From: Nikos Mavrogiannopoulos Date: Fri, 22 Jul 2016 12:11:25 +0000 (+0200) Subject: tests: added checks for OCSP response file support X-Git-Tag: gnutls_3_5_3~87 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fcacb0b849ca23bf659618be06caacfbf732855;p=thirdparty%2Fgnutls.git tests: added checks for OCSP response file support That is, check the usability of the APIs for setting and using an ocsp response. This improves and makes more generic the test suite API and test_cli_serv() in particular. --- diff --git a/tests/Makefile.am b/tests/Makefile.am index 03dd03dd59..a70ae2cde3 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -108,7 +108,8 @@ ctests = mini-record-2 simple gc set_pkcs12_cred certder certuniqueid \ tls1.1-cert-key-exchange tls1.0-cert-key-exchange ssl3.0-cert-key-exchange \ dtls1.2-cert-key-exchange dtls1.0-cert-key-exchange x509-cert-callback-legacy \ keylog-env ssl2-hello tlsfeature-ext dtls-rehandshake-cert-2 \ - tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start + tlsfeature-crt dtls-rehandshake-cert-3 resume-with-false-start \ + set_x509_key_file_ocsp if HAVE_SECCOMP_TESTS ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp diff --git a/tests/keylog-env.c b/tests/keylog-env.c index ec35a6b048..4d52ef1d64 100644 --- a/tests/keylog-env.c +++ b/tests/keylog-env.c @@ -73,6 +73,7 @@ static void search_for_str(const char *filename) static void run(const char *env, const char *filename) { gnutls_certificate_credentials_t x509_cred; + gnutls_certificate_credentials_t clicred; int ret; remove(filename); @@ -96,6 +97,7 @@ static void run(const char *env, const char *filename) /* test gnutls_certificate_flags() */ assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); ret = gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_localhost_cert, &server_ca3_key, 
@@ -105,7 +107,12 @@ static void run(const char *env, const char *filename) exit(1); } - test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "localhost"); + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + + + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); if (access(filename, R_OK) != 0) { fail("keylog file was not created\n"); @@ -115,6 +122,7 @@ static void run(const char *env, const char *filename) search_for_str(filename); gnutls_certificate_free_credentials(x509_cred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); remove(filename); diff --git a/tests/set_x509_key.c b/tests/set_x509_key.c index 2b6dbdb23b..fb1b6a39b3 100644 --- a/tests/set_x509_key.c +++ b/tests/set_x509_key.c @@ -67,6 +67,7 @@ static time_t mytime(time_t * t) static void basic(void) { gnutls_certificate_credentials_t x509_cred; + gnutls_certificate_credentials_t clicred; gnutls_pcert_st pcert_list[16]; gnutls_privkey_t key; unsigned pcert_list_size; @@ -84,9 +85,14 @@ static void basic(void) if (debug) gnutls_global_set_log_level(6); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); assert(gnutls_privkey_init(&key)>=0); + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + pcert_list_size = sizeof(pcert_list)/sizeof(pcert_list[0]); ret = gnutls_pcert_list_import_x509_raw(pcert_list, &pcert_list_size, &server_cert, GNUTLS_X509_FMT_PEM, 0); 
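Review bot: The failure message added after the `gnutls_certificate_set_x509_trust_mem()` call names the wrong function: `fail("set_x509_trust_file failed: %s\n", ...)` should read `fail("set_x509_trust_mem failed: %s\n", gnutls_strerror(ret));` so a failing run points at the call that was actually made. The same copied message appears in the new trust-setup blocks of set_x509_key.c (basic and auto_parse), set_x509_key_file.c, set_x509_key_file_der.c, set_x509_key_mem.c and set_x509_pkcs12_key.c, and should be corrected there as well. The two consecutive blank lines inserted before the test_cli_serv() call here can be collapsed to one. run() continues past the end of this hunk.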
@@ -129,9 +135,10 @@ static void basic(void) exit(1); } - test_cli_serv(x509_cred, "NORMAL", &ca_cert, "localhost"); + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); gnutls_certificate_free_credentials(x509_cred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); @@ -141,7 +148,7 @@ static void basic(void) static void auto_parse(void) { - gnutls_certificate_credentials_t x509_cred; + gnutls_certificate_credentials_t x509_cred, clicred; gnutls_pcert_st pcert_list[16]; gnutls_privkey_t key; gnutls_pcert_st second_pcert; @@ -162,6 +169,12 @@ static void auto_parse(void) assert(gnutls_certificate_allocate_credentials(&x509_cred)>=0); assert(gnutls_privkey_init(&key)>=0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + pcert_list_size = sizeof(pcert_list)/sizeof(pcert_list[0]); ret = gnutls_pcert_list_import_x509_raw(pcert_list, &pcert_list_size, &server_ca3_localhost_cert, GNUTLS_X509_FMT_PEM, 0); @@ -203,11 +216,12 @@ static void auto_parse(void) exit(1); } - test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "localhost"); /* the DNS name of the first cert */ - test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "localhost6"); /* the DNS name of ECC cert */ - test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "www.none.org"); /* the DNS name of ECC cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost6", NULL, NULL, NULL); /* the DNS name of ECC cert */ + test_cli_serv(x509_cred, clicred, "NORMAL", "www.none.org", NULL, NULL, NULL); /* the DNS name of ECC cert */ gnutls_certificate_free_credentials(x509_cred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); 
diff --git a/tests/set_x509_key_file.c b/tests/set_x509_key_file.c index 35affc480d..f23683decb 100644 --- a/tests/set_x509_key_file.c +++ b/tests/set_x509_key_file.c @@ -65,7 +65,7 @@ static void compare(const gnutls_datum_t *der, const void *ipem) void doit(void) { int ret; - gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t xcred, clicred; const char *keyfile = "./certs/ecc256.pem"; const char *certfile = "does-not-exist.pem"; gnutls_datum_t tcert; @@ -84,6 +84,11 @@ void doit(void) gnutls_certificate_free_credentials(xcred); assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); certfile = get_tmpname(NULL); @@ -117,8 +122,9 @@ void doit(void) remove(certfile); - test_cli_serv(xcred, "NORMAL", &ca_cert, "localhost"); /* the DNS name of the first cert */ + test_cli_serv(xcred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */ gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); } diff --git a/tests/set_x509_key_file_der.c b/tests/set_x509_key_file_der.c index c4d28fa2ef..eab1944d12 100644 --- a/tests/set_x509_key_file_der.c +++ b/tests/set_x509_key_file_der.c @@ -77,7 +77,7 @@ static void write_der(const char *file, const char *header, const char *ipem) void doit(void) { int ret; - gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t xcred, clicred; char keyfile[TMPNAME_SIZE]; char certfile[TMPNAME_SIZE]; gnutls_datum_t tcert; 
@@ -89,6 +89,12 @@ void doit(void) if (TMP_MAX < 2) exit(77); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + assert(get_tmpname(certfile)!=NULL); assert(get_tmpname(keyfile)!=NULL); @@ -112,9 +118,10 @@ void doit(void) remove(certfile); remove(keyfile); - test_cli_serv(xcred, "NORMAL", &ca3_cert, "localhost"); /* the DNS name of the first cert */ + test_cli_serv(xcred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */ gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); } diff --git a/tests/set_x509_key_file_ocsp.c b/tests/set_x509_key_file_ocsp.c new file mode 100644 index 0000000000..9aae722482 --- /dev/null +++ b/tests/set_x509_key_file_ocsp.c 
@@ -0,0 +1,152 @@ +/* + * Copyright (C) 2016 Red Hat, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include + +#ifdef ENABLE_OCSP + +#include "cert-common.h" +#include "utils.h" + +/* Tests whether setting an OCSP response to a server + * is working as expected */ + +static time_t mytime(time_t * t) +{ + time_t then = 1469186559; + if (t) + *t = then; + + return then; +} + +#define RESP1 
"\x30\x82\x06\x8C\x0A\x01\x00\xA0\x82\x06\x85\x30\x82\x06\x81\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x06\x72\x30\x82\x06\x6E\x30\x82\x01\x07\xA1\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\x30\x64\x30\x62\x30\x3A\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x13\x9D\xA0\x9E\xF4\x32\xAB\x8F\xE2\x89\x56\x67\xFA\xD0\xD4\xE3\x35\x86\x71\xB9\x04\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\x02\x01\x1D\x80\x00\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\xA0\x11\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x39\x32\x38\x5A\xA1\x23\x30\x21\x30\x1F\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x02\x04\x12\x04\x10\x16\x89\x7D\x91\x3A\xB5\x25\xA4\x45\xFE\xC9\xFD\xC2\xE5\x08\xA4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4E\xAD\x6B\x2B\xF7\xF2\xBF\xA9\x23\x1E\x3A\x0B\x06\xDB\x55\x53\x2B\x64\x54\x11\x32\xBF\x60\xF7\x4F\xE0\x8E\x9B\xA0\xA2\x4C\x79\xC3\x2A\xE0\x43\xF7\x40\x1A\xDC\xB9\xB4\x25\xEF\x48\x01\x97\x8C\xF5\x1E\xDB\xD1\x30\x37\x73\x69\xD6\xA7\x7A\x2D\x8E\xDE\x5C\xAA\xEA\x39\xB9\x52\xAA\x25\x1E\x74\x7D\xF9\x78\x95\x8A\x92\x1F\x98\x21\xF4\x60\x7F\xD3\x28\xEE\x47\x9C\xBF\xE2\x5D\xF6\x3F\x68\x0A\xD6\xFF\x08\xC1\xDC\x95\x1E\x29\xD7\x3E\x85\xD5\x65\xA4\x4B\xC0\xAF\xC3\x78\xAB\x06\x98\x88\x19\x8A\x64\xA6\x83\x91\x87\x13\xDB\x17\xCC\x46\xBD\xAB\x4E\xC7\x16\xD1\xF8\x35\xFD\x27\xC8\xF6\x6B\xEB\x37\xB8\x08\x6F\xE2\x6F\xB4\x7E\xD5\x68\xDB\x7F\x5D\x5E\x36\x38\xF2\x77\x59\x13\xE7\x3E\x4D\x67\x5F\xDB\xA2\xF5\x5D\x7C\xBF\xBD\xB5\x3
7\x33\x51\x36\x63\xF8\x21\x1E\xFC\x73\x8F\x32\x69\xBB\x97\xA7\xBD\xF1\xB6\xE0\x40\x09\x68\xEA\xD5\x93\xB8\xBB\x39\x8D\xA8\x16\x1B\xBF\x04\x7A\xBC\x18\x43\x01\xE9\x3C\x19\x5C\x4D\x4B\x98\xD8\x23\x37\x39\xA4\xC4\xDD\xED\x9C\xEC\x37\xAB\x66\x44\x9B\xE7\x5B\x5D\x32\xA2\xDB\xA6\x0B\x3B\x8C\xE1\xF5\xDB\xCB\x7D\x58\xA0\x82\x04\x4B\x30\x82\x04\x47\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x39\x31\x31\x32\x34\x31\x32\x35\x31\x35\x33\x5A\x17\x0D\x31\x34\x31\x31\x32\x33\x31\x32\x35\x31\x35\x33\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x05\x3E\x4B\xBE\xC6\xB1\x33\x48\x0E\xC3\xD4\x0C\xEF\x83\x0B\xBD\xBC\x57\x5F\x14\xEF\xF5\x6D\x0B\xFF\xFA\x01\x9C\xFA\x21\x6D\x5C\xAE\x79\x29\x74\xFE\xBD\xAB\x70\x87\x98\x6B\x48\x35\x79\xE3\xE0\xC1\x14\x41\x1F\x0A\xF7\xE7\xA3\xA6\xDA\x6B\xFF\xCD\x74\xE9\x95\x00\x38\xAA\xD6\x3A\x60\xC6\x64\xA1\xE6\x02\x39\x58\x4E\xFD\xF2\x78\x08\x63\xB6\xD7\x7A\x96\x79\x62\x18\x39\xEE\x27\x8D\x3B\xA2\x3D\x48\x88\xDB\x43\xD6\x6A\x77\x20\x6A\x27\x39\x50\xE0\x02\x50\x19\xF2\x7A\xCF\x78\x23\x99\x01\xD4\xE5\xB1\xD1\x31\xE6\x6B\x84\xAF\xD0\x77\x41\x46\x85\xB0\x3B\xE6\x6A\x00\x0F\x3B\x7
E\x95\x7F\x59\xA8\x22\xE8\x49\x49\x05\xC8\xCB\x6C\xEE\x47\xA7\x2D\xC9\x74\x5B\xEB\x8C\xD5\x99\xC2\xE2\x70\xDB\xEA\x87\x43\x84\x0E\x4F\x83\x1C\xA6\xEB\x1F\x22\x38\x17\x69\x9B\x72\x12\x95\x48\x71\xB2\x7B\x92\x73\x52\xAB\xE3\x1A\xA5\xD3\xF4\x44\x14\xBA\xC3\x35\xDA\x91\x6C\x7D\xB4\xC2\x00\x07\xD8\x0A\x51\xF1\x0D\x4C\xD9\x7A\xD1\x99\xE6\xA8\x8D\x0A\x80\xA8\x91\xDD\x8A\xA2\x6B\xF6\xDB\xB0\x3E\xC9\x71\xA9\xE0\x39\xC3\xA3\x58\x0D\x87\xD0\xB2\xA7\x9C\xB7\x69\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x09\x06\x03\x55\x1D\x13\x04\x02\x30\x00\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x03\xA8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x34\x91\x6E\x91\x32\xBF\x35\x25\x43\xCC\x28\x74\xEF\x82\xC2\x57\x92\x79\x13\x73\x30\x6D\x06\x03\x55\x1D\x23\x04\x66\x30\x64\x80\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x01\x00\x30\x1E\x06\x03\x55\x1D\x11\x04\x17\x30\x15\x82\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x13\x06\x03\x55\x1D\x25\x04\x0C\x30\x0A\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x2F\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6D\x78\xD7\x66\x90\xA6\xEB\xDD\xB5\x09\x48\xA4\xDA\x27\xFA\xAC\xB1\xBC\x8F\x8C\xBE\xCC\x8C\x09\xA2\x40\x0D\x6C\x4A\xAE\x72\x22\x1E\xC8\xAF\x6D\xF1\x12\xAF\xD7\x40\x51\x79\xD4\xDD\xB2\x0C\xDB\x97\x84\xB6\x24\xD5\xF5\xA8\xBB\xC0\x4B\xF9\x7F\x71\xF7\xB0\x65\x42\x4A\x7D\xFE\x76\x7E\x05\xD2\x46\xB8\x7D\xB
3\x39\x4C\x5C\xB1\xFA\xB9\xEE\x3B\x70\x33\x39\x57\x1A\xB9\x95\x51\x33\x00\x25\x1B\x4C\xAA\xB4\xA7\x55\xAF\x63\x6D\x6F\x88\x17\x6A\x7F\xB0\x97\xDE\x49\x14\x6A\x27\x6A\xB0\x42\x80\xD6\xA6\x9B\xEF\x04\x5E\x11\x7D\xD5\x8E\x54\x20\xA2\x76\xD4\x66\x58\xAC\x9C\x12\xD3\xF5\xCA\x54\x98\xCA\x21\xEC\xC1\x55\xA1\x2F\x68\x0B\x5D\x04\x50\xD2\x5E\x70\x25\xD8\x13\xD9\x44\x51\x0E\x8A\x42\x08\x18\x84\xE6\x61\xCE\x5A\x7D\x7B\x81\x35\x90\xC3\xD4\x9D\x19\xB6\x37\xEE\x8F\x63\x5C\xDA\xD8\xF0\x64\x60\x39\xEB\x9B\x1C\x54\x66\x75\x76\xB5\x0A\x58\xB9\x3F\x91\xE1\x21\x9C\xA0\x50\x15\x97\xB6\x7E\x41\xBC\xD0\xC4\x21\x4C\xF5\xD7\xF0\x13\xF8\x77\xE9\x74\xC4\x8A\x0E\x20\x17\x32\xAE\x38\xC2\xA5\xA8\x62\x85\x17\xB1\xA2\xD3\x22\x9F\x95\xB7\xA3\x4C" + +static gnutls_datum_t ocsp_resp1 = + { (unsigned char *) RESP1, sizeof(RESP1) - 1 }; + +static void check_response(gnutls_session_t session, void *priv) +{ + int ret; + gnutls_datum_t resp; + gnutls_datum_t *exp_resp = priv; + + ret = gnutls_ocsp_status_request_get(session, &resp); + if (ret < 0) { + if (priv == NULL) + return; + fail("no response was received\n"); + } + + if (priv == NULL) { + fail("not expected response, but received one\n"); + } + + if (resp.size != exp_resp->size || memcmp(resp.data, exp_resp->data, resp.size) != 0) { + fail("did not receive the expected response\n"); + } +} + +void doit(void) +{ + int ret; + gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t clicred; + const char *certfile; + const char *ocspfile1; + char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE]; + FILE *fp; + + global_init(); + gnutls_global_set_time_function(mytime); + + assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); + + certfile = get_tmpname(certname); + + fp = fopen(certfile, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost_ca3_cert_pem, 1, strlen(server_localhost_ca3_cert_pem), fp)>0); + 
assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + /* set cert with localhost name */ + ret = gnutls_certificate_set_x509_key_file2(xcred, certfile, certfile, + GNUTLS_X509_FMT_PEM, NULL, 0); + if (ret < 0) + fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret)); + + fp = fopen(certfile, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(server_localhost6_ca3_cert_pem, 1, strlen(server_localhost6_ca3_cert_pem), fp)>0); + assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0); + fclose(fp); + + /* set OCSP response */ + ocspfile1 = get_tmpname(ocspname1); + ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0); + if (ret < 0) + fail("ocsp file set failed: %s\n", gnutls_strerror(ret)); + + fp = fopen(ocspfile1, "wb"); + if (fp == NULL) + fail("error in fopen\n"); + assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0); + fclose(fp); + + /* make sure that our invalid OCSP responses are not considered in verification + */ + gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS); + if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS) + fail("error in gnutls_certificate_set_verify_flags\n"); + + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) { + fail("error in setting trust cert: %s\n", gnutls_strerror(ret)); + } + + test_cli_serv(xcred, clicred, "NORMAL", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */ + + gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); + gnutls_global_deinit(); + remove(ocspfile1); + remove(certfile); +} + +#else +void doit(void) +{ + exit(77); +} +#endif diff --git a/tests/set_x509_key_mem.c b/tests/set_x509_key_mem.c index 32df0a4ef8..e3d5e24f94 100644 --- a/tests/set_x509_key_mem.c +++ b/tests/set_x509_key_mem.c 
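Review bot: In doit() the comment above `gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);` says it keeps the invalid OCSP response out of verification, but the flag that is set only disables CRL checks, so the comment should describe what is actually being disabled and why that is sufficient for this test. Two orderings read like mistakes and deserve a comment: `gnutls_certificate_set_ocsp_status_request_file()` is called before ocspfile1 is written, and certfile is rewritten with the localhost6 certificate after `gnutls_certificate_set_x509_key_file2()` without being loaded again — presumably the first shows the response file is read at handshake time and the second that the key file was read eagerly, e.g. `/* the OCSP file is only read during the handshake, so it is written after being set */` and `/* overwrite the file: the credentials must already hold the localhost cert */`. The `fwrite(...) > 0` asserts accept a partial write; comparing the return value with the length passed in would catch a truncated certificate or response file. The fail() paths leave the two temporary files behind, which is tolerable for a test but worth a note next to the remove() calls.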
@@ -37,6 +37,7 @@ #include #endif #include +#include #include #include @@ -55,6 +56,7 @@ static void tls_log_func(int level, const char *str) void doit(void) { gnutls_certificate_credentials_t x509_cred; + gnutls_certificate_credentials_t clicred; int ret; /* this must be called once in the program @@ -65,8 +67,14 @@ void doit(void) if (debug) gnutls_global_set_log_level(6); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); gnutls_certificate_allocate_credentials(&x509_cred); + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + + ret = gnutls_certificate_set_x509_key_mem(x509_cred, &cli_cert, &server_key, GNUTLS_X509_FMT_PEM); @@ -97,10 +105,11 @@ void doit(void) exit(1); } - test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "localhost"); - test_cli_serv(x509_cred, "NORMAL", &ca3_cert, "localhost6"); + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); + test_cli_serv(x509_cred, clicred, "NORMAL", "localhost6", NULL, NULL, NULL); gnutls_certificate_free_credentials(x509_cred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); diff --git a/tests/set_x509_pkcs12_key.c b/tests/set_x509_pkcs12_key.c index 4ef8239503..852b57ce4b 100644 --- a/tests/set_x509_pkcs12_key.c +++ b/tests/set_x509_pkcs12_key.c @@ -57,6 +57,7 @@ void doit(void) { int ret; gnutls_certificate_credentials_t xcred; + gnutls_certificate_credentials_t clicred; const char *certfile = "does-not-exist.pem"; gnutls_datum_t tcert; FILE *fp; 
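Review bot: In the hunk at -65,8 the new `assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);` sits directly above the pre-existing unchecked `gnutls_certificate_allocate_credentials(&x509_cred);`; since the commit already touches this spot, the server allocation should get the same treatment, `assert(gnutls_certificate_allocate_credentials(&x509_cred) >= 0);`, so an allocation failure fails the test instead of surfacing as a null dereference in the later set_x509_key_mem call. The two blank lines added after the fail() call can be reduced to one. doit() continues outside the hunk.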
@@ -72,8 +73,13 @@ void doit(void) gnutls_certificate_free_credentials(xcred); + assert(gnutls_certificate_allocate_credentials(&clicred) >= 0); assert(gnutls_certificate_allocate_credentials(&xcred) >= 0); + ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret)); + certfile = get_tmpname(NULL); fp = fopen(certfile, "w"); @@ -99,9 +105,10 @@ void doit(void) remove(certfile); - test_cli_serv(xcred, "NORMAL", &ca3_cert, "localhost"); /* the DNS name of the first cert */ + test_cli_serv(xcred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */ gnutls_certificate_free_credentials(xcred); + gnutls_certificate_free_credentials(clicred); gnutls_global_deinit(); } diff --git a/tests/utils-adv.c b/tests/utils-adv.c index 5e8ccb9896..9e6ffdb9f3 100644 --- a/tests/utils-adv.c +++ b/tests/utils-adv.c @@ -37,8 +37,10 @@ const char *side = NULL; void -test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, - const gnutls_datum_t *ca_cert, const char *host) +test_cli_serv(gnutls_certificate_credentials_t server_cred, + gnutls_certificate_credentials_t client_cred, + const char *prio, const char *host, + void *priv, callback_func *client_cb, callback_func *server_cb) { int exit_code = EXIT_SUCCESS; int ret; @@ -46,7 +48,6 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, gnutls_session_t server; int sret = GNUTLS_E_AGAIN; /* Client stuff. */ - gnutls_certificate_credentials_t clientx509cred; gnutls_session_t client; int cret = GNUTLS_E_AGAIN; @@ -54,7 +55,6 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, reset_buffers(); /* Init server */ - gnutls_init(&server, GNUTLS_SERVER); gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, server_cred); 
@@ -63,15 +63,6 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); - /* Init client */ - ret = gnutls_certificate_allocate_credentials(&clientx509cred); - if (ret < 0) - exit(1); - - ret = gnutls_certificate_set_x509_trust_mem(clientx509cred, ca_cert, GNUTLS_X509_FMT_PEM); - if (ret < 0) - exit(1); - ret = gnutls_init(&client, GNUTLS_CLIENT); if (ret < 0) exit(1); @@ -80,7 +71,7 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, assert(gnutls_server_name_set(client, GNUTLS_NAME_DNS, host, strlen(host))>=0); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, - clientx509cred); + client_cred); if (ret < 0) exit(1); @@ -134,14 +125,17 @@ test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, } } + if (client_cb) + client_cb(client, priv); + if (server_cb) + server_cb(server, priv); + gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); gnutls_deinit(client); gnutls_deinit(server); - gnutls_certificate_free_credentials(clientx509cred); - if (debug > 0) { if (exit_code == 0) puts("Self-test successful"); diff --git a/tests/utils.h b/tests/utils.h index 3978ee87f6..fbd6b7a160 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -70,8 +70,13 @@ extern void binprint(const void *str, size_t len); int disable_system_calls(void); void sec_sleep(int sec); -void test_cli_serv(gnutls_certificate_credentials_t server_cred, const char *prio, - const gnutls_datum_t *ca_cert, const char *host); +typedef void callback_func(gnutls_session_t, void *priv); +void test_cli_serv(gnutls_certificate_credentials_t server_cred, + gnutls_certificate_credentials_t client_cred, + const char *prio, const char *host, + void *priv, + callback_func *client_cb, + callback_func *server_cb); #define TMPNAME_SIZE 128 char *get_tmpname(char s[TMPNAME_SIZE]);
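Review bot: In the hunk at -134,14 the new client_cb/server_cb calls run unconditionally after the handshake loop, whose start lies outside the hunk; if that loop records a failed handshake in exit_code rather than exiting, the callbacks are invoked on sessions that never completed, and a callback such as check_response() would then report a missing OCSP response instead of the real handshake failure. Guarding them, `if (exit_code == EXIT_SUCCESS && client_cb) client_cb(client, priv);` and the same for server_cb, keeps the callback diagnostics meaningful; if the loop already exits on failure this is only a hedge and a one-line comment saying so would do. Both callbacks receive the same priv pointer, which is not stated anywhere in the function.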
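Review bot: The new test_cli_serv() prototype changes the ownership contract — the client credentials are now supplied and freed by the caller, whereas the old version allocated a trust store from ca_cert and freed it internally — and adds two callbacks, but carries no comment. A short block comment above the prototype should state that server_cred and client_cred remain owned by the caller, that client_cb and server_cb may each be NULL and are otherwise invoked with the respective session and the same priv after the handshake and before the sessions are shut down, and that priv is passed through untouched. Since the helper no longer installs any trust anchors, every caller must now configure client_cred itself; that is worth a sentence in the same comment so new tests do not end up with an empty trust store.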