author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-22 09:54:12 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-09-22 10:31:07 +0200 |
commit | 846b05e80b642f1a37a8a4d7e17b4a533c3654d5 (patch) | |
tree | aca963cd931812ed15cf16b28b32a669f7a8e714 | |
parent | b514618b8ff6591f718bb46035ef1a0fd7200fd4 (diff) | |
download | gnutls-846b05e80b642f1a37a8a4d7e17b4a533c3654d5.tar.gz |
tests: added check for client-side DSA key
This checks whether a client can use and send a DSA key, even
if DSA is not enabled (which should prohibit the server from providing
a DSA certificate).
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/cert-common.h | 49 | ||||
-rw-r--r-- | tests/client_dsa_key.c | 109 | ||||
-rw-r--r-- | tests/utils-adv.c | 25 | ||||
-rw-r--r-- | tests/utils.h | 5 |
5 files changed, 184 insertions, 7 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6744c7d907..c2118e3da4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -112,7 +112,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
 	safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
 	safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
 	rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
-	set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet
+	set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
+	client_dsa_key
 
 if HAVE_SECCOMP_TESTS
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/cert-common.h b/tests/cert-common.h
index 2c16daf388..9b35d04ba5 100644
--- a/tests/cert-common.h
+++ b/tests/cert-common.h
@@ -678,6 +678,55 @@ const gnutls_datum_t cli_ca3_cert_chain = { (void*)cli_ca3_cert_chain_pem,
 	sizeof(cli_ca3_cert_chain_pem)-1
 };
 
+static char clidsa_ca3_cert_pem[] =
+	"-----BEGIN CERTIFICATE-----\n"
+	"MIIEMzCCApugAwIBAgIIV+OL0jeIUYkwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+	"AxMEQ0EtMzAgFw0xNjA5MjIwNzQ0MjBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEG\n"
+	"A1UEAxMKRFNBIGNsaWVudDCCAbcwggErBgcqhkjOOAQBMIIBHgKBgQD6BQw6J3GB\n"
+	"Lv8xjTjq6flgCLUYf9wNQO1osjl8F3mP3P0ggZd101pwDG34Kdffby+PTB5rpe8Z\n"
+	"SUx83ozzCiCcxf+kM4B0B0JP7mlqLrdTyPbWTap8sCMtabKnuR7UWdhsB8WU2Ct9\n"
+	"/IcCEG2dYcmzzWXE6/Pdo45iCd7lv+fl/wIVAM8gQzNh7394wHpNStxbGq9Xe+7z\n"
+	"AoGAJuUzfmL64dwFgQDmow8BjA5jI4mPiXc9+HDlUG0xXT65tUqHyg5fTSVm8p+q\n"
+	"WaklZeWTvuDc7KYofGZolG3LxhBKvIXHiUrD5hJ/cE/qcx89oczD7mChHG8k4a+Y\n"
+	"sr9/gXMFp8/TUsiTXrPLvEedBiAL9isDGC+ibRswfFYqGKYDgYUAAoGBAOFzLEe4\n"
+	"9nHYysKSgx6o7LadjsWAcLLHvI4EcmRZf7cHW/S/FCHgpnMn7GvnD4xiaysDFA8A\n"
+	"XEh9QJutRiLcpp14bVkPd0E+1z3v3LDhwVaJ1DofWEMnAsGoRVkAuEBkND6aNoKI\n"
+	"AuUMvFlnpU8SD5SZrUQkP22jyMj+mxsJntK9o3YwdDAMBgNVHRMBAf8EAjAAMBMG\n"
+	"A1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFCnQ\n"
+	"ScP7Ao3G+SjKY0a5DEmNF5X+MB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
+	"8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQArAfKJgKd6Sz7BW0m46T4DxXWsrlYVc76M\n"
+	"metxnSBDZdWzRbP6dGXGkKH1J2Oftv3kVrRL8amDz7DLRE6pBAUDx+5Es/dheTNA\n"
+	"juIVZuKzSYoRPtuiO1gHvRPvyV/2HUpnLl+w2qW/Df4ZWlHz6ujuYFzhdWueon+t\n"
+	"7/JtabcuBxK6gFyNs+A0fHjszpWtZxUXuik1t4y9IcEV6Ig+vWk+GNwVAs5lQenv\n"
+	"7IhIg1EWxBNiRF3yKINAiyFkM4FcFEPqlbijX9xDorCK2Xn4HLIN2oUQJFYDqVOV\n"
+	"KGg0rMmeJ8rRZI0ELK89SdPyALe4HQzKnQtzxy45oq+Vv7A8B0lorTMPIq3WKxo4\n"
+	"mXJdEF2aYxeUsMYBDZOOslBc8UMaUAF8ncrk6eNqJoDZCxElfgDXx4CfM8Lh0V2c\n"
+	"MDBXeiNUf1HWcCkvnMPGLXZXez/5abnhNIFqDsmRxuhUqlTbarq3CxjAWMjQRb9c\n"
+	"SWUGHPlOkmEGRv5JB6djjpRFRwtHLNc=\n"
+	"-----END CERTIFICATE-----\n";
+
+static char clidsa_ca3_key_pem[] =
+	"-----BEGIN DSA PRIVATE KEY-----\n"
+	"MIIBuwIBAAKBgQD6BQw6J3GBLv8xjTjq6flgCLUYf9wNQO1osjl8F3mP3P0ggZd1\n"
+	"01pwDG34Kdffby+PTB5rpe8ZSUx83ozzCiCcxf+kM4B0B0JP7mlqLrdTyPbWTap8\n"
+	"sCMtabKnuR7UWdhsB8WU2Ct9/IcCEG2dYcmzzWXE6/Pdo45iCd7lv+fl/wIVAM8g\n"
+	"QzNh7394wHpNStxbGq9Xe+7zAoGAJuUzfmL64dwFgQDmow8BjA5jI4mPiXc9+HDl\n"
+	"UG0xXT65tUqHyg5fTSVm8p+qWaklZeWTvuDc7KYofGZolG3LxhBKvIXHiUrD5hJ/\n"
+	"cE/qcx89oczD7mChHG8k4a+Ysr9/gXMFp8/TUsiTXrPLvEedBiAL9isDGC+ibRsw\n"
+	"fFYqGKYCgYEA4XMsR7j2cdjKwpKDHqjstp2OxYBwsse8jgRyZFl/twdb9L8UIeCm\n"
+	"cyfsa+cPjGJrKwMUDwBcSH1Am61GItymnXhtWQ93QT7XPe/csOHBVonUOh9YQycC\n"
+	"wahFWQC4QGQ0Ppo2gogC5Qy8WWelTxIPlJmtRCQ/baPIyP6bGwme0r0CFDUW6VNf\n"
+	"FgAdB5hhtag7oTw45a72\n"
+	"-----END DSA PRIVATE KEY-----\n";
+
+const gnutls_datum_t clidsa_ca3_key = { (void*)clidsa_ca3_key_pem,
+	sizeof(clidsa_ca3_key_pem)-1
+};
+
+const gnutls_datum_t clidsa_ca3_cert = { (void*)clidsa_ca3_cert_pem,
+	sizeof(clidsa_ca3_cert_pem)-1
+};
+
 static char server_ca3_key_pem[] =
 	"-----BEGIN RSA PRIVATE KEY-----\n"
 	"MIIG5AIBAAKCAYEA2T14maos98C7s/geGZybgqYSxF+5NeTXKWpi9/vXmuIF8n3h\n"
diff --git a/tests/client_dsa_key.c b/tests/client_dsa_key.c
new file mode 100644
index 0000000000..a1bfb85f3e
--- /dev/null
+++ b/tests/client_dsa_key.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#if !defined(_WIN32)
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#endif
+#include <unistd.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include "utils.h"
+#include "cert-common.h"
+
+/* Test for correct operation when a client uses a DSA key when the server
+ * has DSA signatures enabled but not the client.
+ *
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+	gnutls_certificate_credentials_t serv_cred;
+	gnutls_certificate_credentials_t cli_cred;
+	int ret;
+
+	/* this must be called once in the program
+	 */
+	global_init();
+
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(6);
+
+	assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0);
+
+	ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+	if (ret < 0)
+		fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+
+	ret = gnutls_certificate_set_x509_key_mem(cli_cred, &clidsa_ca3_cert,
+						  &clidsa_ca3_key,
+						  GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fail("error in error code: %s\n", gnutls_strerror(ret));
+		exit(1);
+	}
+
+	/* test gnutls_certificate_flags() */
+	gnutls_certificate_allocate_credentials(&serv_cred);
+	gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH);
+
+	ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+	if (ret < 0)
+		fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+	ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_cert_chain,
+						  &server_ca3_key,
+						  GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fail("error in error code\n");
+		exit(1);
+	}
+
+	test_cli_serv_cert(serv_cred, cli_cred, "NORMAL:+DHE-DSS:+SIGN-DSA-SHA1", "NORMAL:-DHE-DSS:-SIGN-DSA-SHA1", "localhost");
+
+	gnutls_certificate_free_credentials(serv_cred);
+	gnutls_certificate_free_credentials(cli_cred);
+
+	gnutls_global_deinit();
+
+	if (debug)
+		success("success");
+}
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index f19fad2d76..9889f8fa26 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
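Review bot: The server credentials are allocated without checking the result, `gnutls_certificate_allocate_credentials(&serv_cred);`, while the client side asserts on the same call a few lines earlier; on failure serv_cred is left uninitialised and handed straight to gnutls_certificate_set_flags. Mirror the client: `assert(gnutls_certificate_allocate_credentials(&serv_cred) >= 0);`. The failure messages look like copy-paste leftovers as well: both `set_x509_trust_file failed` strings report a `_set_x509_trust_mem` call, and `error in error code` does not say which key load failed, so a wrong fixture will be hard to diagnose from the log. The comment `/* test gnutls_certificate_flags() */` above the server setup does not describe what follows either; something like `/* server side: RSA chain, DSA allowed in the server priority only */` would match the priority strings handed to test_cli_serv_cert below.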
@@ -45,9 +45,11 @@ const char *side = NULL;
 static int
 _test_cli_serv(gnutls_certificate_credentials_t server_cred,
 	       gnutls_certificate_credentials_t client_cred,
-	       const char *prio, const char *host,
+	       const char *serv_prio, const char *cli_prio,
+	       const char *host,
 	       void *priv, callback_func *client_cb, callback_func *server_cb,
-	       unsigned expect_verification_failure)
+	       unsigned expect_verification_failure,
+	       unsigned require_cert)
 {
 	int exit_code = EXIT_SUCCESS;
 	int ret;
@@ -65,11 +67,14 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
 
 	gnutls_init(&server, GNUTLS_SERVER);
 	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, server_cred);
-	gnutls_priority_set_direct(server, prio, NULL);
+	gnutls_priority_set_direct(server, serv_prio, NULL);
 	gnutls_transport_set_push_function(server, server_push);
 	gnutls_transport_set_pull_function(server, server_pull);
 	gnutls_transport_set_ptr(server, server);
 
+	if (require_cert)
+		gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
+
 	ret = gnutls_init(&client, GNUTLS_CLIENT);
 	if (ret < 0)
 		exit(1);
@@ -88,7 +93,7 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
 	if (ret < 0)
 		exit(1);
 
-	gnutls_priority_set_direct(client, prio, NULL);
+	gnutls_priority_set_direct(client, cli_prio, NULL);
 	gnutls_transport_set_push_function(client, client_push);
 	gnutls_transport_set_pull_function(client, client_pull);
 	gnutls_transport_set_ptr(client, client);
@@ -175,7 +180,15 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
 	      const char *prio, const char *host, void *priv,
 	      callback_func *client_cb, callback_func *server_cb)
 {
-	_test_cli_serv(server_cred, client_cred, prio, host, priv, client_cb, server_cb, 0);
+	_test_cli_serv(server_cred, client_cred, prio, prio, host, priv, client_cb, server_cb, 0, 0);
+}
+
+void
+test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
+	      gnutls_certificate_credentials_t client_cred,
+	      const char *cli_prio, const char *serv_prio, const char *host)
+{
+	_test_cli_serv(server_cred, client_cred, cli_prio, serv_prio, host, NULL, NULL, NULL, 0, 1);
 }
 
 /* An expected to fail verification run. Returns verification status */
@@ -184,5 +197,5 @@ test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
 		 gnutls_certificate_credentials_t client_cred,
 		 const char *prio, const char *host)
 {
-	return _test_cli_serv(server_cred, client_cred, prio, host, NULL, NULL, NULL, 1);
+	return _test_cli_serv(server_cred, client_cred, prio, prio, host, NULL, NULL, NULL, 1, 0);
 }
diff --git a/tests/utils.h b/tests/utils.h
index c8efe49b3a..e35e10ab0e 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -84,6 +84,11 @@ void test_cli_serv(gnutls_certificate_credentials_t server_cred,
 		   void *priv, callback_func * client_cb,
 		   callback_func * server_cb);
 
+void
+test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
+		   gnutls_certificate_credentials_t client_cred,
+		   const char *serv_prio, const char *cli_prio, const char *host);
+
 unsigned
 test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
 		 gnutls_certificate_credentials_t client_cred, |
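Review bot: In the new `test_cli_serv_cert` definition the parameter names contradict what the values do: the third parameter is named `cli_prio` but is forwarded into `_test_cli_serv`'s `serv_prio` slot, and the fourth, named `serv_prio`, lands on `cli_prio`. The utils.h prototype added in the same commit declares those positions as `serv_prio, cli_prio`, and client_dsa_key.c passes the DSA-enabled string third, so header and caller agree with the forwarding and only the definition is mislabeled; the next person reading utils-adv.c alone will draw the wrong conclusion about which side has DSA enabled. Rename the definition's parameters to match the header, `const char *serv_prio, const char *cli_prio, const char *host)` and `_test_cli_serv(server_cred, client_cred, serv_prio, cli_prio, host, NULL, NULL, NULL, 0, 1);`. A one-line comment above the definition noting that this variant makes the server require a client certificate (the `require_cert` argument) would also help, since neither the name nor the header says so.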