From 9a5c1f87b72298ed41d5de78cb8485cda3dd9b6d Mon Sep 17 00:00:00 2001
From: Sheldon Hearn
Date: Fri, 17 Nov 2023 08:57:36 +0200
Subject: [PATCH 1/4] Demonstrate strerror regression

Re JuliaLang/MbedTLS.jl#274
---
 test/clntsrvr/badca.cert | 20 ++++++++++++++++
 test/clntsrvr/clntsrvr.jl | 48 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 test/clntsrvr/badca.cert

diff --git a/test/clntsrvr/badca.cert b/test/clntsrvr/badca.cert
new file mode 100644
index 0000000..e07eaae
--- /dev/null
+++ b/test/clntsrvr/badca.cert
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIIRg8z3ebcnAkwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgNDYwZjMzMCAXDTIzMTExNjE0MjIzMFoYDzIxMjMx
+MTE2MTQyMjMwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA0NjBmMzMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCofv0XrEfxbWcSLQSGUYK+LIVf
+C5jkqquHOaH0MWnjNhJeDICqrRWLc3Z+X0cxlcboUvk/oZXWucJqrbaVL1foWIO/
+6dYROJiWyFZw/A7X9vUqJTIFiJuK7NVyDiKzBkNNBQ8Z/KfYjSyBCbWzjXb6fAT/
+lrJl1OGbI17iMhX/Y9imEHtw46wGgRRvSLif/UC114ujqAZ1tQlzZdcVsZzC5yAo
+beeukLz/uIz3FvhzCM0zLfEdtnU0txj6yZqlMOD5sfMESZCkjdKuwwY0Vt/eHLKp
+Jxwr1VGFKSmM7MLGtfwIvLIPQM22iXcntpYXFMUV4xRpqjnrjXapReL6vlP9AgMB
+AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
+BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSPJmaTlhDlmJ9n
+9tcf4Q3t+FPkzjAfBgNVHSMEGDAWgBSPJmaTlhDlmJ9n9tcf4Q3t+FPkzjANBgkq
+hkiG9w0BAQsFAAOCAQEAdj0k/u0g7JQVaCd4sk7tlKvtaKoR5xjebNn87XuXyv80
+mv43yw2hWK4XihLz/SPCFhqz11aQfz7NaUemqX7YAK6jKR4ApjVLqW1tiJpBxX5C
+DPlLV+2htc9Qbjj3/uIqooPfzfAaEOQMRS8JARP4XkdG/t+BCGyWVWBN9/ztFgUc
+nUGlztsvZTknXz2nqplAVJH5TXGFLPegSU/y0y2z6xeIxs2Arx93SzmYNqZnokxR
+WiK2UnH7ClLYiyHumppCpl/dcevs3dNIIqN+vVsRw9g3Qi2d3qgue1L2zC5sbknm
+2EN6MBqIHxU3DgcoLcNrI+6qEhPOHdelSdum/x7A5A==
+-----END CERTIFICATE-----
diff --git a/test/clntsrvr/clntsrvr.jl b/test/clntsrvr/clntsrvr.jl
index bed7406..de406fd 100644
--- a/test/clntsrvr/clntsrvr.jl
+++ b/test/clntsrvr/clntsrvr.jl
@@ -12,9 +12,8 @@ function sslaccept(server, certfile, keyfile)
     return sslconn
 end
 
-function sslconnect(dest, port)
+function sslconnect(dest, port, sslconfig = MbedTLS.SSLConfig(false))
     conn = connect(dest, port)
-    sslconfig = MbedTLS.SSLConfig(false)
     sslconn = MbedTLS.SSLContext()
     MbedTLS.setup!(sslconn, sslconfig)
     MbedTLS.set_bio!(sslconn, conn)
@@ -65,8 +64,53 @@ function testclntsrvr(certfile, keyfile)
     close(t)
 end
 
+function testverify(certfile, keyfile, badcafile)
+    outbuff = ones(UInt8, 100) * UInt8(65)
+    trigger = Channel{Bool}(1)
+    port = UInt16(0)
+    local clntconn, srvrconn
+
+    # setup a watchdog kill-switch
+    t = Timer(10) do t
+        @isdefined(clntconn) && close(clntconn)
+        @isdefined(srvrconn) && close(srvrconn)
+        close(trigger)
+        @test "test failed to complete within timeout"
+    end
+
+    (port, server) = listenany(8000)
+    @info("listening on port $port")
+
+    r = @async begin
+        try
+            srvrconn = sslaccept(server, certfile, keyfile)
+            close(server)
+        catch e
+        end
+        put!(trigger, true)
+        @isdefined(srvrconn) && close(srvrconn)
+    end
+    bind(trigger, r)
+
+    @info("connecting to port $port")
+    badsslconfig = MbedTLS.SSLConfig(true)
+    badsslconfig.chain = MbedTLS.crt_parse(read(badcafile, String))
+    @test_throws "Certificate verification failed" sslconnect("127.0.0.1", port, badsslconfig)
+    @test take!(trigger)
+    wait(r)
+
+    close(t)
+end
+
 @testset "testclntsrvr" begin
     testclntsrvr(
         joinpath(@__DIR__, "test.cert"),
         joinpath(@__DIR__, "test.key"))
 end
+
+@testset "testverify" begin
+    testverify(
+        joinpath(@__DIR__, "test.cert"),
+        joinpath(@__DIR__, "test.key"),
+        joinpath(@__DIR__, "badca.cert"))
+end
From 1a0fe4804289c07c56810422cef0b373003a9ab4 Mon Sep 17 00:00:00 2001
From: Sheldon Hearn
Date: Fri, 17 Nov 2023 08:59:17 +0200
Subject: [PATCH 2/4] Fix regression in strerror

Fixes JuliaLang/MbedTLS.jl#274
---
 src/error.jl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/error.jl b/src/error.jl
index df28e15..af5ecd7 100644
--- a/src/error.jl
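Review bot: The new default `sslconfig = MbedTLS.SSLConfig(false)` folds the removed line's "no peer verification" setting into sslconnect's signature, so every caller that omits the third argument now skips certificate checks silently rather than by an explicit line in the body. That is the prior behaviour and acceptable for a loopback test helper, but the `true`/`false` usage in testverify shows the flag controls verification, so the default deserves a comment where it is declared, e.g. `# default skips peer verification (test helper only); pass a verifying SSLConfig to exercise checks`. sslconnect's body continues past the end of the hunk.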
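Review bot: `@test "test failed to complete within timeout"` in the watchdog callback hands `@test` a String, so a timeout is recorded as a non-Boolean evaluation error instead of the named failure the message intends; `@error "test failed to complete within timeout"` followed by `@test false` reports it as written. Because the Timer callback runs on its own task, the result may also not be attributed to the enclosing `@testset` — worth confirming on the Julia versions the suite targets. `outbuff` is assigned in testverify but never used in the function. The bare `catch e end` around `sslaccept` hides any unexpected server-side failure; a `@debug "server side" exception = e` inside it keeps the best-effort behaviour while leaving a trace when the test fails for a reason other than the expected client-side rejection.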
+++ b/src/error.jl
@@ -22,7 +22,7 @@ function strerror(ret, bufsize=1000)
     ccall((:mbedtls_strerror, libmbedcrypto), Cvoid,
           (Cint, Ptr{Cvoid}, Csize_t),
           ret, buf, bufsize)
-    resize!(buf, something(findfirst(0x00, buf), length(buf) + 1) - 1)
+    resize!(buf, something(findfirst(iszero, buf), length(buf) + 1) - 1)
     s = String(buf)
     if ret == MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
         s *= " (You may need to enable `ssl_conf_renegotiation!`. See " *
From a5474057087733713413a1fd662484f3f4113ac7 Mon Sep 17 00:00:00 2001
From: Sheldon Hearn
Date: Fri, 17 Nov 2023 09:09:59 +0200
Subject: [PATCH 3/4] Match exception substring

---
 test/clntsrvr/clntsrvr.jl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/clntsrvr/clntsrvr.jl b/test/clntsrvr/clntsrvr.jl
index de406fd..5d314ed 100644
--- a/test/clntsrvr/clntsrvr.jl
+++ b/test/clntsrvr/clntsrvr.jl
@@ -95,7 +95,7 @@ function testverify(certfile, keyfile, badcafile)
     @info("connecting to port $port")
     badsslconfig = MbedTLS.SSLConfig(true)
     badsslconfig.chain = MbedTLS.crt_parse(read(badcafile, String))
-    @test_throws "Certificate verification failed" sslconnect("127.0.0.1", port, badsslconfig)
+    @test_throws r"Certificate verification failed" sslconnect("127.0.0.1", port, badsslconfig)
     @test take!(trigger)
     wait(r)
 
From 37e929c8af3badbeb96240eb6f69eb2ae4e608ba Mon Sep 17 00:00:00 2001
From: Sheldon Hearn
Date: Fri, 17 Nov 2023 09:28:47 +0200
Subject: [PATCH 4/4] Fix test on julia-1.6

---
 test/clntsrvr/clntsrvr.jl | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/test/clntsrvr/clntsrvr.jl b/test/clntsrvr/clntsrvr.jl
index 5d314ed..cd56fb3 100644
--- a/test/clntsrvr/clntsrvr.jl
+++ b/test/clntsrvr/clntsrvr.jl
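Review bot: The series adds no direct assertion on `strerror`, so the `findfirst(iszero, buf)` fix on the `+` line is exercised only indirectly through the TLS handshake in testverify, and a later change to that test path could mask a repeat of the regression. A unit test on a known error code pins the behaviour this hunk repairs, e.g. `s = strerror(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE); @test !isempty(s) && !occursin('\0', s)`, using whatever qualification the test suite needs for those names (their export status is not visible here). The fallback `length(buf) + 1` path, which keeps the whole buffer when no NUL is found, is presumably unreachable for a NUL-terminating C routine, but a comment saying so would help the next reader. strerror's opening lines, where `buf` is allocated, are outside the hunk.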
@@ -95,7 +95,15 @@ function testverify(certfile, keyfile, badcafile)
     @info("connecting to port $port")
     badsslconfig = MbedTLS.SSLConfig(true)
     badsslconfig.chain = MbedTLS.crt_parse(read(badcafile, String))
-    @test_throws r"Certificate verification failed" sslconnect("127.0.0.1", port, badsslconfig)
+    try
+        clntconn = sslconnect("127.0.0.1", port, badsslconfig)
+    catch e
+        @test contains(e.msg, "Certificate verification failed")
+    end
+    if @isdefined(clntconn)
+        close(clntconn)
+        @test "No exception raised for certificate verification failure"
+    end
     @test take!(trigger)
     wait(r)
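Review bot: `e.msg` in the new `catch e` block assumes every exception reaching it carries a `msg` field; if the handshake fails with a different exception type (a socket error, for instance), the field access itself throws inside the handler and the test errors out without ever showing the original exception. `sprint(showerror, e)` renders any exception and keeps the same substring check. The no-exception branch then reports failure with `@test "No exception raised ..."`, which gives `@test` a String and is recorded as a non-Boolean evaluation error rather than the intended failure; tracking whether the call threw in a local flag and asserting `@test threw` reports it cleanly and collapses the `if @isdefined(clntconn)` block to a one-liner. testverify begins and ends outside this hunk.
```julia
    threw = false
    try
        clntconn = sslconnect("127.0.0.1", port, badsslconfig)
    catch e
        threw = true
        # render the exception instead of assuming it has a `msg` field
        @test contains(sprint(showerror, e), "Certificate verification failed")
    end
    @isdefined(clntconn) && close(clntconn)
    @test threw
    # … unchanged: take!(trigger) / wait(r) …
```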