prcuUwIDAQABAoIBAEkz4YZwJ34rMt7R

452PRrE/ajY1EQxBeeGlHZr8QrRT0ubMIAy5ZWjq7TLfvhePaz1E/FiMgcIyLMtO

+G5rKCDqZbu/DqlqMUxKZWQ+efj2JWyj7LcGKAypGCRUXuE/IeNFYO4ecnzX0Rx/

rl4scjdu1mYd9PIb+f/ufJjT7qYtykmwlb0MbEJ25yjTC4iHzacvFLJgdXrPp8b9

ZGlVBKyuk9ZrZDC8/a4QrKt7Hp2SqqO4WqaTgM1G+cQFYuVBmj74bQhJHMmQ+Opr

5KXwBKEHMtJkq1GPVZ34W90V82d+8MJAxymuPomwRXKl1dKgnvny+0eobXkiBDcF

XCBCmIECgYEA8c/fE7Sa1vLZriw0Meq+TxU5hru4YM6OmQ+idc6diCp2U9lW+KJr

YrIRTZFcmhEGmRjAEZrdK0oFY7h5RhsZ+gTftmNZuL8WJCK9+y2DE9dB++md3oVC

PK0d4SmQKsivOTTeiK/VYFGoLc8t8Ud/anu2Q1kFdC+7cH/TrRseV4MCgYEAzJDw

MTil055rYlrAAH8ePEuONomu2MoZRRCX/tWuVvz+eIzA35mryW3OR45l5qNluQoZ

AdpVE68kBak2wIrF2oyWcF1s8VzSbAJCoqK42lKiSGVDVnr6jb69WUujCkYUZIwR

Q20QYBUUQu0JiFBU22tRgILIAK+rRah37EP4RPECgYBN3hKH1fDGpw1R+QoVyPHf

pYYQzQJiqiFhSJeYOCCiaIoSFjrbdfH+pjjMMbMQKctmIYI4KRZvijaSFiV3XeLP

kCI6KWQLCf2nRUjISa+cBAVLib88mMzrnROyHiA+psFGOrAuc/DSQ3lUxxKUT+HH

+G6I4XHQKE7Du2X+qGzs4QKBgBZyJNjRxWhF7rR5Dq4/RHsLM0yKqPPCoSkx2+ur

WJjU47sofpVKUE4mzUaOumGnNicqk3nfkgw54HL6kTZpQ7JqUKt9pNGLBM+zI8qi

njPec04MRmo7zjg1YKNmqDodXGl38QD7+5r/VRzO04fwgI8e5G98aiOhIuLezGHR

R3GRAoGAAyhwtKoC87fSGrpyZQ16UAYuqNy0fVAQtrDgRgP5Nu4esr9QxS/hWjcR

8s2P82wsR4gZna6l6vSz4awGVG4PGKnVjteAtZxok3nBHxPmRke5o7IpdObPjpQP

RJNZYbJ9G/PbYDhciEoTjVyig6Ol5BRe9stSbO7+JIxEYr7VSpA=

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

MIIDdzCCAl+gAwIBAgIJAJgwOOciuxjSMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV

BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX

aWRnaXRzIFB0eSBMdGQxDTALBgNVBAMTBGxlYWYwHhcNMTUwNzAyMTMyMDQ2WhcN

MzUwNzAyMTMyMDQ2WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0

ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNi

YWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBOo2Sjm9CJDkFCiE8

nezJKuNPol52Owq23U5nyd1HYLVqxSIeClU7xAMcogPzxCSXHpQKJ54oDAhjRXOp

bNPJlZPB2pNT23xqsccm7shwWWZawAt/BOYBFYmalj4rx8adDHUrF+LqdAnxaGrh

twConYdfMbr1aOzcqLvRJw1tD1FTBcmf8V42uymEoC/krbbMGqNYBB1gyDq+0pkB

cIRPyPDo6Q9WdRv9C/KgESKNa3T4cGHvAuRJS8yP/t9zzz7G28apk/IbY/LgN1Zb

Wy2mCJndNOiESTzi3W7kvepBpFCZUTrLlEwibJVjyF6ALjNzpoZkMVG/wxH6CTqm

ty5TAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJoH29IULbskIG8BwYp4

9yD+q7wbMB8GA1UdIwQYMBaAFBwdxP7xJUYhGU31hO4z2uXPtRl/MA0GCSqGSIb3

DQEBCwUAA4IBAQBl0tHkWMBHW6r3ywBlWWFdok04xlt2QD8eA4ywwz97t/8JgLht

OpuHO1bQtrZR6bxAgYT1+yHQnYBTfjKxFq+S9EP6nxBe94mEgizLmMv9pf7x5q+H

pfT8ejcY54E/oXlFXSbLDE1BDpfgkWll2/TIsTRJNoM2n8mytEdPqzRburwWnoFR

VchcfO968asdc9/8glSLJSNO+Wh9vQlbtcPzfbd4ZVE5E/P6drQzSwNjWvHQdswJ

ujkY1zkTP2rtVBGN4OyOfkE6enVKpt5lN6AqjEMhJ5i/yFM/jDndTrgd/JkAvyUJ

O2ELtifCd8DeSYNA9Qm8/MEUYq1xXQrGJHCE

-----END CERTIFICATE-----