yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-08 10:09:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

x509: IP in SAN: integration tests with SSL/TLS

Browse source
This commit is contained in:
Manuel Pégourié-Gonnard 2016-01-29 14:47:09 +01:00
parent 9855d63acb
commit a9f124378d
2 changed files with 51 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
include/mbedtls/ssl.h
View file

@ -1633,12 +1633,14 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
/** /**
* \brief Set hostname for ServerName TLS extension * \brief Set hostname for ServerName TLS extension and verification
* (client-side only) * of the server's certificate (client-side only)
*
* *
* \param ssl SSL context * \param ssl SSL context
* \param hostname the server hostname * \param hostname the server hostname
* Usually a DNS hostname, but other options are available,
* see the \c exp_name parameter of \c
* mbedtls_x509_crt_verify_with_profile()
* *
* \return 0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED * \return 0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
*/ */

46
tests/ssl-opt.sh
View file

@ -1691,6 +1691,52 @@ run_test "Authentication: client no cert, ssl3" \
-C "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \
-S "X509 - Certificate verification failed" -S "X509 - Certificate verification failed"
# tests for IP adresses in subjectAlternativeName
requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
run_test "IP address in SAN: IPv4, good" \
"$P_SRV crt_file=data_files/server5-san-ip.crt \
key_file=data_files/server5.key" \
"$P_CLI debug_level=1 auth_mode=required server_name=IP:127.0.0.1" \
0 \
-C "x509_verify_cert() returned" \
-C "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
run_test "IP address in SAN: IPv4, bad" \
"$P_SRV crt_file=data_files/server5-san-ip.crt \
key_file=data_files/server5.key" \
"$P_CLI debug_level=1 auth_mode=required server_name=IP:127.0.0.2" \
1 \
-c "x509_verify_cert() returned" \
-c "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
-c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
run_test "IP address in SAN: IPv6, good" \
"$P_SRV crt_file=data_files/server5-san-ip.crt \
key_file=data_files/server5.key" \
"$P_CLI debug_level=1 auth_mode=required server_name=IP:fe80:0000:0000:0000:0000:0000:0000:0001" \
0 \
-C "x509_verify_cert() returned" \
-C "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_X509_SAN_IP_ADDRESS_SUPPORT
run_test "IP address in SAN: IPv6, bad" \
"$P_SRV crt_file=data_files/server5-san-ip.crt \
key_file=data_files/server5.key" \
"$P_CLI debug_level=1 auth_mode=required server_name=IP:fe80:0000:0000:0000:0000:0000:0000:0002" \
1 \
-c "x509_verify_cert() returned" \
-c "! The certificate Common Name (CN) or subjectAltName (SAN) does not match with the expected name" \
-c "! mbedtls_ssl_handshake returned" \
-c "X509 - Certificate verification failed"
# Tests for certificate selection based on SHA verson # Tests for certificate selection based on SHA verson
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \