Moved these tests here from sbin/isakmpd/regress. They mostly work

but are not enabled by default yet.

2 files changed, 369 insertions, 0 deletions

diff --git a/regress/sbin/isakmpd/x509/Makefile b/regress/sbin/isakmpd/x509/Makefile
new file mode 100644
index 00000000000..af44e8f1d35
--- /dev/null
+++ b/regress/sbin/isakmpd/x509/Makefile
@@ -0,0 +1,78 @@
+#	$OpenBSD: Makefile,v 1.1 2005/04/08 17:12:50 cloder Exp $
+#	$EOM: Makefile,v 1.16 2000/09/28 12:53:27 niklas Exp $
+
+#
+# Copyright (c) 1999 Niels Provos.  All rights reserved.
+# Copyright (c) 1999, 2001 Niklas Hallqvist.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+# Test X509
+
+# Enable this if you have a DNSSEC enabled OpenSSL
+#LIBLWRES=	/usr/local/lib/liblwres.a
+
+PROG=		x509test
+SRCS=		x509test.c conf.c log.c libcrypto.c sysdep.c field.c util.c \
+		isakmp_fld.c ipsec_fld.c ipsec_num.c isakmp_num.c constants.c \
+		cert.c
+TOPSRC=		${.CURDIR}/../../../../sbin/isakmpd
+TOPOBJ!=	cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS!=		awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile
+FEATURES!=	awk '/^FEATURES=/ { print $$0 }' ${TOPSRC}/Makefile | sed 's/FEATURES=.//'
+.PATH:		${TOPSRC} ${TOPSRC}/sysdep/openbsd ${TOPOBJ}
+CFLAGS+=	-I${TOPSRC} -I${TOPSRC}/sysdep/openbsd -I${TOPOBJ} -Wall
+NOMAN=
+DEBUG=		-g
+
+.if ${FEATURES:Mgmp} == "gmp"
+CFLAGS+=	-DMP_FLAVOUR=MP_FLAVOUR_GMP
+LDADD+=		-lgmp
+DPADD+=		${LIBGMP}
+.else
+CFLAGS+=	-DMP_FLAVOUR=MP_FLAVOUR_OPENSSL
+.endif
+
+.include "${TOPSRC}/sysdep/openbsd/Makefile.sysdep"
+
+X509=		x509.c
+POLICY=		policy.c
+
+POLICY=		policy.c
+LDADD+=		-lkeynote -lm
+DPADD+=		${LIBKEYNOTE} ${LIBM}
+CFLAGS+=	-DUSE_KEYNOTE
+
+CFLAGS+=	-DUSE_LIBCRYPTO
+LDADD+=		-lcrypto ${LIBLWRES}
+DPADD+=		${LIBCRYPTO}
+
+SRCS+=		${X509} ${POLICY}
+
+LDADD+=		${DESLIB}
+DPADD+=		${DESLIBDEP}
+
+.include <bsd.regress.mk>
diff --git a/regress/sbin/isakmpd/x509/x509test.c b/regress/sbin/isakmpd/x509/x509test.c
new file mode 100644
index 00000000000..116a8717771
--- /dev/null
+++ b/regress/sbin/isakmpd/x509/x509test.c
@@ -0,0 +1,291 @@
+/*	$OpenBSD: x509test.c,v 1.1 2005/04/08 17:12:50 cloder Exp $	*/
+/*	$EOM: x509test.c,v 1.9 2000/12/21 15:24:25 ho Exp $	*/
+
+/*
+ * Copyright (c) 1998, 1999 Niels Provos.  All rights reserved.
+ * Copyright (c) 1999, 2001 Niklas Hallqvist.  All rights reserved.
+ * Copyright (c) 2001 Håkan Olsson.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+/*
+ * This program takes a certificate generated by ssleay and a key pair
+ * from rsakeygen. It reads the IP address from certificate.txt and
+ * includes this as subject alt name extension into the certifcate.
+ * The result gets written as new certificate that can be used by
+ * isakmpd.
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "conf.h"
+#include "ipsec_num.h"
+#include "isakmp_fld.h"
+#include "libcrypto.h"
+#include "log.h"
+#include "math_mp.h"
+#include "x509.h"
+
+static int x509_check_subjectaltname (u_char *, u_int, X509 *);
+
+u_int32_t file_sz;
+
+#if 0
+/* XXX Currently unused.  */
+static u_int8_t *
+open_file (char *name)
+{
+  int fd;
+  struct stat st;
+  u_int8_t *addr;
+
+  if (stat (name, &st) == -1)
+    log_fatal ("stat (\"%s\", &st)", name);
+  file_sz = st.st_size;
+  fd = open (name, O_RDONLY);
+  if (fd == -1)
+    log_fatal ("open (\"%s\", O_RDONLY)", name);
+  addr = mmap (0, file_sz, PROT_READ | PROT_WRITE, MAP_FILE | MAP_PRIVATE,
+	       fd, 0);
+  if (addr == MAP_FAILED)
+    log_fatal ("mmap (0, %d, PROT_READ | PROT_WRITE, MAP_FILE | MAP_PRIVATE,"
+	       "%d, 0)", file_sz, fd);
+  close (fd);
+
+  return addr;
+}
+#endif
+
+/*
+ * Check that a certificate has a subjectAltName and that it matches our ID.
+ */
+static int
+x509_check_subjectaltname (u_char *id, u_int id_len, X509 *scert)
+{
+  u_int8_t *altname;
+  u_int32_t altlen;
+  int type, idtype, ret;
+
+  type = x509_cert_subjectaltname (scert, &altname, &altlen);
+  if (!type)
+    {
+      log_print ("x509_check_subjectaltname: can't access subjectAltName");
+      return 0;
+    }
+
+  /*
+   * Now that we have the X509 certicate in native form, get the
+   * subjectAltName extension and verify that it matches our ID.
+   */
+
+  /* XXX Get type of ID.  */
+  idtype = id[0];
+  id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+  id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+
+  ret = 0;
+  switch (idtype)
+    {
+    case IPSEC_ID_IPV4_ADDR:
+      if (type == X509v3_IP_ADDR)
+	ret = 1;
+      break;
+    case IPSEC_ID_FQDN:
+      if (type == X509v3_DNS_NAME)
+	ret = 1;
+      break;
+    case IPSEC_ID_USER_FQDN:
+      if (type == X509v3_RFC_NAME)
+	ret = 1;
+      break;
+    default:
+      ret = 0;
+      break;
+    }
+
+  if (!ret)
+    {
+      LOG_DBG ((LOG_CRYPTO, 50,
+		"x509_check_subjectaltname: "
+		"our ID type (%d) does not match X509 cert ID type (%d)",
+		idtype, type));
+      return 0;
+    }
+
+  if (altlen != id_len || memcmp (altname, id, id_len) != 0)
+    {
+      LOG_DBG ((LOG_CRYPTO, 50,
+		"x509_check_subjectaltname: "
+		"our ID does not match X509 cert ID"));
+      return 0;
+    }
+
+  return 1;
+}
+
+int
+main (int argc, char *argv[])
+{
+  RSA *pub_key, *priv_key;
+  X509 *cert;
+  BIO *certfile, *keyfile;
+  EVP_PKEY *pkey_pub;
+  u_char ipaddr[6];
+  struct in_addr saddr;
+  char enc[256], dec[256];
+  u_int8_t idpayload[8];
+  int err, len;
+
+  if (argc < 3 || argc > 4)
+    {
+      fprintf (stderr, "usage: x509test private-key certificate ip-address\n");
+      exit (1);
+    }
+
+  /*
+   * X509_verify will fail, as will all other functions that call
+   * EVP_get_digest_byname.
+   */
+
+  libcrypto_init ();
+
+  printf ("Reading private key %s\n", argv[1]);
+  keyfile = BIO_new (BIO_s_file ());
+  if (BIO_read_filename (keyfile, argv[1]) == -1)
+    {
+      perror ("read");
+      exit (1);
+    }
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+  priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL, NULL);
+#else
+  priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL);
+#endif
+  BIO_free (keyfile);
+  if (priv_key == NULL)
+    {
+      printf("PEM_read_bio_RSAPrivateKey () failed\n");
+      exit (1);
+    }
+
+  /* Use a certificate created by ssleay.  */
+  printf ("Reading ssleay created certificate %s\n", argv[2]);
+  certfile = BIO_new (BIO_s_file ());
+  if (BIO_read_filename (certfile, argv[2]) == -1)
+    {
+      perror ("read");
+      exit (1);
+    }
+#if SSLEAY_VERSION_NUMBER >= 0x00904100L
+  cert = PEM_read_bio_X509 (certfile, NULL, NULL, NULL);
+#else
+  cert = PEM_read_bio_X509 (certfile, NULL, NULL);
+#endif
+  BIO_free (certfile);
+  if (cert == NULL)
+    {
+      printf("PEM_read_bio_X509 () failed\n");
+      exit (1);
+    }
+
+  pkey_pub = X509_get_pubkey (cert);
+  /* XXX Violation of the interface?  */
+  pub_key = pkey_pub->pkey.rsa;
+  if (pub_key == NULL)
+    {
+      exit (1);
+    }
+
+  printf ("Testing RSA keys: ");
+
+  err = 0;
+  strlcpy (dec, "Eine kleine Testmeldung", 256);
+  if ((len = RSA_private_encrypt (strlen (dec), dec, enc, priv_key,
+				  RSA_PKCS1_PADDING)) == -1)
+
+    printf ("SIGN FAILED ");
+  else
+    err = RSA_public_decrypt (len, enc, dec, pub_key, RSA_PKCS1_PADDING);
+
+  if (err == -1 || strcmp (dec, "Eine kleine Testmeldung"))
+    printf ("SIGN/VERIFY FAILED");
+  else
+    printf ("OKAY");
+  printf ("\n");
+
+
+  printf ("Validate SIGNED: ");
+  err = X509_verify (cert, pkey_pub);
+  printf ("X509 verify: %d ", err);
+  if (err == -1)
+    printf ("FAILED ");
+  else
+    printf ("OKAY ");
+  printf ("\n");
+
+  if (argc == 4)
+    {
+      printf ("Verifying extension: ");
+      if (inet_aton (argv[3], &saddr) == 0)
+	{
+	  printf ("inet_aton () failed\n");
+	  exit (1);
+	}
+
+      saddr.s_addr = htonl (saddr.s_addr);
+      ipaddr[0] = 0x87;
+      ipaddr[1] = 0x04;
+      ipaddr[2] = saddr.s_addr >> 24;
+      ipaddr[3] = (saddr.s_addr >> 16) & 0xff;
+      ipaddr[4] = (saddr.s_addr >> 8) & 0xff;
+      ipaddr[5] = saddr.s_addr & 0xff;
+      bzero (idpayload, sizeof idpayload);
+      idpayload[0] = IPSEC_ID_IPV4_ADDR;
+      bcopy (ipaddr + 2, idpayload + 4, 4);
+
+      if (!x509_check_subjectaltname (idpayload, sizeof idpayload, cert))
+	printf("FAILED ");
+      else
+	printf("OKAY ");
+      printf ("\n");
+    }
+
+  return 1;
+}