diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-14 10:07:58 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-10-14 11:29:02 +0200 |
commit | a7698b53df8b7d09600964a34417c5169b426c9e (patch) | |
tree | 623fecb5ac705516a54d600b26e387a681dbaf24 /tests | |
parent | 7e4336c5c5f29b6430fd42fb3b453a024ebd2b7d (diff) | |
download | gnutls-a7698b53df8b7d09600964a34417c5169b426c9e.tar.gz |
tests: added check to verify that the server will bail out after receiving only alerts
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/naked-alerts.c | 171 |
2 files changed, 172 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 50884c7bc6..b919311c91 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -114,7 +114,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \ set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \ client_dsa_key server_ecdsa_key tls-session-ext-register tls-session-supplemental \ - multi-alerts + multi-alerts naked-alerts if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp diff --git a/tests/naked-alerts.c b/tests/naked-alerts.c new file mode 100644 index 0000000000..48d26afdb4 --- /dev/null +++ b/tests/naked-alerts.c @@ -0,0 +1,171 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> + +/* In this test we check whether the server will bail out after receiving + * a bunch of warning alerts without a client hello. + */ + +#if defined(_WIN32) + +/* socketpair isn't supported on Win32. */ +int main(int argc, char **argv) +{ + exit(77); +} + +#else + +#include <string.h> +#include <sys/types.h> +#include <sys/socket.h> +#if !defined(_WIN32) +#include <sys/wait.h> +#endif +#include <unistd.h> +#include <gnutls/gnutls.h> + +#include "utils.h" +#include "cert-common.h" + +pid_t child; + +static void tls_log_func(int level, const char *str) +{ + fprintf(stderr, "%s |<%d>| %s", child ? "server" : "client", level, + str); +} + +static unsigned char tls_alert[] = + "\x15\x03\x03\x00\x02\x00\x0A"; + +static void client(int sd) +{ + int ret; + unsigned i; + + /* send a list of warning alerts */ + + for (i=0;i<128;i++) { + ret = send(sd, tls_alert, sizeof(tls_alert)-1, 0); + if (ret < 0) + fail("error sending hello\n"); + } + + close(sd); +} + +static void server(int sd) +{ + gnutls_certificate_credentials_t x509_cred; + gnutls_session_t session; + int ret; + unsigned loops; + + /* this must be called once in the program + */ + global_init(); + + gnutls_global_set_log_function(tls_log_func); + if (debug) + gnutls_global_set_log_level(6); + + gnutls_certificate_allocate_credentials(&x509_cred); + gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, + GNUTLS_X509_FMT_PEM); + + gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, + &server_ca3_key, + GNUTLS_X509_FMT_PEM); + + if (debug) + success("Launched, generating DH parameters...\n"); + + gnutls_init(&session, GNUTLS_SERVER); + + /* avoid calling all the priority functions, since the defaults + * are adequate. + */ + gnutls_priority_set_direct(session, "NORMAL", NULL); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); + + gnutls_transport_set_int(session, sd); + loops = 0; + do { + ret = gnutls_handshake(session); + loops++; + if (loops > 64) + fail("Too many loops in the handshake!\n"); + } while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_WARNING_ALERT_RECEIVED); + + if (ret != GNUTLS_E_UNEXPECTED_PACKET) { + fail("server: Handshake didn't fail with expected code (failed with %d)\n", ret); + } + + close(sd); + gnutls_deinit(session); + + gnutls_certificate_free_credentials(x509_cred); + + gnutls_global_deinit(); + + if (debug) + success("server: finished\n"); +} + + +void doit(void) +{ + int sockets[2]; + int err; + + err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); + if (err == -1) { + perror("socketpair"); + fail("socketpair failed\n"); + return; + } + + child = fork(); + if (child < 0) { + perror("fork"); + fail("fork"); + return; + } + + if (child) { + int status; + + server(sockets[0]); + wait(&status); + } else + client(sockets[1]); +} + +#endif /* _WIN32 */ |