mbedtls_ssl_set_hostname tests: add tests with CA callback
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index cc77c26..afe15df 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -4664,6 +4664,18 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+run_test "Authentication: hostname match, client required, CA callback" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required server_name=localhost debug_level=3 ca_callback=1" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -C "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
run_test "Authentication: hostname mismatch (wrong), client required" \
"$P_SRV" \
"$P_CLI auth_mode=required server_name=wrong-name debug_level=1" \
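Review bot: The new `ca_callback=1` test at the top of this hunk has no `requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK` guard before its `run_test`, so in a build without the trusted-certificate-callback feature the client will reject the unknown option and the case fails instead of being skipped; the two `ca_callback=1` tests in the second hunk have the same gap, since their only guards concern `MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME`. Adding `requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK` immediately before each of the three `run_test` lines would match how other CA-callback cases in this file are written. As far as I can tell from this file's helpers, successive `requires_config_*` lines all apply to the next `run_test`, so the extra line can sit next to the existing guard in the second hunk. Note that the hostname-match test here asserts `-c "use CA callback for X.509 CRT verification"` while the secure-config case in the next hunk asserts `-C` for the same string; that contrast (hostname check failing before the callback is ever reached) is worth a one-line comment above the secure-config test so the intent is not mistaken for a copy-paste slip.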
@@ -4784,6 +4796,34 @@
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
+requires_config_disabled MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+run_test "Authentication: hostname unset, client required, secure config, CA callback" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required set_hostname=no debug_level=3 ca_callback=1" \
+ 1 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -C "Certificate verification without CN verification" \
+ -c "get_hostname_for_verification() returned -" \
+ -C "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned -" \
+ -c "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
+requires_config_enabled MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+run_test "Authentication: hostname unset, client required, historical config, CA callback" \
+ "$P_SRV" \
+ "$P_CLI auth_mode=required set_hostname=no debug_level=3 ca_callback=1" \
+ 0 \
+ -C "does not match with the expected CN" \
+ -c "Certificate verification without having set hostname" \
+ -c "Certificate verification without CN verification" \
+ -C "get_hostname_for_verification() returned -" \
+ -c "use CA callback for X.509 CRT verification" \
+ -C "x509_verify_cert() returned -" \
+ -C "! mbedtls_ssl_handshake returned" \
+ -C "X509 - Certificate verification failed"
+
run_test "Authentication: hostname unset, client optional" \
"$P_SRV" \
"$P_CLI auth_mode=optional set_hostname=no debug_level=2" \