]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Added more tests to check whether various TLS versions need to be disabled.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 11 Feb 2012 10:07:25 +0000 (11:07 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sat, 11 Feb 2012 10:07:25 +0000 (11:07 +0100)
src/tests.c
src/tests.h
src/tls_test.c

index 0a327fe75b70202f75de1c2a9ee4b351304168f5..a3c5383676067729e06fc4527a8bf30aa60ddab0 100644 (file)
@@ -103,7 +103,7 @@ do_handshake (gnutls_session_t session)
   return TEST_SUCCEED;
 }
 
-char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0";
+char protocol_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
 char protocol_all_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0";
 char prio_str[512] = "";
 
@@ -782,7 +782,7 @@ test_tls1_1_fallback (gnutls_session_t session)
  * but the previous SSL 3.0 test succeeded then disable TLS 1.0.
  */
 test_code_t
-test_tls_disable (gnutls_session_t session)
+test_tls_disable0 (gnutls_session_t session)
 {
   int ret;
   if (tls1_ok != 0)
@@ -808,6 +808,84 @@ test_tls_disable (gnutls_session_t session)
 
 }
 
+test_code_t
+test_tls_disable1 (gnutls_session_t session)
+{
+  int ret;
+
+  if (tls1_1_ok != 0)
+    return TEST_IGNORE;
+
+  sprintf (prio_str,
+           INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS
+           ":" ALL_KX ":%s", protocol_str, rest);
+  _gnutls_priority_set_direct (session, prio_str);
+
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+  ret = do_handshake (session);
+  if (ret == TEST_FAILED)
+    {
+      protocol_str[0] = 0;
+      /* disable TLS 1.1 */
+      if (tls1_ok != 0)
+        {
+          strcat (protocol_str, "+VERS-TLS1.0");
+        }
+      if (ssl3_ok != 0)
+        {
+          if (protocol_str[0] != 0)
+            strcat (protocol_str, ":+VERS-SSL3.0");
+          else
+            strcat (protocol_str, "+VERS-SSL3.0");
+        }
+    }
+  return ret;
+}
+
+test_code_t
+test_tls_disable2 (gnutls_session_t session)
+{
+  int ret;
+
+  if (tls1_2_ok != 0)
+    return TEST_IGNORE;
+
+  sprintf (prio_str,
+           INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS
+           ":" ALL_KX ":%s", protocol_str, rest);
+  _gnutls_priority_set_direct (session, prio_str);
+
+  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+  ret = do_handshake (session);
+  if (ret == TEST_FAILED)
+    {
+      /* disable TLS 1.2 */
+      protocol_str[0] = 0;
+      if (tls1_1_ok != 0)
+        {
+          strcat (protocol_str, "+VERS-TLS1.1");
+        }
+      if (tls1_ok != 0)
+        {
+          if (protocol_str[0] != 0)
+            strcat (protocol_str, ":+VERS-TLS1.0");
+          else
+            strcat (protocol_str, "+VERS-TLS1.0");
+        }
+      if (ssl3_ok != 0)
+        {
+          if (protocol_str[0] != 0)
+            strcat (protocol_str, ":+VERS-SSL3.0");
+          else
+            strcat (protocol_str, "+VERS-SSL3.0");
+        }
+    }
+  return ret;
+}
+
+
 test_code_t
 test_rsa_pms (gnutls_session_t session)
 {
index 60703e8c6c588e0e252ae075881ce51bdea61f9e..53dda0c49f6cb7a4c334c5e23ee142a6a727a05a 100644 (file)
@@ -45,7 +45,9 @@ test_code_t test_safe_renegotiation_scsv (gnutls_session_t state);
 test_code_t test_tls1_1 (gnutls_session_t state);
 test_code_t test_tls1_2 (gnutls_session_t state);
 test_code_t test_tls1_1_fallback (gnutls_session_t state);
-test_code_t test_tls_disable (gnutls_session_t state);
+test_code_t test_tls_disable0 (gnutls_session_t state);
+test_code_t test_tls_disable1 (gnutls_session_t state);
+test_code_t test_tls_disable2 (gnutls_session_t state);
 test_code_t test_rsa_pms (gnutls_session_t state);
 test_code_t test_max_record_size (gnutls_session_t state);
 test_code_t test_version_rollback (gnutls_session_t state);
index 2ba714ded1efb0f77da9c59373c91efa6abaad8f..46a17181b603245524cea013fcf41f0b95d5ca85 100644 (file)
@@ -91,9 +91,13 @@ static const TLS_TEST tls_tests[] = {
   {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed",
    "SSL 3.0"},
   {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"},
-  /* this test will disable TLS 1.0 if the server is
+  /* The following tests will disable TLS 1.x if the server is
    * buggy */
-  {"whether we need to disable TLS 1.0", test_tls_disable, "no", "yes",
+  {"whether we need to disable TLS 1.2", test_tls_disable2, "no", "yes",
+   "dunno"},
+  {"whether we need to disable TLS 1.1", test_tls_disable1, "no", "yes",
+   "dunno"},
+  {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes",
    "dunno"},
   {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no",
    "dunno"},
@@ -277,6 +281,7 @@ main (int argc, char **argv)
       do
         {
           printf ("Checking %s...", tls_tests[i].test_name);
+          fflush(stdout);
 
           ret = tls_tests[i].func (state);