Changeset 31:26685c67d387 in freeDiameter
- Timestamp:
- Oct 28, 2009, 6:51:45 PM (15 years ago)
- Branch:
- default
- Phase:
- public
- Location:
- freeDiameter
- Files:
-
- 6 edited
Legend:
- Unmodified
- Added
- Removed
-
freeDiameter/cnxctx.c
r30 r31 404 404 } 405 405 406 /* Set the hostname to check during handshake */ 407 void fd_cnx_sethostname(struct cnxctx * conn, char * hn) 408 { 409 CHECK_PARAMS_DO( conn, return ); 410 conn->cc_tls_para.cn = hn; 411 } 412 406 413 /* Return the TLS state of a connection */ 407 414 int fd_cnx_getTLS(struct cnxctx * conn) … … 769 776 } 770 777 778 /* Verify remote credentials after successful handshake (return 0 if OK, EINVAL otherwise) */ 779 int fd_tls_verify_credentials(gnutls_session_t session, struct cnxctx * conn) 780 { 781 int ret, i; 782 const gnutls_datum_t *cert_list; 783 unsigned int cert_list_size; 784 gnutls_x509_crt_t cert; 785 time_t now; 786 787 /* First, use built-in verification */ 788 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (session, &ret), return EINVAL ); 789 if (ret) { 790 if (TRACE_BOOL(INFO)) { 791 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id); 792 if (ret & GNUTLS_CERT_INVALID) 793 fd_log_debug(" - The certificate is not trusted (unknown CA?)\n"); 794 if (ret & GNUTLS_CERT_REVOKED) 795 fd_log_debug(" - The certificate has been revoked.\n"); 796 if (ret & GNUTLS_CERT_SIGNER_NOT_FOUND) 797 fd_log_debug(" - The certificate hasn't got a known issuer.\n"); 798 if (ret & GNUTLS_CERT_SIGNER_NOT_CA) 799 fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.\n"); 800 if (ret & GNUTLS_CERT_INSECURE_ALGORITHM) 801 fd_log_debug(" - The certificate signature uses a weak algorithm.\n"); 802 } 803 return EINVAL; 804 } 805 806 /* Code from http://www.gnu.org/software/gnutls/manual/gnutls.html#Verifying-peer_0027s-certificate */ 807 if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) 808 return EINVAL; 809 810 cert_list = gnutls_certificate_get_peers (session, &cert_list_size); 811 if (cert_list == NULL) 812 return EINVAL; 813 814 now = time(NULL); 815 816 /* Check validity of all the certificates */ 817 for (i = 0; i < cert_list_size; i++) 818 { 819 time_t deadline; 820 821 CHECK_GNUTLS_DO( gnutls_x509_crt_init (&cert), return EINVAL); 822 CHECK_GNUTLS_DO( gnutls_x509_crt_import (cert, &cert_list[i], GNUTLS_X509_FMT_DER), return EINVAL); 823 824 deadline = gnutls_x509_crt_get_expiration_time(cert); 825 if ((deadline != (time_t)-1) && (deadline < now)) { 826 if (TRACE_BOOL(INFO)) { 827 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id); 828 fd_log_debug(" - The certificate %d in the chain is expired\n", i); 829 } 830 return EINVAL; 831 } 832 833 deadline = gnutls_x509_crt_get_activation_time(cert); 834 if ((deadline != (time_t)-1) && (deadline > now)) { 835 if (TRACE_BOOL(INFO)) { 836 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id); 837 fd_log_debug(" - The certificate %d in the chain is not yet activated\n", i); 838 } 839 return EINVAL; 840 } 841 842 if ((i == 0) && (conn->cc_tls_para.cn)) { 843 if (!gnutls_x509_crt_check_hostname (cert, conn->cc_tls_para.cn)) { 844 if (TRACE_BOOL(INFO)) { 845 fd_log_debug("TLS: Remote certificate invalid on socket %d (Remote: '%s')(Connection: '%s') :\n", conn->cc_socket, conn->cc_remid, conn->cc_id); 846 fd_log_debug(" - The certificate hostname does not match '%s'\n", conn->cc_tls_para.cn); 847 } 848 return EINVAL; 849 } 850 } 851 852 gnutls_x509_crt_deinit (cert); 853 } 854 855 return 0; 856 } 857 771 858 /* TLS handshake a connection; no need to have called start_clear before. Reception is active if handhsake is successful */ 772 859 int fd_cnx_handshake(struct cnxctx * conn, int mode, char * priority, void * alt_creds) … … 813 900 814 901 /* Now verify the remote credentials are valid -- only simple test here */ 815 CHECK_GNUTLS_DO( gnutls_certificate_verify_peers2 (conn->cc_tls_para.session, &ret), return EINVAL ); 816 if (ret) { 817 if (TRACE_BOOL(INFO)) { 818 fd_log_debug("TLS: Remote certificate invalid on socket %d (%s) :\n", conn->cc_socket, conn->cc_id); 819 if (ret & GNUTLS_CERT_INVALID) 820 fd_log_debug(" - The certificate is not trusted (unknown CA?)\n"); 821 if (ret & GNUTLS_CERT_REVOKED) 822 fd_log_debug(" - The certificate has been revoked.\n"); 823 if (ret & GNUTLS_CERT_SIGNER_NOT_FOUND) 824 fd_log_debug(" - The certificate hasn't got a known issuer.\n"); 825 if (ret & GNUTLS_CERT_SIGNER_NOT_CA) 826 fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.\n"); 827 if (ret & GNUTLS_CERT_INSECURE_ALGORITHM) 828 fd_log_debug(" - The certificate signature uses a weak algorithm.\n"); 829 } 830 return EINVAL; 831 } 902 CHECK_FCT( fd_tls_verify_credentials(conn->cc_tls_para.session, conn) ); 832 903 } 833 904 -
freeDiameter/cnxctx.h
r29 r31 43 43 char cc_id[60]; /* The name of this connection */ 44 44 char cc_remid[60]; /* Id of remote peer */ 45 45 46 46 int cc_socket; /* The socket object of the connection -- <=0 if no socket is created */ 47 47 … … 58 58 /* If cc_tls == true */ 59 59 struct { 60 char *cn; /* If not NULL, remote certif will be checked to match this Common Name */ 60 61 int mode; /* GNUTLS_CLIENT / GNUTLS_SERVER */ 61 62 gnutls_session_t session; /* Session object (stream #0 in case of SCTP) */ … … 80 81 int fd_tls_rcvthr_core(struct cnxctx * conn, gnutls_session_t session); 81 82 int fd_tls_prepare(gnutls_session_t * session, int mode, char * priority, void * alt_creds); 83 int fd_tls_verify_credentials(gnutls_session_t session, struct cnxctx * conn); 82 84 83 85 /* TCP */ -
freeDiameter/fD.h
r29 r31 225 225 struct cnxctx * fd_cnx_cli_connect_sctp(int no_ip6, uint16_t port, struct fd_list * list); 226 226 int fd_cnx_start_clear(struct cnxctx * conn, int loop); 227 void fd_cnx_sethostname(struct cnxctx * conn, char * hn); 227 228 int fd_cnx_handshake(struct cnxctx * conn, int mode, char * priority, void * alt_creds); 228 229 char * fd_cnx_getid(struct cnxctx * conn); -
freeDiameter/sctps.c
r29 r31 431 431 { 432 432 struct sctps_ctx * ctx = (struct sctps_ctx *) arg; 433 int resumed; 434 433 435 TRACE_ENTRY("%p", arg); 434 436 … … 443 445 CHECK_GNUTLS_DO( gnutls_handshake( ctx->session ), return NULL); 444 446 447 resumed = gnutls_session_is_resumed(ctx->session); 448 if (!resumed) { 449 /* Check the credentials here also */ 450 CHECK_FCT_DO( fd_tls_verify_credentials(ctx->session, ctx->parent), return NULL ); 451 } 445 452 if (TRACE_BOOL(FULL)) { 446 int resumed = gnutls_session_is_resumed(ctx->session);447 453 if (resumed) { 448 454 fd_log_debug("Session was resumed successfully on stream %hu (conn: '%s')\n", ctx->strid, fd_cnx_getid(ctx->parent)); 449 455 } else { 450 fd_log_debug("Session was NOT resumed (full handshake) on stream %hu(conn: '%s')\n", ctx->strid, fd_cnx_getid(ctx->parent));456 fd_log_debug("Session was NOT resumed on stream %hu (full handshake + verif) (conn: '%s')\n", ctx->strid, fd_cnx_getid(ctx->parent)); 451 457 } 452 458 } 453 459 454 /* Finish */460 /* Finished, OK */ 455 461 return arg; 456 462 } -
freeDiameter/tests/testcnx.c
r30 r31 39 39 #define TEST_PORT 3868 40 40 #endif /* TEST_PORT */ 41 42 #ifndef NB_STREAMS 43 #define NB_STREAMS 10 44 #endif /* NB_STREAMS */ 41 45 42 46 #ifndef GNUTLS_DEFAULT_PRIORITY … … 345 349 "-----END RSA PRIVATE KEY-----\n"; 346 350 351 /* Unknown CA certificate : 352 Certificate: 353 Data: 354 Version: 3 (0x2) 355 Serial Number: 1 (0x1) 356 Signature Algorithm: sha1WithRSAEncryption 357 Issuer: C=JP, ST=Tokyo, L=Koganei, O=WIDE, OU=AAA WG, CN=chavroux.cowaddict.org/emailAddress=sdecugis@nict.go.jp 358 Validity 359 Not Before: Oct 28 08:04:40 2009 GMT 360 Not After : Oct 28 08:04:40 2010 GMT 361 Subject: C=JP, ST=Tokyo, L=Koganei, O=WIDE, OU=AAA WG, CN=unknown.cs/emailAddress=unknown@ca 362 Subject Public Key Info: 363 Public Key Algorithm: rsaEncryption 364 RSA Public Key: (1024 bit) 365 Modulus (1024 bit): 366 00:e6:3a:d5:8a:14:c8:15:d0:f0:5c:03:c3:af:33: 367 51:2c:17:b7:65:ac:45:e8:48:2d:ae:70:fd:7c:79: 368 3a:c7:80:c8:50:53:d0:19:d8:3a:26:a8:16:4d:4c: 369 04:17:09:df:69:9b:59:2b:89:c8:e0:60:bb:1d:37: 370 82:d2:3f:17:39:c9:8f:5d:76:e1:0f:6e:08:9a:8f: 371 16:4a:ea:83:86:f9:bd:15:14:56:68:87:79:05:f9: 372 5f:66:11:bd:22:46:26:64:be:57:16:51:66:41:50: 373 ac:f2:b1:ca:d0:38:11:4b:4c:b2:ee:25:36:6e:d3: 374 b9:63:72:c4:84:82:1c:2b:27 375 Exponent: 65537 (0x10001) 376 X509v3 extensions: 377 X509v3 Basic Constraints: 378 CA:FALSE 379 Netscape Comment: 380 OpenSSL Generated Certificate 381 X509v3 Subject Key Identifier: 382 BA:5A:9D:D2:B0:4B:72:D6:1F:00:11:0B:B5:7B:59:DF:08:38:81:BE 383 X509v3 Authority Key Identifier: 384 keyid:52:C5:A4:63:B8:DB:AC:F2:92:34:2F:72:56:71:C8:11:8E:76:E6:DF 385 386 Signature Algorithm: sha1WithRSAEncryption 387 90:8f:3b:bd:e3:a1:ca:6a:92:a6:fd:f0:64:ae:46:83:32:35: 388 61:80:57:8b:30:12:70:02:e1:51:d9:87:c8:af:d9:4b:b9:6d: 389 bf:ab:86:5f:19:1f:dc:af:84:67:bf:3c:bf:33:f3:7c:c6:81: 390 7b:e4:e9:26:1d:bc:d6:8c:ab:72:94:7f:85:33:95:d9:24:ec: 391 fd:7b:d2:fd:50:3e:e5:61:4f:75:51:ae:c6:4a:ec:df:cf:aa: 392 73:a5:08:f7:f3:9a:40:66:48:f0:8e:9b:43:b1:30:f3:e3:c8: 393 36:3f:68:36:6a:1c:aa:16:40:49:b4:73:9a:71:f1:17:6c:0b: 394 d3:e1:a7:b7:40:de:2c:3c:36:7c:d4:dd:d6:94:c9:d7:5f:f5: 395 ae:35:56:e8:cc:65:9c:bb:3d:e8:7a:ca:0e:ed:78:03:41:cb: 396 fd:80:81:de:f9:de:b2:14:4b:81:24:36:de:29:c1:06:11:86: 397 8c:a9:b0:0c:c7:57:cf:79:a7:3a:84:0c:27:dc:86:6d:cb:44: 398 2d:26:dc:7e:fb:17:d6:b2:3d:31:03:d3:f1:ab:5d:91:5d:94: 399 e4:94:88:70:96:b3:7c:0f:15:fe:c8:c6:4d:99:37:ab:09:0c: 400 da:ba:b6:0e:fa:5e:bb:4b:ce:04:21:06:09:a9:2c:27:86:76: 401 cc:ee:73:6f 402 */ 403 static char notrust_ca_data[] = "-----BEGIN CERTIFICATE-----\n" 404 "MIIEqjCCA5KgAwIBAgIJAP3UMghSlH9PMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD\n" 405 "VQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNV\n" 406 "BAoMBFdJREUxDzANBgNVBAsMBkFBQSBXRzEfMB0GA1UEAwwWY2hhdnJvdXguY293\n" 407 "YWRkaWN0Lm9yZzEiMCAGCSqGSIb3DQEJARYTc2RlY3VnaXNAbmljdC5nby5qcDAe\n" 408 "Fw0wOTEwMjgwODAzNDRaFw0xOTEwMjYwODAzNDRaMIGUMQswCQYDVQQGEwJKUDEO\n" 409 "MAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNVBAoMBFdJREUx\n" 410 "DzANBgNVBAsMBkFBQSBXRzEfMB0GA1UEAwwWY2hhdnJvdXguY293YWRkaWN0Lm9y\n" 411 "ZzEiMCAGCSqGSIb3DQEJARYTc2RlY3VnaXNAbmljdC5nby5qcDCCASIwDQYJKoZI\n" 412 "hvcNAQEBBQADggEPADCCAQoCggEBALKW9iSUggF5mbvYe1Xk128Csfiijx+fwH5y\n" 413 "ZqWrHNt0YG/tZSwyCDMWBLXTeuYsntg5y0mcpsrN8v02tvrPiCzDfRPyz3mG68us\n" 414 "DPEEgQ1kqL2Gsti2DUcsdyZcDM+4rgsWRivgOTVyoNimv5f+xgmPYoElkgelLwZK\n" 415 "WxGt1VCebOxP3qZA3hSHWE1hJgL4svful7RD1PbwPzidxJKITyAiJoPKWQA9cjSa\n" 416 "gVzRQ7S4vmYALJn7xe+dMFRcfAK8RMv7/gJF6Rw7zufW0DIZK98KZs6aL0lmMPVk\n" 417 "f31N2uvndf+cjy0n4luwEoXY+TeJZY205lbwHrzR0rH75FSm0RsCAwEAAaOB/DCB\n" 418 "+TAdBgNVHQ4EFgQUUsWkY7jbrPKSNC9yVnHIEY525t8wgckGA1UdIwSBwTCBvoAU\n" 419 "UsWkY7jbrPKSNC9yVnHIEY525t+hgZqkgZcwgZQxCzAJBgNVBAYTAkpQMQ4wDAYD\n" 420 "VQQIDAVUb2t5bzEQMA4GA1UEBwwHS29nYW5laTENMAsGA1UECgwEV0lERTEPMA0G\n" 421 "A1UECwwGQUFBIFdHMR8wHQYDVQQDDBZjaGF2cm91eC5jb3dhZGRpY3Qub3JnMSIw\n" 422 "IAYJKoZIhvcNAQkBFhNzZGVjdWdpc0BuaWN0LmdvLmpwggkA/dQyCFKUf08wDAYD\n" 423 "VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEACANo6IR3OQlQaXHJaprVVDvl\n" 424 "oMJC0FRbVCK503sbmWTJL98UqxRdsTZNIL07gXlK0oUKyiNijIXiLG8d5IlUrDxF\n" 425 "H/Vsu6s8k3/PpAUVeiO2oygWqvU5NGvt0jg54MrOJKhYYPWrzbmHty+cAXyoNzOR\n" 426 "+W5RX6HRQgxvZWQq2Ok46VX622R1nNjFmCBYT7I7/gWG+hkbIAoH6d9sULLjpC+B\n" 427 "bI+L/N7ac9/Og8pGIgpUI60Gn5zO93+E+Nhg+1BlcDHGnQD6vFNs8LYp5CCX/Zj1\n" 428 "tWFVXZnx58odaU3M4t9/ZQnkZdx9YJIroETbN0PoqlnSagBjgUvbWwn4YCotCA==\n" 429 "-----END CERTIFICATE-----\n"; 430 431 static char notrust_cert_data[]="-----BEGIN CERTIFICATE-----\n" 432 "MIIDhjCCAm6gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBlDELMAkGA1UEBhMCSlAx\n" 433 "DjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdLb2dhbmVpMQ0wCwYDVQQKDARXSURF\n" 434 "MQ8wDQYDVQQLDAZBQUEgV0cxHzAdBgNVBAMMFmNoYXZyb3V4LmNvd2FkZGljdC5v\n" 435 "cmcxIjAgBgkqhkiG9w0BCQEWE3NkZWN1Z2lzQG5pY3QuZ28uanAwHhcNMDkxMDI4\n" 436 "MDgwNDQwWhcNMTAxMDI4MDgwNDQwWjB/MQswCQYDVQQGEwJKUDEOMAwGA1UECAwF\n" 437 "VG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNVBAoMBFdJREUxDzANBgNVBAsM\n" 438 "BkFBQSBXRzETMBEGA1UEAwwKdW5rbm93bi5jczEZMBcGCSqGSIb3DQEJARYKdW5r\n" 439 "bm93bkBjYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5jrVihTIFdDwXAPD\n" 440 "rzNRLBe3ZaxF6EgtrnD9fHk6x4DIUFPQGdg6JqgWTUwEFwnfaZtZK4nI4GC7HTeC\n" 441 "0j8XOcmPXXbhD24Imo8WSuqDhvm9FRRWaId5BflfZhG9IkYmZL5XFlFmQVCs8rHK\n" 442 "0DgRS0yy7iU2btO5Y3LEhIIcKycCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB\n" 443 "hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE\n" 444 "FLpandKwS3LWHwARC7V7Wd8IOIG+MB8GA1UdIwQYMBaAFFLFpGO426zykjQvclZx\n" 445 "yBGOdubfMA0GCSqGSIb3DQEBBQUAA4IBAQCQjzu946HKapKm/fBkrkaDMjVhgFeL\n" 446 "MBJwAuFR2YfIr9lLuW2/q4ZfGR/cr4Rnvzy/M/N8xoF75OkmHbzWjKtylH+FM5XZ\n" 447 "JOz9e9L9UD7lYU91Ua7GSuzfz6pzpQj385pAZkjwjptDsTDz48g2P2g2ahyqFkBJ\n" 448 "tHOacfEXbAvT4ae3QN4sPDZ81N3WlMnXX/WuNVbozGWcuz3oesoO7XgDQcv9gIHe\n" 449 "+d6yFEuBJDbeKcEGEYaMqbAMx1fPeac6hAwn3IZty0QtJtx++xfWsj0xA9Pxq12R\n" 450 "XZTklIhwlrN8DxX+yMZNmTerCQzaurYO+l67S84EIQYJqSwnhnbM7nNv\n" 451 "-----END CERTIFICATE-----\n"; 452 static char notrust_priv_data[]="-----BEGIN RSA PRIVATE KEY-----\n" 453 "MIICXQIBAAKBgQDmOtWKFMgV0PBcA8OvM1EsF7dlrEXoSC2ucP18eTrHgMhQU9AZ\n" 454 "2DomqBZNTAQXCd9pm1kricjgYLsdN4LSPxc5yY9dduEPbgiajxZK6oOG+b0VFFZo\n" 455 "h3kF+V9mEb0iRiZkvlcWUWZBUKzyscrQOBFLTLLuJTZu07ljcsSEghwrJwIDAQAB\n" 456 "AoGAeRec1SGVE5Rvt5XrSK0vFofq2DlCE6hTDpszWFLTDbe4pDdRDybhfw+Nm15O\n" 457 "EGgK8BrbTcEMvKdkAzv9POQeLDE8JImgesHZFxN3jnkK+b762BGRDt57DzvMJsfj\n" 458 "1LBle+UBnZB1CvjrINvu+tNMVPlUpjIstbpMq0D+s01+ijECQQD8MHTv/M+Uc86u\n" 459 "1SFywgs+eQPQ8g0OoTLxzqo6YhW8FtwLjoRCZx2TNQS5gYBuQrixd/yE0Spfv9aS\n" 460 "UtlAaOc1AkEA6bVufggHVHcgiWqS8CHzb6g/GRxQixVshOsoVLMkCSz04zlwIfXF\n" 461 "c03hh5RJVv7jmuBmhHbayujMgvinw75oawJAQb9oXUDt5Wgj1FTgeYi5YbovEoRo\n" 462 "fw3ruDsHCl2UCQt0ptarCJzVixFhf/ORRi3C9RGxFfdqMrhS+qb62N4AmQJBALYU\n" 463 "T1BLiwJoiWXmLTJ/EP0V9Irov2uMtm5cE6DhrJqlduksz8r1gu7RZ3tMsVLg5Iy+\n" 464 "dcCQJOffNa54caQUTZ8CQQDTs/70Nr6F6ktrtmtU/S7lIitpQJCu9u/SPyBYPmFZ\n" 465 "9Axy6Ee66Php+eWDNP4Ln4axrapD0732wD8DcmGDVHij\n" 466 "-----END RSA PRIVATE KEY-----\n"; 467 468 347 469 struct fd_list eps = FD_LIST_INITIALIZER(eps); 348 470 … … 415 537 gnutls_datum_t expired_cert = { expired_cert_data, sizeof(expired_cert_data) }; 416 538 gnutls_datum_t expired_priv = { expired_priv_data, sizeof(expired_priv_data) }; 539 gnutls_datum_t notrust_ca = { notrust_ca_data, sizeof(notrust_ca_data) }; 540 gnutls_datum_t notrust_cert = { notrust_cert_data, sizeof(notrust_cert_data) }; 541 gnutls_datum_t notrust_priv = { notrust_priv_data, sizeof(notrust_priv_data) }; 417 542 418 543 struct cnxctx * listener; … … 431 556 /* First, initialize the daemon modules */ 432 557 INIT_FD(); 558 559 /* Restrain the # of streams */ 560 fd_g_config->cnf_sctp_str = NB_STREAMS; 433 561 434 562 /* Set the CA parameter in the config */ … … 663 791 664 792 /* Send a few TLS protected message, and replies */ 665 for (i = 0; i < 10; i++) {793 for (i = 0; i < 2 * NB_STREAMS; i++) { 666 794 CHECK( 0, fd_cnx_send(server_side, cer_buf, cer_sz)); 667 795 CHECK( 0, fd_cnx_receive(client_side, NULL, &rcv_buf, &rcv_sz)); … … 744 872 745 873 /* Send a few TLS protected message, and replies */ 746 for (i = 0; i < 100; i++) {874 for (i = 0; i < 2 * NB_STREAMS; i++) { 747 875 CHECK( 0, fd_cnx_send(server_side, cer_buf, cer_sz)); 748 876 CHECK( 0, fd_cnx_receive(client_side, NULL, &rcv_buf, &rcv_sz)); … … 773 901 struct connect_flags cf; 774 902 struct handshake_flags hf; 775 int i;776 903 777 904 memset(&cf, 0, sizeof(cf)); … … 809 936 810 937 /* Send a few TLS protected message, and replies */ 811 for (i = 0; i < 10; i++) {938 for (i = 0; i < 2 * NB_STREAMS; i++) { 812 939 CHECK( 0, fd_cnx_send(server_side, cer_buf, cer_sz)); 813 940 CHECK( 0, fd_cnx_receive(client_side, NULL, &rcv_buf, &rcv_sz)); … … 832 959 } 833 960 961 #ifndef DISABLE_SCTP 962 /* SCTP Client / server emulating new Diameter behavior (handshake at connection directly) */ 963 { 964 struct connect_flags cf; 965 struct handshake_flags hf; 966 967 memset(&cf, 0, sizeof(cf)); 968 cf.proto = IPPROTO_SCTP; 969 970 memset(&hf, 0, sizeof(hf)); 971 972 /* Initialize remote certificate */ 973 CHECK_GNUTLS_DO( ret = gnutls_certificate_allocate_credentials (&hf.creds), ); 974 CHECK( GNUTLS_E_SUCCESS, ret ); 975 /* Set the CA */ 976 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, &ca, GNUTLS_X509_FMT_PEM), ); 977 CHECK( 1, ret ); 978 /* Set the key */ 979 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_key_mem( hf.creds, &client_cert, &client_priv, GNUTLS_X509_FMT_PEM), ); 980 CHECK( GNUTLS_E_SUCCESS, ret ); 981 982 /* Start the client thread */ 983 CHECK( 0, pthread_create(&thr, 0, connect_thr, &cf) ); 984 985 /* Accept the connection of the client */ 986 server_side = fd_cnx_serv_accept(listener_sctp); 987 CHECK( 1, server_side ? 1 : 0 ); 988 989 /* Retrieve the client connection object */ 990 CHECK( 0, pthread_join( thr, (void *)&client_side ) ); 991 CHECK( 1, client_side ? 1 : 0 ); 992 hf.cnx = client_side; 993 994 /* Start the handshake directly */ 995 CHECK( 0, pthread_create(&thr, 0, handshake_thr, &hf) ); 996 CHECK( 0, fd_cnx_handshake(server_side, GNUTLS_SERVER, NULL, NULL) ); 997 CHECK( 0, pthread_join(thr, NULL) ); 998 CHECK( 0, hf.ret ); 999 1000 /* Send a few TLS protected message, and replies */ 1001 for (i = 0; i < 2 * NB_STREAMS; i++) { 1002 CHECK( 0, fd_cnx_send(server_side, cer_buf, cer_sz)); 1003 CHECK( 0, fd_cnx_receive(client_side, NULL, &rcv_buf, &rcv_sz)); 1004 CHECK( cer_sz, rcv_sz ); 1005 CHECK( 0, memcmp( rcv_buf, cer_buf, cer_sz ) ); 1006 1007 CHECK( 0, fd_cnx_send(client_side, cer_buf, cer_sz)); 1008 CHECK( 0, fd_cnx_receive(server_side, NULL, &rcv_buf, &rcv_sz)); 1009 CHECK( cer_sz, rcv_sz ); 1010 CHECK( 0, memcmp( rcv_buf, cer_buf, cer_sz ) ); 1011 } 1012 1013 1014 /* Now close the connection */ 1015 CHECK( 0, pthread_create(&thr, 0, destroy_thr, client_side) ); 1016 fd_cnx_destroy(server_side); 1017 CHECK( 0, pthread_join(thr, NULL) ); 1018 1019 /* Free the credentials */ 1020 gnutls_certificate_free_keys(hf.creds); 1021 gnutls_certificate_free_cas(hf.creds); 1022 gnutls_certificate_free_credentials(hf.creds); 1023 } 1024 #endif /* DISABLE_SCTP */ 1025 1026 /* Basic operation tested successfully, now test we detect error conditions */ 1027 1028 /* Untrusted certificate, TCP */ 1029 { 1030 struct connect_flags cf; 1031 struct handshake_flags hf; 1032 1033 memset(&cf, 0, sizeof(cf)); 1034 cf.proto = IPPROTO_TCP; 1035 1036 memset(&hf, 0, sizeof(hf)); 1037 1038 /* Initialize remote certificate */ 1039 CHECK_GNUTLS_DO( ret = gnutls_certificate_allocate_credentials (&hf.creds), ); 1040 CHECK( GNUTLS_E_SUCCESS, ret ); 1041 /* Set the CA */ 1042 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, ¬rust_ca, GNUTLS_X509_FMT_PEM), ); 1043 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, &ca, GNUTLS_X509_FMT_PEM), ); 1044 CHECK( 1, ret ); 1045 /* Set the key */ 1046 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_key_mem( hf.creds, ¬rust_cert, ¬rust_priv, GNUTLS_X509_FMT_PEM), ); 1047 CHECK( GNUTLS_E_SUCCESS, ret ); 1048 1049 /* Start the client thread */ 1050 CHECK( 0, pthread_create(&thr, 0, connect_thr, &cf) ); 1051 1052 /* Accept the connection of the client */ 1053 server_side = fd_cnx_serv_accept(listener); 1054 CHECK( 1, server_side ? 1 : 0 ); 1055 1056 /* Retrieve the client connection object */ 1057 CHECK( 0, pthread_join( thr, (void *)&client_side ) ); 1058 CHECK( 1, client_side ? 1 : 0 ); 1059 hf.cnx = client_side; 1060 1061 /* Start the handshake directly */ 1062 CHECK( 0, pthread_create(&thr, 0, handshake_thr, &hf) ); 1063 CHECK( EINVAL, fd_cnx_handshake(server_side, GNUTLS_SERVER, NULL, NULL) ); 1064 CHECK( 0, pthread_join(thr, NULL) ); 1065 1066 /* Now close the connection */ 1067 CHECK( 0, pthread_create(&thr, 0, destroy_thr, client_side) ); 1068 fd_cnx_destroy(server_side); 1069 CHECK( 0, pthread_join(thr, NULL) ); 1070 1071 /* Free the credentials */ 1072 gnutls_certificate_free_keys(hf.creds); 1073 gnutls_certificate_free_cas(hf.creds); 1074 gnutls_certificate_free_credentials(hf.creds); 1075 } 1076 1077 /* Same in SCTP */ 1078 #ifndef DISABLE_SCTP 1079 { 1080 struct connect_flags cf; 1081 struct handshake_flags hf; 1082 1083 memset(&cf, 0, sizeof(cf)); 1084 cf.proto = IPPROTO_SCTP; 1085 1086 memset(&hf, 0, sizeof(hf)); 1087 1088 /* Initialize remote certificate */ 1089 CHECK_GNUTLS_DO( ret = gnutls_certificate_allocate_credentials (&hf.creds), ); 1090 CHECK( GNUTLS_E_SUCCESS, ret ); 1091 /* Set the CA */ 1092 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, ¬rust_ca, GNUTLS_X509_FMT_PEM), ); 1093 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, &ca, GNUTLS_X509_FMT_PEM), ); 1094 CHECK( 1, ret ); 1095 /* Set the key */ 1096 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_key_mem( hf.creds, ¬rust_cert, ¬rust_priv, GNUTLS_X509_FMT_PEM), ); 1097 CHECK( GNUTLS_E_SUCCESS, ret ); 1098 1099 /* Start the client thread */ 1100 CHECK( 0, pthread_create(&thr, 0, connect_thr, &cf) ); 1101 1102 /* Accept the connection of the client */ 1103 server_side = fd_cnx_serv_accept(listener_sctp); 1104 CHECK( 1, server_side ? 1 : 0 ); 1105 1106 /* Retrieve the client connection object */ 1107 CHECK( 0, pthread_join( thr, (void *)&client_side ) ); 1108 CHECK( 1, client_side ? 1 : 0 ); 1109 hf.cnx = client_side; 1110 1111 /* Start the handshake directly */ 1112 CHECK( 0, pthread_create(&thr, 0, handshake_thr, &hf) ); 1113 CHECK( EINVAL, fd_cnx_handshake(server_side, GNUTLS_SERVER, NULL, NULL) ); 1114 CHECK( 0, pthread_join(thr, NULL) ); 1115 1116 /* Now close the connection */ 1117 CHECK( 0, pthread_create(&thr, 0, destroy_thr, client_side) ); 1118 fd_cnx_destroy(server_side); 1119 CHECK( 0, pthread_join(thr, NULL) ); 1120 1121 /* Free the credentials */ 1122 gnutls_certificate_free_keys(hf.creds); 1123 gnutls_certificate_free_cas(hf.creds); 1124 gnutls_certificate_free_credentials(hf.creds); 1125 } 1126 #endif /* DISABLE_SCTP */ 1127 1128 /* Expired certificate */ 1129 { 1130 struct connect_flags cf; 1131 struct handshake_flags hf; 1132 1133 memset(&cf, 0, sizeof(cf)); 1134 cf.proto = IPPROTO_TCP; 1135 1136 memset(&hf, 0, sizeof(hf)); 1137 1138 /* Initialize remote certificate */ 1139 CHECK_GNUTLS_DO( ret = gnutls_certificate_allocate_credentials (&hf.creds), ); 1140 CHECK( GNUTLS_E_SUCCESS, ret ); 1141 /* Set the CA */ 1142 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, &ca, GNUTLS_X509_FMT_PEM), ); 1143 CHECK( 1, ret ); 1144 /* Set the key */ 1145 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_key_mem( hf.creds, &expired_cert, &expired_priv, GNUTLS_X509_FMT_PEM), ); 1146 CHECK( GNUTLS_E_SUCCESS, ret ); 1147 1148 /* Start the client thread */ 1149 CHECK( 0, pthread_create(&thr, 0, connect_thr, &cf) ); 1150 1151 /* Accept the connection of the client */ 1152 server_side = fd_cnx_serv_accept(listener); 1153 CHECK( 1, server_side ? 1 : 0 ); 1154 1155 /* Retrieve the client connection object */ 1156 CHECK( 0, pthread_join( thr, (void *)&client_side ) ); 1157 CHECK( 1, client_side ? 1 : 0 ); 1158 hf.cnx = client_side; 1159 1160 /* Start the handshake directly */ 1161 CHECK( 0, pthread_create(&thr, 0, handshake_thr, &hf) ); 1162 CHECK( EINVAL, fd_cnx_handshake(server_side, GNUTLS_SERVER, NULL, NULL) ); 1163 CHECK( 0, pthread_join(thr, NULL) ); 1164 1165 /* Now close the connection */ 1166 CHECK( 0, pthread_create(&thr, 0, destroy_thr, client_side) ); 1167 fd_cnx_destroy(server_side); 1168 CHECK( 0, pthread_join(thr, NULL) ); 1169 1170 /* Free the credentials */ 1171 gnutls_certificate_free_keys(hf.creds); 1172 gnutls_certificate_free_cas(hf.creds); 1173 gnutls_certificate_free_credentials(hf.creds); 1174 } 1175 1176 /* Non matching hostname */ 1177 1178 { 1179 struct connect_flags cf; 1180 struct handshake_flags hf; 1181 1182 memset(&cf, 0, sizeof(cf)); 1183 cf.proto = IPPROTO_TCP; 1184 1185 memset(&hf, 0, sizeof(hf)); 1186 1187 /* Initialize remote certificate */ 1188 CHECK_GNUTLS_DO( ret = gnutls_certificate_allocate_credentials (&hf.creds), ); 1189 CHECK( GNUTLS_E_SUCCESS, ret ); 1190 /* Set the CA */ 1191 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_trust_mem( hf.creds, &ca, GNUTLS_X509_FMT_PEM), ); 1192 CHECK( 1, ret ); 1193 /* Set the key */ 1194 CHECK_GNUTLS_DO( ret = gnutls_certificate_set_x509_key_mem( hf.creds, &client_cert, &client_priv, GNUTLS_X509_FMT_PEM), ); 1195 CHECK( GNUTLS_E_SUCCESS, ret ); 1196 1197 /* Start the client thread */ 1198 CHECK( 0, pthread_create(&thr, 0, connect_thr, &cf) ); 1199 1200 /* Accept the connection of the client */ 1201 server_side = fd_cnx_serv_accept(listener); 1202 CHECK( 1, server_side ? 1 : 0 ); 1203 1204 /* Retrieve the client connection object */ 1205 CHECK( 0, pthread_join( thr, (void *)&client_side ) ); 1206 CHECK( 1, client_side ? 1 : 0 ); 1207 hf.cnx = client_side; 1208 1209 /* Set the correct hostname we expect from the client (in the server) */ 1210 fd_cnx_sethostname(server_side, "client.test"); 1211 1212 /* Start the handshake, check it is successful */ 1213 CHECK( 0, pthread_create(&thr, 0, handshake_thr, &hf) ); 1214 CHECK( 0, fd_cnx_handshake(server_side, GNUTLS_SERVER, NULL, NULL) ); 1215 CHECK( 0, pthread_join(thr, NULL) ); 1216 CHECK( 0, hf.ret ); 1217 1218 /* Now close the connection */ 1219 CHECK( 0, pthread_create(&thr, 0, destroy_thr, client_side) ); 1220 fd_cnx_destroy(server_side); 1221 CHECK( 0, pthread_join(thr, NULL) ); 1222 1223 /* Do it again with an invalid hostname */ 1224 CHECK( 0, pthread_create(&thr, 0, connect_thr, &cf) ); 1225 1226 /* Accept the connection of the client */ 1227 server_side = fd_cnx_serv_accept(listener); 1228 CHECK( 1, server_side ? 1 : 0 ); 1229 1230 /* Retrieve the client connection object */ 1231 CHECK( 0, pthread_join( thr, (void *)&client_side ) ); 1232 CHECK( 1, client_side ? 1 : 0 ); 1233 hf.cnx = client_side; 1234 1235 /* Set the correct hostname we expect from the client (in the server) */ 1236 fd_cnx_sethostname(server_side, "nomatch.test"); 1237 1238 /* Start the handshake, check it is successful */ 1239 CHECK( 0, pthread_create(&thr, 0, handshake_thr, &hf) ); 1240 CHECK( EINVAL, fd_cnx_handshake(server_side, GNUTLS_SERVER, NULL, NULL) ); 1241 CHECK( 0, pthread_join(thr, NULL) ); 1242 1243 /* Now close the connection */ 1244 CHECK( 0, pthread_create(&thr, 0, destroy_thr, client_side) ); 1245 fd_cnx_destroy(server_side); 1246 CHECK( 0, pthread_join(thr, NULL) ); 1247 1248 /* Free the credentials */ 1249 gnutls_certificate_free_keys(hf.creds); 1250 gnutls_certificate_free_cas(hf.creds); 1251 gnutls_certificate_free_credentials(hf.creds); 1252 } 1253 834 1254 /* That's all for the tests yet */ 835 1255 PASSTEST(); -
freeDiameter/tests/tests.h
r29 r31 65 65 #define FAILTEST( message... ){ \ 66 66 fprintf(stderr, ## message); \ 67 TRACE_DEBUG(INFO, "Test failed"); \ 67 68 exit(FAIL); \ 68 69 } … … 93 94 __typeof__ (_val) __ret = (_assert); \ 94 95 if (__ret != (_val)) { \ 95 FAILTEST( "%s:%d: %s == %lx != %lx\n", \96 FAILTEST( "%s:%d: CHECK FAILED : %s == %lx != %lx\n", \ 96 97 __FILE__, \ 97 98 __LINE__, \
Note: See TracChangeset
for help on using the changeset viewer.