Add x509_constraints.c - a new implementation of x509 name constraints, with

regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit ok jsing@
author: beck <> 2020-09-11 18:34:29 +0000
committer: beck <> 2020-09-11 18:34:29 +0000
commit: 86186e0432ea06c0067e1a468d1c13e49bbce996 (patch)
tree: 72fbaf173cde91943a60047f07ba0ce99e8116ab /src/regress/lib/libcrypto/x509/constraints.c
parent: cb4349853bf54ac34c4b6615aa3102e8d10f685f (diff)
download: openbsd-86186e0432ea06c0067e1a468d1c13e49bbce996.tar.gz
openbsd-86186e0432ea06c0067e1a468d1c13e49bbce996.tar.bz2
openbsd-86186e0432ea06c0067e1a468d1c13e49bbce996.zip
1 files changed, 485 insertions, 0 deletions
diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c
new file mode 100644
index 0000000000..c04fc15000
--- /dev/null
+++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -0,0 +1,485 @@
+/* $OpenBSD: constraints.c */
+/*
+ * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <err.h>
+#include <string.h>
+#include <openssl/safestack.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include "x509_verify.h"
+#include "x509_internal.h"
+#define FAIL(msg, ...)                                          \
+do {                                                            \
+        fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__);  \
+        fprintf(stderr, msg, ##__VA_ARGS__);                    \
+} while(0)
+unsigned char *valid_hostnames[] = {
+        "openbsd.org",
+        "op3nbsd.org",
+        "org",
+        "3openbsd.com",
+        "3-0penb-d.c-m",
+        "a",
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+        "open_bsd.org", /* because this is liberal */
+        NULL,
+};
+unsigned char *valid_sandns_names[] = {
+        "*.ca",
+        "*.op3nbsd.org",
+        NULL,
+};
+unsigned char *valid_domain_constraints[] = {
+        "",
+        ".ca",
+        ".op3nbsd.org",
+        ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+        "www.openbsd.org",
+        NULL,
+};
+unsigned char *valid_mbox_names[] = {
+        "\"!#$%&\\\"*+-/=?\002^_`{|}~.\"@openbsd.org",
+        "beck@openbsd.org",
+        "beck@openbsd.org",
+        "beck@op3nbsd.org",
+        "beck@org",
+        "beck@3openbsd.com",
+        "beck@3-0penb-d.c-m",
+        "bec@a",
+        "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
+        "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+        "beck@open_bsd.org", /* because this is liberal */
+        NULL,
+};
+unsigned char *invalid_hostnames[] = {
+        "openbsd.org.",
+        "openbsd..org",
+        "openbsd.org-",
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
+        "-p3nbsd.org",
+        "openbs-.org",
+        "openbsd\n.org",
+        "open\178bsd.org",
+        "open\255bsd.org",
+        NULL,
+};
+unsigned char *invalid_sandns_names[] = {
+        "",
+        ".",
+        "*.a",
+        "*.",
+        "*.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
+        ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
+        "*.-p3nbsd.org",
+        "a*.openbsd.org",
+        "*.*..openbsd.org",
+        "*..openbsd.org",
+        ".openbsd.org",
+        NULL,
+};
+unsigned char *invalid_mbox_names[] = {
+        "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
+        "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
+        "beck@.-openbsd.org",
+        "beck@.openbsd.org.",
+        "beck@.a",
+        "beck@.",
+        "beck@",
+        "beck@.ca",
+        "@openbsd.org",
+        NULL,
+};
+unsigned char *invalid_domain_constraints[] = {
+        ".",
+        ".a",
+        "..",
+        ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
+        ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
+        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
+        ".-p3nbsd.org",
+        "..openbsd.org",
+        NULL,
+};
+unsigned char *invaliduri[] = {
+        "https://-www.openbsd.org",
+        "https://.www.openbsd.org/",
+        "https://www.ope|nbsd.org%",
+        "https://www.openbsd.org.#",
+        NULL,
+};
+static int
+test_valid_hostnames(void)
+{
+        int i, failure = 0;
+        for (i = 0; valid_hostnames[i] != NULL; i++) {
+                if (!x509_constraints_valid_host(valid_hostnames[i],
+                        strlen(valid_hostnames[i]))) {
+                        FAIL("Valid hostname '%s' rejected\n",
+                            valid_hostnames[i]);
+                        failure = 1;
+                        goto done;
+                }
+                if (!x509_constraints_valid_sandns(valid_hostnames[i],
+                        strlen(valid_hostnames[i]))) {
+                        FAIL("Valid sandns '%s' rejected\n",
+                            valid_hostnames[i]);
+                        failure = 1;
+                        goto done;
+                }
+        }
+ done:
+        return failure;
+}
+static int
+test_valid_sandns_names(void)
+{
+        int i, failure = 0;
+        for (i = 0; valid_sandns_names[i] != NULL; i++) {
+                if (!x509_constraints_valid_sandns(valid_sandns_names[i],
+                        strlen(valid_sandns_names[i]))) {
+                        FAIL("Valid dnsname '%s' rejected\n",
+                            valid_sandns_names[i]);
+                        failure = 1;
+                        goto done;
+                }
+        }
+ done:
+        return failure;
+}
+static int
+test_valid_domain_constraints(void)
+{
+        int i, failure = 0;
+        for (i = 0; valid_domain_constraints[i] != NULL; i++) {
+                if (!x509_constraints_valid_domain_constraint(valid_domain_constraints[i],
+                    strlen(valid_domain_constraints[i]))) {
+                        FAIL("Valid dnsname '%s' rejected\n",
+                            valid_domain_constraints[i]);
+                        failure = 1;
+                        goto done;
+                }
+        }
+ done:
+        return failure;
+}
+static int
+test_valid_mbox_names(void)
+{
+        struct x509_constraints_name name = {0};
+        int i, failure = 0;
+        for (i = 0; valid_mbox_names[i] != NULL; i++) {
+                if (!x509_constraints_parse_mailbox(valid_mbox_names[i],
+                    strlen(valid_mbox_names[i]), &name)) {
+                        FAIL("Valid mailbox name '%s' rejected\n",
+                            valid_mbox_names[i]);
+                        failure = 1;
+                        goto done;
+                }
+                free(name.name);
+                name.name = NULL;
+                free(name.local);
+                name.local = NULL;
+        }
+ done:
+        return failure;
+}
+static int
+test_invalid_hostnames(void)
+{
+        int i, failure = 0;
+        for (i = 0; invalid_hostnames[i] != NULL; i++) {
+                if (x509_constraints_valid_host(invalid_hostnames[i],
+                    strlen(invalid_hostnames[i]))) {
+                        FAIL("Invalid hostname '%s' accepted\n",
+                            invalid_hostnames[i]);
+                        failure = 1;
+                        goto done;
+                }
+                if (x509_constraints_valid_sandns(invalid_hostnames[i],
+                    strlen(invalid_hostnames[i]))) {
+                        FAIL("Invalid sandns '%s' accepted\n",
+                            invalid_hostnames[i]);
+                        failure = 1;
+                        goto done;
+                }
+        }
+        char *nulhost = "www.openbsd.org\0";
+        if (x509_constraints_valid_host(nulhost,
+            strlen(nulhost) + 1)) {
+                FAIL("hostname with NUL byte accepted\n");
+                failure = 1;
+                goto done;
+        }
+        if (x509_constraints_valid_sandns(nulhost,
+            strlen(nulhost) + 1)) {
+                FAIL("sandns with NUL byte accepted\n");
+                failure = 1;
+                goto done;
+        }
+ done:
+        return failure;
+}
+static int
+test_invalid_sandns_names(void)
+{
+        int i, failure = 0;
+        for (i = 0; invalid_sandns_names[i] != NULL; i++) {
+                if (x509_constraints_valid_sandns(invalid_sandns_names[i],
+                    strlen(invalid_sandns_names[i]))) {
+                        FAIL("Valid dnsname '%s' rejected\n",
+                            invalid_sandns_names[i]);
+                        failure = 1;
+                        goto done;
+                }
+        }
+ done:
+        return failure;
+}
+static int
+test_invalid_mbox_names(void)
+{
+        int i, failure = 0;
+        struct x509_constraints_name name = {0};
+        for (i = 0; invalid_mbox_names[i] != NULL; i++) {
+                if (x509_constraints_parse_mailbox(invalid_mbox_names[i],
+                    strlen(invalid_mbox_names[i]), &name)) {
+                        FAIL("invalid mailbox name '%s' accepted\n",
+                            invalid_mbox_names[i]);
+                        failure = 1;
+                        goto done;
+                }
+                free(name.name);
+                name.name = NULL;
+                free(name.local);
+                name.local = NULL;
+        }
+ done:
+        return failure;
+}
+static int
+test_invalid_domain_constraints(void)
+{
+        int i, failure = 0;
+        for (i = 0; invalid_domain_constraints[i] != NULL; i++) {
+                if (x509_constraints_valid_domain_constraint(invalid_domain_constraints[i],
+                    strlen(invalid_domain_constraints[i]))) {
+                        FAIL("invalid dnsname '%s' accepted\n",
+                            invalid_domain_constraints[i]);
+                        failure = 1;
+                        goto done;
+                }
+        }
+ done:
+        return failure;
+}
+static int
+test_invalid_uri(void) {
+        int j, failure=0;
+        char *hostpart;
+        for (j = 0; invaliduri[j] != NULL; j++) {
+                if (x509_constraints_uri_host(invaliduri[j],
+                        strlen(invaliduri[j]), &hostpart) != 0) {
+                        FAIL("invalid URI '%s' accepted\n",
+                            invaliduri[j]);
+                        failure = 1;
+                }
+                goto done;
+        }
+ done:
+        return failure;
+}
+static int
+test_constraints1()
+{
+        char *c; size_t cl;
+        char *d; size_t dl;
+        int failure = 0;
+        int error = 0;
+        int i, j;
+        unsigned char *constraints[] = {
+                ".org",
+                ".openbsd.org",
+                "www.openbsd.org",
+                NULL,
+        };
+        unsigned char *failing[] = {
+                ".ca",
+                "openbsd.ca",
+                "org",
+                NULL,
+        };
+        unsigned char *matching[] = {
+                "www.openbsd.org",
+                NULL,
+        };
+        unsigned char *matchinguri[] = {
+                "https://www.openbsd.org",
+                "https://www.openbsd.org/",
+                "https://www.openbsd.org?",
+                "https://www.openbsd.org#",
+                "herp://beck@www.openbsd.org:",
+                "spiffe://beck@www.openbsd.org/this/is/so/spiffe/",
+                NULL,
+        };
+        unsigned char *failinguri[] = {
+                "https://www.openbsd.ca",
+                "https://www.freebsd.com/",
+                "https://www.openbsd.net?",
+                "https://org#",
+                "herp://beck@org:",
+                NULL,
+        };
+        for (i = 0; constraints[i] != NULL; i++) {
+                char *constraint = constraints[i];
+                size_t clen = strlen(constraints[i]);
+                for (j = 0; matching[j] != NULL; j++) {
+                        if (!x509_constraints_domain(matching[j],
+                            strlen(matching[j]), constraint, clen)) {
+                                FAIL("constraint '%s' should have matched"
+                                    " '%s'\n",
+                                    constraint, matching[j]);
+                                failure = 1;
+                                goto done;
+                        }
+                }
+                for (j = 0; matchinguri[j] != NULL; j++) {
+                        error = 0;
+                        if (!x509_constraints_uri(matchinguri[j],
+                            strlen(matchinguri[j]), constraint, clen, &error)) {
+                                FAIL("constraint '%s' should have matched URI"
+                                    " '%s' (error %d)\n",
+                                    constraint, matchinguri[j], error);
+                                failure = 1;
+                                goto done;
+                        }
+                }
+                for (j = 0; failing[j] != NULL; j++) {
+                        if (x509_constraints_domain(failing[j],
+                            strlen(failing[j]), constraint, clen)) {
+                                FAIL("constraint '%s' should not have matched"
+                                    " '%s'\n",
+                                    constraint, failing[j]);
+                                failure = 1;
+                                goto done;
+                        }
+                }
+                for (j = 0; failinguri[j] != NULL; j++) {
+                        error = 0;
+                        if (x509_constraints_uri(failinguri[j],
+                            strlen(failinguri[j]), constraint, clen, &error)) {
+                                FAIL("constraint '%s' should not have matched URI"
+                                    " '%s' (error %d)\n",
+                                    constraint, failinguri[j], error);
+                                failure = 1;
+                                goto done;
+                        }
+                }
+        }
+        c = ".openbsd.org";
+        cl = strlen(".openbsd.org");
+        d = "*.openbsd.org";
+        dl = strlen("*.openbsd.org");
+        if (!x509_constraints_domain(d, dl, c, cl)) {
+                FAIL("constraint '%s' should have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+        c = "www.openbsd.org";
+        cl = strlen("www.openbsd.org");
+        if (x509_constraints_domain(d, dl, c, cl)) {
+                FAIL("constraint '%s' should not have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+        c = "";
+        cl = 0;
+        if (!x509_constraints_domain(d, dl, c, cl)) {
+                FAIL("constraint '%s' should have matched '%s'\n",
+                    c, d);
+                failure = 1;
+                goto done;
+        }
+ done:
+        return failure;
+}
+int
+main(int argc, char **argv)
+{
+        int failed = 0;
+        failed |= test_valid_hostnames();
+        failed |= test_invalid_hostnames();
+        failed |= test_valid_sandns_names();
+        failed |= test_invalid_sandns_names();
+        failed |= test_valid_mbox_names();
+        failed |= test_invalid_mbox_names();
+        failed |= test_valid_domain_constraints();
+        failed |= test_invalid_domain_constraints();
+        failed |= test_invalid_uri();
+        failed |= test_constraints1();
+        return (failed);
+}
author	beck <>	2020-09-11 18:34:29 +0000
committer	beck <>	2020-09-11 18:34:29 +0000
commit	86186e0432ea06c0067e1a468d1c13e49bbce996 (patch)
tree	72fbaf173cde91943a60047f07ba0ce99e8116ab /src/regress/lib/libcrypto/x509/constraints.c
parent	cb4349853bf54ac34c4b6615aa3102e8d10f685f (diff)
download	openbsd-86186e0432ea06c0067e1a468d1c13e49bbce996.tar.gz openbsd-86186e0432ea06c0067e1a468d1c13e49bbce996.tar.bz2 openbsd-86186e0432ea06c0067e1a468d1c13e49bbce996.zip

diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c new file mode 100644 index 0000000000..c04fc15000 --- /dev/null +++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -0,0 +1,485 @@
	1	/* $OpenBSD: constraints.c */
	2	/*
	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include <err.h>
	19	#include <string.h>
	20
	21	#include <openssl/safestack.h>
	22	#include <openssl/x509.h>
	23	#include <openssl/x509v3.h>
	24	#include "x509_verify.h"
	25	#include "x509_internal.h"
	26
	27
	28	#define FAIL(msg, ...) \
	29	do { \
	30	fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \
	31	fprintf(stderr, msg, ##__VA_ARGS__); \
	32	} while(0)
	33
	34	unsigned char *valid_hostnames[] = {
	35	"openbsd.org",
	36	"op3nbsd.org",
	37	"org",
	38	"3openbsd.com",
	39	"3-0penb-d.c-m",
	40	"a",
	41	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	42	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	43	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	44	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	45	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
	46	"open_bsd.org", /* because this is liberal */
	47	NULL,
	48	};
	49
	50	unsigned char *valid_sandns_names[] = {
	51	"*.ca",
	52	"*.op3nbsd.org",
	53	NULL,
	54	};
	55
	56	unsigned char *valid_domain_constraints[] = {
	57	"",
	58	".ca",
	59	".op3nbsd.org",
	60	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	61	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	62	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	63	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
	64	"www.openbsd.org",
	65	NULL,
	66	};
	67
	68	unsigned char *valid_mbox_names[] = {
	69	"\"!#$%&\\\"*+-/=?\002^_`{\|}~.\"@openbsd.org",
	70	"beck@openbsd.org",
	71	"beck@openbsd.org",
	72	"beck@op3nbsd.org",
	73	"beck@org",
	74	"beck@3openbsd.com",
	75	"beck@3-0penb-d.c-m",
	76	"bec@a",
	77	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	78	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	79	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	80	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	81	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
	82	"beck@open_bsd.org", /* because this is liberal */
	83	NULL,
	84	};
	85
	86	unsigned char *invalid_hostnames[] = {
	87	"openbsd.org.",
	88	"openbsd..org",
	89	"openbsd.org-",
	90	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	91	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	92	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	93	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	94	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	95	"-p3nbsd.org",
	96	"openbs-.org",
	97	"openbsd\n.org",
	98	"open\178bsd.org",
	99	"open\255bsd.org",
	100	NULL,
	101	};
	102
	103	unsigned char *invalid_sandns_names[] = {
	104	"",
	105	".",
	106	"*.a",
	107	"*.",
	108	"*.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	109	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	110	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	111	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	112	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	113	"*.-p3nbsd.org",
	114	"a*.openbsd.org",
	115	"...openbsd.org",
	116	"*..openbsd.org",
	117	".openbsd.org",
	118	NULL,
	119	};
	120
	121	unsigned char *invalid_mbox_names[] = {
	122	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	123	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	124	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	125	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	126	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	127	"beck@.-openbsd.org",
	128	"beck@.openbsd.org.",
	129	"beck@.a",
	130	"beck@.",
	131	"beck@",
	132	"beck@.ca",
	133	"@openbsd.org",
	134	NULL,
	135	};
	136
	137	unsigned char *invalid_domain_constraints[] = {
	138	".",
	139	".a",
	140	"..",
	141	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	142	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	143	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	144	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	145	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	146	".-p3nbsd.org",
	147	"..openbsd.org",
	148	NULL,
	149	};
	150
	151	unsigned char *invaliduri[] = {
	152	"https://-www.openbsd.org",
	153	"https://.www.openbsd.org/",
	154	"https://www.ope\|nbsd.org%",
	155	"https://www.openbsd.org.#",
	156	NULL,
	157	};
	158
	159	static int
	160	test_valid_hostnames(void)
	161	{
	162	int i, failure = 0;
	163
	164	for (i = 0; valid_hostnames[i] != NULL; i++) {
	165	if (!x509_constraints_valid_host(valid_hostnames[i],
	166	strlen(valid_hostnames[i]))) {
	167	FAIL("Valid hostname '%s' rejected\n",
	168	valid_hostnames[i]);
	169	failure = 1;
	170	goto done;
	171	}
	172	if (!x509_constraints_valid_sandns(valid_hostnames[i],
	173	strlen(valid_hostnames[i]))) {
	174	FAIL("Valid sandns '%s' rejected\n",
	175	valid_hostnames[i]);
	176	failure = 1;
	177	goto done;
	178	}
	179	}
	180	done:
	181	return failure;
	182	}
	183
	184	static int
	185	test_valid_sandns_names(void)
	186	{
	187	int i, failure = 0;
	188	for (i = 0; valid_sandns_names[i] != NULL; i++) {
	189	if (!x509_constraints_valid_sandns(valid_sandns_names[i],
	190	strlen(valid_sandns_names[i]))) {
	191	FAIL("Valid dnsname '%s' rejected\n",
	192	valid_sandns_names[i]);
	193	failure = 1;
	194	goto done;
	195	}
	196	}
	197	done:
	198	return failure;
	199	}
	200
	201	static int
	202	test_valid_domain_constraints(void)
	203	{
	204	int i, failure = 0;
	205	for (i = 0; valid_domain_constraints[i] != NULL; i++) {
	206	if (!x509_constraints_valid_domain_constraint(valid_domain_constraints[i],
	207	strlen(valid_domain_constraints[i]))) {
	208	FAIL("Valid dnsname '%s' rejected\n",
	209	valid_domain_constraints[i]);
	210	failure = 1;
	211	goto done;
	212	}
	213	}
	214	done:
	215	return failure;
	216	}
	217
	218	static int
	219	test_valid_mbox_names(void)
	220	{
	221	struct x509_constraints_name name = {0};
	222	int i, failure = 0;
	223	for (i = 0; valid_mbox_names[i] != NULL; i++) {
	224	if (!x509_constraints_parse_mailbox(valid_mbox_names[i],
	225	strlen(valid_mbox_names[i]), &name)) {
	226	FAIL("Valid mailbox name '%s' rejected\n",
	227	valid_mbox_names[i]);
	228	failure = 1;
	229	goto done;
	230	}
	231	free(name.name);
	232	name.name = NULL;
	233	free(name.local);
	234	name.local = NULL;
	235	}
	236	done:
	237	return failure;
	238	}
	239
	240	static int
	241	test_invalid_hostnames(void)
	242	{
	243	int i, failure = 0;
	244
	245	for (i = 0; invalid_hostnames[i] != NULL; i++) {
	246	if (x509_constraints_valid_host(invalid_hostnames[i],
	247	strlen(invalid_hostnames[i]))) {
	248	FAIL("Invalid hostname '%s' accepted\n",
	249	invalid_hostnames[i]);
	250	failure = 1;
	251	goto done;
	252	}
	253	if (x509_constraints_valid_sandns(invalid_hostnames[i],
	254	strlen(invalid_hostnames[i]))) {
	255	FAIL("Invalid sandns '%s' accepted\n",
	256	invalid_hostnames[i]);
	257	failure = 1;
	258	goto done;
	259	}
	260	}
	261	char *nulhost = "www.openbsd.org\0";
	262	if (x509_constraints_valid_host(nulhost,
	263	strlen(nulhost) + 1)) {
	264	FAIL("hostname with NUL byte accepted\n");
	265	failure = 1;
	266	goto done;
	267	}
	268	if (x509_constraints_valid_sandns(nulhost,
	269	strlen(nulhost) + 1)) {
	270	FAIL("sandns with NUL byte accepted\n");
	271	failure = 1;
	272	goto done;
	273	}
	274	done:
	275	return failure;
	276	}
	277
	278	static int
	279	test_invalid_sandns_names(void)
	280	{
	281	int i, failure = 0;
	282	for (i = 0; invalid_sandns_names[i] != NULL; i++) {
	283	if (x509_constraints_valid_sandns(invalid_sandns_names[i],
	284	strlen(invalid_sandns_names[i]))) {
	285	FAIL("Valid dnsname '%s' rejected\n",
	286	invalid_sandns_names[i]);
	287	failure = 1;
	288	goto done;
	289	}
	290	}
	291	done:
	292	return failure;
	293	}
	294
	295	static int
	296	test_invalid_mbox_names(void)
	297	{
	298	int i, failure = 0;
	299	struct x509_constraints_name name = {0};
	300	for (i = 0; invalid_mbox_names[i] != NULL; i++) {
	301	if (x509_constraints_parse_mailbox(invalid_mbox_names[i],
	302	strlen(invalid_mbox_names[i]), &name)) {
	303	FAIL("invalid mailbox name '%s' accepted\n",
	304	invalid_mbox_names[i]);
	305	failure = 1;
	306	goto done;
	307	}
	308	free(name.name);
	309	name.name = NULL;
	310	free(name.local);
	311	name.local = NULL;
	312	}
	313	done:
	314	return failure;
	315	}
	316
	317	static int
	318	test_invalid_domain_constraints(void)
	319	{
	320	int i, failure = 0;
	321	for (i = 0; invalid_domain_constraints[i] != NULL; i++) {
	322	if (x509_constraints_valid_domain_constraint(invalid_domain_constraints[i],
	323	strlen(invalid_domain_constraints[i]))) {
	324	FAIL("invalid dnsname '%s' accepted\n",
	325	invalid_domain_constraints[i]);
	326	failure = 1;
	327	goto done;
	328	}
	329	}
	330	done:
	331	return failure;
	332	}
	333
	334	static int
	335	test_invalid_uri(void) {
	336	int j, failure=0;
	337	char *hostpart;
	338	for (j = 0; invaliduri[j] != NULL; j++) {
	339	if (x509_constraints_uri_host(invaliduri[j],
	340	strlen(invaliduri[j]), &hostpart) != 0) {
	341	FAIL("invalid URI '%s' accepted\n",
	342	invaliduri[j]);
	343	failure = 1;
	344	}
	345	goto done;
	346	}
	347	done:
	348	return failure;
	349	}
	350
	351	static int
	352	test_constraints1()
	353	{
	354	char *c; size_t cl;
	355	char *d; size_t dl;
	356	int failure = 0;
	357	int error = 0;
	358	int i, j;
	359	unsigned char *constraints[] = {
	360	".org",
	361	".openbsd.org",
	362	"www.openbsd.org",
	363	NULL,
	364	};
	365	unsigned char *failing[] = {
	366	".ca",
	367	"openbsd.ca",
	368	"org",
	369	NULL,
	370	};
	371	unsigned char *matching[] = {
	372	"www.openbsd.org",
	373	NULL,
	374	};
	375	unsigned char *matchinguri[] = {
	376	"https://www.openbsd.org",
	377	"https://www.openbsd.org/",
	378	"https://www.openbsd.org?",
	379	"https://www.openbsd.org#",
	380	"herp://beck@www.openbsd.org:",
	381	"spiffe://beck@www.openbsd.org/this/is/so/spiffe/",
	382	NULL,
	383	};
	384	unsigned char *failinguri[] = {
	385	"https://www.openbsd.ca",
	386	"https://www.freebsd.com/",
	387	"https://www.openbsd.net?",
	388	"https://org#",
	389	"herp://beck@org:",
	390	NULL,
	391	};
	392	for (i = 0; constraints[i] != NULL; i++) {
	393	char *constraint = constraints[i];
	394	size_t clen = strlen(constraints[i]);
	395	for (j = 0; matching[j] != NULL; j++) {
	396	if (!x509_constraints_domain(matching[j],
	397	strlen(matching[j]), constraint, clen)) {
	398	FAIL("constraint '%s' should have matched"
	399	" '%s'\n",
	400	constraint, matching[j]);
	401	failure = 1;
	402	goto done;
	403	}
	404	}
	405	for (j = 0; matchinguri[j] != NULL; j++) {
	406	error = 0;
	407	if (!x509_constraints_uri(matchinguri[j],
	408	strlen(matchinguri[j]), constraint, clen, &error)) {
	409	FAIL("constraint '%s' should have matched URI"
	410	" '%s' (error %d)\n",
	411	constraint, matchinguri[j], error);
	412	failure = 1;
	413	goto done;
	414	}
	415	}
	416	for (j = 0; failing[j] != NULL; j++) {
	417	if (x509_constraints_domain(failing[j],
	418	strlen(failing[j]), constraint, clen)) {
	419	FAIL("constraint '%s' should not have matched"
	420	" '%s'\n",
	421	constraint, failing[j]);
	422	failure = 1;
	423	goto done;
	424	}
	425	}
	426	for (j = 0; failinguri[j] != NULL; j++) {
	427	error = 0;
	428	if (x509_constraints_uri(failinguri[j],
	429	strlen(failinguri[j]), constraint, clen, &error)) {
	430	FAIL("constraint '%s' should not have matched URI"
	431	" '%s' (error %d)\n",
	432	constraint, failinguri[j], error);
	433	failure = 1;
	434	goto done;
	435	}
	436	}
	437	}
	438	c = ".openbsd.org";
	439	cl = strlen(".openbsd.org");
	440	d = "*.openbsd.org";
	441	dl = strlen("*.openbsd.org");
	442	if (!x509_constraints_domain(d, dl, c, cl)) {
	443	FAIL("constraint '%s' should have matched '%s'\n",
	444	c, d);
	445	failure = 1;
	446	goto done;
	447	}
	448	c = "www.openbsd.org";
	449	cl = strlen("www.openbsd.org");
	450	if (x509_constraints_domain(d, dl, c, cl)) {
	451	FAIL("constraint '%s' should not have matched '%s'\n",
	452	c, d);
	453	failure = 1;
	454	goto done;
	455	}
	456	c = "";
	457	cl = 0;
	458	if (!x509_constraints_domain(d, dl, c, cl)) {
	459	FAIL("constraint '%s' should have matched '%s'\n",
	460	c, d);
	461	failure = 1;
	462	goto done;
	463	}
	464	done:
	465	return failure;
	466	}
	467
	468	int
	469	main(int argc, char **argv)
	470	{
	471	int failed = 0;
	472
	473	failed \|= test_valid_hostnames();
	474	failed \|= test_invalid_hostnames();
	475	failed \|= test_valid_sandns_names();
	476	failed \|= test_invalid_sandns_names();
	477	failed \|= test_valid_mbox_names();
	478	failed \|= test_invalid_mbox_names();
	479	failed \|= test_valid_domain_constraints();
	480	failed \|= test_invalid_domain_constraints();
	481	failed \|= test_invalid_uri();
	482	failed \|= test_constraints1();
	483
	484	return (failed);
	485	}