Merge branch '25.1-tls-security-fix' into '25.1'

(25.1) - aws-net-ssl__gnutls.adb: Properly initialize the API.

See merge request eng/toolchain/aws!78

Author: TurboGit

config/ssl/aws-net-ssl__gnutls.adb

@@ -2502,6 +2502,8 @@ package body AWS.Net.SSL is
    end Write_Socket;
 
 begin
+   Initialize_Default_Config;
+
    TSSL.gnutls_global_set_mem_functions
      (alloc_func        => Lib_Alloc'Address,
       secure_alloc_func => System.Memory.Alloc'Address,

regtests/0364_ssl_check_certs/cert.pem

@@ -0,0 +1,96 @@
+Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=FR, ST=Ile de France, O=AWS Team, CN=localhost/[email protected]
+        Validity
+            Not Before: Jun 28 14:05:49 2022 GMT
+            Not After : Jun 25 14:05:49 2032 GMT
+        Subject: C=FR, ST=Ile de France, O=AWS Team, CN=0043_check_mem/[email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d3:97:fb:e7:70:79:e9:09:77:97:94:6a:6e:eb:
+                    11:93:74:47:47:d0:6d:8f:b3:85:6a:57:85:ad:5d:
+                    78:b3:6f:97:e4:e3:ec:fe:de:dd:9d:58:e0:c9:d0:
+                    bb:08:eb:21:fd:27:20:43:87:3f:e9:ef:0d:f6:21:
+                    c9:c3:66:bf:4f:d7:34:ef:d8:c9:07:9f:e0:d6:32:
+                    cc:e8:59:45:2c:65:57:6c:24:e3:af:7f:11:ae:0b:
+                    1c:25:82:10:a1:4f:b0:fb:f3:13:e9:e6:44:7e:0b:
+                    c3:3f:1c:11:a3:71:6d:f4:bf:ef:0d:c1:b2:75:52:
+                    6a:2e:e4:4c:5f:92:80:0d:a4:73:64:d4:cc:5d:cd:
+                    51:59:45:8d:73:36:6c:28:3f:a2:e6:7e:6f:70:48:
+                    cc:7a:0c:df:25:9a:63:b4:d8:0b:4d:d3:a9:2b:21:
+                    8e:23:5f:fa:d0:23:fd:4b:4d:5a:c3:f6:9b:55:9e:
+                    92:9d:0a:8a:28:2c:7a:d7:bb:e9:8d:77:14:74:63:
+                    a7:79:d2:07:d0:fc:37:56:b6:6d:88:0f:b0:36:c4:
+                    8b:f8:1f:87:a5:b4:92:36:07:ba:5f:2b:11:25:c7:
+                    02:28:df:f5:8d:26:49:3b:26:2a:14:a4:fa:78:e7:
+                    6e:41:70:b5:39:33:7e:4a:a3:04:4b:32:04:b5:3b:
+                    f4:fb
+                Exponent: 65537 (0x10001)
+    Signature Algorithm: sha256WithRSAEncryption
+         8a:8c:93:a8:3b:00:a7:f1:c4:bd:6e:2b:e1:22:f5:34:10:77:
+         4d:9e:85:e9:ce:eb:1d:46:1b:5d:85:c6:e2:80:bb:30:ac:66:
+         9b:51:99:e6:ce:dc:65:3d:e4:c8:a2:c3:2c:ba:d8:bb:b9:8a:
+         e5:d6:88:12:3b:44:07:2b:d6:6d:f1:31:53:0d:84:3e:4f:81:
+         c3:2b:f4:60:2b:b6:2c:61:2b:91:cd:6c:61:11:a6:11:b6:2e:
+         cd:9a:7a:f7:4c:d5:89:4f:b3:40:e4:60:cb:76:6e:77:62:fb:
+         ff:5f:62:87:c4:3f:22:27:a8:33:49:80:32:9e:b9:08:b3:ea:
+         f5:91:39:da:4a:b2:5e:da:2f:f5:ab:a3:52:59:17:fa:71:0b:
+         7c:16:fc:6a:6a:ab:38:89:36:c2:49:89:01:c9:77:db:3c:97:
+         94:02:29:30:17:43:a4:07:88:86:7e:fa:f8:59:50:18:c5:4d:
+         ac:3e:83:a2:6b:eb:84:e2:88:1e:94:bc:96:13:e6:2b:aa:70:
+         a3:52:10:e6:fb:2d:0c:f5:61:5f:5a:9b:9b:50:7b:af:5a:0b:
+         43:55:e6:22:2c:36:cb:b8:91:99:51:f3:00:92:58:71:ea:b4:
+         13:ab:c8:5e:38:96:b1:16:b2:fd:a6:3d:e0:77:33:c8:27:0c:
+         0e:4c:c0:4f
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjMCAQEwDQYJKoZIhvcNAQELBQAwaTELMAkGA1UEBhMCRlIxFjAUBgNV
+BAgMDUlsZSBkZSBGcmFuY2UxETAPBgNVBAoMCEFXUyBUZWFtMRIwEAYDVQQDDAls
+b2NhbGhvc3QxGzAZBgkqhkiG9w0BCQEWDGF3c0BvYnJ5Lm5ldDAeFw0yMjA2Mjgx
+NDA1NDlaFw0zMjA2MjUxNDA1NDlaMG4xCzAJBgNVBAYTAkZSMRYwFAYDVQQIDA1J
+bGUgZGUgRnJhbmNlMREwDwYDVQQKDAhBV1MgVGVhbTEXMBUGA1UEAwwOMDA0M19j
+aGVja19tZW0xGzAZBgkqhkiG9w0BCQEWDGF3c0BvYnJ5Lm5ldDCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBANOX++dweekJd5eUam7rEZN0R0fQbY+zhWpX
+ha1deLNvl+Tj7P7e3Z1Y4MnQuwjrIf0nIEOHP+nvDfYhycNmv0/XNO/YyQef4NYy
+zOhZRSxlV2wk469/Ea4LHCWCEKFPsPvzE+nmRH4Lwz8cEaNxbfS/7w3BsnVSai7k
+TF+SgA2kc2TUzF3NUVlFjXM2bCg/ouZ+b3BIzHoM3yWaY7TYC03TqSshjiNf+tAj
+/UtNWsP2m1Wekp0Kiigsete76Y13FHRjp3nSB9D8N1a2bYgPsDbEi/gfh6W0kjYH
+ul8rESXHAijf9Y0mSTsmKhSk+njnbkFwtTkzfkqjBEsyBLU79PsCAwEAATANBgkq
+hkiG9w0BAQsFAAOCAQEAioyTqDsAp/HEvW4r4SL1NBB3TZ6F6c7rHUYbXYXG4oC7
+MKxmm1GZ5s7cZT3kyKLDLLrYu7mK5daIEjtEByvWbfExUw2EPk+Bwyv0YCu2LGEr
+kc1sYRGmEbYuzZp690zViU+zQORgy3Zud2L7/19ih8Q/IieoM0mAMp65CLPq9ZE5
+2kqyXtov9aujUlkX+nELfBb8amqrOIk2wkmJAcl32zyXlAIpMBdDpAeIhn76+FlQ
+GMVNrD6DomvrhOKIHpS8lhPmK6pwo1IQ5vstDPVhX1qbm1B7r1oLQ1XmIiw2y7iR
+mVHzAJJYceq0E6vIXjiWsRay/aY94HczyCcMDkzATw==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA05f753B56Ql3l5RqbusRk3RHR9Btj7OFaleFrV14s2+X5OPs
+/t7dnVjgydC7COsh/ScgQ4c/6e8N9iHJw2a/T9c079jJB5/g1jLM6FlFLGVXbCTj
+r38RrgscJYIQoU+w+/MT6eZEfgvDPxwRo3Ft9L/vDcGydVJqLuRMX5KADaRzZNTM
+Xc1RWUWNczZsKD+i5n5vcEjMegzfJZpjtNgLTdOpKyGOI1/60CP9S01aw/abVZ6S
+nQqKKCx617vpjXcUdGOnedIH0Pw3VrZtiA+wNsSL+B+HpbSSNge6XysRJccCKN/1
+jSZJOyYqFKT6eOduQXC1OTN+SqMESzIEtTv0+wIDAQABAoIBAQCGSan025xzeq+s
+wuO9m3CfLafjevNdxSiCMiPDwFPPRZ6YBNOvedAagYLAcrmRUnFS0hcW5Gp61F3+
+/LipS7dVO5b8NZB4R06RgtIrECTnpTWTi+H4ymN1GtX1NBPL3ODNNhtIUfzcJij3
+D6BeI6oOMBXOnETfUrvTIM8bxMWCYdjB/kTLBdn6dnY8Jfjits7HklFtYCyB9N86
+V75lKt247cDnahf7A+sYdNVJlWHgCcTQjwNhfCmMyou/FAt0M2hs8Rm5jK6iPLE/
+5ow3zVw0H/bVoNtpf/dDUtMV0wrnEieX78PdoRXvR35XMfIKiNzcTBEJnlzGlYjn
+C4/QecxZAoGBAP6XIfY2MSHcTFUc6Dh7vrsIYAWbcane2ax0OLv+Pqm9lniP7VT6
+jfPM1Wj1LsK5V22jNNQU5Y6NcLzInWwnMa8pgelEgr7DL/B9UfGTzfd4mbFPcOYG
+YgG3FRRu5PatVLOGfPUdgYUtZOTQbAdYLjye3CNUFoxu3+SZI05tOaiVAoGBANTD
+5++fMHgKPNbmzvrwqI8ASkRWdvKJK4WRKr/BOh3UiWzeIERH2QmA2sud8vJi7ALD
+vXgw1YkP9v39/DXEeO7L6/ydX7rmt/ZwK37TiKgY2KMxkZFXKqB6dEk0gyF3yAv2
+zgxysMn8GzVCcrY6fQPihhwqlKxaCKox/W+nXnNPAoGBAK9VyKb3lYjbXpqziN71
+olrPHspdzr8N4l3ZwQT/yYo/LrUjcnE3CbJhXIynZyfmW2b/oq95IMu3b3Akvf4x
+VA9th7HuZBka9hYrSNcWUyBfJ4Is0vUoajECNPtYkEmvAAmP0tlBE+VzaOwI+o1o
+VpebVMLj84+OAJZAPUeTA8WtAoGAB0Z/qtj1rlUjSXHxB/Gswd8PqxCN1rNMErAp
+Fw+DbjuzS065KbyPNlz6nlXTVeh+C4Yn93EsDBjIqFzEAA6s1/WPJz82Y8y546po
+Qlj3ZlAbMFFkmeSyJ3Sof0xVY5KV+5q/5vsRAoclYwfXplWPqs9XKKVoGhCmFTPK
+Z8QAXc8CgYBe1GTV6GEcCgv9zcZUOXQpg9iq3rgpJUUg2N1HLkJDesNq+YZjbh0v
+02u3CkDLiYhQi7ClxGGvVcZ3tBf0y37Mi4n/GH651HDUVhXmj0fsTf1Sh7F3OpD8
+3M/kr2QFBGZgq3H7rfIh/eQdH3PZdk38c2e+DzXpi8KkyY4cuAB7pg==
+-----END RSA PRIVATE KEY-----

regtests/0364_ssl_check_certs/check_cert.adb

@@ -0,0 +1,163 @@
+------------------------------------------------------------------------------
+--                              Ada Web Server                              --
+--                                                                          --
+--                       Copyright (C) 2024, AdaCore                        --
+--                                                                          --
+--  This is free software;  you can redistribute it  and/or modify it       --
+--  under terms of the  GNU General Public License as published  by the     --
+--  Free Software  Foundation;  either version 3,  or (at your option) any  --
+--  later version.  This software is distributed in the hope  that it will  --
+--  be useful, but WITHOUT ANY WARRANTY;  without even the implied warranty --
+--  of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU     --
+--  General Public License for  more details.                               --
+--                                                                          --
+--  You should have  received  a copy of the GNU General  Public  License   --
+--  distributed  with  this  software;   see  file COPYING3.  If not, go    --
+--  to http://www.gnu.org/licenses for a complete copy of the license.      --
+------------------------------------------------------------------------------
+
+with Ada.Text_IO;
+with Ada.Exceptions;
+
+with AWS.Client;
+with AWS.Response;
+with AWS.Net.SSL.Certificate;
+
+procedure Check_Cert is
+
+   use Ada;
+   use Ada.Exceptions;
+
+   function Clean_Up_Response (Content : String) return String;
+   --  Only first line, remove traceback
+
+   procedure Check (URL : String);
+   --  Check a bad URL and report error
+
+   ---------------
+   -- Check_Def --
+   ---------------
+
+   procedure Check_Def (URL : String) is
+      use AWS;
+
+      Conn : Client.HTTP_Connection;
+      Data : Response.Data;
+   begin
+      Text_IO.Put_Line ("CHECK: default SSL setup");
+
+      --  Issue a Get on a connection established with the default SSL
+      --  setting (request to check certificates which is the default).
+
+      Client.Create
+        (Connection => Conn,
+         Host       => URL);
+
+      Client.Get (Conn, Data);
+
+      Text_IO.Put_Line ("  Status Code: " & Response.Status_Code (Data)'Img);
+      Text_IO.Put_Line
+        ("  Response: "
+         & Clean_Up_Response (Response.Message_Body (Data)));
+   exception
+      when E : others =>
+         Text_IO.Put_Line (Exception_Message (E));
+   end Check_Def;
+
+   ---------------
+   -- Check_Cnf --
+   ---------------
+
+   procedure Check_Cnf (URL : String; Check_Certificate : Boolean) is
+      use AWS;
+
+      Conn    : Client.HTTP_Connection;
+      Data    : Response.Data;
+      SSL_Cfg : AWS.Net.SSL.Config;
+
+   begin
+      Text_IO.Put_Line
+        ("CHECK: SSL config with Check_Certificate = "
+         & Check_Certificate'Image);
+
+      AWS.Net.SSL.Initialize
+        (Config               => SSL_Cfg,
+         Security_Mode        => AWS.Net.SSL.TLS_Client,
+         Check_Certificate    => Check_Certificate,
+         Exchange_Certificate => True);
+
+      --  Issue a Get on a connection established with an explicit
+      --  request to check or ignore certificates.
+      --
+      --  When checking certificate we expect a S4xx response
+      --  otherwise S200 status code is expected.
+
+      Client.Create
+        (Connection => Conn,
+         Host       => URL,
+         SSL_Config => SSL_Cfg);
+
+      Client.Get (Conn, Data);
+
+      Text_IO.Put_Line ("  Status Code: " & Response.Status_Code (Data)'Img);
+
+      --  Don't display the actual body if we do not check certificate, this
+      --  has no meaning as a standard Web page is returned.
+
+      if Check_Certificate then
+         Text_IO.Put_Line
+           ("  Response: "
+            & Clean_Up_Response (Response.Message_Body (Data)));
+      end if;
+   exception
+      when E : others =>
+         Text_IO.Put_Line (Exception_Message (E));
+   end Check_Cnf;
+
+   -----------
+   -- Check --
+   -----------
+
+   procedure Check (URL : String) is
+   begin
+      --  We check three cases
+      Text_IO.Put_Line ("-------------------------------------------------");
+      Text_IO.Put_Line ("URL : " & URL);
+
+      --  Check that the default SSL configuration is properly initialized
+      Check_Def (URL);
+      --  Check that when using a specific configuration the check is done
+      Check_Cnf (URL, Check_Certificate => True);
+      --  Check that when using a specific configuration without certificate
+      --  checking we don't fail.
+      Check_Cnf (URL, Check_Certificate => False);
+      Text_IO.New_Line;
+   end Check;
+
+   -----------------------
+   -- Clean_Up_Response --
+   -----------------------
+
+   function Clean_Up_Response (Content : String) return String is
+      C    : String := Content;
+      Last : Natural := C'First;
+   begin
+      while Last in C'Range
+        and then C (Last) /= ASCII.CR
+        and then C (Last) /= ASCII.LF
+      loop
+         if C (Last) in '0' .. '9' then
+            C (Last) := 'x';
+         end if;
+         Last := Last + 1;
+      end loop;
+
+      return C (C'First .. Last);
+   end Clean_Up_Response;
+
+begin
+   Check ("https://expired.badssl.com");
+   Check ("https://wrong.host.badssl.com");
+   Check ("https://self-signed.badssl.com");
+   Check ("https://untrusted-root.badssl.com");
+end Check_Cert;

regtests/0364_ssl_check_certs/check_cert.gpr

@@ -0,0 +1,5 @@
+with "aws";
+project Check_Cert is
+   for Source_Dirs use (".");
+   for Main use ("check_cert.adb");
+end Check_Cert;

regtests/0364_ssl_check_certs/test-gnutls.out

@@ -0,0 +1,55 @@
+-------------------------------------------------
+URL : https://expired.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200
+
+-------------------------------------------------
+URL : https://wrong.host.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200
+
+-------------------------------------------------
+URL : https://self-signed.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200
+
+-------------------------------------------------
+URL : https://untrusted-root.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : Error in the certificate verification.
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200

regtests/0364_ssl_check_certs/test.opt

@@ -0,0 +1,2 @@
+ssl    REQUIRED
+gnutls OUT test-gnutls.out

regtests/0364_ssl_check_certs/test.out

@@ -0,0 +1,55 @@
+-------------------------------------------------
+URL : https://expired.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) certificate has expired
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) certificate has expired
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200
+
+-------------------------------------------------
+URL : https://wrong.host.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) hostname mismatch
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) hostname mismatch
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200
+
+-------------------------------------------------
+URL : https://self-signed.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) self-signed certificate
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) self-signed certificate
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200
+
+-------------------------------------------------
+URL : https://untrusted-root.badssl.com
+
+CHECK: default SSL setup
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) self-signed certificate in certificate chain
+
+CHECK: SSL config with Check_Certificate = TRUE
+  Status Code: S400
+  Response: GET request error. raised AWS.CLIENT.CONNECTION_ERROR : certificate verification error : (xx) self-signed certificate in certificate chain
+
+CHECK: SSL config with Check_Certificate = FALSE
+  Status Code: S200

regtests/0364_ssl_check_certs/test.py

@@ -0,0 +1,7 @@
+from test_support import *
+
+#  This test that the SSL layer is properly setup to
+#  reject wrong host or expired certificates. This is
+#  an important secure aspect to check.
+
+build_and_run('check_cert')