2 * Copyright (C) 2016-2019 Tim Kosse
3 * Copyright (C) 2019 Nikos Mavrogiannopoulos
5 * Author: Tim Kosse, Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * GnuTLS is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 3 of the License, or
12 * (at your option) any later version.
14 * GnuTLS is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this program. If not, see <https://www.gnu.org/licenses/>
42 #include <sys/types.h>
43 #include <netinet/in.h>
44 #include <sys/socket.h>
46 #include <arpa/inet.h>
49 #include <gnutls/gnutls.h>
50 #include <gnutls/dtls.h>
54 #include "cert-common.h"
56 /* This program tests that handshakes succeed if the server includes the
57 * requested certificate status with the server certificate having
58 * TLS feature 5 (status request).
63 static time_t mytime(time_t * t)
65 time_t then = 1559941819;
72 static void server_log_func(int level, const char *str)
74 fprintf(stderr, "server|<%d>| %s", level, str);
77 static void client_log_func(int level, const char *str)
79 fprintf(stderr, "client|<%d>| %s", level, str);
82 const unsigned char ocsp_resp[] = {
83 0x30, 0x82, 0x02, 0x3f, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x02, 0x38, 0x30,
84 0x82, 0x02, 0x34, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
85 0x01, 0x01, 0x04, 0x82, 0x02, 0x25, 0x30, 0x82, 0x02, 0x21, 0x30, 0x81,
86 0x8a, 0xa1, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55,
87 0x04, 0x03, 0x13, 0x04, 0x43, 0x41, 0x2d, 0x33, 0x18, 0x0f, 0x32, 0x30,
88 0x31, 0x39, 0x30, 0x36, 0x30, 0x37, 0x32, 0x31, 0x31, 0x35, 0x32, 0x32,
89 0x5a, 0x30, 0x64, 0x30, 0x62, 0x30, 0x4d, 0x30, 0x09, 0x06, 0x05, 0x2b,
90 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0xb7, 0xca, 0x0f, 0xab,
91 0xdc, 0x6f, 0xb8, 0xb0, 0x96, 0x7a, 0x15, 0xac, 0x98, 0x0a, 0x0f, 0x19,
92 0xfe, 0xa4, 0x12, 0xde, 0x04, 0x14, 0x1e, 0x85, 0xed, 0x7f, 0x9e, 0x71,
93 0xfa, 0x08, 0x9d, 0x37, 0x48, 0x43, 0xa0, 0x12, 0xef, 0xe5, 0xaa, 0xe1,
94 0xe3, 0x8a, 0x02, 0x14, 0x60, 0x14, 0x5f, 0x01, 0xcb, 0xe0, 0x05, 0x45,
95 0x38, 0x8c, 0x26, 0xfc, 0x5b, 0xcf, 0x6c, 0x41, 0xc3, 0xcb, 0xaa, 0xcc,
96 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x39, 0x30, 0x36, 0x30, 0x37,
97 0x32, 0x31, 0x31, 0x35, 0x32, 0x32, 0x5a, 0x30, 0x0d, 0x06, 0x09, 0x2a,
98 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,
99 0x01, 0x81, 0x00, 0x44, 0xc4, 0x59, 0xab, 0x7b, 0x6e, 0x35, 0x4e, 0x18,
100 0x83, 0x02, 0xbd, 0x94, 0x26, 0x50, 0x01, 0xe2, 0xb1, 0x50, 0xdd, 0xca,
101 0x61, 0x30, 0xb0, 0x93, 0x18, 0x56, 0xfe, 0x8d, 0x4f, 0xcc, 0x33, 0xc8,
102 0x01, 0x1e, 0xac, 0xa1, 0x8e, 0xb0, 0x76, 0x0f, 0x41, 0x38, 0x7d, 0x06,
103 0x9b, 0xfe, 0x09, 0x50, 0x6d, 0x86, 0x07, 0x2a, 0x48, 0x6e, 0x6a, 0xb1,
104 0x13, 0xf4, 0xc0, 0x0f, 0x7c, 0x7d, 0x89, 0xb9, 0x69, 0xe7, 0x04, 0x2e,
105 0xa4, 0x3d, 0xf6, 0xbd, 0x51, 0xbf, 0x52, 0x7d, 0xfb, 0x38, 0x7a, 0xbf,
106 0xe6, 0xd7, 0x32, 0x57, 0x36, 0x87, 0xec, 0x91, 0x07, 0x0c, 0xac, 0xb9,
107 0x79, 0xe7, 0x79, 0x4e, 0x49, 0x72, 0x1d, 0x16, 0xb6, 0x94, 0xbf, 0xc4,
108 0x9f, 0x4e, 0x8b, 0x51, 0x54, 0x73, 0xb4, 0x4d, 0xe7, 0x01, 0x91, 0xcd,
109 0x7c, 0xb2, 0x91, 0x4a, 0xc3, 0x4d, 0xc4, 0x4f, 0xa3, 0x42, 0xf1, 0x89,
110 0xc7, 0xab, 0x36, 0x11, 0xf0, 0x7c, 0xc6, 0x8f, 0x03, 0x53, 0x85, 0x0c,
111 0xfb, 0x30, 0x6b, 0xdd, 0x9e, 0x72, 0xd7, 0x77, 0xe5, 0xea, 0xd3, 0x39,
112 0xb5, 0xb8, 0xdd, 0x61, 0xb9, 0xe7, 0x24, 0x9c, 0x85, 0x42, 0xd7, 0x2b,
113 0x2e, 0x99, 0xdf, 0xe5, 0x8b, 0x79, 0xe3, 0x6e, 0x56, 0x6e, 0xd6, 0xed,
114 0x5f, 0x9b, 0x5f, 0x40, 0x89, 0x17, 0x1a, 0x76, 0xbb, 0x3c, 0x9f, 0x33,
115 0x71, 0xc1, 0xc5, 0x2f, 0xf4, 0x69, 0xe5, 0x5f, 0x83, 0xd4, 0x3a, 0x3d,
116 0xd7, 0x44, 0xaa, 0xc0, 0x9d, 0xd9, 0xd9, 0x99, 0xec, 0x80, 0x4c, 0x46,
117 0x5f, 0x91, 0xf4, 0x09, 0x06, 0xef, 0x37, 0x7c, 0x32, 0x64, 0x67, 0x85,
118 0x99, 0xde, 0x9c, 0xce, 0x3e, 0x58, 0x1a, 0x6c, 0x59, 0xc9, 0x60, 0x26,
119 0x02, 0xeb, 0x95, 0x52, 0x3e, 0x4f, 0xdd, 0x5f, 0x6c, 0x2d, 0x37, 0xc2,
120 0x3b, 0x72, 0x70, 0xab, 0x1d, 0xf5, 0x2a, 0xbe, 0x8c, 0x70, 0x8e, 0xf0,
121 0x25, 0x18, 0x68, 0xe5, 0xe9, 0xd1, 0xcf, 0xd8, 0x1f, 0x6c, 0x8e, 0xcf,
122 0x18, 0x46, 0x51, 0xb4, 0x69, 0xbb, 0x6f, 0x4f, 0x1e, 0x2a, 0x61, 0x3f,
123 0x64, 0x8b, 0x07, 0x7f, 0xc5, 0x80, 0xb9, 0x06, 0xd6, 0xb1, 0x8d, 0x47,
124 0x4a, 0x61, 0xd2, 0x3e, 0xb4, 0xa6, 0xab, 0x12, 0xc6, 0x5c, 0x90, 0x9e,
125 0x2e, 0x16, 0x2e, 0xd4, 0xfc, 0x4b, 0x08, 0x41, 0x94, 0xaf, 0x1d, 0x6e,
126 0x6c, 0x11, 0x5c, 0x88, 0x3d, 0xd9, 0x30, 0x9d, 0x69, 0xf7, 0x45, 0xbe,
127 0x5d, 0x1e, 0xd5, 0xe2, 0xf6, 0x38, 0xfa, 0xe1, 0xbf, 0xae, 0x9f, 0x2f,
128 0xc6, 0x7b, 0x7b, 0x98, 0x89, 0x05, 0x8d, 0x4c, 0x01, 0xad, 0x61, 0x14,
129 0x00, 0xca, 0xa3, 0xed, 0xd0, 0x2c, 0xfe, 0x1b, 0x7e, 0x1d, 0x70, 0x5b,
130 0x2e, 0xc2, 0x54, 0xcf, 0x4c, 0x0a, 0xb3, 0x21, 0x58, 0xed, 0x51, 0xe7,
133 static int received = 0;
135 static int handshake_callback(gnutls_session_t session, unsigned int htype,
136 unsigned post, unsigned int incoming,
137 const gnutls_datum_t * msg)
145 static void client(int fd, const char *prio)
149 gnutls_certificate_credentials_t x509_cred;
150 gnutls_session_t session;
152 gnutls_global_set_time_function(mytime);
156 gnutls_global_set_log_function(client_log_func);
157 gnutls_global_set_log_level(7);
160 assert(gnutls_certificate_allocate_credentials(&x509_cred) >= 0);
161 assert(gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM)>=0);
163 assert(gnutls_init(&session, GNUTLS_CLIENT) >= 0);
165 assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
167 gnutls_handshake_set_hook_function(session,
168 GNUTLS_HANDSHAKE_CERTIFICATE_STATUS,
172 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
174 gnutls_transport_set_int(session, fd);
177 ret = gnutls_handshake(session);
179 while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
181 fail("client: Handshake failed: %s\n", gnutls_strerror(ret));
184 success("client: Handshake was completed\n");
188 success("client: TLS version is: %s\n",
189 gnutls_protocol_get_name
190 (gnutls_protocol_get_version(session)));
193 && gnutls_protocol_get_version(session) == GNUTLS_TLS1_2) {
194 fail("client: did not receive certificate status when we should.\n");
197 ret = gnutls_certificate_verify_peers2(session, &status);
198 if (ret != GNUTLS_E_SUCCESS) {
199 fail("client: Peer certificate validation failed: %s\n",
200 gnutls_strerror(ret));
204 assert(gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &tmp, 0)>=0);
205 fail("client: Validation status is not success (%x: %s)\n",
206 status, (char*)tmp.data);
210 gnutls_bye(session, GNUTLS_SHUT_WR);
214 gnutls_deinit(session);
216 gnutls_certificate_free_credentials(x509_cred);
218 gnutls_global_deinit();
221 static int status_func(gnutls_session_t session, void *ptr, gnutls_datum_t *resp)
223 resp->data = gnutls_malloc(sizeof(ocsp_resp));
224 if (resp->data == NULL)
227 memcpy(resp->data, ocsp_resp, sizeof(ocsp_resp));
228 resp->size = sizeof(ocsp_resp);
232 static void server(int fd, const char *prio)
235 char buffer[MAX_BUF + 1];
236 gnutls_session_t session;
237 gnutls_certificate_credentials_t x509_cred;
239 /* this must be called once in the program
242 memset(buffer, 0, sizeof(buffer));
245 gnutls_global_set_log_function(server_log_func);
246 gnutls_global_set_log_level(4711);
249 assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0);
250 assert(gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_tlsfeat_cert,
251 &server_ca3_key, GNUTLS_X509_FMT_PEM)>=0);
253 assert(gnutls_init(&session, GNUTLS_SERVER) >= 0);
255 assert(gnutls_priority_set_direct(session, prio, NULL) >= 0);
257 gnutls_certificate_set_ocsp_status_request_function(x509_cred, status_func, NULL);
259 gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
261 gnutls_transport_set_int(session, fd);
264 ret = gnutls_handshake(session);
265 } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
268 fail("server: Handshake failed: %s\n", gnutls_strerror(ret));
272 success("server: Handshake was completed\n");
276 success("server: TLS version is: %s\n",
277 gnutls_protocol_get_name
278 (gnutls_protocol_get_version(session)));
280 /* do not wait for the peer to close the connection.
282 gnutls_bye(session, GNUTLS_SHUT_WR);
285 gnutls_deinit(session);
287 gnutls_certificate_free_credentials(x509_cred);
289 gnutls_global_deinit();
292 success("server: finished\n");
295 static void ch_handler(int sig)
300 static void start(const char *name, const char *prio)
306 signal(SIGCHLD, ch_handler);
307 signal(SIGPIPE, SIG_IGN);
310 success("running: %s\n", name);
312 ret = socketpair(AF_UNIX, SOCK_STREAM, 0, fd);
314 perror("socketpair");
329 waitpid(child, &status, 0);
330 check_wait_status(status);
342 start("tls1.2", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2");
343 start("tls1.3", "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3");
344 start("default", "NORMAL");