authorlloyd <[email protected]>2014-04-10 13:59:30 +0000
committerlloyd <[email protected]>2014-04-10 13:59:30 +0000
commitda2efcb6e07677cc8b0860508efb5d07c4f8171d (patch)
tree8eb8e773a5712a9dab4f7f8e22f667866d0f2ae0
parente67cbc67e4e1bf289aeb28361fa0fa432886b5d7 (diff)
Better TLS checks
-rw-r--r--src/lib/cert/x509/x509path.cpp3
-rw-r--r--src/tests/unit_tls.cpp72
-rw-r--r--src/tests/unit_x509.cpp2
3 files changed, 48 insertions, 29 deletions
diff --git a/src/lib/cert/x509/x509path.cpp b/src/lib/cert/x509/x509path.cpp
index c1b68e72d..e8e44f653 100644
--- a/src/lib/cert/x509/x509path.cpp
+++ b/src/lib/cert/x509/x509path.cpp
@@ -171,7 +171,8 @@ check_chain(const std::vector<X509_Certificate>& cert_path,
if(!crl_p)
{
- status.insert(Certificate_Status_Code::NO_REVOCATION_DATA);
+ if(restrictions.require_revocation_information())
+ status.insert(Certificate_Status_Code::NO_REVOCATION_DATA);
continue;
}
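Review bot: With the new guard, a certificate for which no CRL is found now hits `continue` without recording anything in `status` unless the caller's restrictions demand revocation data, so a validation that never consulted revocation information becomes indistinguishable from one that did. That is presumably the intent of `require_revocation_information()`, but nothing at the guard says so; a comment such as `// Missing CRL is only a failure when the caller requires revocation data; otherwise revocation checking for this cert is skipped silently.` would make the trade-off explicit to the next reader. If the status set has an informational code for this situation, recording it instead of nothing would let callers still see that the cert went unchecked. check_chain's body continues outside the hunk.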
diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp
index af3627217..875fe8a48 100644
--- a/src/tests/unit_tls.cpp
+++ b/src/tests/unit_tls.cpp
@@ -136,33 +136,20 @@ Credentials_Manager* create_creds(RandomNumberGenerator& rng)
return new Credentials_Manager_Test(server_cert, ca_cert, server_key);
}
-
-size_t test_handshake()
+size_t basic_test_handshake(RandomNumberGenerator& rng,
+ TLS::Protocol_Version offer_version,
+ Credentials_Manager& creds,
+ TLS::Policy& policy)
{
- AutoSeeded_RNG rng;
- TLS::Policy default_policy;
-
- std::auto_ptr<Credentials_Manager> creds(create_creds(rng));
-
TLS::Session_Manager_In_Memory server_sessions(rng);
TLS::Session_Manager_In_Memory client_sessions(rng);
std::vector<byte> c2s_q, s2c_q, c2s_data, s2c_data;
- auto handshake_complete = [](const TLS::Session& session) -> bool
+ auto handshake_complete = [&](const TLS::Session& session) -> bool
{
- if(false)
- {
- std::cout << "Handshake complete, " << session.version().to_string()
- << " using " << session.ciphersuite().to_string() << "\n";
-
- if(!session.session_id().empty())
- std::cout << "Session ID " << hex_encode(session.session_id()) << "\n";
-
- if(!session.session_ticket().empty())
- std::cout << "Session ticket " << hex_encode(session.session_ticket()) << "\n";
- }
-
+ if(session.version() != offer_version)
+ std::cout << "Wrong version negotiated\n";
return true;
};
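Review bot: The version check added to `handshake_complete` only prints `Wrong version negotiated` and never reaches the value `basic_test_handshake` returns, so a mismatch is invisible to the `errors` sum in `test_tls`; the same applies to `Bad protocol size` / `Bad protocol values` in the next hunk and `Wrong protocol` in the one after it. Declare a counter near the top of the function, e.g. `size_t errors = 0;`, capture it by reference in the lambdas and bump it next to each message, e.g. `{ std::cout << "Wrong version negotiated\n"; ++errors; }`, and return it where the function currently returns the literal (the `return 0;` visible in the last hunk of this file appears to be that return). basic_test_handshake continues past the end of this hunk.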
@@ -188,9 +175,18 @@ size_t test_handshake()
print_alert,
handshake_complete,
server_sessions,
- *creds,
- default_policy,
- rng);
+ creds,
+ policy,
+ rng,
+ { "test/1", "test/2" });
+
+ auto next_protocol_chooser = [&](std::vector<std::string> protos) {
+ if(protos.size() != 2)
+ std::cout << "Bad protocol size\n";
+ if(protos[0] != "test/1" || protos[1] != "test/2")
+ std::cout << "Bad protocol values\n";
+ return "test/3";
+ };
TLS::Client client([&](const byte buf[], size_t sz)
{ c2s_q.insert(c2s_q.end(), buf, buf+sz); },
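Review bot: `next_protocol_chooser` indexes `protos[0]` and `protos[1]` even when the preceding size check has failed, so a list with fewer than two entries reads past the end of the vector instead of just printing `Bad protocol size`. Chain the second check on the first: `if(protos.size() != 2)` / `std::cout << "Bad protocol size\n";` / `else if(protos[0] != "test/1" || protos[1] != "test/2")`. Taking `protos` as `const std::vector<std::string>&` would also avoid copying the list on every call, if the callback type the client constructor expects permits it.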
@@ -198,16 +194,23 @@ size_t test_handshake()
print_alert,
handshake_complete,
client_sessions,
- *creds,
- default_policy,
- rng);
+ creds,
+ policy,
+ rng,
+ TLS::Server_Information(),
+ offer_version,
+ next_protocol_chooser);
while(true)
{
if(client.is_active())
client.send("1");
if(server.is_active())
+ {
+ if(server.next_protocol() != "test/3")
+ std::cout << "Wrong protocol " << server.next_protocol() << "\n";
server.send("2");
+ }
/*
* Use this as a temp value to hold the queues as otherwise they
@@ -265,13 +268,28 @@ size_t test_handshake()
return 0;
}
+class Test_Policy : public TLS::Policy
+ {
+ public:
+ bool acceptable_protocol_version(TLS::Protocol_Version) const { return true; }
+ };
+
}
size_t test_tls()
{
size_t errors = 0;
- errors += test_handshake();
+ Test_Policy default_policy;
+ AutoSeeded_RNG rng;
+ std::auto_ptr<Credentials_Manager> basic_creds(create_creds(rng));
+
+ errors += basic_test_handshake(rng, TLS::Protocol_Version::SSL_V3, *basic_creds, default_policy);
+ errors += basic_test_handshake(rng, TLS::Protocol_Version::TLS_V10, *basic_creds, default_policy);
+ errors += basic_test_handshake(rng, TLS::Protocol_Version::TLS_V11, *basic_creds, default_policy);
+ errors += basic_test_handshake(rng, TLS::Protocol_Version::TLS_V12, *basic_creds, default_policy);
+
+ test_report("TLS", 4, errors);
return errors;
}
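Review bot: `Test_Policy::acceptable_protocol_version` overrides a virtual without `override`, and it widens the policy to accept every version including `SSL_V3`, which the four calls in `test_tls` depend on; a reader of the class alone cannot tell that this is deliberate. Write it as `bool acceptable_protocol_version(TLS::Protocol_Version) const override { return true; }` with a comment like `// Test-only policy: accept every version so each handshake below can be driven with an explicit offer_version`. `std::auto_ptr` in `test_tls` is deprecated in C++11 while this file already uses lambdas and `auto`; `std::unique_ptr<Credentials_Manager> basic_creds(create_creds(rng));` is a drop-in. The literal `4` in `test_report("TLS", 4, errors)` has to be kept in step with the number of calls by hand, so a short comment or a counted loop over the versions would guard against the two drifting apart.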
diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp
index a6d6f98de..dd681c894 100644
--- a/src/tests/unit_x509.cpp
+++ b/src/tests/unit_x509.cpp
@@ -182,7 +182,7 @@ size_t test_x509()
store.add_certificate(ca_cert);
- Path_Validation_Restrictions restrictions;
+ Path_Validation_Restrictions restrictions(false);
Path_Validation_Result result_u1 = x509_path_validate(user1_cert, restrictions, store);
if(!result_u1.successful_validation())