From: Andrew Zaborowski <andrew.zaborowski@intel.com>
To: ell@lists.01.org
Subject: [PATCH 2/8] unit: Add l_tls_set_domain_mask tests
Date: Fri, 23 Aug 2019 02:41:32 +0200	[thread overview]
Message-ID: <20190823004138.5480-2-andrew.zaborowski@intel.com> (raw)
In-Reply-To: <20190823004138.5480-1-andrew.zaborowski@intel.com>

[-- Attachment #1: Type: text/plain, Size: 9274 bytes --]

---
 unit/test-tls.c | 169 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 169 insertions(+)

diff --git a/unit/test-tls.c b/unit/test-tls.c
index d701f42..36f9934 100644
--- a/unit/test-tls.c
+++ b/unit/test-tls.c
@@ -309,6 +309,7 @@ struct tls_conn_test {
 	const char *client_ca_cert_path;
 	const char *client_expect_identity;
 	const char **client_cipher_suites;
+	char **client_domain_mask;
 	bool expect_alert;
 	bool expect_client_start_fail;
 	enum l_tls_alert_desc alert_desc;
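Review bot: `client_domain_mask` is declared `char **` while the sibling `client_cipher_suites` two lines above is `const char **`, and every fixture in this patch fills it with string literals that are never written through. If the `l_tls_set_domain_mask()` parameter can take a `char *const *` or `const char **` (its prototype is not visible in this patch), the field should be declared the same way so the `const` fixture tables do not need a non-const compound literal; if the setter really requires a mutable `char **`, a one-line comment such as `/* char ** to match the l_tls_set_domain_mask() parameter */` would stop the next reader from "fixing" it. The enclosing `struct tls_conn_test` begins before this hunk.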
@@ -566,6 +567,9 @@ static void test_tls_with_ver(const struct tls_conn_test *test,
 	assert(l_tls_set_cacert(s[0].tls, test->server_ca_cert_path));
 	assert(l_tls_set_cacert(s[1].tls, test->client_ca_cert_path));
 
+	if (test->client_domain_mask)
+		l_tls_set_domain_mask(s[1].tls, test->client_domain_mask);
+
 	assert(l_tls_start(s[0].tls));
 	assert(!!l_tls_start(s[1].tls) == !test->expect_client_start_fail);
 
@@ -616,6 +620,152 @@ static void test_tls_version_mismatch_test(const void *data)
 				L_TLS_V10, L_TLS_V11);
 }
 
+static const struct tls_conn_test tls_conn_test_domain_match1 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) { "Foo Example Organization", NULL },
+};
+
+static const struct tls_conn_test tls_conn_test_domain_match2 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) {
+		"Foo Example Organization", "Bar Example Organization", NULL
+	},
+};
+
+static const struct tls_conn_test tls_conn_test_domain_match3 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) {
+		"Bar Example Organization", "Foo Example Organization", NULL
+	},
+};
+
+static const struct tls_conn_test tls_conn_test_domain_match4 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) { "*", NULL },
+};
+
+static const struct tls_conn_test tls_conn_test_domain_mismatch1 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) { "", NULL },
+	.expect_alert = true,
+	.alert_desc = TLS_ALERT_BAD_CERT,
+};
+
+static const struct tls_conn_test tls_conn_test_domain_mismatch2 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) { "Bar Example Organization", NULL },
+	.expect_alert = true,
+	.alert_desc = TLS_ALERT_BAD_CERT,
+};
+
+static const struct tls_conn_test tls_conn_test_domain_mismatch3 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) {
+		"Foo Example Organization.com", NULL
+	},
+	.expect_alert = true,
+	.alert_desc = TLS_ALERT_BAD_CERT,
+};
+
+static const struct tls_conn_test tls_conn_test_domain_mismatch4 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) {
+		"Foo Example Organization.*", NULL
+	},
+	.expect_alert = true,
+	.alert_desc = TLS_ALERT_BAD_CERT,
+};
+
+static const struct tls_conn_test tls_conn_test_domain_mismatch5 = {
+	.server_cert_path = CERTDIR "cert-server.pem",
+	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem",
+	.server_ca_cert_path = CERTDIR "cert-ca.pem",
+	.server_expect_identity = "/O=Bar Example Organization"
+		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example",
+	.client_cert_path = CERTDIR "cert-client.pem",
+	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem",
+	.client_ca_cert_path = CERTDIR "cert-ca.pem",
+	.client_expect_identity = "/O=Foo Example Organization"
+		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example",
+	.client_domain_mask = (char *[]) {
+		"*.Foo Example Organization", NULL
+	},
+	.expect_alert = true,
+	.alert_desc = TLS_ALERT_BAD_CERT,
+};
+
 static void test_tls_suite_test(const void *data)
 {
 	const char *suite_name = data;
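Review bot: The nine fixtures from `tls_conn_test_domain_match1` to `tls_conn_test_domain_mismatch5` repeat the same ten certificate and identity fields verbatim, so the one or two lines that actually differ per case (the mask and the expected alert) are buried, and no comment says what each case pins. A shared initializer macro plus a one-line comment per fixture would make the coverage readable: exact match, multi-entry masks matching in either position, a lone `"*"` accepting any name, and the mismatch cases showing that an empty entry, another organization's name, an appended suffix, and a trailing or leading `"*"` label all fail with `TLS_ALERT_BAD_CERT` rather than matching as substrings. The hunk's last lines belong to `test_tls_suite_test`, which continues after it.

```c
/* Fields shared by every domain-mask fixture; only the mask and the
 * expected outcome differ between cases. */
#define DOMAIN_MASK_TEST_COMMON \
	.server_cert_path = CERTDIR "cert-server.pem", \
	.server_key_path = CERTDIR "cert-server-key-pkcs8.pem", \
	.server_ca_cert_path = CERTDIR "cert-ca.pem", \
	.server_expect_identity = "/O=Bar Example Organization" \
		"/CN=Bar Example Organization/emailAddress=bar(a)mail.example", \
	.client_cert_path = CERTDIR "cert-client.pem", \
	.client_key_path = CERTDIR "cert-client-key-pkcs8.pem", \
	.client_ca_cert_path = CERTDIR "cert-ca.pem", \
	.client_expect_identity = "/O=Foo Example Organization" \
		"/CN=Foo Example Organization/emailAddress=foo(a)mail.example"

/* Exact match against the server certificate's name */
static const struct tls_conn_test tls_conn_test_domain_match1 = {
	DOMAIN_MASK_TEST_COMMON,
	.client_domain_mask = (char *[]) { "Foo Example Organization", NULL },
};

/* … remaining match fixtures unchanged apart from using the macro … */

/* A trailing "*" label must not match a name that has no label there */
static const struct tls_conn_test tls_conn_test_domain_mismatch4 = {
	DOMAIN_MASK_TEST_COMMON,
	.client_domain_mask = (char *[]) {
		"Foo Example Organization.*", NULL
	},
	.expect_alert = true,
	.alert_desc = TLS_ALERT_BAD_CERT,
};
```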
@@ -720,6 +870,25 @@ int main(int argc, char *argv[])
 	l_test_add("TLS connection version mismatch",
 			test_tls_version_mismatch_test, NULL);
 
+	l_test_add("TLS connection domain match 1", test_tls_test,
+			&tls_conn_test_domain_match1);
+	l_test_add("TLS connection domain match 2", test_tls_test,
+			&tls_conn_test_domain_match2);
+	l_test_add("TLS connection domain match 3", test_tls_test,
+			&tls_conn_test_domain_match3);
+	l_test_add("TLS connection domain match 4", test_tls_test,
+			&tls_conn_test_domain_match4);
+	l_test_add("TLS connection domain mismatch 1", test_tls_test,
+			&tls_conn_test_domain_mismatch1);
+	l_test_add("TLS connection domain mismatch 2", test_tls_test,
+			&tls_conn_test_domain_mismatch2);
+	l_test_add("TLS connection domain mismatch 3", test_tls_test,
+			&tls_conn_test_domain_mismatch3);
+	l_test_add("TLS connection domain mismatch 4", test_tls_test,
+			&tls_conn_test_domain_mismatch4);
+	l_test_add("TLS connection domain mismatch 5", test_tls_test,
+			&tls_conn_test_domain_mismatch5);
+
 	for (i = 0; tls_cipher_suite_pref[i]; i++) {
 		struct tls_cipher_suite *suite = tls_cipher_suite_pref[i];
 		struct tls_bulk_encryption_algorithm *alg = suite->encryption;
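Review bot: The nine registrations name the cases only by number (`"TLS connection domain match 1"` through `"TLS connection domain mismatch 5"`), so a failure report does not say which mask semantics broke without opening the fixture table. Naming each after what it pins would, for example `l_test_add("TLS connection domain match: lone wildcard", test_tls_test, &tls_conn_test_domain_match4);` and `l_test_add("TLS connection domain mismatch: trailing wildcard", test_tls_test, &tls_conn_test_domain_mismatch4);`. `main` starts before and continues after this hunk.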
-- 
2.20.1

