authorMartin Ukrop <mukrop@redhat.com>2016-07-20 14:28:20 +0200
committerGitLab <gitlab@gitlab.com>2016-07-21 17:35:21 +0000
commit8b07e0085fa23c37d7b4c530cca1a89af6380c68 (patch)
treedea9089a6c9e0f3e3fd99329a42fef414f5c0c4b
parentfa6502d15a006f32434a3f7283c37ab167875c3d (diff)
tests: Tidy up old X509 name constraints tests
- Use convenience functions for error checking and failure reporting. - Drop explicit (de)initialization (prevents some not-freed, reachable memory due to the PKCS11 subsystem not being deinitialized in the destructor). - Use variables to count the set permitted/excluded constraints instead of hard-coded numbers.
-rw-r--r--tests/name-constraints-merge.c309
-rw-r--r--tests/name-constraints.c211
2 files changed, 227 insertions, 293 deletions
diff --git a/tests/name-constraints-merge.c b/tests/name-constraints-merge.c
index 167b8aaebb..6487bed225 100644
--- a/tests/name-constraints-merge.c
+++ b/tests/name-constraints-merge.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2016 Red Hat, Inc.
*
- * Author: Nikos Mavrogiannopoulos
+ * Authors: Nikos Mavrogiannopoulos, Martin Ukrop
*
* This file is part of GnuTLS.
*
@@ -39,222 +39,179 @@
/* Test for name constraints PKIX extension.
*/
+static void check_for_error(int ret) {
+ if (ret != GNUTLS_E_SUCCESS)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+}
+
+#define NAME_ACCEPTED 1
+#define NAME_REJECTED 0
+
+static void check_test_result(int ret, int expected_outcome, gnutls_datum_t *tested_data) {
+ if (expected_outcome == NAME_ACCEPTED ? ret == 0 : ret != 0) {
+ if (expected_outcome == NAME_ACCEPTED) {
+ fail("Checking \"%.*s\" should have succeeded.\n", tested_data->size, tested_data->data);
+ } else {
+ fail("Checking \"%.*s\" should have failed.\n", tested_data->size, tested_data->data);
+ }
+ }
+}
+
+static void set_name(const char *name, gnutls_datum_t *datum) {
+ datum->data = (unsigned char*) name;
+ datum->size = strlen((char*) name);
+}
+
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "<%d>| %s", level, str);
}
-/* deny */
-const gnutls_datum_t example_com = { (void*)"example.com", sizeof("example.com")-1 };
-const gnutls_datum_t example_net = { (void*)"example.net", sizeof("example.net")-1 };
-
-/* allowed */
-const gnutls_datum_t org = { (void*)"org", sizeof("org")-1 };
-const gnutls_datum_t ccc_com = { (void*)"ccc.com", sizeof("ccc.com")-1 };
-const gnutls_datum_t aaa_bbb_ccc_com = { (void*)"aaa.bbb.ccc.com", sizeof("aaa.bbb.ccc.com")-1 };
-
void doit(void)
{
int ret;
- gnutls_x509_name_constraints_t nc;
- gnutls_x509_name_constraints_t nc2;
+ gnutls_x509_name_constraints_t nc1, nc2;
gnutls_datum_t name;
- /* this must be called once in the program
- */
- global_init();
-
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
- /* 0: test the merge permitted */
+ /* 0: test the merge permitted name constraints
+ * NC1: permitted DNS org
+ * permitted DNS ccc.com
+ * permitted email ccc.com
+ * NC2: permitted DNS org
+ * permitted DNS aaa.bbb.ccc.com
+ */
- ret = gnutls_x509_name_constraints_init(&nc);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
ret = gnutls_x509_name_constraints_init(&nc2);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
- /* nc: dnsName: .org + ccc.com, rfc822Name: ccc.com */
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME,
- &org);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("ccc.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME,
- &ccc_com);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("ccc.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc1, GNUTLS_SAN_RFC822NAME, &name);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME,
- &ccc_com);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("org", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
- /* nc2: dnsName: .org + aaa.bbb.ccc.com */
- ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME,
- &org);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("aaa.bbb.ccc.com", &name);
+ ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc2, GNUTLS_SAN_DNSNAME,
- &aaa_bbb_ccc_com);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
- /* intersection: permit: aaa.bbb.ccc.com */
- ret = _gnutls_x509_name_constraints_merge(nc, nc2);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ /* unrelated */
+ set_name("xxx.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+ set_name("example.org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_ACCEPTED, &name);
- /* unrelated */
- name.data = (unsigned char*)"xxx.example.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking domain should have failed\n");
-
- name.data = (unsigned char*)"example.org";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
-
- name.data = (unsigned char*)"com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
-
- name.data = (unsigned char*)"xxx.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
-
- name.data = (unsigned char*)"ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
+ set_name("com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ set_name("xxx.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+ set_name("ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
/* check intersection of permitted */
- name.data = (unsigned char*)"xxx.aaa.bbb.ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
-
- name.data = (unsigned char*)"aaa.bbb.ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
-
- name.data = (unsigned char*)"xxx.bbb.ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
-
- name.data = (unsigned char*)"xxx.ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
-
- name.data = (unsigned char*)"ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
-
- name.data = (unsigned char*)"ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
-
- name.data = (unsigned char*)"xxx.ccc.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
-
- gnutls_x509_name_constraints_deinit(nc);
+ set_name("xxx.aaa.bbb.ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_ACCEPTED, &name);
+
+ set_name("aaa.bbb.ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_ACCEPTED, &name);
+
+ set_name("xxx.bbb.ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ set_name("xxx.ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ set_name("ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ set_name("ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
+ check_test_result(ret, NAME_ACCEPTED, &name);
+
+ set_name("xxx.ccc.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_RFC822NAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
gnutls_x509_name_constraints_deinit(nc2);
- /* 1: test the merge of name constraints with excluded */
+ /* 1: test the merge of excluded name constraints
+ * NC1: denied DNS example.com
+ * NC2: denied DNS example.net
+ */
- ret = gnutls_x509_name_constraints_init(&nc);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ ret = gnutls_x509_name_constraints_init(&nc1);
+ check_for_error(ret);
ret = gnutls_x509_name_constraints_init(&nc2);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME,
- &example_com);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_add_excluded(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_excluded(nc2, GNUTLS_SAN_DNSNAME,
- &example_net);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("example.net", &name);
+ ret = gnutls_x509_name_constraints_add_excluded(nc2, GNUTLS_SAN_DNSNAME, &name);
+ check_for_error(ret);
+ ret = _gnutls_x509_name_constraints_merge(nc1, nc2);
+ check_for_error(ret);
- /* intersection: permit: example.com and example.net denied */
- ret = _gnutls_x509_name_constraints_merge(nc, nc2);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ set_name("xxx.example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+ set_name("xxx.example.net", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
- /* check the union */
- name.data = (unsigned char*)"xxx.example.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking domain should have failed\n");
-
- name.data = (unsigned char*)"xxx.example.net";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking domain should have failed\n");
-
- name.data = (unsigned char*)"example.com";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking domain should have failed\n");
-
- name.data = (unsigned char*)"example.net";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking domain should have failed\n");
-
-
- /* check an allowed name */
- name.data = (unsigned char*)"example.org";
- name.size = strlen((char*)name.data);
- ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
-
- gnutls_x509_name_constraints_deinit(nc);
- gnutls_x509_name_constraints_deinit(nc2);
+ set_name("example.com", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
+
+ set_name("example.net", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_REJECTED, &name);
- gnutls_global_deinit();
+ set_name("example.org", &name);
+ ret = gnutls_x509_name_constraints_check(nc1, GNUTLS_SAN_DNSNAME, &name);
+ check_test_result(ret, NAME_ACCEPTED, &name);
+
+ gnutls_x509_name_constraints_deinit(nc1);
+ gnutls_x509_name_constraints_deinit(nc2);
if (debug)
- success("success");
+ success("Test success.\n");
}
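Review bot: check_for_error at the top of this hunk formats `__LINE__` from inside the helper, so every failure now reports the helper's own line instead of the call site that the replaced inline checks reported; the identical helper is added to tests/name-constraints.c in the hunk at @@ -39,6 +39,29 @@. Pass the caller's line through a thin macro: change the signature to `static void check_for_error_at(int ret, int line)`, print `line` in place of `__LINE__`, and add `#define check_for_error(ret) check_for_error_at((ret), __LINE__)`. In check_test_result the `%.*s` precision argument is `tested_data->size`, an unsigned int, where printf expects an int; write `(int) tested_data->size` in both fail() calls. The helper also fails on any `ret != GNUTLS_E_SUCCESS` where the old checks only failed on `ret < 0`, which is fine for the init/add/merge calls here as long as none of them returns a positive value on success. The replaced comments stating the expected merge result (`/* intersection: permit: aaa.bbb.ccc.com */`, `/* check the union */`) are worth keeping next to the new NC1/NC2 description, since the inputs alone do not say what the checks below are asserting.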
diff --git a/tests/name-constraints.c b/tests/name-constraints.c
index 346ce76323..455acd4374 100644
--- a/tests/name-constraints.c
+++ b/tests/name-constraints.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2014 Free Software Foundation, Inc.
*
- * Author: Nikos Mavrogiannopoulos
+ * Authors: Nikos Mavrogiannopoulos, Martin Ukrop
*
* This file is part of GnuTLS.
*
@@ -39,6 +39,29 @@
/* Test for name constraints PKIX extension.
*/
+static void check_for_error(int ret) {
+ if (ret != GNUTLS_E_SUCCESS)
+ fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+}
+
+#define NAME_ACCEPTED 1
+#define NAME_REJECTED 0
+
+static void check_test_result(int ret, int expected_outcome, gnutls_datum_t *tested_data) {
+ if (expected_outcome == NAME_ACCEPTED ? ret == 0 : ret != 0) {
+ if (expected_outcome == NAME_ACCEPTED) {
+ fail("Checking \"%.*s\" should have succeeded.\n", tested_data->size, tested_data->data);
+ } else {
+ fail("Checking \"%.*s\" should have failed.\n", tested_data->size, tested_data->data);
+ }
+ }
+}
+
+static void set_name(const char *name, gnutls_datum_t *datum) {
+ datum->data = (unsigned char*) name;
+ datum->size = strlen((char*) name);
+}
+
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "<%d>| %s", level, str);
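Review bot: check_for_error, check_test_result and set_name are copied verbatim from tests/name-constraints-merge.c; if more tests adopt them, a shared test header would keep the two copies from drifting. check_test_result relies on gnutls_x509_name_constraints_check returning non-zero for an accepted name and zero for a rejected one, as the expectations in the existing tests confirm, which is the opposite sense of the `ret != GNUTLS_E_SUCCESS` convention in the helper just above it; a comment on the condition such as `/* _check() returns non-zero when the name is acceptable, 0 when it is not */` saves the next reader a trip to the API docs. In set_name the cast in `strlen((char*) name)` is redundant because `name` is already a `const char *`; `datum->size = strlen(name);` reads better.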
@@ -86,16 +109,12 @@ const gnutls_datum_t mail4 = { (void*)"koko.example.net", sizeof("koko.example.n
void doit(void)
{
int ret;
- unsigned int crit, i;
+ unsigned int crit, i, permitted, excluded;
gnutls_x509_crt_t crt;
gnutls_x509_name_constraints_t nc;
unsigned type;
gnutls_datum_t name;
- /* this must be called once in the program
- */
- global_init();
-
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
@@ -103,20 +122,16 @@ void doit(void)
/* 0: test the reading of name constraints */
ret = gnutls_x509_name_constraints_init(&nc);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
ret = gnutls_x509_crt_init(&crt);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
ret = gnutls_x509_crt_import(crt, &cert, GNUTLS_X509_FMT_PEM);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
ret = gnutls_x509_crt_get_name_constraints(crt, nc, 0, &crit);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
if (crit != 0) {
fail("error reading criticality\n");
@@ -142,66 +157,56 @@ void doit(void)
/* 1: test the generation of name constraints */
+ permitted = 0;
+ excluded = 0;
+
ret = gnutls_x509_name_constraints_init(&nc);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
ret = gnutls_x509_crt_init(&crt);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
ret = gnutls_x509_crt_import(crt, &cert, GNUTLS_X509_FMT_PEM);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME,
- &name1);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ permitted++;
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME, &name1);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME,
- &name2);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ excluded++;
+ ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME, &name2);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME,
- &name3);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ excluded++;
+ ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_DNSNAME, &name3);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME,
- &name4);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ permitted++;
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_DNSNAME, &name4);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_URI,
- &name3);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ excluded++;
+ ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_URI, &name3);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME,
- &mail1);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ permitted++;
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME, &mail1);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME,
- &mail2);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ permitted++;
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME, &mail2);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME,
- &mail3);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ permitted++;
+ ret = gnutls_x509_name_constraints_add_permitted(nc, GNUTLS_SAN_RFC822NAME, &mail3);
+ check_for_error(ret);
- ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_RFC822NAME,
- &mail4);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ excluded++;
+ ret = gnutls_x509_name_constraints_add_excluded(nc, GNUTLS_SAN_RFC822NAME, &mail4);
+ check_for_error(ret);
ret = gnutls_x509_crt_set_name_constraints(crt, nc, 1);
- if (ret < 0)
- fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+ check_for_error(ret);
/* 2: test the reading of the generated constraints */
@@ -216,8 +221,8 @@ void doit(void)
}
} while(ret == 0);
- if (i-1 != 5) {
- fail("Could not read all contraints; read %d, expected %d\n", i-1, 5);
+ if (i-1 != permitted) {
+ fail("Could not read all contraints; read %d, expected %d\n", i-1, permitted);
}
i = 0;
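Review bot: The rewritten fail() call passes `permitted`, an unsigned int, to a `%d` conversion (and `i-1` is unsigned as well); the hunk at @@ -236,100 +241,72 @@ does the same with `excluded`. Use `%u` for both, and since the line is being rewritten anyway the long-standing typo can go: `fail("Could not read all constraints; read %u, expected %u\n", i-1, permitted);`. The comparison `i-1 != permitted` depends on the read loop above, which starts outside this hunk.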
@@ -236,100 +241,72 @@ void doit(void)
}
} while(ret == 0);
- if (i-1 != 4) {
- fail("Could not read all excluded contraints; read %d, expected %d\n", i-1, 4);
+ if (i-1 != excluded) {
+ fail("Could not read all excluded contraints; read %d, expected %d\n", i-1, excluded);
}
/* 3: test the name constraints check function */
/* This name constraints structure doesn't have any excluded GNUTLS_SAN_DN so
* this test should succeed */
- name.data = (unsigned char*)"ASFHAJHjhafjs";
- name.size = strlen((char*)name.data);
+ set_name("ASFHAJHjhafjs", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DN, &name);
- if (ret == 0)
- fail("Checking DN should have succeeded\n");
+ check_test_result(ret, NAME_ACCEPTED, &name);
/* Test e-mails */
- name.data = (unsigned char*)"nmav@redhat.com";
- name.size = strlen((char*)name.data);
+ set_name("nmav@redhat.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret == 0)
- fail("Checking email should have succeeded\n");
+ check_test_result(ret, NAME_ACCEPTED, &name);
- name.data = (unsigned char*)"nmav@radhat.com";
- name.size = strlen((char*)name.data);
+ set_name("nmav@radhat.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret != 0)
- fail("Checking email should have failed\n");
+ check_test_result(ret, NAME_REJECTED, &name);
- name.data = (unsigned char*)"nmav@example.com";
- name.size = strlen((char*)name.data);
+ set_name("nmav@example.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret == 0)
- fail("Checking email should have succeeded\n");
+ check_test_result(ret, NAME_ACCEPTED, &name);
- name.data = (unsigned char*)"nmav@test.example.net";
- name.size = strlen((char*)name.data);
+ set_name("nmav@test.example.net", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret == 0)
- fail("Checking email should have succeeded\n");
+ check_test_result(ret, NAME_ACCEPTED, &name);
- name.data = (unsigned char*)"nmav@example.net";
- name.size = strlen((char*)name.data);
+ set_name("nmav@example.net", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret != 0)
- fail("Checking email should have failed\n");
+ check_test_result(ret, NAME_REJECTED, &name);
- name.data = (unsigned char*)"nmav@koko.example.net";
- name.size = strlen((char*)name.data);
+ set_name("nmav@koko.example.net", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME, &name);
- if (ret != 0)
- fail("Checking email should have failed\n");
+ check_test_result(ret, NAME_REJECTED, &name);
/* This name constraints structure does have an excluded URI so
* this test should fail */
- name.data = (unsigned char*)"http://www.com";
- name.size = strlen((char*)name.data);
+ set_name("http://www.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_URI, &name);
- if (ret != 0)
- fail("Checking URI should have failed\n");
+ check_test_result(ret, NAME_REJECTED, &name);
- name.data = (unsigned char*)"goodexample.com";
- name.size = strlen((char*)name.data);
+ set_name("goodexample.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
+ check_test_result(ret, NAME_ACCEPTED, &name);
- name.data = (unsigned char*)"good.com";
- name.size = strlen((char*)name.data);
+ set_name("good.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
+ check_test_result(ret, NAME_ACCEPTED, &name);
- name.data = (unsigned char*)"www.example.com";
- name.size = strlen((char*)name.data);
+ set_name("www.example.com", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
+ check_test_result(ret, NAME_REJECTED, &name);
- name.data = (unsigned char*)"www.example.net";
- name.size = strlen((char*)name.data);
+ set_name("www.example.net", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret != 0)
- fail("Checking %s should have failed\n", name.data);
+ check_test_result(ret, NAME_REJECTED, &name);
- name.data = (unsigned char*)"www.example.gr";
- name.size = strlen((char*)name.data);
+ set_name("www.example.gr", &name);
ret = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME, &name);
- if (ret == 0)
- fail("Checking %s should have succeeded\n", name.data);
+ check_test_result(ret, NAME_ACCEPTED, &name);
gnutls_x509_name_constraints_deinit(nc);
gnutls_x509_crt_deinit(crt);
- gnutls_global_deinit();
-
if (debug)
- success("success");
+ success("Test success.\n");
}