author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-07-09 04:16:10 +0000 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-07-09 04:16:10 +0000 |
commit | 3be35aa23bd98d7ce8013866919494e0e64c1f67 (patch) | |
tree | 0d2b20467c1331a94f86a56316318c9f06ee3d93 | |
parent | b50f6c63189043ab2cce2fba641c1512fe61da7b (diff) | |
parent | a8455890377528976073ea1c3468112898dffe2b (diff) | |
download | gnutls-3be35aa23bd98d7ce8013866919494e0e64c1f67.tar.gz |
Merge branch 'tmp-fix-ocsp' into 'master'
Improve the OCSP (status request) and interop testing
See merge request gnutls/gnutls!1024
-rw-r--r-- | tests/Makefile.am | 4 | ||||
-rw-r--r-- | tests/cert-common.h | 32 | ||||
-rw-r--r-- | tests/rfc7633-missing.c (renamed from tests/status-request-missing.c) | 40 | ||||
-rw-r--r-- | tests/rfc7633-ok.c | 347 | ||||
-rw-r--r-- | tests/status-request-ext.c | 36 | ||||
-rw-r--r-- | tests/status-request-ok.c | 14 | ||||
-rw-r--r-- | tests/status-request.c | 14 | ||||
-rwxr-xr-x | tests/suite/testcompat-main-openssl | 91 |
8 files changed, 507 insertions, 71 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 61c5a537b2..53f36dd717 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -175,8 +175,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \ x509sign-verify-rsa x509sign-verify-ecdsa x509sign-verify-gost \ mini-alignment oids atfork prf psk-file priority-init2 post-client-hello-change-prio \ - status-request status-request-ok status-request-missing sign-verify-ext \ - fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert \ + status-request status-request-ok rfc7633-missing sign-verify-ext \ + fallback-scsv pkcs8-key-decode urls dtls-rehandshake-cert rfc7633-ok \ key-usage-rsa key-usage-ecdhe-rsa mini-session-verify-function auto-verify \ record-timeouts mini-dtls-hello-verify-48 set-default-prio \ tls12-anon-upgrade global-init-override tlsext-decoding rsa-psk-cb \ diff --git a/tests/cert-common.h b/tests/cert-common.h index 5ccae43ccc..0fd02f7e7c 100644 --- a/tests/cert-common.h +++ b/tests/cert-common.h @@ -41,6 +41,7 @@ * IPv4 server (GOST R 34.10-2001, SAN: localhost): server_ca3_gost01_cert, server_ca3_gost01_key * IPv4 server (GOST R 34.10-2012-256, SAN: localhost): server_ca3_gost12-256_cert, server_ca3_gost12-256_key * IPv4 server (GOST R 34.10-2012-512, SAN: localhost): server_ca3_gost12-512_cert, server_ca3_gost12-512_key + * IPv6 server: server_ca3_tlsfeat_cert, server_ca3_key * IPv6 server: server_ca3_localhost6_cert, server_ca3_key * IPv4 server: server_ca3_localhost_cert, server_ca3_key * IPv4 server: server_ca3_localhost_ecc_cert, server_ca3_ecc_key 
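Review bot: The new index line in the cert-common.h header comment labels `server_ca3_tlsfeat_cert` as `IPv6 server`, which looks copied from the `server_ca3_localhost6_cert` entry directly below it; the `/* shares server_ca3 key with tlsfeature=5 */` comment in the next hunk says the certificate's distinguishing property is the TLS feature (status_request) extension, and the base64 appears to carry a `localhost` SAN like the other server_ca3 certificates. A reader scanning this index to pick a certificate will choose the wrong one. Suggested wording: ` * IPv4 server (TLS feature 5 / status_request, SAN: localhost): server_ca3_tlsfeat_cert, server_ca3_key`, with the SAN part to be confirmed since it is only inferred from the encoded blob here.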
@@ -1489,6 +1490,34 @@ static char server_localhost_ca3_cert_pem[] = "6TXY44pCGHMFO6Kr\n" "-----END CERTIFICATE-----\n"; +/* shares server_ca3 key with tlsfeature=5 */ +static char server_ca3_tlsfeat_cert_pem[] = + "-----BEGIN CERTIFICATE-----" + "MIIEOjCCAqKgAwIBAgIUYBRfAcvgBUU4jCb8W89sQcPLqswwDQYJKoZIhvcNAQEL" + "BQAwDzENMAsGA1UEAxMEQ0EtMzAgFw0xOTA2MDcyMTA4NDFaGA85OTk5MTIzMTIz" + "NTk1OVowIjEgMB4GA1UEAxMXR251VExTIHRlc3QgY2VydGlmaWNhdGUwggGiMA0G" + "CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZPXiZqiz3wLuz+B4ZnJuCphLEX7k1" + "5NcpamL3+9ea4gXyfeFSHbSaihPauBUcDMVbL/wfkhxYiJRCX7wqHIkJK4En5aEz" + "SDDa6pI/CI5lSbiXdNDGbFLh5b8Guvhfzyy8lDjFNNy3abkfU270tnzFY5mkYwYg" + "juN/RgPqh0b8McT+xUeN9x4PuSXXmMC1r3v7y4JuMxE8ZzGDhW2aQK5Is6QYv0WE" + "LS5hVvB8GdP5XQwTJw4HH5i/YES7TENV2RByzRY8hFQ9SbK5YHHGoszVJIlIuxm5" + "v8N2Ig1cW6t7t3HnuZbDYRDCERMiEigBz8vEZZyFsMLg5Z7JiNKSG/f+ER9CzDJX" + "HgxBctV9EEc2KmRT1P9JeI/xZUOl9lKljc+t8m0Um3Asx5duWm4tcZm7FecnaJiT" + "XD/tEG64qTKWtDuoI7+X9MjHe5lvf2gIJT3CoKW24Rn6O1fc9oCCnVAi0V6FLM4X" + "aG50X9NC666RVEFkXih8THA1gC9m9NJMrD0CAwEAAaN5MHcwEQYIKwYBBQUHARgE" + "BTADAgEFMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MB0GA1Ud" + "DgQWBBQzneEn04vV/OsF/LXHgWlPXjvZ1jAfBgNVHSMEGDAWgBT5qIYZY7akFBNg" + "dg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEASMVR+C1x3pBRSRaaIYbFTC0X" + "VXc66iQWDfpTSokLIEN/UVZzLsQw5p1PntPqnRRudDnXS77rNQSZcc4NTFYrzSqW" + "WwdhIXtl3igLg5HMxU80dsr3LfGkzJ1iDS1RR0EGSvFjOE9ZUK0IBdsUvINqpj+l" + "6qxL36yfxamuELIxvgmecIMvLzbe7tUjRXneNvLGsLAJcq5QQmNMCWiyywtHbFa0" + "zbpxKMJmHMk0SbgZHUuFaASlAqVez19rJdzqQcJiw/YrMbbj/b2me1duLQ64dqGL" + "5gKTyDMhk5td53R5uPnr7F6+1u8zRzqA6mBvTfEk4wJ6YmvqdBfC47xT+Ksba6dX" + "Ugz+So2iu0rQxaLEBTZJ/gTXJEUafxUN4wF1ZOnUyltoqLJymhQoceoSwjYobOal" + "FUZEJgFNA7j8tR7J3MtFUaJqFosuPtxhF8/CCPukKV7bRokqh7zK+F21iaQOYvJn" + "AfuOg2g0ZMurGyS/yg8mVsGjh4bho9zPOlhPtFNM" + "-----END CERTIFICATE-----"; + /* Marked as decrypt-only */ static char server_localhost_ca3_rsa_decrypt_cert_pem[] = "-----BEGIN CERTIFICATE-----\n" 
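Review bot: `server_ca3_tlsfeat_cert_pem` is the only PEM literal in this header whose string pieces carry no `\n`, unlike the surrounding `"-----END CERTIFICATE-----\n"` and `"-----BEGIN CERTIFICATE-----\n"` lines; the concatenated datum is therefore one long line with the base64 glued onto the BEGIN/END markers. The GnuTLS loader evidently tolerates this (rfc7633-ok.c in this commit loads it), but the form is inconsistent with every other blob in the file and is not guaranteed to be accepted by other PEM consumers if the datum is ever written out or handed to another tool. Each piece should end in `\n` like the rest of the file, e.g. `"-----BEGIN CERTIFICATE-----\n"` and `"MIIEOjCCAqKgAwIBAgIUYBRfAcvgBUU4jCb8W89sQcPLqswwDQYJKoZIhvcNAQEL\n"`. The comment `/* shares server_ca3 key with tlsfeature=5 */` would also be clearer as `/* shares server_ca3 key; carries the RFC 7633 TLS feature extension requiring status_request (feature 5) */`, since the bare `5` is opaque.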
@@ -1607,6 +1636,9 @@ const gnutls_datum_t server_ca3_localhost_rsa_decrypt_cert = { (unsigned char*)s const gnutls_datum_t server_ca3_localhost_rsa_sign_cert = { (unsigned char*)server_localhost_ca3_rsa_sign_cert_pem, sizeof(server_localhost_ca3_rsa_sign_cert_pem)-1}; +const gnutls_datum_t server_ca3_tlsfeat_cert = { (unsigned char*)server_ca3_tlsfeat_cert_pem, + sizeof(server_ca3_tlsfeat_cert_pem)-1}; + const gnutls_datum_t server_ca3_localhost_cert_chain = { (unsigned char*)server_localhost_ca3_cert_chain_pem, sizeof(server_localhost_ca3_cert_chain_pem)-1 diff --git a/tests/status-request-missing.c b/tests/rfc7633-missing.c index f55f3ac469..0101c17bc8 100644 --- a/tests/status-request-missing.c +++ b/tests/rfc7633-missing.c @@ -50,8 +50,6 @@ int main() #include "utils.h" -static void terminate(void); - /* This program tests that handshakes fail if the server does not include the * requested certificate status with the server certificate having * TLS feature 5 (status request). @@ -133,7 +131,7 @@ static int handshake_callback(gnutls_session_t session, unsigned int htype, #define MAX_BUF 1024 -static void client(int fd) +static void client(int fd, const char *prio) { int ret; unsigned int status; @@ -156,7 +154,7 @@ static void client(int fd) gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL); + gnutls_priority_set_direct(session, prio, NULL); gnutls_handshake_set_hook_function(session, GNUTLS_HANDSHAKE_CERTIFICATE_STATUS, GNUTLS_HOOK_POST, @@ -182,7 +180,6 @@ static void client(int fd) if (ret < 0) { fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); - terminate(); } else { if (debug) success("client: Handshake was completed\n"); 
@@ -195,13 +192,11 @@ static void client(int fd) if (received == 1) { fail("client: received certificate status when we shouldn't.\n"); - terminate(); } ret = gnutls_certificate_verify_peers2(session, &status); if (ret != GNUTLS_E_SUCCESS) { fail("client: Peer certificate validation failed: %s\n", gnutls_strerror(ret)); - terminate(); } else { if (status & GNUTLS_CERT_MISSING_OCSP_STATUS) { @@ -209,7 +204,6 @@ static void client(int fd) } else { fail("client: Validation status does not include GNUTLS_CERT_MISSING_OCSP_STATUS. Status is %d\n", status); - terminate(); } } @@ -227,16 +221,7 @@ static void client(int fd) } -/* These are global */ -pid_t child; - -static void terminate(void) -{ - kill(child, SIGTERM); - exit(1); -} - -static void server(int fd) +static void server(int fd, const char *prio) { int ret; char buffer[MAX_BUF + 1]; @@ -263,7 +248,7 @@ static void server(int fd) /* avoid calling all the priority functions, since the defaults * are adequate. */ - gnutls_priority_set_direct(session, "NORMAL", NULL); + gnutls_priority_set_direct(session, prio, NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); @@ -307,14 +292,18 @@ static void ch_handler(int sig) return; } -void doit(void) +static void start(const char *name, const char *prio) { + pid_t child; int fd[2]; int ret, status = 0; signal(SIGCHLD, ch_handler); signal(SIGPIPE, SIG_IGN); + received = 0; + success("running: %s\n", name); + ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd); if (ret < 0) { perror("socketpair"); @@ -331,16 +320,23 @@ void doit(void) if (child) { /* parent */ close(fd[1]); - client(fd[0]); + client(fd[0], prio); waitpid(child, &status, 0); check_wait_status(status); } else { close(fd[0]); - server(fd[1]); + server(fd[1], prio); exit(0); } return; } +void doit(void) +{ + start("tls1.2", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"); + start("tls1.3", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3"); + start("default", "NORMAL"); +} + #endif /* _WIN32 */ 
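Review bot: In the new `start()` the `received = 0;` reset is essential rather than cosmetic, because `client()` runs in the parent process (`client(fd[0], prio)` under `/* parent */`), so the flag set by `handshake_callback` in one run would otherwise leak into the next; that deserves a comment, e.g. `/* client() runs in the parent: clear the per-run flag set by handshake_callback */`. With `terminate()` removed, a `fail()` in the parent no longer SIGTERMs the server child; presumably `fail()` exits and the child then sees EOF or EPIPE on its socket (SIGPIPE is ignored here), but that dependency is now implicit and worth a line in the comment above `start()`. The same `start()`/`doit()` shape is duplicated in rfc7633-ok.c and status-request-ext.c in this commit and could become a shared helper in utils.h, though that is a style point rather than a defect.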
diff --git a/tests/rfc7633-ok.c b/tests/rfc7633-ok.c
new file mode 100644
index 0000000000..5959065cf3
--- /dev/null
+++ b/tests/rfc7633-ok.c
@@ -0,0 +1,347 @@
+/*
+ * Copyright (C) 2016-2019 Tim Kosse
+ * Copyright (C) 2019 Nikos Mavrogiannopoulos
+ *
+ * Author: Tim Kosse, Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#if defined(_WIN32)
+
+int main()
+{
+	exit(77);
+}
+
+#else
+
+#include <string.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <time.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/dtls.h>
+#include <signal.h>
+
+#include "utils.h"
+#include "cert-common.h"
+
+/* This program tests that handshakes succeed if the server includes the
+ * requested certificate status with the server certificate having
+ * TLS feature 5 (status request).
+ *
+ * See RFC 7633
+ */
+
+static time_t mytime(time_t * t)
+{
+	time_t then = 1559941819;
+	if (t)
+		*t = then;
+
+	return then;
+}
+
+static void server_log_func(int level, const char *str)
+{
+	fprintf(stderr, "server|<%d>| %s", level, str);
+}
+
+static void client_log_func(int level, const char *str)
+{
+	fprintf(stderr, "client|<%d>| %s", level, str);
+}
+
+const unsigned char ocsp_resp[] = {
+	0x30, 0x82, 0x02, 0x3f, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x02, 0x38, 0x30,
+	0x82, 0x02, 0x34, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+	0x01, 0x01, 0x04, 0x82, 0x02, 0x25, 0x30, 0x82, 0x02, 0x21, 0x30, 0x81,
+	0x8a, 0xa1, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55,
+	0x04, 0x03, 0x13, 0x04, 0x43, 0x41, 0x2d, 0x33, 0x18, 0x0f, 0x32, 0x30,
+	0x31, 0x39, 0x30, 0x36, 0x30, 0x37, 0x32, 0x31, 0x31, 0x35, 0x32, 0x32,
+	0x5a, 0x30, 0x64, 0x30, 0x62, 0x30, 0x4d, 0x30, 0x09, 0x06, 0x05, 0x2b,
+	0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0xb7, 0xca, 0x0f, 0xab,
+	0xdc, 0x6f, 0xb8, 0xb0, 0x96, 0x7a, 0x15, 0xac, 0x98, 0x0a, 0x0f, 0x19,
+	0xfe, 0xa4, 0x12, 0xde, 0x04, 0x14, 0x1e, 0x85, 0xed, 0x7f, 0x9e, 0x71,
+	0xfa, 0x08, 0x9d, 0x37, 0x48, 0x43, 0xa0, 0x12, 0xef, 0xe5, 0xaa, 0xe1,
+	0xe3, 0x8a, 0x02, 0x14, 0x60, 0x14, 0x5f, 0x01, 0xcb, 0xe0, 0x05, 0x45,
+	0x38, 0x8c, 0x26, 0xfc, 0x5b, 0xcf, 0x6c, 0x41, 0xc3, 0xcb, 0xaa, 0xcc,
+	0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x39, 0x30, 0x36, 0x30, 0x37,
+	0x32, 0x31, 0x31, 0x35, 0x32, 0x32, 0x5a, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+	0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
+	0x01, 0x81, 0x00, 0x44, 0xc4, 0x59, 0xab, 0x7b, 0x6e, 0x35, 0x4e, 0x18,
+	0x83, 0x02, 0xbd, 0x94, 0x26, 0x50, 0x01, 0xe2, 0xb1, 0x50, 0xdd, 0xca,
+	0x61, 0x30, 0xb0, 0x93, 0x18, 0x56, 0xfe, 0x8d, 0x4f, 0xcc, 0x33, 0xc8,
+	0x01, 0x1e, 0xac, 0xa1, 0x8e, 0xb0, 0x76, 0x0f, 0x41, 0x38, 0x7d, 0x06,
+	0x9b, 0xfe, 0x09, 0x50, 0x6d, 0x86, 0x07, 0x2a, 0x48, 0x6e, 0x6a, 0xb1,
+	0x13, 0xf4, 0xc0, 0x0f, 0x7c, 0x7d, 0x89, 0xb9, 0x69, 0xe7, 0x04, 0x2e,
+	0xa4, 0x3d, 0xf6, 0xbd, 0x51, 0xbf, 0x52, 0x7d, 0xfb, 0x38, 0x7a, 0xbf,
+	0xe6, 0xd7, 0x32, 0x57, 0x36, 0x87, 0xec, 0x91, 0x07, 0x0c, 0xac, 0xb9,
+	0x79, 0xe7, 0x79, 0x4e, 0x49, 0x72, 0x1d, 0x16, 0xb6, 0x94, 0xbf, 0xc4,
+	0x9f, 0x4e, 0x8b, 0x51, 0x54, 0x73, 0xb4, 0x4d, 0xe7, 0x01, 0x91, 0xcd,
+	0x7c, 0xb2, 0x91, 0x4a, 0xc3, 0x4d, 0xc4, 0x4f, 0xa3, 0x42, 0xf1, 0x89,
+	0xc7, 0xab, 0x36, 0x11, 0xf0, 0x7c, 0xc6, 0x8f, 0x03, 0x53, 0x85, 0x0c,
+	0xfb, 0x30, 0x6b, 0xdd, 0x9e, 0x72, 0xd7, 0x77, 0xe5, 0xea, 0xd3, 0x39,
+	0xb5, 0xb8, 0xdd, 0x61, 0xb9, 0xe7, 0x24, 0x9c, 0x85, 0x42, 0xd7, 0x2b,
+	0x2e, 0x99, 0xdf, 0xe5, 0x8b, 0x79, 0xe3, 0x6e, 0x56, 0x6e, 0xd6, 0xed,
+	0x5f, 0x9b, 0x5f, 0x40, 0x89, 0x17, 0x1a, 0x76, 0xbb, 0x3c, 0x9f, 0x33,
+	0x71, 0xc1, 0xc5, 0x2f, 0xf4, 0x69, 0xe5, 0x5f, 0x83, 0xd4, 0x3a, 0x3d,
+	0xd7, 0x44, 0xaa, 0xc0, 0x9d, 0xd9, 0xd9, 0x99, 0xec, 0x80, 0x4c, 0x46,
+	0x5f, 0x91, 0xf4, 0x09, 0x06, 0xef, 0x37, 0x7c, 0x32, 0x64, 0x67, 0x85,
+	0x99, 0xde, 0x9c, 0xce, 0x3e, 0x58, 0x1a, 0x6c, 0x59, 0xc9, 0x60, 0x26,
+	0x02, 0xeb, 0x95, 0x52, 0x3e, 0x4f, 0xdd, 0x5f, 0x6c, 0x2d, 0x37, 0xc2,
+	0x3b, 0x72, 0x70, 0xab, 0x1d, 0xf5, 0x2a, 0xbe, 0x8c, 0x70, 0x8e, 0xf0,
+	0x25, 0x18, 0x68, 0xe5, 0xe9, 0xd1, 0xcf, 0xd8, 0x1f, 0x6c, 0x8e, 0xcf,
+	0x18, 0x46, 0x51, 0xb4, 0x69, 0xbb, 0x6f, 0x4f, 0x1e, 0x2a, 0x61, 0x3f,
+	0x64, 0x8b, 0x07, 0x7f, 0xc5, 0x80, 0xb9, 0x06, 0xd6, 0xb1, 0x8d, 0x47,
+	0x4a, 0x61, 0xd2, 0x3e, 0xb4, 0xa6, 0xab, 0x12, 0xc6, 0x5c, 0x90, 0x9e,
+	0x2e, 0x16, 0x2e, 0xd4, 0xfc, 0x4b, 0x08, 0x41, 0x94, 0xaf, 0x1d, 0x6e,
+	0x6c, 0x11, 0x5c, 0x88, 0x3d, 0xd9, 0x30, 0x9d, 0x69, 0xf7, 0x45, 0xbe,
+	0x5d, 0x1e, 0xd5, 0xe2, 0xf6, 0x38, 0xfa, 0xe1, 0xbf, 0xae, 0x9f, 0x2f,
+	0xc6, 0x7b, 0x7b, 0x98, 0x89, 0x05, 0x8d, 0x4c, 0x01, 0xad, 0x61, 0x14,
+	0x00, 0xca, 0xa3, 0xed, 0xd0, 0x2c, 0xfe, 0x1b, 0x7e, 0x1d, 0x70, 0x5b,
+	0x2e, 0xc2, 0x54, 0xcf, 0x4c, 0x0a, 0xb3, 0x21, 0x58, 0xed, 0x51, 0xe7,
+	0xeb, 0x8d, 0xb7 };
+
+static int received = 0;
+
+static int handshake_callback(gnutls_session_t session, unsigned int htype,
+			      unsigned post, unsigned int incoming,
+			      const gnutls_datum_t * msg)
+{
+	received = 1;
+	return 0;
+}
+
+#define MAX_BUF 1024
+
+static void client(int fd, const char *prio)
+{
+	int ret;
+	unsigned int status;
+	gnutls_certificate_credentials_t x509_cred;
+	gnutls_session_t session;
+
+	gnutls_global_set_time_function(mytime);
+	global_init();
+
+	if (debug) {
+		gnutls_global_set_log_function(client_log_func);
+		gnutls_global_set_log_level(7);
+	}
+
+	assert(gnutls_certificate_allocate_credentials(&x509_cred) >= 0);
+	assert(gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM)>=0);
+
+	assert(gnutls_init(&session, GNUTLS_CLIENT) >= 0);
+
+	assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
+
+	gnutls_handshake_set_hook_function(session,
+					   GNUTLS_HANDSHAKE_CERTIFICATE_STATUS,
+					   GNUTLS_HOOK_POST,
+					   handshake_callback);
+
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+	gnutls_transport_set_int(session, fd);
+
+	do {
+		ret = gnutls_handshake(session);
+	}
+	while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+	if (ret < 0) {
+		fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
+	} else {
+		if (debug)
+			success("client: Handshake was completed\n");
+	}
+
+	if (debug)
+		success("client: TLS version is: %s\n",
+			gnutls_protocol_get_name
+			(gnutls_protocol_get_version(session)));
+
+	if (received == 0
+	    && gnutls_protocol_get_version(session) == GNUTLS_TLS1_2) {
+		fail("client: did not receive certificate status when we should.\n");
+	}
+
+	ret = gnutls_certificate_verify_peers2(session, &status);
+	if (ret != GNUTLS_E_SUCCESS) {
+		fail("client: Peer certificate validation failed: %s\n",
+		     gnutls_strerror(ret));
+	} else {
+		if (status) {
+			gnutls_datum_t tmp;
+			assert(gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &tmp, 0)>=0);
+			fail("client: Validation status is not success (%x: %s)\n",
+			     status, (char*)tmp.data);
+		}
+	}
+
+	gnutls_bye(session, GNUTLS_SHUT_WR);
+
+	close(fd);
+
+	gnutls_deinit(session);
+
+	gnutls_certificate_free_credentials(x509_cred);
+
+	gnutls_global_deinit();
+}
+
+static int status_func(gnutls_session_t session, void *ptr, gnutls_datum_t *resp)
+{
+	resp->data = gnutls_malloc(sizeof(ocsp_resp));
+	if (resp->data == NULL)
+		return -1;
+
+	memcpy(resp->data, ocsp_resp, sizeof(ocsp_resp));
+	resp->size = sizeof(ocsp_resp);
+	return 0;
+}
+
+static void server(int fd, const char *prio)
+{
+	int ret;
+	char buffer[MAX_BUF + 1];
+	gnutls_session_t session;
+	gnutls_certificate_credentials_t x509_cred;
+
+	/* this must be called once in the program
+	 */
+	global_init();
+	memset(buffer, 0, sizeof(buffer));
+
+	if (debug) {
+		gnutls_global_set_log_function(server_log_func);
+		gnutls_global_set_log_level(4711);
+	}
+
+	assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
+	assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_tlsfeat_cert,
+						   &server_ca3_key, GNUTLS_X509_FMT_PEM)>=0);
+
+	assert(gnutls_init(&session, GNUTLS_SERVER) >= 0);
+
+	assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
+
+	gnutls_certificate_set_ocsp_status_request_function(x509_cred, status_func, NULL);
+
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
+
+	gnutls_transport_set_int(session, fd);
+
+	do {
+		ret = gnutls_handshake(session);
+	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+	if (ret < 0) {
+		fail("server: Handshake failed: %s\n", gnutls_strerror(ret));
+	}
+
+	if (debug) {
+		success("server: Handshake was completed\n");
+	}
+
+	if (debug)
+		success("server: TLS version is: %s\n",
+			gnutls_protocol_get_name
+			(gnutls_protocol_get_version(session)));
+
+	/* do not wait for the peer to close the connection.
+	 */
+	gnutls_bye(session, GNUTLS_SHUT_WR);
+
+	close(fd);
+	gnutls_deinit(session);
+
+	gnutls_certificate_free_credentials(x509_cred);
+
+	gnutls_global_deinit();
+
+	if (debug)
+		success("server: finished\n");
+}
+
+static void ch_handler(int sig)
+{
+	return;
+}
+
+static void start(const char *name, const char *prio)
+{
+	pid_t child;
+	int fd[2];
+	int ret, status = 0;
+
+	signal(SIGCHLD, ch_handler);
+	signal(SIGPIPE, SIG_IGN);
+
+	received = 0;
+	success("running: %s\n", name);
+
+	ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
+	if (ret < 0) {
+		perror("socketpair");
+		exit(1);
+	}
+
+	child = fork();
+	if (child < 0) {
+		perror("fork");
+		fail("fork");
+		exit(1);
+	}
+
+	if (child) {
+		/* parent */
+		close(fd[1]);
+		client(fd[0], prio);
+		waitpid(child, &status, 0);
+		check_wait_status(status);
+	} else {
+		close(fd[0]);
+		server(fd[1], prio);
+		exit(0);
+	}
+
+	return;
+}
+
+void doit(void)
+{
+	start("tls1.2", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2");
+	start("tls1.3", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3");
+	start("default", "NORMAL");
+}
+
+#endif /* _WIN32 */
diff --git a/tests/status-request-ext.c b/tests/status-request-ext.c
index e893c5c528..495e08a197 100644
--- a/tests/status-request-ext.c
+++ b/tests/status-request-ext.c
@@ -49,8 +49,6 @@ int main() #include "cert-common.h" #include "utils.h" -static void terminate(void); - /* This program tests that the server does not send the * status request extension if no status response exists. That * is to provide compatibility with gnutls 3.3.x which requires
@@ -157,7 +155,7 @@ static int handshake_callback(gnutls_session_t session, unsigned int htype, #define MAX_BUF 1024 -static void client(int fd) +static void client(int fd, const char *prio) { int ret; gnutls_certificate_credentials_t x509_cred;
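Review bot: `status_func` in the new rfc7633-ok.c returns a bare `-1` when `gnutls_malloc` fails; GnuTLS callbacks report failure with library error codes, so `return GNUTLS_E_MEMORY_ERROR;` is the conventional value and keeps the failure recognisable in `gnutls_strerror` output. Two smaller tightenings: `ocsp_resp` is the only file-scope object here without `static` (`static const unsigned char ocsp_resp[]`), and `buffer` in `server()` is zeroed by `memset` but never otherwise used, so it can be dropped along with the `memset`. The `received == 0` check in `client()` is deliberately limited to `GNUTLS_TLS1_2` but says nothing about why; a comment such as `/* TLS 1.3 carries the OCSP response inside the Certificate message, so the CERTIFICATE_STATUS hook is not expected to fire there; the verify status below still checks it */` would explain the asymmetry (the hook behaviour under 1.3 is inferred, not visible here). Similarly `mytime()` pins the clock to `1559941819`, presumably so the `20190607…` timestamps embedded in `ocsp_resp` stay within the response's validity window, and a one-line comment on that constant would save the next reader from decoding the DER to find out.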
@@ -178,7 +176,7 @@ static void client(int fd) gnutls_init(&session, GNUTLS_CLIENT); /* Use default priorities */ - gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+ECDHE-RSA", NULL); + gnutls_priority_set_direct(session, prio, NULL); /* put the anonymous credentials to the current session */ @@ -200,7 +198,6 @@ static void client(int fd) if (ret < 0) { fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); - terminate(); } else { if (debug) success("client: Handshake was completed\n"); @@ -225,16 +222,7 @@ static void client(int fd) } -/* These are global */ -pid_t child; - -static void terminate(void) -{ - kill(child, SIGTERM); - exit(1); -} - -static void server(int fd) +static void server(int fd, const char *prio) { int ret; char buffer[MAX_BUF + 1]; @@ -265,7 +253,7 @@ static void server(int fd) /* avoid calling all the priority functions, since the defaults * are adequate. */ - gnutls_priority_set_direct(session, "NORMAL", NULL); + gnutls_priority_set_direct(session, prio, NULL); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); @@ -309,14 +297,17 @@ static void ch_handler(int sig) return; } -void doit(void) +static void start(const char *name, const char *prio) { + pid_t child; int fd[2]; int ret, status = 0; signal(SIGCHLD, ch_handler); signal(SIGPIPE, SIG_IGN); + success("running: %s\n", name); + ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd); if (ret < 0) { perror("socketpair"); @@ -333,14 +324,21 @@ void doit(void) if (child) { /* parent */ close(fd[1]); - server(fd[0]); + server(fd[0], prio); waitpid(child, &status, 0); check_wait_status(status); } else { close(fd[0]); - client(fd[1]); + client(fd[1], prio); exit(0); } } +void doit(void) +{ + start("tls1.2", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"); + start("tls1.3", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3"); + start("default", "NORMAL"); +} + #endif /* _WIN32 */ diff --git a/tests/status-request-ok.c b/tests/status-request-ok.c index 5dda6faf4f..fe1818eeee 100644 
--- a/tests/status-request-ok.c +++ b/tests/status-request-ok.c @@ -49,8 +49,6 @@ int main() #include "utils.h" -static void terminate(void); - /* This program tests the status request extension and that receiving the * certificate status works. */ @@ -181,7 +179,6 @@ static void client(int fd) if (ret < 0) { fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); - terminate(); } else { if (debug) success("client: Handshake was completed\n"); @@ -194,7 +191,6 @@ static void client(int fd) if (received == 0) { fail("client: didn't receive status request\n"); - terminate(); } gnutls_bye(session, GNUTLS_SHUT_WR); @@ -211,15 +207,6 @@ static void client(int fd) } -/* These are global */ -pid_t child; - -static void terminate(void) -{ - kill(child, SIGTERM); - exit(1); -} - static void server(int fd) { int ret; @@ -300,6 +287,7 @@ static void ch_handler(int sig) void doit(void) { + pid_t child; int fd[2]; int ret, status = 0; diff --git a/tests/status-request.c b/tests/status-request.c index 2ab57727cd..0e62969ba9 100644 --- a/tests/status-request.c +++ b/tests/status-request.c @@ -51,8 +51,6 @@ int main() #include "cert-common.h" #include "utils.h" -static void terminate(void); - /* This program tests that the client does not send the * status request extension if GNUTLS_NO_EXTENSIONS is set. */ @@ -133,7 +131,6 @@ static void client(int fd, const char *prio) if (ret < 0) { fail("client: Handshake failed: %s\n", gnutls_strerror(ret)); - terminate(); } else { if (debug) success("client: Handshake was completed\n"); @@ -158,7 +155,6 @@ static void client(int fd, const char *prio) goto end; } else if (ret < 0) { fail("client: Error: %s\n", gnutls_strerror(ret)); - terminate(); } gnutls_bye(session, GNUTLS_SHUT_WR); @@ -175,15 +171,6 @@ static void client(int fd, const char *prio) } -/* These are global */ -pid_t child; - -static void terminate(void) -{ - kill(child, SIGTERM); - exit(1); -} - static void server(int fd, const char *prio) { int ret; 
@@ -261,6 +248,7 @@ static void ch_handler(int sig) static void start(const char *prio) { + pid_t child; int fd[2]; int ret, status = 0; diff --git a/tests/suite/testcompat-main-openssl b/tests/suite/testcompat-main-openssl index d2708bfa8c..197243086a 100755 --- a/tests/suite/testcompat-main-openssl +++ b/tests/suite/testcompat-main-openssl 
@@ -481,6 +481,43 @@ run_client_suite() { kill ${PID} wait fi + + eval "${GETPORT}" + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_udp_server ${PID} + + echo "${PREFIX}Checking DTLS 1.2 with AES-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + eval "${GETPORT}" + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_udp_server ${PID} + + # Test DTLS 1.2 with RSA ciphersuite + echo "${PREFIX}Checking DTLS 1.2 with RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + + eval "${GETPORT}" + launch_bare_server $$ s_server -cipher ALL -quiet -accept "${PORT}" -keyform pem -certform pem -dtls1_2 -timeout ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" ${DSA_PARAMS} -Verify 1 -CAfile "${CA_CERT}" >/dev/null + PID=$! + wait_udp_server ${PID} + + echo "${PREFIX}Checking DTLS 1.2 with ECDHE-RSA..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+GROUP-ALL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait } WAITPID="" @@ -838,7 +875,6 @@ run_server_suite() { PID=$! wait_udp_server ${PID} - ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ fail ${PID} "Failed" @@ -859,7 +895,6 @@ run_server_suite() { kill ${PID} wait - if test "${NO_DSS}" = 0; then echo "${PREFIX}Check DTLS 1.0 with DHE-DSS ciphersuite" eval "${GETPORT}" 
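Review bot: The three `launch_bare_server $$ s_server … -dtls1_2 …` lines in the new DTLS 1.2 client checks are byte-identical, as are the `PID=$!`/`wait_udp_server`/`kill`/`wait` frames around them, so the block would read better as a loop over the three priority strings or a small helper taking a label and a priority; this is style, not a defect. The `# Test DTLS 1.2 with RSA ciphersuite` comment appears only on the second case while the `echo "${PREFIX}Checking …"` already labels each one, so either drop it or comment all three consistently. `run_client_suite` starts before this hunk.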
@@ -874,6 +909,58 @@ run_server_suite() { kill ${PID} wait fi + + echo "${PREFIX}Check DTLS 1.2 with AES-CBC" + eval "${GETPORT}" + launch_server $$ --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! + wait_udp_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "${PREFIX}Check DTLS 1.2 with RSA ciphersuite" + eval "${GETPORT}" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! + wait_udp_server ${PID} + + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + + echo "${PREFIX}Check DTLS 1.2 with DHE-RSA ciphersuite" + eval "${GETPORT}" + launch_server $$ --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+DHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! 
+ wait_udp_server ${PID} + + + ${OPENSSL_CLI} s_client -cipher DHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + + echo "${PREFIX}Check DTLS 1.2 with ECDHE-RSA" + eval "${GETPORT}" + launch_server $$ --priority "NONE:+GROUP-ALL:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-DTLS1.2:+ECDHE-RSA${ADD}" --udp --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" + PID=$! + wait_udp_server ${PID} + + + ${OPENSSL_CLI} s_client -cipher ECDHE -host localhost -port "${PORT}" -dtls1_2 -cert "${CLI_CERT}" -key "${CLI_KEY}" -CAfile "${CA_CERT}" </dev/null 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + + kill ${PID} + wait + } WAITPID="" |
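Review bot: The new DTLS 1.2 server-side checks only fail when `s_client` prints `:error:`; if `s_client` never completes the handshake and exits without that string, the `grep "\:error\:" && fail` form passes, which is weaker than the `|| fail` used for the client suite in this file — a comment stating that the check is negative-only, or an additional positive assertion on the handshake output, would make the intent explicit. `-cipher DHE` and `-cipher ECDHE` are passed only in the last two cases, so the AES-CBC and RSA cases rely solely on the server priority string to pin the key exchange; that is acceptable but worth a line such as `# key exchange is pinned by the server priority, so no -cipher is needed here`. The doubled blank lines before the DHE-RSA and ECDHE-RSA blocks and after `wait_udp_server` are noise. `run_server_suite` starts before this hunk.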