/* Advertise every protocol (TLS 1.0 and SSL 3.0 included). When this
 * handshake fails but the earlier SSL 3.0 probe succeeded, the global
 * protocol priority list is reduced to SSL 3.0 only, which disables
 * TLS 1.0 for the remaining tests. Skipped when TLS 1.0 is already
 * known to work (tls1_ok != 0). Returns the do_handshake() verdict. */
test_code_t test_tls_disable(gnutls_session session)
{
    int rc;

    if (tls1_ok != 0)
        return TEST_IGNORE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    rc = do_handshake(session);
    if (rc == TEST_FAILED && ssl3_ok != 0) {
        /* Only SSL 3.0 is known to work: make it the sole priority entry. */
        protocol_priority[0] = GNUTLS_SSL3;
        protocol_priority[1] = 0;
    }

    return rc;
}
/* Version rollback probe. Both SSL 3.0 and TLS 1.0 are offered; the
 * client hello carries version 3.1 while the record layer announces
 * 3.0. Implementations that mishandle this (some are open to a
 * man-in-the-middle version downgrade) fail the handshake. The probe
 * also fails when the server settles on SSL 3.0 although TLS 1.0 is
 * known to work. Skipped unless TLS 1.0 was established (tls1_ok). */
test_code_t test_version_rollback(gnutls_session session)
{
    int rc;
    int rolled_back;

    if (tls1_ok == 0)
        return TEST_IGNORE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    /* Record-layer version 3.0 underneath a TLS 1.0 client hello. */
    _gnutls_record_set_default_version(session, 3, 0);

    rc = do_handshake(session);
    if (rc != TEST_SUCCEED)
        return rc;

    /* Negotiating SSL 3.0 here means the server accepted a rollback. */
    rolled_back = (tls1_ok != 0)
        && (gnutls_protocol_get_version(session) == GNUTLS_SSL3);

    return rolled_back ? TEST_FAILED : TEST_SUCCEED;
}
/* Shows the CAs the server trusts for client certificates. Only
 * informative when the server sends a certificate request; the
 * printing itself happens in cert_callback, which is hooked in for
 * this single handshake and unhooked right after. Skipped unless
 * verbose mode is on. Any verdict other than TEST_FAILED is reported
 * as TEST_SUCCEED. */
test_code_t test_server_cas(gnutls_session session)
{
    int rc;

    if (verbose == 0)
        return TEST_IGNORE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    gnutls_certificate_client_set_retrieve_function(xcred, cert_callback);
    rc = do_handshake(session);
    gnutls_certificate_client_set_retrieve_function(xcred, NULL);

    return (rc == TEST_FAILED) ? TEST_FAILED : TEST_SUCCEED;
}
/* Prints the server's certificate information (via print_cert_info,
 * using the global hostname) after a successful handshake. Skipped
 * unless verbose mode is on. Any verdict other than TEST_FAILED ends
 * in TEST_SUCCEED. */
test_code_t test_certificate(gnutls_session session)
{
    int rc;

    if (verbose == 0)
        return TEST_IGNORE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    rc = do_handshake(session);
    if (rc == TEST_FAILED)
        return TEST_FAILED;

    /* Separate the certificate dump from the test line. */
    printf("\n");
    print_cert_info(session, hostname);

    return TEST_SUCCEED;
}
/* With TLS 1.1 known not to work, offer TLS 1.1, TLS 1.0 and SSL 3.0
 * and look at what the server falls back to: TLS 1.0 is a success,
 * SSL 3.0 is reported as unsure, anything else (including a failed
 * handshake) as a failure. Skipped when TLS 1.1 works (tls1_1_ok). */
test_code_t test_tls1_1_fallback(gnutls_session session)
{
    int rc;
    int negotiated;

    if (tls1_1_ok)
        return TEST_IGNORE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_PROTOCOL3(session, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    rc = do_handshake(session);
    if (rc != TEST_SUCCEED)
        return TEST_FAILED;

    negotiated = gnutls_protocol_get_version(session);
    switch (negotiated) {
    case GNUTLS_TLS1:
        return TEST_SUCCEED;
    case GNUTLS_SSL3:
        return TEST_UNSURE;
    default:
        return TEST_FAILED;
    }
}
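/* Checks that the server answers a close_notify. After a successful
 * handshake GNUTLS_SHUT_WR is sent and the connection is drained until
 * gnutls_record_recv() returns 0 (the peer's close_notify) or fails.
 * The wait is bounded by `secs`: SIGALRM on POSIX (got_alarm is
 * presumably the handler that sets the global `alrm`), SO_RCVTIMEO on
 * Win32 (where `alrm` is set here from the socket error).
 *
 * Returns TEST_SUCCEED when the peer closed cleanly, TEST_UNSURE when
 * recv failed without the timeout having fired, TEST_FAILED otherwise.
 */
test_code_t test_bye(gnutls_session session)
{
    int ret;
    char data[20];
    int old, secs = 6;
#ifdef _WIN32
    /* Winsock's SO_RCVTIMEO is expressed in milliseconds, not seconds. */
    int timeout_ms = secs * 1000;
#endif

#ifndef _WIN32
    signal(SIGALRM, got_alarm);
#endif

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    ret = do_handshake(session);
    if (ret == TEST_FAILED)
        return ret;

    ret = gnutls_bye(session, GNUTLS_SHUT_WR);
    if (ret < 0)
        return TEST_FAILED;

#ifndef _WIN32
    /* Let SIGALRM interrupt the blocking recv (EINTR) instead of restarting it. */
    old = siginterrupt(SIGALRM, 1);
    alarm(secs);
#else
    setsockopt(gnutls_transport_get_ptr(session), SOL_SOCKET, SO_RCVTIMEO,
               (char *) &timeout_ms, sizeof(timeout_ms));
#endif

    do {
        ret = gnutls_record_recv(session, data, sizeof(data));
    } while (ret > 0);

#ifndef _WIN32
    /* Cancel a still-pending alarm so it cannot fire inside a later test,
     * then restore the previous interrupt behaviour. */
    alarm(0);
    siginterrupt(SIGALRM, old);
#else
    if (WSAGetLastError() == WSAETIMEDOUT
        || WSAGetLastError() == WSAECONNABORTED)
        alrm = 1;
#endif

    if (ret == 0)
        return TEST_SUCCEED;
    if (alrm == 0)
        return TEST_UNSURE;
    return TEST_FAILED;
}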
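/* Fetches the server banner. After the handshake a minimal HTTP/1.0
 * GET is sent and the first chunk of the reply is scanned for a
 * "Server:" header; its value is echoed to stdout, stopping at CR/LF
 * or after 129 characters. Runs only in verbose mode, otherwise
 * TEST_UNSURE; a failed handshake or recv is TEST_FAILED.
 *
 * The received bytes are NUL-terminated at the actual length so the
 * strstr() scan never runs into uninitialised stack, and only 7-bit
 * printable ASCII is echoed so a hostile server cannot feed terminal
 * control sequences to the user's console. */
test_code_t test_server(gnutls_session session)
{
    int ret, counted = 0;
    char buf[5 * 1024];
    char *p;
    const char snd_buf[] = "GET / HTTP/1.0\n\n";

    if (verbose == 0)
        return TEST_UNSURE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    ret = do_handshake(session);
    if (ret != TEST_SUCCEED)
        return TEST_FAILED;

    /* Best effort: a send failure surfaces as a failing recv below. */
    gnutls_record_send(session, snd_buf, sizeof(snd_buf) - 1);

    /* Leave one byte for the terminator, then terminate at the real length
     * (0 <= ret <= sizeof(buf) - 1). */
    ret = gnutls_record_recv(session, buf, sizeof(buf) - 1);
    if (ret < 0)
        return TEST_FAILED;
    buf[ret] = 0;

    p = strstr(buf, "Server:");
    if (p != NULL)
        p = strchr(p, ':');
    if (p != NULL) {
        p++;
        while (*p != 0 && *p != '\r' && *p != '\n') {
            unsigned char c = (unsigned char) *p;

            /* Drop control bytes and non-ASCII rather than echo them raw. */
            if (c >= 0x20 && c < 0x7f)
                putc(c, stdout);
            p++;
            counted++;
            if (counted > 128)
                break;
        }
    }

    return TEST_SUCCEED;
}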
/* Offers only the 40-bit ARCFOUR cipher (everything else unrestricted)
 * and returns the handshake verdict. */
test_code_t test_arcfour_40(gnutls_session session)
{
    ADD_CIPHER(session, GNUTLS_CIPHER_ARCFOUR_40);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    return do_handshake(session);
}
/* Offers only 3DES-CBC (everything else unrestricted) and returns the
 * handshake verdict. */
test_code_t test_3des(gnutls_session_t session)
{
    ADD_CIPHER(session, GNUTLS_CIPHER_3DES_CBC);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    return do_handshake(session);
}
/* Offers only the SHA-1 MAC (everything else unrestricted) and returns
 * the handshake verdict. */
test_code_t test_sha(gnutls_session session)
{
    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_MAC(session, GNUTLS_MAC_SHA1);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    return do_handshake(session);
}
/* Offers a short list of common ciphers (AES-128-CBC, 3DES-CBC,
 * ARCFOUR-128) with everything else unrestricted and returns the
 * handshake verdict; used to see how the server copes with the
 * resulting ciphersuite list. */
test_code_t test_unknown_ciphersuites(gnutls_session session)
{
    ADD_CIPHER3(session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
                GNUTLS_CIPHER_ARCFOUR_128);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    return do_handshake(session);
}
/* Sends a client hello carrying an extension (max record size 512) and
 * returns the handshake verdict; checks the server tolerates hello
 * extensions at all. */
test_code_t test_hello_extension(gnutls_session session)
{
    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    /* The extension under test; the negotiated value is not checked here. */
    gnutls_record_set_max_size(session, 512);

    return do_handshake(session);
}
/* Second half of the session resumption check: reconnect with the
 * session data kept from the first handshake (session_data) and ask the
 * library whether the session was resumed; as a fallback the new
 * session id is compared with the one saved from the first handshake.
 * The gnutls_session_get_id() return value is not checked; a zero-length
 * id is treated as failure instead. Ignored when session is NULL. */
test_code_t test_session_resume2(gnutls_session session)
{
    int rc;
    char saved_id[32];
    int saved_id_size;

    if (session == NULL)
        return TEST_IGNORE;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
    gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred);

    /* Offer the previously stored session for resumption. */
    gnutls_session_set_data(session, session_data, session_data_size);

    /* Keep the first handshake's id; the global is overwritten below. */
    memcpy(saved_id, session_id, session_id_size);
    saved_id_size = session_id_size;

    rc = do_handshake(session);
    if (rc == TEST_FAILED)
        return rc;

    session_id_size = sizeof(session_id);
    gnutls_session_get_id(session, session_id, &session_id_size);
    if (session_id_size == 0)
        return TEST_FAILED;

    if (gnutls_session_is_resumed(session))
        return TEST_SUCCEED;

    /* An unchanged session id also counts as a resumed session. */
    if (saved_id_size == session_id_size
        && memcmp(saved_id, session_id, saved_id_size) == 0)
        return TEST_SUCCEED;

    return TEST_FAILED;
}
/* Offers SSL 3.0 only. On success the global ssl3_ok is raised so later
 * tests know SSL 3.0 works. Returns the handshake verdict. */
test_code_t test_ssl3(gnutls_session session)
{
    int rc;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_PROTOCOL(session, GNUTLS_SSL3);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    rc = do_handshake(session);
    if (rc == TEST_SUCCEED) {
        ssl3_ok = 1;
    }

    return rc;
}
/* Offers only LZO compression, which is a GnuTLS private extension, so
 * private extensions are enabled on the session first. Returns the
 * handshake verdict. */
test_code_t test_lzo(gnutls_session session)
{
    /* LZO is only negotiable with private extensions switched on. */
    gnutls_handshake_set_private_extensions(session, 1);

    ADD_ALL_CIPHERS(session);
    ADD_COMP(session, GNUTLS_COMP_LZO);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    return do_handshake(session);
}
/* Checks whether the server tolerates an out-of-range record layer
 * version in the first client hello: all protocols are offered while
 * the record layer announces version 5.5. Returns the handshake
 * verdict. */
test_code_t test_version_oob(gnutls_session session)
{
    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    /* Deliberately bogus record version 5.5 for the first hello. */
    _gnutls_record_set_default_version(session, 5, 5);

    return do_handshake(session);
}
/* Offers a short list of common ciphers (AES-128-CBC, 3DES-CBC,
 * ARCFOUR-128, plus Camellia-128-CBC when built in) with everything
 * else unrestricted and returns the handshake verdict; used to see how
 * the server copes with the resulting ciphersuite list. */
test_code_t test_unknown_ciphersuites(gnutls_session_t session)
{
#ifdef ENABLE_CAMELLIA
    ADD_CIPHER4(session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
                GNUTLS_CIPHER_CAMELLIA_128_CBC, GNUTLS_CIPHER_ARCFOUR_128);
#else
    /* No fourth cipher without Camellia; 0 pads the list. */
    ADD_CIPHER4(session, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_3DES_CBC,
                GNUTLS_CIPHER_ARCFOUR_128, 0);
#endif
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    return do_handshake(session);
}
/* Offers only the OpenPGP certificate type and succeeds when the
 * handshake did not fail and the negotiated certificate type really is
 * OpenPGP; TEST_FAILED otherwise. */
test_code_t test_openpgp1(gnutls_session session)
{
    int rc;
    int is_openpgp;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_CERTTYPE(session, GNUTLS_CRT_OPENPGP);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    rc = do_handshake(session);
    if (rc == TEST_FAILED)
        return rc;

    is_openpgp = (gnutls_certificate_type_get(session) == GNUTLS_CRT_OPENPGP);

    return is_openpgp ? TEST_SUCCEED : TEST_FAILED;
}
/* Puts an arbitrary version (5.5) into the RSA pre-master secret to see
 * whether the server checks it. A correctly behaving server aborts this
 * handshake. Returns the handshake verdict. */
test_code_t test_rsa_pms_version_check(gnutls_session session)
{
    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    /* Bogus "SSL 5.5" in the PMS; a checking server rejects it. */
    _gnutls_rsa_pms_set_version(session, 5, 5);

    return do_handshake(session);
}
/* Requests a maximum record size of 512 and succeeds only when the
 * handshake did not fail and the session reports 512 as the negotiated
 * maximum afterwards; TEST_FAILED otherwise. */
test_code_t test_max_record_size(gnutls_session session)
{
    int rc;
    int negotiated_max;

    ADD_ALL_CIPHERS(session);
    ADD_ALL_COMP(session);
    ADD_ALL_CERTTYPES(session);
    ADD_ALL_PROTOCOLS(session);
    ADD_ALL_MACS(session);
    ADD_ALL_KX(session);
    gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

    gnutls_record_set_max_size(session, 512);

    rc = do_handshake(session);
    if (rc == TEST_FAILED)
        return rc;

    /* The server must have accepted the extension for the value to stick. */
    negotiated_max = gnutls_record_get_max_size(session);

    return (negotiated_max == 512) ? TEST_SUCCEED : TEST_FAILED;
}