author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-03-17 15:08:49 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2016-03-17 15:08:49 +0100 |
commit | 2c2ec237ea595d8862d184ba2f78f8a782e3a323 (patch) | |
tree | 4cfa384ff142f6214cde64402cb805cb1a041a40 | |
parent | db90ccbc4d1533774bbaa4a40f8c3105eae4da49 (diff) | |
tests: introduced a check for merging name constraints [nameconstraints2]
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/name-constraints-merge.c | 238 |
2 files changed, 239 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5ffd592607..75f65c21e8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -96,7 +96,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
 rehandshake-switch-cert-client-allow handshake-versions dtls-handshake-versions \
 dtls-max-record tls-max-record alpn-server-prec ocsp-filename-memleak \
 dh-params rehandshake-ext-secret pcert-list session-export-funcs \
- handshake-false-start version-checks
+ handshake-false-start version-checks name-constraints-merge
 if HAVE_SECCOMP_TESTS
 ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
new file mode 100644
index 0000000000..7877708c01
--- /dev/null
+++ b/tests/name-constraints-merge.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/* Parts copied from GnuTLS example programs. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include "utils.h"
+
+/* Test for name constraints PKIX extension.
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+/* deny */
+const gnutls_datum_t example_com = { (void*)"example.com", sizeof("example.com")-1 };
+const gnutls_datum_t example_net = { (void*)"example.net", sizeof("example.net")-1 };
+
+/* allowed */
+const gnutls_datum_t org = { (void*)"org", sizeof("org")-1 };
+const gnutls_datum_t ccc_com = { (void*)"ccc.com", sizeof("ccc.com")-1 };
+const gnutls_datum_t aaa_bbb_ccc_com = { (void*)"aaa.bbb.ccc.com", sizeof("aaa.bbb.ccc.com")-1 };
+
+void doit(void)
+{
+ int ret;
+ gnutls_x509_name_constraints_t nc;
+ gnutls_x509_name_constraints_t nc2;
+ gnutls_datum_t name;
+
+ /* this must be called once in the program
+ */
+ global_init();
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ /* 0: test the merge permitted */
+
+ ret = gnutls_x509_name_constraints_init(&nc);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+
+ /* nc: .org + ccc.com */
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME,
+ &org);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME,
+ &ccc_com);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ /* nc2: .org + aaa.bbb.ccc.com */
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME,
+ &org);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME,
+ &aaa_bbb_ccc_com);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ /* intersection: permit: aaa.bbb.ccc.com */
+ ret = gnutls_x509_name_constraints_merge(nc, nc2);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+
+ /* unrelated */
+ name.data = (unsigned char*)"xxx.example.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking domain should have failed\n");
+
+ name.data = (unsigned char*)"example.org";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret == 0)
+ fail("Checking %s should have succeeded\n", name.data);
+
+ name.data = (unsigned char*)"com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking %s should have failed\n", name.data);
+
+ name.data = (unsigned char*)"xxx.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking %s should have failed\n", name.data);
+
+ name.data = (unsigned char*)"ccc.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking %s should have failed\n", name.data);
+
+
+ /* check intersection of permitted */
+ name.data = (unsigned char*)"xxx.aaa.bbb.ccc.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret == 0)
+ fail("Checking %s should have succeeded\n", name.data);
+
+ name.data = (unsigned char*)"aaa.bbb.ccc.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret == 0)
+ fail("Checking %s should have succeeded\n", name.data);
+
+ name.data = (unsigned char*)"xxx.bbb.ccc.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking %s should have failed\n", name.data);
+
+ name.data = (unsigned char*)"xxx.ccc.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking %s should have failed\n", name.data);
+
+
+ gnutls_x509_name_constraints_deinit(nc);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 1: test the merge of name constraints with excluded */
+
+ ret = gnutls_x509_name_constraints_init(&nc);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME,
+ &example_com);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+ ret = gnutls_x509_name_constraints_add_excluded(nc2, GNUTLS_SAN_DNSNAME,
+ &example_net);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+
+ /* intersection: permit: example.com and example.net denied */
+ ret = gnutls_x509_name_constraints_merge(nc, nc2);
+ if (ret < 0)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+
+
+ /* check the union */
+ name.data = (unsigned char*)"xxx.example.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking domain should have failed\n");
+
+ name.data = (unsigned char*)"xxx.example.net";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking domain should have failed\n");
+
+ name.data = (unsigned char*)"example.com";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking domain should have failed\n");
+
+ name.data = (unsigned char*)"example.net";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret != 0)
+ fail("Checking domain should have failed\n");
+
+
+ /* check an allowed name */
+ name.data = (unsigned char*)"example.org";
+ name.size = strlen((char*)name.data);
+ ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
+ if (ret == 0)
+ fail("Checking %s should have succeeded\n", name.data);
+
+ gnutls_x509_name_constraints_deinit(nc);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ gnutls_global_deinit();
+
+ if (debug)
+ success("success");
+}
|
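Review bot: The permitted-subtree case in doit() only exercises overlapping subtrees (.org/ccc.com against .org/aaa.bbb.ccc.com), so it cannot detect a merge that widens what nc permits; a second pair whose permitted sets are disjoint (nc permits only ccc.com, nc2 only an unrelated name) should be asserted to reject every DNS name, and a pair where nc2 carries no permitted entries should be asserted not to loosen nc, assuming the merge follows the RFC 5280 intersection semantics the comments describe. The four `fail("Checking domain should have failed\n")` calls drop the name that every other check prints, which leaves a failing run ambiguous about which of the four names was accepted; use `fail("Checking %s should have failed\n", name.data);` as the neighbouring checks do. The five file-scope `gnutls_datum_t` tables are non-static globals in a test binary; `static const gnutls_datum_t example_com = { ... };` keeps them out of the link namespace. Whether nc2 is still owned by the caller after gnutls_x509_name_constraints_merge() is not visible here, and the unconditional deinit of nc2 afterwards assumes the merge copies rather than takes the entries; a one-line comment at the first merge stating that assumption would make the test self-explaining.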