Mercurial > trustbridge
view ui/tests/binverifytest.cpp @ 1400:e18fccc081f1
(issue182) Document applying the patch for CVE-2015-1182
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Tue, 27 Jan 2015 15:15:19 +0100 |
parents | 948f03bb5254 |
children |
line wrap: on
line source
/* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik * Software engineering by Intevation GmbH * * This file is Free Software under the GNU GPL (v>=2) * and comes with ABSOLUTELY NO WARRANTY! * See LICENSE.txt for details. */ #include "binverify.h" #include "binverifytest.h" #include "createinstallerdialog.h" #include "common.h" #include "mainwindow.h" #include <QtTest> #include <QSettings> #include <QTemporaryFile> #ifdef Q_OS_WIN # define EXE_SUFFIX ".exe" #else # define EXE_SUFFIX "" #endif #ifdef Q_OS_WIN Q_IMPORT_PLUGIN(QWindowsIntegrationPlugin) #else Q_IMPORT_PLUGIN(QXcbIntegrationPlugin) #endif /* Some general robustness checks */ void BinVerifyTest::testMiscErrors() { QVERIFY (verify_binary (NULL, 10).result != VerifyValid); QVERIFY (verify_binary ("foo", 10).result != VerifyValid); QVERIFY (verify_binary ("bar", -1).result!= VerifyValid); /* On windows the next line will check that a valid microsoft * signed executable is not valid for us (pinning). On linux * it will just fail with a read error which we tested above */ #ifdef Q_OS_WIN QVERIFY (verify_binary ("c:\\Windows\\System32\\mmc.exe", strlen("c:\\Windows\\System32\\mmc.exe")).result != VerifyInvalidCertificate); #endif QVERIFY (verify_binary ("/dev/null", strlen("/dev/null")).result != VerifyValid); } /* Check that a signature with only a different key (of the same size) * is not validated (Invalid signature because key and cert don't match)*/ void BinVerifyTest::testOtherKey() { QVERIFY(VerifyInvalidSignature == verify_binary ("fakeinst-other-key" EXE_SUFFIX, strlen("fakeinst-other-key" EXE_SUFFIX)).result); } /* Check that an invalid signature is not validated */ void BinVerifyTest::testInvalidSig() { bin_verify_result res = verify_binary ("fakeinst-invalid" EXE_SUFFIX, strlen("fakeinst-invalid" EXE_SUFFIX)); QVERIFY(VerifyValid != res.result); QVERIFY(res.fptr == NULL); } #ifdef Q_OS_WIN /* Check that a signature with a different (valid) certificate is not validated * on Linux only the key is checked not the certificate */ void BinVerifyTest::testOtherCert() { QVERIFY(VerifyInvalidCertificate == verify_binary ("fakeinst-other-cert" EXE_SUFFIX, strlen("fakeinst-other-cert" EXE_SUFFIX)).result); } #endif /* Check that no signature is not validated */ void BinVerifyTest::testNoSignature() { bin_verify_result res = verify_binary ("fakeinst" EXE_SUFFIX, strlen("fakeinst" EXE_SUFFIX)); QVERIFY(VerifyValid != res.result); QVERIFY(res.fptr == NULL); } /* Check that a valid signed executable is verified */ void BinVerifyTest::testValidBinary() { bin_verify_result res = verify_binary ("fakeinst-signed" EXE_SUFFIX, strlen("fakeinst-signed" EXE_SUFFIX)); QVERIFY (VerifyValid == res.result); QFile thefile ("fakeinst-signed" EXE_SUFFIX); #ifdef WIN32 /* Verifies the deny write open mode. But on linux we dont have it. */ QVERIFY (!thefile.open(QIODevice::ReadWrite)); #endif QVERIFY (res.fptr != NULL); fclose(res.fptr); QVERIFY (thefile.open(QIODevice::ReadWrite)); QVERIFY (res.sig_time != 0 && res.sig_time != -1); QDateTime sigDt = QDateTime::fromTime_t(res.sig_time); QVERIFY (sigDt.isValid()); qDebug() << "Signature time: " << sigDt; thefile.close(); } void BinVerifyTest::testSignatureCreation() { QSettings testsettings; testsettings.setValue("CodeSignCert", SOURCE_DIR"/data/codesign/codesigning-combined.pem"); testsettings.sync(); CreateInstallerDialog *theDialog = new CreateInstallerDialog(NULL); QString garbage = getRandomDataFile(21*1024*1024); QTemporaryFile outfile; outfile.open(); outfile.close(); bool ret = theDialog->appendTextSignatureToFile (garbage, outfile.fileName()); QVERIFY(QFile::remove(garbage)); QVERIFY(ret == true); bin_verify_result res = verify_binary (outfile.fileName().toUtf8().constData(), outfile.fileName().toUtf8().size()); QVERIFY(VerifyValid == res.result); } bool g_debug = true; QTEST_MAIN (BinVerifyTest);