commit: r1685 - neon/branches/0.28.x/test

joe at manyfish.co.uk joe at manyfish.co.uk
Tue Aug 18 09:43:30 EDT 2009


Author: joe
Date: Tue Aug 18 06:43:29 2009
New Revision: 1685

Modified:
   neon/branches/0.28.x/test/makekeys.sh
   neon/branches/0.28.x/test/ssl.c

Log:
Merge r1429 from trunk:

Fix issues with CA list handling in the SSL server, for GnuTLS:

* test/makekeys.sh: Generate wrongcn.cert signed by the CA.

* test/ssl.c (struct ssl_server_args): Remove send_ca field.
  (check_cert): Update to expect the wrongcn subject name.
  (parse_chain, fail_wrongCN): Update to use the wrongcn cert, and to
  trust the CA cert.  
  (cc_provided_dnames): Stop using the send_ca server args field.


Modified: neon/branches/0.28.x/test/makekeys.sh
==============================================================================
--- neon/branches/0.28.x/test/makekeys.sh	(original)
+++ neon/branches/0.28.x/test/makekeys.sh	Tue Aug 18 06:43:29 2009
@@ -84,12 +84,12 @@
 csr_fields "Bad ipAddress altname 3 Dept" nowhere.example.com | \
 ${REQ} -new -key ${srcdir}/server.key -out altname8.csr
 
+csr_fields "Bad Hostname Department" nohost.example.com | \
+${REQ} -new -key ${srcdir}/server.key -out wrongcn.csr
+
 csr_fields "Self-Signed" | \
 ${MKCERT} -key ${srcdir}/server.key -out ssigned.pem
 
-csr_fields "Bad Hostname Department" nohost.example.com | \
-${MKCERT} -key ${srcdir}/server.key -out wrongcn.pem
-
 # default => T61String
 csr_fields "`echo -e 'H\0350llo World'`" localhost |
 ${MKCERT} -key ${srcdir}/server.key -out t61subj.cert
@@ -148,7 +148,8 @@
 
 ### don't put ${REQ} invocations after here
 
-for f in server client twocn caseless cnfirst missingcn justmail twoou wildcard; do
+for f in server client twocn caseless cnfirst \
+    missingcn justmail twoou wildcard wrongcn; do
   ${CA} -days 900 -in ${f}.csr -out ${f}.cert
 done
 

Modified: neon/branches/0.28.x/test/ssl.c
==============================================================================
--- neon/branches/0.28.x/test/ssl.c	(original)
+++ neon/branches/0.28.x/test/ssl.c	Tue Aug 18 06:43:29 2009
@@ -74,7 +74,6 @@
     /* client cert handling: */
     int require_cc; /* require a client cert if non-NULL */
     const char *ca_list; /* file of CA certs to verify client cert against */
-    const char *send_ca; /* file of CA certs to send in client cert request */
     int fail_silently; /* exit with success if handshake fails */
     
     /* session caching: */
@@ -120,8 +119,8 @@
         args->ca_list = CA_CERT;
     }
 
-    ne_ssl_context_set_verify(ctx, args->require_cc, args->send_ca,
-                              args->ca_list);
+    ne_ssl_context_set_verify(ctx, args->require_cc, 
+                              args->ca_list, args->ca_list);
 
     ret = ne_sock_accept_ssl(sock, ctx);
     if (ret && args->fail_silently) {
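Review bot: Passing `args->ca_list` twice to `ne_ssl_context_set_verify` reads like a copy-paste slip and deserves a comment. Going by the comment on the removed `send_ca` field, the third argument is the CA list sent in the client-cert request and the fourth is the list client certs are verified against. Something like `/* advertise exactly the CAs that client certs are verified against */` above the call would make the intent explicit. A side effect is that any test setting `ca_list` now also changes the server's trust set: the last hunk sets `args.ca_list = "calist.pem"` where it used to set only `send_ca`, so it is worth confirming that the client cert used there chains to a CA in that file. The enclosing function starts and ends outside this hunk.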
@@ -619,12 +618,15 @@
     return OK;
 }
 
+#define WRONGCN_DNAME "Bad Hostname Department, Neon Hackers Ltd, " \
+    "Cambridge, Cambridgeshire, GB"
+
 /* Check the certificate chain presented against known dnames. */
 static int check_chain(void *userdata, int fs, const ne_ssl_certificate *cert)
 {
     int *ret = userdata;
 
-    if (check_cert_dnames(cert, SERVER_DNAME, CACERT_DNAME) == FAIL) {
+    if (check_cert_dnames(cert, WRONGCN_DNAME, CACERT_DNAME) == FAIL) {
         *ret = -1;
         return 0;
     }
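Review bot: In the visible part of `check_chain` the `fs` failure bits are never examined, so the chain test would pass whatever the reason the verification callback fired. With wrongcn.cert now CA-signed and the client trusting the CA, the only expected failure is the identity mismatch, which is the value `fail_wrongCN` passes as its expected failures. A guard such as `if (fs != NE_SSL_IDMISMATCH) { *ret = -1; return 0; }` before the dname check would catch a regression where the chain is also reported as untrusted. The function body continues past the end of this hunk, so this may already be checked there.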
@@ -650,13 +652,13 @@
 {
     ne_session *sess = DEFSESS;
     int ret = 0;
-    struct ssl_server_args args = {SERVER_CERT, 0};
+    struct ssl_server_args args = {"wrongcn.cert", 0};
 
     args.ca_list = "ca/cert.pem";    
 
-    /* don't give a CA cert; should force the verify callback to be
-     * used. */
-    CALL(any_ssl_request(sess, ssl_server, &args, NULL, 
+    /* The cert is signed by the CA but has a CN mismatch, so will
+     * force the verification callback to be invoked. */
+    CALL(any_ssl_request(sess, ssl_server, &args, "ca/cert.pem", 
 			 check_chain, &ret));
     ne_session_destroy(sess);
 
@@ -779,7 +781,7 @@
 static int fail_ssl_request(char *cert, char *cacert, const char *host,
 			    const char *msg, int failures)
 {
-    return fail_ssl_request_with_error2(cert, cacert, NULL, host, NULL,
+    return fail_ssl_request_with_error2(cert, NULL, cacert, host, NULL,
                                         msg, failures, NULL);
 }        
 
@@ -790,7 +792,7 @@
  * flagged as such. */
 static int fail_wrongCN(void)
 {
-    return fail_ssl_request("wrongcn.pem", "wrongcn.pem", "localhost",
+    return fail_ssl_request("wrongcn.cert", "ca/cert.pem", "localhost",
 			    "certificate with incorrect CN was accepted",
 			    NE_SSL_IDMISMATCH);
 }
@@ -988,7 +990,7 @@
     struct ssl_server_args args = {SERVER_CERT, NULL};
 
     args.require_cc = 1;
-    args.send_ca = "calist.pem";
+    args.ca_list = "calist.pem";
 
     PRECOND(def_cli_cert);
 


