test_code_t
test_rsa_pms (gnutls_session session)
{
int ret;
/* here we enable both SSL 3.0 and TLS 1.0
* and try to connect and use rsa authentication.
* If the server is old, buggy and only supports
* SSL 3.0 then the handshake will fail.
*/
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX (session, GNUTLS_KX_RSA);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_FAILED)
return TEST_FAILED;
if (gnutls_protocol_get_version (session) == GNUTLS_TLS1)
return TEST_SUCCEED;
return TEST_UNSURE;
}
test_code_t
test_tls1_1_fallback (gnutls_session session)
{
int ret;
if (tls1_1_ok)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_PROTOCOL3 (session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret != TEST_SUCCEED)
return TEST_FAILED;
if (gnutls_protocol_get_version (session) == GNUTLS_TLS1)
return TEST_SUCCEED;
else if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
return TEST_UNSURE;
return TEST_FAILED;
}
test_code_t
test_srp (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX (session, GNUTLS_KX_SRP);
srp_detected = 0;
gnutls_srp_set_client_credentials_function (srp_cred,
_test_srp_username_callback);
gnutls_credentials_set (session, GNUTLS_CRD_SRP, srp_cred);
ret = do_handshake (session);
gnutls_srp_set_client_credentials_function (srp_cred, NULL);
if (srp_detected != 0)
return TEST_SUCCEED;
else
return TEST_FAILED;
}
test_code_t
test_version_rollback (gnutls_session session)
{
int ret;
if (tls1_ok == 0)
return TEST_IGNORE;
/* here we enable both SSL 3.0 and TLS 1.0
* and we connect using a 3.1 client hello version,
* and a 3.0 record version. Some implementations
* are buggy (and vulnerable to man in the middle
* attacks which allow a version downgrade) and this
* connection will fail.
*/
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
_gnutls_record_set_default_version (session, 3, 0);
ret = do_handshake (session);
if (ret != TEST_SUCCEED)
return ret;
if (tls1_ok != 0 && gnutls_protocol_get_version (session) == GNUTLS_SSL3)
return TEST_FAILED;
return TEST_SUCCEED;
}
/* Prints the trusted server's CAs. This is only
* if the server sends a certificate request packet.
*/
test_code_t
test_server_cas (gnutls_session session)
{
int ret;
if (verbose == 0)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_certificate_client_set_retrieve_function (xcred, cert_callback);
ret = do_handshake (session);
gnutls_certificate_client_set_retrieve_function (xcred, NULL);
if (ret == TEST_FAILED)
return ret;
return TEST_SUCCEED;
}
test_code_t
test_certificate (gnutls_session session)
{
int ret;
if (verbose == 0)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_FAILED)
return ret;
printf ("\n");
print_cert_info (session, hostname);
return TEST_SUCCEED;
}
/* Advertize both TLS 1.0 and SSL 3.0. If the connection fails,
* but the previous SSL 3.0 test succeeded then disable TLS 1.0.
*/
test_code_t
test_tls_disable (gnutls_session session)
{
int ret;
if (tls1_ok != 0)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_FAILED)
{
/* disable TLS 1.0 */
if (ssl3_ok != 0)
{
protocol_priority[0] = GNUTLS_SSL3;
protocol_priority[1] = 0;
}
}
return ret;
}
test_code_t
test_bye (gnutls_session session)
{
int ret;
char data[20];
int old, secs = 6;
#ifndef _WIN32
signal (SIGALRM, got_alarm);
#endif
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_FAILED)
return ret;
ret = gnutls_bye (session, GNUTLS_SHUT_WR);
if (ret < 0)
return TEST_FAILED;
#ifndef _WIN32
old = siginterrupt (SIGALRM, 1);
alarm (secs);
#else
setsockopt (gnutls_transport_get_ptr (session), SOL_SOCKET, SO_RCVTIMEO,
(char *) &secs, sizeof (int));
#endif
do
{
ret = gnutls_record_recv (session, data, sizeof (data));
}
while (ret > 0);
#ifndef _WIN32
siginterrupt (SIGALRM, old);
#else
if (WSAGetLastError () == WSAETIMEDOUT ||
WSAGetLastError () == WSAECONNABORTED)
alrm = 1;
#endif
if (ret == 0)
return TEST_SUCCEED;
if (alrm == 0)
return TEST_UNSURE;
return TEST_FAILED;
}
test_code_t
test_export_info (gnutls_session session)
{
int ret2, ret;
gnutls_datum exp2, mod2;
const char *print;
if (verbose == 0 || export_true == 0)
return TEST_IGNORE;
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_SUCCEED)
{
ret2 = gnutls_rsa_export_get_pubkey (session, &exp2, &mod2);
if (ret2 >= 0)
{
printf ("\n");
print = raw_to_string (exp2.data, exp2.size);
if (print)
printf (" Exponent [%d bits]: %s\n", exp2.size * 8, print);
print = raw_to_string (mod2.data, mod2.size);
if (print)
printf (" Modulus [%d bits]: %s\n", mod2.size * 8, print);
if (mod2.size != mod.size || exp2.size != exp.size ||
memcmp (mod2.data, mod.data, mod.size) != 0 ||
memcmp (exp2.data, exp.data, exp.size) != 0)
{
printf
(" (server uses different public keys per connection)\n");
}
}
}
return ret;
}
test_code_t
test_server (gnutls_session session)
{
int ret, i = 0;
char buf[5 * 1024];
char *p;
const char snd_buf[] = "GET / HTTP/1.0\n\n";
if (verbose == 0)
return TEST_UNSURE;
buf[sizeof (buf) - 1] = 0;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret != TEST_SUCCEED)
return TEST_FAILED;
gnutls_record_send (session, snd_buf, sizeof (snd_buf) - 1);
ret = gnutls_record_recv (session, buf, sizeof (buf) - 1);
if (ret < 0)
return TEST_FAILED;
p = strstr (buf, "Server:");
if (p != NULL)
p = strchr (p, ':');
if (p != NULL)
{
p++;
while (*p != 0 && *p != '\r' && *p != '\n')
{
putc (*p, stdout);
p++;
i++;
if (i > 128)
break;
}
}
return TEST_SUCCEED;
}
test_code_t
test_sha (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_MAC (session, GNUTLS_MAC_SHA1);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
return ret;
}
test_code_t
test_3des (gnutls_session_t session)
{
int ret;
ADD_CIPHER (session, GNUTLS_CIPHER_3DES_CBC);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
return ret;
}
test_code_t
test_arcfour_40 (gnutls_session session)
{
int ret;
ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
return ret;
}
test_code_t
test_unknown_ciphersuites (gnutls_session session)
{
int ret;
ADD_CIPHER3 (session, GNUTLS_CIPHER_AES_128_CBC,
GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_ARCFOUR_128);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
return ret;
}
test_code_t
test_hello_extension (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_record_set_max_size (session, 512);
ret = do_handshake (session);
return ret;
}
test_code_t
test_dhe_group (gnutls_session session)
{
int ret, ret2;
gnutls_datum gen, prime, pubkey2;
const char *print;
if (verbose == 0 || pubkey.data == NULL)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
ret2 = gnutls_dh_get_group (session, &gen, &prime);
if (ret2 >= 0)
{
printf ("\n");
print = raw_to_string (gen.data, gen.size);
if (print)
printf (" Generator [%d bits]: %s\n", gen.size * 8, print);
print = raw_to_string (prime.data, prime.size);
if (print)
printf (" Prime [%d bits]: %s\n", prime.size * 8, print);
gnutls_dh_get_pubkey (session, &pubkey2);
print = raw_to_string (pubkey2.data, pubkey2.size);
if (print)
printf (" Pubkey [%d bits]: %s\n", pubkey2.size * 8, print);
if (pubkey2.data && pubkey2.size == pubkey.size &&
memcmp (pubkey.data, pubkey2.data, pubkey.size) == 0)
{
printf (" (public key seems to be static among sessions)\n");
}
}
return ret;
}
test_code_t
test_session_resume2 (gnutls_session session)
{
int ret;
char tmp_session_id[32];
int tmp_session_id_size;
if (session == NULL)
return TEST_IGNORE;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
gnutls_session_set_data (session, session_data, session_data_size);
memcpy (tmp_session_id, session_id, session_id_size);
tmp_session_id_size = session_id_size;
ret = do_handshake (session);
if (ret == TEST_FAILED)
return ret;
/* check if we actually resumed the previous session */
session_id_size = sizeof (session_id);
gnutls_session_get_id (session, session_id, &session_id_size);
if (session_id_size == 0)
return TEST_FAILED;
if (gnutls_session_is_resumed (session))
return TEST_SUCCEED;
if (tmp_session_id_size == session_id_size &&
memcmp (tmp_session_id, session_id, tmp_session_id_size) == 0)
return TEST_SUCCEED;
else
return TEST_FAILED;
}
test_code_t
test_ssl3 (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_PROTOCOL (session, GNUTLS_SSL3);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_SUCCEED)
ssl3_ok = 1;
return ret;
}
test_code_t
test_lzo (gnutls_session session)
{
int ret;
gnutls_handshake_set_private_extensions (session, 1);
ADD_ALL_CIPHERS (session);
ADD_COMP (session, GNUTLS_COMP_LZO);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
return ret;
}
/* See if the server tolerates out of bounds
* record layer versions in the first client hello
* message.
*/
test_code_t
test_version_oob (gnutls_session session)
{
int ret;
/* here we enable both SSL 3.0 and TLS 1.0
* and we connect using a 5.5 record version.
*/
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
_gnutls_record_set_default_version (session, 5, 5);
ret = do_handshake (session);
return ret;
}
test_code_t
test_anonymous (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX (session, GNUTLS_KX_ANON_DH);
gnutls_credentials_set (session, GNUTLS_CRD_ANON, anon_cred);
ret = do_handshake (session);
if (ret == TEST_SUCCEED)
gnutls_dh_get_pubkey (session, &pubkey);
return ret;
}
test_code_t
test_dhe (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX2 (session, GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
gnutls_dh_get_pubkey (session, &pubkey);
return ret;
}
test_code_t
test_unknown_ciphersuites (gnutls_session_t session)
{
int ret;
#ifdef ENABLE_CAMELLIA
ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128);
#else
ADD_CIPHER4 (session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
GNUTLS_CIPHER_ARCFOUR_128, 0);
#endif
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
return ret;
}
test_code_t
test_rsa_pms_version_check (gnutls_session session)
{
int ret;
/* here we use an arbitary version in the RSA PMS
* to see whether to server will check this version.
*
* A normal server would abort this handshake.
*/
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
_gnutls_rsa_pms_set_version (session, 5, 5); /* use SSL 5.5 version */
ret = do_handshake (session);
return ret;
}
test_code_t
test_max_record_size (gnutls_session session)
{
int ret;
ADD_ALL_CIPHERS (session);
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_ALL_KX (session);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
gnutls_record_set_max_size (session, 512);
ret = do_handshake (session);
if (ret == TEST_FAILED)
return ret;
ret = gnutls_record_get_max_size (session);
if (ret == 512)
return TEST_SUCCEED;
return TEST_FAILED;
}
test_code_t
test_export (gnutls_session session)
{
int ret;
ADD_ALL_COMP (session);
ADD_ALL_CERTTYPES (session);
ADD_ALL_PROTOCOLS (session);
ADD_ALL_MACS (session);
ADD_KX (session, GNUTLS_KX_RSA_EXPORT);
ADD_CIPHER (session, GNUTLS_CIPHER_ARCFOUR_40);
gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, xcred);
ret = do_handshake (session);
if (ret == TEST_SUCCEED)
{
export_true = 1;
gnutls_rsa_export_get_pubkey (session, &exp, &mod);
}
return ret;
}
