/*
* Copyright (C) 2017 - 2018 ARPA2 project
*
* Author: Tom Vrancken (dev@tomvrancken.nl)
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
/* This program tests the certificate type negotiation mechanism for
* the handshake as specified in RFC7250 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <gnutls/gnutls.h>
#include "utils.h"
#include "cert-common.h"
#include "eagain-common.h"
#include "crt_type-neg-common.c"
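/* Table of certificate-type negotiation scenarios driven by doit() below.
 *
 * Each entry is handed to try() (not defined in this file; presumably
 * provided by the included crt_type-neg-common.c, which also declares
 * test_case_st and the CRED_* values). As used here the fields are:
 *   .name                 label printed for the case; kept unique so a
 *                         failure can be attributed to exactly one entry
 *   .client_prio /
 *   .server_prio          GnuTLS priority strings for each side
 *   .set_cli_creds /
 *   .set_srv_creds        which credentials each side gets (CRED_*)
 *   .expected_*_ctype     certificate type each side is expected to end
 *                         up with; the four-part expected_{cli,srv}_{cli,srv}_ctype
 *                         variants are used together with
 *                         .cli_srv_may_diverge when the two peers are
 *                         allowed to disagree (TLS 1.2 Raw PK cases)
 *   .init_flags_cli /
 *   .init_flags_srv       session init flags (GNUTLS_ENABLE_RAWPK here)
 *   .request_cli_crt      whether the server asks for a client certificate
 *   .client_err /
 *   .server_err           expected handshake error codes for cases that
 *                         are meant to fail
 * Field semantics beyond this are defined by the harness — see
 * crt_type-neg-common.c.
 */
test_case_st tests[] = {
	/* Tests with only a single credential set for client/server.
	 * Tests for X.509 cases.
	 */
	{
	 /* Default case A
	  *
	  * Priority cli: NORMAL
	  * Priority srv: NORMAL
	  * Cli creds: None
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cert types should default to X.509
	  */
	 .name = "Default case A. Creds set (CLI/SRV): None/X509.",
	 .client_prio = "NORMAL",
	 .server_prio = "NORMAL",
	 .set_cli_creds = CRED_EMPTY,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Default case B
	  *
	  * Priority: NORMAL
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cert types should default to X.509
	  */
	 .name = "Default case B. Creds set (CLI/SRV): X509/X509. No cli cert asked.",
	 .client_prio = "NORMAL",
	 .server_prio = "NORMAL",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Default case C
	  *
	  * Priority: NORMAL
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cert types should default to X.509
	  */
	 .name = "Default case C. Creds set (CLI/SRV): X509/X509. Cli cert asked.",
	 .client_prio = "NORMAL",
	 .server_prio = "NORMAL",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509,
	 .request_cli_crt = true},
	{
	 /* No server credentials
	  *
	  * Priority: NORMAL
	  * Cli creds: None
	  * Srv creds: None
	  * Handshake: results in errors
	  * Negotiation: cert types are not evaluated
	  */
	 .name = "No server creds. Creds set (CLI/SRV): None/None.",
	 .client_prio = "NORMAL",
	 .server_prio = "NORMAL",
	 .set_cli_creds = CRED_EMPTY,
	 .set_srv_creds = CRED_EMPTY,
	 .client_err = GNUTLS_E_AGAIN,
	 .server_err = GNUTLS_E_NO_CIPHER_SUITES},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds x509, srv creds x509
	  *
	  * Priority: NORMAL + request x509 for cli and srv
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: Fallback to default cli X.509, srv X.509 because
	  * we advertise with only the cert type defaults. Extensions
	  * will therefore not be activated.
	  */
	 .name = "Negotiate CLI X.509 + SRV X.509. Creds set (CLI/SRV): X.509/X.509.",
	 .client_prio = "NORMAL:+CTYPE-CLI-X509:+CTYPE-SRV-X509",
	 .server_prio = "NORMAL:+CTYPE-CLI-X509:+CTYPE-SRV-X509",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds x509, srv creds x509, no cli cert asked
	  *
	  * Priority: NORMAL + request x509 for cli
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: Fallback to default cli X.509, srv X.509 because
	  * we advertise with only the cert type defaults. Extensions
	  * will therefore not be activated.
	  */
	 /* Name carries the "cert asked" distinction so this case and the
	  * next one are distinguishable in the test output. */
	 .name = "Negotiate CLI X.509. Creds set (CLI/SRV): X.509/X.509. No cli cert asked.",
	 .client_prio = "NORMAL:+CTYPE-CLI-X509",
	 .server_prio = "NORMAL:+CTYPE-CLI-X509",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds x509, srv creds x509, cli cert asked
	  *
	  * Priority: NORMAL + request x509 for cli
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: Fallback to default cli X.509, srv X.509 because
	  * we advertise with only the cert type defaults. Extensions
	  * will therefore not be activated.
	  */
	 .name = "Negotiate CLI X.509. Creds set (CLI/SRV): X.509/X.509. Cli cert asked.",
	 .client_prio = "NORMAL:+CTYPE-CLI-X509",
	 .server_prio = "NORMAL:+CTYPE-CLI-X509",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509,
	 .request_cli_crt = true},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds x509, srv creds x509
	  *
	  * Priority: NORMAL + request x509 for srv
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: Fallback to default cli X.509, srv X.509 because
	  * we advertise with only the cert type defaults. Extensions
	  * will therefore not be activated.
	  */
	 .name = "Negotiate SRV X.509. Creds set (CLI/SRV): X.509/X.509.",
	 .client_prio = "NORMAL:+CTYPE-SRV-X509",
	 .server_prio = "NORMAL:+CTYPE-SRV-X509",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Explicit cli/srv ctype negotiation, all types allowed for CLI, cli creds x509, srv creds x509
	  *
	  * Priority: NORMAL + allow all client cert types
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cli X.509 and srv X.509 because
	  * we only have X.509 credentials set.
	  */
	 .name = "Negotiate CLI all. Creds set (CLI/SRV): X.509/X.509.",
	 .client_prio = "NORMAL:+CTYPE-CLI-ALL",
	 .server_prio = "NORMAL:+CTYPE-CLI-ALL",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Explicit cli/srv ctype negotiation, all types allowed for SRV, cli creds x509, srv creds x509
	  *
	  * Priority: NORMAL + allow all server cert types
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cli X.509 and srv X.509 because
	  * we only have X.509 credentials set.
	  */
	 .name = "Negotiate SRV all. Creds set (CLI/SRV): X.509/X.509.",
	 .client_prio = "NORMAL:+CTYPE-SRV-ALL",
	 .server_prio = "NORMAL:+CTYPE-SRV-ALL",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},
	{
	 /* Explicit cli/srv ctype negotiation, all types allowed for CLI/SRV, cli creds x509, srv creds x509
	  *
	  * Priority: NORMAL + allow all client and server cert types
	  * Cli creds: X.509
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cli X.509 and srv X.509 because
	  * we only have X.509 credentials set.
	  */
	 .name = "Negotiate CLI/SRV all. Creds set (CLI/SRV): X.509/X.509.",
	 .client_prio = "NORMAL:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL",
	 .server_prio = "NORMAL:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_X509},

	/* Tests with only a single credential set for client/server.
	 * Tests for Raw public-key cases.
	 */
	{
	 /* Explicit cli/srv ctype negotiation, cli creds Raw PK, srv creds Raw PK, Req. cli cert.
	  *
	  * Priority: NORMAL + request rawpk for cli and srv
	  * Cli creds: Raw PK
	  * Srv creds: Raw PK
	  * Request client cert: yes
	  * Handshake: should complete without errors
	  * Negotiation: both parties should have a Raw PK cert negotiated
	  */
	 .name = "Negotiate CLI Raw PK + SRV Raw PK. Creds set (CLI/SRV): RawPK/RawPK. Cert req.",
	 .client_prio = "NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .server_prio = "NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_RAWPK,
	 .expected_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_ctype = GNUTLS_CRT_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = true},
	{
	 /* Explicit cli/srv ctype negotiation (TLS 1.2), cli creds Raw PK, srv creds Raw PK
	  *
	  * Priority: NORMAL + request rawpk for cli and srv
	  * Cli creds: Raw PK
	  * Srv creds: Raw PK
	  * Request client cert: no
	  * Handshake: should complete without errors
	  * Negotiation: a Raw PK server cert. A diverged state for the client
	  * cert type. The server picks Raw PK but does not send a response
	  * to the client (under TLS 1.2). The client therefore falls back to default (X.509).
	  */
	 /* Name carries the protocol version so this case and the TLS 1.3
	  * variant below are distinguishable in the test output. */
	 .name = "Negotiate CLI Raw PK + SRV Raw PK (TLS 1.2). Creds set (CLI/SRV): RawPK/RawPK.",
	 .client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .server_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_RAWPK,
	 /* Client and server legitimately disagree on the client cert type
	  * here, so the per-side expectations are spelled out separately. */
	 .expected_cli_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_cli_srv_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_srv_ctype = GNUTLS_CRT_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = false,
	 .cli_srv_may_diverge = true},
	{
	 /* Explicit cli/srv ctype negotiation (TLS 1.3), cli creds Raw PK, srv creds Raw PK
	  *
	  * Priority: NORMAL + request rawpk for cli and srv
	  * Cli creds: Raw PK
	  * Srv creds: Raw PK
	  * Request client cert: no
	  * Handshake: should complete without errors
	  * Negotiation: a Raw PK server cert and client cert. Under TLS 1.3
	  * a response is always sent by the server also when no client
	  * cert is requested. This is necessary for post-handshake authentication
	  * to work.
	  */
	 .name = "Negotiate CLI Raw PK + SRV Raw PK (TLS 1.3). Creds set (CLI/SRV): RawPK/RawPK.",
	 .client_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .server_prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_RAWPK,
	 .expected_cli_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_cli_srv_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_srv_ctype = GNUTLS_CRT_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = false,
	 .cli_srv_may_diverge = true},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds Raw PK, srv creds Raw PK
	  *
	  * Priority: NORMAL + request rawpk for cli
	  * Cli creds: Raw PK
	  * Srv creds: Raw PK
	  * Request client cert: no
	  * Handshake: fails because no valid cred (X.509) can be found for the server.
	  * Negotiation: -
	  */
	 .name = "Negotiate CLI Raw PK. Creds set (CLI/SRV): RawPK/RawPK.",
	 .client_prio = "NORMAL:+CTYPE-CLI-RAWPK",
	 .server_prio = "NORMAL:+CTYPE-CLI-RAWPK",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .client_err = GNUTLS_E_AGAIN,
	 .server_err = GNUTLS_E_NO_CIPHER_SUITES},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds Raw PK, srv creds Raw PK, request cli cert.
	  *
	  * Priority: NORMAL + request rawpk for srv
	  * Cli creds: Raw PK
	  * Srv creds: Raw PK
	  * Request client cert: yes
	  * Handshake: should complete without errors
	  * Negotiation: Raw PK will be negotiated for server. Client will
	  * default to X.509.
	  */
	 .name = "Negotiate SRV Raw PK. Creds set (CLI/SRV): RawPK/RawPK.",
	 .client_prio = "NORMAL:+CTYPE-SRV-RAWPK",
	 .server_prio = "NORMAL:+CTYPE-SRV-RAWPK",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_RAWPK,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = true},
	{
	 /* Explicit cli/srv ctype negotiation, cli creds Raw PK, srv creds X.509, Request cli cert.
	  *
	  * Priority: NORMAL + request rawpk for cli and srv
	  * Cli creds: Raw PK
	  * Srv creds: X.509
	  * Request client cert: yes
	  * Handshake: should complete without errors
	  * Negotiation: Raw PK will be negotiated for client. Server will
	  * default to X.509.
	  */
	 .name = "Negotiate CLI and SRV Raw PK. Creds set (CLI/SRV): RawPK/X.509.",
	 .client_prio = "NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .server_prio = "NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_ctype = GNUTLS_CRT_X509,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = true},
	{
	 /* All types allowed for CLI, cli creds Raw PK, srv creds X.509
	  *
	  * Priority: NORMAL + allow all client cert types
	  * Cli creds: Raw PK
	  * Srv creds: X.509
	  * Handshake: should complete without errors
	  * Negotiation: cli Raw PK and srv X.509 because
	  * those are the only credentials set.
	  */
	 .name = "Negotiate CLI all. Creds set (CLI/SRV): Raw PK/X.509.",
	 .client_prio = "NORMAL:+CTYPE-CLI-ALL",
	 .server_prio = "NORMAL:+CTYPE-CLI-ALL",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_X509,
	 .expected_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_ctype = GNUTLS_CRT_X509,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = true},
	{
	 /* All types allowed for SRV, cli creds x509, srv creds Raw PK
	  *
	  * Priority: NORMAL + allow all server cert types
	  * Cli creds: X.509
	  * Srv creds: Raw PK
	  * Handshake: should complete without errors
	  * Negotiation: cli X.509 and srv Raw PK because
	  * those are the only credentials set.
	  */
	 .name = "Negotiate SRV all. Creds set (CLI/SRV): X.509/Raw PK.",
	 .client_prio = "NORMAL:+CTYPE-SRV-ALL",
	 .server_prio = "NORMAL:+CTYPE-SRV-ALL",
	 .set_cli_creds = CRED_X509,
	 .set_srv_creds = CRED_RAWPK,
	 .expected_cli_ctype = GNUTLS_CRT_X509,
	 .expected_srv_ctype = GNUTLS_CRT_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = true},
	{
	 /* All types allowed for CLI/SRV, cli creds Raw PK, srv creds Raw PK
	  *
	  * Priority: NORMAL + allow all client and server cert types
	  * Cli creds: Raw PK
	  * Srv creds: Raw PK
	  * Handshake: should complete without errors
	  * Negotiation: cli Raw PK and srv Raw PK because
	  * those are the only credentials set.
	  */
	 .name = "Negotiate CLI/SRV all. Creds set (CLI/SRV): Raw PK/Raw PK.",
	 .client_prio = "NORMAL:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL",
	 .server_prio = "NORMAL:+CTYPE-CLI-ALL:+CTYPE-SRV-ALL",
	 .set_cli_creds = CRED_RAWPK,
	 .set_srv_creds = CRED_RAWPK,
	 .expected_cli_ctype = GNUTLS_CRT_RAWPK,
	 .expected_srv_ctype = GNUTLS_CRT_RAWPK,
	 .init_flags_cli = GNUTLS_ENABLE_RAWPK,
	 .init_flags_srv = GNUTLS_ENABLE_RAWPK,
	 .request_cli_crt = true},

};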
/* Test entry point: initialises GnuTLS once, runs every entry of tests[]
 * through try() (not defined in this file; presumably provided by the
 * included crt_type-neg-common.c) and tears the library down again. */
void doit(void)
{
	const size_t case_count = sizeof(tests) / sizeof(tests[0]);

	global_init();

	for (size_t idx = 0; idx < case_count; idx++) {
		try(&tests[idx]);
	}

	gnutls_global_deinit();
}