authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-22 09:54:12 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-09-22 10:31:07 +0200
commit846b05e80b642f1a37a8a4d7e17b4a533c3654d5 (patch)
treeaca963cd931812ed15cf16b28b32a669f7a8e714
parentb514618b8ff6591f718bb46035ef1a0fd7200fd4 (diff)
tests: added check for client-side DSA key
This checks whether a client can use and send a DSA key, even if DSA is not enabled (which should prohibit the server from providing a DSA certificate).
-rw-r--r--tests/Makefile.am3
-rw-r--r--tests/cert-common.h49
-rw-r--r--tests/client_dsa_key.c109
-rw-r--r--tests/utils-adv.c25
-rw-r--r--tests/utils.h5
5 files changed, 184 insertions, 7 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 6744c7d907..c2118e3da4 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -112,7 +112,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
- set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet
+ set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
+ client_dsa_key
if HAVE_SECCOMP_TESTS
ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
diff --git a/tests/cert-common.h b/tests/cert-common.h
index 2c16daf388..9b35d04ba5 100644
--- a/tests/cert-common.h
+++ b/tests/cert-common.h
@@ -678,6 +678,55 @@ const gnutls_datum_t cli_ca3_cert_chain = { (void*)cli_ca3_cert_chain_pem,
sizeof(cli_ca3_cert_chain_pem)-1
};
+static char clidsa_ca3_cert_pem[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIEMzCCApugAwIBAgIIV+OL0jeIUYkwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n"
+ "AxMEQ0EtMzAgFw0xNjA5MjIwNzQ0MjBaGA85OTk5MTIzMTIzNTk1OVowFTETMBEG\n"
+ "A1UEAxMKRFNBIGNsaWVudDCCAbcwggErBgcqhkjOOAQBMIIBHgKBgQD6BQw6J3GB\n"
+ "Lv8xjTjq6flgCLUYf9wNQO1osjl8F3mP3P0ggZd101pwDG34Kdffby+PTB5rpe8Z\n"
+ "SUx83ozzCiCcxf+kM4B0B0JP7mlqLrdTyPbWTap8sCMtabKnuR7UWdhsB8WU2Ct9\n"
+ "/IcCEG2dYcmzzWXE6/Pdo45iCd7lv+fl/wIVAM8gQzNh7394wHpNStxbGq9Xe+7z\n"
+ "AoGAJuUzfmL64dwFgQDmow8BjA5jI4mPiXc9+HDlUG0xXT65tUqHyg5fTSVm8p+q\n"
+ "WaklZeWTvuDc7KYofGZolG3LxhBKvIXHiUrD5hJ/cE/qcx89oczD7mChHG8k4a+Y\n"
+ "sr9/gXMFp8/TUsiTXrPLvEedBiAL9isDGC+ibRswfFYqGKYDgYUAAoGBAOFzLEe4\n"
+ "9nHYysKSgx6o7LadjsWAcLLHvI4EcmRZf7cHW/S/FCHgpnMn7GvnD4xiaysDFA8A\n"
+ "XEh9QJutRiLcpp14bVkPd0E+1z3v3LDhwVaJ1DofWEMnAsGoRVkAuEBkND6aNoKI\n"
+ "AuUMvFlnpU8SD5SZrUQkP22jyMj+mxsJntK9o3YwdDAMBgNVHRMBAf8EAjAAMBMG\n"
+ "A1UdJQQMMAoGCCsGAQUFBwMCMA8GA1UdDwEB/wQFAwMHgAAwHQYDVR0OBBYEFCnQ\n"
+ "ScP7Ao3G+SjKY0a5DEmNF5X+MB8GA1UdIwQYMBaAFPmohhljtqQUE2B2DwGaNTbv\n"
+ "8bSvMA0GCSqGSIb3DQEBCwUAA4IBgQArAfKJgKd6Sz7BW0m46T4DxXWsrlYVc76M\n"
+ "metxnSBDZdWzRbP6dGXGkKH1J2Oftv3kVrRL8amDz7DLRE6pBAUDx+5Es/dheTNA\n"
+ "juIVZuKzSYoRPtuiO1gHvRPvyV/2HUpnLl+w2qW/Df4ZWlHz6ujuYFzhdWueon+t\n"
+ "7/JtabcuBxK6gFyNs+A0fHjszpWtZxUXuik1t4y9IcEV6Ig+vWk+GNwVAs5lQenv\n"
+ "7IhIg1EWxBNiRF3yKINAiyFkM4FcFEPqlbijX9xDorCK2Xn4HLIN2oUQJFYDqVOV\n"
+ "KGg0rMmeJ8rRZI0ELK89SdPyALe4HQzKnQtzxy45oq+Vv7A8B0lorTMPIq3WKxo4\n"
+ "mXJdEF2aYxeUsMYBDZOOslBc8UMaUAF8ncrk6eNqJoDZCxElfgDXx4CfM8Lh0V2c\n"
+ "MDBXeiNUf1HWcCkvnMPGLXZXez/5abnhNIFqDsmRxuhUqlTbarq3CxjAWMjQRb9c\n"
+ "SWUGHPlOkmEGRv5JB6djjpRFRwtHLNc=\n"
+ "-----END CERTIFICATE-----\n";
+
+static char clidsa_ca3_key_pem[] =
+ "-----BEGIN DSA PRIVATE KEY-----\n"
+ "MIIBuwIBAAKBgQD6BQw6J3GBLv8xjTjq6flgCLUYf9wNQO1osjl8F3mP3P0ggZd1\n"
+ "01pwDG34Kdffby+PTB5rpe8ZSUx83ozzCiCcxf+kM4B0B0JP7mlqLrdTyPbWTap8\n"
+ "sCMtabKnuR7UWdhsB8WU2Ct9/IcCEG2dYcmzzWXE6/Pdo45iCd7lv+fl/wIVAM8g\n"
+ "QzNh7394wHpNStxbGq9Xe+7zAoGAJuUzfmL64dwFgQDmow8BjA5jI4mPiXc9+HDl\n"
+ "UG0xXT65tUqHyg5fTSVm8p+qWaklZeWTvuDc7KYofGZolG3LxhBKvIXHiUrD5hJ/\n"
+ "cE/qcx89oczD7mChHG8k4a+Ysr9/gXMFp8/TUsiTXrPLvEedBiAL9isDGC+ibRsw\n"
+ "fFYqGKYCgYEA4XMsR7j2cdjKwpKDHqjstp2OxYBwsse8jgRyZFl/twdb9L8UIeCm\n"
+ "cyfsa+cPjGJrKwMUDwBcSH1Am61GItymnXhtWQ93QT7XPe/csOHBVonUOh9YQycC\n"
+ "wahFWQC4QGQ0Ppo2gogC5Qy8WWelTxIPlJmtRCQ/baPIyP6bGwme0r0CFDUW6VNf\n"
+ "FgAdB5hhtag7oTw45a72\n"
+ "-----END DSA PRIVATE KEY-----\n";
+
+const gnutls_datum_t clidsa_ca3_key = { (void*)clidsa_ca3_key_pem,
+ sizeof(clidsa_ca3_key_pem)-1
+};
+
+const gnutls_datum_t clidsa_ca3_cert = { (void*)clidsa_ca3_cert_pem,
+ sizeof(clidsa_ca3_cert_pem)-1
+};
+
static char server_ca3_key_pem[] =
"-----BEGIN RSA PRIVATE KEY-----\n"
"MIIG5AIBAAKCAYEA2T14maos98C7s/geGZybgqYSxF+5NeTXKWpi9/vXmuIF8n3h\n"
diff --git a/tests/client_dsa_key.c b/tests/client_dsa_key.c
new file mode 100644
index 0000000000..a1bfb85f3e
--- /dev/null
+++ b/tests/client_dsa_key.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#if !defined(_WIN32)
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <arpa/inet.h>
+#endif
+#include <unistd.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include "utils.h"
+#include "cert-common.h"
+
+/* Test for correct operation when a client uses a DSA key when the server
+ * has DSA signatures enabled but not the client.
+ *
+ */
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ gnutls_certificate_credentials_t serv_cred;
+ gnutls_certificate_credentials_t cli_cred;
+ int ret;
+
+ /* this must be called once in the program
+ */
+ global_init();
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(6);
+
+ assert(gnutls_certificate_allocate_credentials(&cli_cred) >= 0);
+
+ ret = gnutls_certificate_set_x509_trust_mem(cli_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+
+ ret = gnutls_certificate_set_x509_key_mem(cli_cred, &clidsa_ca3_cert,
+ &clidsa_ca3_key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in error code: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ /* test gnutls_certificate_flags() */
+ gnutls_certificate_allocate_credentials(&serv_cred);
+ gnutls_certificate_set_flags(serv_cred, GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH);
+
+ ret = gnutls_certificate_set_x509_trust_mem(serv_cred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_x509_key_mem(serv_cred, &server_ca3_localhost_cert_chain,
+ &server_ca3_key,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in error code\n");
+ exit(1);
+ }
+
+ test_cli_serv_cert(serv_cred, cli_cred, "NORMAL:+DHE-DSS:+SIGN-DSA-SHA1", "NORMAL:-DHE-DSS:-SIGN-DSA-SHA1", "localhost");
+
+ gnutls_certificate_free_credentials(serv_cred);
+ gnutls_certificate_free_credentials(cli_cred);
+
+ gnutls_global_deinit();
+
+ if (debug)
+ success("success");
+}
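Review bot: The server credential allocation `gnutls_certificate_allocate_credentials(&serv_cred);` is unchecked, while the client one a few lines earlier is wrapped in assert; on failure serv_cred stays uninitialized and is handed to gnutls_certificate_set_flags. Make it `assert(gnutls_certificate_allocate_credentials(&serv_cred) >= 0);` to match. The comment `/* test gnutls_certificate_flags() */` above it does not describe what follows (it sets GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH), and the failure text `"error in error code: %s\n"` for a key-load failure is misleading; `"set_x509_key_mem failed: %s\n"` would follow the style of the trust message. The header comment says the server has DSA enabled and the client does not, which matches the priority strings only if the third argument of test_cli_serv_cert is the server priority — the declaration in utils.h says so, but the definition in utils-adv.c names that parameter cli_prio, so this is worth confirming.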
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index f19fad2d76..9889f8fa26 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
@@ -45,9 +45,11 @@ const char *side = NULL;
static int
_test_cli_serv(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
- const char *prio, const char *host,
+ const char *serv_prio, const char *cli_prio,
+ const char *host,
void *priv, callback_func *client_cb, callback_func *server_cb,
- unsigned expect_verification_failure)
+ unsigned expect_verification_failure,
+ unsigned require_cert)
{
int exit_code = EXIT_SUCCESS;
int ret;
@@ -65,11 +67,14 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
gnutls_init(&server, GNUTLS_SERVER);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
server_cred);
- gnutls_priority_set_direct(server, prio, NULL);
+ gnutls_priority_set_direct(server, serv_prio, NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, server);
+ if (require_cert)
+ gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
+
ret = gnutls_init(&client, GNUTLS_CLIENT);
if (ret < 0)
exit(1);
@@ -88,7 +93,7 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
if (ret < 0)
exit(1);
- gnutls_priority_set_direct(client, prio, NULL);
+ gnutls_priority_set_direct(client, cli_prio, NULL);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, client);
@@ -175,7 +180,15 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred,
const char *prio, const char *host,
void *priv, callback_func *client_cb, callback_func *server_cb)
{
- _test_cli_serv(server_cred, client_cred, prio, host, priv, client_cb, server_cb, 0);
+ _test_cli_serv(server_cred, client_cred, prio, prio, host, priv, client_cb, server_cb, 0, 0);
+}
+
+void
+test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *cli_prio, const char *serv_prio, const char *host)
+{
+ _test_cli_serv(server_cred, client_cred, cli_prio, serv_prio, host, NULL, NULL, NULL, 0, 1);
}
/* An expected to fail verification run. Returns verification status */
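Review bot: The parameter names of the new test_cli_serv_cert definition are swapped relative to both its declaration in utils.h (`serv_prio, cli_prio, host`) and the call it makes: the third argument, named `cli_prio` here, is forwarded to _test_cli_serv as its `serv_prio` parameter, and `serv_prio` lands in `cli_prio`. Behaviour therefore follows the header, but the names mislead a reader of this file; rename the signature to `const char *serv_prio, const char *cli_prio, const char *host)` and forward `_test_cli_serv(server_cred, client_cred, serv_prio, cli_prio, host, NULL, NULL, NULL, 0, 1);`. The new `require_cert` flag is passed as a bare `1` here and `0` in the other wrappers; a one-line comment on _test_cli_serv's prototype stating that it makes the server call gnutls_certificate_server_set_request with GNUTLS_CERT_REQUIRE would make the literals readable. The function is complete within the hunk.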
@@ -184,5 +197,5 @@ test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
const char *prio, const char *host)
{
- return _test_cli_serv(server_cred, client_cred, prio, host, NULL, NULL, NULL, 1);
+ return _test_cli_serv(server_cred, client_cred, prio, prio, host, NULL, NULL, NULL, 1, 0);
}
diff --git a/tests/utils.h b/tests/utils.h
index c8efe49b3a..e35e10ab0e 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -84,6 +84,11 @@ void test_cli_serv(gnutls_certificate_credentials_t server_cred,
void *priv,
callback_func * client_cb, callback_func * server_cb);
+void
+test_cli_serv_cert(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *serv_prio, const char *cli_prio, const char *host);
+
unsigned
test_cli_serv_vf(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,