From: Nikos Mavrogiannopoulos Date: Tue, 4 Nov 2014 12:44:55 +0000 (+0100) Subject: gnutls-cli-debug: Added tests for EtM and extended master secret support X-Git-Tag: gnutls_3_4_0~694 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7716aff4a3d08065e806c8e2304f183a2b273c23;p=thirdparty%2Fgnutls.git gnutls-cli-debug: Added tests for EtM and extended master secret support In addition reworked the output for existing tests. --- diff --git a/src/cli-debug.c b/src/cli-debug.c index 9a360d94e9..95e6b1dd22 100644 --- a/src/cli-debug.c +++ b/src/cli-debug.c @@ -80,17 +80,17 @@ typedef struct { } TLS_TEST; static const TLS_TEST tls_tests[] = { - {"for SSL 3.0 support", test_ssl3, "yes", "no", "dunno"}, + {"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"}, {"whether \%COMPAT is required", test_record_padding, "no", "yes", "dunno"}, - {"for TLS 1.0 support", test_tls1, "yes", "no", "dunno"}, - {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"}, + {"for TLS 1.0 (RFC2246) support", test_tls1, "yes", "no", "dunno"}, + {"for TLS 1.1 (RFC4346) support", test_tls1_1, "yes", "no", "dunno"}, {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed", "SSL 3.0"}, - {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"}, + {"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"}, {"fallback from TLS 1.6 to", test_tls1_6_fallback, NULL, - "failed", "dunno"}, + "failed (server requires fallback dance)", "dunno"}, /* The following tests will disable TLS 1.x if the server is * buggy */ {"whether we need to disable TLS 1.2", test_tls_disable2, "no", @@ -102,12 +102,14 @@ static const TLS_TEST tls_tests[] = { {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes", "dunno"}, - {"for Safe renegotiation support", test_safe_renegotiation, "yes", + {"for Safe renegotiation (RFC5746) support", test_safe_renegotiation, "yes", "no", "dunno"}, {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv, "yes", "no", "dunno"}, + {"encrypt-then-MAC (RFC7366) support", test_etm, "yes", "no", "dunno"}, + {"extended master secret (draft-ietf-tls-session-hash) support", test_ext_master_secret, "yes", "no", "dunno"}, {"for HTTPS server name", test_server, "", "failed", "not checked"}, {"for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes", @@ -118,20 +120,19 @@ static const TLS_TEST tls_tests[] = { {"whether the server ignores the RSA PMS version", test_rsa_pms_version_check, "yes", "no", "dunno"}, - {"whether the server can accept Hello Extensions", + {"whether Hello Extensions are accepted", test_hello_extension, "yes", "no", "dunno"}, - {"whether the server can accept HeartBeat Extension", + {"whether the HeartBeat Extension is accepted", test_heartbeat_extension, "yes", "no", "dunno"}, - {"whether the server can accept small records (512 bytes)", + {"whether small records (512 bytes) are accepted", test_small_records, "yes", "no", "dunno"}, - {"whether the server can accept cipher suites not in SSL 3.0 spec", + {"whether cipher suites not in SSL 3.0 spec are accepted", test_unknown_ciphersuites, "yes", "no", "dunno"}, - {"whether the server can accept a bogus TLS record version in the client hello", test_version_oob, "yes", "no", "dunno"}, + {"whether a bogus TLS record version in the client hello is accepted", test_version_oob, "yes", "no", "dunno"}, {"for certificate information", test_certificate, "", "", ""}, {"for trusted CAs", test_server_cas, "", "", ""}, {"whether the server understands TLS closure alerts", test_bye, - "yes", - "no", "partially"}, + "yes", "no", "partially"}, /* the fact that is after the closure alert test does matter. */ {"whether the server supports session resumption", @@ -150,19 +151,19 @@ static const TLS_TEST tls_tests[] = { {"for ephemeral EC Diffie-Hellman support", test_ecdhe, "yes", "no", "dunno"}, - {"ephemeral EC Diffie-Hellman group info", test_ecdhe_curve, "", + {"ephemeral EC Diffie-Hellman group info", test_ecdhe_curve, NULL, "N/A", "N/A"}, - {"for AES-128-GCM cipher support", test_aes_gcm, "yes", "no", + {"for AES-128-GCM cipher (RFC5288) support", test_aes_gcm, "yes", "no", "dunno"}, - {"for AES-128-CBC cipher support", test_aes, "yes", "no", + {"for AES-128-CBC cipher (RFC3268) support", test_aes, "yes", "no", "dunno"}, - {"for CAMELLIA-128-GCM cipher support", test_camellia_gcm, "yes", "no", + {"for CAMELLIA-128-GCM (RFC6367) cipher support", test_camellia_gcm, "yes", "no", "dunno"}, - {"for CAMELLIA-128-CBC cipher support", test_camellia_cbc, "yes", "no", + {"for CAMELLIA-128-CBC (RFC5932) cipher support", test_camellia_cbc, "yes", "no", "dunno"}, - {"for 3DES-CBC cipher support", test_3des, "yes", "no", "dunno"}, - {"for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", + {"for 3DES-CBC cipher (RFC2246) support", test_3des, "yes", "no", "dunno"}, + {"for ARCFOUR 128 cipher (RFC2246) support", test_arcfour, "yes", "no", "dunno"}, {"for MD5 MAC support", test_md5, "yes", "no", "dunno"}, {"for SHA1 MAC support", test_sha, "yes", "no", "dunno"}, @@ -171,9 +172,9 @@ static const TLS_TEST tls_tests[] = { {"for ZLIB compression support", test_zlib, "yes", "no", "dunno"}, #endif - {"for max record size", test_max_record_size, "yes", + {"for max record size (RFC6066) support", test_max_record_size, "yes", "no", "dunno"}, - {"for OpenPGP authentication support", test_openpgp1, + {"for OpenPGP authentication (RFC6091) support", test_openpgp1, "yes", "no", "dunno"}, {NULL, NULL, NULL, NULL, NULL} }; @@ -242,6 +243,8 @@ int main(int argc, char **argv) i = 0; + printf("GnuTLS debug client %s\n", gnutls_check_version(NULL)); + printf("Checking %s:%s\n", hostname, portname); do { if (tls_tests[i].test_name == NULL) @@ -269,11 +272,14 @@ int main(int argc, char **argv) hostname, strlen(hostname)); do { - printf("Checking %s...", tls_tests[i].test_name); - fflush(stdout); ret = tls_tests[i].func(state); + if (ret != TEST_IGNORE) { + printf("%58s...", tls_tests[i].test_name); + fflush(stdout); + } + if (ret == TEST_SUCCEED) { if (tls_tests[i].suc_str == NULL) printf(" %s\n", ext_text); @@ -284,7 +290,6 @@ int main(int argc, char **argv) else if (ret == TEST_UNSURE) printf(" %s\n", tls_tests[i].unsure_str); else if (ret == TEST_IGNORE) { - printf(" N/A\n"); i++; } } diff --git a/src/tests.c b/src/tests.c index 06612f8dee..50a24aaa76 100644 --- a/src/tests.c +++ b/src/tests.c @@ -143,7 +143,7 @@ test_code_t test_server(gnutls_session_t session) const char snd_buf[] = "GET / HTTP/1.0\r\n\r\n"; if (verbose == 0) - return TEST_UNSURE; + return TEST_IGNORE; buf[sizeof(buf) - 1] = 0; @@ -238,6 +238,50 @@ test_code_t test_safe_renegotiation(gnutls_session_t session) return ret; } +test_code_t test_etm(gnutls_session_t session) +{ + int ret; + + sprintf(prio_str, INIT_STR + ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS + ":" ALL_KX, protocol_str); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + + if (ret < 0) + return TEST_FAILED; + + if (gnutls_session_etm_status(session) != 0) + return TEST_SUCCEED; + + return TEST_FAILED; +} + +test_code_t test_ext_master_secret(gnutls_session_t session) +{ + int ret; + + sprintf(prio_str, INIT_STR + ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS + ":" ALL_KX, protocol_str); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake(session); + + if (ret < 0) + return TEST_FAILED; + + if (gnutls_session_ext_master_secret_status(session) != 0) + return TEST_SUCCEED; + + return TEST_FAILED; +} + test_code_t test_safe_renegotiation_scsv(gnutls_session_t session) { int ret; @@ -306,8 +350,7 @@ test_code_t test_ecdhe_curve(gnutls_session_t session) if (curve == GNUTLS_ECC_CURVE_INVALID) return TEST_IGNORE; - printf("\n Curve %s", gnutls_ecc_curve_get_name(curve)); - + ext_text = gnutls_ecc_curve_get_name(curve); return TEST_SUCCEED; } diff --git a/src/tests.h b/src/tests.h index 2ecf8bfc81..34dd7d7c7c 100644 --- a/src/tests.h +++ b/src/tests.h @@ -39,6 +39,8 @@ test_code_t test_3des(gnutls_session_t state); test_code_t test_arcfour(gnutls_session_t state); test_code_t test_tls1(gnutls_session_t state); test_code_t test_safe_renegotiation(gnutls_session_t state); +test_code_t test_ext_master_secret(gnutls_session_t state); +test_code_t test_etm(gnutls_session_t state); test_code_t test_safe_renegotiation_scsv(gnutls_session_t state); test_code_t test_tls1_1(gnutls_session_t state); test_code_t test_tls1_2(gnutls_session_t state);