author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-07 14:00:41 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-07 14:01:37 +0200 |
commit | b13d81a05041440fc1661be89e19e4e3382a8a11 (patch) | |
tree | 6c29929800a4c1be12bd31d016f7c42e4cc10b43 | |
parent | cc72089397eaea2f23a8202aa6e4ccdbf5496929 (diff) | |
download | gnutls-b13d81a05041440fc1661be89e19e4e3382a8a11.tar.gz |
tests: enhanced tofu trustdb checks
Include checks which store and load commitments from the user's home
directory.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | tests/Makefile.am | 2 | ||||
-rw-r--r-- | tests/trustdb-tofu.c (renamed from tests/mini-tdb.c) | 43 |
2 files changed, 42 insertions, 3 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 08817210a2..48f05b6452 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -91,7 +91,7 @@ ctests = mini-record-2 simple gc set_pkcs12_cred cert certuniqueid \ nul-in-x509-names x509_altname pkcs12_encode mini-x509 \ tls-rehandshake-cert rng-fork mini-eagain-dtls resume-dtls \ x509cert x509cert-tl infoaccess mini-dtls-hello-verify \ - mini-tdb dtls-rehandshake-anon mini-alpn mini-dtls-large \ + trustdb-tofu dtls-rehandshake-anon mini-alpn mini-dtls-large \ mini-termination mini-x509-cas mini-x509-2 pkcs12_simple \ mini-emsgsize-dtls chainverify-unsorted mini-overhead \ mini-dtls-heartbeat mini-x509-callbacks key-openssl priorities \ diff --git a/tests/mini-tdb.c b/tests/trustdb-tofu.c index e508eb8b9d..85d08886a0 100644 --- a/tests/mini-tdb.c +++ b/tests/trustdb-tofu.c @@ -29,6 +29,7 @@ #include <string.h> #include <errno.h> #include <gnutls/gnutls.h> +#include <unistd.h> #include "utils.h" /* This will test whether the default public key storage backend @@ -76,7 +77,9 @@ static char client_pem[] = const gnutls_datum_t client_cert = { (void *) client_pem, sizeof(client_pem) }; -#define TMP_FILE "mini-tdb-tmp" +#define TMP_FILE "mini-tdb.tmp" +#define HOSTS_DIR ".gnutls/" +#define HOSTS_FILE HOSTS_DIR"known_hosts" #define SHA1_HASH "\x53\x4b\x3b\xdc\x5e\xc8\x44\x4c\x02\x20\xbf\x39\x48\x6f\x4c\xfe\xcd\x25\x52\x10" @@ -85,6 +88,7 @@ void doit(void) gnutls_datum_t der_cert, der_cert2; int ret; gnutls_datum_t hash; + char path[512]; /* the sha1 hash of the server's pubkey */ hash.data = (void *) SHA1_HASH; @@ -112,6 +116,7 @@ void doit(void) goto fail; } + remove(HOSTS_FILE); remove(TMP_FILE); /* verify whether the stored hash verification succeeeds */ 
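Review bot: In the hunk at `@@ -76,7 +77,9 @@`, `HOSTS_DIR` and `HOSTS_FILE` are relative to the working directory, so they presumably name the library's default trust store only because `doit()` later sets `HOME` to the current directory. A comment on the defines would make that dependency visible, for example `/* default trust db location once doit() has set HOME to the cwd */`. The same hunk renames `TMP_FILE` to "mini-tdb.tmp" although the test itself becomes trustdb-tofu; `#define TMP_FILE "trustdb-tofu.tmp"` would keep leftover files traceable to the test that wrote them.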
@@ -140,6 +145,36 @@ void doit(void) if (debug) success("Commitment verification: passed\n"); + /* Verify access to home dir */ +#ifndef _WIN32 + setenv("HOME", getcwd(path, sizeof(path)), 1); + + /* verify whether the stored hash verification succeeeds */ + ret = gnutls_store_commitment(NULL, NULL, "localhost", "https", + GNUTLS_DIG_SHA1, &hash, 0, GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN); + if (ret != 0) { + fail("commitment storage: %s\n", gnutls_strerror(ret)); + goto fail; + } + + if (debug) + success("Commitment storage: passed\n"); + + ret = + gnutls_verify_stored_pubkey(NULL, NULL, "localhost", + "https", GNUTLS_CRT_X509, + &der_cert, 0); + + if (ret != 0) { + fail("commitment verification: %s\n", + gnutls_strerror(ret)); + goto fail; + } + + if (debug) + success("Commitment from homedir verification: passed\n"); +#endif + /* verify whether the stored pubkey verification succeeeds */ ret = gnutls_store_pubkey(TMP_FILE, NULL, "localhost", "https", GNUTLS_CRT_X509, &der_cert, 0, 0); @@ -164,7 +199,6 @@ void doit(void) gnutls_verify_stored_pubkey(TMP_FILE, NULL, "localhost", "https", GNUTLS_CRT_X509, &der_cert2, 0); - remove(TMP_FILE); if (ret == 0) { fail("verification succeed when shouldn't!\n"); goto fail; @@ -178,6 +212,9 @@ void doit(void) if (debug) success("Public key verification: passed\n"); + remove(HOSTS_FILE); + remove(TMP_FILE); + rmdir(HOSTS_DIR); gnutls_global_deinit(); gnutls_free(der_cert.data); @@ -185,6 +222,8 @@ void doit(void) return; fail: + remove(HOSTS_FILE); remove(TMP_FILE); + rmdir(HOSTS_DIR); exit(1); } |
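Review bot: `setenv("HOME", getcwd(path, sizeof(path)), 1);` in the hunk at `@@ -140,6 +145,36 @@` checks neither return value, and `getcwd()` returns NULL on error or when the working directory does not fit in the 512-byte `path`, so that NULL is passed straight to `setenv()`. If the redirection does not take effect, the following `gnutls_store_commitment(NULL, NULL, ...)` call would presumably append a `GNUTLS_SCOMMIT_FLAG_ALLOW_BROKEN` SHA-1 commitment for localhost to the invoking user's real trust database, which the cwd-relative `remove(HOSTS_FILE)` cleanup never touches. Check both calls before continuing: `if (getcwd(path, sizeof(path)) == NULL || setenv("HOME", path, 1) != 0) {` `fail("cannot redirect HOME to the test directory\n");` `goto fail; }`. The comment above the store call ("verify whether the stored hash verification succeeeds") is copied from the verification step and should instead say that the commitment is stored in the default database. `doit()` begins before this hunk and continues after it.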