1 /*
2 * nghttp2 - HTTP/2 C Library
3 *
4 * Copyright (c) 2013 Tatsuhiro Tsujikawa
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24 */
25 #include "shrpx_tls_test.h"
26
27 #include "munitxx.h"
28
29 #include "shrpx_tls.h"
30 #include "shrpx_log.h"
31 #include "util.h"
32 #include "template.h"
33 #include "ssl_compat.h"
34
35 using namespace nghttp2;
36
37 namespace shrpx {
38
39 namespace {
40 const MunitTest tests[]{
41 munit_void_test(test_shrpx_tls_create_lookup_tree),
42 munit_void_test(test_shrpx_tls_cert_lookup_tree_add_ssl_ctx),
43 munit_void_test(test_shrpx_tls_tls_hostname_match),
44 munit_void_test(test_shrpx_tls_verify_numeric_hostname),
45 munit_void_test(test_shrpx_tls_verify_dns_hostname),
46 munit_test_end(),
47 };
48 } // namespace
49
50 const MunitSuite tls_suite{
51 "/tls", tests, NULL, 1, MUNIT_SUITE_OPTION_NONE,
52 };
53
test_shrpx_tls_create_lookup_tree(void)54 void test_shrpx_tls_create_lookup_tree(void) {
55 auto tree = std::make_unique<tls::CertLookupTree>();
56
57 constexpr StringRef hostnames[] = {
58 "example.com"_sr, // 0
59 "www.example.org"_sr, // 1
60 "*www.example.org"_sr, // 2
61 "xy*.host.domain"_sr, // 3
62 "*yy.host.domain"_sr, // 4
63 "nghttp2.sourceforge.net"_sr, // 5
64 "sourceforge.net"_sr, // 6
65 "sourceforge.net"_sr, // 7, duplicate
66 "*.foo.bar"_sr, // 8, oo.bar is suffix of *.foo.bar
67 "oo.bar"_sr // 9
68 };
69 auto num = array_size(hostnames);
70
71 for (size_t idx = 0; idx < num; ++idx) {
72 tree->add_cert(hostnames[idx], idx);
73 }
74
75 tree->dump();
76
77 assert_ssize(0, ==, tree->lookup(hostnames[0]));
78 assert_ssize(1, ==, tree->lookup(hostnames[1]));
79 assert_ssize(2, ==, tree->lookup("2www.example.org"_sr));
80 assert_ssize(-1, ==, tree->lookup("www2.example.org"_sr));
81 assert_ssize(3, ==, tree->lookup("xy1.host.domain"_sr));
82 // Does not match *yy.host.domain, because * must match at least 1
83 // character.
84 assert_ssize(-1, ==, tree->lookup("yy.host.domain"_sr));
85 assert_ssize(4, ==, tree->lookup("xyy.host.domain"_sr));
86 assert_ssize(-1, ==, tree->lookup(StringRef{}));
87 assert_ssize(5, ==, tree->lookup(hostnames[5]));
88 assert_ssize(6, ==, tree->lookup(hostnames[6]));
89 static constexpr char h6[] = "pdylay.sourceforge.net";
90 for (int i = 0; i < 7; ++i) {
91 assert_ssize(-1, ==, tree->lookup(StringRef{h6 + i, str_size(h6) - i}));
92 }
93 assert_ssize(8, ==, tree->lookup("x.foo.bar"_sr));
94 assert_ssize(9, ==, tree->lookup(hostnames[9]));
95
96 constexpr StringRef names[] = {
97 "rab"_sr, // 1
98 "zab"_sr, // 2
99 "zzub"_sr, // 3
100 "ab"_sr // 4
101 };
102 num = array_size(names);
103
104 tree = std::make_unique<tls::CertLookupTree>();
105 for (size_t idx = 0; idx < num; ++idx) {
106 tree->add_cert(names[idx], idx);
107 }
108 for (size_t i = 0; i < num; ++i) {
109 assert_ssize((ssize_t)i, ==, tree->lookup(names[i]));
110 }
111 }
112
113 // We use cfssl to generate key pairs.
114 //
115 // CA self-signed key pairs generation:
116 //
117 // $ cfssl genkey -initca ca.nghttp2.org.csr.json |
118 // cfssljson -bare ca.nghttp2.org
119 //
120 // Create CSR:
121 //
122 // $ cfssl genkey test.nghttp2.org.csr.json | cfssljson -bare test.nghttp2.org
123 // $ cfssl genkey test.example.com.csr.json | cfssljson -bare test.example.com
124 //
125 // Sign CSR:
126 //
127 // $ cfssl sign -ca ca.nghttp2.org.pem -ca-key ca.nghttp2.org-key.pem
128 // -config=ca-config.json -profile=server test.nghttp2.org.csr |
129 // cfssljson -bare test.nghttp2.org
130 //
131 // $ cfssl sign -ca ca.nghttp2.org.pem -ca-key ca.nghttp2.org-key.pem
132 // -config=ca-config.json -profile=server test.example.com.csr |
133 // cfssljson -bare test.example.com
134 //
test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void)135 void test_shrpx_tls_cert_lookup_tree_add_ssl_ctx(void) {
136 int rv;
137
138 static constexpr char nghttp2_certfile[] =
139 NGHTTP2_SRC_DIR "/test.nghttp2.org.pem";
140 auto nghttp2_ssl_ctx = SSL_CTX_new(TLS_server_method());
141 auto nghttp2_ssl_ctx_del = defer(SSL_CTX_free, nghttp2_ssl_ctx);
142 auto nghttp2_tls_ctx_data = std::make_unique<tls::TLSContextData>();
143 nghttp2_tls_ctx_data->cert_file = nghttp2_certfile;
144 SSL_CTX_set_app_data(nghttp2_ssl_ctx, nghttp2_tls_ctx_data.get());
145 rv = SSL_CTX_use_certificate_chain_file(nghttp2_ssl_ctx, nghttp2_certfile);
146
147 assert_int(1, ==, rv);
148
149 static constexpr char examples_certfile[] =
150 NGHTTP2_SRC_DIR "/test.example.com.pem";
151 auto examples_ssl_ctx = SSL_CTX_new(TLS_server_method());
152 auto examples_ssl_ctx_del = defer(SSL_CTX_free, examples_ssl_ctx);
153 auto examples_tls_ctx_data = std::make_unique<tls::TLSContextData>();
154 examples_tls_ctx_data->cert_file = examples_certfile;
155 SSL_CTX_set_app_data(examples_ssl_ctx, examples_tls_ctx_data.get());
156 rv = SSL_CTX_use_certificate_chain_file(examples_ssl_ctx, examples_certfile);
157
158 assert_int(1, ==, rv);
159
160 tls::CertLookupTree tree;
161 std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx;
162
163 rv =
164 tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, nghttp2_ssl_ctx);
165
166 assert_int(0, ==, rv);
167
168 rv =
169 tls::cert_lookup_tree_add_ssl_ctx(&tree, indexed_ssl_ctx, examples_ssl_ctx);
170
171 assert_int(0, ==, rv);
172
173 assert_ssize(-1, ==, tree.lookup("not-used.nghttp2.org"_sr));
174 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL
175 assert_ssize(0, ==, tree.lookup("www.test.nghttp2.org"_sr));
176 assert_ssize(1, ==, tree.lookup("w.test.nghttp2.org"_sr));
177 assert_ssize(2, ==, tree.lookup("test.nghttp2.org"_sr));
178 #else // !NGHTTP2_OPENSSL_IS_WOLFSSL
179 assert_ssize(0, ==, tree.lookup("test.nghttp2.org"_sr));
180 assert_ssize(1, ==, tree.lookup("w.test.nghttp2.org"_sr));
181 assert_ssize(2, ==, tree.lookup("www.test.nghttp2.org"_sr));
182 #endif // !NGHTTP2_OPENSSL_IS_WOLFSSL
183 assert_ssize(3, ==, tree.lookup("test.example.com"_sr));
184 }
185
186 template <size_t N, size_t M>
tls_hostname_match_wrapper(const char (& pattern)[N],const char (& hostname)[M])187 bool tls_hostname_match_wrapper(const char (&pattern)[N],
188 const char (&hostname)[M]) {
189 return tls::tls_hostname_match(StringRef{pattern, N}, StringRef{hostname, M});
190 }
191
test_shrpx_tls_tls_hostname_match(void)192 void test_shrpx_tls_tls_hostname_match(void) {
193 assert_true(tls_hostname_match_wrapper("example.com", "example.com"));
194 assert_true(tls_hostname_match_wrapper("example.com", "EXAMPLE.com"));
195
196 // check wildcard
197 assert_true(tls_hostname_match_wrapper("*.example.com", "www.example.com"));
198 assert_true(tls_hostname_match_wrapper("*w.example.com", "www.example.com"));
199 assert_true(
200 tls_hostname_match_wrapper("www*.example.com", "www1.example.com"));
201 assert_true(
202 tls_hostname_match_wrapper("www*.example.com", "WWW12.EXAMPLE.com"));
203 // at least 2 dots are required after '*'
204 assert_false(tls_hostname_match_wrapper("*.com", "example.com"));
205 assert_false(tls_hostname_match_wrapper("*", "example.com"));
206 // '*' must be in left most label
207 assert_false(
208 tls_hostname_match_wrapper("blog.*.example.com", "blog.my.example.com"));
209 // prefix is wrong
210 assert_false(
211 tls_hostname_match_wrapper("client*.example.com", "server.example.com"));
212 // '*' must match at least one character
213 assert_false(
214 tls_hostname_match_wrapper("www*.example.com", "www.example.com"));
215
216 assert_false(tls_hostname_match_wrapper("example.com", "nghttp2.org"));
217 assert_false(tls_hostname_match_wrapper("www.example.com", "example.com"));
218 assert_false(tls_hostname_match_wrapper("example.com", "www.example.com"));
219 }
220
load_cert(const char * path)221 static X509 *load_cert(const char *path) {
222 auto f = fopen(path, "r");
223 auto cert = PEM_read_X509(f, nullptr, nullptr, nullptr);
224
225 fclose(f);
226
227 return cert;
228 }
229
parse_addr(const char * ipaddr)230 static Address parse_addr(const char *ipaddr) {
231 addrinfo hints{};
232
233 hints.ai_family = AF_UNSPEC;
234 hints.ai_flags = AI_NUMERICHOST;
235 #ifdef AI_NUMERICSERV
236 hints.ai_flags |= AI_NUMERICSERV;
237 #endif
238
239 addrinfo *res = nullptr;
240
241 auto rv = getaddrinfo(ipaddr, "443", &hints, &res);
242
243 assert_int(0, ==, rv);
244 assert_not_null(res);
245
246 Address addr;
247 addr.len = res->ai_addrlen;
248 memcpy(&addr.su, res->ai_addr, res->ai_addrlen);
249
250 freeaddrinfo(res);
251
252 return addr;
253 }
254
test_shrpx_tls_verify_numeric_hostname(void)255 void test_shrpx_tls_verify_numeric_hostname(void) {
256 {
257 // Successful IPv4 address match in SAN
258 static constexpr auto ipaddr = "127.0.0.1"_sr;
259 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
260 auto addr = parse_addr(ipaddr.data());
261 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
262
263 assert_int(0, ==, rv);
264
265 X509_free(cert);
266 }
267
268 {
269 // Successful IPv6 address match in SAN
270 static constexpr auto ipaddr = "::1"_sr;
271 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
272 auto addr = parse_addr(ipaddr.data());
273 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
274
275 assert_int(0, ==, rv);
276
277 X509_free(cert);
278 }
279
280 {
281 // Unsuccessful IPv4 address match in SAN
282 static constexpr auto ipaddr = "192.168.0.127"_sr;
283 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
284 auto addr = parse_addr(ipaddr.data());
285 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
286
287 assert_int(-1, ==, rv);
288
289 X509_free(cert);
290 }
291
292 {
293 // CommonName is not used if SAN is available
294 static constexpr auto ipaddr = "192.168.0.1"_sr;
295 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/ipaddr.crt");
296 auto addr = parse_addr(ipaddr.data());
297 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
298
299 assert_int(-1, ==, rv);
300
301 X509_free(cert);
302 }
303
304 {
305 // Successful IPv4 address match in CommonName
306 static constexpr auto ipaddr = "127.0.0.1"_sr;
307 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/nosan_ip.crt");
308 auto addr = parse_addr(ipaddr.data());
309 auto rv = tls::verify_numeric_hostname(cert, ipaddr, &addr);
310
311 assert_int(0, ==, rv);
312
313 X509_free(cert);
314 }
315 }
316
test_shrpx_tls_verify_dns_hostname(void)317 void test_shrpx_tls_verify_dns_hostname(void) {
318 {
319 // Successful exact DNS name match in SAN
320 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
321 auto rv = tls::verify_dns_hostname(cert, "nghttp2.example.com"_sr);
322
323 assert_int(0, ==, rv);
324
325 X509_free(cert);
326 }
327
328 {
329 // Successful wildcard DNS name match in SAN
330 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
331 auto rv = tls::verify_dns_hostname(cert, "www.nghttp2.example.com"_sr);
332
333 assert_int(0, ==, rv);
334
335 X509_free(cert);
336 }
337
338 {
339 // CommonName is not used if SAN is available.
340 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/verify_hostname.crt");
341 auto rv = tls::verify_dns_hostname(cert, "localhost"_sr);
342
343 assert_int(-1, ==, rv);
344
345 X509_free(cert);
346 }
347
348 {
349 // Successful DNS name match in CommonName
350 auto cert = load_cert(NGHTTP2_SRC_DIR "/testdata/nosan.crt");
351 auto rv = tls::verify_dns_hostname(cert, "localhost"_sr);
352
353 assert_int(0, ==, rv);
354
355 X509_free(cert);
356 }
357 }
358
359 } // namespace shrpx
360