PageRenderTime 51ms CodeModel.GetById 15ms RepoModel.GetById 1ms app.codeStats 0ms

/ncat/test/test-wildcard.c

https://github.com/prakashgamit/nmap
C | 576 lines | 447 code | 84 blank | 45 comment | 129 complexity | 8df8ac76cdc641e01ca50fc7452b4d0b MD5 | raw file
Possible License(s): BSD-3-Clause, GPL-2.0, LGPL-2.0, LGPL-2.1 
    

  1. /*
    2. 

  2. Usage: ./test-wildcard
    3. 

    4. 

  4. This is a test program for the ssl_post_connect_check function. It generates
    5. 

  5. certificates with a variety of different combinations of commonNames and
    6. 

  6. dNSNames, then checks that matching names are accepted and non-matching names
    7. 

  7. are rejected. The SSL transactions happen over OpenSSL BIO pairs.
    8. 

  8. */
    9. 

  9. 

  10. #include <stdio.h>
    11. 

  11. #include <stdlib.h>
    12. 

  12. #include <unistd.h>
    13. 

  13. 

  14. #include <openssl/bio.h>
    15. 

  15. #include <openssl/ssl.h>
    16. 

  16. #include <openssl/err.h>
    17. 

  17. #include <openssl/x509.h>
    18. 

  18. #include <openssl/x509v3.h>
    19. 

  19. 

  20. #include "ncat_core.h"
    21. 

  21. 

  22. #define KEY_BITS 1024
    23. 

  23. 

  24. static int tests_run = 0, tests_passed = 0;
    25. 

  25. 

  26. /* A length-delimited string. */
    27. 

  27. struct lstr {
    28. 

  28.     size_t len;
    29. 

  29.     const char *s;
    30. 

  30. };
    31. 

  31. 

  32. /* Make an anonymous struct lstr. */
    33. 

  33. #define LSTR(s) { sizeof(s) - 1, (s) }
    34. 

  34. 

  35. /* Variable-length arrays of struct lstr are terminated with a special sentinel
    36. 

  36.    value. */
    37. 

  37. #define LSTR_SENTINEL { -1, NULL }
    38. 

  38. const struct lstr lstr_sentinel = LSTR_SENTINEL;
    39. 

  39. 

  40. int is_sentinel(const struct lstr *name) {
    41. 

  41.     return name->len == -1;
    42. 

  42. }
    43. 

  43. 

  44. int ssl_post_connect_check(SSL *ssl, const char *hostname);
    45. 

  45. 

  46. static struct lstr *check(SSL *ssl, const struct lstr names[]);
    47. 

  47. static int ssl_ctx_trust_cert(SSL_CTX *ctx, X509 *cert);
    48. 

  48. static int gen_cert(X509 **cert, EVP_PKEY **key,
    49. 

  49.     const struct lstr commonNames[], const struct lstr dNSNames[]);
    50. 

  50. static void print_escaped(const char *s, size_t len);
    51. 

  51. static void print_array(const struct lstr array[]);
    52. 

  52. static int arrays_equal(const struct lstr a[], const struct lstr b[]);
    53. 

  53. 

  54. /* Returns positive on success, 0 on failure. The various arrays must be
    55. 

  55.    NULL-terminated. */
    56. 

  56. static int test(const struct lstr commonNames[], const struct lstr dNSNames[],
    57. 

  57.     const struct lstr test_names[], const struct lstr expected[])
    58. 

  58. {
    59. 

  59.     SSL_CTX *server_ctx, *client_ctx;
    60. 

  60.     SSL *server_ssl, *client_ssl;
    61. 

  61.     BIO *server_bio, *client_bio;
    62. 

  62.     X509 *cert;
    63. 

  63.     EVP_PKEY *key;
    64. 

  64.     struct lstr *results;
    65. 

  65.     int need_accept, need_connect;
    66. 

  66.     int passed;
    67. 

  67. 

  68.     tests_run++;
    69. 

  69. 

  70.     ncat_assert(gen_cert(&cert, &key, commonNames, dNSNames) == 1);
    71. 

  71. 

  72.     ncat_assert(BIO_new_bio_pair(&server_bio, 0, &client_bio, 0) == 1);
    73. 

  73. 

  74.     server_ctx = SSL_CTX_new(SSLv23_server_method());
    75. 

  75.     ncat_assert(server_ctx != NULL);
    76. 

  76. 

  77.     client_ctx = SSL_CTX_new(SSLv23_client_method());
    78. 

  78.     ncat_assert(client_ctx != NULL);
    79. 

  79.     SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, NULL);
    80. 

  80.     SSL_CTX_set_verify_depth(client_ctx, 1);
    81. 

  81.     ssl_ctx_trust_cert(client_ctx, cert);
    82. 

  82. 

  83.     server_ssl = SSL_new(server_ctx);
    84. 

  84.     ncat_assert(server_ssl != NULL);
    85. 

  85.     SSL_set_accept_state(server_ssl);
    86. 

  86.     SSL_set_bio(server_ssl, server_bio, server_bio);
    87. 

  87.     ncat_assert(SSL_use_certificate(server_ssl, cert) == 1);
    88. 

  88.     ncat_assert(SSL_use_PrivateKey(server_ssl, key) == 1);
    89. 

  89. 

  90.     client_ssl = SSL_new(client_ctx);
    91. 

  91.     ncat_assert(client_ssl != NULL);
    92. 

  92.     SSL_set_connect_state(client_ssl);
    93. 

  93.     SSL_set_bio(client_ssl, client_bio, client_bio);
    94. 

  94. 

  95.     passed = 0;
    96. 

  96. 

  97.     need_accept = 1;
    98. 

  98.     need_connect = 1;
    99. 

  99.     do {
    100. 

  100.         int rc, err;
    101. 

  101. 

  102.         if (need_accept) {
    103. 

  103.             rc = SSL_accept(server_ssl);
    104. 

  104.             err = SSL_get_error(server_ssl, rc);
    105. 

  105.             if (rc == 1) {
    106. 

  106.                 need_accept = 0;
    107. 

  107.             } else {
    108. 

  108.                 if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) {
    109. 

  109.                     printf("SSL_accept: %s \n",
    110. 

  110.                         ERR_error_string(ERR_get_error(), NULL));
    111. 

  111.                     goto end;
    112. 

  112.                 }
    113. 

  113.             }
    114. 

  114.         }
    115. 

  115.         if (need_connect) {
    116. 

  116.             rc = SSL_connect(client_ssl);
    117. 

  117.             err = SSL_get_error(client_ssl, rc);
    118. 

  118.             if (rc == 1) {
    119. 

  119.                 need_connect = 0;
    120. 

  120.             } else {
    121. 

  121.                 if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE) {
    122. 

  122.                     printf("SSL_connect: %s \n",
    123. 

  123.                         ERR_error_string(ERR_get_error(), NULL));
    124. 

  124.                     goto end;
    125. 

  125.                 }
    126. 

  126.             }
    127. 

  127.         }
    128. 

  128.     } while (need_accept || need_connect);
    129. 

  129. 

  130.     results = check(client_ssl, test_names);
    131. 

  131.     if (arrays_equal(results, expected)) {
    132. 

  132.         tests_passed++;
    133. 

  133.         passed = 1;
    134. 

  134.         printf("PASS CN");
    135. 

  135.         print_array(commonNames);
    136. 

  136.         printf(" DNS");
    137. 

  137.         print_array(dNSNames);
    138. 

  138.         printf("\n");
    139. 

  139.     } else {
    140. 

  140.         printf("FAIL CN");
    141. 

  141.         print_array(commonNames);
    142. 

  142.         printf(" DNS");
    143. 

  143.         print_array(dNSNames);
    144. 

  144.         printf("\n");
    145. 

  145.         printf("     got ");
    146. 

  146.         print_array(results);
    147. 

  147.         printf("\n");
    148. 

  148.         printf("expected ");
    149. 

  149.         print_array(expected);
    150. 

  150.         printf("\n");
    151. 

  151.     }
    152. 

  152.     free(results);
    153. 

  153. 

  154. end:
    155. 

  155.     X509_free(cert);
    156. 

  156.     EVP_PKEY_free(key);
    157. 

  157. 

  158.     (void) BIO_destroy_bio_pair(server_bio);
    159. 

  159. 

  160.     SSL_CTX_free(server_ctx);
    161. 

  161.     SSL_CTX_free(client_ctx);
    162. 

  162. 

  163.     SSL_free(server_ssl);
    164. 

  164.     SSL_free(client_ssl);
    165. 

  165. 

  166.     return passed;
    167. 

  167. }
    168. 

  168. 

  169. /* Returns a sentinel-terminated malloc-allocated array of names that match ssl
    170. 

  170.    with ssl_post_connect_check. */
    171. 

  171. static struct lstr *check(SSL *ssl, const struct lstr names[])
    172. 

  172. {
    173. 

  173.     const struct lstr *name;
    174. 

  174.     struct lstr *results = NULL;
    175. 

  175.     size_t size = 0, capacity = 0;
    176. 

  176. 

  177.     if (names == NULL)
    178. 

  178.         return NULL;
    179. 

  179. 

  180.     for (name = names; !is_sentinel(name); name++) {
    181. 

  181.         if (ssl_post_connect_check(ssl, name->s)) {
    182. 

  182.             if (size >= capacity) {
    183. 

  183.                 capacity = (size + 1) * 2;
    184. 

  184.                 results = safe_realloc(results, (capacity + 1) * sizeof(results[0]));
    185. 

  185.             }
    186. 

  186.             results[size++] = *name;
    187. 

  187.         }
    188. 

  188.     }
    189. 

  189.     results = safe_realloc(results, (size + 1) * sizeof(results[0]));
    190. 

  190.     results[size] = lstr_sentinel;
    191. 

  191. 

  192.     return results;
    193. 

  193. }
    194. 

  194. 

  195. /* Make a certificate object trusted by an SSL_CTX. I coulnd't find a way to do
    196. 

  196.    this directly, so the certificate is written in PEM format to a temporary
    197. 

  197.    file and then loaded with SSL_CTX_load_verify_locations. Returns 1 on success
    198. 

  198.    and 0 on failure. */
    199. 

  199. static int ssl_ctx_trust_cert(SSL_CTX *ctx, X509 *cert)
    200. 

  200. {
    201. 

  201.     char name[] = "ncat-test-XXXXXX";
    202. 

  202.     int fd;
    203. 

  203.     FILE *fp;
    204. 

  204.     int rc;
    205. 

  205. 

  206.     fd = mkstemp(name);
    207. 

  207.     if (fd == -1)
    208. 

  208.         return 0;
    209. 

  209.     fp = fdopen(fd, "w");
    210. 

  210.     if (fp == NULL) {
    211. 

  211.         close(fd);
    212. 

  212.         return 0;
    213. 

  213.     }
    214. 

  214.     if (PEM_write_X509(fp, cert) == 0) {
    215. 

  215.         fclose(fp);
    216. 

  216.         return 0;
    217. 

  217.     }
    218. 

  218.     fclose(fp);
    219. 

  219. 

  220.     rc = SSL_CTX_load_verify_locations(ctx, name, NULL);
    221. 

  221.     if (rc == 0) {
    222. 

  222.         fprintf(stderr, "SSL_CTX_load_verify_locations: %s \n",
    223. 

  223.             ERR_error_string(ERR_get_error(), NULL));
    224. 

  224.     }
    225. 

  225.     if (unlink(name) == -1)
    226. 

  226.         fprintf(stderr, "unlink(\"%s\"): %s\n", name, strerror(errno));
    227. 

  227. 

  228.     return rc;
    229. 

  229. }
    230. 

  230. 

  231. static int set_dNSNames(X509 *cert, const struct lstr dNSNames[])
    232. 

  232. {
    233. 

  233.     STACK_OF(GENERAL_NAME) *gen_names;
    234. 

  234.     GENERAL_NAME *gen_name;
    235. 

  235.     X509_EXTENSION *ext;
    236. 

  236.     const struct lstr *name;
    237. 

  237. 

  238.     if (dNSNames == NULL || is_sentinel(&dNSNames[0]))
    239. 

  239.         return 1;
    240. 

  240. 

  241.     /* We break the abstraction here a bit because the normal way of setting
    242. 

  242.        a list of values, using an i2v method, uses a stack of CONF_VALUE that
    243. 

  243.        doesn't contain the length of each value. We rely on the fact that
    244. 

  244.        the internal representation (the "i" in "i2d") for
    245. 

  245.        NID_subject_alt_name is STACK_OF(GENERAL_NAME). */
    246. 

  246. 

  247.     gen_names = sk_GENERAL_NAME_new_null();
    248. 

  248.     if (gen_names == NULL)
    249. 

  249.         return 0;
    250. 

  250. 

  251.     for (name = dNSNames; !is_sentinel(name); name++) {
    252. 

  252.         gen_name = GENERAL_NAME_new();
    253. 

  253.         if (gen_name == NULL)
    254. 

  254.             goto stack_err;
    255. 

  255.         gen_name->type = GEN_DNS;
    256. 

  256.         gen_name->d.dNSName = M_ASN1_IA5STRING_new();
    257. 

  257.         if (gen_name->d.dNSName == NULL)
    258. 

  258.             goto name_err;
    259. 

  259.         if (ASN1_STRING_set(gen_name->d.dNSName, name->s, name->len) == 0)
    260. 

  260.             goto name_err;
    261. 

  261.         if (sk_GENERAL_NAME_push(gen_names, gen_name) == 0)
    262. 

  262.             goto name_err;
    263. 

  263.     }
    264. 

  264.     ext = X509V3_EXT_i2d(NID_subject_alt_name, 0, gen_names);
    265. 

  265.     if (ext == NULL)
    266. 

  266.         goto stack_err;
    267. 

  267.     if (X509_add_ext(cert, ext, -1) == 0) {
    268. 

  268.         X509_EXTENSION_free(ext);
    269. 

  269.         goto stack_err;
    270. 

  270.     }
    271. 

  271.     X509_EXTENSION_free(ext);
    272. 

  272.     sk_GENERAL_NAME_pop_free(gen_names, GENERAL_NAME_free);
    273. 

  273. 

  274.     return 1;
    275. 

  275. 

  276. name_err:
    277. 

  277.     GENERAL_NAME_free(gen_name);
    278. 

  278. 

  279. stack_err:
    280. 

  280.     sk_GENERAL_NAME_pop_free(gen_names, GENERAL_NAME_free);
    281. 

  281. 

  282.     return 0;
    283. 

  283. }
    284. 

  284. 

  285. static int gen_cert(X509 **cert, EVP_PKEY **key,
    286. 

  286.     const struct lstr commonNames[], const struct lstr dNSNames[])
    287. 

  287. {
    288. 

  288.     RSA *rsa;
    289. 

  289.     int rc;
    290. 

  290. 

  291.     *cert = NULL;
    292. 

  292.     *key = NULL;
    293. 

  293. 

  294.     /* Generate a private key. */
    295. 

  295.     *key = EVP_PKEY_new();
    296. 

  296.     if (*key == NULL)
    297. 

  297.         goto err;
    298. 

  298.     do {
    299. 

  299.         rsa = RSA_generate_key(KEY_BITS, RSA_F4, NULL, NULL);
    300. 

  300.         if (rsa == NULL)
    301. 

  301.             goto err;
    302. 

  302.         rc = RSA_check_key(rsa);
    303. 

  303.     } while (rc == 0);
    304. 

  304.     if (rc == -1)
    305. 

  305.         goto err;
    306. 

  306.     if (EVP_PKEY_assign_RSA(*key, rsa) == 0) {
    307. 

  307.         RSA_free(rsa);
    308. 

  308.         goto err;
    309. 

  309.     }
    310. 

  310. 

  311.     /* Generate a certificate. */
    312. 

  312.     *cert = X509_new();
    313. 

  313.     if (*cert == NULL)
    314. 

  314.         goto err;
    315. 

  315.     if (X509_set_version(*cert, 2) == 0) /* Version 3. */
    316. 

  316.         goto err;
    317. 

  317.     ASN1_INTEGER_set(X509_get_serialNumber(*cert), get_random_u32() & 0x7FFFFFFF);
    318. 

  318. 

  319.     /* Set the commonNames. */
    320. 

  320.     if (commonNames != NULL) {
    321. 

  321.         X509_NAME *subj;
    322. 

  322.         const struct lstr *name;
    323. 

  323. 

  324.         subj = X509_get_subject_name(*cert);
    325. 

  325.         for (name = commonNames; !is_sentinel(name); name++) {
    326. 

  326.             if (X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC,
    327. 

  327.                 (unsigned char *) name->s, name->len, -1, 0) == 0) {
    328. 

  328.                 goto err;
    329. 

  329.             }
    330. 

  330.         }
    331. 

  331.     }
    332. 

  332. 

  333.     /* Set the dNSNames. */
    334. 

  334.     if (set_dNSNames(*cert, dNSNames) == 0)
    335. 

  335.         goto err;
    336. 

  336. 

  337.     if (X509_set_issuer_name(*cert, X509_get_subject_name(*cert)) == 0
    338. 

  338.         || X509_gmtime_adj(X509_get_notBefore(*cert), 0) == 0
    339. 

  339.         || X509_gmtime_adj(X509_get_notAfter(*cert), 60) == 0
    340. 

  340.         || X509_set_pubkey(*cert, *key) == 0) {
    341. 

  341.         goto err;
    342. 

  342.     }
    343. 

  343. 

  344.     /* Sign it. */
    345. 

  345.     if (X509_sign(*cert, *key, EVP_sha1()) == 0)
    346. 

  346.         goto err;
    347. 

  347. 

  348.     return 1;
    349. 

  349. 

  350. err:
    351. 

  351.     if (*cert != NULL)
    352. 

  352.         X509_free(*cert);
    353. 

  353.     if (*key != NULL)
    354. 

  354.         EVP_PKEY_free(*key);
    355. 

  355. 

  356.     return 0;
    357. 

  357. }
    358. 

  358. 

  359. static void print_escaped(const char *s, size_t len)
    360. 

  360. {
    361. 

  361.     int c;
    362. 

  362.     for ( ; len > 0; len--) {
    363. 

  363.         c = (unsigned char) *s++;
    364. 

  364.         if (isprint(c) && !isspace(c))
    365. 

  365.             putchar(c);
    366. 

  366.         else
    367. 

  367.             printf("\\%03o", c);
    368. 

  368.     }
    369. 

  369. }
    370. 

  370. 

  371. static void print_array(const struct lstr array[])
    372. 

  372. {
    373. 

  373.     const struct lstr *p;
    374. 

  374. 

  375.     if (array == NULL) {
    376. 

  376.         printf("[]");
    377. 

  377.         return;
    378. 

  378.     }
    379. 

  379.     printf("[");
    380. 

  380.     for (p = array; !is_sentinel(p); p++) {
    381. 

  381.         if (p != array)
    382. 

  382.             printf(" ");
    383. 

  383.         print_escaped(p->s, p->len);
    384. 

  384.     }
    385. 

  385.     printf("]");
    386. 

  386. }
    387. 

  387. 

  388. static int lstr_equal(const struct lstr *a, const struct lstr *b)
    389. 

  389. {
    390. 

  390.     return a->len == b->len && memcmp(a->s, b->s, a->len) == 0;
    391. 

  391. }
    392. 

  392. 

  393. static int arrays_equal(const struct lstr a[], const struct lstr b[])
    394. 

  394. {
    395. 

  395.     if (a == NULL)
    396. 

  396.         return b == NULL;
    397. 

  397.     if (b == NULL)
    398. 

  398.         return a == NULL;
    399. 

  399.     while (!is_sentinel(a) && !is_sentinel(b)) {
    400. 

  400.         if (!lstr_equal(a, b))
    401. 

  401.             return 0;
    402. 

  402.         a++;
    403. 

  403.         b++;
    404. 

  404.     }
    405. 

  405. 

  406.     return is_sentinel(a) && is_sentinel(b);
    407. 

  407. }
    408. 

  408. 

  409. /* This is just a constant used to give a fixed length to the arrays that are
    410. 

  410.    conceptually variable-length in the test cases. Increase it if some array
    411. 

  411.    grows too big. */
    412. 

  412. #define ARR_LEN 10
    413. 

  413. 

  414. const struct lstr test_names[] = {
    415. 

  415.     LSTR("a.com"), LSTR("www.a.com"), LSTR("sub.www.a.com"),
    416. 

  416.     LSTR("www.example.com"), LSTR("example.co.uk"), LSTR("*.*.com"),
    417. 

  417.     LSTR_SENTINEL
    418. 

  418. };
    419. 

  419. 

  420. /* These tests just check that matching a single string works properly. */
    421. 

  421. struct {
    422. 

  422.     const struct lstr name[ARR_LEN];
    423. 

  423.     const struct lstr expected[ARR_LEN];
    424. 

  424. } single_tests[] = {
    425. 

  425.     { { LSTR_SENTINEL },
    426. 

  426.       { LSTR_SENTINEL } },
    427. 

  427.     { { LSTR("a.com"), LSTR_SENTINEL },
    428. 

  428.       { LSTR("a.com"), LSTR_SENTINEL } },
    429. 

  429.     { { LSTR("www.a.com"), LSTR_SENTINEL },
    430. 

  430.       { LSTR("www.a.com"), LSTR_SENTINEL } },
    431. 

  431.     { { LSTR("*.a.com"), LSTR_SENTINEL },
    432. 

  432.       { LSTR("www.a.com"), LSTR_SENTINEL } },
    433. 

  433.     { { LSTR("w*.a.com"), LSTR_SENTINEL },
    434. 

  434.       { LSTR_SENTINEL } },
    435. 

  435.     { { LSTR("*w.a.com"), LSTR_SENTINEL },
    436. 

  436.       { LSTR_SENTINEL } },
    437. 

  437.     { { LSTR("www.*.com"), LSTR_SENTINEL },
    438. 

  438.       { LSTR_SENTINEL } },
    439. 

  439.     { { LSTR("*.com"), LSTR_SENTINEL },
    440. 

  440.       { LSTR_SENTINEL } },
    441. 

  441.     { { LSTR("*.com."), LSTR_SENTINEL },
    442. 

  442.       { LSTR_SENTINEL } },
    443. 

  443.     { { LSTR("*.*.com"), LSTR_SENTINEL },
    444. 

  444.       { LSTR_SENTINEL } },
    445. 

  445.     { { LSTR("a.com\0evil.com"), LSTR_SENTINEL },
    446. 

  446.       { LSTR_SENTINEL } },
    447. 

  447. };
    448. 

  448. 

  449. /* These test different combinations of commonName and dNSName. */
    450. 

  450. struct {
    451. 

  451.     const struct lstr common[ARR_LEN];
    452. 

  452.     const struct lstr dns[ARR_LEN];
    453. 

  453.     const struct lstr expected[ARR_LEN];
    454. 

  454. } double_tests[] = {
    455. 

  455.     /* Should not match any commonName if any dNSNames exist. */
    456. 

  456.     { { LSTR("a.com"), LSTR_SENTINEL },
    457. 

  457.       { LSTR("example.co.uk"), LSTR_SENTINEL },
    458. 

  458.       { LSTR("example.co.uk"), LSTR_SENTINEL } },
    459. 

  459.     { { LSTR("a.com"), LSTR_SENTINEL },
    460. 

  460.       { LSTR("b.com"), LSTR_SENTINEL },
    461. 

  461.       { LSTR_SENTINEL } },
    462. 

  462.     /* Should check against all of the dNSNames. */
    463. 

  463.     { { LSTR_SENTINEL },
    464. 

  464.       { LSTR("a.com"), LSTR("example.co.uk"), LSTR("b.com"), LSTR_SENTINEL },
    465. 

  465.       { LSTR("a.com"), LSTR("example.co.uk"), LSTR_SENTINEL } },
    466. 

  466. };
    467. 

  467. 

  468. const struct lstr specificity_test_names[] = {
    469. 

  469.     LSTR("a.com"),
    470. 

  470.     LSTR("sub.b.com"), LSTR("sub.c.com"), LSTR("sub.d.com"),
    471. 

  471.     LSTR("sub.sub.e.com"), LSTR("sub.sub.f.com"), LSTR("sub.sub.g.com"),
    472. 

  472.     LSTR_SENTINEL
    473. 

  473. };
    474. 

  474. 

  475. /* Validation should check only the "most specific" commonName if multiple
    476. 

  476.    exist. This "most specific" term is used in RFCs 2818, 4261, and 5018 at
    477. 

  477.    least, but is not defined anywhere that I can find. Let's interpret it as the
    478. 

  478.    greatest number of name elements, with wildcard names considered less
    479. 

  479.    specific than all non-wildcard names. For ties, the name that comes later is
    480. 

  480.    considered more specific. */
    481. 

  481. struct {
    482. 

  482.     const struct lstr patterns[ARR_LEN];
    483. 

  483.     const struct lstr expected_forward;
    484. 

  484.     const struct lstr expected_backward;
    485. 

  485. } specificity_tests[] = {
    486. 

  486.     { { LSTR("a.com"), LSTR("*.b.com"), LSTR("sub.c.com"), LSTR("sub.d.com"), LSTR("*.sub.e.com"), LSTR("*.sub.f.com"), LSTR("sub.sub.g.com"), LSTR_SENTINEL },
    487. 

  487.       LSTR("sub.sub.g.com"), LSTR("sub.sub.g.com") },
    488. 

  488.     { { LSTR("a.com"), LSTR("*.b.com"), LSTR("sub.c.com"), LSTR("sub.d.com"), LSTR("*.sub.e.com"), LSTR("*.sub.f.com"), LSTR_SENTINEL },
    489. 

  489.       LSTR("sub.d.com"), LSTR("sub.c.com") },
    490. 

  490.     { { LSTR("a.com"), LSTR("*.b.com"), LSTR("sub.c.com"), LSTR("*.sub.e.com"), LSTR("*.sub.f.com"), LSTR_SENTINEL },
    491. 

  491.       LSTR("sub.c.com"), LSTR("sub.c.com") },
    492. 

  492.     { { LSTR("a.com"), LSTR("*.b.com"), LSTR("*.sub.e.com"), LSTR("*.sub.f.com"), LSTR_SENTINEL },
    493. 

  493.       LSTR("a.com"), LSTR("a.com") },
    494. 

  494.     { { LSTR("*.b.com"), LSTR("*.sub.e.com"), LSTR("*.sub.f.com"), LSTR_SENTINEL },
    495. 

  495.       LSTR("sub.sub.f.com"), LSTR("sub.sub.e.com") },
    496. 

  496.     { { LSTR("*.b.com"), LSTR("*.sub.e.com"), LSTR_SENTINEL },
    497. 

  497.       LSTR("sub.sub.e.com"), LSTR("sub.sub.e.com") },
    498. 

  498. };
    499. 

  499. 

  500. #define NELEMS(a) (sizeof(a) / sizeof(a[0]))
    501. 

  501. 

  502. void reverse(struct lstr a[])
    503. 

  503. {
    504. 

  504.     struct lstr tmp;
    505. 

  505.     unsigned int i, j;
    506. 

  506. 

  507.     i = 0;
    508. 

  508.     for (j = 0; !is_sentinel(&a[j]); j++)
    509. 

  509.         ;
    510. 

  510.     if (j == 0)
    511. 

  511.         return;
    512. 

  512.     j--;
    513. 

  513.     while (i < j) {
    514. 

  514.         tmp = a[i];
    515. 

  515.         a[i] = a[j];
    516. 

  516.         a[j] = tmp;
    517. 

  517.         i++;
    518. 

  518.         j--;
    519. 

  519.     }
    520. 

  520. }
    521. 

  521. 

  522. void test_specificity(const struct lstr patterns[],
    523. 

  523.     const struct lstr test_names[],
    524. 

  524.     const struct lstr expected_forward[],
    525. 

  525.     const struct lstr expected_backward[])
    526. 

  526. {
    527. 

  527.     struct lstr scratch[ARR_LEN];
    528. 

  528.     unsigned int i;
    529. 

  529. 

  530.     for (i = 0; i < ARR_LEN && !is_sentinel(&patterns[i]); i++)
    531. 

  531.         scratch[i] = patterns[i];
    532. 

  532.     ncat_assert(i < ARR_LEN);
    533. 

  533.     scratch[i] = lstr_sentinel;
    534. 

  534. 

  535.     test(scratch, NULL, test_names, expected_forward);
    536. 

  536.     reverse(scratch);
    537. 

  537.     test(scratch, NULL, test_names, expected_backward);
    538. 

  538. 

  539.     return;
    540. 

  540. }
    541. 

  541. 

  542. int main(void)
    543. 

  543. {
    544. 

  544.     unsigned int i;
    545. 

  545. 

  546.     SSL_library_init();
    547. 

  547.     ERR_load_crypto_strings();
    548. 

  548.     SSL_load_error_strings();
    549. 

  549. 

  550.     /* Test single pattens in both the commonName and dNSName positions. */
    551. 

  551.     for (i = 0; i < NELEMS(single_tests); i++)
    552. 

  552.         test(single_tests[i].name, NULL, test_names, single_tests[i].expected);
    553. 

  553.     for (i = 0; i < NELEMS(single_tests); i++)
    554. 

  554.         test(NULL, single_tests[i].name, test_names, single_tests[i].expected);
    555. 

  555. 

  556.     for (i = 0; i < NELEMS(double_tests); i++) {
    557. 

  557.         test(double_tests[i].common, double_tests[i].dns,
    558. 

  558.             test_names, double_tests[i].expected);
    559. 

  559.     }
    560. 

  560. 

  561.     for (i = 0; i < NELEMS(specificity_tests); i++) {
    562. 

  562.         struct lstr expected_forward[2], expected_backward[2];
    563. 

  563. 

  564.         /* Put the expected names in arrays for the test. */
    565. 

  565.         expected_forward[0] = specificity_tests[i].expected_forward;
    566. 

  566.         expected_forward[1] = lstr_sentinel;
    567. 

  567.         expected_backward[0] = specificity_tests[i].expected_backward;
    568. 

  568.         expected_backward[1] = lstr_sentinel;
    569. 

  569.         test_specificity(specificity_tests[i].patterns,
    570. 

  570.             specificity_test_names, expected_forward, expected_backward);
    571. 

  571.     }
    572. 

  572. 

  573.     printf("%d / %d tests passed.\n", tests_passed, tests_run);
    574. 

  574. 

  575.     return tests_passed == tests_run ? 0 : 1;
    576. 

  576. }
    577. 

  577.