gnutls-cli-debug: added check for inappropriate fallback support
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 28 Aug 2015 10:05:02 +0000 (12:05 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 28 Aug 2015 10:05:02 +0000 (12:05 +0200)
src/cli-debug.c
src/tests.c
src/tests.h

index 90d1b2a112592dbe39355cf5163618c433babace..c9eb4a2c362bf181be5bb6da434b6e39274893e0 100644 (file)
@@ -103,6 +103,7 @@ static const TLS_TEST tls_tests[] = {
        {"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"},
        {"fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
         "failed (server requires fallback dance)", "dunno"},
+       {"for RFC7507 inappropriate fallback", test_rfc7507, "yes", "no", "dunno"},
        {"for HTTPS server name", test_server, NULL, "failed", "not checked", 1},
        {"for certificate information", test_certificate, NULL, "", ""},
        {"for certificate chain order", test_chain_order, "sorted", "unsorted", "unknown"},
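Review bot: The label on the new `tls_tests` entry, "for RFC7507 inappropriate fallback", reads ambiguously next to a "yes" result, since it can be taken to mean the server allows an inappropriate fallback rather than rejects it. The neighbouring entries say what is being confirmed ("for TLS 1.2 (RFC5246) support"), so I would word this one the same way: `{"for inappropriate fallback (RFC7507) support", test_rfc7507, "yes", "no", "dunno"},`. An operator reading the report can then see that "yes" is the good outcome.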
index 3848e7332f96d071263258d1e1ccf0c29f1727ce..bc40b8da4768d84b598598fdb30f9f676a56d847 100644 (file)
@@ -229,6 +229,37 @@ test_code_t test_ecdhe(gnutls_session_t session)
        return ret;
 }
 
+test_code_t test_rfc7507(gnutls_session_t session)
+{
+       int ret;
+       const char *pstr = NULL;
+
+       if (tls1_2_ok && tls1_1_ok)
+               pstr = "-VERS-TLS-ALL:+VERS-TLS1.1:%FALLBACK_SCSV";
+       else if (tls1_1_ok && tls1_ok)
+               pstr = "-VERS-TLS-ALL:+VERS-TLS1.0:%FALLBACK_SCSV";
+       else if (tls1_ok && ssl3_ok)
+               pstr = "-VERS-TLS-ALL:+VERS-SSL3:%FALLBACK_SCSV";
+       else
+               return TEST_IGNORE;
+
+       sprintf(prio_str, INIT_STR
+               ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
+               ":"ALL_KX":%s", pstr, rest);
+       _gnutls_priority_set_direct(session, prio_str);
+
+       gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+       ret = do_handshake(session);
+       if (ret < 0)
+               return TEST_IGNORE;
+
+       if (handshake_output < 0)
+               return TEST_SUCCEED;
+
+       return TEST_FAILED;
+}
+
 
 test_code_t test_safe_renegotiation(gnutls_session_t session)
 {
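Review bot: test_rfc7507 returns TEST_SUCCEED for any negative `handshake_output`, so a handshake that fails for an unrelated reason (a dropped connection, a parameter the server rejects) is reported as "yes" for RFC 7507 support. For a scanner that is a false assurance, so the success branch should require the specific alert: `if (handshake_output == GNUTLS_E_FATAL_ALERT_RECEIVED && gnutls_alert_get(session) == GNUTLS_A_INAPPROPRIATE_FALLBACK) return TEST_SUCCEED;`. Other failures are better mapped to the table's "dunno" outcome than to "yes". The earlier `if (ret < 0)` check looks unreachable if do_handshake returns a test_code_t value; its definition is outside this hunk, so that is worth confirming.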
index 6631d698686d35c7a2e278e370ace96a18fd6196..35d642dc64e7373ef5c923a2c04b9d4365efbf06 100644 (file)
@@ -28,6 +28,7 @@ test_code_t test_record_padding(gnutls_session_t state);
 test_code_t test_no_extensions(gnutls_session_t state);
 test_code_t test_heartbeat_extension(gnutls_session_t state);
 test_code_t test_small_records(gnutls_session_t state);
+test_code_t test_rfc7507(gnutls_session_t state);
 test_code_t test_dhe(gnutls_session_t state);
 test_code_t test_dhe_group(gnutls_session_t state);
 test_code_t test_ssl3(gnutls_session_t state);