author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-06-19 14:59:33 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-06-21 06:58:49 +0200 |
commit | c64bd9db8463c62035c66e4f0aecb384f3623e9e (patch) | |
tree | 457bde2dc29d295116e6d4c017d7c3a71dd45ee5 | |
parent | 74d0907584d9e0fc4073b9360a8ee4e39a12d3be (diff) | |
tests: updated supplemental tests for TLS1.3 (branch: tmp-supplemental-no-tls13)
This includes tests that verify that TLS1.3 is not negotiated
when supplemental data are set in client and/or server side.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/libgnutls.map | 1 | ||||
-rw-r--r-- | tests/tls-session-supplemental.c | 63 | ||||
-rw-r--r-- | tests/tls-supplemental.c | 180 |
3 files changed, 119 insertions, 125 deletions
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 2067bca5c9..f95fe0a846 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1280,6 +1280,7 @@ GNUTLS_PRIVATE_3_4 {
 _gnutls_mpi_release;
 # Internal symbols needed by tests/:
+ _gnutls_supplemental_deinit;
 _gnutls_record_overhead;
 _gnutls_cipher_to_entry;
 _gnutls_pkcs11_token_get_url;
diff --git a/tests/tls-session-supplemental.c b/tests/tls-session-supplemental.c
index 36f99102aa..411c45a651 100644
--- a/tests/tls-session-supplemental.c
+++ b/tests/tls-session-supplemental.c
@@ -15,9 +15,8 @@
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
 */
 /* This tests the supplemental data extension under TLS1.2 */
@@ -59,12 +58,12 @@ static void tls_log_func(int level, const char *str)
 fprintf(stderr, "%s|<%d>| %s", side, level, str);
 }
-#define TLS_SUPPLEMENTALDATATYPE_SAMPLE 0xBABE
+#define TLS_SUPPLEMENTALDATATYPE_SAMPLE 0xBABE
-static int TLS_SUPPLEMENTALDATA_client_sent = 0;
-static int TLS_SUPPLEMENTALDATA_client_received = 0;
-static int TLS_SUPPLEMENTALDATA_server_sent = 0;
-static int TLS_SUPPLEMENTALDATA_server_received = 0;
+static int TLS_SUPPLEMENTALDATA_client_sent = 0;
+static int TLS_SUPPLEMENTALDATA_client_received = 0;
+static int TLS_SUPPLEMENTALDATA_server_sent = 0;
+static int TLS_SUPPLEMENTALDATA_server_received = 0;
 static const unsigned char supp_data[] = {
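Review bot: The replaced header lines now say the reader should have received the GNU Lesser General Public License, while the two context lines just above them still read `See the GNU General Public License for more details.`, so the same comment block names two different licenses. If the test is meant to be under the LGPL, the context line should become `* Lesser General Public License for more details.`; if not, the added lines should keep `GNU General Public License`. The license comment starts above the hunk, so its opening lines may need the same reconciliation.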
@@ -116,7 +115,7 @@ int supp_server_send_func(gnutls_session_t session, gnutls_buffer_t buf)
 return GNUTLS_E_SUCCESS;
 }
-static void client(int sd, const char *prio)
+static void client(int sd, const char *prio, unsigned server_only)
 {
 int ret;
 gnutls_session_t session;
@@ -145,10 +144,12 @@ static void client(int sd, const char *prio)
 gnutls_transport_set_int(session, sd);
- gnutls_supplemental_recv(session, 1);
- gnutls_supplemental_send(session, 1);
+ if (!server_only) {
+ gnutls_supplemental_recv(session, 1);
+ gnutls_supplemental_send(session, 1);
- gnutls_session_supplemental_register(session, "supplemental_client", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_client_recv_func, supp_client_send_func, 0);
+ gnutls_session_supplemental_register(session, "supplemental_client", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_client_recv_func, supp_client_send_func, 0);
+ }
 /* Perform the TLS handshake */
@@ -163,8 +164,14 @@ static void client(int sd, const char *prio)
 success("client: Handshake was completed\n");
 }
- if (TLS_SUPPLEMENTALDATA_client_sent != 1 || TLS_SUPPLEMENTALDATA_client_received != 1)
- fail("client: extension not properly sent/received\n");
+ if (!server_only) {
+ if (TLS_SUPPLEMENTALDATA_client_sent != 1 || TLS_SUPPLEMENTALDATA_client_received != 1)
+ fail("client: extension not properly sent/received\n");
+ } else {
+ /* we expect TLS1.2 handshake as TLS1.3 is not (yet) defined
+ * with supplemental data */
+ assert(gnutls_protocol_get_version(session) == GNUTLS_TLS1_2);
+ }
 gnutls_bye(session, GNUTLS_SHUT_RDWR);
@@ -178,7 +185,7 @@ end:
 gnutls_global_deinit();
 }
-static void server(int sd, const char *prio)
+static void server(int sd, const char *prio, unsigned server_only)
 {
 int ret;
 gnutls_session_t session;
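Review bot: The added else-branch in the `@@ -163,8 +164,14 @@` hunk calls `assert()`, but none of this file's hunks add `#include <assert.h>` (the sibling tests/tls-supplemental.c does get it in this same commit), so unless assert.h already reaches this file through an include above the visible hunks the build breaks; and under NDEBUG the version check silently disappears. The file otherwise reports failures through fail(), so the same shape fits better: `if (gnutls_protocol_get_version(session) != GNUTLS_TLS1_2)` / `fail("client: expected TLS1.2 with supplemental data registered\n");`. The return value of `gnutls_session_supplemental_register` in the preceding hunk is also unchecked, so a failed registration would surface only as the later sent/received mismatch.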
@@ -206,8 +213,10 @@ static void server(int sd, const char *prio)
 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, serverx509cred);
- gnutls_supplemental_recv(session, 1);
- gnutls_supplemental_send(session, 1);
+ if (!server_only) {
+ gnutls_supplemental_recv(session, 1);
+ gnutls_supplemental_send(session, 1);
+ }
 gnutls_session_supplemental_register(session, "supplemental_server", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_server_recv_func, supp_server_send_func, 0);
@@ -223,8 +232,10 @@ static void server(int sd, const char *prio)
 if (debug) success("server: Handshake was completed\n");
- if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1)
- fail("server: extension not properly sent/received\n");
+ if (!server_only) {
+ if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1)
+ fail("server: extension not properly sent/received\n");
+ }
 /* do not wait for the peer to close the connection. */
@@ -242,7 +253,7 @@ static void server(int sd, const char *prio)
 }
 static
-void start(const char *prio)
+void start(const char *prio, unsigned server_only)
 {
 pid_t child;
 int sockets[2], err;
@@ -272,17 +283,23 @@ void start(const char *prio)
 if (child) {
 int status;
 /* parent */
- server(sockets[0], prio);
+ server(sockets[0], prio, server_only);
 wait(&status);
 check_wait_status(status);
 } else {
- client(sockets[1], prio);
+ client(sockets[1], prio, server_only);
 exit(0);
 }
 }
 void doit(void)
 {
- start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", 0);
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 0);
+ start("NORMAL", 0);
+ /* try setting supplemental only in server side, it should
+ * lead to normal authentication */
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", 1);
+ start("NORMAL", 1);
 }
 #endif /* _WIN32 */
diff --git a/tests/tls-supplemental.c b/tests/tls-supplemental.c
index d60186fd8e..c0385cbc39 100644
--- a/tests/tls-supplemental.c
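Review bot: In the `@@ -272,17 +283,23 @@` hunk doit() now runs start() five times in one process, and server() runs in the parent each time and checks `TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1`, yet nothing in this file zeroes those counters between runs; the sibling tests/tls-supplemental.c in this same commit resets all four at the top of its start(). If supp_server_send_func/supp_server_recv_func increment rather than assign (their bodies are outside the hunks), the second `start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 0)` will observe 2 and fail. Suggest resetting the four counters at the top of start() here as well. The server_only cases only verify the negotiated version in the child; a matching check on the server side, `if (server_only && gnutls_protocol_get_version(session) != GNUTLS_TLS1_2) fail(...)`, would catch a server that registers supplemental data but still negotiates TLS1.3.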
+++ b/tests/tls-supplemental.c
@@ -15,9 +15,8 @@
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
 */
 /* Parts copied from GnuTLS example programs. */
@@ -28,6 +27,7 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <assert.h>
 #if defined(_WIN32)
@@ -49,10 +49,13 @@ int main(int argc, char **argv)
 #include <gnutls/gnutls.h>
 #include "utils.h"
+#include "cert-common.h"
 /* A very basic TLS client, with supplemental data */
+extern void _gnutls_supplemental_deinit(void);
 const char *side = "";
 static void tls_log_func(int level, const char *str)
@@ -60,12 +63,12 @@ static void tls_log_func(int level, const char *str)
 fprintf(stderr, "%s|<%d>| %s", side, level, str);
 }
-#define TLS_SUPPLEMENTALDATATYPE_SAMPLE 0xBABE
+#define TLS_SUPPLEMENTALDATATYPE_SAMPLE 0xBABE
-static int TLS_SUPPLEMENTALDATA_client_sent = 0;
-static int TLS_SUPPLEMENTALDATA_client_received = 0;
-static int TLS_SUPPLEMENTALDATA_server_sent = 0;
-static int TLS_SUPPLEMENTALDATA_server_received = 0;
+static int TLS_SUPPLEMENTALDATA_client_sent = 0;
+static int TLS_SUPPLEMENTALDATA_client_received = 0;
+static int TLS_SUPPLEMENTALDATA_server_sent = 0;
+static int TLS_SUPPLEMENTALDATA_server_received = 0;
 static const unsigned char supp_data[] = {
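Review bot: `extern void _gnutls_supplemental_deinit(void);` in the `@@ -49,10 +49,13 @@` hunk is a hand-written prototype for a library-internal symbol that nothing in the test checks against its definition, so a later change to the real signature would compile silently here and only misbehave at call time. At minimum tie it to its origin with a comment, e.g. `/* internal symbol; exported for tests only via GNUTLS_PRIVATE_3_4 in lib/libgnutls.map */`, so the next maintainer knows why the test reaches into lib/ and where to look if the link fails. If a lib/ header declares it, including that header instead of a local extern would let the compiler check the prototype.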
@@ -117,40 +120,34 @@ int supp_server_send_func(gnutls_session_t session, gnutls_buffer_t buf)
 return GNUTLS_E_SUCCESS;
 }
-static void client(int sd)
+static void client(int sd, const char *prio, unsigned server_only)
 {
 int ret;
 gnutls_session_t session;
 gnutls_certificate_credentials_t clientx509cred;
- global_init();
- gnutls_global_set_log_function(tls_log_func);
- if (debug)
- gnutls_global_set_log_level(4711);
+ if (!server_only) {
+ assert(gnutls_supplemental_register("supplemental_client", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_client_recv_func, supp_client_send_func)>=0);
+ }
 side = "client";
 gnutls_certificate_allocate_credentials(&clientx509cred);
- /* Initialize TLS session
- */
- gnutls_init(&session, GNUTLS_CLIENT);
+ assert(gnutls_init(&session, GNUTLS_CLIENT)>=0);
 /* Use default priorities */
- gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH",
- NULL);
+ gnutls_priority_set_direct(session, prio, NULL);
- /* put the anonymous credentials to the current session
- */
 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, clientx509cred);
 gnutls_transport_set_int(session, sd);
- gnutls_supplemental_recv(session, 1);
- gnutls_supplemental_send(session, 1);
-
- gnutls_supplemental_register("supplemental_client", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_client_recv_func, supp_client_send_func);
+ if (!server_only) {
+ gnutls_supplemental_recv(session, 1);
+ gnutls_supplemental_send(session, 1);
+ }
 /* Perform the TLS handshake */
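Review bot: The registration and the session creation now live inside `assert()` — `assert(gnutls_supplemental_register(...)>=0)` and `assert(gnutls_init(&session, GNUTLS_CLIENT)>=0)` — so a build with NDEBUG removes the calls themselves, not only the checks, leaving the client with no registered supplemental type and an uninitialised `session`. Capture the result and report through the file's fail() instead, e.g. `ret = gnutls_init(&session, GNUTLS_CLIENT); if (ret < 0) fail("client: gnutls_init: %s\n", gnutls_strerror(ret));`, and likewise for the register call. In the same hunk `gnutls_priority_set_direct(session, prio, NULL)` is left unchecked while the server side asserts it; a typo in one of the new priority strings would then show up only as a confusing handshake failure.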
@@ -165,8 +162,15 @@ static void client(int sd)
 success("client: Handshake was completed\n");
 }
- if (TLS_SUPPLEMENTALDATA_client_sent != 1 || TLS_SUPPLEMENTALDATA_client_received != 1)
- fail("client: extension not properly sent/received\n");
+ if (!server_only) {
+ if (TLS_SUPPLEMENTALDATA_client_sent != 1 || TLS_SUPPLEMENTALDATA_client_received != 1)
+ fail("client: extension not properly sent/received (%d.%d)\n",
+ TLS_SUPPLEMENTALDATA_client_sent, TLS_SUPPLEMENTALDATA_client_received);
+ } else {
+ /* we expect TLS1.2 handshake as TLS1.3 is not (yet) defined
+ * with supplemental data */
+ assert(gnutls_protocol_get_version(session) == GNUTLS_TLS1_2);
+ }
 gnutls_bye(session, GNUTLS_SHUT_RDWR);
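Review bot: The else-branch verifies the negotiated version with `assert()`, so a failure aborts the child with only the expression text and no record of which priority string was in use or what was actually negotiated, and the check vanishes under NDEBUG. The if-branch just above already prints the observed counters through fail(); doing the same here keeps the diagnostics consistent: `if (gnutls_protocol_get_version(session) != GNUTLS_TLS1_2) fail("client: expected TLS1.2, negotiated %s\n", gnutls_protocol_get_name(gnutls_protocol_get_version(session)));`. The client() body starts above this hunk.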
@@ -176,72 +180,22 @@ end:
 gnutls_deinit(session);
 gnutls_certificate_free_credentials(clientx509cred);
-
- gnutls_global_deinit();
 }
-/* This is a sample TLS 1.0 server, for extension
- */
-
-static unsigned char server_cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
- "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
- "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
- "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
- "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
- "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
- "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
- "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
- "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
- "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
- "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
- "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
- "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t server_cert = { server_cert_pem,
- sizeof(server_cert_pem)
-};
-
-static unsigned char server_key_pem[] =
- "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
- "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
- "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
- "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
- "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
- "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
- "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
- "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
- "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
- "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
- "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
- "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
- "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
- "-----END RSA PRIVATE KEY-----\n";
-
-const gnutls_datum_t server_key = { server_key_pem,
- sizeof(server_key_pem)
-};
-
-int err, ret;
-char topbuf[512];
-gnutls_session_t session;
-int optval = 1;
-
-static void server(int sd)
+static void server(int sd, const char *prio, unsigned server_only)
 {
 gnutls_certificate_credentials_t serverx509cred;
-
- /* this must be called once in the program
- */
- global_init();
- gnutls_global_set_log_function(tls_log_func);
- if (debug)
- gnutls_global_set_log_level(4711);
+ int ret;
+ gnutls_session_t session;
+ static unsigned registered = 0;
 side = "server";
+ if (!registered) {
+ assert(gnutls_supplemental_register("supplemental_server", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_server_recv_func, supp_server_send_func)>=0);
+ registered = 0;
+ }
+
 gnutls_certificate_allocate_credentials(&serverx509cred);
 gnutls_certificate_set_x509_key_mem(serverx509cred, &server_cert, &server_key,
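Review bot: The `registered` guard in the new server() prologue never takes effect: inside `if (!registered)` the flag is assigned `registered = 0;`, so it stays zero and gnutls_supplemental_register runs on every start(). Re-registering each run may in fact be what is needed, since server() ends with `_gnutls_supplemental_deinit()` (later hunk) which presumably drops the registration, but then the static flag and the `if` are dead code and read as a once-only that was forgotten; either remove them, or write `registered = 1;` and move the deinit call to the end of doit() after the last start(). As in the client, the registration sits inside `assert()` and disappears under NDEBUG; `ret = gnutls_supplemental_register(...); if (ret < 0) fail("server: gnutls_supplemental_register: %s\n", gnutls_strerror(ret));` avoids that. The server() body continues into the next hunk.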
@@ -249,19 +203,15 @@ static void server(int sd)
 gnutls_init(&session, GNUTLS_SERVER);
- /* avoid calling all the priority functions, since the defaults
- * are adequate.
- */
- gnutls_priority_set_direct(session, "PERFORMANCE:+ANON-ECDH:+ANON-DH",
- NULL);
+ assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, serverx509cred);
- gnutls_supplemental_recv(session, 1);
- gnutls_supplemental_send(session, 1);
-
- gnutls_supplemental_register("supplemental_server", TLS_SUPPLEMENTALDATATYPE_SAMPLE, supp_server_recv_func, supp_server_send_func);
+ if (!server_only) {
+ gnutls_supplemental_recv(session, 1);
+ gnutls_supplemental_send(session, 1);
+ }
 gnutls_transport_set_int(session, sd);
 ret = gnutls_handshake(session);
@@ -275,8 +225,10 @@ static void server(int sd)
 if (debug) success("server: Handshake was completed\n");
- if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1)
- fail("server: extension not properly sent/received\n");
+ if (!server_only) {
+ if (TLS_SUPPLEMENTALDATA_server_sent != 1 || TLS_SUPPLEMENTALDATA_server_received != 1)
+ fail("server: extension not properly sent/received\n");
+ }
 /* do not wait for the peer to close the connection. */
@@ -287,16 +239,24 @@ static void server(int sd)
 gnutls_certificate_free_credentials(serverx509cred);
- gnutls_global_deinit();
-
 if (debug) success("server: finished\n");
+
+ _gnutls_supplemental_deinit();
 }
-void doit(void)
+static
+void start(const char *prio, unsigned server_only)
 {
 pid_t child;
- int sockets[2];
+ int sockets[2], err;
+
+ TLS_SUPPLEMENTALDATA_client_sent = 0;
+ TLS_SUPPLEMENTALDATA_client_received = 0;
+ TLS_SUPPLEMENTALDATA_server_sent = 0;
+ TLS_SUPPLEMENTALDATA_server_received = 0;
+
+ success("running with %s\n", prio);
 err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
 if (err == -1) {
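Review bot: The new `success("running with %s\n", prio);` in start() (hunk `@@ -287,16 +239,24 @@`) prints only the priority string, but doit() runs the same string with server_only 0 and 1, so a failure in the log cannot be attributed to one of the two cases; `success("running with %s (server_only=%u)\n", prio, server_only);` removes the ambiguity. In the same hunk `_gnutls_supplemental_deinit()` is reached only on the success path of server(); if fail() exits the process that is harmless, but worth a one-line comment such as `/* undo the global registration so the next start() can register again */` so the pairing with the register call in the prologue is visible. The start() body continues into the next hunk.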
@@ -316,14 +276,30 @@ void doit(void)
 int status;
 /* parent */
 close(sockets[1]);
- server(sockets[0]);
+ server(sockets[0], prio, server_only);
 wait(&status);
 check_wait_status(status);
 } else {
 close(sockets[0]);
- client(sockets[1]);
+ client(sockets[1], prio, server_only);
 exit(0);
 }
 }
+void doit(void)
+{
+ signal(SIGPIPE, SIG_IGN);
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", 0);
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 0);
+ start("NORMAL", 0);
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", 1);
+ start("NORMAL", 1);
+}
+
 #endif /* _WIN32 */ |
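Review bot: The new doit() calls `signal(SIGPIPE, SIG_IGN)`, but the include hunk of this commit adds only `<assert.h>`; unless `<signal.h>` is already pulled in above the visible hunks this will not compile. The commit also removes the `global_init()` calls from client() and server() (earlier hunks) without adding one in doit(), so the test now depends on the harness having initialised the library before doit() runs; if that is the case, say so at the top of doit(), e.g. `/* global_init() is performed by the test harness before doit() */`, so the next reader does not re-add it per side and mask the dependency. The five start() calls are undocumented; a short comment naming what the last two exercise (server registers supplemental data, client does not, TLS1.2 expected) would match the sibling tests/tls-session-supplemental.c.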