*
* CA: ca3_cert, ca3_key
* TLS client: cli_ca3_cert, cli_ca3_key
+ * IPv4 server (SAN: IPAddr: 127.0.0.1): server_ca3_ipaddr_cert, server_ca3_key
* IPv6 server: server_ca3_localhost6_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_cert, server_ca3_key
* IPv4 server: server_ca3_localhost_ecc_cert, server_ca3_ecc_key
sizeof(server_localhost6_ca3_cert_chain_pem)-1
};
+/* shares server_ca3 key */
+static char server_ipaddr_ca3_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEAzCCAmugAwIBAgIMWNI1ISkCpEsFglgfMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+ "BgNVBAMTBENBLTMwHhcNMDQwMjI5MTUyMTQyWhcNMjQwMjI5MTUyMTQxWjANMQsw\n"
+ "CQYDVQQGEwJHUjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANk9eJmq\n"
+ "LPfAu7P4Hhmcm4KmEsRfuTXk1ylqYvf715riBfJ94VIdtJqKE9q4FRwMxVsv/B+S\n"
+ "HFiIlEJfvCociQkrgSfloTNIMNrqkj8IjmVJuJd00MZsUuHlvwa6+F/PLLyUOMU0\n"
+ "3LdpuR9TbvS2fMVjmaRjBiCO439GA+qHRvwxxP7FR433Hg+5JdeYwLWve/vLgm4z\n"
+ "ETxnMYOFbZpArkizpBi/RYQtLmFW8HwZ0/ldDBMnDgcfmL9gRLtMQ1XZEHLNFjyE\n"
+ "VD1JsrlgccaizNUkiUi7Gbm/w3YiDVxbq3u3cee5lsNhEMIREyISKAHPy8RlnIWw\n"
+ "wuDlnsmI0pIb9/4RH0LMMlceDEFy1X0QRzYqZFPU/0l4j/FlQ6X2UqWNz63ybRSb\n"
+ "cCzHl25abi1xmbsV5ydomJNcP+0QbripMpa0O6gjv5f0yMd7mW9/aAglPcKgpbbh\n"
+ "Gfo7V9z2gIKdUCLRXoUszhdobnRf00LrrpFUQWReKHxMcDWAL2b00kysPQIDAQAB\n"
+ "o2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0OBBYEFDOd\n"
+ "4SfTi9X86wX8tceBaU9eO9nWMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
+ "8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQCNwaCnuNcrSpKjNI99kwuS2/LRnt40yN0B\n"
+ "LvN4wnkfEh02LXg2ylXCYZZw59m3w7Cefr1BGLXJjbJTNHASjSOvmurJVEX5sqdX\n"
+ "zGQs9HzysDvTVHQh1VUWXyj612DUWZoAYYaUg+CiAZLA/ShT+zN/OC8kWa1RXZPt\n"
+ "BfTM7REBxAOxUEDuL1aa/KkFqXgy3cr795TWqdt0lZ/dk7kHxqZKR7nJ2TcOmYK9\n"
+ "UdJWnmebDgjlRvXS4CgG8JNzyJtukogSjmp7qsxX9QZ1umUw3Lf7StSdXZT1oIDI\n"
+ "evLJCTohtE3/ocRlHfQ9l+B8V+8z7YE+0liFwjwUyrYVUpJ2YuPmHHfauTI2JyVX\n"
+ "Kk9dJopvnkhA6rIvNjkd3N3iWE3ftSkk/PV9Iu7PQ2jtR8JXkPMJfgq0owbxhn5N\n"
+ "oqQW/zQU7pq4Y9+rvH2qPFSxHGmecBhxetXoAPT66hHJCUTAspF/5DgT6TVMu+Gs\n"
+ "hiRt+POJ1lVlGUHsF9Z7IE/d+NCESwU=\n"
+ "-----END CERTIFICATE-----\n";
+
+static char server_ipaddr_ca3_cert_chain_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEAzCCAmugAwIBAgIMWNI1ISkCpEsFglgfMA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+ "BgNVBAMTBENBLTMwHhcNMDQwMjI5MTUyMTQyWhcNMjQwMjI5MTUyMTQxWjANMQsw\n"
+ "CQYDVQQGEwJHUjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANk9eJmq\n"
+ "LPfAu7P4Hhmcm4KmEsRfuTXk1ylqYvf715riBfJ94VIdtJqKE9q4FRwMxVsv/B+S\n"
+ "HFiIlEJfvCociQkrgSfloTNIMNrqkj8IjmVJuJd00MZsUuHlvwa6+F/PLLyUOMU0\n"
+ "3LdpuR9TbvS2fMVjmaRjBiCO439GA+qHRvwxxP7FR433Hg+5JdeYwLWve/vLgm4z\n"
+ "ETxnMYOFbZpArkizpBi/RYQtLmFW8HwZ0/ldDBMnDgcfmL9gRLtMQ1XZEHLNFjyE\n"
+ "VD1JsrlgccaizNUkiUi7Gbm/w3YiDVxbq3u3cee5lsNhEMIREyISKAHPy8RlnIWw\n"
+ "wuDlnsmI0pIb9/4RH0LMMlceDEFy1X0QRzYqZFPU/0l4j/FlQ6X2UqWNz63ybRSb\n"
+ "cCzHl25abi1xmbsV5ydomJNcP+0QbripMpa0O6gjv5f0yMd7mW9/aAglPcKgpbbh\n"
+ "Gfo7V9z2gIKdUCLRXoUszhdobnRf00LrrpFUQWReKHxMcDWAL2b00kysPQIDAQAB\n"
+ "o2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0OBBYEFDOd\n"
+ "4SfTi9X86wX8tceBaU9eO9nWMB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
+ "8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQCNwaCnuNcrSpKjNI99kwuS2/LRnt40yN0B\n"
+ "LvN4wnkfEh02LXg2ylXCYZZw59m3w7Cefr1BGLXJjbJTNHASjSOvmurJVEX5sqdX\n"
+ "zGQs9HzysDvTVHQh1VUWXyj612DUWZoAYYaUg+CiAZLA/ShT+zN/OC8kWa1RXZPt\n"
+ "BfTM7REBxAOxUEDuL1aa/KkFqXgy3cr795TWqdt0lZ/dk7kHxqZKR7nJ2TcOmYK9\n"
+ "UdJWnmebDgjlRvXS4CgG8JNzyJtukogSjmp7qsxX9QZ1umUw3Lf7StSdXZT1oIDI\n"
+ "evLJCTohtE3/ocRlHfQ9l+B8V+8z7YE+0liFwjwUyrYVUpJ2YuPmHHfauTI2JyVX\n"
+ "Kk9dJopvnkhA6rIvNjkd3N3iWE3ftSkk/PV9Iu7PQ2jtR8JXkPMJfgq0owbxhn5N\n"
+ "oqQW/zQU7pq4Y9+rvH2qPFSxHGmecBhxetXoAPT66hHJCUTAspF/5DgT6TVMu+Gs\n"
+ "hiRt+POJ1lVlGUHsF9Z7IE/d+NCESwU=\n"
+ "-----END CERTIFICATE-----\n"
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUAMA8xDTAL\n"
+ "BgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5NTlaMBIx\n"
+ "EDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIB\n"
+ "gQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2WLiope/x\n"
+ "NL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioVtvPQwEpv\n"
+ "uI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR5+wGsJDv\n"
+ "kfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJrP+GtLiG0\n"
+ "AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj0Sk3Rq93\n"
+ "JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1ROsdk4WU\n"
+ "ed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH4vysDO9U\n"
+ "ZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B48xfmyIF\n"
+ "jgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0G\n"
+ "A1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5qIYZY7ak\n"
+ "FBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58oDRy5a0o\n"
+ "PvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68kogjKs31\n"
+ "QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmTsQOdv/bz\n"
+ "R+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT45SGw7c7F\n"
+ "cumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2gaygWNiD\n"
+ "+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiujgUV0TZH\n"
+ "EyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c4FdrCByV\n"
+ "haeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1Y1MQ72Sn\n"
+ "frzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n"
+ "-----END CERTIFICATE-----\n";
+
+
+const gnutls_datum_t server_ca3_ipaddr_cert = { (void*)server_ipaddr_ca3_cert_pem,
+ sizeof(server_ipaddr_ca3_cert_pem)-1
+};
+
+
+const gnutls_datum_t server_ca3_ipaddr_cert_chain = {
+ (void*)server_ipaddr_ca3_cert_chain_pem,
+ sizeof(server_ipaddr_ca3_cert_chain_pem)-1
+};
+
/* shares server_ca3 key - uses IDNA2003 encoding */
static char server_localhost_utf8_ca3_cert_pem[] =
--- /dev/null
+/*
+ * Copyright (C) 2008-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include <assert.h>
+#include "utils.h"
+#include "eagain-common.h"
+#include "cert-common.h"
+
+const char *side;
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+static time_t mytime(time_t * t)
+{
+ time_t then = 1490171562;
+
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+/* A unit test for GNUTLS_DT_IP_ADDRESS option of
+ * gnutls_certificate_verify_peers().
+ */
+
+void doit(void)
+{
+ int exit_code = EXIT_SUCCESS;
+ int ret;
+ /* Server stuff. */
+ gnutls_certificate_credentials_t serverx509cred;
+ gnutls_session_t server;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_certificate_credentials_t clientx509cred;
+ gnutls_session_t client;
+ int cret = GNUTLS_E_AGAIN;
+ gnutls_typed_vdata_st data[2];
+ gnutls_datum_t t;
+ unsigned status;
+
+ /* General init. */
+ global_init();
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ gnutls_global_set_time_function(mytime);
+
+ /* Init server */
+ assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0);
+ ret = gnutls_certificate_set_x509_key_mem(serverx509cred,
+ &server_ca3_ipaddr_cert, &server_ca3_key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("could not import cert: %s\n", gnutls_strerror(ret));
+ }
+
+ assert(gnutls_init(&server, GNUTLS_SERVER)>=0);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+ serverx509cred);
+ assert(gnutls_set_default_priority(server)>=0);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_ptr(server, server);
+
+ /* Init client */
+ ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_init(&client, GNUTLS_CLIENT);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+ clientx509cred);
+ if (ret < 0)
+ exit(1);
+
+ assert(gnutls_set_default_priority(client) >= 0);
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_ptr(client, client);
+
+ HANDSHAKE(client, server);
+
+ /* attempt to verify */
+ {
+
+ /* try hostname - which is invalid */
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_DNS_HOSTNAME;
+ data[0].data = (void*)"localhost1";
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(client, data, 2, &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status == 0) {
+ fail("should not have accepted!\n");
+ exit(1);
+ }
+
+ /* try bogus IP */
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_IP_ADDRESS;
+ data[0].data = (void*)"\x01\x00\x01\x02";
+ data[0].size = 4;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(client, data, 2, &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status == 0) {
+ fail("should not have accepted!\n");
+ exit(1);
+ }
+
+ /* try correct IP */
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_IP_ADDRESS;
+ data[0].data = (void*)"\x7f\x00\x00\x01";
+ data[0].size = 4;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(client, data, 2, &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status != 0) {
+ assert(gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &t, 0)>=0);
+ fail("could not verify: %s/%.4x!\n", t.data, status);
+ }
+
+ /* try the other verification functions */
+ ret = gnutls_certificate_verify_peers3(client, "127.0.0.1", &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status != 0) {
+ assert(gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &t, 0)>=0);
+ fail("could not verify: %s/%.4x!\n", t.data, status);
+ }
+ }
+
+ {
+ /* change the flags */
+ gnutls_certificate_set_verify_flags(clientx509cred, GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES);
+
+ /* now the compatibility option should fail */
+ ret = gnutls_certificate_verify_peers3(client, "127.0.0.1", &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status == 0) {
+ fail("should not have accepted!\n");
+ exit(1);
+ }
+
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_DNS_HOSTNAME;
+ data[0].data = (void*)"127.0.0.1";
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(client, data, 2, &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status == 0) {
+ fail("should not have accepted!\n");
+ exit(1);
+ }
+
+ /* try again the right one */
+ memset(data, 0, sizeof(data));
+
+ data[0].type = GNUTLS_DT_IP_ADDRESS;
+ data[0].data = (void*)"\x7f\x00\x00\x01";
+ data[0].size = 4;
+
+ data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
+ data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;
+
+ ret = gnutls_certificate_verify_peers(client, data, 2, &status);
+ if (ret < 0) {
+ fail("could not verify certificate: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (status != 0) {
+ assert(gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &t, 0)>=0);
+ fail("could not verify: %s/%.4x!\n", t.data, status);
+ }
+ }
+
+ gnutls_bye(client, GNUTLS_SHUT_RDWR);
+ gnutls_bye(server, GNUTLS_SHUT_RDWR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(serverx509cred);
+ gnutls_certificate_free_credentials(clientx509cred);
+
+ gnutls_global_deinit();
+
+ if (debug > 0) {
+ if (exit_code == 0)
+ puts("Self-test successful");
+ else
+ puts("Self-test failed");
+ }
+}
projects / thirdparty / gnutls.git / commitdiff
