summaryrefslogtreecommitdiff
path: root/src/tests.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/tests.c')
-rw-r--r--src/tests.c57
1 files changed, 55 insertions, 2 deletions
diff --git a/src/tests.c b/src/tests.c
index 82474b0995..c7f2662efe 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -128,9 +128,12 @@ char prio_str[768] = "";
#define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS
#define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC"
+#define SSL3_CIPHERS "+ARCFOUR-128:+3DES-CBC"
#define ALL_COMP "+COMP-NULL"
#define ALL_MACS "+MAC-ALL:+MD5:+SHA1" GOST_MACS
+#define SSL3_MACS "+MD5:+SHA1"
#define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" GOST_KX
+#define SSL3_KX "+RSA:+DHE-RSA:+DHE-DSS"
#define INIT_STR "NONE:"
char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST;
@@ -608,6 +611,48 @@ test_code_t test_ssl3(gnutls_session_t session)
{
int ret;
sprintf(prio_str, INIT_STR
+ SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:"
+ SSL3_MACS ":" SSL3_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ if (ret == TEST_SUCCEED)
+ ssl3_ok = 1;
+
+ return ret;
+}
+
+test_code_t test_ssl3_with_extensions(gnutls_session_t session)
+{
+ int ret;
+ sprintf(prio_str, INIT_STR
+ SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
+ SSL3_MACS ":" SSL3_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake(session);
+ if (ssl3_ok != 0 && ret != TEST_SUCCEED) {
+ /* We need to disable extensions before trying TLS 1.0, because
+ * it also may not work with extensions. There are known servers
+ * which partially support both SSL 3.0 and TLS 1.0, but *both*
+ * only with disabled extensions:
+ * https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384
+ */
+ tls_ext_ok = 0;
+ strcat(rest, ":%NO_EXTENSIONS");
+ }
+
+ return ret;
+}
+
+test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session)
+{
+ int ret;
+ sprintf(prio_str, INIT_STR
ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:"
ALL_MACS ":" ALL_KX ":%s", rest);
_gnutls_priority_set_direct(session, prio_str);
@@ -1003,7 +1048,8 @@ test_code_t test_record_padding(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls1_ok = 1;
strcat(rest, ":%COMPAT");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
@@ -1013,6 +1059,12 @@ test_code_t test_no_extensions(gnutls_session_t session)
{
int ret;
+#ifdef ENABLE_SSL3
+ /* If already disabled by test_ssl3_with_extensions */
+ if (ssl3_ok != 0 && tls_ext_ok == 0)
+ return TEST_FAILED;
+#endif
+
sprintf(prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:"
ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
@@ -1034,7 +1086,8 @@ test_code_t test_no_extensions(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls_ext_ok = 0;
strcat(rest, ":%NO_EXTENSIONS");
- }
+ } else
+ ret = TEST_IGNORE2; /* neither succeeded */
}
return ret;
View Lorry Controller Status