test_code_t
test_version_rollback (gnutls_session session)
{
int ret;
if (tls1_ok == 0)
return TEST_IGNORE;
/* here we enable both SSL 3.0 and TLS 1.0
* and we connect using a 3.1 client hello version,
* and a 3.0 record version. Some implementations
* are buggy (and vulnerable to man in the middle
* attacks which allow a version downgrade) and this
* connection will fail.
*/
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
_gnutls_record_set_default_version (session, 3, 0);
ret = do_handshake (session);
if (ret != TEST_SUCCEED)
return ret;
if (tls1_ok != 0 && gnutls_protocol_get_version (session) == GNUTLS_SSL3)
return TEST_FAILED;
return TEST_SUCCEED;
}
/* See if the server tolerates out of bounds
* record layer versions in the first client hello
* message.
*/
test_code_t
test_version_oob (gnutls_session_t session)
{
int ret;
/* here we enable both SSL 3.0 and TLS 1.0
* and we connect using a 5.5 record version.
*/
sprintf (prio_str,
INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES ":%s:" ALL_MACS
":" ALL_KX ":%s", protocol_str, rest);
_gnutls_priority_set_direct (session, prio_str);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
_gnutls_record_set_default_version (session, 5, 5);
ret = do_handshake (session);
return ret;
}
/* See if the server tolerates out of bounds
* record layer versions in the first client hello
* message.
*/
test_code_t
test_version_oob (gnutls_session session)
{
int ret;
/* here we enable both SSL 3.0 and TLS 1.0
* and we connect using a 5.5 record version.
*/
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
_gnutls_record_set_default_version (session, 5, 5);
ret = do_handshake (session);
return ret;
}
