source-git / gnutls

Clone
Source Code
GIT

Blame tests/tls13/anti_replay.c

c8 c8s master
  1.   c8s
  2.   tests
  3.   tls13
  4.   anti_replay.c
Blob History Raw
Packit Service 4684c1 
/*
Packit Service 4684c1 
 * Copyright (C) 2015-2018 Red Hat, Inc.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * This file is part of GnuTLS.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * GnuTLS is free software; you can redistribute it and/or modify it
Packit Service 4684c1 
 * under the terms of the GNU General Public License as published by
Packit Service 4684c1 
 * the Free Software Foundation; either version 3 of the License, or
Packit Service 4684c1 
 * (at your option) any later version.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * GnuTLS is distributed in the hope that it will be useful, but
Packit Service 4684c1 
 * WITHOUT ANY WARRANTY; without even the implied warranty of
Packit Service 4684c1 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Packit Service 4684c1 
 * General Public License for more details.
Packit Service 4684c1 
 *
Packit Service 4684c1 
 * You should have received a copy of the GNU Lesser General Public License
Packit Service 4684c1 
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
Packit Service 4684c1 
 */
Packit Service 4684c1
Packit Service 4684c1 
#ifdef HAVE_CONFIG_H
Packit Service 4684c1 
#include <config.h>
Packit Service 4684c1 
#endif
Packit Service 4684c1
Packit Service 4684c1 
#include <assert.h>
Packit Service 4684c1 
#include <stdint.h>
Packit Service 4684c1
Packit Service 4684c1 
#include "virt-time.h"
Packit Service 4684c1 
#include "../../lib/tls13/anti_replay.h"
Packit Service 4684c1 
#include "../../lib/system.h"
Packit Service 4684c1
Packit Service 4684c1 
/* utils.h must be loaded after gnutls_int.h, as it redefines some
Packit Service 4684c1 
 * macros from gnulib */
Packit Service 4684c1 
#include "utils.h"
Packit Service 4684c1
Packit Service 4684c1 
#define MAX_CLIENT_HELLO_RECORDED 10
Packit Service 4684c1
Packit Service 4684c1 
struct storage_st {
Packit Service 4684c1 
	gnutls_datum_t entries[MAX_CLIENT_HELLO_RECORDED];
Packit Service 4684c1 
	size_t num_entries;
Packit Service 4684c1 
};
Packit Service 4684c1
Packit Service 4684c1 
static int
Packit Service 4684c1 
storage_add(void *ptr, time_t expires, const gnutls_datum_t *key, const gnutls_datum_t *value)
Packit Service 4684c1 
{
Packit Service 4684c1 
	struct storage_st *storage = ptr;
Packit Service 4684c1 
	gnutls_datum_t *datum;
Packit Service 4684c1 
	size_t i;
Packit Service 4684c1
Packit Service 4684c1 
	for (i = 0; i < storage->num_entries; i++) {
Packit Service 4684c1 
		if (key->size == storage->entries[i].size &&
Packit Service 4684c1 
		    memcmp(storage->entries[i].data, key->data, key->size) == 0) {
Packit Service 4684c1 
			return GNUTLS_E_DB_ENTRY_EXISTS;
Packit Service 4684c1 
		}
Packit Service 4684c1 
	}
Packit Service 4684c1
Packit Service 4684c1 
	/* If the maximum number of ClientHello exceeded, reject early
Packit Service 4684c1 
	 * data until next time.
Packit Service 4684c1 
	 */
Packit Service 4684c1 
	if (storage->num_entries == MAX_CLIENT_HELLO_RECORDED)
Packit Service 4684c1 
		return GNUTLS_E_DB_ERROR;
Packit Service 4684c1
Packit Service 4684c1 
	datum = &storage->entries[storage->num_entries];
Packit Service 4684c1 
	datum->data = gnutls_malloc(key->size);
Packit Service 4684c1 
	if (!datum->data)
Packit Service 4684c1 
		return GNUTLS_E_MEMORY_ERROR;
Packit Service 4684c1 
	memcpy(datum->data, key->data, key->size);
Packit Service 4684c1 
	datum->size = key->size;
Packit Service 4684c1
Packit Service 4684c1 
	storage->num_entries++;
Packit Service 4684c1
Packit Service 4684c1 
	return 0;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
static void
Packit Service 4684c1 
storage_clear(struct storage_st *storage)
Packit Service 4684c1 
{
Packit Service 4684c1 
	size_t i;
Packit Service 4684c1
Packit Service 4684c1 
	for (i = 0; i < storage->num_entries; i++)
Packit Service 4684c1 
		gnutls_free(storage->entries[i].data);
Packit Service 4684c1 
	storage->num_entries = 0;
Packit Service 4684c1 
}
Packit Service 4684c1
Packit Service 4684c1 
void doit(void)
Packit Service 4684c1 
{
Packit Service 4684c1 
	gnutls_anti_replay_t anti_replay;
Packit Service 4684c1 
	gnutls_datum_t key = { (unsigned char *) "\xFF\xFF\xFF\xFF", 4 };
Packit Service 4684c1 
	struct timespec creation_time;
Packit Service 4684c1 
	struct storage_st storage;
Packit Service 4684c1 
	int ret;
Packit Service 4684c1
Packit Service 4684c1 
	virt_time_init();
Packit Service 4684c1 
	memset(&storage, 0, sizeof(storage));
Packit Service 4684c1
Packit Service 4684c1 
	/* server_ticket_age < client_ticket_age */
Packit Service 4684c1 
	ret = gnutls_anti_replay_init(&anti_replay);
Packit Service 4684c1 
	assert(ret == 0);
Packit Service 4684c1 
	gnutls_anti_replay_set_window(anti_replay, 10000);
Packit Service 4684c1 
	gnutls_anti_replay_set_add_function(anti_replay, storage_add);
Packit Service 4684c1 
	gnutls_anti_replay_set_ptr(anti_replay, &storage);
Packit Service 4684c1 
	mygettime(&creation_time);
Packit Service 4684c1 
	ret = _gnutls_anti_replay_check(anti_replay, 10000, &creation_time, &key);
Packit Service 4684c1 
	if (ret != GNUTLS_E_ILLEGAL_PARAMETER)
Packit Service 4684c1 
		fail("error is not returned, while server_ticket_age < client_ticket_age\n");
Packit Service 4684c1 
	gnutls_anti_replay_deinit(anti_replay);
Packit Service 4684c1 
	storage_clear(&storage);
Packit Service 4684c1
Packit Service 4684c1 
	/* server_ticket_age - client_ticket_age > window */
Packit Service 4684c1 
	ret = gnutls_anti_replay_init(&anti_replay);
Packit Service 4684c1 
	assert(ret == 0);
Packit Service 4684c1 
	gnutls_anti_replay_set_add_function(anti_replay, storage_add);
Packit Service 4684c1 
	gnutls_anti_replay_set_ptr(anti_replay, &storage);
Packit Service 4684c1 
	gnutls_anti_replay_set_window(anti_replay, 10000);
Packit Service 4684c1 
	mygettime(&creation_time);
Packit Service 4684c1 
	virt_sec_sleep(30);
Packit Service 4684c1 
	ret = _gnutls_anti_replay_check(anti_replay, 10000, &creation_time, &key);
Packit Service 4684c1 
	if (ret != GNUTLS_E_EARLY_DATA_REJECTED)
Packit Service 4684c1 
		fail("early data is NOT rejected, while freshness check fails\n");
Packit Service 4684c1 
	gnutls_anti_replay_deinit(anti_replay);
Packit Service 4684c1 
	storage_clear(&storage);
Packit Service 4684c1
Packit Service 4684c1 
	/* server_ticket_age - client_ticket_age < window */
Packit Service 4684c1 
	ret = gnutls_anti_replay_init(&anti_replay);
Packit Service 4684c1 
	assert(ret == 0);
Packit Service 4684c1 
	gnutls_anti_replay_set_add_function(anti_replay, storage_add);
Packit Service 4684c1 
	gnutls_anti_replay_set_ptr(anti_replay, &storage);
Packit Service 4684c1 
	gnutls_anti_replay_set_window(anti_replay, 10000);
Packit Service 4684c1 
	mygettime(&creation_time);
Packit Service 4684c1 
	virt_sec_sleep(15);
Packit Service 4684c1 
	ret = _gnutls_anti_replay_check(anti_replay, 10000, &creation_time, &key);
Packit Service 4684c1 
	if (ret != 0)
Packit Service 4684c1 
		fail("early data is rejected, while freshness check succeeds\n");
Packit Service 4684c1 
	ret = _gnutls_anti_replay_check(anti_replay, 10000, &creation_time, &key);
Packit Service 4684c1 
	if (ret != GNUTLS_E_EARLY_DATA_REJECTED)
Packit Service 4684c1 
		fail("early data is NOT rejected for a duplicate key\n");
Packit Service 4684c1 
	gnutls_anti_replay_deinit(anti_replay);
Packit Service 4684c1 
	storage_clear(&storage);
Packit Service 4684c1 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation