tests: enhanced server key exchange tests with explicit DH param setting

That is, not only check the DH parameter setting using the known_dh_params() functions, but also with the explicit setting --set_server_dh_params(). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-07-03 09:09:27 +0200
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-08-02 08:45:41 +0200
commit: 687fdd62143d3e19c53934cf8927a475bea3832a (patch)
tree: 94e85088f8fa4ebdfefb6c98b96450aee1059924
parent: aa842f8d6430cf93b35cc0f3b85c6642b0979ff3 (diff)
download: gnutls-687fdd62143d3e19c53934cf8927a475bea3832a.tar.gz
2 files changed, 59 insertions, 4 deletions
diff --git a/tests/server-kx-neg-common.c b/tests/server-kx-neg-common.c
index 935bb2e88a..de4c7ad91a 100644
--- a/tests/server-kx-neg-common.c
+++ b/tests/server-kx-neg-common.c
@@ -26,11 +26,14 @@ typedef struct test_case_st {
 	int client_ret;
 	unsigned have_anon_cred;
 	unsigned have_anon_dh_params;
+	unsigned have_anon_exp_dh_params;
 	unsigned have_srp_cred;
 	unsigned have_psk_cred;
 	unsigned have_psk_dh_params;
+	unsigned have_psk_exp_dh_params;
 	unsigned have_cert_cred;
 	unsigned have_cert_dh_params;
+	unsigned have_cert_exp_dh_params;
 	unsigned have_rsa_sign_cert;
 	unsigned have_ecc_sign_cert;
 	unsigned have_ed25519_sign_cert;
@@ -109,7 +112,7 @@ serv_srp_func(gnutls_session_t session, const char *username,
 
 static void try(test_case_st *test)
 {
-	int sret, cret;
+	int sret, cret, ret;
 	gnutls_anon_client_credentials_t c_anon_cred;
 	gnutls_anon_server_credentials_t s_anon_cred;
 	gnutls_psk_client_credentials_t c_psk_cred;
@@ -118,6 +121,9 @@ static void try(test_case_st *test)
 	gnutls_certificate_credentials_t c_cert_cred;
 	gnutls_srp_server_credentials_t s_srp_cred;
 	gnutls_srp_client_credentials_t c_srp_cred;
+	const gnutls_datum_t p3_2048 =
+	    { (void *)pkcs3_2048, strlen(pkcs3_2048) };
+	gnutls_dh_params_t dh_params = NULL;
 
 	gnutls_session_t server, client;
 	const gnutls_datum_t pskkey = { (void *) "DEADBEEF", 8 };
@@ -137,6 +143,7 @@ static void try(test_case_st *test)
 	assert(gnutls_srp_allocate_server_credentials(&s_srp_cred) >= 0);
 	assert(gnutls_certificate_allocate_credentials(&s_cert_cred) >= 0);
 	assert(gnutls_certificate_allocate_credentials(&c_cert_cred) >= 0);
+	assert(gnutls_dh_params_init(&dh_params) >= 0);
 
 	assert(gnutls_init(&server, GNUTLS_SERVER)>=0);
 	assert(gnutls_init(&client, GNUTLS_CLIENT)>=0);
@@ -145,18 +152,36 @@ static void try(test_case_st *test)
 		gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anon_cred);
 		if (test->have_anon_dh_params)
 			gnutls_anon_set_server_known_dh_params(s_anon_cred, GNUTLS_SEC_PARAM_MEDIUM);
+		else if (test->have_anon_exp_dh_params) {
+			ret = gnutls_dh_params_import_pkcs3(dh_params, &p3_2048,
+							    GNUTLS_X509_FMT_PEM);
+			assert(ret>=0);
+			gnutls_anon_set_server_dh_params(s_anon_cred, dh_params);
+		}
 	}
 
 	if (test->have_cert_cred) {
 		gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_cert_cred);
 		if (test->have_cert_dh_params)
 			gnutls_certificate_set_known_dh_params(s_cert_cred, GNUTLS_SEC_PARAM_MEDIUM);
+		else if (test->have_cert_exp_dh_params) {
+			ret = gnutls_dh_params_import_pkcs3(dh_params, &p3_2048,
+							    GNUTLS_X509_FMT_PEM);
+			assert(ret>=0);
+			gnutls_certificate_set_dh_params(s_cert_cred, dh_params);
+		}
 	}
 
 	if (test->have_psk_cred) {
 		gnutls_credentials_set(server, GNUTLS_CRD_PSK, s_psk_cred);
 		if (test->have_psk_dh_params)
 			gnutls_psk_set_server_known_dh_params(s_psk_cred, GNUTLS_SEC_PARAM_MEDIUM);
+		else if (test->have_psk_exp_dh_params) {
+			ret = gnutls_dh_params_import_pkcs3(dh_params, &p3_2048,
+							    GNUTLS_X509_FMT_PEM);
+			assert(ret>=0);
+			gnutls_psk_set_server_dh_params(s_psk_cred, dh_params);
+		}
 
 		gnutls_psk_set_server_credentials_function(s_psk_cred, serv_psk_func);
 	}
@@ -215,6 +240,8 @@ static void try(test_case_st *test)
 	gnutls_srp_free_server_credentials(s_srp_cred);
 	gnutls_certificate_free_credentials(s_cert_cred);
 	gnutls_certificate_free_credentials(c_cert_cred);
+	if (dh_params)
+		gnutls_dh_params_deinit(dh_params);
 
 	reset_buffers();
 }
diff --git a/tests/tls12-server-kx-neg.c b/tests/tls12-server-kx-neg.c
index 3de87becff..009f2d8d74 100644
--- a/tests/tls12-server-kx-neg.c
+++ b/tests/tls12-server-kx-neg.c
@@ -54,7 +54,7 @@ test_case_st tests[] = {
 		.client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
-		.name = "TLS 1.2 ANON-DH with cred and DH params",
+		.name = "TLS 1.2 ANON-DH with cred and DH params (level)",
 		.server_ret = 0,
 		.client_ret = 0,
 		.have_anon_cred = 1,
@@ -63,6 +63,15 @@ test_case_st tests[] = {
 		.client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
+		.name = "TLS 1.2 ANON-DH with cred and DH params (explicit)",
+		.server_ret = 0,
+		.client_ret = 0,
+		.have_anon_cred = 1,
+		.have_anon_exp_dh_params = 1,
+		.server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.2"
+	},
+	{
 		.name = "TLS 1.2 DHE-RSA without cred",
 		.client_ret = GNUTLS_E_AGAIN,
 		.server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
@@ -107,7 +116,7 @@ test_case_st tests[] = {
 		.client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
-		.name = "TLS 1.2 DHE-RSA with cred and cert and DH params",
+		.name = "TLS 1.2 DHE-RSA with cred and cert and DH params (level)",
 		.client_ret = 0,
 		.server_ret = 0,
 		.have_cert_cred = 1,
@@ -117,6 +126,16 @@ test_case_st tests[] = {
 		.client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
+		.name = "TLS 1.2 DHE-RSA with cred and cert and DH params (explicit)",
+		.client_ret = 0,
+		.server_ret = 0,
+		.have_cert_cred = 1,
+		.have_rsa_sign_cert = 1,
+		.have_cert_exp_dh_params = 1,
+		.server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2"
+	},
+	{
 		.name = "TLS 1.2 DHE-RSA with cred and multiple certs and DH params",
 		.client_ret = 0,
 		.server_ret = 0,
@@ -144,7 +163,7 @@ test_case_st tests[] = {
 		.client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
-		.name = "TLS 1.2 DHE-PSK with cred DH params",
+		.name = "TLS 1.2 DHE-PSK with cred and DH params (level)",
 		.client_ret = 0,
 		.server_ret = 0,
 		.have_psk_cred = 1,
@@ -153,6 +172,15 @@ test_case_st tests[] = {
 		.client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2"
 	},
 	{
+		.name = "TLS 1.2 DHE-PSK with cred and DH params (explicit)",
+		.client_ret = 0,
+		.server_ret = 0,
+		.have_psk_cred = 1,
+		.have_psk_exp_dh_params = 1,
+		.server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2",
+		.client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.2"
+	},
+	{
 		.name = "TLS 1.2 ECDHE-RSA without cred",
 		.client_ret = GNUTLS_E_AGAIN,
 		.server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-07-03 09:09:27 +0200
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-08-02 08:45:41 +0200
commit	687fdd62143d3e19c53934cf8927a475bea3832a (patch)
tree	94e85088f8fa4ebdfefb6c98b96450aee1059924
parent	aa842f8d6430cf93b35cc0f3b85c6642b0979ff3 (diff)
download	gnutls-687fdd62143d3e19c53934cf8927a475bea3832a.tar.gz