1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2013 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_tls_test.h"
26
27 #include "munitxx.h"
28
29 #include "shrpx_tls.h"
30 #include "shrpx_log.h"
31 #include "util.h"
32 #include "template.h"
33
34 using namespace nghttp2;
35
36 namespace shrpx {
37
38 namespace {
39 const MunitTest tests[]{
40 munit_void_test(test_shrpx_tls_create_lookup_tree),
41 munit_void_test(test_shrpx_tls_cert_lookup_tree_add_ssl_ctx),
42 munit_void_test(test_shrpx_tls_tls_hostname_match),
43 munit_void_test(test_shrpx_tls_verify_numeric_hostname),
44 munit_void_test(test_shrpx_tls_verify_dns_hostname),
45 munit_test_end(),
46 };
47 } // namespace
48
49 const MunitSuite tls_suite{
50 "/tls", tests, NULL, 1, MUNIT_SUITE_OPTION_NONE,
51 };
52
test_shrpx_tls_create_lookup_tree(void)53 void test_shrpx_tls_create_lookup_tree(void) {
54 auto tree = std::make_unique<tls::CertLookupTree>();
55
56 constexpr StringRef hostnames[] = {
57 "example.com"_sr, // 0
58 "www.example.org"_sr, // 1
59 "*www.example.org"_sr, // 2
60 "xy*.host.domain"_sr, // 3
61 "*yy.host.domain"_sr, // 4
62 "nghttp2.sourceforge.net"_sr, // 5
63 "sourceforge.net"_sr, // 6
64 "sourceforge.net"_sr, // 7, duplicate
65 "*.foo.bar"_sr, // 8, oo.bar is suffix of *.foo.bar
66 "oo.bar"_sr // 9
67 };
68 auto num = array_size(hostnames);
69
70 for (size_t idx = 0; idx < num; ++idx) {
71 tree->add_cert(hostnames[idx], idx);
72 }
73
74 tree->dump();
75
76 assert_ssize(0, ==, tree->lookup(hostnames[0]));
77 assert_ssize(1, ==, tree->lookup(hostnames[1]));
78 assert_ssize(2, ==, tree->lookup("2www.example.org"_sr));
79 assert_ssize(-1, ==, tree->lookup("www2.example.org"_sr));
80 assert_ssize(3, ==, tree->lookup("xy1.host.domain"_sr));
81 // Does not match *yy.host.domain, because * must match at least 1
82 // character.
83 assert_ssize(-1, ==, tree->lookup("yy.host.domain"_sr));
84 assert_ssize(4, ==, tree->lookup("xyy.host.domain"_sr));
85 assert_ssize(-1, ==, tree->lookup(StringRef{}));
86 assert_ssize(5, ==, tree->lookup(hostnames[5]));
87 assert_ssize(6, ==, tree->lookup(hostnames[6]));
88 static constexpr char h6[] = "pdylay.sourceforge.net";
89 for (int i = 0; i < 7; ++i) {
90 assert_ssize(-1, ==, tree->lookup(StringRef{h6 + i, str_size(h6) - i}));
91 }
92 assert_ssize(8, ==, tree->lookup("x.foo.bar"_sr));
93 assert_ssize(9, ==, tree->lookup(hostnames[9]));
94
95 constexpr StringRef names[] = {
96 "rab"_sr, // 1
97 "zab"_sr, // 2
98 "zzub"_sr, // 3
99 "ab"_sr // 4
100 };
101 num = array_size(names);
102
103 tree = std::make_unique<tls::CertLookupTree>();
104 for (size_t idx = 0; idx < num; ++idx) {
105 tree->add_cert(names[idx], idx);
106 }
107 for (size_t i = 0; i < num; ++i) {
108 assert_ssize((ssize_t)i, ==, tree->lookup(names[i]));
109 }
110 }
111
112 // We use cfssl to generate key pairs.
113 //
114 // CA self-signed key pairs generation:
115 //
116 // $ cfssl genkey -initca ca.nghttp2.org.csr.json |
117 // cfssljson -bare ca.nghttp2.org
118 //
119 // Create CSR:
120 //
121 // $ cfssl genkey test.nghttp2.org.csr.json | cfssljson -bare test.nghttp2.org
122 // $ cfssl genkey test.example.com.csr.json | cfssljson -bare test.example.com
123 //
124 // Sign CSR:
125 //
126 // $ cfssl sign -ca ca.nghttp2.org.pem -ca-key ca.nghttp2.org-key.pem
127 // -config=ca-config.json -profile=server test.nghttp2.org.csr |
128 // cfssljson -bare test.nghttp2.org
129 //
130 // $ cfssl sign -ca ca.nghttp2.org.pem -ca-key ca.nghttp2.org-key.pem
131 // -config=ca-config.json -profile=server test.example.com.csr |
132 // cfssljson -bare test.example.com
133 //
test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void)134 void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void) {
135 int rv;
136
137 static constexpr char nghttp2_certfile[] =
138 NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
139 auto nghttp2_ssl_ctx = SSL_CTX_new(TLS_server_method());
140 auto nghttp2_ssl_ctx_del = defer(SSL_CTX_free, nghttp2_ssl_ctx);
141 auto nghttp2_tls_ctx_data = std::make_unique<tls::TLSContextData>();
142 nghttp2_tls_ctx_data->cert_file = nghttp2_certfile;
143 SSL_CTX_set_app_data(nghttp2_ssl_ctx, nghttp2_tls_ctx_data.get());
144 rv = SSL_CTX_use_certificate_chain_file(nghttp2_ssl_ctx, nghttp2_certfile);
145
146 assert_int(1, ==, rv);
147
148 static constexpr char examples_certfile[] =
149 NGHTTP2_SRC_DIR "/test.example.com.pem";
150 auto examples_ssl_ctx = SSL_CTX_new(TLS_server_method());
151 auto examples_ssl_ctx_del = defer(SSL_CTX_free, examples_ssl_ctx);
152 auto examples_tls_ctx_data = std::make_unique<tls::TLSContextData>();
153 examples_tls_ctx_data->cert_file = examples_certfile;
154 SSL_CTX_set_app_data(examples_ssl_ctx, examples_tls_ctx_data.get());
155 rv = SSL_CTX_use_certificate_chain_file(examples_ssl_ctx, examples_certfile);
156
157 assert_int(1, ==, rv);
158
159 tls::CertLookupTree tree;
160 std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx;
161
162 rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
163 nghttp2_ssl_ctx);
164
165 assert_int(0, ==, rv);
166
167 rv = tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx,
168 examples_ssl_ctx);
169
170 assert_int(0, ==, rv);
171
172 assert_ssize(-1, ==, tree.lookup("not-used.nghttp2.org"_sr));
173 assert_ssize(0, ==, tree.lookup("test.nghttp2.org"_sr));
174 assert_ssize(1, ==, tree.lookup("w.test.nghttp2.org"_sr));
175 assert_ssize(2, ==, tree.lookup("www.test.nghttp2.org"_sr));
176 assert_ssize(3, ==, tree.lookup("test.example.com"_sr));
177 }
178
179 template <size_t N, size_t M>
tls_hostname_match_wrapper(const char (& pattern)[N],const char (& hostname)[M])180 bool tls_hostname_match_wrapper(const char (&pattern)[N],
181 const char (&hostname)[M]) {
182 return tls::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M});
183 }
184
test_shrpx_tls_tls_hostname_match(void)185 void test_shrpx_tls_tls_hostname_match(void) {
186 assert_true(tls_hostname_match_wrapper("example.com", "example.com"));
187 assert_true(tls_hostname_match_wrapper("example.com", "EXAMPLE.com"));
188
189 // check wildcard
190 assert_true(tls_hostname_match_wrapper("*.example.com", "www.example.com"));
191 assert_true(tls_hostname_match_wrapper("*w.example.com", "www.example.com"));
192 assert_true(
193 tls_hostname_match_wrapper("www*.example.com", "www1.example.com"));
194 assert_true(
195 tls_hostname_match_wrapper("www*.example.com", "WWW12.EXAMPLE.com"));
196 // at least 2 dots are required after '*'
197 assert_false(tls_hostname_match_wrapper("*.com", "example.com"));
198 assert_false(tls_hostname_match_wrapper("*", "example.com"));
199 // '*' must be in left most label
200 assert_false(
201 tls_hostname_match_wrapper("blog.*.example.com", "blog.my.example.com"));
202 // prefix is wrong
203 assert_false(
204 tls_hostname_match_wrapper("client*.example.com", "server.example.com"));
205 // '*' must match at least one character
206 assert_false(
207 tls_hostname_match_wrapper("www*.example.com", "www.example.com"));
208
209 assert_false(tls_hostname_match_wrapper("example.com", "nghttp2.org"));
210 assert_false(tls_hostname_match_wrapper("www.example.com", "example.com"));
211 assert_false(tls_hostname_match_wrapper("example.com", "www.example.com"));
212 }
213
load_cert(const char * path)214 static X509 *load_cert(const char *path) {
215 auto f = fopen(path, "r");
216 auto cert = PEM_read_X509(f, nullptr, nullptr, nullptr);
217
218 fclose(f);
219
220 return cert;
221 }
222
parse_addr(const char * ipaddr)223 static Address parse_addr(const char *ipaddr) {
224 addrinfo hints{};
225
226 hints.ai_family = AF_UNSPEC;
227 hints.ai_flags = AI_NUMERICHOST;
228 #ifdef AI_NUMERICSERV
229 hints.ai_flags |= AI_NUMERICSERV;
230 #endif
231
232 addrinfo *res = nullptr;
233
234 auto rv = getaddrinfo(ipaddr, "443", &hints, &res);
235
236 assert_int(0, ==, rv);
237 assert_not_null(res);
238
239 Address addr;
240 addr.len = res->ai_addrlen;
241 memcpy(&addr.su, res->ai_addr, res->ai_addrlen);
242
243 freeaddrinfo(res);
244
245 return addr;
246 }
247
test_shrpx_tls_verify_numeric_hostname(void)248 void test_shrpx_tls_verify_numeric_hostname(void) {
249 {
250 // Successful IPv4 address match in SAN
251 static constexpr auto ipaddr = "127.0.0.1"_sr;
252 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
253 auto addr = parse_addr(ipaddr.data());
254 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
255
256 assert_int(0, ==, rv);
257
258 X509_free(cert);
259 }
260
261 {
262 // Successful IPv6 address match in SAN
263 static constexpr auto ipaddr = "::1"_sr;
264 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
265 auto addr = parse_addr(ipaddr.data());
266 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
267
268 assert_int(0, ==, rv);
269
270 X509_free(cert);
271 }
272
273 {
274 // Unsuccessful IPv4 address match in SAN
275 static constexpr auto ipaddr = "192.168.0.127"_sr;
276 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
277 auto addr = parse_addr(ipaddr.data());
278 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
279
280 assert_int(-1, ==, rv);
281
282 X509_free(cert);
283 }
284
285 {
286 // CommonName is not used if SAN is available
287 static constexpr auto ipaddr = "192.168.0.1"_sr;
288 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/ipaddr.crt");
289 auto addr = parse_addr(ipaddr.data());
290 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
291
292 assert_int(-1, ==, rv);
293
294 X509_free(cert);
295 }
296
297 {
298 // Successful IPv4 address match in CommonName
299 static constexpr auto ipaddr = "127.0.0.1"_sr;
300 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/nosan_ip.crt");
301 auto addr = parse_addr(ipaddr.data());
302 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
303
304 assert_int(0, ==, rv);
305
306 X509_free(cert);
307 }
308 }
309
test_shrpx_tls_verify_dns_hostname(void)310 void test_shrpx_tls_verify_dns_hostname(void) {
311 {
312 // Successful exact DNS name match in SAN
313 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
314 auto rv = tls::verify_dns_hostname(cert, "nghttp2.example.com"_sr);
315
316 assert_int(0, ==, rv);
317
318 X509_free(cert);
319 }
320
321 {
322 // Successful wildcard DNS name match in SAN
323 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
324 auto rv = tls::verify_dns_hostname(cert, "www.nghttp2.example.com"_sr);
325
326 assert_int(0, ==, rv);
327
328 X509_free(cert);
329 }
330
331 {
332 // CommonName is not used if SAN is available.
333 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
334 auto rv = tls::verify_dns_hostname(cert, "localhost"_sr);
335
336 assert_int(-1, ==, rv);
337
338 X509_free(cert);
339 }
340
341 {
342 // Successful DNS name match in CommonName
343 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/nosan.crt");
344 auto rv = tls::verify_dns_hostname(cert, "localhost"_sr);
345
346 assert_int(0, ==, rv);
347
348 X509_free(cert);
349 }
350 }
351
352 } // namespace shrpx
353