diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-12-08 14:04:07 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-12-08 14:56:51 +0100 |
commit | 437161502558c4c43bb8d74a2a8cbd697b668a1b (patch) | |
tree | b27b69d25104308eed11ed50c82242a0b266d98a | |
parent | 3f639a0f0bc607e8f4b3c33b68f29e3950da7a3a (diff) | |
download | gnutls-437161502558c4c43bb8d74a2a8cbd697b668a1b.tar.gz |
tests: split and enhanced UTF-8 name checks from hostname-check
That is, added checks to ensure that non-ASCII DNS names in certificates
fail, and that properly encoded IDNA2003 names, succeed.
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/hostname-check-utf8.c | 216 | ||||
-rw-r--r-- | tests/hostname-check.c | 77 |
3 files changed, 218 insertions, 78 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 2e92bebc8e..8cac65788f 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -116,7 +116,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \ set_known_dh_params_anon set_known_dh_params_psk session-tickets-ok \ session-tickets-missing set_x509_key_file_legacy status-request-ext \ - rng-no-onload dtls1-2-mtu-check crl_apis cert_verify_inv_utf8 + rng-no-onload dtls1-2-mtu-check crl_apis cert_verify_inv_utf8 \ + hostname-check-utf8 if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp diff --git a/tests/hostname-check-utf8.c b/tests/hostname-check-utf8.c new file mode 100644 index 0000000000..4f521c5690 --- /dev/null +++ b/tests/hostname-check-utf8.c @@ -0,0 +1,216 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <string.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> +#ifdef ENABLE_OPENPGP +#include <gnutls/openpgp.h> +#endif + +#include "utils.h" + +/* + A self-test of the RFC 2818 hostname matching algorithm for UTF-8 + certificates. +*/ + +char pem_inv_utf8_dns[] = "\n" + " Subject Alternative Name (not critical):\n" + " DNSname: γγγ.τόστ.gr\n" + " DNSname: τέστ.gr\n" + " DNSname: *.teχ.gr\n" + "-----BEGIN CERTIFICATE-----\n" + "MIIDWzCCAkOgAwIBAgIMU/SjEDp2nsS3kX9vMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" + "BgNVBAMTBENBLTAwIhgPMjAxNDA4MjAxMzMwNTZaGA85OTk5MTIzMTIzNTk1OVow\n" + "EzERMA8GA1UEAxMIc2VydmVyLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n" + "AoIBAQDggz41h9PcOjL7UOqx0FfZNtqoRhYQn6bVQqCehwERMDlR4QOqK3LRqE2B\n" + "cYyVlcdS63tnNFjYCLCz3/CV4rcJBNI3hfFZHUza70iFQ72xMvcgFPyl7UmXqIne\n" + "8swJ9jLMKou350ztPhshhXORqKxaDHBMcgD/Ade3Yxo2N1smsyINK+riged7A4QD\n" + "O9IgR9eERQbFrHGz+WgUUgoLFLF4DN1ANpWuZcOV1f9bRB8ADPyKo1yZY1sJj1gE\n" + "JRRsiOZLSLZ9D/1MLM7BXPuxWmWlJAGfNvrcXX/7FHe6QxC5gi1C6ZUEIZCne+Is\n" + "HpDNoz/A9vDn6iXZJBFXKyijNpVfAgMBAAGjga4wgaswDAYDVR0TAQH/BAIwADA1\n" + "BgNVHREELjAsghLOs86zzrMuz4TPjM+Dz4QuZ3KCC8+Ezq3Pg8+ELmdyggkqLnRl\n" + "z4cuZ3IwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAwegADAdBgNV\n" + "HQ4EFgQUvjD8gT+By/Xj/n+SGCVvL/KVElMwHwYDVR0jBBgwFoAUhU7w94kERpAh\n" + "6DEIh3nEVJnwSaUwDQYJKoZIhvcNAQELBQADggEBAIKuSREAd6ZdcS+slbx+hvew\n" + "IRBz5QGlCCjR4Oj5arIwFGnh0GdvAgzPa3qn6ReG1gvpe8k3X6Z2Yevw+DubLZNG\n" + "9CsfLfDIg2wUm05cuQdQG+gTSBVqw56jWf/JFXXwzhnbjX3c2QtepFsvkOnlWGFE\n" + "uVX6AiPfiNChVxnb4e1xpxOt6W/su19ar5J7rdDrdyVVm/ioSKvXhbBXI4f8NF2x\n" + "wTEzbtl99HyjbLIRRCWpUU277khHLr8SSFqdSr100zIkdiB72LfPXAHVld1onV2z\n" + "PPFYVMsnY+fuxIsTVErX3bLj6v67Bs3BNzagFUlyJl5rBGwn73UafNWz3BYDyxY=\n" + "-----END CERTIFICATE-----\n"; + +char pem_utf8_dns[] = + "Subject Alternative Name (not critical):\n" + " DNSname: xn--oxaaa.xn--4xabb4a.gr (γγγ.τόστ.gr)\n" + " DNSname: xn--ixa8bbc.gr (τέστ.gr)\n" + " DNSname: *.xn--te-8bc.gr (*.teχ.gr)\n" + "\n" + "-----BEGIN CERTIFICATE-----\n" + "MIIEFTCCAn2gAwIBAgIMWElZgiWN43F5pluiMA0GCSqGSIb3DQEBCwUAMA0xCzAJ\n" + "BgNVBAYTAkdSMB4XDTA0MDIyOTE1MjE0MloXDTI0MDIyOTE1MjE0MVowDTELMAkG\n" + "A1UEBhMCR1IwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC23cZ4hvts\n" + "D/zjXmX70ewCWpFaOXXhSiB1U4ogVsIYPh0o3eJ3w2vr8k7f8CHZXT9T64g9UYoH\n" + "PM+vPkcT6RnwHNfe6SpSqTtPCNC9UQyp4wVq+HxnQsxOrmf2bClYn6CGaXQvDNiG\n" + "KQCDGoxLZx+d12dYUxL4l07J3rogk7Wqe9znkpC+9UqyDJIAZgF9e4H190sRY0FM\n" + "zrOkDDDmt/vBlu0SPhP0sktUJDjvOtHY/V2IDp0y9tImxnFhdl5k4kAEiPiph72C\n" + "QjSRf/Kb5siUcgRxmTvN9GgWNPg3EtmyynMjIlnzicO1p6Wju80hAuVhYKOI3aq6\n" + "FAUHY0DQkkna7dcmKwJdUo9jzMWBV+B+eOT69rDKcAvQJz5PfrrnE9SJ4/eteam7\n" + "l4BcIZIKSuaZz48ymh6exEpSY+P3SD05oZbeQVfgi4e7Ui81S63XRlPqLPCYp0+N\n" + "q2nSeVedR59AtQhyGhQLgQneV0R17aym+1nJ8AjsZXL7sfYef/OOxeMCAwEAAaN1\n" + "MHMwDAYDVR0TAQH/BAIwADBEBgNVHREEPTA7ghh4bi0tb3hhYWEueG4tLTR4YWJi\n" + "NGEuZ3KCDnhuLS1peGE4YmJjLmdygg8qLnhuLS10ZS04YmMuZ3IwHQYDVR0OBBYE\n" + "FPmohhljtqQUE2B2DwGaNTbv8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQAOAECgc096\n" + "3WH7G83bRmVDooGATNP0v3cmYebVu3RL77/vlCO3UOS9lVxEwlF/6V1u3OqEqwUy\n" + "EzGInEAmqR/VIoubIVrFqzaMMjfCHdKPuyWeCb3ylp0o2lxRKbC9m/Bu8Iv5rZdN\n" + "fTZVyJbp1Ddw4GhM0UZ/IK3h8J8UtarSijhha0UX9EwQo4wi1NRpc2nxRGy7xUHG\n" + "GqUCFBe6cgKBEBRWh3Gha5UgwqkapA9eGGmb7CRzOHZA0raIcxwb2w2Htf7ziE1G\n" + "UBdo0ZtpVYq/EDggP4XIvqHb8bJVFuOiu2xf71JoPgjg4+1CEj+vgkI4j/RGDjZ/\n" + "bQ66XHY2EbCjhSLoCGpY924frilrFL3cMofdMguxtsONwUotYmCF6VI/EtELvIdf\n" + "NbdaPqI2524oBDlD98DTJa5mGoaFUyJGotcK3e9fniIxbVW8/Ykwhqbj+9wKjYEP\n" + "ywY/9UOj+wjwULkIxK9g91yGLRDAO/6xzCF5ly5i4oXBqKLAKZ7vBTU=\n" + "-----END CERTIFICATE-----\n"; + +void doit(void) +{ + gnutls_x509_crt_t x509; + gnutls_datum_t data; + int ret; + + ret = global_init(); + if (ret < 0) + fail("global_init: %d\n", ret); + + ret = gnutls_x509_crt_init(&x509); + if (ret < 0) + fail("gnutls_x509_crt_init: %d\n", ret); + + if (debug) + success("Testing pem_invalid_utf8_dns...\n"); + data.data = (unsigned char *) pem_inv_utf8_dns; + data.size = strlen(pem_inv_utf8_dns); + + ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "example.com"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "τεστ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "τoστ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "γαβ.τόστ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "www.in.teχ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "www.teχ.gr"); + if (ret) + fail("%d: Invalid hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "γγγ.τόστ.gr"); + if (ret) + fail("%d: Invalid hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "γΓγ.τόΣτ.gr"); + if (ret) + fail("%d: Invalid hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "τέστ.gr"); + if (ret) + fail("%d: Invalid hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "ΤΈΣΤ.gr"); + if (ret) + fail("%d: Invalid hostname incorrectly matches (%d)\n", __LINE__, ret); + + + if (debug) + success("Testing pem_utf8_dns...\n"); + data.data = (unsigned char *) pem_utf8_dns; + data.size = strlen(pem_utf8_dns); + + ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "example.com"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "τεστ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "τoστ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "γαβ.τόστ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "www.in.teχ.gr"); + if (ret) + fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); + +#ifdef HAVE_LIBIDN + ret = gnutls_x509_crt_check_hostname(x509, "www.teχ.gr"); + if (!ret) + fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "γγγ.τόστ.gr"); + if (!ret) + fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "γΓγ.τόΣτ.gr"); + if (!ret) + fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "τέστ.gr"); + if (!ret) + fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); + + ret = gnutls_x509_crt_check_hostname(x509, "ΤΈΣΤ.gr"); + if (!ret) + fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); +#endif + + gnutls_x509_crt_deinit(x509); + + gnutls_global_deinit(); +} diff --git a/tests/hostname-check.c b/tests/hostname-check.c index 4c0ff93d40..2a79915704 100644 --- a/tests/hostname-check.c +++ b/tests/hostname-check.c @@ -785,32 +785,6 @@ char multi_cns[] = "\n" "MUjE\n" "-----END CERTIFICATE-----\n"; -char pem_utf8_dns[] = "\n" - " Subject Alternative Name (not critical):\n" - " DNSname: γγγ.τόστ.gr\n" - " DNSname: τέστ.gr\n" - " DNSname: *.teχ.gr\n" - "-----BEGIN CERTIFICATE-----\n" - "MIIDWzCCAkOgAwIBAgIMU/SjEDp2nsS3kX9vMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n" - "BgNVBAMTBENBLTAwIhgPMjAxNDA4MjAxMzMwNTZaGA85OTk5MTIzMTIzNTk1OVow\n" - "EzERMA8GA1UEAxMIc2VydmVyLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n" - "AoIBAQDggz41h9PcOjL7UOqx0FfZNtqoRhYQn6bVQqCehwERMDlR4QOqK3LRqE2B\n" - "cYyVlcdS63tnNFjYCLCz3/CV4rcJBNI3hfFZHUza70iFQ72xMvcgFPyl7UmXqIne\n" - "8swJ9jLMKou350ztPhshhXORqKxaDHBMcgD/Ade3Yxo2N1smsyINK+riged7A4QD\n" - "O9IgR9eERQbFrHGz+WgUUgoLFLF4DN1ANpWuZcOV1f9bRB8ADPyKo1yZY1sJj1gE\n" - "JRRsiOZLSLZ9D/1MLM7BXPuxWmWlJAGfNvrcXX/7FHe6QxC5gi1C6ZUEIZCne+Is\n" - "HpDNoz/A9vDn6iXZJBFXKyijNpVfAgMBAAGjga4wgaswDAYDVR0TAQH/BAIwADA1\n" - "BgNVHREELjAsghLOs86zzrMuz4TPjM+Dz4QuZ3KCC8+Ezq3Pg8+ELmdyggkqLnRl\n" - "z4cuZ3IwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0PAQH/BAUDAwegADAdBgNV\n" - "HQ4EFgQUvjD8gT+By/Xj/n+SGCVvL/KVElMwHwYDVR0jBBgwFoAUhU7w94kERpAh\n" - "6DEIh3nEVJnwSaUwDQYJKoZIhvcNAQELBQADggEBAIKuSREAd6ZdcS+slbx+hvew\n" - "IRBz5QGlCCjR4Oj5arIwFGnh0GdvAgzPa3qn6ReG1gvpe8k3X6Z2Yevw+DubLZNG\n" - "9CsfLfDIg2wUm05cuQdQG+gTSBVqw56jWf/JFXXwzhnbjX3c2QtepFsvkOnlWGFE\n" - "uVX6AiPfiNChVxnb4e1xpxOt6W/su19ar5J7rdDrdyVVm/ioSKvXhbBXI4f8NF2x\n" - "wTEzbtl99HyjbLIRRCWpUU277khHLr8SSFqdSr100zIkdiB72LfPXAHVld1onV2z\n" - "PPFYVMsnY+fuxIsTVErX3bLj6v67Bs3BNzagFUlyJl5rBGwn73UafNWz3BYDyxY=\n" - "-----END CERTIFICATE-----\n"; - void doit(void) { gnutls_x509_crt_t x509; @@ -1118,57 +1092,6 @@ void doit(void) if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); - if (debug) - success("Testing pem_utf8_dns...\n"); - data.data = (unsigned char *) pem_utf8_dns; - data.size = strlen(pem_utf8_dns); - - ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); - if (ret < 0) - fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "example.com"); - if (ret) - fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "τεστ.gr"); - if (ret) - fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "τoστ.gr"); - if (ret) - fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "γαβ.τόστ.gr"); - if (ret) - fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "www.in.teχ.gr"); - if (ret) - fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); - -#ifdef HAVE_LIBIDN - ret = gnutls_x509_crt_check_hostname(x509, "www.teχ.gr"); - if (!ret) - fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "γγγ.τόστ.gr"); - if (!ret) - fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "γΓγ.τόΣτ.gr"); - if (!ret) - fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "τέστ.gr"); - if (!ret) - fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); - - ret = gnutls_x509_crt_check_hostname(x509, "ΤΈΣΤ.gr"); - if (!ret) - fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); -#endif - #ifdef ENABLE_OPENPGP if (debug) success("Testing pem11...\n"); |