1 /*
2 * Copyright (C) 2015 Red Hat, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * GnuTLS is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * GnuTLS is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with GnuTLS; if not, write to the Free Software Foundation,
20 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <errno.h>
31 #include <assert.h>
32 #include <gnutls/gnutls.h>
33 #include <gnutls/abstract.h>
34 #include <gnutls/x509.h>
35 #include "utils.h"
36 #include "eagain-common.h"
37 #include "cert-common.h"
38
39 /* This tests gnutls_certificate_set_x509_key() */
40
41 const char *side;
42
tls_log_func(int level,const char * str)43 static void tls_log_func(int level, const char *str)
44 {
45 fprintf(stderr, "%s|<%d>| %s", side, level, str);
46 }
47
48 static int
cert_callback(gnutls_session_t session,const gnutls_datum_t * req_ca_rdn,int nreqs,const gnutls_pk_algorithm_t * pk_algos,int pk_algos_length,gnutls_retr2_st * st)49 cert_callback(gnutls_session_t session,
50 const gnutls_datum_t * req_ca_rdn, int nreqs,
51 const gnutls_pk_algorithm_t * pk_algos,
52 int pk_algos_length,
53 gnutls_retr2_st *st)
54 {
55 int ret;
56 gnutls_x509_crt_t *crts;
57 unsigned int crts_size;
58 gnutls_x509_privkey_t pkey;
59
60 if (gnutls_certificate_client_get_request_status(session) == 0) {
61 fail("gnutls_certificate_client_get_request_status failed\n");
62 return -1;
63 }
64
65 st->cert_type = GNUTLS_CRT_X509;
66
67 ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &cli_ca3_cert_chain, GNUTLS_X509_FMT_PEM,
68 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
69 if (ret < 0) {
70 fail("error: %s\n", gnutls_strerror(ret));
71 exit(1);
72 }
73
74 ret = gnutls_x509_privkey_init(&pkey);
75 if (ret < 0) {
76 fail("error: %s\n", gnutls_strerror(ret));
77 exit(1);
78 }
79
80 ret = gnutls_x509_privkey_import(pkey, &cli_ca3_key, GNUTLS_X509_FMT_PEM);
81 if (ret < 0) {
82 fail("error: %s\n", gnutls_strerror(ret));
83 exit(1);
84 }
85
86 st->cert.x509 = crts;
87 st->ncerts = crts_size;
88
89 st->key.x509 = pkey;
90 st->deinit_all = 1;
91
92 return 0;
93 }
94
95 static int
server_cert_callback(gnutls_session_t session,const gnutls_datum_t * req_ca_rdn,int nreqs,const gnutls_pk_algorithm_t * pk_algos,int pk_algos_length,gnutls_retr2_st * st)96 server_cert_callback(gnutls_session_t session,
97 const gnutls_datum_t * req_ca_rdn, int nreqs,
98 const gnutls_pk_algorithm_t * pk_algos,
99 int pk_algos_length,
100 gnutls_retr2_st *st)
101 {
102 int ret;
103 gnutls_x509_crt_t *crts;
104 unsigned int crts_size;
105 gnutls_x509_privkey_t pkey;
106
107 st->cert_type = GNUTLS_CRT_X509;
108
109 ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &server_ca3_cert_chain, GNUTLS_X509_FMT_PEM,
110 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
111 if (ret < 0) {
112 fail("error: %s\n", gnutls_strerror(ret));
113 exit(1);
114 }
115
116 ret = gnutls_x509_privkey_init(&pkey);
117 if (ret < 0) {
118 fail("error: %s\n", gnutls_strerror(ret));
119 exit(1);
120 }
121
122 ret = gnutls_x509_privkey_import(pkey, &server_ca3_key, GNUTLS_X509_FMT_PEM);
123 if (ret < 0) {
124 fail("error: %s\n", gnutls_strerror(ret));
125 exit(1);
126 }
127
128 st->cert.x509 = crts;
129 st->ncerts = crts_size;
130
131 st->key.x509 = pkey;
132 st->deinit_all = 1;
133
134 return 0;
135 }
136
start(const char * prio)137 static void start(const char *prio)
138 {
139 int ret;
140 /* Server stuff. */
141 gnutls_certificate_credentials_t serverx509cred;
142 gnutls_session_t server;
143 int sret = GNUTLS_E_AGAIN;
144 /* Client stuff. */
145 gnutls_certificate_credentials_t clientx509cred;
146 gnutls_session_t client;
147 int cret = GNUTLS_E_AGAIN;
148
149 success("testing %s\n", prio);
150
151 /* General init. */
152 global_init();
153 gnutls_global_set_log_function(tls_log_func);
154 if (debug)
155 gnutls_global_set_log_level(2);
156
157 /* Init server */
158 gnutls_certificate_allocate_credentials(&serverx509cred);
159
160 gnutls_certificate_set_retrieve_function(serverx509cred,
161 server_cert_callback);
162
163 gnutls_init(&server, GNUTLS_SERVER);
164 gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, serverx509cred);
165 assert(gnutls_priority_set_direct(server, prio, NULL) >= 0);
166 gnutls_transport_set_push_function(server, server_push);
167 gnutls_transport_set_pull_function(server, server_pull);
168 gnutls_transport_set_ptr(server, server);
169 gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
170
171 /* Init client */
172 /* Init client */
173 ret = gnutls_certificate_allocate_credentials(&clientx509cred);
174 if (ret < 0)
175 exit(1);
176
177 ret =
178 gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca3_cert,
179 GNUTLS_X509_FMT_PEM);
180 if (ret < 0)
181 exit(1);
182
183 gnutls_certificate_set_retrieve_function(clientx509cred,
184 cert_callback);
185
186 ret = gnutls_init(&client, GNUTLS_CLIENT);
187 if (ret < 0)
188 exit(1);
189
190 ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
191 clientx509cred);
192 if (ret < 0)
193 exit(1);
194
195 assert(gnutls_priority_set_direct(client, prio, NULL) >= 0);
196 gnutls_transport_set_push_function(client, client_push);
197 gnutls_transport_set_pull_function(client, client_pull);
198 gnutls_transport_set_ptr(client, client);
199
200 HANDSHAKE(client, server);
201
202 if (gnutls_certificate_get_ours(client) == NULL) {
203 fail("client certificate was not sent!\n");
204 exit(1);
205 }
206
207 /* check gnutls_certificate_get_ours() - server side */
208 {
209 const gnutls_datum_t *mcert;
210 gnutls_datum_t scert;
211 gnutls_x509_crt_t crt;
212
213 mcert = gnutls_certificate_get_ours(server);
214 if (mcert == NULL) {
215 fail("gnutls_certificate_get_ours(): failed\n");
216 exit(1);
217 }
218
219 gnutls_x509_crt_init(&crt);
220 ret =
221 gnutls_x509_crt_import(crt, &server_ca3_localhost_cert_chain,
222 GNUTLS_X509_FMT_PEM);
223 if (ret < 0) {
224 fail("gnutls_x509_crt_import: %s\n",
225 gnutls_strerror(ret));
226 exit(1);
227 }
228
229 ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &scert);
230 if (ret < 0) {
231 fail("gnutls_x509_crt_export2: %s\n",
232 gnutls_strerror(ret));
233 exit(1);
234 }
235 gnutls_x509_crt_deinit(crt);
236
237 if (scert.size != mcert->size
238 || memcmp(scert.data, mcert->data, mcert->size) != 0) {
239 fail("gnutls_certificate_get_ours output doesn't match cert\n");
240 exit(1);
241 }
242 gnutls_free(scert.data);
243 }
244
245 /* check gnutls_certificate_get_ours() - client side */
246 {
247 const gnutls_datum_t *mcert;
248 gnutls_datum_t ccert;
249 gnutls_x509_crt_t crt;
250
251 mcert = gnutls_certificate_get_ours(client);
252 if (mcert == NULL) {
253 fail("gnutls_certificate_get_ours(): failed\n");
254 exit(1);
255 }
256
257 gnutls_x509_crt_init(&crt);
258 ret =
259 gnutls_x509_crt_import(crt, &cli_ca3_cert_chain,
260 GNUTLS_X509_FMT_PEM);
261 if (ret < 0) {
262 fail("gnutls_x509_crt_import: %s\n",
263 gnutls_strerror(ret));
264 exit(1);
265 }
266
267 ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &ccert);
268 if (ret < 0) {
269 fail("gnutls_x509_crt_export2: %s\n",
270 gnutls_strerror(ret));
271 exit(1);
272 }
273 gnutls_x509_crt_deinit(crt);
274
275 if (ccert.size != mcert->size
276 || memcmp(ccert.data, mcert->data, mcert->size) != 0) {
277 fail("gnutls_certificate_get_ours output doesn't match cert\n");
278 exit(1);
279 }
280 gnutls_free(ccert.data);
281 }
282
283 /* check the number of certificates received */
284 {
285 unsigned cert_list_size = 0;
286 gnutls_typed_vdata_st data[2];
287 unsigned status;
288
289 memset(data, 0, sizeof(data));
290
291 /* check with wrong hostname */
292 data[0].type = GNUTLS_DT_DNS_HOSTNAME;
293 data[0].data = (void *)"localhost1";
294
295 data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
296 data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER;
297
298 gnutls_certificate_get_peers(client, &cert_list_size);
299 if (cert_list_size != 2) {
300 fprintf(stderr, "received a certificate list of %d!\n",
301 cert_list_size);
302 exit(1);
303 }
304
305 ret = gnutls_certificate_verify_peers(client, data, 2, &status);
306 if (ret < 0) {
307 fprintf(stderr, "could not verify certificate: %s\n",
308 gnutls_strerror(ret));
309 exit(1);
310 }
311
312 if (status == 0) {
313 fprintf(stderr, "should not have accepted!\n");
314 exit(1);
315 }
316
317 /* check with wrong purpose */
318 data[0].type = GNUTLS_DT_DNS_HOSTNAME;
319 data[0].data = (void *)"localhost";
320
321 data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
322 data[1].data = (void *)GNUTLS_KP_TLS_WWW_CLIENT;
323
324 gnutls_certificate_get_peers(client, &cert_list_size);
325 if (cert_list_size != 2) {
326 fprintf(stderr, "received a certificate list of %d!\n",
327 cert_list_size);
328 exit(1);
329 }
330
331 ret = gnutls_certificate_verify_peers(client, data, 2, &status);
332 if (ret < 0) {
333 fprintf(stderr, "could not verify certificate: %s\n",
334 gnutls_strerror(ret));
335 exit(1);
336 }
337
338 if (status == 0) {
339 fprintf(stderr, "should not have accepted!\n");
340 exit(1);
341 }
342
343 /* check with correct purpose */
344 data[0].type = GNUTLS_DT_DNS_HOSTNAME;
345 data[0].data = (void *)"localhost";
346
347 data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
348 data[1].data = (void *)GNUTLS_KP_TLS_WWW_SERVER;
349
350 ret = gnutls_certificate_verify_peers(client, data, 2, &status);
351 if (ret < 0) {
352 fprintf(stderr, "could not verify certificate: %s\n",
353 gnutls_strerror(ret));
354 exit(1);
355 }
356
357 if (status != 0) {
358 fprintf(stderr, "could not verify certificate: %.4x\n",
359 status);
360 exit(1);
361 }
362 }
363
364 if (gnutls_certificate_client_get_request_status(client) == 0) {
365 fail("gnutls_certificate_client_get_request_status - 2 failed\n");
366 exit(1);
367 }
368
369 gnutls_bye(client, GNUTLS_SHUT_RDWR);
370 gnutls_bye(server, GNUTLS_SHUT_RDWR);
371
372 gnutls_deinit(client);
373 gnutls_deinit(server);
374
375 gnutls_certificate_free_credentials(serverx509cred);
376 gnutls_certificate_free_credentials(clientx509cred);
377
378 gnutls_global_deinit();
379
380 reset_buffers();
381 }
382
doit(void)383 void doit(void)
384 {
385 start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3");
386 start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2");
387 start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1");
388 start("NORMAL");
389 }
390