danetest.c revision 1.1.1.2
1 1.1 christos /* 2 1.1 christos * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3 1.1 christos * 4 1.1 christos * Licensed under the Apache License 2.0 (the "License"). You may not use 5 1.1 christos * this file except in compliance with the License. You can obtain a copy 6 1.1 christos * in the file LICENSE in the source distribution or at 7 1.1 christos * https://www.openssl.org/source/license.html 8 1.1 christos */ 9 1.1 christos 10 1.1 christos #include <stdio.h> 11 1.1 christos #include <string.h> 12 1.1 christos #include <ctype.h> 13 1.1 christos #include <limits.h> 14 1.1 christos #include <errno.h> 15 1.1 christos 16 1.1 christos #include <openssl/crypto.h> 17 1.1 christos #include <openssl/evp.h> 18 1.1 christos #include <openssl/x509.h> 19 1.1 christos #include <openssl/ssl.h> 20 1.1 christos #include <openssl/err.h> 21 1.1 christos #include <openssl/conf.h> 22 1.1 christos #ifndef OPENSSL_NO_ENGINE 23 1.1.1.2 christos #include <openssl/engine.h> 24 1.1 christos #endif 25 1.1 christos #include "testutil.h" 26 1.1 christos 27 1.1 christos #include "internal/nelem.h" 28 1.1 christos 29 1.1 christos #define _UC(c) ((unsigned char)(c)) 30 1.1 christos 31 1.1 christos static const char *basedomain; 32 1.1 christos static const char *CAfile; 33 1.1 christos static const char *tlsafile; 34 1.1 christos 35 1.1 christos /* 36 1.1 christos * Forward declaration, of function that uses internal interfaces, from headers 37 1.1 christos * included at the end of this module. 38 1.1 christos */ 39 1.1 christos static void store_ctx_dane_init(X509_STORE_CTX *, SSL *); 40 1.1 christos 41 1.1 christos static int saved_errno; 42 1.1 christos 43 1.1 christos static void save_errno(void) 44 1.1 christos { 45 1.1 christos saved_errno = errno; 46 1.1 christos } 47 1.1 christos 48 1.1 christos static int restore_errno(void) 49 1.1 christos { 50 1.1 christos int ret = errno; 51 1.1 christos errno = saved_errno; 52 1.1 christos return ret; 53 1.1 christos } 54 1.1 christos 55 1.1 christos static int verify_chain(SSL *ssl, STACK_OF(X509) *chain) 56 1.1 christos { 57 1.1 christos X509_STORE_CTX *store_ctx = NULL; 58 1.1 christos SSL_CTX *ssl_ctx = NULL; 59 1.1 christos X509_STORE *store = NULL; 60 1.1 christos int ret = 0; 61 1.1 christos int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); 62 1.1 christos 63 1.1 christos if (!TEST_ptr(store_ctx = X509_STORE_CTX_new()) 64 1.1.1.2 christos || !TEST_ptr(ssl_ctx = SSL_get_SSL_CTX(ssl)) 65 1.1.1.2 christos || !TEST_ptr(store = SSL_CTX_get_cert_store(ssl_ctx)) 66 1.1.1.2 christos || !TEST_true(X509_STORE_CTX_init(store_ctx, store, NULL, chain)) 67 1.1.1.2 christos || !TEST_true(X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, 68 1.1.1.2 christos ssl))) 69 1.1 christos goto end; 70 1.1 christos 71 1.1.1.2 christos X509_STORE_CTX_set_default(store_ctx, SSL_is_server(ssl) ? "ssl_client" : "ssl_server"); 72 1.1 christos X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx), 73 1.1.1.2 christos SSL_get0_param(ssl)); 74 1.1 christos store_ctx_dane_init(store_ctx, ssl); 75 1.1 christos 76 1.1 christos if (SSL_get_verify_callback(ssl) != NULL) 77 1.1 christos X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); 78 1.1 christos 79 1.1 christos /* Mask "internal failures" (-1) from our return value. */ 80 1.1 christos if (!TEST_int_ge(ret = X509_STORE_CTX_verify(store_ctx), 0)) 81 1.1 christos ret = 0; 82 1.1 christos 83 1.1 christos SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx)); 84 1.1 christos 85 1.1 christos end: 86 1.1 christos X509_STORE_CTX_free(store_ctx); 87 1.1 christos return ret; 88 1.1 christos } 89 1.1 christos 90 1.1 christos static STACK_OF(X509) *load_chain(BIO *fp, int nelem) 91 1.1 christos { 92 1.1 christos int count; 93 1.1 christos char *name = 0; 94 1.1 christos char *header = 0; 95 1.1 christos unsigned char *data = 0; 96 1.1 christos long len; 97 1.1 christos char *errtype = 0; /* if error: cert or pkey? */ 98 1.1 christos STACK_OF(X509) *chain; 99 1.1 christos typedef X509 *(*d2i_X509_t)(X509 **, const unsigned char **, long); 100 1.1 christos 101 1.1 christos if (!TEST_ptr(chain = sk_X509_new_null())) 102 1.1 christos goto err; 103 1.1 christos 104 1.1 christos for (count = 0; 105 1.1.1.2 christos count < nelem && errtype == 0 106 1.1.1.2 christos && PEM_read_bio(fp, &name, &header, &data, &len) == 1; 107 1.1.1.2 christos ++count) { 108 1.1 christos if (strcmp(name, PEM_STRING_X509) == 0 109 1.1.1.2 christos || strcmp(name, PEM_STRING_X509_TRUSTED) == 0 110 1.1.1.2 christos || strcmp(name, PEM_STRING_X509_OLD) == 0) { 111 1.1 christos d2i_X509_t d = strcmp(name, PEM_STRING_X509_TRUSTED) != 0 112 1.1.1.2 christos ? d2i_X509_AUX 113 1.1.1.2 christos : d2i_X509; 114 1.1 christos X509 *cert; 115 1.1 christos const unsigned char *p = data; 116 1.1 christos 117 1.1 christos if (!TEST_ptr(cert = d(0, &p, len)) 118 1.1.1.2 christos || !TEST_long_eq(p - data, len)) { 119 1.1 christos TEST_info("Certificate parsing error"); 120 1.1 christos goto err; 121 1.1 christos } 122 1.1 christos 123 1.1 christos if (!TEST_true(sk_X509_push(chain, cert))) 124 1.1 christos goto err; 125 1.1 christos } else { 126 1.1 christos TEST_info("Unknown chain file object %s", name); 127 1.1 christos goto err; 128 1.1 christos } 129 1.1 christos 130 1.1 christos OPENSSL_free(name); 131 1.1 christos OPENSSL_free(header); 132 1.1 christos OPENSSL_free(data); 133 1.1 christos name = header = NULL; 134 1.1 christos data = NULL; 135 1.1 christos } 136 1.1 christos 137 1.1 christos if (count == nelem) { 138 1.1 christos ERR_clear_error(); 139 1.1 christos return chain; 140 1.1 christos } 141 1.1 christos 142 1.1 christos err: 143 1.1 christos OPENSSL_free(name); 144 1.1 christos OPENSSL_free(header); 145 1.1 christos OPENSSL_free(data); 146 1.1 christos OSSL_STACK_OF_X509_free(chain); 147 1.1 christos return NULL; 148 1.1 christos } 149 1.1 christos 150 1.1 christos static char *read_to_eol(BIO *f) 151 1.1 christos { 152 1.1 christos static char buf[4096]; 153 1.1 christos int n; 154 1.1 christos 155 1.1 christos if (BIO_gets(f, buf, sizeof(buf)) <= 0) 156 1.1 christos return NULL; 157 1.1 christos 158 1.1 christos n = strlen(buf); 159 1.1 christos if (buf[n - 1] != '\n') { 160 1.1 christos if (n + 1 == sizeof(buf)) 161 1.1 christos TEST_error("input too long"); 162 1.1 christos else 163 1.1 christos TEST_error("EOF before newline"); 164 1.1 christos return NULL; 165 1.1 christos } 166 1.1 christos 167 1.1 christos /* Trim trailing whitespace */ 168 1.1 christos while (n > 0 && isspace(_UC(buf[n - 1]))) 169 1.1 christos buf[--n] = '\0'; 170 1.1 christos 171 1.1 christos return buf; 172 1.1 christos } 173 1.1 christos 174 1.1 christos /* 175 1.1 christos * Hex decoder that tolerates optional whitespace 176 1.1 christos */ 177 1.1 christos static ossl_ssize_t hexdecode(const char *in, void *result) 178 1.1 christos { 179 1.1 christos unsigned char **out = (unsigned char **)result; 180 1.1 christos unsigned char *ret; 181 1.1 christos unsigned char *cp; 182 1.1 christos uint8_t byte; 183 1.1 christos int nibble = 0; 184 1.1 christos 185 1.1 christos if (!TEST_ptr(ret = OPENSSL_malloc(strlen(in) / 2))) 186 1.1 christos return -1; 187 1.1 christos cp = ret; 188 1.1 christos 189 1.1 christos for (byte = 0; *in; ++in) { 190 1.1 christos int x; 191 1.1 christos 192 1.1 christos if (isspace(_UC(*in))) 193 1.1 christos continue; 194 1.1 christos x = OPENSSL_hexchar2int(*in); 195 1.1 christos if (x < 0) { 196 1.1 christos OPENSSL_free(ret); 197 1.1 christos return 0; 198 1.1 christos } 199 1.1 christos byte |= (char)x; 200 1.1 christos if ((nibble ^= 1) == 0) { 201 1.1 christos *cp++ = byte; 202 1.1 christos byte = 0; 203 1.1 christos } else { 204 1.1 christos byte <<= 4; 205 1.1 christos } 206 1.1 christos } 207 1.1 christos if (nibble != 0) { 208 1.1 christos OPENSSL_free(ret); 209 1.1 christos return 0; 210 1.1 christos } 211 1.1 christos 212 1.1 christos return cp - (*out = ret); 213 1.1 christos } 214 1.1 christos 215 1.1 christos static ossl_ssize_t checked_uint8(const char *in, void *out) 216 1.1 christos { 217 1.1 christos uint8_t *result = (uint8_t *)out; 218 1.1 christos const char *cp = in; 219 1.1 christos char *endp; 220 1.1 christos long v; 221 1.1 christos int e; 222 1.1 christos 223 1.1 christos save_errno(); 224 1.1 christos v = strtol(cp, &endp, 10); 225 1.1 christos e = restore_errno(); 226 1.1 christos 227 1.1.1.2 christos if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) || endp == cp || !isspace(_UC(*endp)) || v != (*(uint8_t *)result = (uint8_t)v)) { 228 1.1 christos return -1; 229 1.1 christos } 230 1.1 christos for (cp = endp; isspace(_UC(*cp)); ++cp) 231 1.1 christos continue; 232 1.1 christos return cp - in; 233 1.1 christos } 234 1.1 christos 235 1.1 christos struct tlsa_field { 236 1.1 christos void *var; 237 1.1 christos const char *name; 238 1.1 christos ossl_ssize_t (*parser)(const char *, void *); 239 1.1 christos }; 240 1.1 christos 241 1.1 christos static int tlsa_import_rr(SSL *ssl, const char *rrdata) 242 1.1 christos { 243 1.1 christos static uint8_t usage; 244 1.1 christos static uint8_t selector; 245 1.1 christos static uint8_t mtype; 246 1.1 christos static unsigned char *data = NULL; 247 1.1 christos static struct tlsa_field tlsa_fields[] = { 248 1.1 christos { &usage, "usage", checked_uint8 }, 249 1.1 christos { &selector, "selector", checked_uint8 }, 250 1.1 christos { &mtype, "mtype", checked_uint8 }, 251 1.1 christos { &data, "data", hexdecode }, 252 1.1.1.2 christos { 253 1.1.1.2 christos NULL, 254 1.1.1.2 christos } 255 1.1 christos }; 256 1.1 christos int ret; 257 1.1 christos struct tlsa_field *f; 258 1.1 christos const char *cp = rrdata; 259 1.1 christos ossl_ssize_t len = 0; 260 1.1 christos 261 1.1 christos for (f = tlsa_fields; f->var; ++f) { 262 1.1 christos if ((len = f->parser(cp += len, f->var)) <= 0) { 263 1.1 christos TEST_info("bad TLSA %s field in: %s", f->name, rrdata); 264 1.1 christos return 0; 265 1.1 christos } 266 1.1 christos } 267 1.1 christos 268 1.1 christos ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len); 269 1.1 christos OPENSSL_free(data); 270 1.1 christos if (ret == 0) { 271 1.1 christos TEST_info("unusable TLSA rrdata: %s", rrdata); 272 1.1 christos return 0; 273 1.1 christos } 274 1.1 christos if (ret < 0) { 275 1.1 christos TEST_info("error loading TLSA rrdata: %s", rrdata); 276 1.1 christos return 0; 277 1.1 christos } 278 1.1 christos 279 1.1 christos return ret; 280 1.1 christos } 281 1.1 christos 282 1.1 christos static int allws(const char *cp) 283 1.1 christos { 284 1.1 christos while (*cp) 285 1.1 christos if (!isspace(_UC(*cp++))) 286 1.1 christos return 0; 287 1.1 christos return 1; 288 1.1 christos } 289 1.1 christos 290 1.1 christos static int test_tlsafile(SSL_CTX *ctx, const char *base_name, 291 1.1.1.2 christos BIO *f, const char *path) 292 1.1 christos { 293 1.1 christos char *line; 294 1.1 christos int testno = 0; 295 1.1 christos int ret = 1; 296 1.1 christos SSL *ssl; 297 1.1 christos 298 1.1 christos while (ret > 0 && (line = read_to_eol(f)) != NULL) { 299 1.1 christos STACK_OF(X509) *chain; 300 1.1 christos int ntlsa; 301 1.1 christos int ncert; 302 1.1 christos int noncheck; 303 1.1 christos int want; 304 1.1 christos int want_depth; 305 1.1 christos int off; 306 1.1 christos int i; 307 1.1 christos int ok; 308 1.1 christos int err; 309 1.1 christos int mdpth; 310 1.1 christos 311 1.1 christos if (*line == '\0' || *line == '#') 312 1.1 christos continue; 313 1.1 christos 314 1.1 christos ++testno; 315 1.1 christos if (sscanf(line, "%d %d %d %d %d%n", 316 1.1.1.2 christos &ntlsa, &ncert, &noncheck, &want, &want_depth, &off) 317 1.1.1.2 christos != 5 318 1.1 christos || !allws(line + off)) { 319 1.1 christos TEST_error("Malformed line for test %d", testno); 320 1.1 christos return 0; 321 1.1 christos } 322 1.1 christos 323 1.1 christos if (!TEST_ptr(ssl = SSL_new(ctx))) 324 1.1 christos return 0; 325 1.1 christos SSL_set_connect_state(ssl); 326 1.1 christos if (SSL_dane_enable(ssl, base_name) <= 0) { 327 1.1 christos SSL_free(ssl); 328 1.1 christos return 0; 329 1.1 christos } 330 1.1 christos if (noncheck) 331 1.1 christos SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); 332 1.1 christos 333 1.1 christos for (i = 0; i < ntlsa; ++i) { 334 1.1 christos if ((line = read_to_eol(f)) == NULL || !tlsa_import_rr(ssl, line)) { 335 1.1 christos SSL_free(ssl); 336 1.1 christos return 0; 337 1.1 christos } 338 1.1 christos } 339 1.1 christos 340 1.1 christos /* Don't report old news */ 341 1.1 christos ERR_clear_error(); 342 1.1 christos if (!TEST_ptr(chain = load_chain(f, ncert))) { 343 1.1 christos SSL_free(ssl); 344 1.1 christos return 0; 345 1.1 christos } 346 1.1 christos 347 1.1 christos ok = verify_chain(ssl, chain); 348 1.1 christos OSSL_STACK_OF_X509_free(chain); 349 1.1 christos err = SSL_get_verify_result(ssl); 350 1.1 christos /* 351 1.1 christos * Peek under the hood, normally TLSA match data is hidden when 352 1.1 christos * verification fails, we can obtain any suppressed data by setting the 353 1.1 christos * verification result to X509_V_OK before looking. 354 1.1 christos */ 355 1.1 christos SSL_set_verify_result(ssl, X509_V_OK); 356 1.1 christos mdpth = SSL_get0_dane_authority(ssl, NULL, NULL); 357 1.1 christos /* Not needed any more, but lead by example and put the error back. */ 358 1.1 christos SSL_set_verify_result(ssl, err); 359 1.1 christos SSL_free(ssl); 360 1.1 christos 361 1.1 christos if (!TEST_int_eq(err, want)) { 362 1.1 christos if (want == X509_V_OK) 363 1.1 christos TEST_info("Verification failure in test %d: %d=%s", 364 1.1.1.2 christos testno, err, X509_verify_cert_error_string(err)); 365 1.1 christos else 366 1.1 christos TEST_info("Unexpected error in test %d", testno); 367 1.1 christos ret = 0; 368 1.1 christos continue; 369 1.1 christos } 370 1.1 christos if (!TEST_false(want == 0 && ok == 0)) { 371 1.1 christos TEST_info("Verification failure in test %d: ok=0", testno); 372 1.1 christos ret = 0; 373 1.1 christos continue; 374 1.1 christos } 375 1.1 christos if (!TEST_int_eq(mdpth, want_depth)) { 376 1.1 christos TEST_info("In test test %d", testno); 377 1.1 christos ret = 0; 378 1.1 christos } 379 1.1 christos } 380 1.1 christos ERR_clear_error(); 381 1.1 christos 382 1.1 christos return ret; 383 1.1 christos } 384 1.1 christos 385 1.1 christos static int run_tlsatest(void) 386 1.1 christos { 387 1.1 christos SSL_CTX *ctx = NULL; 388 1.1 christos BIO *f = NULL; 389 1.1 christos int ret = 0; 390 1.1 christos 391 1.1 christos if (!TEST_ptr(f = BIO_new_file(tlsafile, "r")) 392 1.1.1.2 christos || !TEST_ptr(ctx = SSL_CTX_new(TLS_client_method())) 393 1.1.1.2 christos || !TEST_int_gt(SSL_CTX_dane_enable(ctx), 0) 394 1.1.1.2 christos || !TEST_true(SSL_CTX_load_verify_file(ctx, CAfile)) 395 1.1.1.2 christos || !TEST_int_gt(SSL_CTX_dane_mtype_set(ctx, EVP_sha512(), 2, 1), 0) 396 1.1.1.2 christos || !TEST_int_gt(SSL_CTX_dane_mtype_set(ctx, EVP_sha256(), 1, 2), 0) 397 1.1.1.2 christos || !TEST_int_gt(test_tlsafile(ctx, basedomain, f, tlsafile), 0)) 398 1.1 christos goto end; 399 1.1 christos ret = 1; 400 1.1 christos 401 1.1 christos end: 402 1.1 christos BIO_free(f); 403 1.1 christos SSL_CTX_free(ctx); 404 1.1 christos 405 1.1 christos return ret; 406 1.1 christos } 407 1.1 christos 408 1.1 christos OPT_TEST_DECLARE_USAGE("basedomain CAfile tlsafile\n") 409 1.1 christos 410 1.1 christos int setup_tests(void) 411 1.1 christos { 412 1.1 christos if (!test_skip_common_options()) { 413 1.1 christos TEST_error("Error parsing test options\n"); 414 1.1 christos return 0; 415 1.1 christos } 416 1.1 christos 417 1.1 christos if (!TEST_ptr(basedomain = test_get_argument(0)) 418 1.1.1.2 christos || !TEST_ptr(CAfile = test_get_argument(1)) 419 1.1.1.2 christos || !TEST_ptr(tlsafile = test_get_argument(2))) 420 1.1 christos return 0; 421 1.1 christos 422 1.1 christos ADD_TEST(run_tlsatest); 423 1.1 christos return 1; 424 1.1 christos } 425 1.1 christos 426 1.1 christos #include "internal/dane.h" 427 1.1 christos 428 1.1 christos static void store_ctx_dane_init(X509_STORE_CTX *store_ctx, SSL *ssl) 429 1.1 christos { 430 1.1 christos X509_STORE_CTX_set0_dane(store_ctx, SSL_get0_dane(ssl)); 431 1.1 christos } 432
Indexes created Sun Mar 01 05:31:48 UTC 2026