From: Nikos Mavrogiannopoulos Date: Mon, 24 Nov 2014 12:27:09 +0000 (+0100) Subject: gnutls-cli-debug: Added check for sorted certificate chain X-Git-Tag: gnutls_3_4_0~563 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1302e4c920d07e8aeba1b6375c5d337966f22d7a;p=thirdparty%2Fgnutls.git gnutls-cli-debug: Added check for sorted certificate chain --- diff --git a/src/cli-debug.c b/src/cli-debug.c index bde27b43f5..5bc55241ee 100644 --- a/src/cli-debug.c +++ b/src/cli-debug.c @@ -102,6 +102,9 @@ static const TLS_TEST tls_tests[] = { {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes", "dunno"}, {"for HTTPS server name", test_server, NULL, "failed", "not checked", 1}, + {"for certificate information", test_certificate, NULL, "", ""}, + {"for certificate chain order", test_chain_order, "sorted", "unsorted", "unknown"}, + {"for trusted CAs", test_server_cas, NULL, "", ""}, {"whether Hello Extensions are accepted", test_hello_extension, "yes", "no", "dunno"}, {"for safe renegotiation (RFC5746) support", test_safe_renegotiation, "yes", @@ -123,8 +126,6 @@ static const TLS_TEST tls_tests[] = { {"whether cipher suites not in SSL 3.0 spec are accepted", test_unknown_ciphersuites, "yes", "no", "dunno"}, {"whether a bogus TLS record version in the client hello is accepted", test_version_oob, "yes", "no", "dunno"}, - {"for certificate information", test_certificate, NULL, "", ""}, - {"for trusted CAs", test_server_cas, NULL, "", ""}, {"whether the server understands TLS closure alerts", test_bye, "yes", "no", "partially"}, /* the fact that is after the closure alert test does matter. diff --git a/src/tests.c b/src/tests.c index 96ff317df9..886f9decdf 100644 --- a/src/tests.c +++ b/src/tests.c @@ -1204,6 +1204,75 @@ test_code_t test_certificate(gnutls_session_t session) return TEST_FAILED; } +test_code_t test_chain_order(gnutls_session_t session) +{ + int ret; + const gnutls_datum_t *cert_list; + unsigned int cert_list_size = 0; + unsigned int i; + unsigned p_size; + gnutls_datum_t t; + gnutls_x509_crt_t *certs; + char *p, *pos; + + sprintf(prio_str, + INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" + ALL_MACS ":" ALL_KX ":%s", protocol_str, rest); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + if (ret == TEST_FAILED) + return ret; + + if (gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) + return TEST_IGNORE; + + cert_list = gnutls_certificate_get_peers(session, &cert_list_size); + if (cert_list_size == 0) { + ext_text = "No certificates found!"; + return TEST_IGNORE; + } + + p = 0; + p_size = 0; + pos = NULL; + for (i=0;i