authorMartin Ukrop <mukrop@redhat.com>2016-07-20 14:29:40 +0200
committerGitLab <gitlab@gitlab.com>2016-07-21 17:35:21 +0000
commit593fbbedee6cc4f62956c529ffbd981ed3bff25f (patch)
tree0de8824d08de67c7734092b802ed2de76faf7b97 /tests/name-constraints-merge.c
parent8b07e0085fa23c37d7b4c530cca1a89af6380c68 (diff)
tests: Add DNS name constraints tests
- One chain test with an empty permitted intersection. - Merge test set with 2 permitted constraints with an empty intersection (the intersected list is completely empty). - Merge test set with 3 permitted constraints, 2 of which have an empty intersection. - Merge test set with 2 permitted constraints with an empty intersection and one constraint of a different type that remains (the intersected list is not empty). - Enhance the failure-reporting function with the suite number for easier comprehension.
Diffstat (limited to 'tests/name-constraints-merge.c')
-rw-r--r--tests/name-constraints-merge.c203
1 files changed, 181 insertions, 22 deletions
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
index 6487bed225..76430fb80b 100644
--- a/tests/name-constraints-merge.c
+++ b/tests/name-constraints-merge.c
@@ -47,12 +47,15 @@ static void check_for_error(int ret) {
#define NAME_ACCEPTED 1
#define NAME_REJECTED 0
-static void check_test_result(int ret, int expected_outcome, gnutls_datum_t *tested_data) {
+static void check_test_result(int suite, int ret, int expected_outcome,
+ gnutls_datum_t *tested_data) {
if (expected_outcome == NAME_ACCEPTED ? ret == 0 : ret != 0) {
if (expected_outcome == NAME_ACCEPTED) {
- fail("Checking \"%.*s\" should have succeeded.\n", tested_data->size, tested_data->data);
+ fail("Checking \"%.*s\" should have succeeded (suite %d).\n",
+ tested_data->size, tested_data->data, suite);
} else {
- fail("Checking \"%.*s\" should have failed.\n", tested_data->size, tested_data->data);
+ fail("Checking \"%.*s\" should have failed (suite %d).\n",
+ tested_data->size, tested_data->data, suite);
}
}
}
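Review bot: The rewritten fail() calls still pass `tested_data->size` directly as the `%.*s` precision argument, which must be an `int`; gnutls_datum_t.size is `unsigned int`, so this is a format/argument type mismatch that -Wformat reports and that is formally undefined even though it works on common ABIs. Since both lines are already being touched, cast it there: `(int)tested_data->size, tested_data->data, suite);` in both branches. The new `suite` parameter also has no documentation; a one-line comment above the function such as `/* suite: index of the test scenario, printed on failure so the offending check can be located */` would make the failure output self-explanatory.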
@@ -69,13 +72,13 @@ static void tls_log_func(int level, const char *str)
void doit(void)
{
- int ret;
+ int ret, suite;
gnutls_x509_name_constraints_t nc1, nc2;
gnutls_datum_t name;
gnutls_global_set_log_function(tls_log_func);
if (debug)
- gnutls_global_set_log_level(6);
+ gnutls_global_set_log_level(1000);
/* 0: test the merge permitted name constraints
* NC1: permitted DNS org
@@ -84,6 +87,7 @@ void doit(void)
* NC2: permitted DNS org
* permitted DNS aaa.bbb.ccc.com
*/
+ suite = 0;
ret = gnutls_x509_name_constraints_init(&nc1);
check_for_error(ret);
@@ -117,52 +121,52 @@ void doit(void)
/* unrelated */
set_name("xxx.example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.org", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("xxx.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
/* check intersection of permitted */
set_name("xxx.aaa.bbb.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("aaa.bbb.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("xxx.bbb.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("xxx.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
set_name("xxx.ccc.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);
@@ -171,6 +175,7 @@ void doit(void)
* NC1: denied DNS example.com
* NC2: denied DNS example.net
*/
+ suite = 1;
ret = gnutls_x509_name_constraints_init(&nc1);
check_for_error(ret);
@@ -191,27 +196,181 @@ void doit(void)
set_name("xxx.example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("xxx.example.net", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.com", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.net", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
set_name("example.org", &name);
ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);
+ /* 2: test permitted constraints with empty intersection
+ * (no permitted nodes remain)
+ * NC1: permitted DNS one.example.com
+ * NC2: permitted DNS two.example.com
+ */
+ suite = 2;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("one.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("two.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("one.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("two.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 3: test more permitted constraints, some with empty intersection
+ * NC1: permitted DNS foo.com
+ * permitted DNS bar.com
+ * permitted email redhat.com
+ * NC2: permitted DNS sub.foo.com
+ */
+ suite = 3;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("foo.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("bar.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("sub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("bar.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("sub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
+
+ set_name("anothersub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 4: test permitted constraints with empty intersection
+ * almost identical to 2, but extra name constraint of different type
+ * that remains after intersection
+ * NC1: permitted DNS three.example.com
+ * permitted email redhat.com
+ * NC2: permitted DNS four.example.com
+ */
+ suite = 4;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("redhat.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
+ check_for_error(ret);
+
+ set_name("four.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("four.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("five.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* Test footer */
+
if (debug)
success("Test success.\n");
}
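Review bot: Suite 3's header comment lists `permitted email redhat.com` under NC1, but the code that follows only adds the foo.com and bar.com DNS names to nc1 and never adds a GNUTLS_SAN_RFC822NAME constraint, so either that comment line is stale or an add_permitted call is missing; drop the line unless the email constraint was intended. Suite 4 has the converse gap: it adds the redhat.com email constraint precisely so that something survives the empty DNS intersection, yet never checks it, so the suite cannot actually distinguish itself from suite 2. Add after suite 4's last DNS check `set_name("redhat.com", &name);` / `ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);` / `check_test_result(suite, ret, NAME_ACCEPTED, &name);` — accepted is what I would expect since nc2 contributes no RFC822 constraint, mirroring the RFC822 check in suite 0, but confirm against the merge semantics. doit() begins outside this hunk.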