authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-22 10:35:13 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-22 10:35:13 +0200
commit46679c46a97592715c67c64a6d1210925b56a36c (patch)
tree56303cfdc0f603d23d3c622c250e83b1e31faef4
parent846b05e80b642f1a37a8a4d7e17b4a533c3654d5 (diff)
downloadgnutls-46679c46a97592715c67c64a6d1210925b56a36c.tar.gz
tests: added check for server-side ECDSA keys
These tests check whether a server ECDSA key will be rejected by the client in case the client has no ECDSA signature algorithms available.
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/cert-common.h37
-rw-r--r--tests/server_ecdsa_key.c101
-rw-r--r--tests/utils-adv.c27
-rw-r--r--tests/utils.h6
5 files changed, 166 insertions, 7 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c2118e3da4..f0b4885d3c 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -113,7 +113,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
- client_dsa_key
+ client_dsa_key server_ecdsa_key
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/cert-common.h b/tests/cert-common.h
index 9b35d04ba5..98163301a3 100644
--- a/tests/cert-common.h
+++ b/tests/cert-common.h
@@ -30,6 +30,7 @@
* TLS client: cli_ca3_cert, cli_ca3_key
* IPv6 server: server_ca3_localhost6_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_cert, server_ca3_key
+ * IPv4 server: server_ca3_localhost_ecc_cert, server_ca3_ecc_key
* IPv4 server: server_ca3_localhost_utf8_cert, server_ca3_key - UTF8 names
* IPv4 server: insecure key: server_ca3_localhost_insecure_key, server_ca3_localhost_insecure_cert
*/
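Review bot: The new index line tags the EC pair with the same `IPv4 server:` label as the RSA pair on the lines above and below it, so a reader scanning the list cannot tell which entries differ only by key type; the PEM block added further down is an `EC PRIVATE KEY`. Suggest `* IPv4 server (EC key): server_ca3_localhost_ecc_cert, server_ca3_ecc_key` so the distinguishing property is visible in the index, matching how the UTF8 and insecure-key entries annotate themselves.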
@@ -421,6 +422,7 @@ static char ca3_cert_pem[] =
"fD9yskUMFPBhfj8BvXg=\n"
"-----END CERTIFICATE-----\n";
+
static char ca3_key_pem[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIIG4gIBAAKCAYEAtt3GeIb7bA/8415l+9HsAlqRWjl14UogdVOKIFbCGD4dKN3i\n"
@@ -727,6 +729,17 @@ const gnutls_datum_t clidsa_ca3_cert = { (void*)clidsa_ca3_cert_pem,
sizeof(clidsa_ca3_cert_pem)-1
};
+static char server_ca3_ecc_key_pem[] =
+ "-----BEGIN EC PRIVATE KEY-----\n"
+ "MHgCAQEEIQDn1XFX7QxTKXl2ekfSrEARsq+06ySEeeOB+N0igwcNLqAKBggqhkjO\n"
+ "PQMBB6FEA0IABG1J5VZy+PMTNJSuog4R3KmhbmIejOZZgPNtxkJcIubJIIO68kkd\n"
+ "GK04pl/ReivZAwibv+85lpT4sm/9RBVhLZM=\n"
+ "-----END EC PRIVATE KEY-----\n";
+
+const gnutls_datum_t server_ca3_ecc_key = { (void*)server_ca3_ecc_key_pem,
+ sizeof(server_ca3_ecc_key_pem)-1
+};
+
static char server_ca3_key_pem[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIIG5AIBAAKCAYEA2T14maos98C7s/geGZybgqYSxF+5NeTXKWpi9/vXmuIF8n3h\n"
@@ -895,6 +908,30 @@ const gnutls_datum_t server_ca3_localhost_utf8_cert = { (void*)server_localhost_
sizeof(server_localhost_utf8_ca3_cert_pem)-1
};
+/* server_ca3_ecc_key */
+static char server_localhost_ca3_ecc_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIC8zCCAVugAwIBAgIIV+OO5zqFDkowDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNjA5MjIwNzU3MjhaGA85OTk5MTIzMTIzNTk1OVowHTEbMBkG\n"
+ "A1UEAxMSc2VydmVyIGNlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n"
+ "QgAEbUnlVnL48xM0lK6iDhHcqaFuYh6M5lmA823GQlwi5skgg7rySR0YrTimX9F6\n"
+ "K9kDCJu/7zmWlPiyb/1EFWEtk6OBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQN\n"
+ "MAuCCWxvY2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMD\n"
+ "B4AAMB0GA1UdDgQWBBTaH7JGYwVXx31AqONpQsb3l20EqDAfBgNVHSMEGDAWgBT5\n"
+ "qIYZY7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEATWsYCToPsxxU\n"
+ "f1zJv3+FKcIGI+8U7akTlnJEk3l9/Gkmkp0tsudtpZb+//rXIem9XVMKDYBEzRxQ\n"
+ "du3YleqR0Yj13S7piDHPl52PHJGvSHtLg4ooU74ZQcPFxoRxxNahYPb2Mhn0XqKh\n"
+ "Yc7JHkW53UVusanRmBCQIxI6tVuDO3rB/tQM4ygD9wDeT16xnDhfwemKaskHKM44\n"
+ "SMJJ9pY2zK1MvX5AZePTikMQqvc3aVfoE8Lv+4SGE/GyzvzaDOSzlwzNM6KBxerw\n"
+ "1qwnVO/lphUG09X4oXXtOqlAHaIfUmRMqgMPZEtWMszIQo9XimPfoLW3xKVqDWjN\n"
+ "EhHRLE0CCA/ip3lQ1bUt5EXhC1efPiOdEEYS5mHW7WAMAVi5aS1TzNLoJ4nahBwu\n"
+ "EeGtmSH4rDZlHTNsiXwvxV3XqWc39TqlgY+NGToyU1tA4+tVtalJ08Q37sFxSUvJ\n"
+ "Li9LPzU70EyX6WF+9FM45E4/Gt9Oh8btrYyjbyH/K2VI8qPRz5cW\n"
+ "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t server_ca3_localhost_ecc_cert = { (void*)server_localhost_ca3_ecc_cert_pem,
+ sizeof(server_localhost_ca3_ecc_cert_pem)-1};
+
/* shares server_ca3 key */
static char server_localhost_ca3_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
diff --git a/tests/server_ecdsa_key.c b/tests/server_ecdsa_key.c
new file mode 100644
index 0000000000..3a8848f90c
--- /dev/null
+++ b/tests/server_ecdsa_key.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#if !defined(_WIN32)
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#endif
+#include <unistd.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include "utils.h"
+#include "cert-common.h"
+
+/* Test for correct operation when a server uses an ECDSA key when the
+ * client has ECDSA signatures disabled.
+ *
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ gnutls_certificate_credentials_t serv_cred;
+ gnutls_certificate_credentials_t cli_cred;
+ int ret;
+
+ /* this must be called once in the program
+ */
+ global_init();
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0);
+
+ ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+
+ /* test gnutls_certificate_flags() */
+ gnutls_certificate_allocate_credentials(&serv_cred);
+
+ ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_ecc_cert,
+ &server_ca3_ecc_key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in error code\n");
+ exit(1);
+ }
+
+ test_cli_serv_expect(serv_cred, cli_cred, "NORMAL", "NORMAL:-SIGN-ALL", NULL, GNUTLS_E_AGAIN, GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ test_cli_serv_expect(serv_cred, cli_cred, "NORMAL", "NORMAL:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA1:-SIGN-ECDSA-SHA256:-SIGN-ECDSA-SHA384:-SIGN-ECDSA-SHA512", NULL, GNUTLS_E_UNKNOWN_PK_ALGORITHM, GNUTLS_E_AGAIN);
+
+ gnutls_certificate_free_credentials(serv_cred);
+ gnutls_certificate_free_credentials(cli_cred);
+
+ gnutls_global_deinit();
+
+ if (debug)
+ success("success");
+}
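Review bot: The server credential allocation `gnutls_certificate_allocate_credentials(&serv_cred);` is unchecked, while the client one a few lines above is wrapped in an assert, so on failure an uninitialized serv_cred would be handed to gnutls_certificate_set_x509_trust_mem; make it `assert(gnutls_certificate_allocate_credentials(&serv_cred) >= 0);`. The failure messages also name the wrong call: both trust-store loads use gnutls_certificate_set_x509_trust_mem but report `set_x509_trust_file failed`, and the key load reports the uninformative `error in error code`, where `fail("set_x509_key_mem failed: %s\n", gnutls_strerror(ret));` would keep the actual error. The `/* test gnutls_certificate_flags() */` comment above the allocation does not describe anything in this file and looks carried over from another test; replacing it with a comment on the two expectations would help, since from the argument order (serv_err, cli_err) the first run expects the client, with every signature algorithm removed, to fail with GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM, whereas the second expects the server, facing a client with only ECDSA signatures removed, to fail with GNUTLS_E_UNKNOWN_PK_ALGORITHM.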
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index 9889f8fa26..b78611892b 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
@@ -49,7 +49,9 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
const char *host,
void *priv, callback_func *client_cb, callback_func *server_cb,
unsigned expect_verification_failure,
- unsigned require_cert)
+ unsigned require_cert,
+ int serv_err,
+ int cli_err)
{
int exit_code = EXIT_SUCCESS;
int ret;
@@ -98,7 +100,11 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
- HANDSHAKE(client, server);
+ if (cli_err == 0 && serv_err == 0) {
+ HANDSHAKE(client, server);
+ } else {
+ HANDSHAKE_EXPECT(client, server, cli_err, serv_err);
+ }
/* check the number of certificates received and verify */
if (host) {
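Review bot: After the new `HANDSHAKE_EXPECT` branch, control falls through to the certificate checks under `if (host)` on the last line of the hunk (the rest of _test_cli_serv is outside it), so a caller that passes a non-NULL host together with a non-zero cli_err or serv_err would run those checks on a session whose handshake was expected to fail. The only new caller, test_cli_serv_expect in server_ecdsa_key.c, passes host as NULL, so this is latent rather than current. Either guard it with `if (host && cli_err == 0 && serv_err == 0) {` or state at the function head that host must be NULL when an error is expected.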
@@ -180,15 +186,24 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
const char *prio, const char *host,
void *priv, callback_func *client_cb, callback_func *server_cb)
{
- _test_cli_serv(server_cred, client_cred, prio, prio, host, priv, client_cb, server_cb, 0, 0);
+ _test_cli_serv(server_cred, client_cred, prio, prio, host, priv, client_cb, server_cb, 0, 0, 0, 0);
}
void
test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
- const char *cli_prio, const char *serv_prio, const char *host)
+ const char *serv_prio, const char *cli_prio, const char *host)
+{
+ _test_cli_serv(server_cred, client_cred, serv_prio, cli_prio, host, NULL, NULL, NULL, 0, 1, 0, 0);
+}
+
+void
+test_cli_serv_expect(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *serv_prio, const char *cli_prio, const char *host,
+ int serv_err, int cli_err)
{
- _test_cli_serv(server_cred, client_cred, cli_prio, serv_prio, host, NULL, NULL, NULL, 0, 1);
+ _test_cli_serv(server_cred, client_cred, serv_prio, cli_prio, host, NULL, NULL, NULL, 0, 0, serv_err, cli_err);
}
/* An expected to fail verification run. Returns verification status */
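Review bot: test_cli_serv_expect is added without a comment saying what serv_err and cli_err mean, while its neighbour test_cli_serv_vf carries one; the semantics come from _test_cli_serv, which runs a plain HANDSHAKE only when both are 0 and otherwise HANDSHAKE_EXPECT(client, server, cli_err, serv_err). Suggest above the definition: `/* Runs a handshake expected to fail: cli_err and serv_err are the error codes the client and server sides must return; both 0 means a plain successful handshake. */`. The caller in server_ecdsa_key.c passes GNUTLS_E_AGAIN for the side that does not fail, which presumably is what HANDSHAKE_EXPECT requires for the non-failing peer — worth stating in the comment once confirmed.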
@@ -197,5 +212,5 @@ test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
const char *prio, const char *host)
{
- return _test_cli_serv(server_cred, client_cred, prio, prio, host, NULL, NULL, NULL, 1, 0);
+ return _test_cli_serv(server_cred, client_cred, prio, prio, host, NULL, NULL, NULL, 1, 0, 0, 0);
}
diff --git a/tests/utils.h b/tests/utils.h
index e35e10ab0e..81871add1b 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -89,6 +89,12 @@ test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
const char *serv_prio, const char *cli_prio, const char *host);
+void
+test_cli_serv_expect(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *serv_prio, const char *cli_prio, const char *host,
+ int serv_err, int cli_err);
+
unsigned
test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,