authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-20 08:22:10 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-21 09:52:25 +0200
commitc3f23216e789241431058617ada1c39e7d9f09b5 (patch)
treedf0c7c357be3fcd7c76a6dbb7475ba4b2b3f4886
parent88b4f9036aefd0f8e20de6cae56b62be7a721b70 (diff)
tests: updated to reflect the fact that invalid dns names are rejected
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--tests/cert_verify_inv_utf8.c2
-rw-r--r--tests/mini-server-name.c86
-rw-r--r--tests/set_key_utf8.c5
-rw-r--r--tests/set_x509_key_utf8.c3
m---------tests/suite/tls-fuzzer/tlsfuzzer0
m---------tests/suite/tls-fuzzer/tlslite-ng0
-rw-r--r--tests/utils-adv.c1
7 files changed, 31 insertions, 66 deletions
diff --git a/tests/cert_verify_inv_utf8.c b/tests/cert_verify_inv_utf8.c
index a424e51075..4afd52311d 100644
--- a/tests/cert_verify_inv_utf8.c
+++ b/tests/cert_verify_inv_utf8.c
@@ -137,7 +137,7 @@ static void auto_parse(void)
test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "localhost", 0, 0);
test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκοσ.com");
test_cli_serv_vf(x509_cred, clicred, "NORMAL", "www.νίκος.com");
- test_cli_serv_vf(x509_cred, clicred, "NORMAL", "raw:www.νίκος.com");
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:www.νίκος.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
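Review bot: The new `test_cli_serv_expect` call for `raw:www.νίκος.com` carries no comment saying why this name must now fail, and the meaning of its two trailing error codes cannot be read at the call site. A one-line comment such as `/* a raw (non-IDNA) UTF-8 server name must be rejected during the handshake */` would record the intent. The last argument is `GNUTLS_E_AGAIN`, which looks like an "in progress" state rather than a final result, so the test apparently does not pin what that peer ends up seeing. The same uncommented call is added in tests/set_x509_key_utf8.c. auto_parse's body starts and ends outside the hunk.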
diff --git a/tests/mini-server-name.c b/tests/mini-server-name.c
index 05b9136a67..eba6f58110 100644
--- a/tests/mini-server-name.c
+++ b/tests/mini-server-name.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2012 Free Software Foundation, Inc.
- *
+ * Copyright (C) 2017 Red Hat, Inc.
+
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
@@ -15,9 +16,8 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifdef HAVE_CONFIG_H
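Review bot: The rewritten notice now names the "GNU Lesser General Public License", while the unchanged sentence just above it still reads "See the GNU General Public License for more details", so the header refers to two different licences. Whichever licence applies to this test file, both sentences should name the same one, e.g. `* You should have received a copy of the GNU General Public License` if the file stays under the GPL. The start of the header comment is outside this hunk.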
@@ -26,6 +26,7 @@
#include <stdio.h>
#include <stdlib.h>
+#include "cert-common.h"
#ifdef _WIN32
@@ -65,53 +66,12 @@ static void client_log_func(int level, const char *str)
fprintf(stderr, "client|<%d>| %s", level, str);
}
-static unsigned char server_cert_pem[] =
- "-----BEGIN CERTIFICATE-----\n"
- "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n"
- "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n"
- "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n"
- "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n"
- "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n"
- "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n"
- "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n"
- "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n"
- "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n"
- "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n"
- "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n"
- "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n"
- "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n";
-
-const gnutls_datum_t server_cert = { server_cert_pem,
- sizeof(server_cert_pem)
-};
-
-static unsigned char server_key_pem[] =
- "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n"
- "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n"
- "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n"
- "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n"
- "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n"
- "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n"
- "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n"
- "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n"
- "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n"
- "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n"
- "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n"
- "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n"
- "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n"
- "-----END RSA PRIVATE KEY-----\n";
-
-const gnutls_datum_t server_key = { server_key_pem,
- sizeof(server_key_pem)
-};
-
/* internal function */
int _gnutls_server_name_set_raw(gnutls_session_t session,
gnutls_server_name_type_t type,
const void *name, size_t name_length);
-static void client(const char *test_name, int fd, unsigned raw, const char *name, unsigned name_len)
+static void client(const char *test_name, int fd, unsigned raw, const char *name, unsigned name_len, int server_err)
{
int ret;
gnutls_anon_client_credentials_t anoncred;
@@ -155,9 +115,10 @@ static void client(const char *test_name, int fd, unsigned raw, const char *name
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
+ if (server_err < 0)
+ goto cleanup;
test_fail("Handshake failed\n");
- gnutls_perror(ret);
- exit(1);
+ goto cleanup;
} else {
if (debug)
test_success("Handshake was completed\n");
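Review bot: When `server_err < 0` the client treats any failed handshake as expected and jumps to `cleanup` without looking at `ret`, so the server-side comparison becomes the only check that the failure is the intended one. The remaining failure path also dropped `gnutls_perror(ret)`, so the log no longer says why the handshake failed. `test_fail("Handshake failed: %s\n", gnutls_strerror(ret));` would keep that information, using the same `test_fail`/`gnutls_strerror` combination this file already uses. client's body starts and ends outside the hunk.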
@@ -170,6 +131,7 @@ static void client(const char *test_name, int fd, unsigned raw, const char *name
gnutls_bye(session, GNUTLS_SHUT_WR);
+ cleanup:
close(fd);
gnutls_deinit(session);
@@ -190,7 +152,7 @@ static void terminate(void)
exit(1);
}
-static void server(const char *test_name, int fd, const char *name, unsigned name_len)
+static void server(const char *test_name, int fd, const char *name, unsigned name_len, int exp_err)
{
int ret;
char buffer[MAX_BUF + 1];
@@ -234,6 +196,8 @@ static void server(const char *test_name, int fd, const char *name, unsigned nam
}
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
if (ret < 0) {
+ if (exp_err == ret)
+ goto cleanup;
close(fd);
gnutls_deinit(session);
test_fail("Handshake has failed (%s)\n\n",
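Review bot: `exp_err` is consulted only inside the `ret < 0` branch, so when a rejection is expected but the handshake completes, nothing in this hunk reports it. The embedded-NULL case passes `NULL` as the expected name, so a server that accepted the handshake and simply ignored the name would, as far as the later checks visible in this diff show, still pass. Adding `if (exp_err < 0) test_fail("Handshake succeeded, expected %s\n", gnutls_strerror(exp_err));` after the failure block would make the rejection mandatory. server's body starts and ends outside the hunk, so the exact placement needs checking against the full function.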
@@ -259,7 +223,7 @@ static void server(const char *test_name, int fd, const char *name, unsigned nam
test_fail("server_name: %s/%d\n", gnutls_strerror(ret), ret);
} else {
if (name == NULL || name[0] == 0) {
- test_fail("did not received expected name\n");
+ test_fail("did not receive the expected name: got: %s\n", buffer);
exit(1);
}
if (buffer_size != strlen(buffer)) {
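Review bot: The reworded message still describes the opposite of what this branch detects: it runs when `name` is NULL or empty, i.e. the server was expected to see no name but received one. `test_fail("received an unexpected name: %s\n", buffer);` would match the condition. Printing `buffer` with `%s` stops at the first NUL byte, which matters for the embedded-NULL case, so logging `buffer_size` alongside it would make the output less ambiguous. server's body starts and ends outside the hunk.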
@@ -278,7 +242,7 @@ static void server(const char *test_name, int fd, const char *name, unsigned nam
/* do not wait for the peer to close the connection.
*/
gnutls_bye(session, GNUTLS_SHUT_WR);
-
+ cleanup:
close(fd);
gnutls_deinit(session);
@@ -294,7 +258,7 @@ static void server(const char *test_name, int fd, const char *name, unsigned nam
/* name: the name sent by client
* server_exp: the name which should be expected by the server to see
*/
-static void start(const char *test_name, unsigned raw, const char *name, unsigned len, const char *server_exp, unsigned server_exp_len)
+static void start(const char *test_name, unsigned raw, const char *name, unsigned len, const char *server_exp, unsigned server_exp_len, int server_error)
{
int fd[2];
int ret;
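Review bot: The comment above `start` documents `name` and `server_exp` but not the new `server_error` parameter; add a line such as ` * server_error: the handshake error the server is expected to return, or 0 for success`. The same value is called `server_err` in `client` and `exp_err` in `server`, so a single name across the three signatures would make the flow easier to follow. start's body continues outside the hunk.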
@@ -315,11 +279,11 @@ static void start(const char *test_name, unsigned raw, const char *name, unsigne
if (child) {
/* parent */
close(fd[1]);
- server(test_name, fd[0], server_exp, server_exp_len);
+ server(test_name, fd[0], server_exp, server_exp_len, server_error);
kill(child, SIGTERM);
} else {
close(fd[0]);
- client(test_name, fd[1], raw, name, len);
+ client(test_name, fd[1], raw, name, len, server_error);
exit(0);
}
}
@@ -337,16 +301,12 @@ void doit(void)
signal(SIGCHLD, ch_handler);
signal(SIGPIPE, SIG_IGN);
- start("NULL", 0, NULL, 0, NULL, 0);
- start("empty", 0, "", 0, "", 0);
- start("test.example.com", 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"));
- start("longtest.example.com", 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"));
-#if defined(HAVE_LIBIDN2)
- /* test invalid UTF8 */
- start("invalid-utf8", 1, "invalid\xff.example.com.", sizeof("invalid\xff.example.com")-1, NULL, 0);
-#endif
+ start("NULL", 0, NULL, 0, NULL, 0, 0);
+ start("empty", 0, "", 0, "", 0, 0);
+ start("test.example.com", 0, "test.example.com", strlen("test.example.com"), "test.example.com", strlen("test.example.com"), 0);
+ start("longtest.example.com", 0, "longtest.example.com.", strlen("longtest.example.com"), "longtest.example.com.", strlen("longtest.example.com"), 0);
/* test embedded NULL */
- start("embedded-NULL", 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0);
+ start("embedded-NULL", 1, "invalid\x00.example.com.", sizeof("invalid\x00.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
}
#endif /* _WIN32 */
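Review bot: The `invalid-utf8` case is deleted rather than converted to expect a rejection, so after this change only the embedded-NULL name exercises the invalid-name path in this test. If invalid UTF-8 names are now rejected as the commit title says, keeping it as `start("invalid-utf8", 1, "invalid\xff.example.com.", sizeof("invalid\xff.example.com")-1, NULL, 0, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);` would preserve that coverage. Whether the expected error is the same with and without libidn2 is not visible here and needs confirming. doit's body starts outside the hunk.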
diff --git a/tests/set_key_utf8.c b/tests/set_key_utf8.c
index 55788671e0..7a02e45618 100644
--- a/tests/set_key_utf8.c
+++ b/tests/set_key_utf8.c
@@ -136,9 +136,12 @@ static void auto_parse(void)
test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL); /* the DNS name of the first cert */
test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
- test_cli_serv(x509_cred, clicred, "NORMAL", "raw:简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
+ /* the raw DNS should result to verification failure as the advertized name should
+ * not be considered and the first cert should be provided */
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
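Review bot: The added comment says the raw name "should result to verification failure" with the first certificate being provided, but the call below it expects `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` from the handshake itself, which reads as the name being rejected before any certificate is verified. Reword the comment to match what is asserted, e.g. `/* a raw (non-IDNA) UTF-8 name is rejected during the handshake */`, and correct "advertized" to "advertised". auto_parse's body starts and ends outside the hunk.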
diff --git a/tests/set_x509_key_utf8.c b/tests/set_x509_key_utf8.c
index fc1ba38b23..7cc5b99ea8 100644
--- a/tests/set_x509_key_utf8.c
+++ b/tests/set_x509_key_utf8.c
@@ -175,9 +175,10 @@ void doit(void)
test_cli_serv(x509_cred, clicred, "NORMAL", "localhost", NULL, NULL, NULL);
test_cli_serv(x509_cred, clicred, "NORMAL", "www.xn--kxawhku.com", NULL, NULL, NULL); /* the previous name in IDNA format */
test_cli_serv(x509_cred, clicred, "NORMAL", "简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
- test_cli_serv(x509_cred, clicred, "NORMAL", "raw:简体中文.εξτρα.com", NULL, NULL, NULL); /* the second DNS name of cert */
test_cli_serv(x509_cred, clicred, "NORMAL", "xn--fiqu1az03c18t.xn--mxah1amo.com", NULL, NULL, NULL); /* its IDNA equivalent */
+ test_cli_serv_expect(x509_cred, clicred, "NORMAL", "NORMAL", "raw:简体中文.εξτρα.com", GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, GNUTLS_E_AGAIN);
+
gnutls_certificate_free_credentials(x509_cred);
gnutls_certificate_free_credentials(clicred);
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
-Subproject fdfa2525c0b33383037004d8130093801fbaaf4
+Subproject 744a2c8dc3b0c8ce36c4956d2713a3757b83213
diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng
-Subproject f450a90b6a29ef9d3e0742240220c3995a4497e
+Subproject 26a323a8beb51a8696f578769295db98121570b
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index 0947cd0160..0615a88c84 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
@@ -104,6 +104,7 @@ _test_cli_serv(gnutls_certificate_credentials_t server_cred,
HANDSHAKE(client, server);
} else {
HANDSHAKE_EXPECT(client, server, cli_err, serv_err);
+ goto cleanup;
}
/* check the number of certificates received and verify */
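Review bot: The added `goto cleanup;` skips the certificate-count and verification checks for every call that takes the `HANDSHAKE_EXPECT` branch, and nothing in the code says so. A comment such as `/* a failed handshake leaves no peer certificates to check */` would document it. The branch condition is outside the hunk; if this branch can also be reached with both expected errors equal to 0 (tests/cert_verify_inv_utf8.c calls `test_cli_serv_expect` with `"localhost", 0, 0`), those successful handshakes would now lose their certificate checks. _test_cli_serv's body and the `cleanup` label are outside the hunk.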