author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-08-28 12:05:02 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-08-28 12:05:02 +0200 |
commit | 501fe50af37262148ed97c6cc801c9aa3cd40d81 (patch) | |
tree | 643ac84b6b05f52c108af983cf817d8da9a1ca24 /src | |
parent | 4b6003734006fd7e63812ba03eeefbb1525dc060 (diff) | |
download | gnutls-501fe50af37262148ed97c6cc801c9aa3cd40d81.tar.gz |
gnutls-cli-debug: added check for inappropriate fallback support
Diffstat (limited to 'src')
-rw-r--r-- | src/cli-debug.c | 1 | ||||
-rw-r--r-- | src/tests.c | 31 | ||||
-rw-r--r-- | src/tests.h | 1 |
3 files changed, 33 insertions, 0 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c
index 90d1b2a112..c9eb4a2c36 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -103,6 +103,7 @@ static const TLS_TEST tls_tests[] = {
 {"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"},
 {"fallback from TLS 1.6 to", test_tls1_6_fallback, NULL, "failed (server requires fallback dance)", "dunno"},
+ {"for RFC7507 inappropriate fallback", test_rfc7507, "yes", "no", "dunno"},
 {"for HTTPS server name", test_server, NULL, "failed", "not checked", 1},
 {"for certificate information", test_certificate, NULL, "", ""},
 {"for certificate chain order", test_chain_order, "sorted", "unsorted", "unknown"},
diff --git a/src/tests.c b/src/tests.c
index 3848e7332f..bc40b8da47 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -229,6 +229,37 @@ test_code_t test_ecdhe(gnutls_session_t session)
 return ret;
 }
+test_code_t test_rfc7507(gnutls_session_t session)
+{
+ int ret;
+ const char *pstr = NULL;
+
+ if (tls1_2_ok && tls1_1_ok)
+ pstr = "-VERS-TLS-ALL:+VERS-TLS1.1:%FALLBACK_SCSV";
+ else if (tls1_1_ok && tls1_ok)
+ pstr = "-VERS-TLS-ALL:+VERS-TLS1.0:%FALLBACK_SCSV";
+ else if (tls1_ok && ssl3_ok)
+ pstr = "-VERS-TLS-ALL:+VERS-SSL3:%FALLBACK_SCSV";
+ else
+ return TEST_IGNORE;
+
+ sprintf(prio_str, INIT_STR
+ ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
+ ":"ALL_KX":%s", pstr, rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake(session);
+ if (ret < 0)
+ return TEST_IGNORE;
+
+ if (handshake_output < 0)
+ return TEST_SUCCEED;
+
+ return TEST_FAILED;
+}
+
 test_code_t test_safe_renegotiation(gnutls_session_t session)
 {
diff --git a/src/tests.h b/src/tests.h
index 6631d69868..35d642dc64 100644
--- a/src/tests.h
+++ b/src/tests.h
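Review bot: The new row's label `for RFC7507 inappropriate fallback` paired with the answers `yes`/`no` reads ambiguously, since `yes` could be taken to mean the server accepts an inappropriate fallback, whereas test_rfc7507 reports success when the handshake is refused. A label such as `for RFC7507 inappropriate fallback detection` would make a `yes` unambiguous. The row also has to stay after the version probes, because test_rfc7507 reads `tls1_2_ok`, `tls1_1_ok`, `tls1_ok` and `ssl3_ok`; only the test_tls1_2 row is visible here (the tls_tests array starts and ends outside the hunk), so a short comment above the row such as `/* must run after the SSL3/TLS1.x version tests */` would protect the ordering.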
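Review bot: The success condition `if (handshake_output < 0) return TEST_SUCCEED;` in test_rfc7507 treats any handshake failure as proof of RFC 7507 support, so a server that drops the connection or rejects the pinned lower version for an unrelated reason is reported as protected against downgrade. Tightening it to the specific alert avoids that false assurance: `if (handshake_output == GNUTLS_E_FATAL_ALERT_RECEIVED && gnutls_alert_get(session) == GNUTLS_A_INAPPROPRIATE_FALLBACK) return TEST_SUCCEED;`, with other failures mapped to TEST_IGNORE. The preceding `if (ret < 0)` check may never fire if do_handshake returns test_code_t values; it is defined outside this hunk and worth confirming. Separately, `sprintf(prio_str, ...)` appends `rest` without a bound; if `prio_str` is a fixed-size array (its declaration is outside the hunk), `snprintf(prio_str, sizeof(prio_str), ...)` is the safer form.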
@@ -28,6 +28,7 @@ test_code_t test_record_padding(gnutls_session_t state);
 test_code_t test_no_extensions(gnutls_session_t state);
 test_code_t test_heartbeat_extension(gnutls_session_t state);
 test_code_t test_small_records(gnutls_session_t state);
+test_code_t test_rfc7507(gnutls_session_t state);
 test_code_t test_dhe(gnutls_session_t state);
 test_code_t test_dhe_group(gnutls_session_t state);
 test_code_t test_ssl3(gnutls_session_t state); |