diff options
author | Daiki Ueno <ueno@gnu.org> | 2021-11-29 14:20:48 +0000 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2021-11-29 14:20:48 +0000 |
commit | d8be349fb196d569309f90f5070d7f3958128bce (patch) | |
tree | 01e4cc019a6b7520d59499b31226beabeb54f57c /tests | |
parent | 155926489c0950e40355523043773a782a8d986a (diff) | |
parent | 0ecce7191dfd78387f2994253d37ed1df50d563d (diff) | |
download | gnutls-d8be349fb196d569309f90f5070d7f3958128bce.tar.gz |
Merge branch 'wip/dueno/config-allowlisting' into 'master'
priority: support allowlisting in configuration file
Closes #1172
See merge request gnutls/gnutls!1427
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 6 | ||||
-rwxr-xr-x | tests/system-override-curves-allowlist.sh | 113 | ||||
-rwxr-xr-x | tests/system-override-hash-allowlist.sh | 41 | ||||
-rwxr-xr-x | tests/system-override-sig-allowlist.sh | 43 | ||||
-rwxr-xr-x | tests/system-override-special-allowlist.sh | 177 | ||||
-rwxr-xr-x | tests/system-override-versions-allowlist.sh | 109 |
6 files changed, 489 insertions, 0 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index d15595a657..b7fee50488 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -523,6 +523,12 @@ dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \ system-override-curves.sh system-override-profiles.sh system-override-tls.sh \ system-override-kx.sh system-override-default-priority-string.sh \ system-override-sig-tls.sh system-override-hash-filters-prf.sh + +dist_check_SCRIPTS += system-override-sig-allowlist.sh \ + system-override-hash-allowlist.sh \ + system-override-versions-allowlist.sh \ + system-override-curves-allowlist.sh \ + system-override-special-allowlist.sh endif dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh diff --git a/tests/system-override-curves-allowlist.sh b/tests/system-override-curves-allowlist.sh new file mode 100755 index 0000000000..08f3e2ca94 --- /dev/null +++ b/tests/system-override-curves-allowlist.sh @@ -0,0 +1,113 @@ +#!/bin/sh + +# Copyright (C) 2019 Red Hat, Inc. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/> + +: ${srcdir=.} +: ${SERV=../src/gnutls-serv${EXEEXT}} +: ${CLI=../src/gnutls-cli${EXEEXT}} +TMPFILE=config.$$.tmp +TMPFILE2=log.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +. "${srcdir}/scripts/common.sh" + +# This test doesn't work in FIPS mode +if test -n "${GNUTLS_FORCE_FIPS_MODE}" && test "${GNUTLS_FORCE_FIPS_MODE}" != 0; then + exit 77 +fi + +# We intentionally add stray spaces and tabs to check our parser +cat <<_EOF_ > ${TMPFILE} +[global] +override-mode = allowlist + +[overrides] +enabled-curve = secp384r1 +_EOF_ + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" +export GNUTLS_DEBUG_LEVEL=3 + +"${CLI}" --list|grep ^Groups >${TMPFILE2} +cat ${TMPFILE2} +if grep -i "SECP256R1" ${TMPFILE2} || grep -i "SECP521R1" ${TMPFILE2};then + echo "Found disabled curve with --list" + exit 1 +fi + +if ! grep -i "SECP384R1" ${TMPFILE2};then + echo "Could not found secp384r1" + exit 1 +fi + +# Try whether a client connection with a disabled curve will succeed. + +KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem +CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem + +unset GNUTLS_SYSTEM_PRIORITY_FILE + +eval "${GETPORT}" +launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1} +PID=$! +wait_server ${PID} + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null || + fail "expected connection to succeed (1)" + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1 --insecure --logfile ${TMPFILE2} </dev/null >/dev/null && + fail "expected connection to fail (2)" + +kill ${PID} +wait + +# Try whether a server connection with a disabled curve will succeed. + +KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem +CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem + +eval "${GETPORT}" +launch_server --echo --priority "NORMAL" --x509keyfile ${KEY1} --x509certfile ${CERT1} +PID=$! +wait_server ${PID} + +unset GNUTLS_SYSTEM_PRIORITY_FILE + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-CURVE-ALL:+CURVE-SECP256R1:+CURVE-SECP521R1" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null && + fail "expected connection to fail (2)" + +kill ${PID} +wait + +exit 0 diff --git a/tests/system-override-hash-allowlist.sh b/tests/system-override-hash-allowlist.sh new file mode 100755 index 0000000000..651a596461 --- /dev/null +++ b/tests/system-override-hash-allowlist.sh @@ -0,0 +1,41 @@ +#!/bin/sh + +# Copyright (C) 2019 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +: ${builddir=.} +TMPFILE=c.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +cat <<_EOF_ > ${TMPFILE} +[global] +override-mode = allowlist + +[overrides] +secure-hash = sha384 +secure-sig = rsa-pss-sha384 +_EOF_ + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +"${builddir}/system-override-hash" +rc=$? +rm ${TMPFILE} +exit $rc diff --git a/tests/system-override-sig-allowlist.sh b/tests/system-override-sig-allowlist.sh new file mode 100755 index 0000000000..70b02f14cb --- /dev/null +++ b/tests/system-override-sig-allowlist.sh @@ -0,0 +1,43 @@ +#!/bin/sh + +# Copyright (C) 2019 Nikos Mavrogiannopoulos +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +: ${builddir=.} +TMPFILE=c.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +cat <<_EOF_ > ${TMPFILE} +[global] +override-mode = allowlist + +[overrides] +secure-hash = sha256 +secure-sig = rsa-sha256 +secure-hash = sha384 +secure-sig = rsa-pss-sha384 +_EOF_ + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +"${builddir}/system-override-sig" +rc=$? +rm ${TMPFILE} +exit $rc diff --git a/tests/system-override-special-allowlist.sh b/tests/system-override-special-allowlist.sh new file mode 100755 index 0000000000..47e838e580 --- /dev/null +++ b/tests/system-override-special-allowlist.sh @@ -0,0 +1,177 @@ +#!/bin/sh + +# Copyright (C) 2021 Red Hat, Inc. +# +# Author: Alexander Sosedkin +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +: ${srcdir=.} +: ${CLI=../src/gnutls-cli${EXEEXT}} +: ${GREP=grep} +: ${DIFF=diff} +: ${SED=sed} + +if ! test -x "${CLI}"; then + exit 77 +fi + +TMPCFGFILE=cfg.$$.tmp +TMPREFFILE=ref.$$.tmp +TMPCMPFILE=cmp.$$.tmp +TMPOUTFILE=out.$$.tmp +TMPSPECIAL=spc.$$.tmp + +# extract the list of %SPECIALs from the sources + +< ${srcdir}/../lib/priority_options.gperf \ + ${SED} -ne '/\([A-Z_0-9]\{1,\}\), .*/p' | \ + ${SED} -e 's/\([A-Z_0-9]\{1,\}\), .*/\1/' > "${TMPSPECIAL}" + +if ! ${GREP} -Fqx STATELESS_COMPRESSION "${TMPSPECIAL}"; then + cat "${TMPSPECIAL}" + echo 'source-extracted list of %SPECIALs has no %STATELESS_COMPRESSION' + exit 1 +fi + +# Set up a configuration file using allowlisting +# allowing for both TLS 1.2 and TLS 1.3 +# (so that %NO_EXTENSIONS later caps that just TLS 1.2) + +cat <<_EOF_ > ${TMPCFGFILE} +[global] +override-mode = allowlist + +[overrides] +secure-hash = SHA256 +tls-enabled-mac = AEAD +tls-enabled-group = GROUP-FFDHE3072 +secure-sig = RSA-SHA256 +tls-enabled-cipher = AES-128-GCM +tls-enabled-kx = RSA +enabled-version = TLS1.3 +enabled-version = TLS1.2 +_EOF_ +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPCFGFILE}" +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +# Smoke --list, @SYSTEM + +${CLI} --list -d 4 --priority @SYSTEM &>"${TMPOUTFILE}" +if test $? != 0; then + cat "${TMPOUTFILE}" + echo 'fails with just @SYSTEM' + exit 1 +fi +if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.3, VERS-TLS1.2' \ + "${TMPOUTFILE}"; then + cat "${TMPOUTFILE}" + echo 'unexpected protocol list with @SYSTEM' + exit 1 +fi +if ! ${GREP} -Fq TLS_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then + cat "${TMPOUTFILE}" + echo 'no TLS_AES_128_GCM_SHA256 with just @SYSTEM' + exit 1 +fi +if ! ${GREP} -q TLS_RSA_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then + cat "${TMPOUTFILE}" + echo 'no TLS_RSA_AES_128_GCM_SHA256 with just @SYSTEM' + exit 1 +fi +${SED} 's/for @SYSTEM/for ---PRIORITY---/' "${TMPOUTFILE}" > "${TMPREFFILE}" + +# Smoke-test a no-op %STATELESS_COMPRESSION, expect --list to stay the same + +${CLI} --list -d 4 --priority @SYSTEM:%STATELESS_COMPRESSION &>"${TMPOUTFILE}" +if test $? != 0; then + cat "${TMPOUTFILE}" + echo 'fails with %STATELESS_COMPRESSION' + exit 1 +fi +${SED} 's/for @SYSTEM:%STATELESS_COMPRESSION/for ---PRIORITY---/' \ + "${TMPOUTFILE}" > "${TMPCMPFILE}" +if ! ${DIFF} "${TMPCMPFILE}" "${TMPREFFILE}"; then + echo '%STATELESS_COMPRESSION has changed the output' + exit 1 +fi + +# Smoke-test %NONEXISTING_OPTION, expect a syntax error + +${CLI} --list -d 4 --priority @SYSTEM:%NONEXISTING_OPTION &>"${TMPOUTFILE}" +if test $? = 0; then + cat "${TMPOUTFILE}" + echo 'unknown option was not caught' + exit 1 +fi +if ! ${GREP} -Fq 'Syntax error at: @SYSTEM:%NONEXISTING_OPTION' "${TMPOUTFILE}" +then + cat "${TMPOUTFILE}" + echo 'unknown option was not errored upon' + exit 1 +fi + +# Test impact-less %SPECIALs, expect --list to stay the same + +while read special; do + if test "$special" = NO_EXTENSIONS; then + continue # see below + fi + prio="@SYSTEM:%$special" + ${CLI} --list -d 4 --priority "$prio" &>"${TMPOUTFILE}" + if test $? != 0; then + cat "${TMPOUTFILE}" + echo "fails with $prio" + exit 1 + fi + ${SED} "s/for $prio/for ---PRIORITY---/" "${TMPOUTFILE}" \ + > "${TMPCMPFILE}" + if ! ${DIFF} "${TMPCMPFILE}" "${TMPREFFILE}"; then + echo "$special has changed the output" + exit 1 + fi +done < "${TMPSPECIAL}" + +# Check that %NO_EXTENSIONS changes the output, capping it to TLS 1.2 + +${CLI} --list -d 4 --priority @SYSTEM:%NO_EXTENSIONS &>"${TMPOUTFILE}" +if test $? != 0; then + cat "${TMPOUTFILE}" + echo 'fails with just @SYSTEM' + exit 1 +fi +if ! ${GREP} -Fqx 'Protocols: VERS-TLS1.2' \ + "${TMPOUTFILE}"; then + cat "${TMPOUTFILE}" + echo 'unexpected protocol list with @SYSTEM:%NO_EXTENSIONS' + exit 1 +fi +if ${GREP} -Fq TLS_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then + cat "${TMPOUTFILE}" + echo 'TLS_AES_128_GCM_SHA256 present with @SYSTEM:%NO_EXTENSIONS' + exit 1 +fi +if ! ${GREP} -q TLS_RSA_AES_128_GCM_SHA256 "${TMPOUTFILE}"; then + cat "${TMPOUTFILE}" + echo 'no TLS_RSA_AES_128_GCM_SHA256 with @SYSTEM:%NO_EXTENSIONS' + exit 1 +fi + +rm "${TMPCFGFILE}" "${TMPREFFILE}" "${TMPCMPFILE}" "${TMPOUTFILE}" +rm "${TMPSPECIAL}" + +exit 0 diff --git a/tests/system-override-versions-allowlist.sh b/tests/system-override-versions-allowlist.sh new file mode 100755 index 0000000000..b708c8c7e4 --- /dev/null +++ b/tests/system-override-versions-allowlist.sh @@ -0,0 +1,109 @@ +#!/bin/sh + +# Copyright (C) 2019 Red Hat, Inc. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# GnuTLS is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at +# your option) any later version. +# +# GnuTLS is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GnuTLS; if not, write to the Free Software Foundation, +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +: ${srcdir=.} +: ${SERV=../src/gnutls-serv${EXEEXT}} +: ${CLI=../src/gnutls-cli${EXEEXT}} +TMPFILE=config.$$.tmp +TMPFILE2=log.$$.tmp +export GNUTLS_SYSTEM_PRIORITY_FAIL_ON_INVALID=1 + +if ! test -x "${SERV}"; then + exit 77 +fi + +if ! test -x "${CLI}"; then + exit 77 +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +. "${srcdir}/scripts/common.sh" + +cat <<_EOF_ > ${TMPFILE} +[global] +override-mode = allowlist + +[overrides] +enabled-version = tls1.1 +_EOF_ + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" +export GNUTLS_DEBUG_LEVEL=3 + +"${CLI}" --list --priority=@SYSTEM | grep Protocols >${TMPFILE2} +cat ${TMPFILE2} +if grep 'VERS-TLS1\.[23]' ${TMPFILE2}; then + echo "Found disabled protocol with --list" + exit 1 +fi + +PRIO=@SYSTEM:+CIPHER-ALL:+MAC-ALL:+GROUP-ALL + +"${CLI}" --priority "$PRIO" --list | grep Protocols >${TMPFILE2} +cat ${TMPFILE2} +if grep 'VERS-TLS1\.[23]' ${TMPFILE2}; then + echo "Found disabled protocol with --list --priority $PRIO" + exit 1 +fi + +# Try whether a client connection with these protocols will succeed. + +KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem +CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem + +unset GNUTLS_SYSTEM_PRIORITY_FILE + +eval "${GETPORT}" +launch_server --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --x509keyfile ${KEY1} --x509certfile ${CERT1} +PID=$! +wait_server ${PID} + +export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority "$PRIO" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null && + fail "expected connection to fail (1)" + +kill ${PID} +wait + +# Try whether a server connection with these protocols will succeed. + +KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem +CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem + +eval "${GETPORT}" +launch_server --echo --priority "$PRIO" --x509keyfile ${KEY1} --x509certfile ${CERT1} +PID=$! +wait_server ${PID} + +unset GNUTLS_SYSTEM_PRIORITY_FILE + +"${CLI}" -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" --insecure --logfile ${TMPFILE2} </dev/null >/dev/null && + fail "expected connection to fail (2)" + +kill ${PID} +wait + +exit 0 |