From: Nikos Mavrogiannopoulos Date: Sat, 11 Feb 2012 10:07:25 +0000 (+0100) Subject: Added more tests to check whether various TLS versions need to be disabled. X-Git-Tag: gnutls_3_0_13~58 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2564518939e7982926302da42b8e9973fa6f2d3;p=thirdparty%2Fgnutls.git Added more tests to check whether various TLS versions need to be disabled. --- diff --git a/src/tests.c b/src/tests.c index 0a327fe75b..a3c5383676 100644 --- a/src/tests.c +++ b/src/tests.c @@ -103,7 +103,7 @@ do_handshake (gnutls_session_t session) return TEST_SUCCEED; } -char protocol_str[] = "+VERS-TLS1.0:+VERS-SSL3.0"; +char protocol_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"; char protocol_all_str[] = "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0"; char prio_str[512] = ""; @@ -782,7 +782,7 @@ test_tls1_1_fallback (gnutls_session_t session) * but the previous SSL 3.0 test succeeded then disable TLS 1.0. */ test_code_t -test_tls_disable (gnutls_session_t session) +test_tls_disable0 (gnutls_session_t session) { int ret; if (tls1_ok != 0) @@ -808,6 +808,84 @@ test_tls_disable (gnutls_session_t session) } +test_code_t +test_tls_disable1 (gnutls_session_t session) +{ + int ret; + + if (tls1_1_ok != 0) + return TEST_IGNORE; + + sprintf (prio_str, + INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS + ":" ALL_KX ":%s", protocol_str, rest); + _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); + if (ret == TEST_FAILED) + { + protocol_str[0] = 0; + /* disable TLS 1.1 */ + if (tls1_ok != 0) + { + strcat (protocol_str, "+VERS-TLS1.0"); + } + if (ssl3_ok != 0) + { + if (protocol_str[0] != 0) + strcat (protocol_str, ":+VERS-SSL3.0"); + else + strcat (protocol_str, "+VERS-SSL3.0"); + } + } + return ret; +} + +test_code_t +test_tls_disable2 (gnutls_session_t session) +{ + int ret; + + if (tls1_2_ok != 0) + return TEST_IGNORE; + + sprintf (prio_str, + INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS + ":" ALL_KX ":%s", protocol_str, rest); + _gnutls_priority_set_direct (session, prio_str); + + gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = do_handshake (session); + if (ret == TEST_FAILED) + { + /* disable TLS 1.2 */ + protocol_str[0] = 0; + if (tls1_1_ok != 0) + { + strcat (protocol_str, "+VERS-TLS1.1"); + } + if (tls1_ok != 0) + { + if (protocol_str[0] != 0) + strcat (protocol_str, ":+VERS-TLS1.0"); + else + strcat (protocol_str, "+VERS-TLS1.0"); + } + if (ssl3_ok != 0) + { + if (protocol_str[0] != 0) + strcat (protocol_str, ":+VERS-SSL3.0"); + else + strcat (protocol_str, "+VERS-SSL3.0"); + } + } + return ret; +} + + test_code_t test_rsa_pms (gnutls_session_t session) { diff --git a/src/tests.h b/src/tests.h index 60703e8c6c..53dda0c49f 100644 --- a/src/tests.h +++ b/src/tests.h @@ -45,7 +45,9 @@ test_code_t test_safe_renegotiation_scsv (gnutls_session_t state); test_code_t test_tls1_1 (gnutls_session_t state); test_code_t test_tls1_2 (gnutls_session_t state); test_code_t test_tls1_1_fallback (gnutls_session_t state); -test_code_t test_tls_disable (gnutls_session_t state); +test_code_t test_tls_disable0 (gnutls_session_t state); +test_code_t test_tls_disable1 (gnutls_session_t state); +test_code_t test_tls_disable2 (gnutls_session_t state); test_code_t test_rsa_pms (gnutls_session_t state); test_code_t test_max_record_size (gnutls_session_t state); test_code_t test_version_rollback (gnutls_session_t state); diff --git a/src/tls_test.c b/src/tls_test.c index 2ba714ded1..46a17181b6 100644 --- a/src/tls_test.c +++ b/src/tls_test.c @@ -91,9 +91,13 @@ static const TLS_TEST tls_tests[] = { {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed", "SSL 3.0"}, {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"}, - /* this test will disable TLS 1.0 if the server is + /* The following tests will disable TLS 1.x if the server is * buggy */ - {"whether we need to disable TLS 1.0", test_tls_disable, "no", "yes", + {"whether we need to disable TLS 1.2", test_tls_disable2, "no", "yes", + "dunno"}, + {"whether we need to disable TLS 1.1", test_tls_disable1, "no", "yes", + "dunno"}, + {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes", "dunno"}, {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no", "dunno"}, @@ -277,6 +281,7 @@ main (int argc, char **argv) do { printf ("Checking %s...", tls_tests[i].test_name); + fflush(stdout); ret = tls_tests[i].func (state);