authorjsing <>2017-04-10 17:12:30 +0000
committerjsing <>2017-04-10 17:12:30 +0000
commit10059e358052a8f06e7696b89c13e7479b335c0c (patch)
tree415a3c0fd7b960b7fec809df119b57d5c8b06482
parent1fb5784eee903ab9b8621581b6128aaccf2d3120 (diff)
Rework and significantly extend TLS name verification tests to match
changes in libtls.
-rw-r--r--src/regress/lib/libtls/verify/verifytest.c476
1 files changed, 377 insertions, 99 deletions
diff --git a/src/regress/lib/libtls/verify/verifytest.c b/src/regress/lib/libtls/verify/verifytest.c
index cd208fc707..ccf6930392 100644
--- a/src/regress/lib/libtls/verify/verifytest.c
+++ b/src/regress/lib/libtls/verify/verifytest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: verifytest.c,v 1.5 2015/09/11 13:10:42 beck Exp $ */ 1/* $OpenBSD: verifytest.c,v 1.6 2017/04/10 17:12:30 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -22,212 +22,490 @@
22#include <openssl/x509v3.h> 22#include <openssl/x509v3.h>
23#include <tls.h> 23#include <tls.h>
24 24
25extern int tls_check_name(struct tls *ctx, X509 *cert, const char *name); 25extern int tls_check_name(struct tls *ctx, X509 *cert, const char *name,
26 int *match);
27
28struct alt_name {
29 const char name[128];
30 int name_len;
31 int name_type;
32};
26 33
27struct verify_test { 34struct verify_test {
28 const char common_name[128]; 35 const char common_name[128];
29 const char alt_name[128]; 36 int common_name_len;
30 int alt_name_len; 37 struct alt_name alt_name1;
31 int alt_name_type; 38 struct alt_name alt_name2;
39 struct alt_name alt_name3;
32 const char name[128]; 40 const char name[128];
33 int want; 41 int want_return;
42 int want_match;
34}; 43};
35 44
36struct verify_test verify_tests[] = { 45struct verify_test verify_tests[] = {
37 { 46 {
47 /* CN without SANs - matching. */
38 .common_name = "www.openbsd.org", 48 .common_name = "www.openbsd.org",
49 .common_name_len = -1,
39 .name = "www.openbsd.org", 50 .name = "www.openbsd.org",
40 .want = 0, 51 .want_return = 0,
52 .want_match = 1,
41 }, 53 },
42 { 54 {
55 /* Zero length name - non-matching. */
43 .common_name = "www.openbsd.org", 56 .common_name = "www.openbsd.org",
57 .common_name_len = -1,
44 .name = "", 58 .name = "",
45 .want = -1, 59 .want_return = 0,
60 .want_match = 0,
46 }, 61 },
47 { 62 {
63 /* CN wildcard without SANs - matching. */
48 .common_name = "*.openbsd.org", 64 .common_name = "*.openbsd.org",
65 .common_name_len = -1,
49 .name = "www.openbsd.org", 66 .name = "www.openbsd.org",
50 .want = 0, 67 .want_return = 0,
68 .want_match = 1,
51 }, 69 },
52 { 70 {
71 /* CN without SANs - non-matching. */
53 .common_name = "www.openbsdfoundation.org", 72 .common_name = "www.openbsdfoundation.org",
73 .common_name_len = -1,
54 .name = "www.openbsd.org", 74 .name = "www.openbsd.org",
55 .want = -1, 75 .want_return = 0,
76 .want_match = 0,
56 }, 77 },
57 { 78 {
79 /* CN wildcard without SANs - invalid CN wildcard. */
58 .common_name = "w*.openbsd.org", 80 .common_name = "w*.openbsd.org",
81 .common_name_len = -1,
59 .name = "www.openbsd.org", 82 .name = "www.openbsd.org",
60 .want = -1, 83 .want_return = 0,
84 .want_match = 0,
61 }, 85 },
62 { 86 {
87 /* CN wildcard without SANs - invalid CN wildcard. */
63 .common_name = "www.*.org", 88 .common_name = "www.*.org",
89 .common_name_len = -1,
64 .name = "www.openbsd.org", 90 .name = "www.openbsd.org",
65 .want = -1, 91 .want_return = 0,
92 .want_match = 0,
66 }, 93 },
67 { 94 {
95 /* CN wildcard without SANs - invalid CN wildcard. */
68 .common_name = "www.openbsd.*", 96 .common_name = "www.openbsd.*",
97 .common_name_len = -1,
69 .name = "www.openbsd.org", 98 .name = "www.openbsd.org",
70 .want = -1, 99 .want_return = 0,
100 .want_match = 0,
71 }, 101 },
72 { 102 {
103 /* CN wildcard without SANs - invalid CN wildcard. */
73 .common_name = "*", 104 .common_name = "*",
105 .common_name_len = -1,
74 .name = "www.openbsd.org", 106 .name = "www.openbsd.org",
75 .want = -1, 107 .want_return = 0,
108 .want_match = 0,
76 }, 109 },
77 { 110 {
111 /* CN wildcard without SANs - invalid CN wildcard. */
78 .common_name = "*.org", 112 .common_name = "*.org",
113 .common_name_len = -1,
79 .name = "www.openbsd.org", 114 .name = "www.openbsd.org",
80 .want = -1, 115 .want_return = 0,
116 .want_match = 0,
81 }, 117 },
82 { 118 {
119 /* CN wildcard without SANs - invalid CN wildcard. */
83 .common_name = "*.org", 120 .common_name = "*.org",
121 .common_name_len = -1,
84 .name = "openbsd.org", 122 .name = "openbsd.org",
85 .want = -1, 123 .want_return = 0,
124 .want_match = 0,
86 }, 125 },
87 { 126 {
127 /* CN IPv4 without SANs - matching. */
88 .common_name = "1.2.3.4", 128 .common_name = "1.2.3.4",
129 .common_name_len = -1,
89 .name = "1.2.3.4", 130 .name = "1.2.3.4",
90 .want = 0, 131 .want_return = 0,
132 .want_match = 1,
91 }, 133 },
92 { 134 {
135 /* CN IPv4 wildcard without SANS - invalid IP wildcard. */
93 .common_name = "*.2.3.4", 136 .common_name = "*.2.3.4",
137 .common_name_len = -1,
94 .name = "1.2.3.4", 138 .name = "1.2.3.4",
95 .want = -1, 139 .want_return = 0,
140 .want_match = 0,
96 }, 141 },
97 { 142 {
143 /* CN IPv6 without SANs - matching. */
98 .common_name = "cafe::beef", 144 .common_name = "cafe::beef",
145 .common_name_len = -1,
99 .name = "cafe::beef", 146 .name = "cafe::beef",
100 .want = 0, 147 .want_return = 0,
148 .want_match = 1,
149 },
150 {
151 /* CN without SANs - error due to embedded NUL in CN. */
152 .common_name = {
153 0x77, 0x77, 0x77, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
154 0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, 0x00,
155 0x6e, 0x61, 0x73, 0x74, 0x79, 0x2e, 0x6f, 0x72,
156 0x67,
157 },
158 .common_name_len = 25,
159 .name = "www.openbsd.org",
160 .want_return = -1,
161 .want_match = 0,
162 },
163 {
164 /* CN wildcard without SANs - invalid non-matching name. */
165 .common_name = "*.openbsd.org",
166 .common_name_len = -1,
167 .name = ".openbsd.org",
168 .want_return = 0,
169 .want_match = 0,
101 }, 170 },
102 { 171 {
172 /* CN with SANs - matching on first SAN. */
103 .common_name = "www.openbsd.org", 173 .common_name = "www.openbsd.org",
104 .alt_name = "ftp.openbsd.org", 174 .common_name_len = -1,
105 .alt_name_len = -1, 175 .alt_name1 = {
106 .alt_name_type = GEN_DNS, 176 .name = "www.openbsd.org",
177 .name_len = -1,
178 .name_type = GEN_DNS,
179 },
180 .alt_name2 = {
181 .name = "ftp.openbsd.org",
182 .name_len = -1,
183 .name_type = GEN_DNS,
184 },
185 .name = "www.openbsd.org",
186 .want_return = 0,
187 .want_match = 1,
188 },
189 {
190 /* SANs only - matching on first SAN. */
191 .common_name_len = 0,
192 .alt_name1 = {
193 .name = "www.openbsd.org",
194 .name_len = -1,
195 .name_type = GEN_DNS,
196 },
197 .alt_name2 = {
198 .name = "ftp.openbsd.org",
199 .name_len = -1,
200 .name_type = GEN_DNS,
201 },
202 .name = "www.openbsd.org",
203 .want_return = 0,
204 .want_match = 1,
205 },
206 {
207 /* SANs only - matching on second SAN. */
208 .common_name_len = 0,
209 .alt_name1 = {
210 .name = "www.openbsd.org",
211 .name_len = -1,
212 .name_type = GEN_DNS,
213 },
214 .alt_name2 = {
215 .name = "ftp.openbsd.org",
216 .name_len = -1,
217 .name_type = GEN_DNS,
218 },
107 .name = "ftp.openbsd.org", 219 .name = "ftp.openbsd.org",
108 .want = 0, 220 .want_return = 0,
221 .want_match = 1,
109 }, 222 },
110 { 223 {
224 /* SANs only - non-matching. */
225 .common_name_len = 0,
226 .alt_name1 = {
227 .name = "www.openbsd.org",
228 .name_len = -1,
229 .name_type = GEN_DNS,
230 },
231 .alt_name2 = {
232 .name = "ftp.openbsd.org",
233 .name_len = -1,
234 .name_type = GEN_DNS,
235 },
236 .name = "mail.openbsd.org",
237 .want_return = 0,
238 .want_match = 0,
239 },
240 {
241 /* CN with SANs - matching on second SAN. */
242 .common_name = "www.openbsd.org",
243 .common_name_len = -1,
244 .alt_name1 = {
245 .name = "www.openbsd.org",
246 .name_len = -1,
247 .name_type = GEN_DNS,
248 },
249 .alt_name2 = {
250 .name = "ftp.openbsd.org",
251 .name_len = -1,
252 .name_type = GEN_DNS,
253 },
254 .name = "ftp.openbsd.org",
255 .want_return = 0,
256 .want_match = 1,
257 },
258 {
259 /* CN with SANs - matching on wildcard second SAN. */
111 .common_name = "www.openbsdfoundation.org", 260 .common_name = "www.openbsdfoundation.org",
112 .alt_name = "*.openbsd.org", 261 .common_name_len = -1,
113 .alt_name_len = -1, 262 .alt_name1 = {
114 .alt_name_type = GEN_DNS, 263 .name = "www.openbsdfoundation.org",
264 .name_len = -1,
265 .name_type = GEN_DNS,
266 },
267 .alt_name2 = {
268 .name = "*.openbsd.org",
269 .name_len = -1,
270 .name_type = GEN_DNS,
271 },
115 .name = "www.openbsd.org", 272 .name = "www.openbsd.org",
116 .want = 0, 273 .want_return = 0,
274 .want_match = 1,
117 }, 275 },
118 { 276 {
277 /* CN with SANs - non-matching invalid wildcard. */
119 .common_name = "www.openbsdfoundation.org", 278 .common_name = "www.openbsdfoundation.org",
120 .alt_name = "*.org", 279 .common_name_len = -1,
121 .alt_name_len = -1, 280 .alt_name1 = {
122 .alt_name_type = GEN_DNS, 281 .name = "www.openbsdfoundation.org",
282 .name_len = -1,
283 .name_type = GEN_DNS,
284 },
285 .alt_name2 = {
286 .name = "*.org",
287 .name_len = -1,
288 .name_type = GEN_DNS,
289 },
123 .name = "www.openbsd.org", 290 .name = "www.openbsd.org",
124 .want = -1, 291 .want_return = 0,
292 .want_match = 0,
125 }, 293 },
126 { 294 {
295 /* CN with SANs - non-matching IPv4 due to GEN_DNS SAN. */
127 .common_name = "www.openbsd.org", 296 .common_name = "www.openbsd.org",
128 .alt_name = "1.2.3.4", 297 .common_name_len = -1,
129 .alt_name_len = -1, 298 .alt_name1 = {
130 .alt_name_type = GEN_DNS, 299 .name = "www.openbsd.org",
300 .name_len = -1,
301 .name_type = GEN_DNS,
302 },
303 .alt_name2 = {
304 .name = "1.2.3.4",
305 .name_len = -1,
306 .name_type = GEN_DNS,
307 },
131 .name = "1.2.3.4", 308 .name = "1.2.3.4",
132 .want = -1, 309 .want_return = 0,
310 .want_match = 0,
133 }, 311 },
134 { 312 {
313 /* CN with SANs - matching IPv4 on GEN_IPADD SAN. */
135 .common_name = "www.openbsd.org", 314 .common_name = "www.openbsd.org",
136 .alt_name = {0x1, 0x2, 0x3, 0x4}, 315 .common_name_len = -1,
137 .alt_name_len = 4, 316 .alt_name1 = {
138 .alt_name_type = GEN_IPADD, 317 .name = "www.openbsd.org",
318 .name_len = -1,
319 .name_type = GEN_DNS,
320 },
321 .alt_name2 = {
322 .name = {0x01, 0x02, 0x03, 0x04},
323 .name_len = 4,
324 .name_type = GEN_IPADD,
325 },
139 .name = "1.2.3.4", 326 .name = "1.2.3.4",
140 .want = 0, 327 .want_return = 0,
328 .want_match = 1,
141 }, 329 },
142 { 330 {
331 /* CN with SANs - matching IPv6 on GEN_IPADD SAN. */
143 .common_name = "www.openbsd.org", 332 .common_name = "www.openbsd.org",
144 .alt_name = { 333 .common_name_len = -1,
145 0xca, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 334 .alt_name1 = {
146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbe, 0xef, 335 .name = "www.openbsd.org",
336 .name_len = -1,
337 .name_type = GEN_DNS,
338 },
339 .alt_name2 = {
340 .name = {
341 0xca, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
342 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbe, 0xef,
343 },
344 .name_len = 16,
345 .name_type = GEN_IPADD,
147 }, 346 },
148 .alt_name_len = 16,
149 .alt_name_type = GEN_IPADD,
150 .name = "cafe::beef", 347 .name = "cafe::beef",
151 .want = 0, 348 .want_return = 0,
349 .want_match = 1,
152 }, 350 },
153 { 351 {
154 .common_name = "*.openbsd.org", 352 /* CN with SANs - error due to embedded NUL in GEN_DNS. */
155 .name = ".openbsd.org", 353 .common_name = "www.openbsd.org.nasty.org",
156 .want = -1, 354 .common_name_len = -1,
355 .alt_name1 = {
356 .name = "www.openbsd.org.nasty.org",
357 .name_len = -1,
358 .name_type = GEN_DNS,
359 },
360 .alt_name2 = {
361 .name = {
362 0x77, 0x77, 0x77, 0x2e, 0x6f, 0x70, 0x65, 0x6e,
363 0x62, 0x73, 0x64, 0x2e, 0x6f, 0x72, 0x67, 0x00,
364 0x6e, 0x61, 0x73, 0x74, 0x79, 0x2e, 0x6f, 0x72,
365 0x67,
366 },
367 .name_len = 25,
368 .name_type = GEN_DNS,
369 },
370 .name = "www.openbsd.org",
371 .want_return = -1,
372 .want_match = 0,
373 },
374 {
375 /* CN with SAN - non-matching due to non-matching SAN. */
376 .common_name = "www.openbsd.org",
377 .common_name_len = -1,
378 .alt_name1 = {
379 .name = "ftp.openbsd.org",
380 .name_len = -1,
381 .name_type = GEN_DNS,
382 },
383 .name = "www.openbsd.org",
384 .want_return = 0,
385 .want_match = 0,
386 },
387 {
388 /* CN with SAN - error due to illegal dNSName. */
389 .common_name = "www.openbsd.org",
390 .common_name_len = -1,
391 .alt_name1 = {
392 .name = " ",
393 .name_len = -1,
394 .name_type = GEN_DNS,
395 },
396 .name = "www.openbsd.org",
397 .want_return = -1,
398 .want_match = 0,
157 }, 399 },
158}; 400};
159 401
160#define N_VERIFY_TESTS \ 402#define N_VERIFY_TESTS \
161 (sizeof(verify_tests) / sizeof(*verify_tests)) 403 (sizeof(verify_tests) / sizeof(*verify_tests))
162 404
163static int 405static void
164do_verify_test(int test_no, struct verify_test *vt) 406alt_names_add(STACK_OF(GENERAL_NAME) *alt_name_stack, struct alt_name *alt)
165{ 407{
166 STACK_OF(GENERAL_NAME) *alt_name_stack = NULL;
167 ASN1_STRING *alt_name_str; 408 ASN1_STRING *alt_name_str;
168 GENERAL_NAME *alt_name; 409 GENERAL_NAME *alt_name;
410
411 if ((alt_name = GENERAL_NAME_new()) == NULL)
412 errx(1, "failed to malloc GENERAL_NAME");
413 alt_name->type = alt->name_type;
414
415 if ((alt_name_str = ASN1_STRING_new()) == NULL)
416 errx(1, "failed to malloc alt name");
417 if (ASN1_STRING_set(alt_name_str, alt->name, alt->name_len) == 0)
418 errx(1, "failed to set alt name");
419
420 switch (alt_name->type) {
421 case GEN_DNS:
422 alt_name->d.dNSName = alt_name_str;
423 break;
424 case GEN_IPADD:
425 alt_name->d.iPAddress = alt_name_str;
426 break;
427 default:
428 errx(1, "unknown alt name type (%i)", alt_name->type);
429 }
430
431 if (sk_GENERAL_NAME_push(alt_name_stack, alt_name) == 0)
432 errx(1, "failed to push alt_name");
433}
434
435static void
436cert_add_alt_names(X509 *cert, struct verify_test *vt)
437{
438 STACK_OF(GENERAL_NAME) *alt_name_stack = NULL;
439
440 if (vt->alt_name1.name_type == 0)
441 return;
442
443 if ((alt_name_stack = sk_GENERAL_NAME_new_null()) == NULL)
444 errx(1, "failed to malloc sk_GENERAL_NAME");
445
446 if (vt->alt_name1.name_type != 0)
447 alt_names_add(alt_name_stack, &vt->alt_name1);
448 if (vt->alt_name2.name_type != 0)
449 alt_names_add(alt_name_stack, &vt->alt_name2);
450 if (vt->alt_name3.name_type != 0)
451 alt_names_add(alt_name_stack, &vt->alt_name3);
452
453 if (X509_add1_ext_i2d(cert, NID_subject_alt_name,
454 alt_name_stack, 0, 0) == 0)
455 errx(1, "failed to set subject alt name");
456
457 sk_GENERAL_NAME_pop_free(alt_name_stack, GENERAL_NAME_free);
458}
459
460static int
461do_verify_test(int test_no, struct verify_test *vt)
462{
463 struct tls *tls;
169 X509_NAME *name; 464 X509_NAME *name;
170 X509 *cert; 465 X509 *cert;
171 struct tls *tls; 466 int failed = 1;
467 int match;
172 468
173 /* Build certificate structure. */ 469 /* Build certificate structure. */
174 if ((cert = X509_new()) == NULL) 470 if ((cert = X509_new()) == NULL)
175 errx(1, "failed to malloc X509"); 471 errx(1, "failed to malloc X509");
176 if ((name = X509_NAME_new()) == NULL) 472
177 errx(1, "failed to malloc X509_NAME"); 473 if (vt->common_name_len != 0) {
178 if (X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, 474 if ((name = X509_NAME_new()) == NULL)
179 (unsigned char *)vt->common_name, -1, -1, 0) == 0) 475 errx(1, "failed to malloc X509_NAME");
180 errx(1, "failed to add name entry"); 476 if (X509_NAME_add_entry_by_NID(name, NID_commonName,
181 if (X509_set_subject_name(cert, name) == 0) 477 MBSTRING_ASC, (unsigned char *)vt->common_name,
182 errx(1, "failed to set subject name"); 478 vt->common_name_len, -1, 0) == 0)
183 X509_NAME_free(name); 479 errx(1, "failed to add name entry");
480 if (X509_set_subject_name(cert, name) == 0)
481 errx(1, "failed to set subject name");
482 X509_NAME_free(name);
483 }
484
184 if ((tls = tls_client()) == NULL) 485 if ((tls = tls_client()) == NULL)
185 errx(1, "failed to malloc tls_client"); 486 errx(1, "failed to malloc tls_client");
186 487
187 if (vt->alt_name_type != 0) { 488 cert_add_alt_names(cert, vt);
188 if ((alt_name_stack = sk_GENERAL_NAME_new_null()) == NULL) 489
189 errx(1, "failed to malloc sk_GENERAL_NAME"); 490 match = 1;
190 if ((alt_name = GENERAL_NAME_new()) == NULL)
191 errx(1, "failed to malloc GENERAL_NAME");
192 alt_name->type = vt->alt_name_type;
193
194 if ((alt_name_str = ASN1_STRING_new()) == NULL)
195 errx(1, "failed to malloc alt name");
196 if (ASN1_STRING_set(alt_name_str, vt->alt_name,
197 vt->alt_name_len) == 0)
198 errx(1, "failed to set alt name");
199
200 switch (alt_name->type) {
201 case GEN_DNS:
202 alt_name->d.dNSName = alt_name_str;
203 break;
204
205 case GEN_IPADD:
206 alt_name->d.iPAddress = alt_name_str;
207 break;
208
209 default:
210 errx(1, "unknown alt name type (%i)", alt_name->type);
211 }
212
213 if (sk_GENERAL_NAME_push(alt_name_stack, alt_name) == 0)
214 errx(1, "failed to push alt_name");
215 if (X509_add1_ext_i2d(cert, NID_subject_alt_name,
216 alt_name_stack, 0, 0) == 0)
217 errx(1, "failed to set subject alt name");
218 sk_GENERAL_NAME_pop_free(alt_name_stack, GENERAL_NAME_free);
219 }
220 491
221 if (tls_check_name(tls, cert, vt->name) != vt->want) { 492 if (tls_check_name(tls, cert, vt->name, &match) != vt->want_return) {
222 fprintf(stderr, "FAIL: test %i failed with common name " 493 fprintf(stderr, "FAIL: test %i failed for check name '%s': "
223 "'%s', alt name '%s' and name '%s'\n", test_no, 494 "%s\n", test_no, vt->name, tls_error(tls));
224 vt->common_name, vt->alt_name, vt->name); 495 goto done;
225 return (1); 496 }
497 if (match != vt->want_match) {
498 fprintf(stderr, "FAIL: test %i failed to match name '%s'\n",
499 test_no, vt->name);
500 goto done;
226 } 501 }
227 502
503 failed = 0;
504
505 done:
228 X509_free(cert); 506 X509_free(cert);
229 507
230 return (0); 508 return (failed);
231} 509}
232 510
233int 511int
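Review bot: The `match = 1;` seeded before the tls_check_name() call in do_verify_test only proves that the non-matching and error cases clear *match; a tls_check_name() that never wrote *match on the matching path would still pass every want_match = 1 case, because the preset value is already the expected one. Seeding the flag with the opposite of the expected result, `match = vt->want_match ? 0 : 1;`, forces the callee to write its output on every path — assuming tls_check_name() is meant to always set *match, which the added `int *match` parameter suggests but the hunk does not state, so a one-line comment on the seed would help either way. do_verify_test also never releases the tls_client() context it creates, on the success or the failure path: `tls_free(tls);` belongs at the `done:` label alongside X509_free(cert). Separately, the second `if (vt->alt_name1.name_type != 0)` in cert_add_alt_names is redundant after the early return immediately above it.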