diff options
| author | Dmitry Baryshkov <dbaryshkov@gmail.com> | 2020-06-15 20:55:39 +0000 |
|---|---|---|
| committer | Dmitry Baryshkov <dbaryshkov@gmail.com> | 2020-06-15 20:55:39 +0000 |
| commit | 7bfc148a587a69cf7faab4ef090031c91b6bb33a (patch) | |
| tree | 93286d95c71a087f551360e77d35120295de3a69 /tests | |
| parent | 9ec9fe6cc4d0ceab436a418dd1e52132967bb9c7 (diff) | |
| parent | 5c7ec5abb8947795b35b18a91eaaf097ebff4d06 (diff) | |
| download | gnutls-7bfc148a587a69cf7faab4ef090031c91b6bb33a.tar.gz | |
Merge branch 'master' into 'tmp-mark-gost94-as-broken'
# Conflicts:
# lib/crypto-selftests-pk.c
Diffstat (limited to 'tests')
103 files changed, 3413 insertions, 248 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 4e12bc802e..7cdf828e0c 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -32,7 +32,7 @@ SUBDIRS += suite endif EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \ - ocsp-common.h cmocka-common.h virt-time.h \ + ocsp-common.h cmocka-common.h virt-time.h test-chains-issuer.h test-chains-issuer-aia.h \ certs/ca-cert-ecc.pem certs/cert-ecc256.pem certs/cert-ecc521.pem \ certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem hex.h \ certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \ @@ -140,9 +140,11 @@ ctests += tls13/psk-dumbfw ctests += tls13-early-start +ctests += tls13/no-auto-send-ticket + ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniqueid tls-neg-ext-key \ mpi certificate_set_x509_crl dn parse_ca x509-dn x509-dn-decode record-sizes \ - hostname-check cve-2008-4989 pkcs12_s2k chainverify record-sizes-range \ + hostname-check cve-2008-4989 pkcs12_s2k chainverify missingissuer missingissuer_aia record-sizes-range \ crq_key_id x509sign-verify sign-verify cve-2009-1415 cve-2009-1416 \ tls10-server-kx-neg tls11-server-kx-neg tls12-server-kx-neg ssl30-server-kx-neg \ tls12-cipher-neg tls11-cipher-neg tls10-cipher-neg ssl30-cipher-neg \ @@ -217,7 +219,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei tls-record-size-limit-asym dh-compute ecdh-compute sign-verify-data-newapi \ sign-verify-newapi sign-verify-deterministic iov aead-cipher-vec \ tls13-without-timeout-func buffer status-request-revoked \ - set_x509_ocsp_multi_cli + set_x509_ocsp_multi_cli kdf-api keylog-func \ + dtls_hello_random_value tls_hello_random_value x509cert-dntypes if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp @@ -426,7 +429,7 @@ openssl_LDADD = ../extra/libgnutls-openssl.la $(LDADD) endif if HAVE_FORK -ctests += x509self x509dn anonself pskself dhepskself \ +ctests += x509self x509dn anonself pskself pskself2 dhepskself \ setcredcrash tls12-resume-x509 tls12-resume-psk tls12-resume-anon \ tls13-resume-x509 tls13-resume-psk tls13-early-data tls13-early-data-neg \ resume-with-record-size-limit @@ -564,6 +567,7 @@ endif if !WINDOWS indirect_tests += datefudge-check +noinst_PROGRAMS = datefudge-check endif check_PROGRAMS = $(cpptests) $(ctests) $(indirect_tests) diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c index 10e3db8626..6a30a35f7b 100644 --- a/tests/aead-cipher-vec.c +++ b/tests/aead-cipher-vec.c @@ -49,6 +49,7 @@ static void start(const char *name, int algo) giovec_t auth_iov[2]; uint8_t tag[64]; size_t tag_size = 0; + size_t i; key.data = key16; key.size = gnutls_cipher_get_key_size(algo); @@ -82,21 +83,23 @@ static void start(const char *name, int algo) if (ret < 0) fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); - ret = gnutls_aead_cipher_encryptv2(ch, - iv.data, iv.size, - auth_iov, 2, - iov, 3, - tag, &tag_size); - if (ret < 0) - fail("could not encrypt data: %s\n", gnutls_strerror(ret)); - - ret = gnutls_aead_cipher_decryptv2(ch, - iv.data, iv.size, - auth_iov, 2, - iov, 3, - tag, tag_size); - if (ret < 0) - fail("could not decrypt data: %s\n", gnutls_strerror(ret)); + for (i = 0; i < 2; i++) { + ret = gnutls_aead_cipher_encryptv2(ch, + iv.data, iv.size, + auth_iov, 2, + iov, i + 1, + tag, &tag_size); + if (ret < 0) + fail("could not encrypt data: %s\n", gnutls_strerror(ret)); + + ret = gnutls_aead_cipher_decryptv2(ch, + iv.data, iv.size, + auth_iov, 2, + iov, i + 1, + tag, tag_size); + if (ret < 0) + fail("could not decrypt data: %s\n", gnutls_strerror(ret)); + } gnutls_aead_cipher_deinit(ch); } @@ -116,6 +119,7 @@ doit(void) } start("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM); + start("aes-192-gcm", GNUTLS_CIPHER_AES_192_GCM); start("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM); start("aes-128-ccm", GNUTLS_CIPHER_AES_128_CCM); if (!gnutls_fips140_mode_enabled()) diff --git a/tests/atfork.c b/tests/atfork.c index 42c4851efd..654519dc7c 100644 --- a/tests/atfork.c +++ b/tests/atfork.c @@ -32,7 +32,6 @@ #include <sys/wait.h> #endif -#include "utils.h" #include <gnutls/gnutls.h> #include <gnutls/crypto.h> @@ -46,6 +45,10 @@ void doit(void) #include "../lib/atfork.h" #include "../lib/atfork.c" +/* utils.h must be loaded after gnutls_int.h, as it redefines some + * macros from gnulib */ +#include "utils.h" + void doit(void) { pid_t pid; diff --git a/tests/cert-reencoding.sh b/tests/cert-reencoding.sh index aadd6fd1bd..240d336778 100755 --- a/tests/cert-reencoding.sh +++ b/tests/cert-reencoding.sh @@ -57,7 +57,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 87d9314363..17886ef7c5 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -101,7 +101,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/cert-with-non-digits-time-ca.pem data/cert-with-non-digits-time.pem \ data/chain-512-leaf.pem data/chain-512-subca.pem data/chain-512-ca.pem \ templates/template-no-ca-honor.tmpl templates/template-no-ca-explicit.tmpl \ - data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem + data/crq-cert-no-ca-explicit.pem data/crq-cert-no-ca-honor.pem data/commonName.cer dist_check_SCRIPTS = pathlen aki invalid-sig email \ pkcs7 pkcs7-broken-sigs privkey-import name-constraints certtool-long-cn crl provable-privkey \ diff --git a/tests/cert-tests/alt-chain b/tests/cert-tests/alt-chain index b715416cc0..a2261b3809 100755 --- a/tests/cert-tests/alt-chain +++ b/tests/cert-tests/alt-chain @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge OLD_CA_FILE="${srcdir}/data/alt-chain-old-ca.pem" NEW_CA_FILE="${srcdir}/data/alt-chain-new-ca.pem" diff --git a/tests/cert-tests/cert-critical b/tests/cert-tests/cert-critical index 74f335cb87..f923b29fa4 100755 --- a/tests/cert-tests/cert-critical +++ b/tests/cert-tests/cert-critical @@ -36,7 +36,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge "2017-2-28" \ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-root.pem diff --git a/tests/cert-tests/cert-non-digits-time b/tests/cert-tests/cert-non-digits-time index 28880b87ac..9c25c396de 100755 --- a/tests/cert-tests/cert-non-digits-time +++ b/tests/cert-tests/cert-non-digits-time @@ -32,7 +32,7 @@ if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" fi -check_for_datefudge +skip_if_no_datefudge # Check whether certificates with non-digits time fields are accepted datefudge -s "2019-12-19" \ diff --git a/tests/cert-tests/certtool b/tests/cert-tests/certtool index e604634678..0fd29beea9 100755 --- a/tests/cert-tests/certtool +++ b/tests/cert-tests/certtool @@ -153,13 +153,25 @@ if test $? = 0;then exit 1 fi +${VALGRIND} "${CERTTOOL}" -i --infile "${srcdir}/data/commonName.cer" | grep -v "Not After:" > ${TMPFILE1} +if test $? != 0;then + echo "commonName cert output failed" + exit 1 +fi + +${DIFF} "${srcdir}/data/commonName.cer" ${TMPFILE1} +if test $? != 0;then + exit 1 +fi + + rm -f ${TMPFILE1} ${TMPFILE2} export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify-chain diff --git a/tests/cert-tests/certtool-eddsa b/tests/cert-tests/certtool-eddsa index c097fbf6c6..7e07822507 100755 --- a/tests/cert-tests/certtool-eddsa +++ b/tests/cert-tests/certtool-eddsa @@ -124,7 +124,7 @@ rm -f "${TMPFILE}" "${TMPFILE2}" rm -f "${KEYFILE}" -check_for_datefudge +skip_if_no_datefudge # Test certificate chain using Ed25519 datefudge "2017-7-6" \ diff --git a/tests/cert-tests/certtool-rsa-pss b/tests/cert-tests/certtool-rsa-pss index aed79ff2e2..654bf34869 100755 --- a/tests/cert-tests/certtool-rsa-pss +++ b/tests/cert-tests/certtool-rsa-pss @@ -210,7 +210,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge "2012-11-22" \ ${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem" diff --git a/tests/cert-tests/certtool-verify-profiles b/tests/cert-tests/certtool-verify-profiles index a7ebd711ea..a4d738627e 100755 --- a/tests/cert-tests/certtool-verify-profiles +++ b/tests/cert-tests/certtool-verify-profiles @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge echo "Checking chain with insecure leaf" datefudge -s "2019-12-19" \ diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index 62b320b2bf..f4f97d757b 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -171,7 +171,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2020-01-20 10:00:00" ${VALGRIND} \ "${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \ diff --git a/tests/cert-tests/crq b/tests/cert-tests/crq index 89099cfc0a..1d64dee27e 100755 --- a/tests/cert-tests/crq +++ b/tests/cert-tests/crq @@ -40,7 +40,7 @@ OUTFILE2=out2.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge ${VALGRIND} "${CERTTOOL}" --inder --crq-info --infile "${srcdir}/data/csr-invalid.der" >"${OUTFILE}" 2>&1 rc=$? diff --git a/tests/cert-tests/data/commonName.cer b/tests/cert-tests/data/commonName.cer new file mode 100644 index 0000000000..91d02fdd85 --- /dev/null +++ b/tests/cert-tests/data/commonName.cer @@ -0,0 +1,52 @@ +X.509 Certificate Information: + Version: 3 + Serial Number (hex): 06376c00aa00648a11cfb8d4aa5c35f4 + Issuer: CN=Root Agency + Validity: + Not Before: Tue May 28 22:02:59 UTC 1996 + Subject: CN=Root Agency + Subject Public Key Algorithm: RSA + Algorithm Security Level: Export (512 bits) + Modulus (bits 512): + 00:81:55:22:b9:8a:a4:6f:ed:d6:e7:d9:66:0f:55:bc + d7:cd:d5:bc:4e:40:02:21:a2:b1:f7:87:30:85:5e:d2 + f2:44:b9:dc:9b:75:b6:fb:46:5f:42:b6:9d:23:36:0b + de:54:0f:cd:bd:1f:99:2a:10:58:11:cb:40:cb:b5:a7 + 41 + Exponent (bits 24): + 01:00:01 + Extensions: + Common Name (not critical): + For Testing Purposes Only Sample Software Publishing Credentials Agency + Unknown extension 2.5.29.1 (not critical): + ASCII: 0>.....-...O..a!..dc..0.1.0...U....Root Agency...7l...d......\5. + Hexdump: 303e801012e4092d061d1d4f008d6121dc166463a1183016311430120603550403130b526f6f74204167656e6379821006376c00aa00648a11cfb8d4aa5c35f4 + Signature Algorithm: RSA-MD5 +warning: signed using a broken signature algorithm that can be forged. + Signature: + 2d:2e:3e:7b:89:42:89:3f:a8:21:17:fa:f0:f5:c3:95 + db:62:69:5b:c9:dc:c1:b3:fa:f0:c4:6f:6f:64:9a:bd + e7:1b:25:68:72:83:67:bd:56:b0:8d:01:bd:2a:f7:cc + 4b:bd:87:a5:ba:87:20:4c:42:11:41:ad:10:17:3b:8c +Other Information: + Fingerprint: + sha1:fee449ee0e3965a5246f000e87fde2a065fd89d4 + sha256:8b13dbb25eb339a630c76c810d14b44b552e68dc10a93e82e754da23f858774a + Public Key ID: + sha1:38596dac2a46c9002309905e1f02c1fb5df724cd + sha256:73a97a992bfd29b91ef23175b367db9c561c516f634f759e3d430230a3d0695c + Public Key PIN: + pin-sha256:c6l6mSv9Kbke8jF1s2fbnFYcUW9jT3WePUMCMKPQaVw= + +-----BEGIN CERTIFICATE----- +MIIByjCCAXSgAwIBAgIQBjdsAKoAZIoRz7jUqlw19DANBgkqhkiG9w0BAQQFADAW +MRQwEgYDVQQDEwtSb290IEFnZW5jeTAeFw05NjA1MjgyMjAyNTlaFw0zOTEyMzEy +MzU5NTlaMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MFswDQYJKoZIhvcNAQEBBQAD +SgAwRwJAgVUiuYqkb+3W59lmD1W8183VvE5AAiGisfeHMIVe0vJEudybdbb7Rl9C +tp0jNgveVA/NvR+ZKhBYEctAy7WnQQIDAQABo4GeMIGbMFAGA1UEAwRJE0dGb3Ig +VGVzdGluZyBQdXJwb3NlcyBPbmx5IFNhbXBsZSBTb2Z0d2FyZSBQdWJsaXNoaW5n +IENyZWRlbnRpYWxzIEFnZW5jeTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRj +oRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwDQYJ +KoZIhvcNAQEEBQADQQAtLj57iUKJP6ghF/rw9cOV22JpW8ncwbP68MRvb2Savecb +JWhyg2e9VrCNAb0q98xLvYeluocgTEIRQa0QFzuM +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/crl-demo3.pem b/tests/cert-tests/data/crl-demo3.pem index 1e04338c67..a91b1f905a 100644 --- a/tests/cert-tests/data/crl-demo3.pem +++ b/tests/cert-tests/data/crl-demo3.pem @@ -1,5 +1,5 @@ X.509 Certificate Revocation List Information: - Version: 1 (default) + Version: 1 Issuer: OU=VeriSign Commercial Software Publishers CA,O=VeriSign\, Inc.,L=Internet Update dates: Issued: Wed Mar 08 09:00:11 UTC 2017 diff --git a/tests/cert-tests/data/full.p7b.out b/tests/cert-tests/data/full.p7b.out index fc200f5e17..c4dd043e33 100644 --- a/tests/cert-tests/data/full.p7b.out +++ b/tests/cert-tests/data/full.p7b.out @@ -3,10 +3,10 @@ Signers: Signer's serial: 4de0b4ca Signature Algorithm: RSA-SHA256 Signed Attributes: - 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 - 1.2.840.113549.1.9.4: 0420ca23e4b39a242dcece33fc776b6c9195595700f92201de19426d2d505576210f - 1.2.840.113549.1.9.5: 170d3135303630313139323232325a - 1.2.840.113549.1.9.3: 06092a864886f70d010701 + smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 + messageDigest: 0420ca23e4b39a242dcece33fc776b6c9195595700f92201de19426d2d505576210f + signingTime: 170d3135303630313139323232325a + contentType: 06092a864886f70d010701 Number of certificates: 2 diff --git a/tests/cert-tests/data/grfc.crt b/tests/cert-tests/data/grfc.crt index 20f587ea6e..fe7700e3e1 100644 --- a/tests/cert-tests/data/grfc.crt +++ b/tests/cert-tests/data/grfc.crt @@ -37,9 +37,9 @@ X.509 Certificate Information: ASCII: ... Hexdump: 020100 Certificate Policies (not critical): - 1.2.643.100.113.1 - 1.2.643.100.113.2 - 2.5.29.32.0 + 1.2.643.100.113.1 (Russian security class KC1) + 1.2.643.100.113.2 (Russian security class KC2) + 2.5.29.32.0 (anyPolicy) Signature Algorithm: GOSTR341001 warning: signed using a broken signature algorithm that can be forged. Signature: diff --git a/tests/cert-tests/data/long-oids.pem b/tests/cert-tests/data/long-oids.pem index 0306f536b9..15e8b3ed24 100644 --- a/tests/cert-tests/data/long-oids.pem +++ b/tests/cert-tests/data/long-oids.pem @@ -36,6 +36,8 @@ X.509 Certificate Information: Key encipherment. Data encipherment. Authority Key Identifier (not critical): + directoryName: CN=sat-r220-10.lab.eng.rdu2.redhat.com,OU=SomeOrgUnit,O=Katello,L=Raleigh,ST=North Carolina,C=US + serial: 00a4e7caebbe435dcc caca62860405f0f59b38d22c3c8c650fc6baa53c Subject Key Identifier (not critical): 0e8d7b53ba5a9e9244e56458a1db8347053e32d3 diff --git a/tests/cert-tests/data/openssl-keyid.p7b.out b/tests/cert-tests/data/openssl-keyid.p7b.out index 3eefda94c6..de622ea1fe 100644 --- a/tests/cert-tests/data/openssl-keyid.p7b.out +++ b/tests/cert-tests/data/openssl-keyid.p7b.out @@ -2,10 +2,10 @@ Signers: Signer's issuer key ID: 7607584ceab529f52d80068c834a820d09ec93de Signature Algorithm: RSA-SHA256 Signed Attributes: - 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 - 1.2.840.113549.1.9.4: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4 - 1.2.840.113549.1.9.5: 170d3136313132343135353132375a - 1.2.840.113549.1.9.3: 06092a864886f70d010701 + smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 + messageDigest: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4 + signingTime: 170d3136313132343135353132375a + contentType: 06092a864886f70d010701 Number of certificates: 2 diff --git a/tests/cert-tests/data/openssl.p7b.out b/tests/cert-tests/data/openssl.p7b.out index 6330451477..6d2e69d2ea 100644 --- a/tests/cert-tests/data/openssl.p7b.out +++ b/tests/cert-tests/data/openssl.p7b.out @@ -3,10 +3,10 @@ Signers: Signer's serial: 5838027a15510d5a Signature Algorithm: ECDSA-SHA256 Signed Attributes: - 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 - 1.2.840.113549.1.9.4: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4 - 1.2.840.113549.1.9.5: 170d3136313132353039333233305a - 1.2.840.113549.1.9.3: 06092a864886f70d010701 + smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 + messageDigest: 0420728be51f7b63dcf73f28ba80d277ce47f8cf5a75a02d4e6770e19baa57a767a4 + signingTime: 170d3136313132353039333233305a + contentType: 06092a864886f70d010701 Number of certificates: 2 diff --git a/tests/cert-tests/data/single-ca.p7b.out b/tests/cert-tests/data/single-ca.p7b.out index 35744628b8..bb7425e285 100644 --- a/tests/cert-tests/data/single-ca.p7b.out +++ b/tests/cert-tests/data/single-ca.p7b.out @@ -3,10 +3,10 @@ Signers: Signer's serial: 00 Signature Algorithm: RSA-SHA256 Signed Attributes: - 1.2.840.113549.1.9.15: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 - 1.2.840.113549.1.9.4: 0420aadc1955c030f723e9d89ed9d486b4eef5b0d1c6945be0dd6b7b340d42928ec9 - 1.2.840.113549.1.9.5: 170d3135303533313036343633385a - 1.2.840.113549.1.9.3: 06092a864886f70d010701 + smimeCapabilities: 306a300b060960864801650304012a300b0609608648016503040116300b0609608648016503040102300a06082a864886f70d0307300e06082a864886f70d030202020080300d06082a864886f70d0302020140300706052b0e030207300d06082a864886f70d0302020128 + messageDigest: 0420aadc1955c030f723e9d89ed9d486b4eef5b0d1c6945be0dd6b7b340d42928ec9 + signingTime: 170d3135303533313036343633385a + contentType: 06092a864886f70d010701 Number of certificates: 1 diff --git a/tests/cert-tests/inhibit-anypolicy b/tests/cert-tests/inhibit-anypolicy index 7e82a20014..ba5e1100f6 100755 --- a/tests/cert-tests/inhibit-anypolicy +++ b/tests/cert-tests/inhibit-anypolicy @@ -36,7 +36,7 @@ SUBCAFILE=inhibit-subca.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2017-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index bcebf995cb..58134a4d09 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig @@ -33,14 +33,16 @@ if ! test -x "${CERTTOOL}"; then exit 77 fi +. ${srcdir}/../scripts/common.sh + #check whether a different PKCS #1 signature than the advertized in certificate is tolerated ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (1) failed" - exit ${rc} + exit 1 fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -48,9 +50,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig2.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (2) failed" - exit ${rc} + exit 1 fi #check whether a different tbsCertificate than the outer signature algorithm is tolerated @@ -58,9 +60,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig3.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (3) failed" - exit ${rc} + exit 1 fi #check whether different parameters in tbsCertificate than the outer signature is tolerated @@ -68,9 +70,9 @@ ${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig4.pem" rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (4) failed" - exit ${rc} + exit 1 fi #check whether different RSA-PSS parameters in tbsCertificate than the outer signature is tolerated @@ -78,19 +80,24 @@ ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/invalid-sig5.p rc=$? # We're done. -if test "${rc}" = "0"; then +if test $rc = 0; then echo "Verification of invalid signature (5) failed" - exit ${rc} + exit 1 fi -#this was causing a double free; verify that we receive the expected error code -${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" -rc=$? - -# We're done. -if test "${rc}" != "1"; then - echo "Verification of invalid signature (6) failed" - exit ${rc} +if check_for_datefudge; then + #this was causing a double free; verify that we receive the expected error code + datefudge -s 2020-01-01 \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" + rc=$? + + # We're done. + if test $rc != 1; then + echo "Verification of invalid signature (6) failed" + exit 1 + fi +else + echo "Verification of invalid signature (6) skipped" fi exit 0 diff --git a/tests/cert-tests/krb5-test b/tests/cert-tests/krb5-test index 3eca7d7e31..a6e092cc90 100755 --- a/tests/cert-tests/krb5-test +++ b/tests/cert-tests/krb5-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge if ! test -z "${VALGRIND}"; then ORIG_VALGRIND=${VALGRIND} diff --git a/tests/cert-tests/md5-test b/tests/cert-tests/md5-test index a9635cc1d8..15d6280b1c 100755 --- a/tests/cert-tests/md5-test +++ b/tests/cert-tests/md5-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Test MD5 signatures diff --git a/tests/cert-tests/name-constraints b/tests/cert-tests/name-constraints index f23462117e..3b2370d49a 100755 --- a/tests/cert-tests/name-constraints +++ b/tests/cert-tests/name-constraints @@ -36,7 +36,7 @@ TMPFILE=constraints.$$.pem.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2016-04-22" \ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/data/name-constraints-ip.pem" diff --git a/tests/cert-tests/othername-test b/tests/cert-tests/othername-test index 38032fee1c..00f93b22dd 100755 --- a/tests/cert-tests/othername-test +++ b/tests/cert-tests/othername-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/pkcs1-pad b/tests/cert-tests/pkcs1-pad index 33663a6a0b..c75ab9e09d 100755 --- a/tests/cert-tests/pkcs1-pad +++ b/tests/cert-tests/pkcs1-pad @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge TMPFILE1=pkcs1-pad.$$.tmp TMPFILE2=pkcs1-pad-2.$$.tmp diff --git a/tests/cert-tests/pkcs12-gost b/tests/cert-tests/pkcs12-gost index 2b5b6bfd79..f7c4bba52b 100755 --- a/tests/cert-tests/pkcs12-gost +++ b/tests/cert-tests/pkcs12-gost @@ -29,6 +29,11 @@ if ! test -x "${CERTTOOL}"; then exit 77 fi +if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then + echo "Cannot run in FIPS140-2 mode" + exit 77 +fi + if ! test -z "${VALGRIND}"; then VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=1" fi diff --git a/tests/cert-tests/pkcs7 b/tests/cert-tests/pkcs7 index 5951a7312b..5767e09646 100755 --- a/tests/cert-tests/pkcs7 +++ b/tests/cert-tests/pkcs7 @@ -38,7 +38,7 @@ TMPFILE=tmp-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge if test "${ENABLE_GOST}" = "1" && test "${GNUTLS_FORCE_FIPS_MODE}" != "1" then @@ -265,7 +265,7 @@ if test "${rc}" != "0"; then fi ${VALGRIND} "${CERTTOOL}" --p7-info --infile "${OUTFILE}" >"${OUTFILE2}" -grep '1.2.840.113549.1.9.3: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1 +grep 'contentType: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1 if test $? != 0;then echo "Content-Type was not set in attributes" exit 1 diff --git a/tests/cert-tests/pkcs7-cat b/tests/cert-tests/pkcs7-cat index 0f5b82df12..6543397431 100755 --- a/tests/cert-tests/pkcs7-cat +++ b/tests/cert-tests/pkcs7-cat @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2016-10-1" \ ${VALGRIND} "${CERTTOOL}" --verify-allow-broken --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem" rc=$? diff --git a/tests/cert-tests/pkcs7-constraints b/tests/cert-tests/pkcs7-constraints index 8e5b5345d1..6964d26f09 100755 --- a/tests/cert-tests/pkcs7-constraints +++ b/tests/cert-tests/pkcs7-constraints @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge FILE="signing" diff --git a/tests/cert-tests/pkcs7-constraints2 b/tests/cert-tests/pkcs7-constraints2 index 389071e27b..7d1816a33a 100755 --- a/tests/cert-tests/pkcs7-constraints2 +++ b/tests/cert-tests/pkcs7-constraints2 @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge FILE="signing" diff --git a/tests/cert-tests/pkcs7-eddsa b/tests/cert-tests/pkcs7-eddsa index 3ceee482b2..6f235c512b 100755 --- a/tests/cert-tests/pkcs7-eddsa +++ b/tests/cert-tests/pkcs7-eddsa @@ -36,7 +36,7 @@ OUTFILE2=out2-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge KEY="${srcdir}/../certs/ed25519.pem" CERT="${srcdir}/../certs/cert-ed25519.pem" @@ -97,7 +97,7 @@ if test "${rc}" != "0"; then fi ${VALGRIND} "${CERTTOOL}" --p7-info --infile "${OUTFILE}" >"${OUTFILE2}" -grep '1.2.840.113549.1.9.3: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1 +grep 'contentType: 06092a864886f70d010701' ${OUTFILE2} >/dev/null 2>&1 if test $? != 0;then echo "Content-Type was not set in attributes" exit 1 diff --git a/tests/cert-tests/pkcs7-list-sign b/tests/cert-tests/pkcs7-list-sign index 1c4e930e5b..5ca04d8005 100755 --- a/tests/cert-tests/pkcs7-list-sign +++ b/tests/cert-tests/pkcs7-list-sign @@ -37,7 +37,7 @@ OUTFILE2=out2-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Test signing FILE="signing-with-cert-list" ${VALGRIND} "${CERTTOOL}" --p7-sign --load-certificate "${srcdir}/data/pkcs7-chain.pem" --load-privkey "${srcdir}/data/pkcs7-chain-endcert-key.pem" --infile "${srcdir}/data/pkcs7-detached.txt" >"${OUTFILE}" diff --git a/tests/cert-tests/rsa-pss-pad b/tests/cert-tests/rsa-pss-pad index d9a05e4e0f..2c87c750fc 100755 --- a/tests/cert-tests/rsa-pss-pad +++ b/tests/cert-tests/rsa-pss-pad @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/sha3-test b/tests/cert-tests/sha3-test index dc3cf8f6ba..a4300672c3 100755 --- a/tests/cert-tests/sha3-test +++ b/tests/cert-tests/sha3-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/cert-tests/smime b/tests/cert-tests/smime index dd5514f687..f5e68401cf 100755 --- a/tests/cert-tests/smime +++ b/tests/cert-tests/smime @@ -36,7 +36,7 @@ OUTFILE=out-pkcs7.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # test the --smime-to-p7 functionality ${VAGRLIND} "${CERTTOOL}" --smime-to-p7 --infile "${srcdir}/data/pkcs7.smime" --outfile ${OUTFILE} diff --git a/tests/cert-tests/template-exts-test b/tests/cert-tests/template-exts-test index 32e90f91e3..276ba2f798 100755 --- a/tests/cert-tests/template-exts-test +++ b/tests/cert-tests/template-exts-test @@ -33,7 +33,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge datefudge -s "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index f7ebefb664..091021315b 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -34,7 +34,7 @@ TMPFILE=tmp-tt.pem.$$.tmp . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge echo "Running test for ${ac_cv_sizeof_time_t}-byte time_t" diff --git a/tests/cert-tests/tlsfeature-test b/tests/cert-tests/tlsfeature-test index aadbffc26a..fb26f6225b 100755 --- a/tests/cert-tests/tlsfeature-test +++ b/tests/cert-tests/tlsfeature-test @@ -34,7 +34,7 @@ export TZ="UTC" . ${srcdir}/../scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # # Test certificate generation diff --git a/tests/certtool-pkcs11.sh b/tests/certtool-pkcs11.sh index 9a599e6146..daba535a4d 100755 --- a/tests/certtool-pkcs11.sh +++ b/tests/certtool-pkcs11.sh @@ -68,7 +68,7 @@ exit_error () { exit 1 } -check_for_datefudge +skip_if_no_datefudge # $1: token # $2: PIN diff --git a/tests/data/test1.cat.out b/tests/data/test1.cat.out index 1a0c955228..d5b20765b4 100644 --- a/tests/data/test1.cat.out +++ b/tests/data/test1.cat.out @@ -5,11 +5,11 @@ Signers: Signature Algorithm: RSA-SHA1 Signed Attributes: 1.3.6.1.4.1.311.2.1.12: 3064a030802e004800650077006c006500740074002d005000610063006b00610072006400200043006f006d00700061006e0079a130802e687474703a2f2f7777772e6d6963726f736f66742e636f6d2f776864632f68636c2f64656661756c742e6d737078 - 1.2.840.113549.1.9.4: 04141c448883117564c1fe830b2833c0ef6b83030c0e + messageDigest: 04141c448883117564c1fe830b2833c0ef6b83030c0e 1.3.6.1.4.1.311.2.1.11: 300c060a2b060104018237020115 - 1.2.840.113549.1.9.3: 06092b0601040182370a01 + contentType: 06092b0601040182370a01 Unsigned Attributes: - 1.2.840.113549.1.9.6: 3082021102010130818e3077310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e3121301f060355040313184d6963726f736f66742054696d652d5374616d7020504341021333000000af5347776c1bf1a3020000000000af300906052b0e03021a0500a05d301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3136303931333231313930395a302306092a864886f70d01090431160414d488cf8097e0d20f170aa7cff5414d9dc2f28f7b300d06092a864886f70d01010505000482010016dcd01f53ac52f8f37898f02352716c9de8dcdee53a2dfb243d503b31f252878e54c5716cd2f2237b82a1269322c50ed304c00a85e50c47b3ce43b2dfff9d1d8032541e28216281e715407b8cbe565fee869aa0e6fb6f421c1c5516c7fead80c1c2117998b0a754bb0683971d78a864707349514121bf2158305d672f8800ea02bd266c198afc22449f4579d7f0db337919accd8f8093539e1d24e5c89c0c1f9734ea8f9bec2ce9ff9f22f9649069b759ba05967742615a3953645572eddb4c5006b6fd4c6226beded0038548ed82d3993b17b473ca75e9891d524be5c39ec422d7a78baaa475bf1aa0e196d7db1858edcacea1ef34b2655772ab8fca3c7766 + countersignature: 3082021102010130818e3077310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e3121301f060355040313184d6963726f736f66742054696d652d5374616d7020504341021333000000af5347776c1bf1a3020000000000af300906052b0e03021a0500a05d301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3136303931333231313930395a302306092a864886f70d01090431160414d488cf8097e0d20f170aa7cff5414d9dc2f28f7b300d06092a864886f70d01010505000482010016dcd01f53ac52f8f37898f02352716c9de8dcdee53a2dfb243d503b31f252878e54c5716cd2f2237b82a1269322c50ed304c00a85e50c47b3ce43b2dfff9d1d8032541e28216281e715407b8cbe565fee869aa0e6fb6f421c1c5516c7fead80c1c2117998b0a754bb0683971d78a864707349514121bf2158305d672f8800ea02bd266c198afc22449f4579d7f0db337919accd8f8093539e1d24e5c89c0c1f9734ea8f9bec2ce9ff9f22f9649069b759ba05967742615a3953645572eddb4c5006b6fd4c6226beded0038548ed82d3993b17b473ca75e9891d524be5c39ec422d7a78baaa475bf1aa0e196d7db1858edcacea1ef34b2655772ab8fca3c7766 Number of certificates: 4 diff --git a/tests/data/test2.cat.out b/tests/data/test2.cat.out index aead58067c..aec0af9ada 100644 --- a/tests/data/test2.cat.out +++ b/tests/data/test2.cat.out @@ -4,9 +4,9 @@ Signers: Signer's serial: 1656c8b2bf9bb3b24e6f3411cdcff0b5 Signature Algorithm: RSA-SHA1 Signed Attributes: - 1.2.840.113549.1.9.4: 041490608f08aab36bbeef8cb509bef6e60385058afa + messageDigest: 041490608f08aab36bbeef8cb509bef6e60385058afa 1.3.6.1.4.1.311.2.1.11: 300c060a2b060104018237020115 - 1.2.840.113549.1.9.3: 06092b0601040182370a01 + contentType: 06092b0601040182370a01 1.3.6.1.4.1.311.2.1.12: 3000 Number of certificates: 1 diff --git a/tests/dtls_hello_random_value.c b/tests/dtls_hello_random_value.c new file mode 100644 index 0000000000..601c8686bf --- /dev/null +++ b/tests/dtls_hello_random_value.c @@ -0,0 +1,336 @@ +/* + * Copyright (C) 2017-2020 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +/* This program tests whether the second DTLS client hello contains the same + * random value, and whether it is initialized. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int main(int argc, char **argv) +{ + exit(77); +} + +#else + +#include <string.h> +#include <sys/types.h> +#include <sys/socket.h> +#if !defined(_WIN32) +#include <sys/wait.h> +#include <signal.h> +#endif +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <gnutls/dtls.h> +#include <assert.h> + +#include "utils.h" +#include "cert-common.h" + +const char *side = ""; + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "%s|<%d>| %s", side, level, str); +} + +unsigned char crandom[32]; +static unsigned cb_called = 0; + +static int hello_callback(gnutls_session_t session, unsigned int htype, + unsigned post, unsigned int incoming, const gnutls_datum_t *msg) +{ + unsigned non_zero = 0, i; + + if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && post == GNUTLS_HOOK_POST) { + if (cb_called == 0) { + /* save first value */ + gnutls_datum_t tmp; + gnutls_session_get_random(session, &tmp, NULL); + assert(tmp.size == 32); + + memcpy(crandom, tmp.data, tmp.size); + cb_called++; + + /* check if uninitialized */ + for (i=0;i<32;i++) { + if (crandom[i] != 0) { + non_zero++; + } + } + + if (non_zero <= 8) { + fail("the client random value seems uninitialized\n"); + } + } else { /* verify it is the same */ + gnutls_datum_t tmp; + gnutls_session_get_random(session, &tmp, NULL); + + assert(tmp.size == 32); + if (memcmp(tmp.data, crandom, tmp.size) != 0) { + fail("the random values differ!\n"); + } + cb_called++; + } + } if (htype == GNUTLS_HANDSHAKE_SERVER_HELLO && post == GNUTLS_HOOK_POST) { + gnutls_datum_t tmp; + gnutls_session_get_random(session, NULL, &tmp); + assert(tmp.size == 32); + + for (i=0;i<32;i++) { + if (tmp.data[i] != 0) { + non_zero++; + } + } + if (non_zero <= 8) { + fail("the server random value seems uninitialized\n"); + } + } + + return 0; +} + +static void client(int sd, const char *priority) +{ + int ret; + gnutls_session_t session; + gnutls_certificate_credentials_t clientx509cred; + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + side = "client"; + + gnutls_certificate_allocate_credentials(&clientx509cred); + + assert(gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_DATAGRAM)>=0); + + if (!priority) { + assert(gnutls_set_default_priority(session) >= 0); + } else { + assert(gnutls_priority_set_direct(session, priority, NULL) >= 0); + } + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, + clientx509cred); + + gnutls_transport_set_int(session, sd); + gnutls_dtls_set_mtu(session, 1500); + gnutls_handshake_set_timeout(session, 20 * 1000); + + gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY, + GNUTLS_HOOK_BOTH, hello_callback); + + ret = gnutls_handshake(session); + + if (ret < 0) { + fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); + } else { + if (debug) + success("client: Handshake was completed\n"); + } + + if (cb_called != 2) { + fail("client: the callback was not seen twice!\n"); + } + + gnutls_bye(session, GNUTLS_SHUT_WR); + close(sd); + + gnutls_deinit(session); + + gnutls_certificate_free_credentials(clientx509cred); +} + +#define MAX_BUF 1024 +#define CLI_ADDR (void*)"test" +#define CLI_ADDR_LEN 4 + +static ssize_t +push(gnutls_transport_ptr_t tr, const void *data, size_t len) +{ + int fd = (long int) tr; + + return send(fd, data, len, 0); +} + +static void server(int sd, const char *priority) +{ + int ret, csend = 0; + char buffer[MAX_BUF + 1]; + gnutls_certificate_credentials_t serverx509cred; + gnutls_dtls_prestate_st prestate; + gnutls_session_t session; + gnutls_datum_t cookie_key; + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + side = "server"; + + ret = gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE); + if (ret < 0) { + fail("Cannot generate key: %s\n", gnutls_strerror(ret)); + } + + for (;;) { + ret = recv(sd, buffer, sizeof(buffer), MSG_PEEK); + if (ret < 0) { + fail("Cannot receive data\n"); + } + + memset(&prestate, 0, sizeof(prestate)); + ret = + gnutls_dtls_cookie_verify(&cookie_key, CLI_ADDR, + CLI_ADDR_LEN, buffer, ret, + &prestate); + if (ret < 0) { /* cookie not valid */ + if (debug) + success("Sending hello verify request\n"); + + ret = + gnutls_dtls_cookie_send(&cookie_key, CLI_ADDR, + CLI_ADDR_LEN, + &prestate, + (gnutls_transport_ptr_t) + (long) sd, push); + if (ret < 0) { + fail("Cannot send data\n"); + } + + /* discard peeked data */ + recv(sd, buffer, sizeof(buffer), 0); + csend++; + + if (csend > 2) { + fail("too many cookies sent\n"); + } + + continue; + } + + /* success */ + break; + } + + assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0); + assert(gnutls_certificate_set_x509_key_mem(serverx509cred, + &server_cert, &server_key, + GNUTLS_X509_FMT_PEM)>=0); + + assert(gnutls_init(&session, GNUTLS_SERVER|GNUTLS_DATAGRAM)>=0); + assert(session != NULL); + + if (!priority) { + assert(gnutls_set_default_priority(session) >= 0); + } else { + assert(gnutls_priority_set_direct(session, priority, NULL) >= 0); + } + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, + serverx509cred); + + gnutls_transport_set_int(session, sd); + gnutls_handshake_set_timeout(session, 20 * 1000); + gnutls_dtls_set_mtu(session, 1500); + + gnutls_dtls_prestate_set(session, &prestate); + + ret = gnutls_handshake(session); + if (ret < 0) { + fail("server: Handshake has failed: %s\n\n", + gnutls_strerror(ret)); + } + if (debug) + success("server: Handshake was completed\n"); + + /* do not wait for the peer to close the connection. + */ + gnutls_bye(session, GNUTLS_SHUT_WR); + close(sd); + gnutls_deinit(session); + + gnutls_certificate_free_credentials(serverx509cred); + gnutls_free(cookie_key.data); + + if (debug) + success("server: finished\n"); +} + +static void start(const char *name, const char *priority) +{ + pid_t child; + int sockets[2]; + int err; + + success("testing: %s\n", name); + cb_called = 0; + + err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) { + perror("socketpair"); + fail("socketpair failed\n"); + return; + } + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + return; + } + + if (child) { + int status = 0; + /* parent */ + close(sockets[1]); + client(sockets[0], priority); + wait(&status); + check_wait_status(status); + } else { + close(sockets[0]); + server(sockets[1], priority); + exit(0); + } +} + +void doit(void) +{ + signal(SIGPIPE, SIG_IGN); + + start("default", NULL); + start("dtls1.2", "NORMAL:-VERS-ALL:+VERS-DTLS1.2"); + start("dtls1.0", "NORMAL:-VERS-ALL:+VERS-DTLS1.0"); +} + +#endif /* _WIN32 */ diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh index 0ab6069b8f..3351764216 100755 --- a/tests/gnutls-cli-debug.sh +++ b/tests/gnutls-cli-debug.sh @@ -48,7 +48,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem diff --git a/tests/gnutls-cli-invalid-crl.sh b/tests/gnutls-cli-invalid-crl.sh index d7383a555b..1a82bfafd3 100755 --- a/tests/gnutls-cli-invalid-crl.sh +++ b/tests/gnutls-cli-invalid-crl.sh @@ -47,7 +47,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether connecting to a server but with an invalid CRL provided, returns the expected error" diff --git a/tests/gnutls-cli-self-signed.sh b/tests/gnutls-cli-self-signed.sh index 07cd5824b8..fbb5375bf0 100755 --- a/tests/gnutls-cli-self-signed.sh +++ b/tests/gnutls-cli-self-signed.sh @@ -45,7 +45,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether connecting to a self signed certificate returns the expected error" diff --git a/tests/kdf-api.c b/tests/kdf-api.c new file mode 100644 index 0000000000..ec74f44ce8 --- /dev/null +++ b/tests/kdf-api.c @@ -0,0 +1,160 @@ +/* + * Copyright (C) 2020 Red Hat, Inc. + * + * Author: Daiki Ueno + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +#include "config.h" + +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#include <assert.h> +#include <stdint.h> + +#include "utils.h" + +#define MAX_BUF 1024 + +static void +test_hkdf(gnutls_mac_algorithm_t mac, + const char *ikm_hex, + const char *salt_hex, + const char *info_hex, + size_t length, + const char *prk_hex, + const char *okm_hex) +{ + gnutls_datum_t hex; + gnutls_datum_t ikm; + gnutls_datum_t salt; + gnutls_datum_t info; + gnutls_datum_t prk; + gnutls_datum_t okm; + uint8_t buf[MAX_BUF]; + + success("HKDF test with %s\n", gnutls_mac_get_name(mac)); + + /* Test HKDF-Extract */ + hex.data = (void *)ikm_hex; + hex.size = strlen(ikm_hex); + assert(gnutls_hex_decode2(&hex, &ikm) >= 0); + + hex.data = (void *)salt_hex; + hex.size = strlen(salt_hex); + assert(gnutls_hex_decode2(&hex, &salt) >= 0); + + assert(gnutls_hkdf_extract(mac, &ikm, &salt, buf) >= 0); + gnutls_free(ikm.data); + gnutls_free(salt.data); + + prk.data = buf; + prk.size = strlen(prk_hex) / 2; + assert(gnutls_hex_encode2(&prk, &hex) >= 0); + + if (strcmp((char *)hex.data, prk_hex)) + fail("prk doesn't match: %s != %s\n", + (char *)hex.data, prk_hex); + + gnutls_free(hex.data); + + /* Test HKDF-Expand */ + hex.data = (void *)info_hex; + hex.size = strlen(info_hex); + assert(gnutls_hex_decode2(&hex, &info) >= 0); + + assert(gnutls_hkdf_expand(mac, &prk, &info, buf, length) >= 0); + gnutls_free(info.data); + + okm.data = buf; + okm.size = strlen(okm_hex) / 2; + assert(gnutls_hex_encode2(&okm, &hex) >= 0); + + if (strcmp((char *)hex.data, okm_hex)) + fail("okm doesn't match: %s != %s\n", + (char *)hex.data, okm_hex); + + gnutls_free(hex.data); +} + +static void +test_pbkdf2(gnutls_mac_algorithm_t mac, + const char *ikm_hex, + const char *salt_hex, + unsigned iter_count, + size_t length, + const char *okm_hex) +{ + gnutls_datum_t hex; + gnutls_datum_t ikm; + gnutls_datum_t salt; + gnutls_datum_t okm; + uint8_t buf[MAX_BUF]; + + success("PBKDF2 test with %s\n", gnutls_mac_get_name(mac)); + + hex.data = (void *)ikm_hex; + hex.size = strlen(ikm_hex); + assert(gnutls_hex_decode2(&hex, &ikm) >= 0); + + hex.data = (void *)salt_hex; + hex.size = strlen(salt_hex); + assert(gnutls_hex_decode2(&hex, &salt) >= 0); + + assert(gnutls_pbkdf2(mac, &ikm, &salt, iter_count, buf, length) >= 0); + gnutls_free(ikm.data); + gnutls_free(salt.data); + + okm.data = buf; + okm.size = length; + assert(gnutls_hex_encode2(&okm, &hex) >= 0); + + if (strcmp((char *)hex.data, okm_hex)) + fail("okm doesn't match: %s != %s\n", + (char *)hex.data, okm_hex); + + gnutls_free(hex.data); +} + +void +doit(void) +{ + /* Test vector from RFC 5869. More thorough testing is done + * in nettle. */ + test_hkdf(GNUTLS_MAC_SHA256, + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" + "0b0b0b0b0b0b", + "000102030405060708090a0b0c", + "f0f1f2f3f4f5f6f7f8f9", + 42, + "077709362c2e32df0ddc3f0dc47bba63" + "90b6c73bb50f9c3122ec844ad7c2b3e5", + "3cb25f25faacd57a90434f64d0362f2a" + "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" + "34007208d5b887185865"); + + /* Test vector from RFC 6070. More thorough testing is done + * in nettle. */ + test_pbkdf2(GNUTLS_MAC_SHA1, + "70617373776f7264", /* "password" */ + "73616c74", /* "salt" */ + 4096, + 20, + "4b007901b765489abead49d926f721d065a429c1"); +} diff --git a/tests/keylog-func.c b/tests/keylog-func.c new file mode 100644 index 0000000000..4350698e6b --- /dev/null +++ b/tests/keylog-func.c @@ -0,0 +1,351 @@ +/* + * Copyright (C) 2019 Free Software Foundation, Inc. + * + * Author: Aniketh Girish + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> + +#if !defined(__linux__) || !defined(__GNUC__) + +int main(int argc, char **argv) +{ + exit(77); +} + +#else + +#include <string.h> +#include <sys/types.h> +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <arpa/inet.h> +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> + +#include "cert-common.h" +#include "utils.h" + +/* This program tests whether a keylog function is called. + */ + +static void terminate(void); + +static void server_log_func(int level, const char *str) +{ + fprintf(stderr, "server|<%d>| %s", level, str); +} + +static void client_log_func(int level, const char *str) +{ + fprintf(stderr, "client|<%d>| %s", level, str); +} + +const char *side = ""; + +/* These are global */ +static pid_t child; +#define MAX_BUF 1024 +#define MSG "Hello TLS" + +static int +keylog_func(gnutls_session_t session, + const char *label, + const gnutls_datum_t *secret) +{ + unsigned int *call_count = gnutls_session_get_ptr(session); + static const char *exp_labels[] = { + "CLIENT_HANDSHAKE_TRAFFIC_SECRET", + "SERVER_HANDSHAKE_TRAFFIC_SECRET", + "EXPORTER_SECRET", + "CLIENT_TRAFFIC_SECRET_0", + "SERVER_TRAFFIC_SECRET_0" + }; + + if (*call_count >= sizeof(exp_labels)/sizeof(exp_labels[0])) + fail("unexpected secret at call count %u\n", + *call_count); + + if (strcmp(label, exp_labels[*call_count]) != 0) + fail("unexpected %s at call count %u\n", + label, *call_count); + else if (debug) + success("received %s at call count %u\n", + label, *call_count); + + (*call_count)++; + return 0; +} + +static void client(int fd, const char *prio, unsigned int exp_call_count) +{ + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + unsigned int call_count = 0; + int ret, ii; + gnutls_certificate_credentials_t clientx509cred; + const char *err; + /* Need to enable anonymous KX specifically. */ + + global_init(); + + if (debug) { + gnutls_global_set_log_function(client_log_func); + gnutls_global_set_log_level(4711); + } + + gnutls_certificate_allocate_credentials(&clientx509cred); + + /* Initialize TLS session + */ + gnutls_init(&session, GNUTLS_CLIENT); + + gnutls_session_set_ptr(session, &call_count); + + /* Use default priorities */ + ret = gnutls_priority_set_direct(session, prio, &err); + if (ret < 0) { + fail("client: priority set failed (%s): %s\n", + gnutls_strerror(ret), err); + exit(1); + } + + ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, + clientx509cred); + if (ret < 0) + exit(1); + + gnutls_transport_set_int(session, fd); + + gnutls_session_set_keylog_function(session, keylog_func); + assert(gnutls_session_get_keylog_function(session) == keylog_func); + + /* Perform the TLS handshake + */ + do { + ret = gnutls_handshake(session); + } + while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + + if (ret < 0) + fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); + else { + if (debug) + success("client: Handshake was completed\n"); + } + + if (debug) + success("client: TLS version is: %s\n", + gnutls_protocol_get_name + (gnutls_protocol_get_version(session))); + + gnutls_record_send(session, MSG, strlen(MSG)); + + do { + ret = gnutls_record_recv(session, buffer, MAX_BUF); + } while (ret == GNUTLS_E_AGAIN); + if (ret == 0) { + if (debug) + success + ("client: Peer has closed the TLS connection\n"); + } else if (ret < 0) { + fail("client: Error: %s\n", gnutls_strerror(ret)); + } + + if (debug) { + printf("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + + if (call_count != exp_call_count) + fail("secret hook is not called %u times (%u)\n", + call_count, exp_call_count); + + gnutls_bye(session, GNUTLS_SHUT_WR); + + close(fd); + + gnutls_deinit(session); + + gnutls_certificate_free_credentials(clientx509cred); + + gnutls_global_deinit(); +} + +static void server(int fd, const char *prio, unsigned int exp_call_count) +{ + int ret; + char buffer[MAX_BUF + 1]; + gnutls_session_t session; + unsigned int call_count = 0; + gnutls_certificate_credentials_t serverx509cred; + + /* this must be called once in the program + */ + global_init(); + + if (debug) { + gnutls_global_set_log_function(server_log_func); + gnutls_global_set_log_level(4711); + } + + gnutls_certificate_allocate_credentials(&serverx509cred); + + gnutls_init(&session, GNUTLS_SERVER); + + gnutls_session_set_ptr(session, &call_count); + + /* avoid calling all the priority functions, since the defaults + * are adequate. + */ + ret = gnutls_priority_set_direct(session, + "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA384:-GROUP-ALL:+GROUP-SECP256R1", NULL); + if (ret < 0) { + fail("server: priority set failed (%s)\n\n", + gnutls_strerror(ret)); + terminate(); + } + + gnutls_certificate_set_x509_key_mem(serverx509cred, + &server_cert, &server_key, + GNUTLS_X509_FMT_PEM); + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, + serverx509cred); + + gnutls_transport_set_int(session, fd); + + gnutls_session_set_keylog_function(session, keylog_func); + + do { + ret = gnutls_handshake(session); + } + while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + if (ret < 0) { + close(fd); + gnutls_deinit(session); + fail("server: Handshake has failed (%s)\n\n", + gnutls_strerror(ret)); + terminate(); + } + if (debug) { + success("server: Handshake was completed\n"); + } + if (debug) + success("server: TLS version is: %s\n", + gnutls_protocol_get_name + (gnutls_protocol_get_version(session))); + + memset(buffer, 0, MAX_BUF + 1); + + do { + ret = gnutls_record_recv(session, buffer, MAX_BUF); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret == 0) { + if (debug) + success("server: Peer has closed the GnuTLS connection\n"); + } else if (ret < 0) { + fail("server: Received corrupted data(%d). Closing...\n", ret); + } else if (ret > 0) { + /* echo data back to the client + */ + gnutls_record_send(session, buffer, + strlen(buffer)); + } + + if (call_count != exp_call_count) + fail("secret hook is not called %u times (%u)\n", + call_count, exp_call_count); + + /* do not wait for the peer to close the connection. + */ + gnutls_bye(session, GNUTLS_SHUT_WR); + + close(fd); + gnutls_deinit(session); + + gnutls_certificate_free_credentials(serverx509cred); + + gnutls_global_deinit(); + + if (debug) + success("server: finished\n"); +} + +static void terminate(void) +{ + int status = 0; + + kill(child, SIGTERM); + wait(&status); + exit(1); +} + +static void +run(const char *prio, unsigned int exp_call_count) +{ + int fd[2]; + int ret; + + signal(SIGPIPE, SIG_IGN); + + ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd); + if (ret < 0) { + perror("socketpair"); + exit(1); + } + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + exit(1); + } + + if (child) { + int status = 0; + /* parent */ + + server(fd[0], prio, exp_call_count); + wait(&status); + check_wait_status(status); + } else { + close(fd[0]); + client(fd[1], prio, exp_call_count); + exit(0); + } +} + +void doit(void) +{ + run("NORMAL:-VERS-ALL:+VERS-TLS1.3", 5); +} + +#endif /* _WIN32 */ diff --git a/tests/missingissuer.c b/tests/missingissuer.c new file mode 100644 index 0000000000..49fef8f7b3 --- /dev/null +++ b/tests/missingissuer.c @@ -0,0 +1,241 @@ +/* + * Copyright (C) 2008-2014 Free Software Foundation, Inc. + * + * Author: Simon Josefsson, Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <assert.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <gnutls/abstract.h> + +#include "utils.h" +#include "test-chains-issuer.h" + +#define DEFAULT_THEN 1256803113 +static time_t then = DEFAULT_THEN; + +/* GnuTLS internally calls time() to find out the current time when + verifying certificates. To avoid a time bomb, we hard code the + current time. This should work fine on systems where the library + call to time is resolved at run-time. */ +static time_t mytime(time_t * t) +{ + if (t) + *t = then; + + return then; +} + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +static int getissuer_callback(gnutls_x509_trust_list_t tlist, + const gnutls_x509_crt_t crt) +{ + gnutls_x509_crt_t issuer; + gnutls_datum_t tmp; + int ret; + + ret = gnutls_x509_crt_init(&issuer); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + return -1; + } + + tmp.data = (unsigned char *)missing_cert_insert; + tmp.size = strlen(missing_cert_insert); + + ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + gnutls_x509_crt_deinit(issuer); + return -1; + } + + /* This transfers the ownership of `issuer` to `tlist`. */ + ret = gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + gnutls_x509_crt_deinit(issuer); + return -1; + } + + assert(gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0); + + if (debug) + printf("\t Certificate missing issuer is: %.*s\n", + tmp.size, tmp.data); + gnutls_free(tmp.data); + + assert(gnutls_x509_crt_print(issuer, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0); + + if (debug) + printf("\t Appended issuer certificate is: %.*s\n", + tmp.size, tmp.data); + gnutls_free(tmp.data); + return 0; + +} + +void doit(void) +{ + int exit_val = 0; + int ret; + gnutls_x509_trust_list_t tl; + unsigned int verify_status; + gnutls_x509_crt_t certs[MAX_CHAIN]; + gnutls_x509_crt_t ca; + gnutls_datum_t tmp; + size_t j; + + /* The overloading of time() seems to work in linux (ELF?) + * systems only. Disable it on windows. + */ +#ifdef _WIN32 + exit(77); +#endif + + ret = global_init(); + if (ret != 0) { + fail("%d: %s\n", ret, gnutls_strerror(ret)); + exit(1); + } + + gnutls_global_set_time_function(mytime); + gnutls_global_set_log_function(tls_log_func); + + if (debug) + gnutls_global_set_log_level(4711); + + for (j = 0; j < MAX_CHAIN; j++) { + if (debug > 2) + printf("\tAdding certificate %d...", (int)j); + + ret = gnutls_x509_crt_init(&certs[j]); + if (ret < 0) { + fprintf(stderr, + "gnutls_x509_crt_init[%d]: %s\n", + (int)j, gnutls_strerror(ret)); + exit(1); + } + + tmp.data = (unsigned char *)missing_issuer_chain[j]; + tmp.size = strlen(missing_issuer_chain[j]); + + ret = + gnutls_x509_crt_import(certs[j], &tmp, + GNUTLS_X509_FMT_PEM); + if (debug > 2) + printf("done\n"); + if (ret < 0) { + fprintf(stderr, + "gnutls_x509_crt_import[%d]: %s\n", + (int)j, + gnutls_strerror(ret)); + exit(1); + } + + gnutls_x509_crt_print(certs[j], + GNUTLS_CRT_PRINT_ONELINE, &tmp); + if (debug) + printf("\tCertificate %d: %.*s\n", (int)j, + tmp.size, tmp.data); + gnutls_free(tmp.data); + } + + if (debug > 2) + printf("\tAdding CA certificate..."); + + ret = gnutls_x509_crt_init(&ca); + if (ret < 0) { + fprintf(stderr, "gnutls_x509_crt_init: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + tmp.data = (unsigned char *)missing_issuer_chain[MAX_CHAIN-1]; + tmp.size = strlen(missing_issuer_chain[MAX_CHAIN-1]); + + ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "gnutls_x509_crt_import: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (debug > 2) + printf("done\n"); + + gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp); + if (debug) + printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); + gnutls_free(tmp.data); + + if (debug) + printf("\tVerifying..."); + + gnutls_x509_trust_list_init(&tl, 0); + + ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); + if (ret != 1) { + fail("gnutls_x509_trust_list_add_trust_mem\n"); + exit(1); + } + + gnutls_x509_trust_list_set_getissuer_function(tl, getissuer_callback); + + ret = gnutls_x509_trust_list_verify_crt(tl, certs, MAX_CHAIN, + 0, + &verify_status, + NULL); + if (ret < 0) { + fprintf(stderr, + "gnutls_x509_crt_list_verify: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if (debug) + printf("\tCleanup..."); + + gnutls_x509_trust_list_deinit(tl, 1); + + for (j = 0; j < MAX_CHAIN; j++) + gnutls_x509_crt_deinit(certs[j]); + + if (debug) + printf("done\n\n\n"); + + gnutls_global_deinit(); + + if (debug) + printf("Exit status...%d\n", exit_val); + + exit(exit_val); +} diff --git a/tests/missingissuer_aia.c b/tests/missingissuer_aia.c new file mode 100644 index 0000000000..8ed534b24c --- /dev/null +++ b/tests/missingissuer_aia.c @@ -0,0 +1,255 @@ +/* + * Copyright (C) 2008-2014 Free Software Foundation, Inc. + * + * Author: Simon Josefsson, Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <assert.h> + +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#include <gnutls/abstract.h> + +#include "utils.h" +#include "test-chains-issuer-aia.h" + +#define DEFAULT_THEN 1256803113 +static time_t then = DEFAULT_THEN; + +/* GnuTLS internally calls time() to find out the current time when + verifying certificates. To avoid a time bomb, we hard code the + current time. This should work fine on systems where the library + call to time is resolved at run-time. */ +static time_t mytime(time_t * t) +{ + if (t) + *t = then; + + return then; +} + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "|<%d>| %s", level, str); +} + +static int getissuer_callback(gnutls_x509_trust_list_t tlist, + const gnutls_x509_crt_t crt) +{ + int ret; + gnutls_x509_crt_t issuer; + gnutls_datum_t aia; + gnutls_datum_t tmp; + + assert(gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0); + + if (debug) + printf("\t Certificate missing issuer is: %.*s\n", + tmp.size, tmp.data); + gnutls_free(tmp.data); + + ret = gnutls_x509_crt_init(&issuer); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + return -1; + } + + ret = gnutls_x509_crt_get_authority_info_access(crt, 1, + GNUTLS_IA_CAISSUERS_URI, &aia, NULL); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + gnutls_free(aia.data); + return -1; + } + + if (debug) + printf("\t AIA URI from the cert is: %s\n", aia.data); + gnutls_free(aia.data); + + /* Download the cert from the above URI and append it to issuer */ + + tmp.data = (unsigned char *)missing_cert_aia_insert; + tmp.size = strlen(missing_cert_aia_insert); + + ret = gnutls_x509_crt_import(issuer, &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + gnutls_x509_crt_deinit(issuer); + return -1; + } + + /* This transfers the ownership of `issuer` to `tlist`. */ + ret = gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0); + if (ret < 0) { + fprintf(stderr, "error: %s\n", gnutls_strerror(ret)); + gnutls_x509_crt_deinit(issuer); + return -1; + } + + assert(gnutls_x509_crt_print(issuer, GNUTLS_CRT_PRINT_ONELINE, &tmp) >= 0); + + if (debug) + printf("\t Appended missing certificate is: %.*s\n", + tmp.size, tmp.data); + gnutls_free(tmp.data); + return 0; +} + +void doit(void) +{ + int exit_val = 0; + int ret; + gnutls_x509_trust_list_t tl; + unsigned int verify_status; + gnutls_x509_crt_t certs[MAX_CHAIN]; + gnutls_x509_crt_t ca; + gnutls_datum_t tmp; + size_t j; + + /* The overloading of time() seems to work in linux (ELF?) + * systems only. Disable it on windows. + */ +#ifdef _WIN32 + exit(77); +#endif + + ret = global_init(); + if (ret != 0) { + fail("%d: %s\n", ret, gnutls_strerror(ret)); + exit(1); + } + + gnutls_global_set_time_function(mytime); + gnutls_global_set_log_function(tls_log_func); + + if (debug) + gnutls_global_set_log_level(4711); + + for (j = 0; j < MAX_CHAIN; j++) { + if (debug > 2) + printf("\tAdding certificate %d...", (int)j); + + ret = gnutls_x509_crt_init(&certs[j]); + if (ret < 0) { + fprintf(stderr, + "gnutls_x509_crt_init[%d]: %s\n", + (int)j, gnutls_strerror(ret)); + exit(1); + } + + tmp.data = (unsigned char *)missing_cert_aia[j]; + tmp.size = strlen(missing_cert_aia[j]); + + ret = + gnutls_x509_crt_import(certs[j], &tmp, + GNUTLS_X509_FMT_PEM); + if (debug > 2) + printf("done\n"); + if (ret < 0) { + fprintf(stderr, + "gnutls_x509_crt_import[%d]: %s\n", + (int)j, + gnutls_strerror(ret)); + exit(1); + } + + gnutls_x509_crt_print(certs[j], + GNUTLS_CRT_PRINT_ONELINE, &tmp); + if (debug) + printf("\tCertificate %d: %.*s\n", (int)j, + tmp.size, tmp.data); + gnutls_free(tmp.data); + } + + if (debug > 2) + printf("\tAdding CA certificate..."); + + ret = gnutls_x509_crt_init(&ca); + if (ret < 0) { + fprintf(stderr, "gnutls_x509_crt_init: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + tmp.data = (unsigned char *)missing_cert_aia[MAX_CHAIN-1]; + tmp.size = strlen(missing_cert_aia[MAX_CHAIN-1]); + + ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fprintf(stderr, "gnutls_x509_crt_import: %s\n", + gnutls_strerror(ret)); + exit(1); + } + + if (debug > 2) + printf("done\n"); + + gnutls_x509_crt_print(ca, GNUTLS_CRT_PRINT_ONELINE, &tmp); + if (debug) + printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); + gnutls_free(tmp.data); + + if (debug) + printf("\tVerifying..."); + + gnutls_x509_trust_list_init(&tl, 0); + + ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); + if (ret != 1) { + fail("gnutls_x509_trust_list_add_trust_mem\n"); + exit(1); + } + + gnutls_x509_trust_list_set_getissuer_function(tl, getissuer_callback); + + ret = gnutls_x509_trust_list_verify_crt(tl, certs, MAX_CHAIN, + 0, + &verify_status, + NULL); + if (ret < 0) { + fprintf(stderr, + "gnutls_x509_crt_list_verify: %s\n", gnutls_strerror(ret)); + exit(1); + } + + if (debug) + printf("\tCleanup..."); + + gnutls_x509_trust_list_deinit(tl, 1); + + for (j = 0; j < MAX_CHAIN; j++) + gnutls_x509_crt_deinit(certs[j]); + + if (debug) + printf("done\n\n\n"); + + gnutls_global_deinit(); + + if (debug) + printf("Exit status...%d\n", exit_val); + + exit(exit_val); +} diff --git a/tests/mpi.c b/tests/mpi.c index 604024622d..65a0dd0516 100644 --- a/tests/mpi.c +++ b/tests/mpi.c @@ -26,12 +26,15 @@ #include <stdio.h> -#include "utils.h" #include "../lib/gnutls_int.h" #include "../lib/mpi.h" #include "../lib/errors.h" #include "../lib/debug.h" +/* utils.h must be loaded after gnutls_int.h, as it redefines some + * macros from gnulib */ +#include "utils.h" + static void tls_log_func(int level, const char *str) { fprintf(stderr, "|<%d>| %s", level, str); diff --git a/tests/ocsp-tests/ocsp-load-chain b/tests/ocsp-tests/ocsp-load-chain index 04de48f7ed..0822bc3d99 100755 --- a/tests/ocsp-tests/ocsp-load-chain +++ b/tests/ocsp-tests/ocsp-load-chain @@ -31,7 +31,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge datefudge -s "2017-06-19" \ "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection index 490cc032f0..49c355dda3 100755 --- a/tests/ocsp-tests/ocsp-must-staple-connection +++ b/tests/ocsp-tests/ocsp-must-staple-connection @@ -53,7 +53,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/ocsp-tests/ocsp-test b/tests/ocsp-tests/ocsp-test index 3730175208..bc2641a22e 100755 --- a/tests/ocsp-tests/ocsp-test +++ b/tests/ocsp-tests/ocsp-test @@ -32,7 +32,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation diff --git a/tests/ocsp-tests/ocsp-tls-connection b/tests/ocsp-tests/ocsp-tls-connection index bcc77ec2d9..870f4ff78b 100755 --- a/tests/ocsp-tests/ocsp-tls-connection +++ b/tests/ocsp-tests/ocsp-tls-connection @@ -54,7 +54,7 @@ export TZ="UTC" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge eval "${GETPORT}" # Port for gnutls-serv diff --git a/tests/pkcs11/pkcs11-ec-privkey-test.c b/tests/pkcs11/pkcs11-ec-privkey-test.c index c256e6b0d9..1b24c8150f 100644 --- a/tests/pkcs11/pkcs11-ec-privkey-test.c +++ b/tests/pkcs11/pkcs11-ec-privkey-test.c @@ -79,6 +79,8 @@ void doit(void) gnutls_privkey_t pkey; gnutls_pubkey_t pubkey; gnutls_pubkey_t pubkey2; + gnutls_pubkey_t pubkey3; + gnutls_pubkey_t pubkey4; unsigned i; bin = softhsm_bin(); @@ -180,8 +182,21 @@ void doit(void) exit(1); } + /* Write pubkey to the card too */ + assert(gnutls_pubkey_init(&pubkey) == 0); + assert(gnutls_pubkey_import_x509(pubkey, crt, 0) == 0); + + ret = gnutls_pkcs11_copy_pubkey(SOFTHSM_URL, pubkey, "cert", NULL, + GNUTLS_KEY_DIGITAL_SIGNATURE | + GNUTLS_KEY_KEY_ENCIPHERMENT, 0); + if (ret < 0) { + fail("gnutls_pkcs11_copy_pubkey: %s\n", + gnutls_strerror(ret)); + } + gnutls_x509_crt_deinit(crt); gnutls_x509_privkey_deinit(key); + gnutls_pubkey_deinit(pubkey); gnutls_pkcs11_set_pin_function(NULL, NULL); assert(gnutls_privkey_init(&pkey) == 0); @@ -192,6 +207,31 @@ void doit(void) exit(1); } + /* Try to read the public key with public key URI */ + assert(gnutls_pubkey_init(&pubkey3) == 0); + + + ret = + gnutls_pubkey_import_pkcs11_url(pubkey3, + SOFTHSM_URL + ";object=cert;object-type=public;pin-value=" + PIN, 0); + if (ret < 0) { + fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); + } + + /* Try to read the public key with certificate URI */ + assert(gnutls_pubkey_init(&pubkey4) == 0); + + ret = + gnutls_pubkey_import_pkcs11_url(pubkey4, + SOFTHSM_URL + ";object=cert;object-type=cert;pin-value=" + PIN, 0); + if (ret < 0) { + fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); + } + assert(gnutls_pubkey_init(&pubkey) == 0); assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); @@ -228,6 +268,8 @@ void doit(void) gnutls_free(s.data); } + gnutls_pubkey_deinit(pubkey4); + gnutls_pubkey_deinit(pubkey3); gnutls_pubkey_deinit(pubkey2); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(pkey); diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c index 5bc653e029..44515da3f4 100644 --- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c +++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c @@ -94,6 +94,8 @@ void doit(void) gnutls_privkey_t pkey; gnutls_pubkey_t pubkey; gnutls_pubkey_t pubkey2; + gnutls_pubkey_t pubkey3; + gnutls_pubkey_t pubkey4; unsigned i, sigalgo; bin = softhsm_bin(); @@ -188,8 +190,21 @@ void doit(void) gnutls_strerror(ret)); } + /* Write pubkey to the card too */ + assert(gnutls_pubkey_init(&pubkey) == 0); + assert(gnutls_pubkey_import_x509(pubkey, crt, 0) == 0); + + ret = gnutls_pkcs11_copy_pubkey(SOFTHSM_URL, pubkey, "cert", NULL, + GNUTLS_KEY_DIGITAL_SIGNATURE | + GNUTLS_KEY_KEY_ENCIPHERMENT, 0); + if (ret < 0) { + fail("gnutls_pkcs11_copy_pubkey: %s\n", + gnutls_strerror(ret)); + } + gnutls_x509_crt_deinit(crt); gnutls_x509_privkey_deinit(key); + gnutls_pubkey_deinit(pubkey); gnutls_pkcs11_set_pin_function(NULL, NULL); assert(gnutls_privkey_init(&pkey) == 0); @@ -203,6 +218,31 @@ void doit(void) fail("error in gnutls_privkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); } + /* Try to read the public key with public key URI */ + assert(gnutls_pubkey_init(&pubkey3) == 0); + + + ret = + gnutls_pubkey_import_pkcs11_url(pubkey3, + SOFTHSM_URL + ";object=cert;object-type=public;pin-value=" + PIN, 0); + if (ret < 0) { + fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); + } + + /* Try to read the public key with certificate URI */ + assert(gnutls_pubkey_init(&pubkey4) == 0); + + ret = + gnutls_pubkey_import_pkcs11_url(pubkey4, + SOFTHSM_URL + ";object=cert;object-type=cert;pin-value=" + PIN, 0); + if (ret < 0) { + fail("error in gnutls_pubkey_import_pkcs11_url: %s\n", gnutls_strerror(ret)); + } + assert(gnutls_pubkey_init(&pubkey) == 0); assert(gnutls_pubkey_import_privkey(pubkey, pkey, 0, 0) == 0); @@ -241,6 +281,9 @@ void doit(void) gnutls_free(sig.data); } + /* TODO is there any sensible way to check the pubkeys are the same? */ + gnutls_pubkey_deinit(pubkey4); + gnutls_pubkey_deinit(pubkey3); gnutls_pubkey_deinit(pubkey2); gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(pkey); diff --git a/tests/pkcs12_s2k.c b/tests/pkcs12_s2k.c index 7301f293f5..1516afbf35 100644 --- a/tests/pkcs12_s2k.c +++ b/tests/pkcs12_s2k.c @@ -26,11 +26,14 @@ #include <stdio.h> -#include <utils.h> #include "../lib/gnutls_int.h" #include "../lib/x509/x509_int.h" #include "../lib/debug.h" +/* utils.h must be loaded after gnutls_int.h, as it redefines some + * macros from gnulib */ +#include <utils.h> + static void tls_log_func(int level, const char *str) { fprintf(stderr, "|<%d>| %s", level, str); diff --git a/tests/pkcs7-cat.sh b/tests/pkcs7-cat.sh index 2f3b0b0b35..a7a53a431a 100755 --- a/tests/pkcs7-cat.sh +++ b/tests/pkcs7-cat.sh @@ -34,7 +34,7 @@ fi . ${srcdir}/scripts/common.sh -check_for_datefudge +skip_if_no_datefudge #try verification datefudge -s "2010-10-10" \ diff --git a/tests/prf.c b/tests/prf.c index c4c7a0dac2..aa4f36af6a 100644 --- a/tests/prf.c +++ b/tests/prf.c @@ -323,6 +323,12 @@ static void client(int fd) exit(1); } + ret = gnutls_prf_hash_get(session); + if (ret != GNUTLS_DIG_MD5_SHA1) { + fprintf(stderr, "negotiated unexpected hash: %s\n", gnutls_digest_get_name(ret)); + exit(1); + } + check_prfs(session); gnutls_bye(session, GNUTLS_SHUT_WR); diff --git a/tests/psk-file.c b/tests/psk-file.c index 22e744f1a7..703043ec40 100644 --- a/tests/psk-file.c +++ b/tests/psk-file.c @@ -54,6 +54,36 @@ int main(int argc, char **argv) #include "utils.h" +static char hexchar(unsigned int val) +{ + if (val < 10) + return '0' + val; + if (val < 16) + return 'a' + val - 10; + abort(); +} + +static bool hex_encode(const void *buf, size_t bufsize, char *dest, size_t destsize) +{ + size_t used = 0; + + if (destsize < 1) + return false; + + while (used < bufsize) { + unsigned int c = ((const unsigned char *)buf)[used]; + if (destsize < 3) + return false; + *(dest++) = hexchar(c >> 4); + *(dest++) = hexchar(c & 0xF); + used++; + destsize -= 2; + } + *dest = '\0'; + + return used + 1; +} + /* A very basic TLS client, with PSK authentication. */ @@ -67,8 +97,8 @@ static void tls_log_func(int level, const char *str) #define MAX_BUF 1024 #define MSG "Hello TLS" -static void client(int sd, const char *prio, const char *user, const gnutls_datum_t *key, - unsigned expect_hint, int expect_fail, int exp_kx) +static void client(int sd, const char *prio, const gnutls_datum_t *user, const gnutls_datum_t *key, + unsigned expect_hint, int expect_fail, int exp_kx, unsigned binary_user) { int ret, ii, kx; gnutls_session_t session; @@ -84,8 +114,13 @@ static void client(int sd, const char *prio, const char *user, const gnutls_datu side = "client"; gnutls_psk_allocate_client_credentials(&pskcred); - gnutls_psk_set_client_credentials(pskcred, user, key, - GNUTLS_PSK_KEY_HEX); + + if (binary_user) { + gnutls_psk_set_client_credentials2(pskcred, user, key, GNUTLS_PSK_KEY_HEX); + } else { + gnutls_psk_set_client_credentials(pskcred, (const char *) user->data, key, + GNUTLS_PSK_KEY_HEX); + } assert(gnutls_init(&session, GNUTLS_CLIENT|GNUTLS_KEY_SHARE_TOP)>=0); @@ -173,13 +208,14 @@ static void client(int sd, const char *prio, const char *user, const gnutls_datu #define MAX_BUF 1024 -static void server(int sd, const char *prio, const char *user, bool no_cred, - int expect_fail, int exp_kx) +static void server(int sd, const char *prio, const gnutls_datum_t *user, bool no_cred, + int expect_fail, int exp_kx, unsigned binary_user) { gnutls_psk_server_credentials_t server_pskcred; int ret, kx; gnutls_session_t session; const char *pskid; + gnutls_datum_t pskid_binary; char buffer[MAX_BUF + 1]; char *psk_file = getenv("PSK_FILE"); char *desc; @@ -219,7 +255,7 @@ static void server(int sd, const char *prio, const char *user, bool no_cred, gnutls_alert_send_appropriate(session, ret); /* We have to make sure that we do not close connection till - * test client reads our fatal alert, otherwise it migh exit + * test client reads our fatal alert, otherwise it might exit * with GNUTLS_E_PUSH_ERROR instead */ gnutls_session_force_valid(session); while ((gnutls_record_recv_seq(session, buf, sizeof(buf), seq)) >= 0) @@ -281,10 +317,24 @@ static void server(int sd, const char *prio, const char *user, bool no_cred, fail("server: expected failure but connection succeeded!\n"); if (!no_cred) { - pskid = gnutls_psk_server_get_username(session); - if (pskid == NULL || strcmp(pskid, user) != 0) { - fail("server: username (%s), does not match expected (%s)\n", - pskid, user); + if (binary_user) { + char pskid_bin[1024], userdata_bin[1024]; + + if (gnutls_psk_server_get_username2(session, &pskid_binary)) + fail("server: Could not get binary pskid\n"); + + if (memcmp(pskid_binary.data, user->data, user->size) != 0) { + hex_encode(user->data, user->size, userdata_bin, sizeof(userdata_bin)); + hex_encode(pskid_binary.data, pskid_binary.size, pskid_bin, sizeof(pskid_bin)); + fail("server: binary username (%s) does not match expected (%s)\n", + pskid_bin, userdata_bin); + } + } else { + pskid = gnutls_psk_server_get_username(session); + if (pskid == NULL || strcmp(pskid, (const char *) user->data) != 0) { + fail("server: username (%s), does not match expected (%s)\n", + pskid, (const char *) user->data); + } } } @@ -306,9 +356,20 @@ static void server(int sd, const char *prio, const char *user, bool no_cred, success("server: finished\n"); } +static void print_user(const char *caption, const char *prio, const gnutls_datum_t *user, unsigned binary_user) +{ + char hexuser[100]; + + if (binary_user) { + hex_encode(user->data, user->size, hexuser, sizeof(hexuser)); + success("%s %s (user:%s)\n", caption, prio, hexuser); + } else + success("%s %s (user:%s)\n", caption, prio, (const char *) user->data); +} + static -void run_test3(const char *prio, const char *sprio, const char *user, const gnutls_datum_t *key, bool no_cred, - unsigned expect_hint, int exp_kx, int expect_fail_cli, int expect_fail_serv) +void run_test3(const char *prio, const char *sprio, const gnutls_datum_t *user, const gnutls_datum_t *key, bool no_cred, + unsigned expect_hint, int exp_kx, int expect_fail_cli, int expect_fail_serv, unsigned binary_user) { pid_t child; int err; @@ -316,11 +377,10 @@ void run_test3(const char *prio, const char *sprio, const char *user, const gnut signal(SIGPIPE, SIG_IGN); - if (expect_fail_serv || expect_fail_cli) { - success("ntest %s (user:%s)\n", prio, user); - } else { - success("test %s (user:%s)\n", prio, user); - } + if (expect_fail_serv || expect_fail_cli) + print_user("ntest", prio, user, binary_user); + else + print_user("test", prio, user, binary_user); err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); if (err == -1) { @@ -340,86 +400,155 @@ void run_test3(const char *prio, const char *sprio, const char *user, const gnut close(sockets[1]); int status; /* parent */ - server(sockets[0], sprio?sprio:prio, user, no_cred, expect_fail_serv, exp_kx); + server(sockets[0], sprio?sprio:prio, user, no_cred, expect_fail_serv, exp_kx, binary_user); wait(&status); check_wait_status(status); } else { close(sockets[0]); - client(sockets[1], prio, user, key, expect_hint, expect_fail_cli, exp_kx); + client(sockets[1], prio, user, key, expect_hint, expect_fail_cli, exp_kx, binary_user); exit(0); } } static -void run_test2(const char *prio, const char *sprio, const char *user, const gnutls_datum_t *key, - unsigned expect_hint, int exp_kx, int expect_fail_cli, int expect_fail_serv) +void run_test2(const char *prio, const char *sprio, const gnutls_datum_t *user, const gnutls_datum_t *key, + unsigned expect_hint, int exp_kx, int expect_fail_cli, int expect_fail_serv, unsigned binary_user) { - run_test3(prio, sprio, user, key, 0, expect_hint, exp_kx, expect_fail_cli, expect_fail_serv); + run_test3(prio, sprio, user, key, 0, expect_hint, exp_kx, expect_fail_cli, expect_fail_serv, binary_user); } static -void run_test_ok(const char *prio, const char *user, const gnutls_datum_t *key, unsigned expect_hint, int expect_fail) +void run_test_ok(const char *prio, const gnutls_datum_t *user, const gnutls_datum_t *key, unsigned expect_hint, int expect_fail, unsigned binary_user) { - run_test2(prio, NULL, user, key, expect_hint, GNUTLS_KX_PSK, expect_fail, expect_fail); + run_test2(prio, NULL, user, key, expect_hint, GNUTLS_KX_PSK, expect_fail, expect_fail, binary_user); } static -void run_ectest_ok(const char *prio, const char *user, const gnutls_datum_t *key, unsigned expect_hint, int expect_fail) +void run_ectest_ok(const char *prio, const gnutls_datum_t *user, const gnutls_datum_t *key, unsigned expect_hint, int expect_fail, unsigned binary_user) { - run_test2(prio, NULL, user, key, expect_hint, GNUTLS_KX_ECDHE_PSK, expect_fail, expect_fail); + run_test2(prio, NULL, user, key, expect_hint, GNUTLS_KX_ECDHE_PSK, expect_fail, expect_fail, binary_user); } static -void run_dhtest_ok(const char *prio, const char *user, const gnutls_datum_t *key, unsigned expect_hint, int expect_fail) +void run_dhtest_ok(const char *prio, const gnutls_datum_t *user, const gnutls_datum_t *key, unsigned expect_hint, int expect_fail, unsigned binary_user) { - run_test2(prio, NULL, user, key, expect_hint, GNUTLS_KX_DHE_PSK, expect_fail, expect_fail); + run_test2(prio, NULL, user, key, expect_hint, GNUTLS_KX_DHE_PSK, expect_fail, expect_fail, binary_user); } void doit(void) { + char hexuser[] = { 0xde, 0xad, 0xbe, 0xef }, + nulluser1[] = { 0 }, + nulluser2[] = { 0, 0, 0xaa, 0 }; + const gnutls_datum_t user_jas = { (void *) "jas", strlen("jas") }; + const gnutls_datum_t user_unknown = { (void *) "unknown", strlen("unknown") }; + const gnutls_datum_t user_nonhex = { (void *) "non-hex", strlen("non-hex") }; + const gnutls_datum_t user_hex = { (void *) hexuser, sizeof(hexuser) }; + const gnutls_datum_t user_null_1 = { (void *) nulluser1, sizeof(nulluser1) }; + const gnutls_datum_t user_null_2 = { (void *) nulluser2, sizeof(nulluser2) }; const gnutls_datum_t key = { (void *) "9e32cf7786321a828ef7668f09fb35db", 32 }; const gnutls_datum_t wrong_key = { (void *) "9e31cf7786321a828ef7668f09fb35db", 32 }; - run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", "jas", &key, 1, 0); - run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", "jas", &key, 1, 0); - run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", "jas", &key, 1, 0); - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, "unknown", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED); - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, "jas", &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED); - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, "non-hex", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR); - - run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", "jas", &key, 1, 0); - run_test_ok("NORMAL:-KX-ALL:+PSK", "jas", &key, 0, 0); - run_test2("NORMAL:+PSK", NULL, "unknown", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - run_test2("NORMAL:+PSK", NULL, "jas", &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - run_test2("NORMAL:-KX-ALL:+PSK", NULL, "non-hex", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR); - - run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-EC-ALL", "jas", &key, 0, 0); - run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", "jas", &key, 0, 0); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", &user_jas, &key, 1, 0, 0); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", &user_hex, &key, 1, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", &user_null_1, &key, 1, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", &user_null_2, &key, 1, 0, 1); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", &user_jas, &key, 1, 0, 0); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", &user_hex, &key, 1, 0, 1); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", &user_null_1, &key, 1, 0, 1); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", &user_null_2, &key, 1, 0, 1); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", &user_jas, &key, 1, 0, 0); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", &user_hex, &key, 1, 0, 1); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", &user_null_1, &key, 1, 0, 1); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", &user_null_2, &key, 1, 0, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, &user_unknown, &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, &user_jas, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, &user_nonhex, &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, &user_hex, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, &user_null_1, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", NULL, &user_null_2, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED, 1); + + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", &user_jas, &key, 1, 0, 0); + run_test_ok("NORMAL:-KX-ALL:+PSK", &user_jas, &key, 0, 0, 0); + run_test_ok("NORMAL:-KX-ALL:+PSK", &user_hex, &key, 0, 0, 1); + run_test_ok("NORMAL:-KX-ALL:+PSK", &user_null_1, &key, 0, 0, 1); + run_test_ok("NORMAL:-KX-ALL:+PSK", &user_null_2, &key, 0, 0, 1); + run_test2("NORMAL:+PSK", NULL, &user_unknown, &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 0); + run_test2("NORMAL:+PSK", NULL, &user_jas, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 0); + run_test2("NORMAL:+PSK", NULL, &user_hex, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1); + run_test2("NORMAL:+PSK", NULL, &user_null_1, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1); + run_test2("NORMAL:+PSK", NULL, &user_null_2, &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1); + run_test2("NORMAL:-KX-ALL:+PSK", NULL, &user_nonhex, &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR, 0); + + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-EC-ALL", &user_jas, &key, 0, 0, 0); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-EC-ALL", &user_hex, &key, 0, 0, 1); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-EC-ALL", &user_null_1, &key, 0, 0, 1); + run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-EC-ALL", &user_null_2, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", &user_jas, &key, 0, 0, 0); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", &user_hex, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", &user_null_1, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", &user_null_2, &key, 0, 0, 1); /* test priorities of DHE-PSK and PSK */ - run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", "jas", &key, 0, 0); - run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:-GROUP-DH-ALL", "jas", &key, 0, 0); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", &user_jas, &key, 0, 0, 0); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", &user_hex, &key, 0, 0, 1); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", &user_null_1, &key, 0, 0, 1); + run_ectest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", &user_null_2, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:-GROUP-DH-ALL", &user_jas, &key, 0, 0, 0); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:-GROUP-DH-ALL", &user_hex, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:-GROUP-DH-ALL", &user_null_1, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:-GROUP-DH-ALL", &user_null_2, &key, 0, 0, 1); run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:%SERVER_PRECEDENCE:-GROUP-DH-ALL", - "jas", &key, 0, GNUTLS_KX_PSK, 0, 0); + &user_jas, &key, 0, GNUTLS_KX_PSK, 0, 0, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", + "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:%SERVER_PRECEDENCE:-GROUP-DH-ALL", + &user_hex, &key, 0, GNUTLS_KX_PSK, 0, 0, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", + "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:%SERVER_PRECEDENCE:-GROUP-DH-ALL", + &user_null_1, &key, 0, GNUTLS_KX_PSK, 0, 0, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+DHE-PSK:+PSK:-GROUP-DH-ALL", + "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+PSK:+DHE-PSK:%SERVER_PRECEDENCE:-GROUP-DH-ALL", + &user_null_2, &key, 0, GNUTLS_KX_PSK, 0, 0, 1); /* try with PRF that doesn't match binder (SHA256) */ - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, &user_jas, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, &user_hex, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, &user_null_1, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-256-GCM:+PSK:+DHE-PSK", NULL, &user_null_2, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_CIPHER_SUITES, 1); /* try with no groups and PSK */ - run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", "jas", &key, 0, 0); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", &user_jas, &key, 0, 0, 0); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", &user_hex, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", &user_null_1, &key, 0, 0, 1); + run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-GROUP-ALL", &user_null_2, &key, 0, 0, 1); /* try without any groups but DHE-PSK */ - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK", "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE); - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK:-GROUP-ALL", "jas", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK", &user_jas, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK:-GROUP-ALL", &user_jas, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK", &user_hex, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK:-GROUP-ALL", &user_hex, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK", &user_null_1, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK:-GROUP-ALL", &user_null_1, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK", &user_null_2, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:+PSK:-GROUP-ALL", &user_null_2, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_NO_COMMON_KEY_SHARE, 1); /* if user invalid we continue without PSK */ - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, "non-hex", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR); - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, "unknown", &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, "jas", &wrong_key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_nonhex, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_unknown, &key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_jas, &wrong_key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_hex, &wrong_key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_null_1, &wrong_key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_null_2, &wrong_key, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, 1); /* try with HelloRetryRequest and PSK */ - run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE4096", "jas", &key, 0, GNUTLS_KX_DHE_PSK, 0, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE4096", &user_jas, &key, 0, GNUTLS_KX_DHE_PSK, 0, 0, 0); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE4096", &user_hex, &key, 0, GNUTLS_KX_DHE_PSK, 0, 0, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE4096", &user_null_1, &key, 0, GNUTLS_KX_DHE_PSK, 0, 0, 1); + run_test2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE4096", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-ALL:+GROUP-FFDHE4096", &user_null_2, &key, 0, GNUTLS_KX_DHE_PSK, 0, 0, 1); /* try without server credentials */ - run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, "jas", &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_CREDENTIALS); + run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_jas, &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_CREDENTIALS, 0); + run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_hex, &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1); + run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_null_1, &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1); + run_test3("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:+DHE-PSK", NULL, &user_null_2, &key, 1, 0, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_INSUFFICIENT_CREDENTIALS, 1); } #endif /* _WIN32 */ diff --git a/tests/psk.passwd b/tests/psk.passwd index 3dd998e2dc..db1edbd24f 100644 --- a/tests/psk.passwd +++ b/tests/psk.passwd @@ -1,2 +1,5 @@ jas:9e32cf7786321a828ef7668f09fb35db non-hex:9e32cf7786321a828ef7668f09fb35dbxx +#deadbeef:9e32cf7786321a828ef7668f09fb35db +#00:9e32cf7786321a828ef7668f09fb35db +#0000aa00:9e32cf7786321a828ef7668f09fb35db diff --git a/tests/pskself2.c b/tests/pskself2.c new file mode 100644 index 0000000000..81286a035b --- /dev/null +++ b/tests/pskself2.c @@ -0,0 +1,347 @@ +/* + * Copyright (C) 2004-2012 Free Software Foundation, Inc. + * Copyright (C) 2013 Adam Sampson <ats@offog.org> + * Copyright (C) 2019 Free Software Foundation, Inc. + * + * Author: Simon Josefsson, Ander Juaristi + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from pskself.c. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int main(int argc, char **argv) +{ + exit(77); +} + +#else + +#include <string.h> +#include <sys/types.h> +#include <sys/socket.h> +#if !defined(_WIN32) +#include <sys/wait.h> +#endif +#include <unistd.h> +#include <gnutls/gnutls.h> + +#include "utils.h" +#include "extras/hex.h" + +/* A very basic TLS client, with PSK authentication. + */ + +const char *side = ""; + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "%s|<%d>| %s", side, level, str); +} + +#define MAX_BUF 1024 +#define MSG "Hello TLS" + +static void client(int sd, const char *prio, unsigned exp_hint) +{ + int ret, ii; + gnutls_session_t session; + char buffer[MAX_BUF + 1]; + gnutls_psk_client_credentials_t pskcred; + /* Need to enable anonymous KX specifically. */ + const gnutls_datum_t key = { (void *) "DEADBEEF", 8 }; + gnutls_datum_t user; + const char *hint; + + global_init(); + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + side = "client"; + + user.data = gnutls_malloc(4); + user.data[0] = 0xCA; + user.data[1] = 0xFE; + user.data[2] = 0xCA; + user.data[3] = 0xFE; + user.size = 4; + + gnutls_psk_allocate_client_credentials(&pskcred); + ret = gnutls_psk_set_client_credentials2(pskcred, &user, &key, + GNUTLS_PSK_KEY_HEX); + if (ret < 0) { + fail("client: Could not set PSK\n"); + gnutls_perror(ret); + goto end; + } + + /* Initialize TLS session + */ + gnutls_init(&session, GNUTLS_CLIENT); + + /* Use default priorities */ + gnutls_priority_set_direct(session, prio, NULL); + + /* put the anonymous credentials to the current session + */ + gnutls_credentials_set(session, GNUTLS_CRD_PSK, pskcred); + + gnutls_transport_set_int(session, sd); + + /* Perform the TLS handshake + */ + ret = gnutls_handshake(session); + + if (ret < 0) { + fail("client: Handshake failed\n"); + gnutls_perror(ret); + goto end; + } else { + if (debug) + success("client: Handshake was completed\n"); + } + + /* check the hint */ + if (exp_hint) { + hint = gnutls_psk_client_get_hint(session); + if (hint == NULL || strcmp(hint, "hint") != 0) { + fail("client: hint is not the expected: %s\n", gnutls_psk_client_get_hint(session)); + goto end; + } + } + + gnutls_record_send(session, MSG, strlen(MSG)); + + ret = gnutls_record_recv(session, buffer, MAX_BUF); + if (ret == 0) { + if (debug) + success + ("client: Peer has closed the TLS connection\n"); + goto end; + } else if (ret < 0) { + fail("client: Error: %s\n", gnutls_strerror(ret)); + goto end; + } + + if (debug) { + printf("- Received %d bytes: ", ret); + for (ii = 0; ii < ret; ii++) { + fputc(buffer[ii], stdout); + } + fputs("\n", stdout); + } + + gnutls_bye(session, GNUTLS_SHUT_RDWR); + + end: + + close(sd); + + gnutls_deinit(session); + + gnutls_free(user.data); + gnutls_psk_free_client_credentials(pskcred); + + gnutls_global_deinit(); +} + +/* This is a sample TLS 1.0 echo server, for PSK authentication. + */ + +#define MAX_BUF 1024 + +/* These are global */ + +static int +pskfunc(gnutls_session_t session, const gnutls_datum_t *username, + gnutls_datum_t * key) +{ + if (debug) + printf("psk: Got username with length %d\n", username->size); + + key->data = gnutls_malloc(4); + key->data[0] = 0xDE; + key->data[1] = 0xAD; + key->data[2] = 0xBE; + key->data[3] = 0xEF; + key->size = 4; + + return 0; +} + + +static void server(int sd, const char *prio) +{ + gnutls_psk_server_credentials_t server_pskcred; + int ret; + gnutls_session_t session; + gnutls_datum_t psk_username; + char buffer[MAX_BUF + 1], expected_psk_username[] = { 0xDE, 0xAD, 0xBE, 0xEF }; + + /* this must be called once in the program + */ + global_init(); + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + side = "server"; + + + gnutls_psk_allocate_server_credentials(&server_pskcred); + gnutls_psk_set_server_credentials_hint(server_pskcred, "hint"); + gnutls_psk_set_server_credentials_function2(server_pskcred, pskfunc); + + gnutls_init(&session, GNUTLS_SERVER); + + /* avoid calling all the priority functions, since the defaults + * are adequate. + */ + gnutls_priority_set_direct(session, prio, NULL); + + gnutls_credentials_set(session, GNUTLS_CRD_PSK, server_pskcred); + + gnutls_transport_set_int(session, sd); + ret = gnutls_handshake(session); + if (ret < 0) { + close(sd); + gnutls_deinit(session); + fail("server: Handshake has failed (%s)\n\n", + gnutls_strerror(ret)); + return; + } + + if (debug) { + success("server: Handshake was completed\n"); + + if (gnutls_psk_server_get_username(session)) + fail("server: gnutls_psk_server_get_username() should have returned NULL\n"); + if (gnutls_psk_server_get_username2(session, &psk_username) < 0) + fail("server: Could not get PSK username\n"); + + if (psk_username.size != 4 || memcmp(psk_username.data, expected_psk_username, 4)) + fail("server: Unexpected PSK username\n"); + + success("server: PSK username length: %d\n", psk_username.size); + } + + /* see the Getting peer's information example */ + /* print_info(session); */ + + for (;;) { + memset(buffer, 0, MAX_BUF + 1); + gnutls_record_set_timeout(session, 10000); + ret = gnutls_record_recv(session, buffer, MAX_BUF); + + if (ret == 0) { + if (debug) + success("server: Peer has closed the GnuTLS connection\n"); + break; + } else if (ret < 0) { + fail("server: Received corrupted data(%d). Closing...\n", ret); + break; + } else if (ret > 0) { + /* echo data back to the client + */ + gnutls_record_send(session, buffer, + strlen(buffer)); + } + } + /* do not wait for the peer to close the connection. + */ + gnutls_bye(session, GNUTLS_SHUT_WR); + + close(sd); + gnutls_deinit(session); + + gnutls_psk_free_server_credentials(server_pskcred); + + gnutls_global_deinit(); + + if (debug) + success("server: finished\n"); +} + +static +void run_test(const char *prio, unsigned exp_hint) +{ + pid_t child; + int err; + int sockets[2]; + + success("trying with %s\n", prio); + + err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) { + perror("socketpair"); + fail("socketpair failed\n"); + return; + } + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + return; + } + + if (child) { + int status; + /* parent */ + close(sockets[1]); + server(sockets[0], prio); + wait(&status); + check_wait_status(status); + } else { + close(sockets[0]); + client(sockets[1], prio, exp_hint); + exit(0); + } +} + +void doit(void) +{ + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", 1); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-PSK", 1); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-PSK", 1); + + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:+PSK", 0); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK", 0); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK", 0); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK", 0); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+DHE-PSK", 0); + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+ECDHE-PSK", 0); + /* the following should work once we support PSK without DH */ + run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+PSK", 0); + + run_test("NORMAL:-KX-ALL:+PSK", 0); + run_test("NORMAL:-KX-ALL:+ECDHE-PSK", 0); + run_test("NORMAL:-KX-ALL:+DHE-PSK", 0); +} + +#endif /* _WIN32 */ diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c index f212b188b9..05c1c90868 100644 --- a/tests/resume-with-previous-stek.c +++ b/tests/resume-with-previous-stek.c @@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio) serverx509cred = NULL; } - if (num_stek_rotations != 2) - fail("STEK should be rotated exactly twice (%d)!\n", num_stek_rotations); + if (num_stek_rotations != 3) + fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations); if (serverx509cred) gnutls_certificate_free_credentials(serverx509cred); diff --git a/tests/rsa-md5-collision/rsa-md5-collision.sh b/tests/rsa-md5-collision/rsa-md5-collision.sh index a935804dc0..e319544b73 100755 --- a/tests/rsa-md5-collision/rsa-md5-collision.sh +++ b/tests/rsa-md5-collision/rsa-md5-collision.sh @@ -31,7 +31,7 @@ if ! test -x "${CERTTOOL}"; then fi . ${srcdir}/scripts/common.sh -check_for_datefudge +skip_if_no_datefudge # Disable leak detection ASAN_OPTIONS="detect_leaks=0" diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 95f8a5298e..6ae19fa586 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh @@ -80,7 +80,12 @@ check_for_datefudge() { TSTAMP=`datefudge -s "2006-09-23" "${top_builddir}/tests/datefudge-check" || true` if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then - echo $TSTAMP + return 1 + fi +} + +skip_if_no_datefudge() { + if ! check_for_datefudge; then echo "You need datefudge to run this test" exit 77 fi diff --git a/tests/server-multi-keys.sh b/tests/server-multi-keys.sh index 3138fb6888..7737ec9b83 100755 --- a/tests/server-multi-keys.sh +++ b/tests/server-multi-keys.sh @@ -46,7 +46,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether server can utilize multiple keys" diff --git a/tests/server-weak-keys.sh b/tests/server-weak-keys.sh index 31c51a80bc..1fa14711fb 100755 --- a/tests/server-weak-keys.sh +++ b/tests/server-weak-keys.sh @@ -46,7 +46,7 @@ SERV="${SERV} -q" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge echo "Checking whether a client will refuse weak but trusted keys" diff --git a/tests/sign-is-secure.c b/tests/sign-is-secure.c index 3c2d18d93a..64e0836963 100644 --- a/tests/sign-is-secure.c +++ b/tests/sign-is-secure.c @@ -87,7 +87,7 @@ void doit(void) CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD2); CHECK_INSECURE_SIG(GNUTLS_SIGN_GOST_94); - for (i=1;i<GNUTLS_SIGN_MAX;i++) { + for (i=1;i<=GNUTLS_SIGN_MAX;i++) { #ifndef ALLOW_SHA1 if (i==GNUTLS_SIGN_RSA_SHA1||i==GNUTLS_SIGN_DSA_SHA1||i==GNUTLS_SIGN_ECDSA_SHA1) continue; diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c index a29963aa5a..17872b7a43 100644 --- a/tests/slow/cipher-api-test.c +++ b/tests/slow/cipher-api-test.c @@ -266,8 +266,10 @@ void start(const char *name, int algo, unsigned aead) void doit(void) { start("aes128-gcm", GNUTLS_CIPHER_AES_128_GCM, 1); + start("aes192-gcm", GNUTLS_CIPHER_AES_192_GCM, 1); start("aes256-gcm", GNUTLS_CIPHER_AES_256_GCM, 1); start("aes128-cbc", GNUTLS_CIPHER_AES_128_CBC, 0); + start("aes192-cbc", GNUTLS_CIPHER_AES_192_CBC, 0); start("aes256-cbc", GNUTLS_CIPHER_AES_256_CBC, 0); start("3des-cbc", GNUTLS_CIPHER_3DES_CBC, 0); if (!gnutls_fips140_mode_enabled()) { diff --git a/tests/slow/cipher-openssl-compat.c b/tests/slow/cipher-openssl-compat.c index 64adf25a45..3d55131e52 100644 --- a/tests/slow/cipher-openssl-compat.c +++ b/tests/slow/cipher-openssl-compat.c @@ -195,6 +195,7 @@ void doit(void) /* ciphers */ cipher_test("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM, 16); + cipher_test("aes-192-gcm", GNUTLS_CIPHER_AES_192_GCM, 16); cipher_test("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM, 16); #if OPENSSL_VERSION_NUMBER >= 0x10100000L if (!gnutls_fips140_mode_enabled()) { diff --git a/tests/slow/hash-large.c b/tests/slow/hash-large.c index 33dc1df0da..71312ef369 100644 --- a/tests/slow/hash-large.c +++ b/tests/slow/hash-large.c @@ -139,7 +139,7 @@ void doit(void) /* SHA1 */ err = - gnutls_hash_fast(GNUTLS_MAC_SHA1, buf, size, + gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, size, digest); if (err < 0) fail("gnutls_hash_fast(SHA1) failed: %d\n", err); diff --git a/tests/srp.c b/tests/srp.c index e659f22163..607e52ae46 100644 --- a/tests/srp.c +++ b/tests/srp.c @@ -131,7 +131,7 @@ static void client(int fd, const char *prio, const char *user, const char *pass, /* Use default priorities */ assert(gnutls_priority_set_direct(session, prio, NULL)>=0); - gnutls_handshake_set_timeout(session, 40 * 1000); + gnutls_handshake_set_timeout(session, 100 * 1000); /* put the anonymous credentials to the current session */ @@ -229,7 +229,7 @@ static void server(int fd, const char *prio) s_x509_cred); gnutls_transport_set_int(session, fd); - gnutls_handshake_set_timeout(session, 40 * 1000); + gnutls_handshake_set_timeout(session, 100 * 1000); do { ret = gnutls_handshake(session); @@ -329,21 +329,21 @@ const char *tpasswd_conf_file = void doit(void) { - FILE *fd; + FILE *fp; - fd = fopen("tpasswd.conf", "w"); - if (fd == NULL) + fp = fopen("tpasswd.conf", "w"); + if (fp == NULL) exit(1); - fwrite(tpasswd_conf_file, 1, strlen(tpasswd_conf_file), fd); - fclose(fd); + fwrite(tpasswd_conf_file, 1, strlen(tpasswd_conf_file), fp); + fclose(fp); - fd = fopen("tpasswd", "w"); - if (fd == NULL) + fp = fopen("tpasswd", "w"); + if (fp == NULL) exit(1); - fwrite(tpasswd_file, 1, strlen(tpasswd_file), fd); - fclose(fd); + fwrite(tpasswd_file, 1, strlen(tpasswd_file), fp); + fclose(fp); start("tls1.2 srp-1024", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test", "test", 0); start("tls1.2 srp-1536", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+SRP", "test2", "test2", 0); diff --git a/tests/status-request-revoked.c b/tests/status-request-revoked.c index b4033214cb..0268934647 100644 --- a/tests/status-request-revoked.c +++ b/tests/status-request-revoked.c @@ -65,6 +65,16 @@ static void client_log_func(int level, const char *str) fprintf(stderr, "client|<%d>| %s", level, str); } +static time_t mytime(time_t * t) +{ + time_t then = 1586000000; + + if (t) + *t = then; + + return then; +} + static unsigned char server_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" "MIIEKjCCAhKgAwIBAgIIRiBQA6KFBj0wDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n" @@ -252,6 +262,7 @@ static int cert_verify_callback(gnutls_session_t session) unsigned int status; int ret; + gnutls_global_set_time_function(mytime); ret = gnutls_certificate_verify_peers2(session, &status); if (ret < 0) return -1; diff --git a/tests/suite/multi-ticket-reception.sh b/tests/suite/multi-ticket-reception.sh index 63de24e904..d84367703c 100755 --- a/tests/suite/multi-ticket-reception.sh +++ b/tests/suite/multi-ticket-reception.sh @@ -48,10 +48,10 @@ KEY1=${srcdir}/tls-fuzzer/tlslite-ng/tests/serverX509Key.pem CERT1=${srcdir}/tls-fuzzer/tlsfuzzer/tests/serverX509Cert.pem #create links necessary for tlslite to function -pushd "${srcdir}/tls-fuzzer/tlsfuzzer" -test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa -test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null -popd +test -L "${srcdir}/tls-fuzzer/tlsfuzzer/ecdsa" || \ + ln -s ../python-ecdsa/src/ecdsa "${srcdir}/tls-fuzzer/tlsfuzzer/" +test -L "${srcdir}/tls-fuzzer/tlsfuzzer/tlslite" || \ + ln -s ../tlslite-ng/tlslite "${srcdir}/tls-fuzzer/tlsfuzzer/" echo "Checking whether receiving 1 ticket succeeds (sanity)" diff --git a/tests/suite/prime-check.c b/tests/suite/prime-check.c index 3d6429c6e1..1e3ef7538b 100644 --- a/tests/suite/prime-check.c +++ b/tests/suite/prime-check.c @@ -21,7 +21,6 @@ */ #include <nettle/bignum.h> -#include <gmp.h> #include <gnutls/gnutls.h> #include <assert.h> diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index 197243086a..9c50a652b5 100755 --- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl @@ -74,7 +74,6 @@ NO_TLS1_2=$? test $NO_TLS1_2 != 0 && echo "Disabling interop tests for TLS 1.2" - ${SERV} version|grep -e '[1-9]\.[1-9]\.[0-9]' >/dev/null 2>&1 if test $? = 0;then NO_DH_PARAMS=0 @@ -82,18 +81,8 @@ else NO_DH_PARAMS=1 fi -# Do not use DSS or curves <=256 bits in 1.1.1+ because these -# are not accepted by openssl on debian. -${SERV} version|grep -e '[1-9]\.[1-9]\.[1-9]' >/dev/null 2>&1 -if test $? = 0;then - NO_DSS=1 - FIPS_CURVES=1 -else - ${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1 - NO_DSS=$? -fi - -test $FIPS_CURVES = 1 && echo "Running with FIPS140-2 enabled curves enabled" +${SERV} ciphers -v ALL 2>&1|grep -e DHE-DSS >/dev/null 2>&1 +NO_DSS=$? if test $NO_DSS != 0;then echo "Disabling interop tests for DSS ciphersuites" @@ -121,6 +110,10 @@ NO_NULL=$? test $NO_NULL != 0 && echo "Disabling interop tests for NULL ciphersuites" +${SERV} ecparam -list_curves 2>&1|grep -e prime192v1 >/dev/null 2>&1 +NO_PRIME192v1=$? + +test $NO_PRIME192v1 != 0 && echo "Disabling interop tests for prime192v1 ecparam" if test "${NO_DH_PARAMS}" = 0;then OPENSSL_DH_PARAMS_OPT="" @@ -218,7 +211,7 @@ run_client_suite() { #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -cipher "ALL" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -267,9 +260,9 @@ run_client_suite() { kill ${PID} wait - if test "${FIPS_CURVES}" != 1; then + if test "${FIPS_CURVES}" != 1 && test "${NO_PRIME192v1}" != 1; then eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${RSA_KEY}" -cert "${RSA_CERT}" -named_curve prime192v1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -283,7 +276,7 @@ run_client_suite() { #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC224_KEY}" -cert "${ECC224_CERT}" -Verify 1 -named_curve secp224r1 -CAfile "${CA_ECC_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -298,7 +291,7 @@ run_client_suite() { #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC384_KEY}" -cert "${ECC384_CERT}" -Verify 1 -named_curve secp384r1 -CAfile "${CA_ECC_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -312,7 +305,7 @@ run_client_suite() { #-cipher ECDHE-ECDSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem -cipher 'DEFAULT:@SECLEVEL=1' -tls1 -key "${ECC521_KEY}" -cert "${ECC521_CERT}" -Verify 1 -named_curve secp521r1 -CAfile "${CA_ECC_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -326,7 +319,7 @@ run_client_suite() { #-cipher PSK eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher PSK -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -tls1 -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -cipher 'PSK:@SECLEVEL=1' -psk 9e32cf7786321a828ef7668f09fb35db >/dev/null PID=$! wait_server ${PID} @@ -341,7 +334,7 @@ run_client_suite() { # Tests requiring openssl 1.0.1 - TLS 1.2 #-cipher RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -www -accept "${PORT}" -keyform pem -certform pem -tls1_2 ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_server ${PID} @@ -442,7 +435,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -455,7 +448,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -469,7 +462,7 @@ run_client_suite() { if test "${NO_DSS}" = 0; then eval "${GETPORT}" - launch_bare_server $$ s_server -cipher "ALL" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher "ALL:@SECLEVEL=1" -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -483,7 +476,7 @@ run_client_suite() { fi eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher 'ALL:@SECLEVEL=1' -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -495,7 +488,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -508,7 +501,7 @@ run_client_suite() { wait eval "${GETPORT}" - launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -Verify 1 -CAfile "${CA_CERT}" >/dev/null PID=$! wait_udp_server ${PID} @@ -628,7 +621,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE:@SECLEVEL=1 -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -641,7 +634,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -cipher ALL -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -655,7 +648,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-RSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -669,7 +662,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -683,7 +676,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC256_CERT}" -key "${ECC256_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -696,7 +689,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC384_CERT}" -key "${ECC384_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -710,7 +703,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" -cert "${ECC521_CERT}" -key "${ECC521_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -724,7 +717,7 @@ run_server_suite() { wait_server ${PID} #-cipher PSK-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \ + ${OPENSSL_CLI} s_client -host localhost -psk_identity Client_identity -psk 9e32cf7786321a828ef7668f09fb35db -cipher ALL:@SECLEVEL=1 -tls1 -port "${PORT}" crt_file="${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep ":error:" && \ fail ${PID} "Failed" kill ${PID} @@ -763,7 +756,7 @@ run_server_suite() { PID=$! wait_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher ALL -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -port "${PORT}" -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -805,7 +798,7 @@ run_server_suite() { wait_server ${PID} #-cipher ECDHE-ECDSA-AES128-SHA - ${OPENSSL_CLI} s_client -host localhost -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -cipher 'ALL:@SECLEVEL=1' -tls1_2 -named_curve secp224r1 -port "${PORT}" -cert "${ECC224_CERT}" -key "${ECC224_KEY}" -CAfile "${CA_ECC_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -875,7 +868,7 @@ run_server_suite() { PID=$! wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -889,7 +882,7 @@ run_server_suite() { wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} @@ -903,7 +896,7 @@ run_server_suite() { wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher ALL -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -cipher 'ALL:@SECLEVEL=1' -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" kill ${PID} diff --git a/tests/suite/testcompat-oldgnutls.sh b/tests/suite/testcompat-oldgnutls.sh index 2ec96b20c2..937bf57050 100755 --- a/tests/suite/testcompat-oldgnutls.sh +++ b/tests/suite/testcompat-oldgnutls.sh @@ -54,7 +54,7 @@ LDPATH=/usr/local/OLDGNUTLS/lib/x86_64-linux-gnu:/usr/local/OLDGNUTLS/usr/lib/x8 . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge . "${srcdir}/testcompat-common" diff --git a/tests/suite/testcompat-openssl.sh b/tests/suite/testcompat-openssl.sh index bfc59c09ac..b932a599c9 100755 --- a/tests/suite/testcompat-openssl.sh +++ b/tests/suite/testcompat-openssl.sh @@ -54,7 +54,7 @@ export TZ="UTC" # Check for datefudge . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge timeout 1800 datefudge "2012-09-2" "${srcdir}/testcompat-main-openssl" diff --git a/tests/suite/testcompat-polarssl.sh b/tests/suite/testcompat-polarssl.sh index 1af0099dca..2197a94bf7 100755 --- a/tests/suite/testcompat-polarssl.sh +++ b/tests/suite/testcompat-polarssl.sh @@ -42,7 +42,7 @@ fi # Check for datefudge . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge cat /proc/cpuinfo|grep "model name"|grep "VIA Esther" >/dev/null 2>&1 if test $? = 0; then diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index 128873ab23..bc198a02b6 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh @@ -49,7 +49,7 @@ fi . "${srcdir}/../scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge . "${srcdir}/testcompat-common" diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json index 7a5af26e53..6f5874c095 100644 --- a/tests/suite/tls-fuzzer/gnutls-cert.json +++ b/tests/suite/tls-fuzzer/gnutls-cert.json @@ -91,6 +91,8 @@ "-c", "tests/clientX509Cert.pem", "-e", "fuzz empty certificate - overall 7, certs 4, cert 1", "-e", "fuzz empty certificate - overall 8, certs 5, cert 2", + "-e", "sanity - empty client cert", + "-e", "Correct cert followed by an empty one", "-p", "@PORT@"] } ] diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json index 0bf5be4bea..3b6404c045 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json @@ -53,9 +53,7 @@ {"name" : "test-tls13-count-tickets.py", "arguments": ["-p", "@PORT@", "-t", "2"]}, {"name" : "test-tls13-dhe-shared-secret-padding.py", - "comment": "We do not support x448", "arguments": ["-p", "@PORT@", - "-e", "TLS 1.3 with x448", "-n", "4"]}, {"name" : "test-tls13-ecdhe-curves.py", "arguments": ["-p", "@PORT@"]}, @@ -81,19 +79,24 @@ {"name" : "test-tls13-hrr.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-invalid-ciphers.py", - "arguments": ["-p", "@PORT@"]}, + "arguments": ["-p", "@PORT@", + "-n", "5"]}, {"name" : "test-tls13-keyshare-omitted.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-keyupdate.py", "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket", "arguments": ["-p", "@PORT@", + "-n", "5", "-e", "app data split, conversation with KeyUpdate msg", "-e", "multiple KeyUpdate messages"]}, {"name" : "test-tls13-large-number-of-extensions.py", "comment" : "This test assumes that 22 (EtM) is unassigned which is incorrect - see #632", "arguments": ["-p", "@PORT@", - "-e", "empty unassigned extensions, ids in range from 2 to 4118", - "-e", "unassigned extensions with random payload, ids in range from 2 to 1046"]}, + "-n", "5", + "--exc", "11", + "--exc", "12", + "--exc", "22", + "--exc", "23"]}, {"name" : "test-tls13-legacy-version.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-nociphers.py", @@ -113,7 +116,7 @@ "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-serverhello-random.py", "arguments": ["-p", "@PORT@", - "-e", "TLS 1.3 with x448"]}, + "-n", "5"]}, {"name" : "test-tls13-signature-algorithms.py", "comment" : "gnutls doesn't handle well duplicated signature algorithms; this is not an issue in practice", "arguments": ["-p", "@PORT@", @@ -123,7 +126,8 @@ "-e", "23752 invalid schemes", "-e", "32715 invalid schemes"]}, {"name" : "test-tls13-symetric-ciphers.py", - "arguments": ["-p", "@PORT@"]}, + "arguments": ["-p", "@PORT@", + "-n", "5"]}, {"name" : "test-tls13-unrecognised-groups.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-version-negotiation.py", diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject ca536d11ac14da2deacbde95f3f0a70a5ce4211 +Subproject 477b22683238fc540f512dd0c09963fa467ddef diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng -Subproject bff8773e4309cc43dd6acf0a6d4623949f911fd +Subproject 7c6fbf93beff6bffa9a2a0e6bd214fd229fce90 diff --git a/tests/suppressions.valgrind b/tests/suppressions.valgrind index 6f2f7dd0ce..1dc5454921 100644 --- a/tests/suppressions.valgrind +++ b/tests/suppressions.valgrind @@ -289,3 +289,10 @@ fun:fillin_rpath ... } +{ + gnutls-false-positive + Memcheck:Cond + fun:decode_complex_string.isra.0 + fun:_gnutls_x509_dn_to_string + ... +} diff --git a/tests/system-override-profiles.sh b/tests/system-override-profiles.sh index 88ec631798..516ce57e71 100755 --- a/tests/system-override-profiles.sh +++ b/tests/system-override-profiles.sh @@ -41,7 +41,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge CERT="${srcdir}/certs/cert-ecc256.pem" KEY="${srcdir}/certs/ecc256.pem" diff --git a/tests/system-override-tls.sh b/tests/system-override-tls.sh index 6114d76282..54bc190dd9 100755 --- a/tests/system-override-tls.sh +++ b/tests/system-override-tls.sh @@ -40,7 +40,7 @@ fi . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge CERT="${srcdir}/certs/cert-ecc256.pem" KEY="${srcdir}/certs/ecc256.pem" diff --git a/tests/test-chains-issuer-aia.h b/tests/test-chains-issuer-aia.h new file mode 100644 index 0000000000..ca75fd3b7c --- /dev/null +++ b/tests/test-chains-issuer-aia.h @@ -0,0 +1,107 @@ +/* + * Copyright (C) 2008-2014 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. + * + * Authors: Simon Josefsson, Nikos Mavrogiannopoulos, Martin Ukrop + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_AIA_H +#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_AIA_H + +/* *INDENT-OFF* */ + +#define MAX_CHAIN 1 + +static const char *missing_cert_aia[] = { + "-----BEGIN CERTIFICATE-----\n" + "MIIGqDCCBZCgAwIBAgIQCvBs2jemC2QTQvCh6x1Z/TANBgkqhkiG9w0BAQsFADBN\n" + "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E\n" + "aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMzIzMDAwMDAwWhcN\n" + "MjIwNTE3MTIwMDAwWjBuMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p\n" + "YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g\n" + "VG9ycmVzMRUwEwYDVQQDDAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA\n" + "A4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5s\n" + "wEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocn\n" + "n3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8\n" + "U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMP\n" + "R3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAn\n" + "hccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjggNhMIIDXTAfBgNV\n" + "HSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUne7Be4ELOkdp\n" + "cRh9ETeTvKUbP/swIwYDVR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29t\n" + "MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw\n" + "awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et\n" + "c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh\n" + "LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH\n" + "AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsG\n" + "AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t\n" + "MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl\n" + "cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEE\n" + "AdZ5AgQCBIIBbgSCAWoBaAB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaO\n" + "HtGFAAABcQhGXioAAAQDAEcwRQIgDfWVBXEuUZC2YP4Si3AQDidHC4U9e5XTGyG7\n" + "SFNDlRkCIQCzikrA1nf7boAdhvaGu2Vkct3VaI+0y8p3gmonU5d9DwB2ACJFRQdZ\n" + "VSRWlj+hL/H3bYbgIyZjrcBLf13Gg1xu4g8CAAABcQhGXlsAAAQDAEcwRQIhAMWi\n" + "Vsi2vYdxRCRsu/DMmCyhY0iJPKHE2c6ejPycIbgqAiAs3kSSS0NiUFiHBw7QaQ/s\n" + "GO+/lNYvjExlzVUWJbgNLwB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7U\n" + "iwXlAAABcQhGXnoAAAQDAEcwRQIgKsntiBqt8Au8DAABFkxISELhP3U/wb5lb76p\n" + "vfenWL0CIQDr2kLhCWP/QUNxXqGmvr1GaG9EuokTOLEnGPhGv1cMkDANBgkqhkiG\n" + "9w0BAQsFAAOCAQEA0RGxlwy3Tl0lhrUAn2mIi8LcZ9nBUyfAcCXCtYyCdEbjIP64\n" + "xgX6pzTt0WJoxzlT+MiK6fc0hECZXqpkTNVTARYtGkJoljlTK2vAdHZ0SOpm9OT4\n" + "RLfjGnImY0hiFbZ/LtsvS2Zg7cVJecqnrZe/za/nbDdljnnrll7C8O5naQuKr4te\n" + "uice3e8a4TtviFwS/wdDnJ3RrE83b1IljILbU5SV0X1NajyYkUWS7AnOmrFUUByz\n" + "MwdGrM6kt0lfJy/gvGVsgIKZocHdedPeECqAtq7FAJYanOsjNN9RbBOGhbwq0/FP\n" + "CC01zojqS10nGowxzOiqyB4m6wytmzf0QwjpMw==\n" + "-----END CERTIFICATE-----\n" +}; + +static const char *missing_cert_aia_insert = { + "-----BEGIN CERTIFICATE-----\n" + "MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh\n" + "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" + "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n" + "QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT\n" + "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg\n" + "U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" + "ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83\n" + "nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd\n" + "KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f\n" + "/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX\n" + "kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0\n" + "/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C\n" + "AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY\n" + "aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6\n" + "Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1\n" + "oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD\n" + "QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v\n" + "d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh\n" + "xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB\n" + "CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl\n" + "5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA\n" + "8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC\n" + "2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit\n" + "c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0\n" + "j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz\n" + "-----END CERTIFICATE-----\n" +}; + +#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) +# pragma GCC diagnostic pop +#endif + +/* *INDENT-ON* */ + +#endif /* GNUTLS_TESTS_TEST_CHAINS_ISSUER_AIA_H */ diff --git a/tests/test-chains-issuer.h b/tests/test-chains-issuer.h new file mode 100644 index 0000000000..730a31fed4 --- /dev/null +++ b/tests/test-chains-issuer.h @@ -0,0 +1,179 @@ +/* + * Copyright (C) 2008-2014 Free Software Foundation, Inc. + * Copyright (C) 2017 Red Hat, Inc. + * + * Authors: Simon Josefsson, Nikos Mavrogiannopoulos, Martin Ukrop + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +#ifndef GNUTLS_TESTS_TEST_CHAINS_ISSUER_H +#define GNUTLS_TESTS_TEST_CHAINS_ISSUER_H + +/* *INDENT-OFF* */ + +#define MAX_CHAIN 6 + +static const char *missing_issuer_chain[] = { + "-----BEGIN CERTIFICATE-----\n" + "MIIDATCCAbmgAwIBAgIUQdvdegP8JFszFHLfV4+lrEdafzAwPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "AUAwDzENMAsGA1UEAxMEQ0EtNTAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n" + "NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTYwgZswEAYHKoZIzj0CAQYFK4EEACMD\n" + "gYYABAHZ3W5jpYq15WI7tVZxWCT3YtYMEj4xJSdO/ubHV0NnrlQ7+Q95R32qcA2w\n" + "4gyPif+M/Au4Towr/RA+b+qgMvD0fQFmNeWkNB/TSW2RNm7uHQU7N66tbrNWvjyS\n" + "BZeLB/V03ZWe+rO4cfrPiqtBv9N08k9uMNNCeMlatJNqj0BoFRxhBaN3MHUwDAYD\n" + "VR0TAQH/BAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweA\n" + "ADAdBgNVHQ4EFgQUMnSJQI2iHiVoxE1XSByQ9QFrG0owHwYDVR0jBBgwFoAUu9ao\n" + "G/58Y/+czHPyWo3C+vs9pFkwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGh\n" + "GjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEBAAfhLT1jQsc9yk4k\n" + "myAAMIXYD1THMkasGZiIv2TLJSLeKc4Rvzvrb/iywwrMdaBHs5sJoyk7amMwemc7\n" + "WA2+A2uTeLeDG3ev4r5stNRLyL0HSOr7da+BshUiHJgeihp1Qglm0AUqV5X69i5t\n" + "5woB5KENnYfoAWaYmXa1EPRh2xb2XDI0uCHg1bPljg61/T2cJZ4VfkOvsKgFAI4p\n" + "lAKQCZSKbEY1oWDdDhVcSipYu2E88RXczvcnEQV3C3p6CGcf8xclZdZIwMAyXYAK\n" + "oNccbSIfDlN4iD+2bztCRWHD6hWL1NJsFqmv3Ts8eYU8z8J8NdhtCXr76lFkFmDx\n" + "+lfZEv4=\n" + "-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\n" + "MIIDojCCAlqgAwIBAgIUHRb3xJ2ZGqqgdC/pBq/sDtAwvtowPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "AUAwDzENMAsGA1UEAxMEQ0EtNDAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n" + "NTk1OVowDzENMAsGA1UEAxMEQ0EtNTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" + "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n" + "AQoCggEBAMZqQ7I1HAxkxuwGQBch/jZTWLXRUtWBjlpREnp0wFt+quJOZkKNYrlL\n" + "9sngiRknsbEIfJMB2XfoK6m9SwRN/qoxewOrnK9YONG9dj0p30qiseshXIs6ZoMl\n" + "v9fZA77UraCtTbX6Xwk/+Or6SuSK2lyz0R5O14xBa5ubpm2Q8XTE9A1SAGx61ofC\n" + "Dzfvefp+m3QCy+3K+Yn05VKPxswznuVwM/oJDGzJJhD6/uNPpm5CZoPtcW14Eitu\n" + "ip51Ej1VE4lJRBHAtUSOrd3Hks6YasK7Uvu0HjpqW7PqaIhJIR7ofzbXX2vBwVj2\n" + "Qlwozk4cVCP7XO3VrVu/GCdSL+G3RAUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n" + "/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBS71qgb/nxj/5zMc/JajcL6+z2k\n" + "WTAfBgNVHSMEGDAWgBQPB7C8f3nco30et23Lhw7QMTaLYzA9BgkqhkiG9w0BAQow\n" + "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n" + "QAOCAQEAl90uQvD0lne4jseHNfu8XCIZmCSxaNhF3SD73TwlGERbRjtIKz34Y6hC\n" + "z5bZ4tCGnkKAtdHLIGwOnaLSXDvzmUSkQmJmG0QMaDGsVpVXEZD/7+yyIxOcV1iK\n" + "XveeQysCKsDEfdrfn1mACQj8eC4lL9KJcHptHdTSLfa58MV2Qe5smCIByXxendO5\n" + "UQHZy5UrzWAdtO7y75vXeXynsXAqcE4TTNjdFiCnn6Q5/pVyW14kepfjaOzQFP7H\n" + "QlnHtgQDRAlQuB1aGseb6jn2Joy33itpBthvtgBosZIqsMyPoX5YzjqZUSjfPZOP\n" + "/aOd/5HR4ZPDWfHdIWbXogYX0ndhNg==\n" + "-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\n" + "MIIDojCCAlqgAwIBAgIUGybZZ1e/iFUKafPdh8xUbh7YVnwwPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "AUAwDzENMAsGA1UEAxMEQ0EtMzAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n" + "NTk1OVowDzENMAsGA1UEAxMEQ0EtNDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" + "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n" + "AQoCggEBAM0vsCM3XxZVHmxOdY2ndCoUHnrlLameRZcEupa77oAXBw9J2ysTIY1v\n" + "uP7GbBru4JnBhdem1xL37z0/a5O9+5Rw4SNHNw8Z2jPtWSJd+XwfBshQnX66IvSv\n" + "M0etutgO/lZwFq7E4yGI7LS1sGWvVhmjMLT1Yb3j/b8SXeSHyp9J0NdJ1spjjekg\n" + "bdiMUOo6Tt1gnZsgLdH6Cbmw4sm/+EGjsPOYdBI0kHW5qqLnIzW/io0NMnRsDBEk\n" + "HgXNEMhXZL/qEQfrcSCxjlqB126aALHIvN5TKBrssfE6zn9m96A9qCRJuKGP9NPm\n" + "4AFkV1yylCUTUkIRkbqPlI4i1vf8jfcCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n" + "/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBQPB7C8f3nco30et23Lhw7QMTaL\n" + "YzAfBgNVHSMEGDAWgBRjNOT1/2J+aAVCl/aO+EQke/8oETA9BgkqhkiG9w0BAQow\n" + "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n" + "QAOCAQEAsKDivFD4DflylFdG4zijGrtq/zfSKTiNWxZsLKbMwLoG+Km3dy0HWfUq\n" + "TUETPEfQlpXc2Tg1tGxFepAPavVeMIy/MV3SsmjRA3f+PNWjaZUxa9+Jd1y6ONwK\n" + "wQ7s/JNNk/SZt4bKjX9GrTscZmOVtrwpZ6uQBHITScsr4V431G6wojZ09iEG0yFQ\n" + "ZD8ECn2ZOPVQXIswa75NelcGKup838HoDIjQ3vIvrx8rqf5HRg4t9mXzjECzXHVy\n" + "8wDamoE3fLAZZX2RxOWnHfjI8qB83qYyR5kN002EFJ/e060SPia1rTHyLqLngRtq\n" + "xgR9bRjZf++h/dg6L87b26J5KdDafw==\n" + "-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\n" + "MIIDojCCAlqgAwIBAgIUVd3TT33d1fy/8INiIKhudYmRE5swPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "AUAwDzENMAsGA1UEAxMEQ0EtMTAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n" + "NTk1OVowDzENMAsGA1UEAxMEQ0EtMjCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" + "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n" + "AQoCggEBANN3n02MYdl70xAq39SUtcMcNR9Zpe6m4SkHcL/1T4YEpWxqqez1tDW3\n" + "1My9Std/sE1e63Q+XJdZhKz1v2KM48iMMeEtJRtriSMxp3KyHQwOxV5L/C5yudYG\n" + "3DW0XwrIFL5uXn0z27vYTJ+63RFD4K6Np3ROa2EnHuTcb1pAlrGK1erUzuD8gg7m\n" + "mIwxfS7KSeUSmZiXVACNVGmAekClRIf1kMjMqNL6eQ2laNcg7W7RCaIghk58E4Ej\n" + "/dyNWTgUUoHla8X4Za/JNXDVHdj5VKIfK8xQkc6aN8Ip5rm9J94yLay27QZdHPQn\n" + "AlHEW6IAyRgj/lo+yk1RUigjko62t+0CAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n" + "/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBTVuTCwy3TqMVX2Bvdj/wcoYSTG\n" + "/zAfBgNVHSMEGDAWgBS/OulsZ80Bb9MpqM/M1lCC8bO2AzA9BgkqhkiG9w0BAQow\n" + "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n" + "QAOCAQEAfi/KKbJUsdvS/XDqR6T8VHNhX8lMOGdzHltjBdXdxsWlr2mRolILhyZf\n" + "1/wf58b1OE4AlxbwH+S/vWrQ2KVwBfWxtTJXqAMSvHIF3Tq8bIghvhK8CmZG/I49\n" + "FTYE+42MFBr6f5SNp9Q+ZUcjSK5DO7yNiyKDFfNffFGxHmnmGj2LhgyrvYA/aNyB\n" + "2ichlfihcKkExGBN44ODoK+8/W8oiMt541AvPyJxTJjxWjeJ42EBXO+J5k8wRuCu\n" + "nXCW5OjnEIExXGKZLlieH4t8kUyHlrTlHO7spiqA/QM7GUtBQfJTLdPFmvHU3Jtw\n" + "qGN2PrhXyLoaUfIpNbWO9Jmj2GYaWg==\n" + "-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\n" + "MIICxjCCAiegAwIBAgIUKnsCQlR0jpxEnpzqxbi+Y2rqwpMwCgYIKoZIzj0EAwQw\n" + "DzENMAsGA1UEAxMEQ0EtMDAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIzNTk1\n" + "OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglghkgB\n" + "ZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCCAQoC\n" + "ggEBAOqrWIctrZ7mabfoFuMsT/B2kK4vWAGX32SGQdoDKdy+O0jGJN8/vGnbaOWN\n" + "k6sR/eNx+13LahbiLl3dzyecdJ6BeDBokjiRXtDzZN3IdrR6KZ5NjqcMiVBgztoq\n" + "gkOglhcixU2cMlSFYCozfvf3i4YElJzSP4XdJbLaPcsHmywny52s06vf64SbNhQy\n" + "GucRYO0VqRUVCNpvPyyGlkODlDQuzNsd5nIQZ5WR1bQLTYsVoHVfpLx+Su7BAV05\n" + "D5XiGQVGw7kkp4VKHrMhQ0VY+34xmahQvnoqfPEBG9jjfy6psI0oa52JS3FBWF8u\n" + "psUiFD2iqQy+efQX44gAdrrnkt0CAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAP\n" + "BgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBS/OulsZ80Bb9MpqM/M1lCC8bO2AzAf\n" + "BgNVHSMEGDAWgBRBWngghShY2X+P7m45LPH1V4p5czAKBggqhkjOPQQDBAOBjAAw\n" + "gYgCQgHnvF1Dq32xBBEME4UlVsVeOflvGw5Sr/hVhbUZ1KfAQIV2ZuBuvJNMBrj8\n" + "Pzi/nhRuV8vH5xabyQb9RYVcJ8oilQJCAdduIVVvL6DmUBOJfz1znsxPA5JCBBY2\n" + "pAOhFZBrNXE2zZrgttgR6TG4Obst1fQzL3RsmqAYAuWSpKPNz6Hdq+kl\n" + "-----END CERTIFICATE-----\n", + "-----BEGIN CERTIFICATE-----\n" + "MIIB7TCCAU6gAwIBAgIUWmldb3tGP48wFh5P/cmVytYv5JcwCgYIKoZIzj0EAwQw\n" + "DzENMAsGA1UEAxMEQ0EtMDAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIzNTk1\n" + "OVowDzENMAsGA1UEAxMEQ0EtMDCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAarU\n" + "aZXDJBYLdRdjV43Nq+slYxPPn877UBJ63K6GQF1poMaSFFJ7qSXi4lJngh7ueCVq\n" + "mJvNH54KbqkPryfCKjUbAZnIQa/8zpPbrZ4iAP6d+Mb6qIkX8j3BP1f6Ap0WTmQk\n" + "s5QHCkJFGNqqljut/RQgnbTUbQcGHCNmUx4g0BZv03+Qo0MwQTAPBgNVHRMBAf8E\n" + "BTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFEFaeCCFKFjZf4/ubjks\n" + "8fVXinlzMAoGCCqGSM49BAMEA4GMADCBiAJCAcmtP2IVnOTF2wHhfUn13qsUpqyc\n" + "3kCI1ueg75NgR7xgpL9JQ1CnPaUbCp+5ROKf5IHn8f1jjZIu45WpiWhnZDkkAkIA\n" + "pCTZn7t7memhMJUqrHGywx2gR9fgID/REZUZdVe9KcTzWvwSrbffDMCcf10SpM6C\n" + "/YXiDLiWNiK+WV8Z557eWKI=\n" + "-----END CERTIFICATE-----\n" +}; + +static const char *missing_cert_insert = { + "-----BEGIN CERTIFICATE-----\n" + "MIIDojCCAlqgAwIBAgIUHRkWa8ZOaRrqjxigoEhxJHMLM2UwPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "AUAwDzENMAsGA1UEAxMEQ0EtMjAgFw0yMDA0MjAxMTI2NDFaGA85OTk5MTIzMTIz\n" + "NTk1OVowDzENMAsGA1UEAxMEQ0EtMzCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" + "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCAUADggEPADCC\n" + "AQoCggEBAMNSjDqpdcx+02E2vKRB78Z6rYRTuYHeXZGIsVz3LXHxplNYtSlM0MN4\n" + "cj0mHj2Rctxk7o6vsQm37ayvO4mquvgPiwtivq+qPv98ZTIuVYkPE4NEPru7Uec+\n" + "HQO3faRym4VAzpH+CllMraeaSjQLfAKqXw60UHF+b+ovJXKWbb+keahXT6lWxuxY\n" + "pm5vbcDg0Ez++9TJcA0MiPKtk4SMgnmr+2vXAE0tE5PRX9NS7AWPyEg82q+ph2kj\n" + "zu5VWoqZp/EwMI6VfLJeemY726LyyOpIqBGWwsUXPn5NdxLla58zHDFggd7/Z/l9\n" + "aBfozSdrqW3sWeYzgGxeZmnc5Vm/r6ECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n" + "/zAPBgNVHQ8BAf8EBQMDB4QAMB0GA1UdDgQWBBRjNOT1/2J+aAVCl/aO+EQke/8o\n" + "ETAfBgNVHSMEGDAWgBTVuTCwy3TqMVX2Bvdj/wcoYSTG/zA9BgkqhkiG9w0BAQow\n" + "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n" + "QAOCAQEAbIw3qtl/QAMJ7OmBPqSMtZv9TaLxfUh7FrqfsKjXBQGVX6/7heO+wCwJ\n" + "/1vi2yFUc7uoB3ivEKzUQvtP7Nu6WMM64pAfYadGIk4TYV+tgXF4FJ8FHjTek+Lv\n" + "jTu7jvLbRSHkBQFimWorPfgf15nlXSCBtejEwvDLXlptLbKEa3q7VFXDzCyeiKGb\n" + "IHRozrAP5qiyIjYFJevXrZ/7bWDwMcJrB0uSQN9TD2mJjNXTCHu3GYnEmnu7KRpb\n" + "M3OdswIyjIFYvwlYGe2+GbigSaMZY9KCHR7vkJ1JGdxfh+CADcbL4fwj3kOpyEoe\n" + "TTqtWQ93AfQnd2Vm3/SAr/+jSuMbSA==\n" + "-----END CERTIFICATE-----\n" +}; + +#if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) +# pragma GCC diagnostic pop +#endif + +/* *INDENT-ON* */ + +#endif /* GNUTLS_TESTS_TEST_CHAINS_ISSUER_H */ diff --git a/tests/test-chains.h b/tests/test-chains.h index b0e44c8e17..cf8198e8c5 100644 --- a/tests/test-chains.h +++ b/tests/test-chains.h @@ -3995,6 +3995,117 @@ static const char *rsa_512[] = { NULL }; +static const char *ed448[] = { + "-----BEGIN CERTIFICATE-----\n" + "MIIBhDCCAQSgAwIBAgIUIWKQV5hisum31Z2Fw+PeZ80wqnkwBQYDK2VxMBkxFzAV\n" + "BgNVBAMTDkdudVRMUyB0ZXN0IENBMCAXDTIwMDMxNjA5MTY1M1oYDzk5OTkxMjMx\n" + "MjM1OTU5WjAZMRcwFQYDVQQDEw5HbnVUTFMgdGVzdCBDQTBDMAUGAytlcQM6AFsM\n" + "fQUL5TonNaVrBB7H4UtwnVlolZatMXceHZiWnzMKXOZXlIabi0nTGkvSFu9ed6JJ\n" + "L7EWarjRAKNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0G\n" + "A1UdDgQWBBRMwtFQ9T9Ndw63UP2QGAuIFoYb6TAFBgMrZXEDcwB8hbYLw7KMlb3a\n" + "Q2YAXiugWt2WcAMtvKgqzjXzUt2jilaDA72d3MCAWQQsMmQfRNSthDIao5CksoDk\n" + "Xc8qFzckmdBiF7W+UNT3OMisE9yIxF4iA1Sxsji3C0WDUq2jen5Uv9E99H+r47L8\n" + "U955wKxWJAA=\n" + "-----END CERTIFICATE-----\n", + NULL +}; + +/* This contains an expired intermediate CA, which should be superseded. */ +static const char *superseding[] = { + "-----BEGIN CERTIFICATE-----" + "MIIDrzCCAmegAwIBAgIUcozIBhMJvM/rd1PVI7LOq7Kscs8wDQYJKoZIhvcNAQEL" + "BQAwJjEkMCIGA1UEAxMbR251VExTIHRlc3QgaW50ZXJtZWRpYXRlIENBMCAXDTIw" + "MDUzMTEyMTczN1oYDzk5OTkxMjMxMjM1OTU5WjA3MRgwFgYDVQQDEw90ZXN0Lmdu" + "dXRscy5vcmcxGzAZBgNVBAoTEkdudVRMUyB0ZXN0IHNlcnZlcjCCASAwCwYJKoZI" + "hvcNAQEKA4IBDwAwggEKAoIBAQCd2PBnWn+b0FsIMbG+f/K+og2iK/BoLCsJD3j9" + "yRNSHD6wTifYwNTbe1LF/8BzxcwVRCD0zpbpFQawbjxbmBSzrXqQlUFFG11DvNBa" + "w58rgHGo3TYCrtFIBfLbziyB1w/vWeX0xHvv8MMJ1iRSdY+7Y36a2cV+s85PdO4B" + "TpZlLfy8LPP6p6+dgVoC+9tTu2H1wARYOVog+jt9A3Hx0L1xxVWTedFoiK2sVouz" + "fLRjfp5cOwuRHSD2qbpGOAeNVVaOE88Bv3pIGPguMw0qAdEDo20hRYH23LIyvBwB" + "oCnyFNnAViMtLa2QlXSliV9a9BKOXYjWzAeso2SF4pdHcvd5AgMBAAGjgZMwgZAw" + "DAYDVR0TAQH/BAIwADAaBgNVHREEEzARgg90ZXN0LmdudXRscy5vcmcwEwYDVR0l" + "BAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUan6mlccq" + "Uy1Z64wvRv3xxg4h2ykwHwYDVR0jBBgwFoAUSCM0UwqJMThKWurKttKm3s4dKxgw" + "DQYJKoZIhvcNAQELBQADggExAKAOMyMLpk0u2UTwwFWtr1hfx7evo2J7dgco410I" + "DN/QWoe2Xlcxcp1h5R9rX1I3KU2WGFtdXqiMsllCLnrDEKZmlks0uz76bCpKmM99" + "/1MDlY7mGCr/2PPx53USK5J5JTiqgp6r7qAcDAnpYvrPH45kk7iqwh02DhAxRnGR" + "CW7KWK8h7uu0Az9iBT2YfV372g4fRDK3fqYzJofQwbhSiUuJ7wyZCRhGOoxMMmDb" + "KBbc1wAYXW+tlv2cSbfzRvSxMR+CzkyH2tGDxeN//aZUfGmQ8IzWUQ7UtK5z+Q0E" + "fL6fZtm2SdGabGpV1UYoGpwOtOngK+m0i9SqrMD7g5+SMhc1VuvVuTtxjr5Cha8l" + "X0HEZtxgFrkdfMD4yLAqiguaCBngtbRmELF5VpebmJbiLVU=" + "-----END CERTIFICATE-----", + "-----BEGIN CERTIFICATE-----" + "MIIDkTCCAkmgAwIBAgIUY9cJ4NLNFEaojJHdP1I4Q7OHNJwwDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwHhcNMTgxMjMxMjMwMDAwWhcN" + "MjAwNTMwMjIwMDAwWjAmMSQwIgYDVQQDExtHbnVUTFMgdGVzdCBpbnRlcm1lZGlh" + "dGUgQ0EwggFSMA0GCSqGSIb3DQEBAQUAA4IBPwAwggE6AoIBMQC0ayeYJa/B/x7K" + "sH702LztQ4ZnVF3atB7CkF+DPAIR/BNyhbKIpGVBC3ZfI76Kn/55S3M7LsdLPL8W" + "yZdVNRfzoXJLMMLgJ5QS81YA5s6CSxFdpB6b+vq5GypNGLW6peYMx6iooW2qiITc" + "lg6ybBw1qufHlD351cfCog1Ls2569whfxQnNFZMa95jfKkxmiSTtH9AWY4FlpVg7" + "oc0lYpuZgVQIFxjsfC8IojsoVzKdF0cKhvtisUGZ5vveqOogfvMb7rrqmiFkKZLy" + "rXPlGQWdN1PiEZ8YXyK64osNAIyeL6eHPUC+SqKlkggMLmHAWHyameHWrIM5Jc8+" + "G+3ro22dy8U43sHHbps0FL4wPoKQHrlKmnbk7zMMRqIxcvbDYQv4qmeJ9KXldjeh" + "KZ+Aeap1AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcE" + "ADAdBgNVHQ4EFgQUSCM0UwqJMThKWurKttKm3s4dKxgwHwYDVR0jBBgwFoAUHncj" + "bWcxH5EHm5Yv7PzIRv6M4QMwDQYJKoZIhvcNAQELBQADggExAHP1UAQ/nvuQtRZF" + "Q4b96yxVwCjMjn7knLyLNtyYGE3466xvE/ofvx5lgaR06ez/G17XP+Ok5SLJNUVc" + "mplTERCv5CgnX7R5VdGJkkD1repaYxaTtwyJz0AfYEMRUj3jfaeLaiUKJvEW5RRs" + "I3solY18sy/m/xGrH2X0GTNfKM9BURENABsppt07jxH719nF9m9SynV/Z2hE5hlv" + "5e5vyPt4wyRPIJLUI3TKAlvb1s40zz3ua7ZTgQL/cOxfY4f9pRKW9CMB3uF69OP9" + "COAxrmHVZsImmDZ6qO1qQrbY1KN/cX5kG4pKg7Ium723aOlwcWzEDXKumD960fN1" + "5g+HrjNs6kW+r9Q5QS8qV5s8maZNcxTrMvQ1fF2AKBNI3Z3U7vmtrSeqxIXp3rGH" + "iJwOKIk=" + "-----END CERTIFICATE-----", + NULL +}; + +static const char *superseding_ca[] = { + "-----BEGIN CERTIFICATE-----" + "MIIDkzCCAkugAwIBAgIUIs7jB4Q4sFcdCmzWVHbJLESC3T4wDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMzEwWhgP" + "OTk5OTEyMzEyMzU5NTlaMCYxJDAiBgNVBAMTG0dudVRMUyB0ZXN0IGludGVybWVk" + "aWF0ZSBDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/" + "HsqwfvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8" + "vxbJl1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqI" + "hNyWDrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWl" + "WDuhzSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQp" + "kvKtc+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzkl" + "zz4b7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2" + "N6Epn4B5qnUCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD" + "BwQAMB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDAfBgNVHSMEGDAWgBQe" + "dyNtZzEfkQebli/s/MhG/ozhAzANBgkqhkiG9w0BAQsFAAOCATEAcF9R9VGQxTwW" + "aOjeIeQ9ZJxybaj0BaXC8xR4b9uZloS9d/RBFTjgRbQ82yqaj7f80mgUtabKRfTA" + "ltV2MgTbJdOjwGzEDtKGhClBbovnEGrYTbPBT9rgfYPt0q7SMBr6AzGAPt+ltwI7" + "9yntV81qvTxvW5MEEo0j2MuA3NT3oqe+w1rUKNQCWhnN2TUhJGkTlaaMozcgNFaE" + "Dplop4dtvCGtupxOjC3Nf6FWq1k7iZQxX70AFBYVMpuF7qGh6qDp+T1hmTCSVzxP" + "SfDQIBjhKgy4clhkuR5SRxhN74RX+/5eiQyVLxzr+eIhqzJhPqUCmVnCLcqYdNRi" + "hpHic4uJm0wGOKYTI7EG8rb4ZP4Jz6k4iN9CnL/+kiiW5otSl3YyCAuao5VKdDq9" + "izchzb9eow==" + "-----END CERTIFICATE-----", + "-----BEGIN CERTIFICATE-----" + "MIIDZTCCAh2gAwIBAgIULcrECQOBgPaePBfBHXcyZiU0IiYwDQYJKoZIhvcNAQEL" + "BQAwGTEXMBUGA1UEAxMOR251VExTIHRlc3QgQ0EwIBcNMjAwNTMxMTIxMTQzWhgP" + "OTk5OTEyMzEyMzU5NTlaMBkxFzAVBgNVBAMTDkdudVRMUyB0ZXN0IENBMIIBUjAN" + "BgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKCATEAnORCsX1unl//fy2d1054XduIg/3C" + "qVBaT3Hca65SEoDwh0KiPtQoOgZLdKY2cobGs/ojYtOjcs0KnlPYdmtjEh6WEhuJ" + "U95v4TQdC4OLMiE56eIGq252hZAbHoTL84Q14DxQWGuzQK830iml7fbw2WcIcRQ8" + "vFGs8SzfXw63+MI6Fq6iMAQIqP08WzGmRRzL5wvCiPhCVkrPmwbXoABub6AAsYwW" + "PJB91M9/lx5gFH5k9/iPfi3s2Kg3F8MOcppqFYjxDSnsfiz6eMh1+bYVIAo367vG" + "VYHigXMEZC2FezlwIHaZzpEoFlY3a7LFJ00yrjQ910r8UE+CEMTYzE40D0olCMo7" + "FA9RCjeO3bUIoYaIdVTUGWEGHWSeoxGei9Gkm6u+ASj8f+i0jxdD2qXsewIDAQAB" + "o0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYE" + "FB53I21nMR+RB5uWL+z8yEb+jOEDMA0GCSqGSIb3DQEBCwUAA4IBMQAeMSzMyuTy" + "FjXTjxAUv010bsr6e6fI9txq/S1tXmWWJV/8aeARthuOFZO5Jjy3C5aMbac2HDV4" + "Otu0+JLaoEMSXvorAhValVuq06i5cmaPzvJBcxMWzlEAXfavSwHv5Q+kqNU3z81S" + "WnjEpMHcl9OyER7o9IhF55Xom2BXY5XL83QOzQ4C3bpKrNevZC7i7zS8NoYRGP+8" + "w21JseXkWQW4o2hkFqbCcRE1dlMW02iJE28RZ5aBFDIm2Y6zuLaXZIkaO7E41CAw" + "IUyhowm/S1HcmQnhruAGKJvQtB6jvnhZb7pgnuSkhIvAQgw93CLE985KEua1ifY2" + "p1d/6ho2TWotHHqDnDkB8pC0Wzai8R+63z18Kt0gROX2QItCyFksjNJqYPbgwZgt" + "eh1COrLsOJo+" + "-----END CERTIFICATE-----", + NULL +}; + #if defined __clang__ || __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) # pragma GCC diagnostic push # pragma GCC diagnostic ignored "-Wunused-variable" @@ -4163,6 +4274,9 @@ static struct #endif { "rsa-512 - not ok (due to profile)", rsa_512, &rsa_512[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_MEDIUM), GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID, NULL, 1576759855, 1}, + { "ed448 - ok", ed448, &ed448[0], GNUTLS_PROFILE_TO_VFLAGS(GNUTLS_PROFILE_ULTRA), + 0, NULL, 1584352960, 1}, + { "superseding - ok", superseding, superseding_ca, 0, 0, 0, 1590928011 }, { NULL, NULL, NULL, 0, 0} }; diff --git a/tests/tls-session-ext-register.c b/tests/tls-session-ext-register.c index 7e907f5e96..6e44b9e60e 100644 --- a/tests/tls-session-ext-register.c +++ b/tests/tls-session-ext-register.c @@ -152,6 +152,7 @@ static void client(int sd, const char *name, const char *prio, unsigned flags, u int ret; gnutls_session_t session; gnutls_certificate_credentials_t clientx509cred; + const char *ext_name; void *p; side = "client"; @@ -179,6 +180,14 @@ static void client(int sd, const char *name, const char *prio, unsigned flags, u if (ret < 0) myfail("client: register extension\n"); + ext_name = gnutls_ext_get_name2(session, TLSEXT_TYPE_IGN, GNUTLS_EXT_ANY); + if (ext_name == NULL || strcmp(ext_name, "ext_ign")) + myfail("client: retrieve name of extension %u\n", TLSEXT_TYPE_IGN); + + ext_name = gnutls_ext_get_name2(session, TLSEXT_TYPE_IGN, GNUTLS_EXT_APPLICATION); + if (ext_name) + myfail("client: retrieve name of extension %u (expected none)\n", TLSEXT_TYPE_IGN); + ret = gnutls_session_ext_register(session, "ext_client", TLSEXT_TYPE_SAMPLE, GNUTLS_EXT_TLS, ext_recv_client_params, ext_send_client_params, NULL, NULL, NULL, flags); if (ret < 0) myfail("client: register extension\n"); diff --git a/tests/tls13/anti_replay.c b/tests/tls13/anti_replay.c index e0aea00385..506c11596a 100644 --- a/tests/tls13/anti_replay.c +++ b/tests/tls13/anti_replay.c @@ -24,11 +24,14 @@ #include <assert.h> #include <stdint.h> -#include "utils.h" #include "virt-time.h" #include "../../lib/tls13/anti_replay.h" #include "../../lib/system.h" +/* utils.h must be loaded after gnutls_int.h, as it redefines some + * macros from gnulib */ +#include "utils.h" + #define MAX_CLIENT_HELLO_RECORDED 10 struct storage_st { diff --git a/tests/tls13/no-auto-send-ticket.c b/tests/tls13/no-auto-send-ticket.c new file mode 100644 index 0000000000..2602f178a1 --- /dev/null +++ b/tests/tls13/no-auto-send-ticket.c @@ -0,0 +1,314 @@ +/* + * Copyright (C) 2017-2020 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos, Daiki Ueno + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> + +#if defined(_WIN32) + +int main() +{ + exit(77); +} + +#else + +#include <string.h> +#include <sys/types.h> +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <arpa/inet.h> +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <signal.h> +#include <assert.h> + +#include "../lib/handshake-defs.h" +#include "cert-common.h" +#include "utils.h" + +/* This program tests whether the certificate seen in Post Handshake Auth + * is found in a resumed session under TLS 1.3. + */ + +static void server_log_func(int level, const char *str) +{ + fprintf(stderr, "server|<%d>| %s", level, str); +} + +static void client_log_func(int level, const char *str) +{ + fprintf(stderr, "client|<%d>| %s", level, str); +} + +static unsigned tickets_seen = 0; +static int ticket_callback(gnutls_session_t session, unsigned int htype, + unsigned post, unsigned int incoming, const gnutls_datum_t *msg) +{ + gnutls_datum *d; + int ret; + + assert(htype == GNUTLS_HANDSHAKE_NEW_SESSION_TICKET); + + d = gnutls_session_get_ptr(session); + + if (post == GNUTLS_HOOK_POST) { + tickets_seen++; + if (d->data) + gnutls_free(d->data); + ret = gnutls_session_get_data2(session, d); + assert(ret >= 0); + assert(d->size > 4); + + return 0; + } + + return 0; +} + +static void client(int fd, unsigned flags, unsigned tickets) +{ + int ret; + gnutls_session_t session; + unsigned try = 0; + gnutls_datum_t session_data = {NULL, 0}; + gnutls_certificate_credentials_t x509_cred; + + global_init(); + tickets_seen = 0; + + if (debug) { + gnutls_global_set_log_function(client_log_func); + gnutls_global_set_log_level(7); + } + + assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); + + retry: + /* Initialize TLS session + */ + assert(gnutls_init(&session, GNUTLS_CLIENT|flags)>=0); + + gnutls_handshake_set_timeout(session, 20 * 1000); + + ret = gnutls_priority_set_direct(session, "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.0", NULL); + if (ret < 0) + fail("cannot set TLS 1.3 priorities\n"); + + + if (try == 0) { + gnutls_session_set_ptr(session, &session_data); + gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, + GNUTLS_HOOK_BOTH, + ticket_callback); + } else { + assert(gnutls_session_set_data(session, session_data.data, session_data.size) >= 0); + } + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); + + gnutls_transport_set_int(session, fd); + + /* Perform the TLS handshake + */ + do { + ret = gnutls_handshake(session); + } + while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + + if (ret != 0) + fail("handshake failed: %s\n", gnutls_strerror(ret)); + + do { + ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); + } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret != 0) { + fail("error in recv: %s\n", gnutls_strerror(ret)); + } + + if (tickets_seen != tickets) + fail("unexpected number of tickets received: %u != %u", + tickets_seen, tickets); + + gnutls_deinit(session); + + if (tickets > 0 && try == 0) { + try++; + goto retry; + } + + close(fd); + gnutls_free(session_data.data); + + gnutls_global_deinit(); +} + +static void server(int fd, unsigned flags, + unsigned tickets_sent, unsigned tickets_expected) +{ + int ret; + gnutls_session_t session; + gnutls_certificate_credentials_t x509_cred; + gnutls_datum_t skey; + + /* this must be called once in the program + */ + global_init(); + + assert(gnutls_session_ticket_key_generate(&skey)>=0); + + if (debug) { + gnutls_global_set_log_function(server_log_func); + gnutls_global_set_log_level(4711); + } + + gnutls_certificate_allocate_credentials(&x509_cred); + gnutls_certificate_set_x509_key_mem(x509_cred, &server_cert, + &server_key, + GNUTLS_X509_FMT_PEM); + + assert(gnutls_init(&session, GNUTLS_SERVER|flags)>=0); + + assert(gnutls_session_ticket_enable_server(session, &skey) >= 0); + gnutls_handshake_set_timeout(session, 20 * 1000); + + assert(gnutls_priority_set_direct(session, "NORMAL:+VERS-TLS1.3", NULL)>=0); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); + + gnutls_transport_set_int(session, fd); + + do { + ret = gnutls_handshake(session); + } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + + if (ret != 0) + fail("handshake failed: %s\n", gnutls_strerror(ret)); + + if (tickets_sent > 0) { + do { + ret = gnutls_session_ticket_send(session, tickets_sent, 0); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + } + + do { + ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); + } while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + gnutls_deinit(session); + + if (tickets_expected > 0) { + /* resume session + */ + assert(gnutls_init(&session, GNUTLS_SERVER|flags)>=0); + + assert(gnutls_session_ticket_enable_server(session, &skey) >= 0); + gnutls_handshake_set_timeout(session, 20 * 1000); + assert(gnutls_priority_set_direct(session, "NORMAL:+VERS-TLS1.3", NULL)>=0); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); + + gnutls_transport_set_int(session, fd); + + do { + ret = gnutls_handshake(session); + } while (ret < 0 && gnutls_error_is_fatal(ret) == 0); + + if (ret != 0) + fail("handshake failed: %s\n", gnutls_strerror(ret)); + + assert(gnutls_session_is_resumed(session) != 0); + + gnutls_bye(session, GNUTLS_SHUT_RDWR); + gnutls_deinit(session); + } + + gnutls_free(skey.data); + close(fd); + gnutls_certificate_free_credentials(x509_cred); + + gnutls_global_deinit(); + + if (debug) + success("server: client/server hello were verified\n"); +} + +static void ch_handler(int sig) +{ + int status = 0; + wait(&status); + check_wait_status(status); + return; +} + +static void start(const char *name, + unsigned flags, + unsigned tickets_sent, + unsigned tickets_expected) +{ + int fd[2]; + int ret; + pid_t child; + + success("testing: %s\n", name); + + ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd); + if (ret < 0) { + perror("socketpair"); + exit(1); + } + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + exit(1); + } + + if (child) { + /* parent */ + close(fd[1]); + server(fd[0], flags, tickets_sent, tickets_expected); + kill(child, SIGTERM); + } else { + close(fd[0]); + client(fd[1], flags, tickets_expected); + exit(0); + } + +} + +void doit(void) +{ + signal(SIGCHLD, ch_handler); + signal(SIGPIPE, SIG_IGN); + + start("auto send ticket 0", 0, 0, TLS13_TICKETS_TO_SEND); + start("auto send ticket 1", 0, 1, TLS13_TICKETS_TO_SEND + 1); + start("no auto send ticket 0", GNUTLS_NO_AUTO_SEND_TICKET, 0, 0); + start("no auto send ticket 1", GNUTLS_NO_AUTO_SEND_TICKET, 1, 1); +} +#endif /* _WIN32 */ diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c index 414b1db5ea..bc3196248f 100644 --- a/tests/tls13/prf-early.c +++ b/tests/tls13/prf-early.c @@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size) } \ } -#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68" -#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b" -#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62" -#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b" +#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04" +#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f" +#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec" +#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0" static int handshake_callback_called; diff --git a/tests/tls13/prf-early.sh b/tests/tls13/prf-early.sh index b19da4cb65..7f62aba8d8 100755 --- a/tests/tls13/prf-early.sh +++ b/tests/tls13/prf-early.sh @@ -23,7 +23,7 @@ builddir="${builddir:-.}" . "${srcdir}/scripts/common.sh" -check_for_datefudge +skip_if_no_datefudge datefudge -s 2019-04-12 "${builddir}/tls13/prf-early" "$@" exit $? diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c index a8a529bcb8..c9c9f80b7b 100644 --- a/tests/tls13/prf.c +++ b/tests/tls13/prf.c @@ -234,6 +234,12 @@ static void client(int fd) exit(1); } + ret = gnutls_prf_hash_get(session); + if (ret != GNUTLS_DIG_SHA384) { + fprintf(stderr, "negotiated unexpected hash: %s\n", gnutls_digest_get_name(ret)); + exit(1); + } + check_prfs(session); gnutls_bye(session, GNUTLS_SHUT_WR); diff --git a/tests/tls_hello_random_value.c b/tests/tls_hello_random_value.c new file mode 100644 index 0000000000..8841d2e2cc --- /dev/null +++ b/tests/tls_hello_random_value.c @@ -0,0 +1,267 @@ +/* + * Copyright (C) 2017-2020 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + */ + +/* This program tests whether the second DTLS client hello contains the same + * random value, and whether it is initialized. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int main(int argc, char **argv) +{ + exit(77); +} + +#else + +#include <string.h> +#include <sys/types.h> +#include <sys/socket.h> +#if !defined(_WIN32) +#include <sys/wait.h> +#include <signal.h> +#endif +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <assert.h> + +#include "utils.h" +#include "cert-common.h" + +const char *side = ""; + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "%s|<%d>| %s", side, level, str); +} + +static unsigned cb_called = 0; + +static int hello_callback(gnutls_session_t session, unsigned int htype, + unsigned post, unsigned int incoming, const gnutls_datum_t *msg) +{ + unsigned non_zero = 0, i; + + if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && post == GNUTLS_HOOK_POST) { + if (cb_called == 0) { + unsigned char crandom[32]; + gnutls_datum_t tmp; + gnutls_session_get_random(session, &tmp, NULL); + assert(tmp.size == 32); + + memcpy(crandom, tmp.data, tmp.size); + cb_called++; + + /* check if uninitialized */ + for (i=0;i<32;i++) { + if (crandom[i] != 0) { + non_zero++; + } + } + if (non_zero <= 8) { + fail("the client random value seems uninitialized\n"); + } + } else { + cb_called++; + } + } else if (htype == GNUTLS_HANDSHAKE_SERVER_HELLO && post == GNUTLS_HOOK_POST) { + unsigned char crandom[32]; + gnutls_datum_t tmp; + gnutls_session_get_random(session, NULL, &tmp); + assert(tmp.size == 32); + + memcpy(crandom, tmp.data, tmp.size); + + /* check if uninitialized */ + for (i=0;i<32;i++) { + if (crandom[i] != 0) { + non_zero++; + } + } + if (non_zero <= 8) { + fail("the server random value seems uninitialized\n"); + } + } + + return 0; +} + +static void client(int sd, const char *priority) +{ + int ret; + gnutls_session_t session; + gnutls_certificate_credentials_t clientx509cred; + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + side = "client"; + + gnutls_certificate_allocate_credentials(&clientx509cred); + + assert(gnutls_init(&session, GNUTLS_CLIENT)>=0); + + if (!priority) { + assert(gnutls_set_default_priority(session) >= 0); + } else { + assert(gnutls_priority_set_direct(session, priority, NULL) >= 0); + } + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, + clientx509cred); + + gnutls_transport_set_int(session, sd); + gnutls_handshake_set_timeout(session, 20 * 1000); + + gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_ANY, + GNUTLS_HOOK_BOTH, hello_callback); + + ret = gnutls_handshake(session); + + if (ret < 0) { + fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); + } else { + if (debug) + success("client: Handshake was completed\n"); + } + + if (cb_called != 1) { + fail("client: the callback was not seen (%d)!\n", cb_called); + } + + gnutls_bye(session, GNUTLS_SHUT_WR); + close(sd); + + gnutls_deinit(session); + + gnutls_certificate_free_credentials(clientx509cred); +} + +static void server(int sd, const char *priority) +{ + int ret; + gnutls_certificate_credentials_t serverx509cred; + gnutls_session_t session; + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(4711); + + side = "server"; + + assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0); + assert(gnutls_certificate_set_x509_key_mem(serverx509cred, + &server_cert, &server_key, + GNUTLS_X509_FMT_PEM)>=0); + + assert(gnutls_init(&session, GNUTLS_SERVER)>=0); + assert(session != NULL); + + if (!priority) { + assert(gnutls_set_default_priority(session) >= 0); + } else { + assert(gnutls_priority_set_direct(session, priority, NULL) >= 0); + } + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, + serverx509cred); + + gnutls_transport_set_int(session, sd); + gnutls_handshake_set_timeout(session, 20 * 1000); + + ret = gnutls_handshake(session); + if (ret < 0) { + fail("server: Handshake has failed: %s\n\n", + gnutls_strerror(ret)); + } + if (debug) + success("server: Handshake was completed\n"); + + /* do not wait for the peer to close the connection. + */ + gnutls_bye(session, GNUTLS_SHUT_WR); + close(sd); + gnutls_deinit(session); + + gnutls_certificate_free_credentials(serverx509cred); + + if (debug) + success("server: finished\n"); +} + +static void start(const char *name, const char *priority) +{ + pid_t child; + int sockets[2]; + int err; + + success("testing: %s\n", name); + cb_called = 0; + + err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) { + perror("socketpair"); + fail("socketpair failed\n"); + return; + } + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + return; + } + + if (child) { + int status = 0; + /* parent */ + close(sockets[1]); + client(sockets[0], priority); + wait(&status); + check_wait_status(status); + } else { + close(sockets[0]); + server(sockets[1], priority); + exit(0); + } +} + +void doit(void) +{ + signal(SIGPIPE, SIG_IGN); + + start("default", NULL); + start("tls1.3", "NORMAL:-VERS-ALL:+VERS-TLS1.3"); + start("tls1.2", "NORMAL:-VERS-ALL:+VERS-TLS1.2"); + start("tls1.1", "NORMAL:-VERS-ALL:+VERS-TLS1.1"); + start("tls1.0", "NORMAL:-VERS-ALL:+VERS-TLS1.0"); +} + +#endif /* _WIN32 */ diff --git a/tests/utils.h b/tests/utils.h index 61d6dc9f9e..935368088a 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -41,13 +41,13 @@ # error tests cannot be compiled with NDEBUG defined #endif -#if _GNUTLS_GCC_VERSION >= 70100 -#define FALLTHROUGH __attribute__ ((fallthrough)) -#endif - #ifndef FALLTHROUGH +#if _GNUTLS_GCC_VERSION >= 70100 +# define FALLTHROUGH __attribute__ ((fallthrough)) +#else # define FALLTHROUGH #endif +#endif /* number of elements within an array */ #define countof(a) (sizeof(a)/sizeof(*(a))) diff --git a/tests/x509cert-dntypes.c b/tests/x509cert-dntypes.c new file mode 100644 index 0000000000..10d795012d --- /dev/null +++ b/tests/x509cert-dntypes.c @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2020 Pierre Ossman for Cendio AB + * + * Author: Pierre Ossman + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include "utils.h" + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "<%d>| %s", level, str); +} + +/* the issuer/subject connection between the server cert and the CA + * cert uses different ASN.1 types, which is uncommon but allowed */ + +static unsigned char server_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIDZTCCAc2gAwIBAgIUB7aVTQvtbBpOEtKELkBkLViM0eIwDQYJKoZIhvcNAQEL\n" + "BQAwEjEQMA4GA1UEAwwHVGVzdCBDQTAeFw0yMDAzMjYxMDE4NTdaFw0yMTAzMjYx\n" + "MDE4NTdaMBYxFDASBgNVBAMMC1Rlc3QgY2xpZW50MIIBIjANBgkqhkiG9w0BAQEF\n" + "AAOCAQ8AMIIBCgKCAQEAviqj5S/xe39agbMnq/oPAQmdIhalB17Ewc3AZlD8n+zQ\n" + "scPDNvnk4gxSeSXePtXmh0OaGcBKbMAkjiyo2gPBmV3ay34LQuk97nJxE2TUAWMm\n" + "S8yFwP3yoE+GZ5eYjv+HGQxeAP9uHLjho/jHjVGgUOCVv1QjsKyRx8Tuvy9TH3ON\n" + "DuMPw3Jmnq0OhLy2+SjU0ug5jxfWJvnfeGoFzRgalmWGyoAQsH9bqha/D44QSen+\n" + "Zbbt/A4uNIILAENYuHXEfvpmBuZPpocOb6h2huGbp6iHZfdZUHso37UmWT6PXh+2\n" + "dASPaCpAr3bURBhnEsQM43njb8METZewMeoQxwZC0QIDAQABoy8wLTAMBgNVHRMB\n" + "Af8EAjAAMB0GA1UdDgQWBBSb3h7ZbajS/2RWx2a7hTVSkur0FDANBgkqhkiG9w0B\n" + "AQsFAAOCAYEAPfwyvOwNEjIvlifjBVhiWmrtZAS2YaY9jqFnaA2PvYY2FVyC3AMu\n" + "3BGAorau/4DL3P92/9SlygEmBQpqCq+AJnQRH6WKFT4avAOmw3yc0++st+DhGK0I\n" + "6Cr69WccVi0Kmxi1XP4dpPDWSuVCOP6rGc3ulgEH83xF4ZL+3qVA9Fihsie3ZZme\n" + "7mqWOznVO1MZHLDFIUEoRdOSin5bIkl7FPOCZqMsWRM41GuA1h4aX/X5dLeqRW1c\n" + "mJ5CNRWwPIPcwgqeldFnx07svCv9QseUDaIw+C9vZOlgfIgp0qeYoR6fsD38WcUC\n" + "eJPsOUwhdhMcw+/PM16iwzd89dI+PCecFY9FeLh9YeihZm0DnG8L0To1Y2ry+WRf\n" + "w5knR3FReHPcelymvSKZSEG0d/KKHXBeKWgcrCrdnn4ya71eblsNzO3vnxB5k0Zj\n" + "WcQ3wfeftQKDEIuaRHUP6B4zx2teJWMWvJLcXuavoqo0z3L5EN74RztCpnP9ykSH\n" + "ZsYWoJ3aelFv\n" + "-----END CERTIFICATE-----\n"; + +static unsigned char ca_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIID5DCCAkygAwIBAgIUB4lnLAeQ20wlYbqt5ykgvWOPNzgwDQYJKoZIhvcNAQEL\n" + "BQAwEjEQMA4GA1UEAxMHVGVzdCBDQTAeFw0yMDAzMjYxMDI0MjhaFw0yMDAzMjcx\n" + "MDI0MjhaMBIxEDAOBgNVBAMTB1Rlc3QgQ0EwggGiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "jwAwggGKAoIBgQCt9z/noU7qCPquzzgwNvu/rwXyIvxmqdWhpfpBOmVq8wpgUDUU\n" + "cQ94F65UfTo3EcYXCoDs43E4Wo8KmF5YQM2xK+LrH28XmpL3z+NoQGaZoUVrMWp6\n" + "rbIeoGZvITaaGn2uEbGT7iRkBUdS4wOjUT13IxpG8cM4d0i0DIsqSlUPnQCfyMqf\n" + "jsVhO9IQsn7qMo0+2nNCI5JqblEXRvL39hHzJMOsq1NRqZO1Zjt9HCIB7m7Q42Jx\n" + "e8zm7RzTiBFVKecxb5h4mmt3tUZQ0Kjd94yE6ARSE0rULmO+6H7hgI6sU8vqfSFe\n" + "DimQ5mPReumBRDcErX+c7bRGPRul41kAB8XvPmAHG8xCepjH8xrgY/FeVBQT74xm\n" + "MEYQaxdGpa8Azx6MZCrZOI0rzu+zI0CBQGE1h1Xk8HBozrn/G2OOAZcXyzHzq56R\n" + "Z52zEQYFZmKH9tHTDI6fMfo8clr7esb/wmgEOt/lJYE9IMJrzUh+IwWuowdYaDVj\n" + "nMrboUBVepmBKSUCAwEAAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU\n" + "rhkYiczAkbCcVfNr67VGGaqilbgwDQYJKoZIhvcNAQELBQADggGBAGYiUTKdYBXk\n" + "lZFIhZkCc33/lCgJw2mSrdAd+xJmJonRPy3qmYy3HniOmQdRVqResLALubz89VjJ\n" + "dSeokujFrlNtb4CygojseqTsxWgeZlKjLU3tJ/Xn+DFIiP7k9+WPW7KFIIW0fq61\n" + "MAI0lKjqpC8sJTlXoJemDw9MW/380nKr+K1YY3arRzsSHEIeA54xOggKEwvgz11A\n" + "47xT83WoLwFQ4e9LZfCsL/M51lsLHAlJzDKyTTeSxCi/C6kUIzx8QyxHKYgBuNxz\n" + "8vVLY/YzUv/l5ELYQ9gkAX0vZWdw7pqASUY8yvbzImrWqjFAHeN3zK687Ke9uppS\n" + "dmjvPwvTK+SKm++NR8YCwb3xqHQHMYHV3lxjlOhaN6rxBW0l4gtvb2FMlhcljiZ+\n" + "tF2ObVwEs6nqJSGrzubp0os+WmnbVSCaHz9jnRWb68C87mXCZkbA7FTSKJOVuqRM\n" + "vVTcHQ7jwGQ2/SvikndFQ53zi2j9o/jTOiFv29rEOeHu67UAiFSi2A==\n" + "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server = { server_pem, sizeof(server_pem)-1 }; +const gnutls_datum_t ca = { ca_pem, sizeof(ca_pem)-1 }; + +void doit(void) +{ + int ret; + gnutls_x509_crt_t server_crt, ca_crt; + + /* this must be called once in the program + */ + global_init(); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + gnutls_x509_crt_init(&server_crt); + + ret = + gnutls_x509_crt_import(server_crt, &server, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + gnutls_x509_crt_init(&ca_crt); + + ret = + gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + ret = gnutls_x509_crt_check_issuer(server_crt, ca_crt); + if (!ret) + fail("gnutls_x509_crt_check_issuer"); + + gnutls_x509_crt_deinit(ca_crt); + gnutls_x509_crt_deinit(server_crt); + + gnutls_global_deinit(); + + if (debug) + success("success"); +} |