From 5144e059d1b6d0f6657a792ae9fe8df62ffda7d4 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 17 Oct 2017 15:23:06 +0200 Subject: tests: check operation of gnutls_certificate_set_ocsp_status_request_function3 That is, check whether the callback for OCSP responses is run, when the server provides its certificate via a callback instead of statically. Signed-off-by: Nikos Mavrogiannopoulos --- tests/Makefile.am | 2 +- tests/x509-cert-callback-ocsp.c | 239 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 1 deletion(-) create mode 100644 tests/x509-cert-callback-ocsp.c diff --git a/tests/Makefile.am b/tests/Makefile.am index 037b996a7f..cda3b722e0 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -130,7 +130,7 @@ ctests += mini-record-2 simple gc set_pkcs12_cred cert certuniqueid tls-neg-ext- tls-ext-register tls-supplemental mini-dtls0-9 duplicate-extensions \ mini-record-retvals mini-server-name tls-etm x509-cert-callback \ client-sign-md5-rep tls12-invalid-key-exchanges session-rdn-read \ - tls13-cert-key-exchange \ + tls13-cert-key-exchange x509-cert-callback-ocsp \ server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ x509sign-verify-rsa x509sign-verify-ecdsa mini-alignment oids atfork prf psk-file \ status-request status-request-ok status-request-missing sign-verify-ext \ diff --git a/tests/x509-cert-callback-ocsp.c b/tests/x509-cert-callback-ocsp.c new file mode 100644 index 0000000000..db41b0c3aa --- /dev/null +++ b/tests/x509-cert-callback-ocsp.c @@ -0,0 +1,239 @@ +/* + * Copyright (C) 2015-2017 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include "utils.h" +#include "eagain-common.h" +#include "cert-common.h" + +/* This tests gnutls_certificate_set_x509_key() */ + +const char *side; + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "%s|<%d>| %s", side, level, str); +} + +static gnutls_privkey_t server_pkey = NULL; +static gnutls_pcert_st *server_pcert = NULL; + +static int +server_cert_callback(gnutls_session_t session, + const gnutls_datum_t * req_ca_rdn, int nreqs, + const gnutls_pk_algorithm_t * sign_algos, + int sign_algos_length, gnutls_pcert_st ** pcert, + unsigned int *pcert_length, gnutls_privkey_t * pkey) +{ + int ret; + gnutls_pcert_st *p; + gnutls_privkey_t lkey; + gnutls_x509_crt_t *certs; + unsigned certs_size, i; + + if (server_pkey == NULL) { + p = gnutls_malloc(2 * sizeof(*p)); + if (p == NULL) + return -1; + + ret = gnutls_x509_crt_list_import2(&certs, &certs_size, + &server_ca3_localhost_cert_chain, + GNUTLS_X509_FMT_PEM, 0); + if (ret < 0) + return -1; + ret = gnutls_pcert_import_x509_list(p, certs, &certs_size, 0); + if (ret < 0) + return -1; + for (i = 0; i < certs_size; i++) + gnutls_x509_crt_deinit(certs[i]); + gnutls_free(certs); + + ret = gnutls_privkey_init(&lkey); + if (ret < 0) + return -1; + + ret = + gnutls_privkey_import_x509_raw(lkey, &server_ca3_key, + GNUTLS_X509_FMT_PEM, NULL, + 0); + if (ret < 0) + return -1; + + server_pcert = p; + server_pkey = lkey; + + *pcert = p; + *pcert_length = 2; + *pkey = lkey; + } else { + *pcert = server_pcert; + *pcert_length = 2; + *pkey = server_pkey; + } + + return 0; +} + +#define OCSP_SIZE 16 +#define OCSP_DATA "\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0" +static int ocsp_func(gnutls_session_t session, const gnutls_cert_info_st *cinfo, + void *ptr, gnutls_datum_t *response) +{ + response->size = OCSP_SIZE; + response->data = gnutls_malloc(response->size); + assert(response->data != NULL); + + memcpy(response->data, OCSP_DATA, response->size); + + return 0; +} + +static void start(const char *prio) +{ + int exit_code = EXIT_SUCCESS; + int ret; + /* Server stuff. */ + gnutls_certificate_credentials_t scred; + gnutls_session_t server; + gnutls_datum_t response; + int sret = GNUTLS_E_AGAIN; + /* Client stuff. */ + gnutls_certificate_credentials_t ccred; + gnutls_session_t client; + int cret = GNUTLS_E_AGAIN; + + success("testing %s\n", prio); + + /* General init. */ + global_init(); + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(2); + + /* Init server */ + gnutls_certificate_allocate_credentials(&scred); + + gnutls_certificate_set_retrieve_function2(scred, + server_cert_callback); + + assert(gnutls_certificate_set_ocsp_status_request_function3(scred, 0, + ocsp_func, NULL, 0) == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + + assert(gnutls_certificate_set_ocsp_status_request_function3(scred, 0, + ocsp_func, NULL, GNUTLS_OCSP_CB_GLOBAL_SET) == 0); + + gnutls_init(&server, GNUTLS_SERVER); + gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); + assert(gnutls_priority_set_direct(server, + prio, NULL) >= 0); + gnutls_transport_set_push_function(server, server_push); + gnutls_transport_set_pull_function(server, server_pull); + gnutls_transport_set_ptr(server, server); + gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST); + + /* Init client */ + ret = gnutls_certificate_allocate_credentials(&ccred); + if (ret < 0) + exit(1); + + gnutls_certificate_set_verify_flags(ccred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); + + ret = + gnutls_certificate_set_x509_trust_mem(ccred, &ca3_cert, + GNUTLS_X509_FMT_PEM); + if (ret < 0) + exit(1); + + ret = gnutls_init(&client, GNUTLS_CLIENT); + if (ret < 0) + exit(1); + + ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, + ccred); + if (ret < 0) + exit(1); + + assert(gnutls_priority_set_direct(client, prio, NULL)>=0); + gnutls_transport_set_push_function(client, client_push); + gnutls_transport_set_pull_function(client, client_pull); + gnutls_transport_set_ptr(client, client); + + HANDSHAKE(client, server); + + ret = gnutls_ocsp_status_request_get(client, &response); + if (ret != 0) + fail("no response was found: %s\n", gnutls_strerror(ret)); + + assert(response.size == OCSP_SIZE); + assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0); + + if (gnutls_protocol_get_version(client) == GNUTLS_TLS1_3) { + ret = gnutls_ocsp_status_request_get2(client, 1, &response); + if (ret != 0) + fail("no response was found for 1: %s\n", gnutls_strerror(ret)); + + assert(response.size == OCSP_SIZE); + assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0); + } + + ret = gnutls_ocsp_status_request_get2(client, 2, &response); + if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + fail("found response in index 1: %s\n", gnutls_strerror(ret)); + } + + gnutls_bye(client, GNUTLS_SHUT_WR); + gnutls_bye(server, GNUTLS_SHUT_WR); + + gnutls_deinit(client); + gnutls_deinit(server); + + gnutls_certificate_free_credentials(scred); + gnutls_certificate_free_credentials(ccred); + + gnutls_global_deinit(); + + if (debug > 0) { + if (exit_code == 0) + puts("Self-test successful"); + else + puts("Self-test failed"); + } + + reset_buffers(); +} + +void doit(void) +{ + start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3"); + start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"); + start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1"); +} -- cgit v1.2.1