1 /*
2 * Copyright (C) 2015-2017 Red Hat, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * GnuTLS is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * GnuTLS is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>
20 */
21
22 #ifdef HAVE_CONFIG_H
23 #include <config.h>
24 #endif
25
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <errno.h>
30 #include <assert.h>
31 #include <gnutls/gnutls.h>
32 #include <gnutls/abstract.h>
33 #include <gnutls/x509.h>
34 #include "utils.h"
35 #include "eagain-common.h"
36 #include "cert-common.h"
37
38 /* This tests gnutls_certificate_set_x509_key() */
39
40 const char *side;
41
tls_log_func(int level,const char * str)42 static void tls_log_func(int level, const char *str)
43 {
44 fprintf(stderr, "%s|<%d>| %s", side, level, str);
45 }
46
47 static gnutls_privkey_t server_pkey = NULL;
48 static gnutls_pcert_st *server_pcert = NULL;
49 static gnutls_ocsp_data_st ocspdata[2];
50
51 #define OCSP_SIZE 16
52 #define OCSP_DATA "\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0"
53
54 static int
server_cert_callback(gnutls_session_t session,const struct gnutls_cert_retr_st * info,gnutls_pcert_st ** pcert,unsigned int * pcert_length,gnutls_ocsp_data_st ** ocsp,unsigned int * ocsp_length,gnutls_privkey_t * pkey,unsigned int * flags)55 server_cert_callback(gnutls_session_t session,
56 const struct gnutls_cert_retr_st *info,
57 gnutls_pcert_st **pcert,
58 unsigned int *pcert_length,
59 gnutls_ocsp_data_st **ocsp,
60 unsigned int *ocsp_length,
61 gnutls_privkey_t *pkey,
62 unsigned int *flags)
63 {
64 int ret;
65 gnutls_pcert_st *p;
66 gnutls_privkey_t lkey;
67 gnutls_x509_crt_t *certs;
68 unsigned certs_size, i;
69
70 if (server_pkey == NULL) {
71 p = gnutls_malloc(2 * sizeof(*p));
72 if (p == NULL)
73 return -1;
74
75 ocspdata[0].response.data = (void*)OCSP_DATA;
76 ocspdata[0].response.size = OCSP_SIZE;
77 ocspdata[0].exptime = 0;
78
79 ocspdata[1].response.data = (void*)OCSP_DATA;
80 ocspdata[1].response.size = OCSP_SIZE;
81 ocspdata[1].exptime = 0;
82
83 ret = gnutls_x509_crt_list_import2(&certs, &certs_size,
84 &server_ca3_localhost_cert_chain,
85 GNUTLS_X509_FMT_PEM, 0);
86 if (ret < 0)
87 return -1;
88 ret = gnutls_pcert_import_x509_list(p, certs, &certs_size, 0);
89 if (ret < 0)
90 return -1;
91 for (i = 0; i < certs_size; i++)
92 gnutls_x509_crt_deinit(certs[i]);
93 gnutls_free(certs);
94
95 ret = gnutls_privkey_init(&lkey);
96 if (ret < 0)
97 return -1;
98
99 ret =
100 gnutls_privkey_import_x509_raw(lkey, &server_ca3_key,
101 GNUTLS_X509_FMT_PEM, NULL,
102 0);
103 if (ret < 0)
104 return -1;
105
106 server_pcert = p;
107 server_pkey = lkey;
108
109 *pcert = p;
110 *pcert_length = 2;
111 *pkey = lkey;
112 *ocsp = ocspdata;
113 *ocsp_length = 2;
114 } else {
115 *pcert = server_pcert;
116 *pcert_length = 2;
117 *pkey = server_pkey;
118 *ocsp = ocspdata;
119 *ocsp_length = 2;
120 }
121
122 return 0;
123 }
124
start(const char * prio)125 static void start(const char *prio)
126 {
127 int ret;
128 /* Server stuff. */
129 gnutls_certificate_credentials_t scred;
130 gnutls_session_t server;
131 gnutls_datum_t response;
132 int sret = GNUTLS_E_AGAIN;
133 /* Client stuff. */
134 gnutls_certificate_credentials_t ccred;
135 gnutls_session_t client;
136 int cret = GNUTLS_E_AGAIN;
137
138 success("testing %s\n", prio);
139
140 /* General init. */
141 global_init();
142 gnutls_global_set_log_function(tls_log_func);
143 if (debug)
144 gnutls_global_set_log_level(4);
145
146 /* Init server */
147 gnutls_certificate_allocate_credentials(&scred);
148
149 gnutls_certificate_set_retrieve_function3(scred,
150 server_cert_callback);
151
152 gnutls_init(&server, GNUTLS_SERVER);
153 gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
154 assert(gnutls_priority_set_direct(server,
155 prio, NULL) >= 0);
156 gnutls_transport_set_push_function(server, server_push);
157 gnutls_transport_set_pull_function(server, server_pull);
158 gnutls_transport_set_ptr(server, server);
159 gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
160
161 /* Init client */
162 ret = gnutls_certificate_allocate_credentials(&ccred);
163 if (ret < 0)
164 exit(1);
165
166 gnutls_certificate_set_verify_flags(ccred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
167
168 ret =
169 gnutls_certificate_set_x509_trust_mem(ccred, &ca3_cert,
170 GNUTLS_X509_FMT_PEM);
171 if (ret < 0)
172 exit(1);
173
174 ret = gnutls_init(&client, GNUTLS_CLIENT);
175 if (ret < 0)
176 exit(1);
177
178 ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
179 ccred);
180 if (ret < 0)
181 exit(1);
182
183 assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
184 gnutls_transport_set_push_function(client, client_push);
185 gnutls_transport_set_pull_function(client, client_pull);
186 gnutls_transport_set_ptr(client, client);
187
188 HANDSHAKE(client, server);
189
190 assert((gnutls_session_get_flags(server) & GNUTLS_SFLAGS_CLI_REQUESTED_OCSP) != 0);
191 assert((gnutls_session_get_flags(client) & GNUTLS_SFLAGS_CLI_REQUESTED_OCSP) != 0);
192
193 ret = gnutls_ocsp_status_request_get(client, &response);
194 if (ret != 0)
195 fail("no response was found: %s\n", gnutls_strerror(ret));
196
197 assert(response.size == OCSP_SIZE);
198 assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0);
199
200 if (gnutls_protocol_get_version(client) == GNUTLS_TLS1_3) {
201 ret = gnutls_ocsp_status_request_get2(client, 1, &response);
202 if (ret != 0)
203 fail("no response was found for 1: %s\n", gnutls_strerror(ret));
204
205 assert(response.size == OCSP_SIZE);
206 assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0);
207 }
208
209 ret = gnutls_ocsp_status_request_get2(client, 2, &response);
210 if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
211 fail("found response in index 2: %s\n", gnutls_strerror(ret));
212 }
213
214 gnutls_bye(client, GNUTLS_SHUT_WR);
215 gnutls_bye(server, GNUTLS_SHUT_WR);
216
217 gnutls_deinit(client);
218 gnutls_deinit(server);
219
220 gnutls_certificate_free_credentials(scred);
221 gnutls_certificate_free_credentials(ccred);
222
223 gnutls_global_deinit();
224
225 reset_buffers();
226 }
227
doit(void)228 void doit(void)
229 {
230 start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3");
231 start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2");
232 start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1");
233 start("NORMAL");
234 }
235