authorNikos Mavrogiannopoulos <nmav@gnutls.org>2016-09-17 12:52:41 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-09-17 12:54:34 +0200
commit568418fbc9c2529874e17a3f151d099a8e9fc717 (patch)
treeab82670ad6746a55bbf976567d5d3b12f9d02c41
parent1f3ba01e82579c0bf02a2dc8fca3636097108e3d (diff)
downloadgnutls-568418fbc9c2529874e17a3f151d099a8e9fc717.tar.gz
tests: added check for insecure key
That is, a check which verifies that a connection to a server with a very small key fails the certificate verification check.
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/cert-common.h45
-rw-r--r--tests/insecure_key.c112
-rw-r--r--tests/utils-adv.c39
-rw-r--r--tests/utils.h5
5 files changed, 198 insertions, 5 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a5adb73146..060956cbec 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -112,7 +112,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
- set_key_utf8 set_x509_key_utf8
+ set_key_utf8 set_x509_key_utf8 insecure_key
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/cert-common.h b/tests/cert-common.h
index 5290d6a18f..2c16daf388 100644
--- a/tests/cert-common.h
+++ b/tests/cert-common.h
@@ -31,6 +31,7 @@
* IPv6 server: server_ca3_localhost6_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_utf8_cert, server_ca3_key - UTF8 names
+ * IPv4 server: insecure key: server_ca3_localhost_insecure_key, server_ca3_localhost_insecure_cert
*/
@@ -934,6 +935,50 @@ const gnutls_datum_t server_ca3_localhost_cert_chain = {
sizeof(server_localhost_ca3_cert_chain_pem)-1
};
+/* shares server_ca3 key */
+static char server_localhost_insecure_ca3_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDFzCCAX+gAwIBAgIIV90eOyTzpOcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNjA5MTcxMDQzMDhaGA85OTk5MTIzMTIzNTk1OVowHjEcMBoG\n"
+ "A1UEAxMTSW5zZWN1cmUgKDc2OCBiaXRzKTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgC\n"
+ "YQCuxKP0RG8KHAp7HnqaFpcWnPVl72vmkLvBgC0h3gnVUO3a41//kkLOG0HGUOi6\n"
+ "77cLNOzRRll9NPi1RwMNTKayA0cv+pJBsoNq/byOeWKJkKOgwTZD6Vi6X3MDtj7e\n"
+ "3SECAwEAAaOBjTCBijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9z\n"
+ "dDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQW\n"
+ "BBS4eSAgXUnLYP8HfA9SmoXjOAYLoDAfBgNVHSMEGDAWgBT5qIYZY7akFBNgdg8B\n"
+ "mjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAFa7J4+vJ7V+4y+CaaATD/WATc9ZV\n"
+ "ZUITpI6irjWneRPz0u0/3BLprKoCbO0m5QjoBaji1wUbVWpJir+N7QS577ufjwh0\n"
+ "ViGFn1b3eU0wGPgz8n0B0vo6NifaQl1Df5PBN3Mfa+r0aUK3QYxnlHsXxanYaKzj\n"
+ "9lpXUq57fpJJFSFASSzGSwkg8xiwlFBre/9jJ8sf1Blhu8M50NkOCdRdwpg/rbMI\n"
+ "Oukh0pvJQYQfQsgxc/hySWfEtN0TThXLRFMRRcFFeRHK2LXyAo/sNzWJMIou7hBQ\n"
+ "p1LNlCoUc3TGRKMQToEi+GIgjJx17zADze+1hHHE3aEEVGU9n3Gkj+hxy46LN5ke\n"
+ "hDox4AzBf4+KaA/vdHGRvZjzhajaMdL6w8FJgmUc26L+kH/rsTuev+PrvqXuuy1W\n"
+ "c2QqW3gu7oUy+g99TQFeXgyJHqv/cu/M0vhUV9wwHQJdj1bFCEaFW40MmQArXz5D\n"
+ "F92lL9akoGYmyehqQHeRQsrVRKcCOiv8lgVF\n"
+ "-----END CERTIFICATE-----\n";
+
+const gnutls_datum_t server_ca3_localhost_insecure_cert = { (void*)server_localhost_insecure_ca3_cert_pem,
+ sizeof(server_localhost_insecure_ca3_cert_pem)-1
+};
+
+static char server_ca3_localhost_insecure_key_pem[] =
+ "-----BEGIN RSA PRIVATE KEY-----\n"
+ "MIIBywIBAAJhAK7Eo/REbwocCnseepoWlxac9WXva+aQu8GALSHeCdVQ7drjX/+S\n"
+ "Qs4bQcZQ6Lrvtws07NFGWX00+LVHAw1MprIDRy/6kkGyg2r9vI55YomQo6DBNkPp\n"
+ "WLpfcwO2Pt7dIQIDAQABAmBd9Md0Dcpoc/TKhfNBnb1yYcWoHJQ0q0DVYXRiDb3Z\n"
+ "mZ2WHMFCY75YkdzFoj/MKAyrl+n6SJy5V2gwqEEW84pHH2AaAseWsF16rSRz958b\n"
+ "7seVpNi304tOk4PS7B6+RAUCMQDXiT23wggUir6uVrx0UfHJUcsRltK0qco6Q7o3\n"
+ "b+uwrIAbaNNg+aAqAXXU5XWdBpcCMQDPlBKn42C/XkAZ11zflbzjrq22ie0gaLKZ\n"
+ "j92rCaU0/qX4VR8KK6J9PL6ZLoTWqQcCMQCzazhoLmoBh5nBkMxh3BD08FSluLJ/\n"
+ "19NS+ywZl95P/NjLeFB1qnbsYLjQ1443f9MCMDE/w3FbzC97MCAxbZKKl0c5wXNG\n"
+ "pCEFViKC9KfI4Q6CwGP75iJmmeW2zM3RMKkxbwIxAIAViD0cQjNL9keUVjtN68pK\n"
+ "dD2lxHfq5Q1QxCSjl8EnBnjnbFJN9WmK9ztkK00Avg==\n"
+ "-----END RSA PRIVATE KEY-----\n";
+
+const gnutls_datum_t server_ca3_localhost_insecure_key = { (void*)server_ca3_localhost_insecure_key_pem,
+ sizeof(server_ca3_localhost_insecure_key_pem)-1
+};
+
static char unknown_ca_cert_pem[] =
"-----BEGIN CERTIFICATE-----\n"
"MIID4DCCAkigAwIBAgIIVyG62RARjncwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE\n"
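Review bot: The comment `/* shares server_ca3 key */` above server_localhost_insecure_ca3_cert_pem is contradicted by the dedicated server_ca3_localhost_insecure_key defined a few lines below it, and by the header comment added at the top of this file, which lists that key as belonging to this certificate. Replace it with something like `/* localhost cert signed by ca3 with a deliberately undersized RSA key (the subject appears to read "Insecure (768 bits)"); used to exercise GNUTLS_CERT_INSECURE_ALGORITHM */`. The two new PEM arrays also disagree on word order (server_localhost_insecure_ca3_cert_pem vs server_ca3_localhost_insecure_key_pem) while both exported datums use the ca3_localhost_insecure form, so the array names should follow it.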
diff --git a/tests/insecure_key.c b/tests/insecure_key.c
new file mode 100644
index 0000000000..3a95460d66
--- /dev/null
+++ b/tests/insecure_key.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/* Parts copied from GnuTLS example programs. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#if !defined(_WIN32)
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#endif
+#include <unistd.h>
+#include <assert.h>
+#include <time.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/abstract.h>
+#include <gnutls/x509.h>
+
+#include "cert-common.h"
+#include "utils.h"
+
+/* Test for detection of certificates with insecure keys (too small)
+ *
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+static time_t mytime(time_t * t)
+{
+ time_t then = 1474109119;
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+void doit(void)
+{
+ gnutls_certificate_credentials_t x509_cred;
+ gnutls_certificate_credentials_t clicred;
+ int ret;
+ unsigned status;
+
+ /* this must be called once in the program
+ */
+ global_init();
+
+ gnutls_global_set_time_function(mytime);
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+ assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+
+ ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_x509_key_mem2(x509_cred, &server_ca3_localhost_insecure_cert, &server_ca3_localhost_insecure_key, GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("%s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_x509_key_mem2(x509_cred, &server_ca3_localhost6_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("%s\n", gnutls_strerror(ret));
+
+ test_cli_serv(x509_cred, clicred, "NORMAL", "localhost6", NULL, NULL, NULL);
+ status = test_cli_serv_vf(x509_cred, clicred, "NORMAL", "localhost");
+
+ assert(status == (GNUTLS_CERT_INVALID|GNUTLS_CERT_INSECURE_ALGORITHM));
+
+ gnutls_certificate_free_credentials(x509_cred);
+ gnutls_certificate_free_credentials(clicred);
+
+ gnutls_global_deinit();
+
+ if (debug)
+ success("success");
+}
+
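Review bot: The error message in `fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));` names the wrong call; the code above it calls gnutls_certificate_set_x509_trust_mem, so it should read `fail("set_x509_trust_mem failed: %s\n", gnutls_strerror(ret));`. The two gnutls_certificate_allocate_credentials() calls and the final status comparison are wrapped in assert(), so a build with NDEBUG would never allocate the credentials and would silently drop the one check this test exists for; the rest of doit() already reports through fail(), e.g. `if (status != (GNUTLS_CERT_INVALID|GNUTLS_CERT_INSECURE_ALGORITHM)) fail("unexpected verification status: %x\n", status);`. The file comment could also explain why two key pairs are loaded into x509_cred: the localhost6 chain serves the expected-to-succeed run and the undersized-key localhost certificate the expected-to-fail one.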
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index 8592f93e31..f19fad2d76 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
@@ -42,11 +42,12 @@ int _gnutls_server_name_set_raw(gnutls_session_t session,
const char *side = NULL;
/* if @host is NULL certificate check is skipped */
-void
-test_cli_serv(gnutls_certificate_credentials_t server_cred,
+static int
+_test_cli_serv(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
- const char *prio, const char *host,
- void *priv, callback_func *client_cb, callback_func *server_cb)
+ const char *prio, const char *host,
+ void *priv, callback_func *client_cb, callback_func *server_cb,
+ unsigned expect_verification_failure)
{
int exit_code = EXIT_SUCCESS;
int ret;
@@ -113,6 +114,13 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
exit(1);
}
+ if (expect_verification_failure && status != 0) {
+ ret = status;
+ goto cleanup;
+ } else if (expect_verification_failure && status == 0) {
+ fail("expected verification failure but verification succeeded!\n");
+ }
+
if (status != 0) {
gnutls_datum_t t;
assert(gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &t, 0)>=0);
@@ -137,6 +145,8 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
}
}
+ ret = 0;
+ cleanup:
if (client_cb)
client_cb(client, priv);
if (server_cb)
@@ -154,4 +164,25 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
else
puts("Self-test failed");
}
+
+ return ret;
+}
+
+/* An expected to succeed run */
+void
+test_cli_serv(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *prio, const char *host,
+ void *priv, callback_func *client_cb, callback_func *server_cb)
+{
+ _test_cli_serv(server_cred, client_cred, prio, host, priv, client_cb, server_cb, 0);
+}
+
+/* An expected to fail verification run. Returns verification status */
+unsigned
+test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *prio, const char *host)
+{
+ return _test_cli_serv(server_cred, client_cred, prio, host, NULL, NULL, NULL, 1);
}
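Review bot: The comment on test_cli_serv_vf should state that host must be non-NULL: per the `/* if @host is NULL certificate check is skipped */` comment above _test_cli_serv, a NULL host leaves status at 0 and the new `fail("expected verification failure but verification succeeded!\n");` branch fires, so e.g. `/* An expected to fail verification run; host must be non-NULL. Returns the GNUTLS_CERT_* verification status */`. The unsigned status is also carried through the `int ret` of _test_cli_serv and converted back to unsigned on return from test_cli_serv_vf; harmless for the GNUTLS_CERT_* flag values, but a dedicated `unsigned vstatus` result and an `unsigned` return type for _test_cli_serv would avoid the round-trip. Most of _test_cli_serv's body, including what lies between the verification check and the cleanup label, is outside the shown hunks, so whether the goto skips any session teardown cannot be judged here.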
diff --git a/tests/utils.h b/tests/utils.h
index 965a341dd0..213f5834c1 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -77,6 +77,11 @@ void test_cli_serv(gnutls_certificate_credentials_t server_cred,
void *priv,
callback_func * client_cb, callback_func * server_cb);
+unsigned
+test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *prio, const char *host);
+
#define TMPNAME_SIZE 128
char *get_tmpname(char s[TMPNAME_SIZE]);
void track_temp_files(void);
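Review bot: The new test_cli_serv_vf prototype carries no comment, and the header is where callers look; its contract is documented only in utils-adv.c. Add above it something like `/* Runs a client/server handshake whose certificate verification is expected to fail; returns the GNUTLS_CERT_* status flags and fail()s if verification unexpectedly succeeds. */`. The fail-on-success behaviour is taken from the utils-adv.c change in the same commit.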