diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-03 09:09:27 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-08-02 08:45:41 +0200 |
commit | 687fdd62143d3e19c53934cf8927a475bea3832a (patch) | |
tree | 94e85088f8fa4ebdfefb6c98b96450aee1059924 | |
parent | aa842f8d6430cf93b35cc0f3b85c6642b0979ff3 (diff) | |
download | gnutls-687fdd62143d3e19c53934cf8927a475bea3832a.tar.gz |
tests: enhanced server key exchange tests with explicit DH param setting
That is, not only check the DH parameter setting using the known_dh_params()
functions, but also with the explicit setting --set_server_dh_params().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | tests/server-kx-neg-common.c | 29 | ||||
-rw-r--r-- | tests/tls12-server-kx-neg.c | 34 |
2 files changed, 59 insertions, 4 deletions
diff --git a/tests/server-kx-neg-common.c b/tests/server-kx-neg-common.c index 935bb2e88a..de4c7ad91a 100644 --- a/tests/server-kx-neg-common.c +++ b/tests/server-kx-neg-common.c @@ -26,11 +26,14 @@ typedef struct test_case_st { int client_ret; unsigned have_anon_cred; unsigned have_anon_dh_params; + unsigned have_anon_exp_dh_params; unsigned have_srp_cred; unsigned have_psk_cred; unsigned have_psk_dh_params; + unsigned have_psk_exp_dh_params; unsigned have_cert_cred; unsigned have_cert_dh_params; + unsigned have_cert_exp_dh_params; unsigned have_rsa_sign_cert; unsigned have_ecc_sign_cert; unsigned have_ed25519_sign_cert; @@ -109,7 +112,7 @@ serv_srp_func(gnutls_session_t session, const char *username, static void try(test_case_st *test) { - int sret, cret; + int sret, cret, ret; gnutls_anon_client_credentials_t c_anon_cred; gnutls_anon_server_credentials_t s_anon_cred; gnutls_psk_client_credentials_t c_psk_cred; @@ -118,6 +121,9 @@ static void try(test_case_st *test) gnutls_certificate_credentials_t c_cert_cred; gnutls_srp_server_credentials_t s_srp_cred; gnutls_srp_client_credentials_t c_srp_cred; + const gnutls_datum_t p3_2048 = + { (void *)pkcs3_2048, strlen(pkcs3_2048) }; + gnutls_dh_params_t dh_params = NULL; gnutls_session_t server, client; const gnutls_datum_t pskkey = { (void *) "DEADBEEF", 8 }; @@ -137,6 +143,7 @@ static void try(test_case_st *test) assert(gnutls_srp_allocate_server_credentials(&s_srp_cred) >= 0); assert(gnutls_certificate_allocate_credentials(&s_cert_cred) >= 0); assert(gnutls_certificate_allocate_credentials(&c_cert_cred) >= 0); + assert(gnutls_dh_params_init(&dh_params) >= 0); assert(gnutls_init(&server, GNUTLS_SERVER)>=0); assert(gnutls_init(&client, GNUTLS_CLIENT)>=0); @@ -145,18 +152,36 @@ static void try(test_case_st *test) gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anon_cred); if (test->have_anon_dh_params) gnutls_anon_set_server_known_dh_params(s_anon_cred, GNUTLS_SEC_PARAM_MEDIUM); + else if (test->have_anon_exp_dh_params) { + ret = gnutls_dh_params_import_pkcs3(dh_params, &p3_2048, + GNUTLS_X509_FMT_PEM); + assert(ret>=0); + gnutls_anon_set_server_dh_params(s_anon_cred, dh_params); + } } if (test->have_cert_cred) { gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_cert_cred); if (test->have_cert_dh_params) gnutls_certificate_set_known_dh_params(s_cert_cred, GNUTLS_SEC_PARAM_MEDIUM); + else if (test->have_cert_exp_dh_params) { + ret = gnutls_dh_params_import_pkcs3(dh_params, &p3_2048, + GNUTLS_X509_FMT_PEM); + assert(ret>=0); + gnutls_certificate_set_dh_params(s_cert_cred, dh_params); + } } if (test->have_psk_cred) { gnutls_credentials_set(server, GNUTLS_CRD_PSK, s_psk_cred); if (test->have_psk_dh_params) gnutls_psk_set_server_known_dh_params(s_psk_cred, GNUTLS_SEC_PARAM_MEDIUM); + else if (test->have_psk_exp_dh_params) { + ret = gnutls_dh_params_import_pkcs3(dh_params, &p3_2048, + GNUTLS_X509_FMT_PEM); + assert(ret>=0); + gnutls_psk_set_server_dh_params(s_psk_cred, dh_params); + } gnutls_psk_set_server_credentials_function(s_psk_cred, serv_psk_func); } @@ -215,6 +240,8 @@ static void try(test_case_st *test) gnutls_srp_free_server_credentials(s_srp_cred); gnutls_certificate_free_credentials(s_cert_cred); gnutls_certificate_free_credentials(c_cert_cred); + if (dh_params) + gnutls_dh_params_deinit(dh_params); reset_buffers(); } diff --git a/tests/tls12-server-kx-neg.c b/tests/tls12-server-kx-neg.c index 3de87becff..009f2d8d74 100644 --- a/tests/tls12-server-kx-neg.c +++ b/tests/tls12-server-kx-neg.c @@ -54,7 +54,7 @@ test_case_st tests[] = { .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2" }, { - .name = "TLS 1.2 ANON-DH with cred and DH params", + .name = "TLS 1.2 ANON-DH with cred and DH params (level)", .server_ret = 0, .client_ret = 0, .have_anon_cred = 1, @@ -63,6 +63,15 @@ test_case_st tests[] = { .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2" }, { + .name = "TLS 1.2 ANON-DH with cred and DH params (explicit)", + .server_ret = 0, + .client_ret = 0, + .have_anon_cred = 1, + .have_anon_exp_dh_params = 1, + .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2" + }, + { .name = "TLS 1.2 DHE-RSA without cred", .client_ret = GNUTLS_E_AGAIN, .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, @@ -107,7 +116,7 @@ test_case_st tests[] = { .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2" }, { - .name = "TLS 1.2 DHE-RSA with cred and cert and DH params", + .name = "TLS 1.2 DHE-RSA with cred and cert and DH params (level)", .client_ret = 0, .server_ret = 0, .have_cert_cred = 1, @@ -117,6 +126,16 @@ test_case_st tests[] = { .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2" }, { + .name = "TLS 1.2 DHE-RSA with cred and cert and DH params (explicit)", + .client_ret = 0, + .server_ret = 0, + .have_cert_cred = 1, + .have_rsa_sign_cert = 1, + .have_cert_exp_dh_params = 1, + .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2" + }, + { .name = "TLS 1.2 DHE-RSA with cred and multiple certs and DH params", .client_ret = 0, .server_ret = 0, @@ -144,7 +163,7 @@ test_case_st tests[] = { .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2" }, { - .name = "TLS 1.2 DHE-PSK with cred DH params", + .name = "TLS 1.2 DHE-PSK with cred and DH params (level)", .client_ret = 0, .server_ret = 0, .have_psk_cred = 1, @@ -153,6 +172,15 @@ test_case_st tests[] = { .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2" }, { + .name = "TLS 1.2 DHE-PSK with cred and DH params (explicit)", + .client_ret = 0, + .server_ret = 0, + .have_psk_cred = 1, + .have_psk_exp_dh_params = 1, + .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2", + .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2" + }, + { .name = "TLS 1.2 ECDHE-RSA without cred", .client_ret = GNUTLS_E_AGAIN, .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS, |