From dc5dd7ee36dae7011f73137965d5546880cd4c47 Mon Sep 17 00:00:00 2001 From: Vivek Saini Date: Wed, 20 Apr 2022 00:30:01 +0000 Subject: [PATCH 1/2] Only run the tls-name-validation test if --tls is passed into runtest --- tests/unit/tls-name-validation.tcl | 169 +++++++++++++++-------------- 1 file changed, 89 insertions(+), 80 deletions(-) diff --git a/tests/unit/tls-name-validation.tcl b/tests/unit/tls-name-validation.tcl index f0569b028..f6f20b4f9 100644 --- a/tests/unit/tls-name-validation.tcl +++ b/tests/unit/tls-name-validation.tcl @@ -1,111 +1,120 @@ -test {TLS: Able to connect with no allowlist} { - start_server {tags {"tls"}} { - catch {r PING} e - assert_match {PONG} $e +# only run this test if tls is enabled +if {$::tls} { + package require tls + test {TLS: Able to connect with no allowlist} { + start_server {tags {"tls"}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect with allowlist '*'} { - start_server {tags {"tls"} overrides {tls-allowlist *}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect with allowlist '*'} { + start_server {tags {"tls"} overrides {tls-allowlist *}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect with matching CN} { - start_server {tags {"tls"} overrides {tls-allowlist client.keydb.dev}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect with matching CN} { + start_server {tags {"tls"} overrides {tls-allowlist client.keydb.dev}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect with matching SAN} { - start_server {tags {"tls"} overrides {tls-allowlist san1.keydb.dev}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect with matching SAN} { + start_server {tags {"tls"} overrides {tls-allowlist san1.keydb.dev}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect with matching CN with wildcard} { - start_server {tags {"tls"} overrides {tls-allowlist client*.dev}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect with matching CN with wildcard} { + start_server {tags {"tls"} overrides {tls-allowlist client*.dev}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect with matching SAN with wildcard} { - start_server {tags {"tls"} overrides {tls-allowlist san*.dev}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect with matching SAN with wildcard} { + start_server {tags {"tls"} overrides {tls-allowlist san*.dev}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect while with CN having a comprehensive list} { - start_server {tags {"tls"} overrides {tls-allowlist {dummy.keydb.dev client.keydb.dev other.keydb.dev}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect while with CN having a comprehensive list} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.keydb.dev client.keydb.dev other.keydb.dev}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect while with SAN having a comprehensive list} { - start_server {tags {"tls"} overrides {tls-allowlist {dummy.keydb.dev san2.keydb.dev other.keydb.dev}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect while with SAN having a comprehensive list} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.keydb.dev san2.keydb.dev other.keydb.dev}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect while with CN having a comprehensive list with wildcards} { - start_server {tags {"tls"} overrides {tls-allowlist {dummy.* client*.dev other.*}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect while with CN having a comprehensive list with wildcards} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.* client*.dev other.*}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to connect while with SAN having a comprehensive list with wildcards} { - start_server {tags {"tls"} overrides {tls-allowlist {dummy.* san*.dev other.*}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to connect while with SAN having a comprehensive list with wildcards} { + start_server {tags {"tls"} overrides {tls-allowlist {dummy.* san*.dev other.*}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Not matching CN or SAN rejected} { - start_server {tags {"tls"} overrides {tls-allowlist {client.keydb.dev}}} { - catch {set r2 [redis_client_tls -keyfile "$::tlsdir/client2.key" -certfile "$::tlsdir/client2.crt" -require 1 -cafile "$::tlsdir/ca.crt"]} e - assert_match {*I/O error reading reply*} $e + test {TLS: Not matching CN or SAN rejected} { + start_server {tags {"tls"} overrides {tls-allowlist {client.keydb.dev}}} { + catch {set r2 [redis_client_tls -keyfile "$::tlsdir/client2.key" -certfile "$::tlsdir/client2.crt" -require 1 -cafile "$::tlsdir/ca.crt"]} e + assert_match {*I/O error reading reply*} $e + } } -} -test {TLS: Able to match against DNS SAN} { - start_server {tags {"tls"} overrides {tls-allowlist {san1.keydb.dev}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to match against DNS SAN} { + start_server {tags {"tls"} overrides {tls-allowlist {san1.keydb.dev}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to match against email SAN} { - start_server {tags {"tls"} overrides {tls-allowlist {someone@keydb.dev}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to match against email SAN} { + start_server {tags {"tls"} overrides {tls-allowlist {someone@keydb.dev}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to match against IPv4 SAN} { - start_server {tags {"tls"} overrides {tls-allowlist {192.168.0.1}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to match against IPv4 SAN} { + start_server {tags {"tls"} overrides {tls-allowlist {192.168.0.1}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to match against IPv4 with a wildcard} { - start_server {tags {"tls"} overrides {tls-allowlist {192.*}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to match against IPv4 with a wildcard} { + start_server {tags {"tls"} overrides {tls-allowlist {192.*}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} -test {TLS: Able to match against URI SAN} { - start_server {tags {"tls"} overrides {tls-allowlist {https://keydb.dev}}} { - catch {r PING} e - assert_match {PONG} $e + test {TLS: Able to match against URI SAN} { + start_server {tags {"tls"} overrides {tls-allowlist {https://keydb.dev}}} { + catch {r PING} e + assert_match {PONG} $e + } } -} +} else { + start_server {} { + # just a dummy server so that the test doesn't panic if tls is disabled + # otherwise the test will try to bind to a server that just isn't there + } +} \ No newline at end of file From 08f88f7a5997b572e5ffb24a1bb5bf7f81c6bf5b Mon Sep 17 00:00:00 2001 From: Vivek Saini Date: Wed, 20 Apr 2022 01:21:11 +0000 Subject: [PATCH 2/2] Fix KeyDB not building with TLS < 1.1.1 --- src/tls.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/tls.cpp b/src/tls.cpp index c2490bd56..9b3a0415c 100644 --- a/src/tls.cpp +++ b/src/tls.cpp @@ -491,6 +491,12 @@ bool tlsCheckAgainstAllowlist(const char * client){ return false; } +/* ASN1_STRING_get0_data was introduced in OPENSSL 1.1.1 + * use ASN1_STRING_data for older versions where it is not available */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif + bool tlsValidateCertificateName(tls_connection* conn){ if (g_pserver->tls_allowlist.empty()) return true; // Empty list implies acceptance of all