author | Martin Ukrop <mukrop@redhat.com> | 2016-07-20 14:29:40 +0200 |
---|---|---|
committer | GitLab <gitlab@gitlab.com> | 2016-07-21 17:35:21 +0000 |
commit | 593fbbedee6cc4f62956c529ffbd981ed3bff25f (patch) | |
tree | 0de8824d08de67c7734092b802ed2de76faf7b97 /tests/name-constraints-merge.c | |
parent | 8b07e0085fa23c37d7b4c530cca1a89af6380c68 (diff) | |
tests: Add DNS name constraints tests
- One chaintest with empty permitted intersection.
- Merge testset with 2 permitted constraints with empty intersection (intersected list is completely empty).
- Merge testset with 3 permitted constraints, 2 of which have empty intersection.
- Merge testset with 2 permitted constraints with empty intersection and one constraint of a different type that remains (intersected list is not empty).
- Enhance the failing function with the suite number for easier comprehension.
Diffstat (limited to 'tests/name-constraints-merge.c')
-rw-r--r-- | tests/name-constraints-merge.c | 203 |
1 files changed, 181 insertions, 22 deletions
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
index 6487bed225..76430fb80b 100644
--- a/tests/name-constraints-merge.c
+++ b/tests/name-constraints-merge.c
@@ -47,12 +47,15 @@ static void check_for_error(int ret) {
 #define NAME_ACCEPTED 1
 #define NAME_REJECTED 0
-static void check_test_result(int ret, int expected_outcome, gnutls_datum_t *tested_data) {
+static void check_test_result(int suite, int ret, int expected_outcome,
+ gnutls_datum_t *tested_data) {
 if (expected_outcome == NAME_ACCEPTED ? ret == 0 : ret != 0) {
 if (expected_outcome == NAME_ACCEPTED) {
- fail("Checking \"%.*s\" should have succeeded.\n", tested_data->size, tested_data->data);
+ fail("Checking \"%.*s\" should have succeeded (suite %d).\n",
+ tested_data->size, tested_data->data, suite);
 } else {
- fail("Checking \"%.*s\" should have failed.\n", tested_data->size, tested_data->data);
+ fail("Checking \"%.*s\" should have failed (suite %d).\n",
+ tested_data->size, tested_data->data, suite);
 }
 }
 }
@@ -69,13 +72,13 @@ static void tls_log_func(int level, const char *str)
 void doit(void) {
- int ret;
+ int ret, suite;
 gnutls_x509_name_constraints_t nc1, nc2;
 gnutls_datum_t name;
 gnutls_global_set_log_function(tls_log_func);
 if (debug)
- gnutls_global_set_log_level(6);
+ gnutls_global_set_log_level(1000);
 /* 0: test the merge permitted name constraints
 * NC1: permitted DNS org
@@ -84,6 +87,7 @@ void doit(void)
 * NC2: permitted DNS org
 * permitted DNS aaa.bbb.ccc.com
 */
+ suite = 0;
 ret = gnutls_x509_name_constraints_init(&nc1);
 check_for_error(ret);
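Review bot: The new `suite` parameter of `check_test_result` is undocumented even though every caller now has to supply it; a comment above the signature, such as `/* suite: number of the test group (the "N:" comment above each block), printed on failure so the failing case can be located */`, would tell a reader what value to pass. Separately, the `%.*s` precision in both `fail()` calls takes an `int`, while `gnutls_datum_t` declares `size` as `unsigned int`; `(int) tested_data->size` avoids the signed/unsigned format mismatch that -Wformat can report.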
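Review bot: `gnutls_global_set_log_level(1000)` replaces level 6 with a value well outside the 0–9 range the API documents; it works because larger values enable every message, but it reads like a typo. A comment on that line such as `/* beyond the highest defined level: enable all debug output */` would make the intent explicit. `doit()` continues past this hunk.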
@@ -117,52 +121,52 @@ void doit(void)
 /* unrelated */
 set_name("xxx.example.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("example.org", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
 set_name("com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("xxx.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 /* check intersection of permitted */
 set_name("xxx.aaa.bbb.ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
 set_name("aaa.bbb.ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
 set_name("xxx.bbb.ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("xxx.ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
 set_name("xxx.ccc.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 gnutls_x509_name_constraints_deinit(nc1);
 gnutls_x509_name_constraints_deinit(nc2);
@@ -171,6 +175,7 @@ void doit(void)
 * NC1: denied DNS example.com
 * NC2: denied DNS example.net
 */
+ suite = 1;
 ret = gnutls_x509_name_constraints_init(&nc1);
 check_for_error(ret);
@@ -191,27 +196,181 @@ void doit(void)
 set_name("xxx.example.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("xxx.example.net", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("example.com", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("example.net", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_REJECTED, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
 set_name("example.org", &name);
 ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
- check_test_result(ret, NAME_ACCEPTED, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
 gnutls_x509_name_constraints_deinit(nc1);
 gnutls_x509_name_constraints_deinit(nc2);
+ /* 2: test permitted constraints with empty intersection
+ * (no permitted nodes remain)
+ * NC1: permitted DNS one.example.com
+ * NC2: permitted DNS two.example.com
+ */
+ suite = 2;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("one.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("two.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("one.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("two.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 3: test more permitted constraints, some with empty intersection
+ * NC1: permitted DNS foo.com
+ * permitted DNS bar.com
+ * permitted email redhat.com
+ * NC2: permitted DNS sub.foo.com
+ */
+ suite = 3;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("foo.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("bar.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("sub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("bar.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("sub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_ACCEPTED, &name);
+
+ set_name("anothersub.foo.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* 4: test permitted constraints with empty intersection
+ * almost identical to 2, but extra name constraint of different type
+ * that remains after intersection
+ * NC1: permitted DNS three.example.com
+ * permitted email redhat.com
+ * NC2: permitted DNS four.example.com
+ */
+ suite = 4;
+
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
+
+ ret = gnutls_x509_name_constraints_init(&nc2);
+ check_for_error(ret);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ set_name("redhat.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
+ check_for_error(ret);
+
+ set_name("four.example.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
+
+ set_name("three.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("four.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("five.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(suite, ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
+
+ /* Test footer */
+ if (debug) success("Test success.\n");
 }
|
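Review bot: The `/* 3: ... */` header in the new suite-3 block lists `permitted email redhat.com` under NC1, but no `gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name)` call follows, so the comment and the code disagree (the commit message's "3 permitted constraints" matches the code, so the comment line looks stale); either drop that line or add the constraint together with an RFC822 check as suite 4 does. In suite 4 the email constraint that the comment says "remains after intersection" is never verified after the merge — adding `set_name("redhat.com", &name);` / `ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);` / `check_test_result(suite, ret, NAME_ACCEPTED, &name);` would pin that the surviving constraint is still enforced rather than dropped along with the empty DNS set. Suite 2 is the security-relevant case, since an empty permitted intersection must reject every DNS name rather than degrade to "unconstrained", and that deserves a sentence in its header comment, e.g. `* every DNS name must be rejected: an empty intersection is not "no constraint"`. `doit()` starts before this hunk.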