author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-05-04 10:29:10 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-05-04 10:29:10 +0000 |
commit | 79cf63e60e01484e548f7b106c440d4dc833587b (patch) | |
tree | 29f460990f351b104c8535f4724c9ef8bce532c8 | |
parent | 17b18ae08db7c31cb9aa48a3accf4a0d8152973c (diff) | |
parent | 2a0b8b4acb4e1e44d0f2a4e9bde415e874cb14d6 (diff) | |
download | gnutls-79cf63e60e01484e548f7b106c440d4dc833587b.tar.gz |
Merge branch 'tmp-openssl-suite' into 'master'
Added testsuite for TLS1.3 interoperability with openssl
Closes #228 and #427
See merge request gnutls/gnutls!621
31 files changed, 1040 insertions, 198 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index cbfd269121..b32f3f1cbc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -130,6 +130,30 @@ no-SSL-3.0.Fedora.x86_64: - build/tests/*/*.log - build/tests/suite/*/*.log +TLS1.3/interop: + stage: stage1-testing + image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD + script: + - git submodule update --init --no-fetch + - make autoreconf + - dash ./configure --disable-gcc-warnings --cache-file ./cache/config.cache --disable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile && + make -j$(nproc) + - cd devel/openssl && ./config enable-tls1_3 && make -j$(nproc) && cd ../.. + - make -C tests/suite TESTS=testcompat-tls13-openssl.sh check + tags: + - shared + except: + - tags + artifacts: + expire_in: 1 week + when: on_failure + paths: + - build/guile/tests/*.log + - build/tests/*.log + - build/*.log + - build/tests/*/*.log + - build/tests/suite/*/*.log + FIPS140-2.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD diff --git a/devel/openssl b/devel/openssl -Subproject 6b02b586c35359e338cfa151341e49aeb01590d +Subproject 25642ad29e6a2c15c10ceb5e4f029638f73a879 diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 811f84db6c..c775f4b2c1 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi 
@@ -1788,7 +1788,11 @@ A server which wants to instruct the client to re-authenticate, should call @funcref{gnutls_rehandshake} and wait for the client to re-authenticate. It is recommended to only request re-handshake when safe renegotiation is enabled for that session (see @funcref{gnutls_safe_renegotiation_status} and -the discussion in @ref{Safe renegotiation}). +the discussion in @ref{Safe renegotiation}). A server could also encounter +the GNUTLS_E_REHANDSHAKE error code while receiving data. That indicates +a client-initiated re-handshake request. In that case the server could +ignore that request, perform handshake (unsafe when done generally), or +even drop the connection. @showfuncdesc{gnutls_rehandshake} diff --git a/doc/credentials/psk-passwd.txt b/doc/credentials/psk-passwd.txt index 81b63011e8..8ebe849d35 100644 --- a/doc/credentials/psk-passwd.txt +++ b/doc/credentials/psk-passwd.txt @@ -1,2 +1,3 @@ jas:9e32cf7786321a828ef7668f09fb35db test:8a7759b3f26983c453e448060bde8981 +test32:8a7759b3f26983c453e448060bde89818a7759b3f26983c453e448060bde8981 diff --git a/doc/credentials/x509/cert-ed25519.pem b/doc/credentials/x509/cert-ed25519.pem new file mode 100644 index 0000000000..4e82cdcba9 --- /dev/null +++ b/doc/credentials/x509/cert-ed25519.pem 
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICZzCCAR+gAwIBAgIIWtnbDCIn9iYwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE
+AxMOR251VExTIFRlc3QgQ0EwIBcNMTgwNDIwMTIyMDI5WhgPOTk5OTEyMzEyMzU5
+NTlaMAAwKjAFBgMrZXADIQDzBfvpcyyM38gl9L9AeyyGm2Vmf3Xj1vR3sSG1t7WJ
+h6OBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA
+ATATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQW
+BBTjUkpznRi86b98TXHIvGYiiqs8qjAfBgNVHSMEGDAWgBRNVrdqAFjxZ5L0pnVV
+G45TAQPvzzANBgkqhkiG9w0BAQsFAAOCATEAkltD//26CvEfkpjCu+2Ol8hbg6/U
+1saz3vyBx+5QAaaAu8bTxj2b1LmnSgmrGf/N1JmEA2QDb3Cal8lXlVgt02MIXyAk
+SvUMyc5HiOWe6Km0+LW3pb2m+ADDDlHIWQ+j/3ot3DHClXwfqVT+QUnDgvLLKUWk
+vKGsAHIzIMbuRzA+Pqdkrx57cGlLdgw52PhKEYfalOEPSgxZNrYDW1cMO/0ls4+d
+WWKypJy+XE5svImmO2Zh9QvSeYQMewJXv94vYjhcH0dVZ2aFywdb62wtwEUR4JnP
+0FwJOCEJiY4cKBR0IyRBKl56ZKPYn8Gjxl3snwhdTsTzw0aY6TrjnZL3u3W1SSwK
+mtJv2hGr9szpuS0UiY+pZgYQdwY8vNVMVhsKxevyY8nllPAl6OMJM0fc/A==
+-----END CERTIFICATE-----
diff --git a/doc/credentials/x509/clicert-ed25519.pem b/doc/credentials/x509/clicert-ed25519.pem
new file mode 100644
index 0000000000..9eec2effcf
--- /dev/null
+++ b/doc/credentials/x509/clicert-ed25519.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICYjCCARqgAwIBAgIIWtncvB3mnBcwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE
+AxMOR251VExTIFRlc3QgQ0EwIBcNMTgwNDIwMTIyNzQxWhgPOTk5OTEyMzEyMzU5
+NTlaMBkxFzAVBgNVBAMTDmVkMjU1MTkgY2xpZW50MCowBQYDK2VwAyEAt+PcuzkT
+FosMmInrJTIh3lNYNGKvmeXYGanDrmPiqRGjdjB0MAwGA1UdEwEB/wQCMAAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQU5RHy
+9vhAqVaB91nr7aHKyxW4984wHwYDVR0jBBgwFoAUTVa3agBY8WeS9KZ1VRuOUwED
+788wDQYJKoZIhvcNAQELBQADggExAI8l0gXW5nUG3ykmvxvLlLkx2j3bMAuAG2jn
+6CtmWBLFSoEYlCWlUWbrvK2GRZSFc5HGvhH/+GbM4ietrfmW+Xfgy2fDBp2pH4xh
+iZgceDkCF9NI02+tyi/i+0iZxrobcfKoI2oK+WZ658+aM+IHVsLIIn5rs62sv5i3
+ak2ZBOHHYUzyszbzBz28eh169skl+pFd2RtySv+TwfX1m9e7jwiuXhFNtaegZvXa
+yfiV3htHkVLf6eZiOSIAqni1cgStSc65kS3vswHxfSJkajYhQaAqSxaBv+/zbiJc
+Le9sqsJGlWsXya2XL4bFhmct+pQ51F/oJ9iMmheZPWkYvRxznBcSBmLNCmg+LSX7
+NCsTPJ+wTg5jdK/1vIu1lV3pK3xj9DmuVyy+E8f+b2Kg7AuWYpI=
+-----END CERTIFICATE-----
diff --git a/doc/credentials/x509/clicert-rsa-pss.pem b/doc/credentials/x509/clicert-rsa-pss.pem
new file mode 100644
index 0000000000..de2d3a6a51
--- /dev/null
+++ b/doc/credentials/x509/clicert-rsa-pss.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAgqgAwIBAgIIWtncgib1CYYwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE
+AxMOR251VExTIFRlc3QgQ0EwIBcNMTgwNDIwMTIyNjQzWhgPOTk5OTEyMzEyMzU5
+NTlaMBExDzANBgNVBAMTBmNsaWVudDCCASAwCwYJKoZIhvcNAQEKA4IBDwAwggEK
+AoIBAQCzjpTr0Kg/EjW9yVmSrCOlQ2R2s4RTnDsedZddp1JAc3Smjoe2M7ZD16LF
+nu21VhLC3V7joX7xCeO4c719DD5naYNB9JKeepmZiBkPpuY4faDH2VSTkcQQOVBc
+W48kcY4yglvVSpj/NtW5i+EYp4zJTo0e7xZMNIl5XjzgeRTcL65Ni5A3brmLKVop
+T+Q3mn/UHDGN42T9pyba8vMCzP6EJ1oFK9ZZE5mvICXIAtx2fUqNv0BtdLRDcZNO
+AgcN5uhvvZgDNIBxe25adUGZE5FIVbHnpzjB8r/3Xzev6eniANDhXmN/eyhHTE7E
+VRGKQGLp8Bgjf+mc4cwNVdVUIuk5AgMBAAGjdjB0MAwGA1UdEwEB/wQCMAAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUn90q
+PpdDpwr6eLHYKX48ls2+Lm4wHwYDVR0jBBgwFoAUTVa3agBY8WeS9KZ1VRuOUwED
+788wDQYJKoZIhvcNAQELBQADggExAJCDSEb3/qGFjS/OGiWtoVu+vwyQCfK4t/V5
+L25nPOHHZX3FuyKKomHqF+T+ueZt6fRxQ3uGyUie0MfIUcRP17hAtAsrzV+34uvP
+05bmvOmKIvOeyWVfkqtuD2pXnzJXSfr3pcs6LwUyZIJedMCMVfL3T2C9YFQ/GmPk
+O3pIK0SN+TkBRnBDbg5emiDCtqzgMnhjMN+dG0jpqt0+e1579QxRruLunbBX/4Xu
+AgauWUskaJxqQsbomKFy1mLUgteDytykaEBhQdJwEPSH8USqWBxvV8p+VsE5Mrvu
+bwHyP9dV4e6aZaAs25zWIJFOJCR2a2gbdoZvTufIRpj9IDBipQFVLYsrvDPQbehE
+A8+7mm0NIzK8YCFEPEMSS7R/J0u/2ic57ePxWBGf/Elh6kOk2xc=
+-----END CERTIFICATE-----
diff --git a/doc/credentials/x509/clikey-ed25519.pem b/doc/credentials/x509/clikey-ed25519.pem
new file mode 100644
index 0000000000..40e1bc28dc
--- /dev/null
+++ b/doc/credentials/x509/clikey-ed25519.pem
@@ -0,0 +1,25 @@ +Public Key Info: + Public Key Algorithm: EdDSA (Ed25519) + Key Security Level: High (256 bits) + +curve: Ed25519 +private key: + 83:a7:5b:8d:98:cc:ba:ef:ae:59:8e:ae:fe:6f:57:6c + 5d:1a:3c:21:86:bd:72:94:c9:9a:ae:0a:3b:bc:ac:36 + + +x: + b7:e3:dc:bb:39:13:16:8b:0c:98:89:eb:25:32:21:de + 53:58:34:62:af:99:e5:d8:19:a9:c3:ae:63:e2:a9:11 + + + +Public Key PIN: + pin-sha256:kL6CIOI8mjyxqGxH125s4iip1eA8AGbystEwB6Qop1o= +Public Key ID: + sha256:90be8220e23c9a3cb1a86c47d76e6ce228a9d5e03c0066f2b2d13007a428a75a + sha1:e511f2f6f840a95681f759ebeda1cacb15b8f7ce + +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIIOnW42YzLrvrlmOrv5vV2xdGjwhhr1ylMmargo7vKw2 +-----END PRIVATE KEY----- diff --git a/doc/credentials/x509/clikey-rsa-pss.pem b/doc/credentials/x509/clikey-rsa-pss.pem new file mode 100644 index 0000000000..e22878f40d --- /dev/null +++ b/doc/credentials/x509/clikey-rsa-pss.pem 
@@ -0,0 +1,139 @@ +Public Key Info: + Public Key Algorithm: RSA-PSS + Key Security Level: Medium (2048 bits) + +modulus: + 00:b3:8e:94:eb:d0:a8:3f:12:35:bd:c9:59:92:ac:23 + a5:43:64:76:b3:84:53:9c:3b:1e:75:97:5d:a7:52:40 + 73:74:a6:8e:87:b6:33:b6:43:d7:a2:c5:9e:ed:b5:56 + 12:c2:dd:5e:e3:a1:7e:f1:09:e3:b8:73:bd:7d:0c:3e + 67:69:83:41:f4:92:9e:7a:99:99:88:19:0f:a6:e6:38 + 7d:a0:c7:d9:54:93:91:c4:10:39:50:5c:5b:8f:24:71 + 8e:32:82:5b:d5:4a:98:ff:36:d5:b9:8b:e1:18:a7:8c + c9:4e:8d:1e:ef:16:4c:34:89:79:5e:3c:e0:79:14:dc + 2f:ae:4d:8b:90:37:6e:b9:8b:29:5a:29:4f:e4:37:9a + 7f:d4:1c:31:8d:e3:64:fd:a7:26:da:f2:f3:02:cc:fe + 84:27:5a:05:2b:d6:59:13:99:af:20:25:c8:02:dc:76 + 7d:4a:8d:bf:40:6d:74:b4:43:71:93:4e:02:07:0d:e6 + e8:6f:bd:98:03:34:80:71:7b:6e:5a:75:41:99:13:91 + 48:55:b1:e7:a7:38:c1:f2:bf:f7:5f:37:af:e9:e9:e2 + 00:d0:e1:5e:63:7f:7b:28:47:4c:4e:c4:55:11:8a:40 + 62:e9:f0:18:23:7f:e9:9c:e1:cc:0d:55:d5:54:22:e9 + 39: + +public exponent: + 01:00:01: + +private exponent: + 1a:c2:6a:11:46:d4:7c:29:d3:96:88:36:70:34:75:4f + 80:de:ad:0e:0d:ef:83:fe:0f:89:08:d8:ed:41:c5:d7 + 2f:10:4f:77:8c:40:e2:ad:f3:aa:0f:77:a3:07:7e:5f + 67:69:24:66:1a:40:57:dd:d8:71:39:d6:88:97:55:89 + 85:e1:08:e8:51:1d:8b:39:ee:f6:a8:7d:7b:ab:1d:ca + 23:37:05:7d:a4:4c:7a:02:cc:f7:db:fb:cd:36:6a:31 + fd:f7:0d:86:99:0a:7a:26:8a:ed:8f:1a:29:d9:76:92 + dd:c1:0c:56:27:65:8e:02:da:f2:9f:71:f8:b9:92:22 + cc:da:41:55:be:c8:3e:7d:1c:85:33:64:dd:92:14:0a + d9:a5:cb:a1:d7:2c:f1:d2:70:b2:a1:9b:7e:c5:5c:fd + 56:1e:46:3d:d3:bd:70:2f:8b:4d:ff:e3:e7:c1:a6:09 + bd:7e:47:07:52:ed:71:47:44:b5:30:fc:15:1c:5d:8f + 36:fd:bc:fa:c1:27:9c:97:ee:18:7a:50:80:83:d4:5c + a6:10:34:e1:c3:17:db:a0:99:41:bf:26:d8:34:4d:99 + 7a:30:af:b9:d7:d7:4d:f6:5f:8c:d6:c3:bc:a6:75:90 + 37:9b:d1:0c:3b:27:e6:3d:99:9f:53:9e:3f:a5:33:bd + + +prime1: + 00:e9:f6:a0:ca:5d:68:b5:b7:a4:46:17:7e:17:a5:57 + a7:06:a8:ae:f5:e8:ff:37:bf:6a:22:58:3c:8f:1e:6f + 09:d8:c0:85:1b:e6:ae:db:01:82:9a:fd:20:55:77:59 + fa:23:a4:49:95:1e:1f:b4:79:55:3e:8b:d0:6b:14:e4 + 
ae:7c:44:46:43:3c:2a:46:8f:d5:ae:c7:81:46:3d:cf + 42:af:ff:9d:a5:64:02:bc:de:eb:45:eb:07:e3:d7:01 + 1c:e3:8b:c5:86:24:0e:fa:22:7c:91:a5:3a:3d:0c:5f + f5:24:a7:44:37:4f:0b:42:b1:02:b6:5a:83:ad:48:ff + 9b: + +prime2: + 00:c4:78:18:4d:04:68:0f:e6:6a:e2:be:48:c5:3b:da + c4:1a:ad:60:44:65:af:01:7f:8f:ec:d5:94:21:d4:5c + d2:01:57:34:34:af:20:90:7a:b9:f7:10:c0:d9:4f:41 + cc:ca:48:68:49:34:50:9d:d8:ff:ab:b5:22:38:98:9d + 46:12:7b:7e:df:2e:f9:f0:53:3d:dd:b4:47:3c:0c:98 + 0b:d2:63:b5:f8:4a:7e:d1:6d:7c:be:4f:b5:1e:a7:d0 + 18:53:eb:35:c6:39:73:1a:e3:2a:9b:10:c7:56:8b:4a + 7c:5d:91:5c:a2:ed:37:1e:1a:3f:b5:91:e2:68:17:49 + bb: + +coefficient: + 00:a5:84:6d:e2:ff:0c:ab:d4:79:a8:c6:4a:43:4e:d4 + cf:82:78:aa:ee:87:3f:a5:6f:5a:63:20:56:b9:6f:6e + ea:73:49:64:c3:47:5d:a8:04:1c:b9:c9:c7:39:40:08 + 7b:fe:f0:b5:ec:11:87:58:92:46:5f:bd:0c:44:49:b8 + b2:fa:f6:ee:d3:e8:60:b1:db:4a:bc:3a:46:fb:e9:10 + 4c:2c:9e:bf:7c:3a:eb:d7:f7:cc:e2:63:7e:40:97:71 + 14:b1:00:7f:a9:78:89:cf:95:e6:48:5a:77:56:27:40 + 28:50:69:fe:dd:80:a9:f0:80:8b:ba:a4:dd:53:6c:46 + 28: + +exp1: + 00:a3:4e:9c:03:44:da:1e:e5:35:4c:1b:7f:cf:1f:81 + 24:3b:f8:a8:4f:4b:b8:41:80:61:a3:e1:75:3b:ec:e1 + 52:bd:31:fc:77:72:38:a0:f3:d7:e7:39:42:45:85:ce + 8f:54:2b:8b:95:03:76:db:f1:49:38:24:3d:71:51:1f + 22:4f:e9:14:26:40:2b:be:1f:0d:e7:36:a8:9c:8f:ee + 48:bd:32:ae:26:50:bd:bc:79:d9:3d:6f:85:8d:5a:79 + 13:62:1d:20:dd:b5:f3:a2:53:4a:22:1b:73:a0:43:30 + 03:9b:f7:09:1d:96:15:e5:12:4b:33:5f:d0:c3:b6:cd + 7b: + +exp2: + 3b:cf:4f:9e:8a:9b:df:53:46:f0:b5:fa:d3:48:50:65 + e8:b5:25:1c:4d:54:44:81:7f:e0:1a:78:d8:ff:9c:2e + 36:48:44:d5:51:06:f9:d4:d2:ae:1b:04:8a:63:2d:65 + d9:a2:c7:54:99:bf:7c:fe:25:7f:31:4a:34:ae:89:1a + 5e:e0:07:94:8b:e9:7c:b6:ea:9b:86:99:34:f7:a4:85 + dc:cb:8c:07:05:2e:ac:34:c7:87:ec:1d:f8:32:20:10 + 77:e3:9f:e0:33:77:0e:15:5f:d0:0b:00:94:21:1d:50 + d4:ef:3e:a3:3e:d1:cb:b1:33:f9:e3:6a:68:43:c6:a7 + + +Validation parameters: + Hash: SHA384 + Seed: 158ff315e310b156af4aea0d458569e4edbbb8594bdc787cad6342e60e58557a + +Public Key 
PIN: + pin-sha256:6+wU+clGtIweqv1JStyZVU3ySSAl/K9K0Cj+CpALWwE= +Public Key ID: + sha256:ebec14f9c946b48c1eaafd494adc99554df2492025fcaf4ad028fe0a900b5b01 + sha1:9fdd2a3e9743a70afa78b1d8297e3c96cdbe2e6e + +-----BEGIN PRIVATE KEY----- +MIIE/QIBADALBgkqhkiG9w0BAQoEggSoMIIEpAIBAAKCAQEAs46U69CoPxI1vclZ +kqwjpUNkdrOEU5w7HnWXXadSQHN0po6HtjO2Q9eixZ7ttVYSwt1e46F+8QnjuHO9 +fQw+Z2mDQfSSnnqZmYgZD6bmOH2gx9lUk5HEEDlQXFuPJHGOMoJb1UqY/zbVuYvh +GKeMyU6NHu8WTDSJeV484HkU3C+uTYuQN265iylaKU/kN5p/1BwxjeNk/acm2vLz +Asz+hCdaBSvWWROZryAlyALcdn1Kjb9AbXS0Q3GTTgIHDebob72YAzSAcXtuWnVB +mRORSFWx56c4wfK/9183r+np4gDQ4V5jf3soR0xOxFURikBi6fAYI3/pnOHMDVXV +VCLpOQIDAQABAoIBABrCahFG1Hwp05aINnA0dU+A3q0ODe+D/g+JCNjtQcXXLxBP +d4xA4q3zqg93owd+X2dpJGYaQFfd2HE51oiXVYmF4QjoUR2LOe72qH17qx3KIzcF +faRMegLM99v7zTZqMf33DYaZCnomiu2PGinZdpLdwQxWJ2WOAtryn3H4uZIizNpB +Vb7IPn0chTNk3ZIUCtmly6HXLPHScLKhm37FXP1WHkY9071wL4tN/+PnwaYJvX5H +B1LtcUdEtTD8FRxdjzb9vPrBJ5yX7hh6UICD1FymEDThwxfboJlBvybYNE2ZejCv +udfXTfZfjNbDvKZ1kDeb0Qw7J+Y9mZ9Tnj+lM70CgYEA6fagyl1otbekRhd+F6VX +pwaorvXo/ze/aiJYPI8ebwnYwIUb5q7bAYKa/SBVd1n6I6RJlR4ftHlVPovQaxTk +rnxERkM8KkaP1a7HgUY9z0Kv/52lZAK83utF6wfj1wEc44vFhiQO+iJ8kaU6PQxf +9SSnRDdPC0KxArZag61I/5sCgYEAxHgYTQRoD+Zq4r5IxTvaxBqtYERlrwF/j+zV +lCHUXNIBVzQ0ryCQern3EMDZT0HMykhoSTRQndj/q7UiOJidRhJ7ft8u+fBTPd20 +RzwMmAvSY7X4Sn7RbXy+T7Uep9AYU+s1xjlzGuMqmxDHVotKfF2RXKLtNx4aP7WR +4mgXSbsCgYEAo06cA0TaHuU1TBt/zx+BJDv4qE9LuEGAYaPhdTvs4VK9Mfx3cjig +89fnOUJFhc6PVCuLlQN22/FJOCQ9cVEfIk/pFCZAK74fDec2qJyP7ki9Mq4mUL28 +edk9b4WNWnkTYh0g3bXzolNKIhtzoEMwA5v3CR2WFeUSSzNf0MO2zXsCgYA7z0+e +ipvfU0bwtfrTSFBl6LUlHE1URIF/4Bp42P+cLjZIRNVRBvnU0q4bBIpjLWXZosdU +mb98/iV/MUo0rokaXuAHlIvpfLbqm4aZNPekhdzLjAcFLqw0x4fsHfgyIBB345/g +M3cOFV/QCwCUIR1Q1O8+oz7Ry7Ez+eNqaEPGpwKBgQClhG3i/wyr1HmoxkpDTtTP +gniq7oc/pW9aYyBWuW9u6nNJZMNHXagEHLnJxzlACHv+8LXsEYdYkkZfvQxESbiy ++vbu0+hgsdtKvDpG++kQTCyev3w669f3zOJjfkCXcRSxAH+peInPleZIWndWJ0Ao +UGn+3YCp8ICLuqTdU2xGKKA/MD0GCisGAQQBkggSCAExLzAtBglghkgBZQMEAgIE +IBWP8xXjELFWr0rqDUWFaeTtu7hZS9x4fK1jQuYOWFV6 
+-----END PRIVATE KEY----- diff --git a/doc/credentials/x509/key-ed25519.pem b/doc/credentials/x509/key-ed25519.pem new file mode 100644 index 0000000000..7fedbd79bd --- /dev/null +++ b/doc/credentials/x509/key-ed25519.pem @@ -0,0 +1,25 @@ +Public Key Info: + Public Key Algorithm: EdDSA (Ed25519) + Key Security Level: High (256 bits) + +curve: Ed25519 +private key: + e5:c3:25:73:94:e8:9e:97:75:7c:78:59:f7:32:3c:82 + cf:60:90:c7:e5:b4:5f:9b:d7:a6:f8:36:0c:92:59:70 + + +x: + f3:05:fb:e9:73:2c:8c:df:c8:25:f4:bf:40:7b:2c:86 + 9b:65:66:7f:75:e3:d6:f4:77:b1:21:b5:b7:b5:89:87 + + + +Public Key PIN: + pin-sha256:7DW50qkZrEKqSrB29HkLvRoiuQAtHaaLAZKLE9s/VZ4= +Public Key ID: + sha256:ec35b9d2a919ac42aa4ab076f4790bbd1a22b9002d1da68b01928b13db3f559e + sha1:e3524a739d18bce9bf7c4d71c8bc66228aab3caa + +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIOXDJXOU6J6XdXx4WfcyPILPYJDH5bRfm9em+DYMkllw +-----END PRIVATE KEY----- diff --git a/lib/algorithms/ciphersuites.c b/lib/algorithms/ciphersuites.c index ef31a05afd..dbfcbb0c90 100644 --- a/lib/algorithms/ciphersuites.c +++ b/lib/algorithms/ciphersuites.c @@ -1487,9 +1487,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session, if (session->internals.hsk_flags & HSK_PSK_SELECTED) { if (session->key.proto.tls13.binder_prf->id != session->internals.priorities->cs.entry[j]->prf) continue; - } - - if (cred_type == GNUTLS_CRD_CERTIFICATE) { + } else if (cred_type == GNUTLS_CRD_CERTIFICATE) { ret = _gnutls_server_select_cert(session, peer_clist->entry[i]); if (ret < 0) { /* couldn't select cert with this ciphersuite */ 
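Review bot: The new `else if` in the first loop of `_gnutls_figure_common_ciphersuite` means certificate selection is skipped entirely once `HSK_PSK_SELECTED` is set, and nothing in the hunk says why. A short comment on the PSK branch would make the intent explicit, for example `/* a PSK was selected: only the binder PRF has to match, no certificate is chosen */`. The same applies to the second loop at `@@ -1532,9 +1530,7 @@`, which gets the identical change with `break` in place of `continue`. The loop bodies continue outside both hunks, so whether `cred_type` can still be `GNUTLS_CRD_CERTIFICATE` while a PSK is selected is not visible here and is worth confirming.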
@@ -1532,9 +1530,7 @@ _gnutls_figure_common_ciphersuite(gnutls_session_t session, if (session->internals.hsk_flags & HSK_PSK_SELECTED) { if (session->key.proto.tls13.binder_prf->id != session->internals.priorities->cs.entry[j]->prf) break; - } - - if (cred_type == GNUTLS_CRD_CERTIFICATE) { + } else if (cred_type == GNUTLS_CRD_CERTIFICATE) { ret = _gnutls_server_select_cert(session, peer_clist->entry[i]); if (ret < 0) { /* couldn't select cert with this ciphersuite */ diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c index f1cf4784a9..21dd6069c7 100644 --- a/lib/ext/pre_shared_key.c +++ b/lib/ext/pre_shared_key.c @@ -30,17 +30,13 @@ #include <ext/pre_shared_key.h> #include <assert.h> -typedef struct { - uint16_t selected_identity; -} psk_ext_st; - static int compute_binder_key(const mac_entry_st *prf, const uint8_t *key, size_t keylen, void *out) { int ret; - char label[] = "ext_binder"; + char label[] = "ext binder"; size_t label_len = sizeof(label) - 1; uint8_t tmp_key[MAX_HASH_SIZE]; @@ -100,23 +96,30 @@ compute_psk_binder(unsigned entity, _gnutls_write_uint16(exts_length + binders_length + 2, &handshake_buf.data[extensions_len_pos]); } else { - gnutls_buffer_append_data(&handshake_buf, - (const void *) client_hello->data, - client_hello->size - binders_length - 3); + if (unlikely(client_hello->size <= binders_length)) + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + + ret = gnutls_buffer_append_data(&handshake_buf, + (const void *) client_hello->data, + client_hello->size - binders_length); + if (ret < 0) { + gnutls_assert(); + goto error; + } } ret = compute_binder_key(prf, - psk->data, psk->size, - binder_key); + psk->data, psk->size, + binder_key); if (ret < 0) { gnutls_assert(); goto error; } - ret = _gnutls13_compute_finished(prf, - binder_key, hash_size, - &handshake_buf, - out); + ret = _gnutls13_compute_finished(prf, binder_key, + hash_size, + &handshake_buf, + out); if (ret < 0) { gnutls_assert(); goto error; 
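Review bot: The new length guard in the server branch of `compute_psk_binder` (hunk `@@ -100,23 +96,30 @@`) returns directly, while the `gnutls_buffer_append_data` failure right below it and the later failures all leave through `goto error`. If `handshake_buf` or anything else released under `error:` is set up before this branch, which the hunk does not show, the early return skips that cleanup. Writing `ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); goto error;` keeps a single exit path. The function starts and ends outside the hunk.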
@@ -311,7 +314,7 @@ static int server_recv_params(gnutls_session_t session, /* Compute the binder value for this PSK */ prf = pskcred->binder_algo; hash_size = prf->output_size; - ret = compute_psk_binder(GNUTLS_SERVER, prf, hash_size, hash_size, 0, 0, + ret = compute_psk_binder(GNUTLS_SERVER, prf, psk_parser.binder_len+2, hash_size, 0, 0, &key, &full_client_hello, binder_value); if (ret < 0) { @@ -353,6 +356,7 @@ static int server_recv_params(gnutls_session_t session, memcpy(info->username, psk.identity.data, psk.identity.size); info->username[psk.identity.size] = 0; + _gnutls_handshake_log("EXT[%p]: Selected PSK identity: %s\n", session, info->username); } session->internals.hsk_flags |= HSK_PSK_SELECTED; diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c index 872fec9fa3..4427f552c9 100644 --- a/lib/ext/psk_ke_modes.c +++ b/lib/ext/psk_ke_modes.c @@ -152,6 +152,8 @@ psk_ke_modes_recv_params(gnutls_session_t session, else if (data[i] == PSK_KE) cli_psk_pos = i; + _gnutls_handshake_log("EXT[%p]: PSK KE mode %.2x received\n", + session, (unsigned)data[i]); if (cli_psk_pos != MAX_POS && cli_dhpsk_pos != MAX_POS) break; } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index cae9d7aec7..9c9fb1533a 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -1213,7 +1213,6 @@ typedef struct { #define HSK_HRR_SENT (1<<3) #define HSK_HRR_RECEIVED (1<<4) #define HSK_CRT_REQ_SENT (1<<5) -#define HSK_CRT_REQ_GOT_SIG_ALGO (1<<6) #define HSK_KEY_UPDATE_ASKED (1<<7) /* flag is not used during handshake */ #define HSK_FALSE_START_USED (1<<8) /* TLS1.2 only */ #define HSK_HAVE_FFDHE (1<<9) /* whether the peer has advertized at least an FFDHE group */ diff --git a/lib/handshake.c b/lib/handshake.c index a530fb9a8c..18c0974ca4 100644 --- a/lib/handshake.c +++ b/lib/handshake.c 
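Review bot: The `_gnutls_handshake_log` call added to `server_recv_params` in hunk `@@ -353,6 +356,7 @@` prints `info->username` with `%s`, and that buffer was just filled from `psk.identity`, which comes from the peer. A PSK identity is an opaque byte string, so it can carry newlines or other control bytes into the handshake log, and the output stops at the first NUL. Consider logging an escaped or hex form, or at least adding a comment such as `/* identity is peer-supplied and may contain non-printable bytes */`. Whether `psk.identity.size` is bounded against the size of `info->username` before the `memcpy` is not visible in the hunk.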
@@ -1801,22 +1801,10 @@ read_server_hello(gnutls_session_t session, if (*comp_pos != 0) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - if (vers->tls13_sem) { - /* TLS 1.3 Early Secret */ - ret = _tls13_init_secret(session, NULL, 0); - if (ret < 0) - return gnutls_assert_val(ret); - - ret = _tls13_derive_secret(session, DERIVED_LABEL, sizeof(DERIVED_LABEL)-1, - NULL, 0, session->key.proto.tls13.temp_secret, - session->key.proto.tls13.temp_secret); - if (ret < 0) - return gnutls_assert_val(ret); - + if (vers->tls13_sem) ext_parse_flag |= GNUTLS_EXT_FLAG_TLS13_SERVER_HELLO; - } else { + else ext_parse_flag |= GNUTLS_EXT_FLAG_TLS12_SERVER_HELLO; - } /* Parse extensions in order. */ @@ -1852,8 +1840,8 @@ read_server_hello(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); + /* Calculate TLS 1.3 Early Secret */ if (vers->tls13_sem) { - /* TLS 1.3 Early Secret */ if (session->internals.hsk_flags & HSK_PSK_SELECTED) { psk = session->key.psk.data; psk_size = session->key.psk.size; diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c index 334052df2c..1c5bc34c61 100644 --- a/lib/tls13-sig.c +++ b/lib/tls13-sig.c @@ -142,7 +142,7 @@ _gnutls13_handshake_sign_data(gnutls_session_t session, gnutls_datum_t p; int ret; gnutls_buffer_st buf; - uint8_t prefix[PREFIX_SIZE]; + uint8_t tmp[MAX_HASH_SIZE]; if (unlikely(se == NULL || se->tls13_ok == 0)) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); 
@@ -151,17 +151,20 @@ _gnutls13_handshake_sign_data(gnutls_session_t session, return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); _gnutls_handshake_log - ("HSK[%p]: signing TLS 1.3 handshake data: using %s\n", session, se->name); + ("HSK[%p]: signing TLS 1.3 handshake data: using %s and PRF: %s\n", session, se->name, + session->security_parameters.prf->name); _gnutls_buffer_init(&buf); - memset(prefix, 0x20, sizeof(prefix)); - ret = _gnutls_buffer_append_data(&buf, prefix, sizeof(prefix)); + ret = _gnutls_buffer_resize(&buf, PREFIX_SIZE); if (ret < 0) { gnutls_assert(); goto cleanup; } + memset(buf.data, 0x20, PREFIX_SIZE); + buf.length += PREFIX_SIZE; + ret = _gnutls_buffer_append_data(&buf, context->data, context->size); if (ret < 0) { gnutls_assert(); @@ -177,13 +180,13 @@ _gnutls13_handshake_sign_data(gnutls_session_t session, ret = gnutls_hash_fast(session->security_parameters.prf->id, session->internals.handshake_hash_buffer.data, session->internals.handshake_hash_buffer.length, - prefix); + tmp); if (ret < 0) { gnutls_assert(); goto cleanup; } - ret = _gnutls_buffer_append_data(&buf, prefix, session->security_parameters.prf->output_size); + ret = _gnutls_buffer_append_data(&buf, tmp, session->security_parameters.prf->output_size); if (ret < 0) { gnutls_assert(); goto cleanup; diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c index d4abd58702..52c485aaa4 100644 --- a/lib/tls13/certificate.c +++ b/lib/tls13/certificate.c @@ -50,7 +50,7 @@ int _gnutls13_recv_certificate(gnutls_session_t session) optional = 1; } - ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT, optional, &buf); + ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_CERTIFICATE_PKT, 0, &buf); if (ret < 0) { if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET && session->internals.send_cert_req) return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); 
@@ -58,8 +58,10 @@ int _gnutls13_recv_certificate(gnutls_session_t session) return gnutls_assert_val(ret); } - if (buf.length == 0 && optional) { - return 0; + if (buf.length == 0) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto cleanup; } if (session->internals.initial_negotiation_completed && @@ -97,6 +99,8 @@ int _gnutls13_recv_certificate(gnutls_session_t session) ret = parse_cert_list(session, buf.data, buf.length); if (ret < 0) { + if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional) + ret = 0; gnutls_assert(); goto cleanup; } @@ -186,9 +190,9 @@ int append_status_request(void *_ctx, gnutls_buffer_st *buf) int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) { int ret; - gnutls_pcert_st *apr_cert_list; - gnutls_privkey_t apr_pkey; - int apr_cert_list_length; + gnutls_pcert_st *apr_cert_list = NULL; + gnutls_privkey_t apr_pkey = NULL; + int apr_cert_list_length = 0; mbuffer_st *bufel = NULL; gnutls_buffer_st buf; unsigned pos_mark, ext_pos_mark; @@ -207,19 +211,16 @@ int _gnutls13_send_certificate(gnutls_session_t session, unsigned again) return GNUTLS_E_INSUFFICIENT_CREDENTIALS; } + if (session->security_parameters.entity == GNUTLS_CLIENT && + !(session->internals.hsk_flags & HSK_CRT_ASKED)) { + return 0; + } + ret = _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey); if (ret < 0) return gnutls_assert_val(ret); - if (session->security_parameters.entity == GNUTLS_CLIENT) { - /* if we didn't get a cert request there will not be any */ - if (apr_cert_list_length == 0 || - !(session->internals.hsk_flags & HSK_CRT_ASKED)) { - return 0; - } - } - ret = _gnutls_buffer_init_handshake_mbuffer(&buf); if (ret < 0) return gnutls_assert_val(ret); 
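Review bot: In the `parse_cert_list` error block of `_gnutls13_recv_certificate` (hunk `@@ -97,6 +99,8 @@`), the accepted case of `GNUTLS_E_NO_CERTIFICATE_FOUND` with `optional` set still falls through `gnutls_assert()`, so a legitimate empty certificate list is logged like a failure. Handling it first keeps the debug log clean: `if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND && optional) { ret = 0; goto cleanup; }` placed ahead of the `gnutls_assert()`. Since `optional` is no longer passed to `_gnutls_recv_handshake` (hunk `@@ -50,7 +50,7 @@`), a one-line comment there saying that a missing Certificate message is now rejected and only an empty list is tolerated would help; that reading is inferred from the visible lines, as the function body continues outside the hunks.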
@@ -375,9 +376,8 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) } if (data == NULL || data_size == 0) { - gnutls_assert(); /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); } info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); @@ -391,17 +391,16 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) if (size != dsize) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - if (size == 0) { - gnutls_assert(); - /* no certificate was sent */ - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + if (size == 0) + return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); i = dsize; while (i > 0) { DECR_LEN(dsize, 3); len = _gnutls_read_uint24(p); + if (len == 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); DECR_LEN(dsize, len); p += len + 3; @@ -420,10 +419,10 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) if (dsize != 0) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - if (nentries == 0) { - gnutls_assert(); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + /* this is unnecessary - keeping to avoid a regression due to a re-org + * of the loop above */ + if (nentries == 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); npeer_ocsp = 0; npeer_certs = 0; @@ -482,6 +481,15 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) /* The OCSP entries match the certificate entries, although * the contents of each OCSP entry may be NULL. */ + for(j=0;j<info->ncerts;j++) + gnutls_free(info->raw_certificate_list[j].data); + gnutls_free(info->raw_certificate_list); + + for(j=0;j<info->nocsp;j++) + gnutls_free(info->raw_ocsp_list[j].data); + gnutls_free(info->raw_ocsp_list); + + info->raw_certificate_list = peer_certs; info->ncerts = npeer_certs; 
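Review bot: The comment `/* no certificate was sent */` at the top of `parse_cert_list` now sits above `return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);` and no longer describes it: empty input is treated as a malformed message, while the no-certificate case is the `size == 0` check further down. Update it to something like `/* an empty message is malformed; an empty list is handled below */`. In the last hunk of this file (`@@ -482,6 +481,15 @@`), a comment such as `/* release the lists kept from a previous authentication before replacing them */` above the new free loops would explain why `info` may already hold certificates. That reading is inferred from the post-handshake authentication changes elsewhere in the commit, and the function continues outside the hunks.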
diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c index 293cc38dcf..09fb56d0bd 100644 --- a/lib/tls13/certificate_request.c +++ b/lib/tls13/certificate_request.c @@ -37,6 +37,7 @@ typedef struct crt_req_ctx_st { gnutls_session_t session; + unsigned got_sig_algo; gnutls_pk_algorithm_t pk_algos[MAX_ALGOS]; unsigned pk_algos_length; const uint8_t *rdn; /* pointer inside the message buffer */ @@ -71,10 +72,10 @@ int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data, unsig /* signature algorithms; let's use it to decide the certificate to use */ unsigned i; - if (session->internals.hsk_flags & HSK_CRT_REQ_GOT_SIG_ALGO) + if (ctx->got_sig_algo) return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); - session->internals.hsk_flags |= HSK_CRT_REQ_GOT_SIG_ALGO; + ctx->got_sig_algo = 1; if (data_size < 2) return gnutls_assert_val(GNUTLS_E_TLS_PACKET_DECODING_ERROR); @@ -167,6 +168,10 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff goto cleanup; } + /* The "signature_algorithms" extension MUST be specified */ + if (!ctx.got_sig_algo) + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); + session->internals.hsk_flags |= HSK_CRT_ASKED; ret = _gnutls_select_client_cert(session, ctx.rdn, ctx.rdn_size, diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index 33318ca1cf..0a3fe7e9de 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -35,6 +35,11 @@ static const gnutls_datum_t srv_ctx = { (void*)SRV_CTX, sizeof(SRV_CTX)-1 }; +#define CLI_CTX "TLS 1.3, client CertificateVerify" +static const gnutls_datum_t cli_ctx = { + (void*)CLI_CTX, sizeof(CLI_CTX)-1 +}; + int _gnutls13_recv_certificate_verify(gnutls_session_t session) { int ret; 
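Review bot: The new mandatory-extension check in `_gnutls13_recv_certificate_request_int` (hunk `@@ -167,6 +168,10 @@`) returns directly, although the failure immediately above it leaves through `goto cleanup`. If `cleanup:` releases anything acquired earlier in the function, which the hunk does not show, this path skips it; `ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); goto cleanup;` would match the surrounding code. The check also relies on `ctx.got_sig_algo` starting at zero, so confirm that `ctx` is zero-initialised before the extensions are parsed, now that the flag lives in `crt_req_ctx_st` instead of `hsk_flags`.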
@@ -45,6 +50,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) unsigned vflags; gnutls_pcert_st peer_cert; cert_auth_info_t info = _gnutls_get_auth_info(session, GNUTLS_CRD_CERTIFICATE); + bool server = 0; memset(&peer_cert, 0, sizeof(peer_cert)); @@ -53,6 +59,9 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) if (!(session->internals.hsk_flags & HSK_CRT_VRFY_EXPECTED)) return 0; + if (session->security_parameters.entity == GNUTLS_SERVER) + server = 1; + cred = (gnutls_certificate_credentials_t) _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE); if (unlikely(cred == NULL)) @@ -79,10 +88,10 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) goto cleanup; } - if (session->security_parameters.entity == GNUTLS_CLIENT) - gnutls_sign_algorithm_set_server(session, se->id); - else + if (server) gnutls_sign_algorithm_set_client(session, se->id); + else + gnutls_sign_algorithm_set_server(session, se->id); buf.data+=2; buf.length-=2; @@ -110,7 +119,9 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) vflags = cred->verify_flags | session->internals.additional_verify_flags; - ret = _gnutls13_handshake_verify_data(session, vflags, &peer_cert, &srv_ctx, &sig_data, se); + ret = _gnutls13_handshake_verify_data(session, vflags, &peer_cert, + server?(&cli_ctx):(&srv_ctx), + &sig_data, se); if (ret < 0) { gnutls_assert(); goto cleanup; 
@@ -140,18 +151,22 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) gnutls_datum_t sig = {NULL, 0}; gnutls_sign_algorithm_t algo; const gnutls_sign_entry_st *se; + bool server = 0; if (again == 0) { if (session->internals.hsk_flags & HSK_PSK_SELECTED) return 0; + if (session->security_parameters.entity == GNUTLS_SERVER) + server = 1; + ret = _gnutls_get_selected_cert(session, &apr_cert_list, &apr_cert_list_length, &apr_pkey); if (ret < 0) return gnutls_assert_val(ret); if (apr_cert_list_length == 0) { - if (session->security_parameters.entity == GNUTLS_SERVER) { + if (server) { return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); } else { /* if we didn't get a cert request there will not be any */ @@ -166,14 +181,16 @@ int _gnutls13_send_certificate_verify(gnutls_session_t session, unsigned again) if (algo == GNUTLS_SIGN_UNKNOWN) return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY); - if (session->security_parameters.entity == GNUTLS_SERVER) + if (server) gnutls_sign_algorithm_set_server(session, algo); else gnutls_sign_algorithm_set_client(session, algo); se = _gnutls_sign_to_entry(algo); - ret = _gnutls13_handshake_sign_data(session, &apr_cert_list[0], apr_pkey, &srv_ctx, &sig, se); + ret = _gnutls13_handshake_sign_data(session, &apr_cert_list[0], apr_pkey, + server?(&srv_ctx):(&cli_ctx), + &sig, se); if (ret < 0) return gnutls_assert_val(ret); diff --git a/lib/tls13/post_handshake.c b/lib/tls13/post_handshake.c index 39ae680ab9..9543ca896e 100644 --- a/lib/tls13/post_handshake.c +++ b/lib/tls13/post_handshake.c 
@@ -204,7 +204,9 @@ int _gnutls13_reauth_server(gnutls_session_t session) * @flags: must be zero * * This function performs the post-handshake authentication - * for TLS 1.3. + * for TLS 1.3. The post-handshake authentication is initiated by the server + * by calling this function. Clients respond when %GNUTLS_E_REAUTH_REQUEST + * has been seen while receiving data. * * The non-fatal errors expected by this function are: * %GNUTLS_E_INTERRUPTED, %GNUTLS_E_AGAIN, as well as diff --git a/src/cli-args.c.bak b/src/cli-args.c.bak index 9544d88290..71fa75cc4a 100644 --- a/src/cli-args.c.bak +++ b/src/cli-args.c.bak @@ -63,7 +63,7 @@ extern FILE * option_usage_fp; /** * static const strings for gnutls-cli options */ -static char const gnutls_cli_opt_strs[4929] = +static char const gnutls_cli_opt_strs[5090] = /* 0 */ "gnutls-cli @VERSION@\n" "Copyright (C) 2000-@YEAR@ Free Software Foundation, and others, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" 
@@ -234,34 +234,40 @@ static char const gnutls_cli_opt_strs[4929] = /* 3994 */ "Disable all the TLS extensions\0" /* 4025 */ "DISABLE_EXTENSIONS\0" /* 4044 */ "disable-extensions\0" -/* 4063 */ "Inline commands of the form ^<cmd>^\0" -/* 4099 */ "INLINE_COMMANDS\0" -/* 4115 */ "inline-commands\0" -/* 4131 */ "Change the default delimiter for inline commands.\0" -/* 4181 */ "INLINE_COMMANDS_PREFIX\0" -/* 4204 */ "inline-commands-prefix\0" -/* 4227 */ "Specify the PKCS #11 provider library\0" -/* 4265 */ "PROVIDER\0" -/* 4274 */ "provider\0" -/* 4283 */ "Reports the status of the FIPS140-2 mode in gnutls library\0" -/* 4342 */ "FIPS140_MODE\0" -/* 4355 */ "fips140-mode\0" -/* 4368 */ "display extended usage information and exit\0" -/* 4412 */ "help\0" -/* 4417 */ "extended usage information passed thru pager\0" -/* 4462 */ "more-help\0" -/* 4472 */ "output version information and exit\0" -/* 4508 */ "version\0" -/* 4516 */ "GNUTLS_CLI\0" -/* 4527 */ "gnutls-cli - GnuTLS client\n" +/* 4063 */ "Send a single key share under TLS1.3\0" +/* 4100 */ "SINGLE_KEY_SHARE\0" +/* 4117 */ "single-key-share\0" +/* 4134 */ "Enable post-handshake authentication under TLS1.3\0" +/* 4184 */ "POST_HANDSHAKE_AUTH\0" +/* 4204 */ "post-handshake-auth\0" +/* 4224 */ "Inline commands of the form ^<cmd>^\0" +/* 4260 */ "INLINE_COMMANDS\0" +/* 4276 */ "inline-commands\0" +/* 4292 */ "Change the default delimiter for inline commands.\0" +/* 4342 */ "INLINE_COMMANDS_PREFIX\0" +/* 4365 */ "inline-commands-prefix\0" +/* 4388 */ "Specify the PKCS #11 provider library\0" +/* 4426 */ "PROVIDER\0" +/* 4435 */ "provider\0" +/* 4444 */ "Reports the status of the FIPS140-2 mode in gnutls library\0" +/* 4503 */ "FIPS140_MODE\0" +/* 4516 */ "fips140-mode\0" +/* 4529 */ "display extended usage information and exit\0" +/* 4573 */ "help\0" +/* 4578 */ "extended usage information passed thru pager\0" +/* 4623 */ "more-help\0" +/* 4633 */ "output version information and exit\0" +/* 4669 */ "version\0" +/* 4677 
*/ "GNUTLS_CLI\0" +/* 4688 */ "gnutls-cli - GnuTLS client\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [hostname]\n\0" -/* 4623 */ "@PACKAGE_BUGREPORT@\0" -/* 4643 */ "\n\0" -/* 4645 */ "Simple client program to set up a TLS connection to some other computer. It\n" +/* 4784 */ "@PACKAGE_BUGREPORT@\0" +/* 4804 */ "\n\0" +/* 4806 */ "Simple client program to set up a TLS connection to some other computer. It\n" "sets up a TLS connection and forwards data from the standard input to the\n" "secured socket and vice versa.\n\0" -/* 4828 */ "gnutls-cli @VERSION@\0" -/* 4849 */ "Usage: gnutls-cli [options] hostname\n" +/* 4989 */ "gnutls-cli @VERSION@\0" +/* 5010 */ "Usage: gnutls-cli [options] hostname\n" "gnutls-cli --help for usage instructions.\n"; /** 
@@ -935,14 +941,38 @@ static int const aListCantList[] = { #define DISABLE_EXTENSIONS_FLAGS (OPTST_DISABLED) /** + * single-key-share option description: + */ +/** Descriptive text for the single-key-share option */ +#define SINGLE_KEY_SHARE_DESC (gnutls_cli_opt_strs+4063) +/** Upper-cased name for the single-key-share option */ +#define SINGLE_KEY_SHARE_NAME (gnutls_cli_opt_strs+4100) +/** Name string for the single-key-share option */ +#define SINGLE_KEY_SHARE_name (gnutls_cli_opt_strs+4117) +/** Compiled in flag settings for the single-key-share option */ +#define SINGLE_KEY_SHARE_FLAGS (OPTST_DISABLED) + +/** + * post-handshake-auth option description: + */ +/** Descriptive text for the post-handshake-auth option */ +#define POST_HANDSHAKE_AUTH_DESC (gnutls_cli_opt_strs+4134) +/** Upper-cased name for the post-handshake-auth option */ +#define POST_HANDSHAKE_AUTH_NAME (gnutls_cli_opt_strs+4184) +/** Name string for the post-handshake-auth option */ +#define POST_HANDSHAKE_AUTH_name (gnutls_cli_opt_strs+4204) +/** Compiled in flag settings for the post-handshake-auth option */ +#define POST_HANDSHAKE_AUTH_FLAGS (OPTST_DISABLED) + +/** * inline-commands option description: */ /** Descriptive text for the inline-commands option */ -#define INLINE_COMMANDS_DESC (gnutls_cli_opt_strs+4063) +#define INLINE_COMMANDS_DESC (gnutls_cli_opt_strs+4224) /** Upper-cased name for the inline-commands option */ -#define INLINE_COMMANDS_NAME (gnutls_cli_opt_strs+4099) +#define INLINE_COMMANDS_NAME (gnutls_cli_opt_strs+4260) /** Name string for the inline-commands option */ -#define INLINE_COMMANDS_name (gnutls_cli_opt_strs+4115) +#define INLINE_COMMANDS_name (gnutls_cli_opt_strs+4276) /** Compiled in flag settings for the inline-commands option */ #define INLINE_COMMANDS_FLAGS (OPTST_DISABLED) 
@@ -950,11 +980,11 @@ static int const aListCantList[] = { * inline-commands-prefix option description: */ /** Descriptive text for the inline-commands-prefix option */ -#define INLINE_COMMANDS_PREFIX_DESC (gnutls_cli_opt_strs+4131) +#define INLINE_COMMANDS_PREFIX_DESC (gnutls_cli_opt_strs+4292) /** Upper-cased name for the inline-commands-prefix option */ -#define INLINE_COMMANDS_PREFIX_NAME (gnutls_cli_opt_strs+4181) +#define INLINE_COMMANDS_PREFIX_NAME (gnutls_cli_opt_strs+4342) /** Name string for the inline-commands-prefix option */ -#define INLINE_COMMANDS_PREFIX_name (gnutls_cli_opt_strs+4204) +#define INLINE_COMMANDS_PREFIX_name (gnutls_cli_opt_strs+4365) /** Compiled in flag settings for the inline-commands-prefix option */ #define INLINE_COMMANDS_PREFIX_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) @@ -963,11 +993,11 @@ static int const aListCantList[] = { * provider option description: */ /** Descriptive text for the provider option */ -#define PROVIDER_DESC (gnutls_cli_opt_strs+4227) +#define PROVIDER_DESC (gnutls_cli_opt_strs+4388) /** Upper-cased name for the provider option */ -#define PROVIDER_NAME (gnutls_cli_opt_strs+4265) +#define PROVIDER_NAME (gnutls_cli_opt_strs+4426) /** Name string for the provider option */ -#define PROVIDER_name (gnutls_cli_opt_strs+4274) +#define PROVIDER_name (gnutls_cli_opt_strs+4435) /** Compiled in flag settings for the provider option */ #define PROVIDER_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) 
@@ -976,22 +1006,22 @@ static int const aListCantList[] = { * fips140-mode option description: */ /** Descriptive text for the fips140-mode option */ -#define FIPS140_MODE_DESC (gnutls_cli_opt_strs+4283) +#define FIPS140_MODE_DESC (gnutls_cli_opt_strs+4444) /** Upper-cased name for the fips140-mode option */ -#define FIPS140_MODE_NAME (gnutls_cli_opt_strs+4342) +#define FIPS140_MODE_NAME (gnutls_cli_opt_strs+4503) /** Name string for the fips140-mode option */ -#define FIPS140_MODE_name (gnutls_cli_opt_strs+4355) +#define FIPS140_MODE_name (gnutls_cli_opt_strs+4516) /** Compiled in flag settings for the fips140-mode option */ #define FIPS140_MODE_FLAGS (OPTST_DISABLED) /* * Help/More_Help/Version option descriptions: */ -#define HELP_DESC (gnutls_cli_opt_strs+4368) -#define HELP_name (gnutls_cli_opt_strs+4412) +#define HELP_DESC (gnutls_cli_opt_strs+4529) +#define HELP_name (gnutls_cli_opt_strs+4573) #ifdef HAVE_WORKING_FORK -#define MORE_HELP_DESC (gnutls_cli_opt_strs+4417) -#define MORE_HELP_name (gnutls_cli_opt_strs+4462) +#define MORE_HELP_DESC (gnutls_cli_opt_strs+4578) +#define MORE_HELP_name (gnutls_cli_opt_strs+4623) #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT) #else #define MORE_HELP_DESC HELP_DESC @@ -1004,8 +1034,8 @@ static int const aListCantList[] = { # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT) #endif -#define VER_DESC (gnutls_cli_opt_strs+4472) -#define VER_name (gnutls_cli_opt_strs+4508) +#define VER_DESC (gnutls_cli_opt_strs+4633) +#define VER_name (gnutls_cli_opt_strs+4669) /** * Declare option callback procedures */ 
@@ -1638,8 +1668,32 @@ static tOptDesc optDesc[OPTION_CT] = { /* desc, NAME, name */ DISABLE_EXTENSIONS_DESC, DISABLE_EXTENSIONS_NAME, DISABLE_EXTENSIONS_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 51, VALUE_OPT_INLINE_COMMANDS, - /* equiv idx, value */ 51, VALUE_OPT_INLINE_COMMANDS, + { /* entry idx, value */ 51, VALUE_OPT_SINGLE_KEY_SHARE, + /* equiv idx, value */ 51, VALUE_OPT_SINGLE_KEY_SHARE, + /* equivalenced to */ NO_EQUIVALENT, + /* min, max, act ct */ 0, 1, 0, + /* opt state flags */ SINGLE_KEY_SHARE_FLAGS, 0, + /* last opt argumnt */ { NULL }, /* --single-key-share */ + /* arg list/cookie */ NULL, + /* must/cannot opts */ NULL, NULL, + /* option proc */ NULL, + /* desc, NAME, name */ SINGLE_KEY_SHARE_DESC, SINGLE_KEY_SHARE_NAME, SINGLE_KEY_SHARE_name, + /* disablement strs */ NULL, NULL }, + + { /* entry idx, value */ 52, VALUE_OPT_POST_HANDSHAKE_AUTH, + /* equiv idx, value */ 52, VALUE_OPT_POST_HANDSHAKE_AUTH, + /* equivalenced to */ NO_EQUIVALENT, + /* min, max, act ct */ 0, 1, 0, + /* opt state flags */ POST_HANDSHAKE_AUTH_FLAGS, 0, + /* last opt argumnt */ { NULL }, /* --post-handshake-auth */ + /* arg list/cookie */ NULL, + /* must/cannot opts */ NULL, NULL, + /* option proc */ NULL, + /* desc, NAME, name */ POST_HANDSHAKE_AUTH_DESC, POST_HANDSHAKE_AUTH_NAME, POST_HANDSHAKE_AUTH_name, + /* disablement strs */ NULL, NULL }, + + { /* entry idx, value */ 53, VALUE_OPT_INLINE_COMMANDS, + /* equiv idx, value */ 53, VALUE_OPT_INLINE_COMMANDS, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, /* opt state flags */ INLINE_COMMANDS_FLAGS, 0, 
@@ -1650,8 +1704,8 @@ static tOptDesc optDesc[OPTION_CT] = { /* desc, NAME, name */ INLINE_COMMANDS_DESC, INLINE_COMMANDS_NAME, INLINE_COMMANDS_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 52, VALUE_OPT_INLINE_COMMANDS_PREFIX, - /* equiv idx, value */ 52, VALUE_OPT_INLINE_COMMANDS_PREFIX, + { /* entry idx, value */ 54, VALUE_OPT_INLINE_COMMANDS_PREFIX, + /* equiv idx, value */ 54, VALUE_OPT_INLINE_COMMANDS_PREFIX, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, /* opt state flags */ INLINE_COMMANDS_PREFIX_FLAGS, 0, @@ -1662,8 +1716,8 @@ static tOptDesc optDesc[OPTION_CT] = { /* desc, NAME, name */ INLINE_COMMANDS_PREFIX_DESC, INLINE_COMMANDS_PREFIX_NAME, INLINE_COMMANDS_PREFIX_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 53, VALUE_OPT_PROVIDER, - /* equiv idx, value */ 53, VALUE_OPT_PROVIDER, + { /* entry idx, value */ 55, VALUE_OPT_PROVIDER, + /* equiv idx, value */ 55, VALUE_OPT_PROVIDER, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, /* opt state flags */ PROVIDER_FLAGS, 0, @@ -1674,8 +1728,8 @@ static tOptDesc optDesc[OPTION_CT] = { /* desc, NAME, name */ PROVIDER_DESC, PROVIDER_NAME, PROVIDER_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 54, VALUE_OPT_FIPS140_MODE, - /* equiv idx, value */ 54, VALUE_OPT_FIPS140_MODE, + { /* entry idx, value */ 56, VALUE_OPT_FIPS140_MODE, + /* equiv idx, value */ 56, VALUE_OPT_FIPS140_MODE, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, /* opt state flags */ FIPS140_MODE_FLAGS, 0, 
@@ -1728,21 +1782,21 @@ static tOptDesc optDesc[OPTION_CT] = { /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /** Reference to the upper cased version of gnutls-cli. */ -#define zPROGNAME (gnutls_cli_opt_strs+4516) +#define zPROGNAME (gnutls_cli_opt_strs+4677) /** Reference to the title line for gnutls-cli usage. */ -#define zUsageTitle (gnutls_cli_opt_strs+4527) +#define zUsageTitle (gnutls_cli_opt_strs+4688) /** There is no gnutls-cli configuration file. */ #define zRcName NULL /** There are no directories to search for gnutls-cli config files. */ #define apzHomeList NULL /** The gnutls-cli program bug email address. */ -#define zBugsAddr (gnutls_cli_opt_strs+4623) +#define zBugsAddr (gnutls_cli_opt_strs+4784) /** Clarification/explanation of what gnutls-cli does. */ -#define zExplain (gnutls_cli_opt_strs+4643) +#define zExplain (gnutls_cli_opt_strs+4804) /** Extra detail explaining what gnutls-cli does. */ -#define zDetail (gnutls_cli_opt_strs+4645) +#define zDetail (gnutls_cli_opt_strs+4806) /** The full version string for gnutls-cli. */ -#define zFullVersion (gnutls_cli_opt_strs+4828) +#define zFullVersion (gnutls_cli_opt_strs+4989) /* extracted from optcode.tlib near line 364 */ #if defined(ENABLE_NLS) @@ -1754,7 +1808,7 @@ static tOptDesc optDesc[OPTION_CT] = { #endif /* ENABLE_NLS */ #define gnutls_cli_full_usage (NULL) -#define gnutls_cli_short_usage (gnutls_cli_opt_strs+4849) +#define gnutls_cli_short_usage (gnutls_cli_opt_strs+5010) #endif /* not defined __doxygen__ */ @@ -2013,7 +2067,7 @@ tOptions gnutls_cliOptions = { NO_EQUIVALENT, /* '-#' option index */ NO_EQUIVALENT /* index of default opt */ }, - 58 /* full option count */, 55 /* user option count */, + 60 /* full option count */, 57 /* user option count */, gnutls_cli_full_usage, gnutls_cli_short_usage, NULL, NULL, PKGDATADIR, gnutls_cli_packager_info 
@@ -2322,6 +2376,12 @@ changed")); puts(_("Disable all the TLS extensions")); /* referenced via gnutls_cliOptions.pOptDesc->pzText */ + puts(_("Send a single key share under TLS1.3")); + + /* referenced via gnutls_cliOptions.pOptDesc->pzText */ + puts(_("Enable post-handshake authentication under TLS1.3")); + + /* referenced via gnutls_cliOptions.pOptDesc->pzText */ puts(_("Inline commands of the form ^<cmd>^")); /* referenced via gnutls_cliOptions.pOptDesc->pzText */ diff --git a/src/cli-args.def b/src/cli-args.def index e883320c61..89d4361dc4 100644 --- a/src/cli-args.def +++ b/src/cli-args.def @@ -368,6 +368,19 @@ flag = { }; flag = { + name = single-key-share; + descrip = "Send a single key share under TLS1.3"; + doc = "This option switches the default mode of sending multiple +key shares, to send a single one (the top one)."; +}; + +flag = { + name = post-handshake-auth; + descrip = "Enable post-handshake authentication under TLS1.3"; + doc = "This option enables post-handshake authentication when under TLS1.3."; +}; + +flag = { name = inline-commands; descrip = "Inline commands of the form ^<cmd>^"; doc = "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume and renegotiate."; diff --git a/src/cli-args.h.bak b/src/cli-args.h.bak index ccd5d997d3..549e687c6f 100644 --- a/src/cli-args.h.bak +++ b/src/cli-args.h.bak 
@@ -117,16 +117,18 @@ typedef enum { INDEX_OPT_RECORDSIZE = 48, INDEX_OPT_DISABLE_SNI = 49, INDEX_OPT_DISABLE_EXTENSIONS = 50, - INDEX_OPT_INLINE_COMMANDS = 51, - INDEX_OPT_INLINE_COMMANDS_PREFIX = 52, - INDEX_OPT_PROVIDER = 53, - INDEX_OPT_FIPS140_MODE = 54, - INDEX_OPT_VERSION = 55, - INDEX_OPT_HELP = 56, - INDEX_OPT_MORE_HELP = 57 + INDEX_OPT_SINGLE_KEY_SHARE = 51, + INDEX_OPT_POST_HANDSHAKE_AUTH = 52, + INDEX_OPT_INLINE_COMMANDS = 53, + INDEX_OPT_INLINE_COMMANDS_PREFIX = 54, + INDEX_OPT_PROVIDER = 55, + INDEX_OPT_FIPS140_MODE = 56, + INDEX_OPT_VERSION = 57, + INDEX_OPT_HELP = 58, + INDEX_OPT_MORE_HELP = 59 } teOptIndex; /** count of all options for gnutls-cli */ -#define OPTION_CT 58 +#define OPTION_CT 60 /** gnutls-cli version */ #define GNUTLS_CLI_VERSION "@VERSION@" /** Full gnutls-cli version text */ @@ -240,10 +242,12 @@ typedef enum { #define OPT_VALUE_RECORDSIZE (DESC(RECORDSIZE).optArg.argInt) #define VALUE_OPT_DISABLE_SNI 0x1029 #define VALUE_OPT_DISABLE_EXTENSIONS 0x102A -#define VALUE_OPT_INLINE_COMMANDS 0x102B -#define VALUE_OPT_INLINE_COMMANDS_PREFIX 0x102C -#define VALUE_OPT_PROVIDER 0x102D -#define VALUE_OPT_FIPS140_MODE 0x102E +#define VALUE_OPT_SINGLE_KEY_SHARE 0x102B +#define VALUE_OPT_POST_HANDSHAKE_AUTH 0x102C +#define VALUE_OPT_INLINE_COMMANDS 0x102D +#define VALUE_OPT_INLINE_COMMANDS_PREFIX 0x102E +#define VALUE_OPT_PROVIDER 0x102F +#define VALUE_OPT_FIPS140_MODE 0x1030 /** option flag (value) for help-value option */ #define VALUE_OPT_HELP 'h' /** option flag (value) for more-help-value option */ @@ -116,7 +116,7 @@ static gnutls_certificate_credentials_t xcred; /* prototypes */ -static void check_rehandshake(socket_st * socket, int ret); +static void check_server_cmd(socket_st * socket, int ret); static void init_global_tls_stuff(void); static int cert_verify_ocsp(gnutls_session_t session); 
@@ -714,7 +714,7 @@ static int handle_error(socket_st * hd, int err) printf("*** Received alert [%d]: %s\n", alert, str); } - check_rehandshake(hd, err); + check_server_cmd(hd, err); return ret; } @@ -805,6 +805,23 @@ static int try_rehandshake(socket_st * hd) } } +static int try_rekey(socket_st * hd) +{ + int ret; + + do { + ret = gnutls_session_key_update(hd->session, GNUTLS_KU_PEER); + } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret < 0) { + fprintf(stderr, "*** Rekey has failed: %s\n", gnutls_strerror(ret)); + return ret; + } else { + printf("- Rekey was completed\n"); + return 0; + } +} + static int try_resume(socket_st * hd) { int ret, socket_flags = 0; @@ -962,6 +979,8 @@ int run_inline_command(inline_cmds_st * cmd, socket_st * hd) switch (cmd->cmd_found) { case INLINE_COMMAND_RESUME: return try_resume(hd); + case INLINE_COMMAND_REKEY: + return try_rekey(hd); case INLINE_COMMAND_RENEGOTIATE: return try_rehandshake(hd); default: @@ -1462,6 +1481,12 @@ static void cmd_parser(int argc, char **argv) if (disable_extensions) init_flags |= GNUTLS_NO_EXTENSIONS; + if (HAVE_OPT(SINGLE_KEY_SHARE)) + init_flags |= GNUTLS_KEY_SHARE_TOP; + + if (HAVE_OPT(POST_HANDSHAKE_AUTH)) + init_flags |= GNUTLS_POST_HANDSHAKE_AUTH; + inline_commands = HAVE_OPT(INLINE_COMMANDS); if (HAVE_OPT(INLINE_COMMANDS_PREFIX)) { if (strlen(OPT_ARG(INLINE_COMMANDS_PREFIX)) > 1) { 
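Review bot: The new `INLINE_COMMAND_REKEY` case in `run_inline_command()` is not reflected in the user documentation: the `inline-commands` entry in `src/cli-args.def` still ends with "The available commands are: resume and renegotiate." Extending that sentence to `resume, rekey and renegotiate` keeps the help text in step with the dispatcher. `try_rekey()` would also benefit from a one-line comment above the `gnutls_session_key_update()` call saying what `GNUTLS_KU_PEER` requests of the peer, since the printed "Rekey was completed" message does not say whether both directions were updated.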
@@ -1554,23 +1579,35 @@ static void cmd_parser(int argc, char **argv) } } -static void check_rehandshake(socket_st * socket, int ret) +static void check_server_cmd(socket_st * socket, int ret) { - if (socket->secure && ret == GNUTLS_E_REHANDSHAKE) { - /* There is a race condition here. If application - * data is sent after the rehandshake request, - * the server thinks we ignored his request. - * This is a bad design of this client. - */ - printf("*** Received rehandshake request\n"); - /* gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ + if (socket->secure) { + if (ret == GNUTLS_E_REHANDSHAKE) { + /* There is a race condition here. If application + * data is sent after the rehandshake request, + * the server thinks we ignored his request. + * This is a bad design of this client. + */ + printf("*** Received rehandshake request\n"); + /* gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */ + + ret = do_handshake(socket); - ret = do_handshake(socket); + if (ret == 0) { + printf("*** Rehandshake was performed.\n"); + } else { + printf("*** Rehandshake Failed: %s\n", gnutls_strerror(ret)); + } + } else if (ret == GNUTLS_E_REAUTH_REQUEST) { + do { + ret = gnutls_reauth(socket->session, 0); + } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); - if (ret == 0) { - printf("*** Rehandshake was performed.\n"); - } else { - printf("*** Rehandshake Failed.\n"); + if (ret == 0) { + printf("*** Re-auth was performed.\n"); + } else { + printf("*** Re-auth failed: %s\n", gnutls_strerror(ret)); + } } } } diff --git a/src/common.c b/src/common.c index a29f558cb0..5e1b1a5582 100644 --- a/src/common.c +++ b/src/common.c 
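Review bot: The re-auth loop in the `GNUTLS_E_REAUTH_REQUEST` branch retries on every non-fatal code (`ret < 0 && gnutls_error_is_fatal(ret) == 0`), which is wider than the other retry loops in this commit: `try_rekey()` and the `**REAUTH**` handler in `src/common.c` retry only on `GNUTLS_E_AGAIN` and `GNUTLS_E_INTERRUPTED`. A non-fatal code that does not clear by calling again would make this loop spin without progress, because nothing is read or waited on between attempts. I would write `} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);` and let the existing `else` branch report anything else.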
@@ -929,6 +929,20 @@ int check_command(gnutls_session_t session, const char *str) "*** Sending rehandshake request\n"); gnutls_rehandshake(session); return 1; + } else if (strncmp + (str, "**REAUTH**", + sizeof("**REAUTH**") - 1) == 0) { + fprintf(stderr, + "*** Sending re-auth request\n"); + do { + ret = gnutls_reauth(session, 0); + } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + if (ret < 0) { + fprintf(stderr, "reauth: %s\n", + gnutls_strerror(ret)); + exit(1); + } + return 1; } else if (strncmp (str, "**HEARTBEAT**", diff --git a/src/inline_cmds.h b/src/inline_cmds.h index 5cff93362a..fd3dc48d28 100755 --- a/src/inline_cmds.h +++ b/src/inline_cmds.h @@ -40,7 +40,8 @@ */ typedef enum INLINE_COMMAND { INLINE_COMMAND_NONE, INLINE_COMMAND_RESUME, - INLINE_COMMAND_RENEGOTIATE + INLINE_COMMAND_RENEGOTIATE, + INLINE_COMMAND_REKEY } inline_command_t; #define NUM_INLINE_COMMANDS 2 @@ -66,5 +67,6 @@ struct inline_command_definitions { /* All inline commands will contain a trailing LF */ struct inline_command_definitions inline_commands_def[] = { {INLINE_COMMAND_RESUME, "^resume^\n"}, + {INLINE_COMMAND_REKEY, "^rekey^\n"}, {INLINE_COMMAND_RENEGOTIATE, "^renegotiate^\n"}, }; diff --git a/src/serv.c b/src/serv.c index b2de3dcc28..ab1a6e6c65 100644 --- a/src/serv.c +++ b/src/serv.c @@ -380,9 +380,9 @@ gnutls_session_t initialize_session(int dtls) priorities = "NORMAL"; if (dtls) - gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM); + gnutls_init(&session, GNUTLS_SERVER | GNUTLS_DATAGRAM | GNUTLS_POST_HANDSHAKE_AUTH); else - gnutls_init(&session, GNUTLS_SERVER); + gnutls_init(&session, GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH); /* allow the use of private ciphersuites. */ 
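Review bot: A failed `gnutls_reauth()` in the new `**REAUTH**` branch ends the whole process with `exit(1)`, and the command string comes from the peer: in `src/serv.c`, `get_response()` passes the received request to `check_command()`. A single session on which re-authentication cannot succeed therefore takes the server down for every other client. Reporting the error and letting the caller close only this session would contain the failure; how `check_command()` signals failure to its caller is outside the hunk, so the return value to use needs checking. Separately, nothing visible here inspects the certificate the client presents after a successful re-auth, so a comment naming where that verification happens would help.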
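Review bot: `NUM_INLINE_COMMANDS` stays at 2 in the context line below the enum in `src/inline_cmds.h`, while `inline_commands_def[]` grows to three entries with `^renegotiate^` now last. If the parser walks the table with that constant (its use is outside the hunk), the last entry is never matched and `^renegotiate^` stops being recognised. Change the line to `#define NUM_INLINE_COMMANDS 3`, or derive the count from the table with `sizeof(inline_commands_def) / sizeof(inline_commands_def[0])` so the two cannot drift apart again.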
@@ -944,8 +944,12 @@ get_response(gnutls_session_t session, char *request, strip(request); fprintf(stderr, "received: %s\n", request); if (check_command(session, request)) { - *response = NULL; - *response_length = 0; + *response = strdup("Successfully executed command\n"); + if (*response == NULL) { + fprintf(stderr, "Memory error\n"); + exit(1); + } + *response_length = strlen(*response); return; } *response = strdup(request); diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index 90ac5d00ae..582eeea674 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -86,7 +86,8 @@ nodist_libecore_la_SOURCES = ecore/src/lib/ecore_anim.c \ EXTRA_DIST += testcompat-main-polarssl testcompat-main-openssl testcompat-common -nodist_check_SCRIPTS = chain.sh \ + +scripts_to_test = chain.sh \ testrng.sh testcompat-polarssl.sh testcompat-openssl.sh \ testrandom.sh tls-fuzzer/tls-fuzzer-nocert.sh \ tls-fuzzer/tls-fuzzer-cert.sh tls-fuzzer/tls-fuzzer-alpn.sh @@ -108,7 +109,7 @@ TESTS_ENVIRONMENT += ENABLE_SSL3=1 endif if ENABLE_DANE -nodist_check_SCRIPTS += testdane.sh +scripts_to_test += testdane.sh endif if !MACOSX @@ -121,11 +122,13 @@ nodist_eagain_cli_SOURCES = mini-eagain2.c noinst_PROGRAMS = eagain-cli mini-record-timing -nodist_check_SCRIPTS += eagain.sh +scripts_to_test += eagain.sh endif endif -TESTS = $(nodist_check_SCRIPTS) prime-check +nodist_check_SCRIPTS = $(scripts_to_test) testcompat-tls13-openssl.sh + +TESTS = $(scripts_to_test) prime-check prime_check_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS) diff --git a/tests/suite/testcompat-common b/tests/suite/testcompat-common index 9028b4a400..c351662319 100644 --- a/tests/suite/testcompat-common +++ b/tests/suite/testcompat-common 
@@ -30,13 +30,31 @@ DSA_CERT="${srcdir}/../cert-tests/data/cert.dsa.1024.pem" DSA_KEY="${srcdir}/../cert-tests/data/dsa.1024.pem" -RSA_CERT="${srcdir}/../certs/cert-rsa-2432.pem" -RSA_KEY="${srcdir}/../certs/rsa-2432.pem" - CA_CERT="${srcdir}/../../doc/credentials/x509/ca.pem" CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert.pem" CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey.pem" +ECC_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-ecdsa.pem" +ECC_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-ecdsa.pem" + +RSA_PSS_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-rsa-pss.pem" +RSA_PSS_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-rsa-pss.pem" + +ED25519_CLI_CERT="${srcdir}/../../doc/credentials/x509/clicert-ed25519.pem" +ED25519_CLI_KEY="${srcdir}/../../doc/credentials/x509/clikey-ed25519.pem" + +RSA_PSS_CERT="${srcdir}/../../doc/credentials/x509/cert-rsa-pss.pem" +RSA_PSS_KEY="${srcdir}/../../doc/credentials/x509/key-rsa-pss.pem" + +RSA_CERT="${srcdir}/../../doc/credentials/x509/cert-rsa.pem" +RSA_KEY="${srcdir}/../../doc/credentials/x509/key-rsa.pem" + +ED25519_CERT="${srcdir}/../../doc/credentials/x509/cert-ed25519.pem" +ED25519_KEY="${srcdir}/../../doc/credentials/x509/key-ed25519.pem" + +ECC_CERT="${srcdir}/../../doc/credentials/x509/cert-ecc.pem" +ECC_KEY="${srcdir}/../../doc/credentials/x509/key-ecc.pem" + CA_ECC_CERT="${srcdir}/../certs/ca-cert-ecc.pem" ECC224_CERT="${srcdir}/../certs/cert-ecc.pem" ECC224_KEY="${srcdir}/../certs/ecc.pem" @@ -58,3 +76,6 @@ SERV_DSA_KEY="${srcdir}/../../doc/credentials/x509/key-dsa.pem" SERV_PSK="${srcdir}/../../doc/credentials/psk-passwd.txt" DH_PARAMS="${srcdir}/params.dh" + +PSKID=test32 +PSKKEY=8a7759b3f26983c453e448060bde89818a7759b3f26983c453e448060bde8981 diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh new file mode 100755 index 0000000000..b03e6a2111 --- /dev/null +++ b/tests/suite/testcompat-tls13-openssl.sh 
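Review bot: `PSKID` and `PSKKEY` at the end of the file introduce a fixed pre-shared key with no comment on its purpose or scope. A line above them such as `# Test-only PSK identity and key for the interop scripts; not for use outside the test suite` would mark the value as a fixture and make it easy to triage when a secret scanner flags it.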
@@ -0,0 +1,382 @@ +#!/bin/bash + +# Copyright (c) 2010-2016, Free Software Foundation, Inc. +# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos +# All rights reserved. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation and/or +# other materials provided with the distribution. +# 3. Neither the name of the copyright holder nor the names of its contributors may +# be used to endorse or promote products derived from this software without specific +# prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY +# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +abs_top_srcdir="${abs_top_srcdir:-$(pwd)/../../}" +srcdir="${srcdir:-.}" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" +unset RETCODE + +if ! 
test -x "${CLI}"; then + exit 77 +fi + +# Check for datefudge +TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null` +if test "${TSTAMP}" != "1158969600"; then + echo "You need datefudge to run this test" + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +. "${srcdir}/../scripts/common.sh" + +. "${srcdir}/testcompat-common" + +PORT="${PORT:-${RPORT}}" + +export LD_LIBRARY_PATH=${abs_top_srcdir}/devel/openssl +echo LD_LIBRARY_PATH=$LD_LIBRARY_PATH +SERV=../../devel/openssl/apps/openssl +OPENSSL_CLI="$SERV" + +if test -z "$OUTPUT";then +OUTPUT=/dev/null +fi + +>${OUTPUT} + +echo_cmd() { + tee -a ${OUTPUT} <<<$(echo $1) +} + +echo_cmd "Compatibility checks using "`${SERV} version` + +echo_cmd "#################################################" +echo_cmd "# Client mode tests (gnutls cli-openssl server) #" +echo_cmd "#################################################" + +OCIPHERSUITES="TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256" + +run_client_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + + eval "${GETPORT}" + launch_bare_server $$ s_server -ciphersuites ${OCIPHERSUITES} -groups 'X25519:P-256:X448:P-521:P-384' -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + + #AES-128-CCM + for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + done + + for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do + echo_cmd "${PREFIX}Checking TLS 1.3 with $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + done + + echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure --inline-commands <<<$(echo "^rekey^") >>${OUTPUT} || \ + fail ${PID} "Failed" + + # Try hello retry request + echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --single-key-share --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096:+GROUP-SECP256R1${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + #test PSK ciphersuites + # disabled as I do not seem to be able to connect to openssl s_server with PSK + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -psk_identity ${PSKID} -psk ${PSKKEY} -nocert + PID=$! + wait_server ${PID} + +# by default only SHA256 is supported under PSK as PRF, so we cannot try all +# ciphers; only the ones which use SHA256 PRF. + for i in AES-128-GCM;do +# plain PSK with (EC)DHE not supported by openssl +# echo_cmd "${PREFIX}Checking TLS 1.3 with PSK with ${i}..." +# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null || \ +# fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with DHE-PSK with ${i}..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+DHE-PSK:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --pskusername ${PSKID} --pskkey ${PSKKEY} </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + done + + kill ${PID} + wait + + #test client certificates + eval "${GETPORT}" + launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + for i in GROUP-SECP256R1;do + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ECC_CLI_CERT}" --x509keyfile "${ECC_CLI_KEY}" </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${ED25519_CLI_CERT}" --x509keyfile "${ED25519_CLI_KEY}" </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client cert and $i..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --insecure --x509certfile "${RSA_PSS_CLI_CERT}" --x509keyfile "${RSA_PSS_CLI_KEY}" </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + done + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..." 
+ eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ED25519_KEY}" -cert "${ED25519_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..." + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${ECC_KEY}" -cert "${ECC_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + +# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509cafile "${CA_CERT}" </dev/null >>${OUTPUT} || \ + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..." + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_PSS_KEY}" -cert "${RSA_PSS_CERT}" -CAfile "${CA_CERT}" + PID=$! 
+ wait_server ${PID} + +# ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509cafile "${CA_CERT}" </dev/null >>${OUTPUT} || \ + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --insecure </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + +} + +run_client_suite + +echo_cmd "${PREFIX}Client mode tests were successfully completed" +echo_cmd "${PREFIX}" +echo_cmd "${PREFIX}###############################################" +echo_cmd "${PREFIX}# Server mode tests (gnutls server-openssl cli#" +echo_cmd "${PREFIX}###############################################" +SERV="../../src/gnutls-serv${EXEEXT} -q" + +# Note that openssl s_client does not return error code on failure + +run_server_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + #AES-128-CCM + for i in AES-128-GCM AES-256-GCM CHACHA20-POLY1305 AES-128-CCM AES-128-CCM-8;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -ciphersuites ${OCIPHERSUITES} -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + done + + for i in GROUP-X25519 GROUP-SECP256R1 GROUP-SECP384R1 GROUP-SECP521R1;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+${i}${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! 
+ wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + done + + echo_cmd "${PREFIX}Checking TLS 1.3 with HRR..." + + eval "${GETPORT}" + launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -groups 'X25519:P-256:X448:P-521:P-384' -host localhost -port "${PORT}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with rekey..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" <<<$(echo "***REKEY***") 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + # client certificates + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --require-client-cert --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${RSA_PSS_CLI_CERT}" -key "${RSA_PSS_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 client certificate..." 
+ ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ECC_CLI_CERT}" -key "${ECC_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 client certificate..." + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${ED25519_CLI_CERT}" -key "${ED25519_CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with post handshake auth..." + + eval "${GETPORT}" + launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -force_pha -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" <<<$(echo "***REAUTH***") 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + echo_cmd "${PREFIX}Checking TLS 1.3 with Ed25519 certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ED25519_CERT}" --x509keyfile "${ED25519_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with secp256r1 certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${ECC_CERT}" --x509keyfile "${ECC_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! 
+ wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo_cmd "${PREFIX}Checking TLS 1.3 with RSA-PSS certificate..." + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_PSS_CERT}" --x509keyfile "${RSA_PSS_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + # openssl doesn't support PSK + for i in DHE-PSK;do + echo_cmd "${PREFIX}Checking TLS 1.3 with ${i}..." + + eval "${GETPORT}" + launch_server $$ --pskpasswd "${SERV_PSK}" --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+${i}${ADD}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -psk_identity "${PSKID}" -psk "${PSKKEY}" </dev/null >>${OUTPUT} || \ + fail ${PID} "Failed" + + kill ${PID} + wait + done + +} + +run_server_suite + +exit 0 diff --git a/tests/tls13/post-handshake-with-cert.c b/tests/tls13/post-handshake-with-cert.c index 22e4376e80..88ed470153 100644 --- a/tests/tls13/post-handshake-with-cert.c +++ b/tests/tls13/post-handshake-with-cert.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017 Red Hat, Inc. + * Copyright (C) 2017-2018 Red Hat, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -50,6 +50,8 @@ int main() #include "tls13/ext-parse.h" #include "utils.h" +#define MAX_AUTHS 4 + /* This program tests whether the Post Handshake Auth extension is * present in the client hello, and whether it is missing from server * hello. In addition it contains basic functionality test for 
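Review bot: The final DHE-PSK check in run_server_suite can never fail: it ends in `>>${OUTPUT} || fail ${PID} "Failed"`, yet the comment above run_server_suite states that openssl s_client does not return an error code on failure. It should use the same form as the other server-mode checks, `</dev/null 2>&1 | grep "\:error\:" && fail ${PID} "Failed"`. Those grep-based checks are themselves negative only, so a run in which `${OPENSSL_CLI}` is missing or never connects prints no `:error:` line and passes; adding `test -x "${OPENSSL_CLI}" || exit 77` right after `OPENSSL_CLI="$SERV"` closes the most likely vacuous pass, and a positive match on the negotiated protocol in the s_client output would be stronger still. Separately, every gnutls-cli call in run_client_suite passes `--insecure`, so the client-mode half never validates the server chain against `${CA_CERT}`; the two commented-out `--x509cafile` variants suggest this was tried, and a comment saying why it is disabled would help, as would removing the stale "disabled as I do not seem to be able to connect" remark above the PSK server that is in fact launched.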
@@ -74,6 +76,7 @@ static void client(int fd)
 gnutls_certificate_credentials_t x509_cred;
 gnutls_session_t session;
 char buf[64];
+ unsigned i;
 global_init();
@@ -116,21 +119,24 @@ static void client(int fd)
 fail("handshake failed: %s\n", gnutls_strerror(ret));
 success("client handshake completed\n");
- do {
- ret = gnutls_record_recv(session, buf, sizeof(buf));
- } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ for (i=0;i<MAX_AUTHS;i++) {
+ do {
+ ret = gnutls_record_recv(session, buf, sizeof(buf));
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
- if (ret != GNUTLS_E_REAUTH_REQUEST) {
- fail("recv: unexpected error: %s\n", gnutls_strerror(ret));
- }
+ if (ret != GNUTLS_E_REAUTH_REQUEST) {
+ fail("recv: unexpected error: %s\n", gnutls_strerror(ret));
+ }
- success("received reauth request\n");
- do {
- ret = gnutls_reauth(session, 0);
- } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+ success("received reauth request\n");
+ do {
+ ret = gnutls_reauth(session, 0);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret != 0)
+ fail("client: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+ }
- if (ret != 0)
- fail("client: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
 close(fd);
@@ -182,6 +188,7 @@ static void server(int fd)
 char buffer[MAX_BUF + 1];
 gnutls_session_t session;
 gnutls_certificate_credentials_t x509_cred;
+ unsigned i;
 /* this must be called once in the program */
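Review bot: Nothing in the `@@ -116,21 +119,24 @@` client hunk, or in the matching server loop in `@@ -231,13 +238,16 @@`, says why the reauthentication is now repeated `MAX_AUTHS` times, and the `#define MAX_AUTHS 4` added earlier in the file carries no comment either. The two loops have to run the same number of rounds, otherwise one side is presumably left waiting in `gnutls_record_recv` or `gnutls_reauth`; a comment at the define such as `/* consecutive post-handshake auth rounds; client() and server() must loop the same count */` would record that coupling. Inside the client loop the final `if (ret != 0)` is unbraced while the `if (ret != GNUTLS_E_REAUTH_REQUEST)` just above it is braced, so bracing both would keep the loop body consistent. Both client() and server() begin and end outside these hunks.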
@@ -231,13 +238,16 @@ static void server(int fd)
 success("server handshake completed\n");
 gnutls_certificate_server_set_request(session, GNUTLS_CERT_REQUIRE);
- /* ask peer for re-authentication */
- do {
- ret = gnutls_reauth(session, 0);
- } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
- if (ret != 0)
- fail("server: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+ for (i=0;i<MAX_AUTHS;i++) {
+ /* ask peer for re-authentication */
+ do {
+ ret = gnutls_reauth(session, 0);
+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
+
+ if (ret != 0)
+ fail("server: gnutls_reauth did not succeed as expected: %s\n", gnutls_strerror(ret));
+ }
 close(fd);
 gnutls_deinit(session); |