diff options
Diffstat (limited to 'src/tests.c')
-rw-r--r-- | src/tests.c | 57 |
1 files changed, 55 insertions, 2 deletions
diff --git a/src/tests.c b/src/tests.c index 82474b0995..c7f2662efe 100644 --- a/src/tests.c +++ b/src/tests.c @@ -128,9 +128,12 @@ char prio_str[768] = ""; #define ALL_CIPHERS "+CIPHER-ALL:+ARCFOUR-128:+3DES-CBC" GOST_CIPHERS #define BLOCK_CIPHERS "+3DES-CBC:+AES-128-CBC:+CAMELLIA-128-CBC:+AES-256-CBC:+CAMELLIA-256-CBC" +#define SSL3_CIPHERS "+ARCFOUR-128:+3DES-CBC" #define ALL_COMP "+COMP-NULL" #define ALL_MACS "+MAC-ALL:+MD5:+SHA1" GOST_MACS +#define SSL3_MACS "+MD5:+SHA1" #define ALL_KX "+RSA:+DHE-RSA:+DHE-DSS:+ANON-DH:+ECDHE-RSA:+ECDHE-ECDSA:+ANON-ECDH" GOST_KX +#define SSL3_KX "+RSA:+DHE-RSA:+DHE-DSS" #define INIT_STR "NONE:" char rest[384] = "%UNSAFE_RENEGOTIATION:+SIGN-ALL:+GROUP-ALL" GOST_REST; @@ -608,6 +611,48 @@ test_code_t test_ssl3(gnutls_session_t session) { int ret; sprintf(prio_str, INIT_STR + SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:%%NO_EXTENSIONS:" + SSL3_MACS ":" SSL3_KX ":%s", rest); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + if (ret == TEST_SUCCEED) + ssl3_ok = 1; + + return ret; +} + +test_code_t test_ssl3_with_extensions(gnutls_session_t session) +{ + int ret; + sprintf(prio_str, INIT_STR + SSL3_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:" + SSL3_MACS ":" SSL3_KX ":%s", rest); + _gnutls_priority_set_direct(session, prio_str); + + gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + + ret = test_do_handshake(session); + if (ssl3_ok != 0 && ret != TEST_SUCCEED) { + /* We need to disable extensions before trying TLS 1.0, because + * it also may not work with extensions. There are known servers + * which partially support both SSL 3.0 and TLS 1.0, but *both* + * only with disabled extensions: + * https://gitlab.com/gnutls/gnutls/-/issues/958#note_309267384 + */ + tls_ext_ok = 0; + strcat(rest, ":%NO_EXTENSIONS"); + } + + return ret; +} + +test_code_t test_ssl3_unknown_ciphersuites(gnutls_session_t session) +{ + int ret; + sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":+VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%s", rest); _gnutls_priority_set_direct(session, prio_str); @@ -1003,7 +1048,8 @@ test_code_t test_record_padding(gnutls_session_t session) if (ret == TEST_SUCCEED) { tls1_ok = 1; strcat(rest, ":%COMPAT"); - } + } else + ret = TEST_IGNORE2; /* neither succeeded */ } return ret; @@ -1013,6 +1059,12 @@ test_code_t test_no_extensions(gnutls_session_t session) { int ret; +#ifdef ENABLE_SSL3 + /* If already disabled by test_ssl3_with_extensions */ + if (ssl3_ok != 0 && tls_ext_ok == 0) + return TEST_FAILED; +#endif + sprintf(prio_str, INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS ":" ALL_KX ":%s", protocol_str, rest); @@ -1034,7 +1086,8 @@ test_code_t test_no_extensions(gnutls_session_t session) if (ret == TEST_SUCCEED) { tls_ext_ok = 0; strcat(rest, ":%NO_EXTENSIONS"); - } + } else + ret = TEST_IGNORE2; /* neither succeeded */ } return ret; |