diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-12 11:59:37 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-12 14:07:18 +0200 |
commit | 2dc84c06534d71890737bcdea5380a9dd810a681 (patch) | |
tree | 87d1530018e8e31ec4fab1bf530d15e2ffcebd95 | |
parent | b2efbe7ddd0fdbf2547a84b4ee4225bff5d2f3f5 (diff) | |
download | gnutls-idna-server.tar.gz |
tests: added checks to verify server understanding of UTF8 hostnamesidna-server
This verifies whether a server can understand and serve requests
which contain UTF-8 server names.
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/cert-common.h | 36 | ||||
-rw-r--r-- | tests/set_key_utf8.c | 157 | ||||
-rw-r--r-- | tests/set_x509_key_utf8.c | 185 | ||||
-rw-r--r-- | tests/utils-adv.c | 15 |
5 files changed, 393 insertions, 3 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index a9dba1046b..a5adb73146 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -111,7 +111,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ set_x509_key_file_ocsp client-fastopen rng-sigint srp \ safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \ safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \ - rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 + rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \ + set_key_utf8 set_x509_key_utf8 if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp diff --git a/tests/cert-common.h b/tests/cert-common.h index 0dcc24a5b2..5290d6a18f 100644 --- a/tests/cert-common.h +++ b/tests/cert-common.h @@ -30,6 +30,7 @@ * TLS client: cli_ca3_cert, cli_ca3_key * IPv6 server: server_ca3_localhost6_cert, server_ca3_key * IPv4 server: server_ca3_localhost_cert, server_ca3_key + * IPv4 server: server_ca3_localhost_utf8_cert, server_ca3_key - UTF8 names */ @@ -800,15 +801,50 @@ static char server_localhost6_ca3_cert_chain_pem[] = "frzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n" "-----END CERTIFICATE-----\n"; + const gnutls_datum_t server_ca3_localhost6_cert = { (void*)server_localhost6_ca3_cert_pem, sizeof(server_localhost6_ca3_cert_pem)-1 }; + const gnutls_datum_t server_ca3_localhost6_cert_chain = { (void*)server_localhost6_ca3_cert_chain_pem, sizeof(server_localhost6_ca3_cert_chain_pem)-1 }; + +/* shares server_ca3 key */ +static char server_localhost_utf8_ca3_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIEQDCCAqigAwIBAgIMV9ZyrTt30lJ2pYe6MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" + "BgNVBAMTBENBLTMwHhcNMDQwMjI5MTUyMTQyWhcNMjQwMjI5MTUyMTQxWjANMQsw\n" + "CQYDVQQGEwJHUjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANk9eJmq\n" + "LPfAu7P4Hhmcm4KmEsRfuTXk1ylqYvf715riBfJ94VIdtJqKE9q4FRwMxVsv/B+S\n" + "HFiIlEJfvCociQkrgSfloTNIMNrqkj8IjmVJuJd00MZsUuHlvwa6+F/PLLyUOMU0\n" + "3LdpuR9TbvS2fMVjmaRjBiCO439GA+qHRvwxxP7FR433Hg+5JdeYwLWve/vLgm4z\n" + "ETxnMYOFbZpArkizpBi/RYQtLmFW8HwZ0/ldDBMnDgcfmL9gRLtMQ1XZEHLNFjyE\n" + "VD1JsrlgccaizNUkiUi7Gbm/w3YiDVxbq3u3cee5lsNhEMIREyISKAHPy8RlnIWw\n" + "wuDlnsmI0pIb9/4RH0LMMlceDEFy1X0QRzYqZFPU/0l4j/FlQ6X2UqWNz63ybRSb\n" + "cCzHl25abi1xmbsV5ydomJNcP+0QbripMpa0O6gjv5f0yMd7mW9/aAglPcKgpbbh\n" + "Gfo7V9z2gIKdUCLRXoUszhdobnRf00LrrpFUQWReKHxMcDWAL2b00kysPQIDAQAB\n" + "o4GdMIGaMAwGA1UdEwEB/wQCMAAwSgYDVR0RBEMwQYISd3d3Ls69zq/Ous6/z4Iu\n" + "Y29tghvnroDkvZPkuK3mlocuzrXOvs+Ez4HOsS5jb22CDmxvY2FsaG9zdC11dGY4\n" + "MB0GA1UdDgQWBBQzneEn04vV/OsF/LXHgWlPXjvZ1jAfBgNVHSMEGDAWgBT5qIYZ\n" + "Y7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAkUgmFO2bdws049Nz\n" + "w55UaF7XxG8ER7kKzLCWgw8tuYjcIDKQ+/gD0hUuKBxCbuISdT32gfZTf+ZNKtEg\n" + "7f9Lhr935ZoDCvyYnal1ploqAOu0ZDEXz+cU+OzreJ58J95LYX2we1lPqCYz0qo0\n" + "6FeWrP6H6+azis2ee5XN+b20l/nRl3bNGZDnkl6+b3wPR6rIFaILcEZDl15SMgiW\n" + "PlzJ0s97szWAO2ywLvNPdB66ugOvJY34ivTQOkCDi9css5faN1LcwmqDAeAq4DZt\n" + "mZ8/504D1AUD9szneb2UgD9ZnPr4r45+qzE3lCtvmFGEddJ3c9zQVjnqEKljgG6S\n" + "FdlAVVfxbwoAc24kN6UUEpLiabFoL071pZt1WoHOFA68yBxnC6CO/3vfVSF9Ftg3\n" + "oUPldkvMs8+33YhojDKYXP5USoES2OPdofmq8LnTZj7c6ex+SvlRdOgHg4pd9lX2\n" + "Efwe6rFJaNbKv9C9tWpPIPHRk/YkUIe29VUQR2m7UUpToBca\n" + "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server_ca3_localhost_utf8_cert = { (void*)server_localhost_utf8_ca3_cert_pem, + sizeof(server_localhost_utf8_ca3_cert_pem)-1 +}; + /* shares server_ca3 key */ static char server_localhost_ca3_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" diff --git a/tests/set_key_utf8.c b/tests/set_key_utf8.c new file mode 100644 index 0000000000..23ee662c5e --- /dev/null +++ b/tests/set_key_utf8.c @@ -0,0 +1,157 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#if !defined(_WIN32) +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <arpa/inet.h> +#endif +#include <unistd.h> +#include <assert.h> +#include <time.h> +#include <gnutls/gnutls.h> +#include <gnutls/abstract.h> +#include <gnutls/x509.h> + +#include "cert-common.h" +#include "utils.h" + +/* Test for gnutls_certificate_set_key() + * + */ + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d>| %s", level, str); +} + +static time_t mytime(time_t * t) +{ + time_t then = 1473674242; + if (t) + *t = then; + + return then; +} + +static void auto_parse(void) +{ + gnutls_certificate_credentials_t x509_cred, clicred; + gnutls_pcert_st pcert_list[16]; + gnutls_privkey_t key; + gnutls_pcert_st second_pcert[2]; + gnutls_privkey_t second_key; + unsigned pcert_list_size; + int ret; + + /* this must be called once in the program + */ + global_init(); + + gnutls_global_set_time_function(mytime); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); + assert(gnutls_privkey_init(&key)>=0); + + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + + pcert_list_size = sizeof(pcert_list)/sizeof(pcert_list[0]); + ret = gnutls_pcert_list_import_x509_raw(pcert_list, &pcert_list_size, + &server_ca3_localhost_cert_chain, GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) { + fail("error in gnutls_pcert_list_import_x509_raw: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_privkey_import_x509_raw(key, &server_ca3_key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) { + fail("error in key import: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_certificate_set_key(x509_cred, NULL, 0, pcert_list, + pcert_list_size, key); + if (ret < 0) { + fail("error in gnutls_certificate_set_key: %s\n", gnutls_strerror(ret)); + exit(1); + } + + /* set the key with UTF8 names */ + assert(gnutls_privkey_init(&second_key)>=0); + + pcert_list_size = 2; + ret = gnutls_pcert_list_import_x509_raw(second_pcert, &pcert_list_size, + &server_ca3_localhost_utf8_cert, GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) { + fail("error in gnutls_pcert_list_import_x509_raw: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_privkey_import_x509_raw(second_key, &server_ca3_key, GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) { + fail("error in key import: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_certificate_set_key(x509_cred, NULL, 0, second_pcert, + 1, second_key); + if (ret < 0) { + fail("error in gnutls_certificate_set_key: %s\n", gnutls_strerror(ret)); + exit(1); + } + + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "www.νίκος.com", NULL, NULL, NULL); /* the DNS name of second cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "raw:www.νίκος.com", NULL, NULL, NULL); /* the DNS name of second cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "www.xn--kxawhku.com", NULL, NULL, NULL); /* the previous name in IDNA format */ + test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "raw:简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */ + + gnutls_certificate_free_credentials(x509_cred); + gnutls_certificate_free_credentials(clicred); + + gnutls_global_deinit(); + + if (debug) + success("success"); +} + +void doit(void) +{ + auto_parse(); +} diff --git a/tests/set_x509_key_utf8.c b/tests/set_x509_key_utf8.c new file mode 100644 index 0000000000..a5452ffee9 --- /dev/null +++ b/tests/set_x509_key_utf8.c @@ -0,0 +1,185 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#if !defined(_WIN32) +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <arpa/inet.h> +#endif +#include <unistd.h> +#include <assert.h> +#include <time.h> +#include <gnutls/gnutls.h> +#include <gnutls/abstract.h> +#include <gnutls/x509.h> + +#include "cert-common.h" +#include "utils.h" +#define MIN(x,y) (((x)<(y))?(x):(y)) + +/* Test for gnutls_certificate_set_x509_key() + * + */ + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d>| %s", level, str); +} + +static time_t mytime(time_t * t) +{ + time_t then = 1473674242; + if (t) + *t = then; + + return then; +} + +static void compare(const gnutls_datum_t *der, const void *ipem) +{ + gnutls_datum_t pem = {(void*)ipem, strlen((char*)ipem)}; + gnutls_datum_t new_der; + int ret; + + ret = gnutls_pem_base64_decode2("CERTIFICATE", &pem, &new_der); + if (ret < 0) { + fail("error: %s\n", gnutls_strerror(ret)); + } + + if (der->size != new_der.size || memcmp(der->data, new_der.data, der->size) != 0) { + fail("error in %d: %s\n", __LINE__, "cert don't match"); + exit(1); + } + gnutls_free(new_der.data); + return; +} + +static int import_key(gnutls_certificate_credentials_t xcred, const gnutls_datum_t *skey, const gnutls_datum_t *cert) +{ + gnutls_x509_privkey_t key; + gnutls_x509_crt_t *crt_list; + unsigned crt_list_size, idx, i; + gnutls_datum_t tcert; + int ret; + + assert(gnutls_x509_privkey_init(&key)>=0); + + ret = gnutls_x509_crt_list_import2(&crt_list, &crt_list_size, cert, GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) { + fail("error in gnutls_x509_crt_list_import2: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_x509_privkey_import(key, skey, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in key import: %s\n", gnutls_strerror(ret)); + } + + ret = gnutls_certificate_set_x509_key(xcred, crt_list, + crt_list_size, key); + if (ret < 0) { + success("error in gnutls_certificate_set_x509_key: %s\n", gnutls_strerror(ret)); + idx = ret; + goto cleanup; + } + + /* return index */ + idx = ret; + + /* verify whether the stored certificate match the ones we have */ + for (i=0;i<MIN(2, crt_list_size);i++) { + ret = gnutls_certificate_get_crt_raw(xcred, idx, i, &tcert); + if (ret < 0) { + fail("error in %d: cert: %d: %s\n", __LINE__, i, gnutls_strerror(ret)); + exit(1); + } + + compare(&tcert, cert->data+i); + } + + cleanup: + gnutls_x509_privkey_deinit(key); + for (i=0;i<crt_list_size;i++) { + gnutls_x509_crt_deinit(crt_list[i]); + } + gnutls_free(crt_list); + + return idx; +} + +void doit(void) +{ + gnutls_certificate_credentials_t x509_cred; + gnutls_certificate_credentials_t clicred; + int ret; + unsigned idx; + + /* this must be called once in the program + */ + global_init(); + + gnutls_global_set_time_function(mytime); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + + idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_cert_chain); + assert(idx == 0); + + idx = import_key(x509_cred, &server_ca3_key, &server_ca3_localhost_utf8_cert); + assert(idx == 1); + + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); + test_cli_serv(x509_cred, clicred, "NORMAL", "www.νίκος.com", NULL, NULL, NULL); /* the DNS name of second cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "raw:www.νίκος.com", NULL, NULL, NULL); /* the DNS name of second cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "www.xn--kxawhku.com", NULL, NULL, NULL); /* the previous name in IDNA format */ + test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "raw:简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */ + + gnutls_certificate_free_credentials(x509_cred); + gnutls_certificate_free_credentials(clicred); + + gnutls_global_deinit(); + + if (debug) + success("success"); +} + diff --git a/tests/utils-adv.c b/tests/utils-adv.c index 69f46c8441..8592f93e31 100644 --- a/tests/utils-adv.c +++ b/tests/utils-adv.c @@ -34,6 +34,11 @@ #include "utils.h" #include "eagain-common.h" +/* internal function */ +int _gnutls_server_name_set_raw(gnutls_session_t session, + gnutls_server_name_type_t type, + const void *name, size_t name_length); + const char *side = NULL; /* if @host is NULL certificate check is skipped */ @@ -68,8 +73,14 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred, if (ret < 0) exit(1); - if (host) - assert(gnutls_server_name_set(client, GNUTLS_NAME_DNS, host, strlen(host))>=0); + if (host) { + if (strncmp(host, "raw:", 4) == 0) { + assert(_gnutls_server_name_set_raw(client, GNUTLS_NAME_DNS, host+4, strlen(host+4))>=0); + host += 4; + } else { + assert(gnutls_server_name_set(client, GNUTLS_NAME_DNS, host, strlen(host))>=0); + } + } ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, client_cred); |