From 0697185611074c23057f83cbef3283f2cc9adfd4 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Thu, 12 Jul 2018 09:17:11 +0200
Subject: gnutls-cli-debug: detect TLS1.3 support

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 src/cli-debug.c | 12 +++++++-----
 src/tests.c     | 45 ++++++++++++++++++++++++++++++++++++++++++---
 src/tests.h     |  1 +
 3 files changed, 50 insertions(+), 8 deletions(-)

diff --git a/src/cli-debug.c b/src/cli-debug.c
index 899edd4938..ba54526688 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -62,6 +62,7 @@ unsigned int verbose = 0;
 extern int tls1_ok;
 extern int tls1_1_ok;
 extern int tls1_2_ok;
+extern int tls1_3_ok;
 extern int ssl3_ok;
 extern const char *ext_text;
 
@@ -102,7 +103,8 @@ static const TLS_TEST tls_tests[] = {
 	 "failed",
 	 "SSL 3.0"},
 	{"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"},
-	{"fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
+	{"for TLS 1.3 (draft-ietf-tls-tls13-28) support", test_tls1_3, "yes", "no", "dunno"},
+	{"TLS1.2 neg fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
 	 "failed (server requires fallback dance)", "dunno"},
 	{"for inappropriate fallback (RFC7507) support", test_rfc7507, "yes", "no", "dunno"},
 	{"for HTTPS server name", test_server, NULL, "failed", "not checked", 1},
@@ -153,7 +155,7 @@ static const TLS_TEST tls_tests[] = {
 	{"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no", "dunno"},
 	{"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no", "dunno"},
 	{"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no", "dunno"},
-	{"for curve X25519 (draft-ietf-tls-rfc4492bis-07)", test_ecdhe_x25519, "yes", "no", "dunno"},
+	{"for curve X25519 (draft-ietf-tls-rfc4492bis-17)", test_ecdhe_x25519, "yes", "no", "dunno"},
 	{"for AES-128-GCM cipher (RFC5288) support", test_aes_gcm, "yes", "no",
 	 "dunno"},
 	{"for AES-128-CCM cipher (RFC6655) support", test_aes_ccm, "yes", "no",
@@ -281,10 +283,10 @@ int main(int argc, char **argv)
 
 		/* if neither of SSL3 and TLSv1 are supported, exit
 		 */
-		if (i > 10 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
-		    && ssl3_ok == 0) {
+		if (i > 11 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
+		    && ssl3_ok == 0 && tls1_3_ok == 0) {
 			fprintf(stderr,
-				"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2\n");
+				"\nServer does not support any of SSL 3.0, TLS 1.0, 1.1, 1.2 and 1.3\n");
 			break;
 		}
 
diff --git a/src/tests.c b/src/tests.c
index d1503cd7f0..80e77bf8d3 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -56,6 +56,7 @@ int tls1_ok = 0;
 int ssl3_ok = 0;
 int tls1_1_ok = 0;
 int tls1_2_ok = 0;
+int tls1_3_ok = 0;
 
 /* keep session info */
 static char *session_data = NULL;
@@ -920,7 +921,17 @@ test_code_t test_record_padding(gnutls_session_t session)
 	if (ret == TEST_SUCCEED) {
 		tls1_ok = 1;
 	} else {
-		strcat(rest, ":%COMPAT");
+		sprintf(prio_str,
+			INIT_STR BLOCK_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES
+			":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%COMPAT:%s", rest);
+		_gnutls_priority_set_direct(session, prio_str);
+
+		gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+		ret = do_handshake(session);
+		if (ret == TEST_SUCCEED) {
+			tls1_ok = 1;
+			strcat(rest, ":%COMPAT");
+		}
 	}
 
 	return ret;
@@ -941,8 +952,17 @@ test_code_t test_no_extensions(gnutls_session_t session)
 	if (ret == TEST_SUCCEED) {
 		tls_ext_ok = 1;
 	} else {
-		tls_ext_ok = 0;
-		strcat(rest, ":%NO_EXTENSIONS");
+		sprintf(prio_str,
+			INIT_STR BLOCK_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES
+			":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%NO_EXTENSIONS:%s", rest);
+		_gnutls_priority_set_direct(session, prio_str);
+
+		gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+		ret = do_handshake(session);
+		if (ret == TEST_SUCCEED) {
+			tls_ext_ok = 0;
+			strcat(rest, ":%NO_EXTENSIONS");
+		}
 	}
 
 	return ret;
@@ -967,6 +987,25 @@ test_code_t test_tls1_2(gnutls_session_t session)
 
 }
 
+test_code_t test_tls1_3(gnutls_session_t session)
+{
+	int ret;
+
+	sprintf(prio_str,
+		INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES
+		":+VERS-TLS1.3:" ALL_MACS ":" ALL_KX ":%s", rest);
+	_gnutls_priority_set_direct(session, prio_str);
+
+	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+	ret = do_handshake(session);
+	if (ret == TEST_SUCCEED)
+		tls1_3_ok = 1;
+
+	return ret;
+
+}
+
 test_code_t test_tls1_1(gnutls_session_t session)
 {
 	int ret;
diff --git a/src/tests.h b/src/tests.h
index 78fd842ddb..4d093fc554 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -49,6 +49,7 @@ test_code_t test_etm(gnutls_session_t state);
 test_code_t test_safe_renegotiation_scsv(gnutls_session_t state);
 test_code_t test_tls1_1(gnutls_session_t state);
 test_code_t test_tls1_2(gnutls_session_t state);
+test_code_t test_tls1_3(gnutls_session_t state);
 test_code_t test_tls1_1_fallback(gnutls_session_t state);
 test_code_t test_tls1_6_fallback(gnutls_session_t state);
 test_code_t test_tls_disable0(gnutls_session_t state);
-- 
cgit v1.2.1