From: Daniel Lenski Date: Mon, 23 Mar 2020 02:01:55 +0000 (-0700) Subject: add additional tests of SSL 3.0 (with extensions, and with cipher suites not in SSL... X-Git-Tag: 3.6.13~7^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f64a95e0ffa2e10b6e1eafcd4e76f934fd785ce7;p=thirdparty%2Fgnutls.git add additional tests of SSL 3.0 (with extensions, and with cipher suites not in SSL 3.0) See #958 Signed-off-by: Daniel Lenski --- diff --git a/src/cli-debug.c b/src/cli-debug.c index 06e47fd55e..ece03a2729 100644 --- a/src/cli-debug.c +++ b/src/cli-debug.c @@ -85,15 +85,20 @@ static const TLS_TEST tls_tests[] = { test_send_record_with_allow_small_records, "yes", "no", "dunno"}, #ifdef ENABLE_SSL3 {"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"}, + {"for SSL 3.0 with extensions", test_ssl3_with_extensions, "yes", "no", "dunno"}, + {"for SSL 3.0 with cipher suites not in SSL 3.0 spec", + test_ssl3_unknown_ciphersuites, "yes", "no", "dunno"}, +#endif /* The following tests will disable TLS 1.x if the server is * buggy */ -#endif {"whether we need to disable TLS 1.2", test_tls_disable2, "no", "yes", "dunno"}, {"whether we need to disable TLS 1.1", test_tls_disable1, "no", "yes", "dunno"}, {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes", "dunno"}, + /* The following test will disable extensions if the server + * is buggy */ {"whether %NO_EXTENSIONS is required", test_no_extensions, "no", "yes", "dunno"}, {"whether %COMPAT is required", test_record_padding, "no", "yes", diff --git a/src/tests.c b/src/tests.c index 1062b3c168..8cc06347c1 100644 --- a/src/tests.c +++ b/src/tests.c 
@@ -624,6 +624,40 @@ test_code_t test_ssl3(gnutls_session_t session)
 return ret;
 }
+test_code_t test_ssl3_with_extensions(gnutls_session_t session)
+{
+ int ret;
+ sprintf(prio_str, INIT_STR
+ SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
+ SSL3_MACS ":" SSL3_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ if (ret == TEST_SUCCEED)
+ ssl3_ok = 1;
+
+ return ret;
+}
+
+test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session)
+{
+ int ret;
+ sprintf(prio_str, INIT_STR
+ ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
+ ALL_MACS ":" ALL_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ if (ret == TEST_SUCCEED)
+ ssl3_ok = 1;
+
+ return ret;
+}
+
 static int alrm = 0;
 static void got_alarm(int k)
 {
diff --git a/src/tests.h b/src/tests.h
index a8326019ca..d9721a70e2 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -36,6 +36,8 @@ test_code_t test_dhe(gnutls_session_t state);
 test_code_t test_rfc7919(gnutls_session_t state);
 test_code_t test_dhe_group(gnutls_session_t state);
 test_code_t test_ssl3(gnutls_session_t state);
+test_code_t test_ssl3_with_extensions(gnutls_session_t state);
+test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t state);
 test_code_t test_aes(gnutls_session_t state);
 test_code_t test_camellia_cbc(gnutls_session_t state);
 test_code_t test_camellia_gcm(gnutls_session_t state);
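Review bot: The `sprintf(prio_str, …)` calls in test_ssl3_with_extensions and test_ssl3_unknown_ciphersuites (src/tests.c) write the assembled priority string into `prio_str` with no bound, and the second one concatenates the ALL_CIPHERS, ALL_MACS and ALL_KX lists plus `rest`. Neither `prio_str` nor `rest` is declared in the hunk, so the available space cannot be checked from here; if `prio_str` is an array, `snprintf(prio_str, sizeof(prio_str), INIT_STR …)` with a check for a return value `>= sizeof(prio_str)` would turn a silent overrun into a reported test failure. Both functions also set `ssl3_ok = 1` on success; if code outside the hunk reads that flag as meaning a plain SSL 3.0 handshake works, a comment such as `/* a variant handshake also counts as SSL 3.0 support */` above the assignment would make that intent explicit.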