authorNikos Mavrogiannopoulos <nmav@redhat.com>2015-08-28 12:05:02 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2015-08-28 16:55:32 +0200
commitc0369d2405b6577f044770b699326f8d80531817 (patch)
treeb6458f70ac128b41c2e5cf6b2cff04c19d6010c0
parent17885b3292535cb5388ab6aff2369d6e117c9a3b (diff)
downloadgnutls-c0369d2405b6577f044770b699326f8d80531817.tar.gz
gnutls-cli-debug: added check for inappropriate fallback support
-rw-r--r--src/cli-debug.c1
-rw-r--r--src/tests.c31
-rw-r--r--src/tests.h1
3 files changed, 33 insertions, 0 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c
index 90d1b2a112..c9eb4a2c36 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -103,6 +103,7 @@ static const TLS_TEST tls_tests[] = {
{"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"},
{"fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
"failed (server requires fallback dance)", "dunno"},
+ {"for RFC7507 inappropriate fallback", test_rfc7507, "yes", "no", "dunno"},
{"for HTTPS server name", test_server, NULL, "failed", "not checked", 1},
{"for certificate information", test_certificate, NULL, "", ""},
{"for certificate chain order", test_chain_order, "sorted", "unsorted", "unknown"},
diff --git a/src/tests.c b/src/tests.c
index 3848e7332f..bc40b8da47 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -229,6 +229,37 @@ test_code_t test_ecdhe(gnutls_session_t session)
return ret;
}
+test_code_t test_rfc7507(gnutls_session_t session)
+{
+ int ret;
+ const char *pstr = NULL;
+
+ if (tls1_2_ok && tls1_1_ok)
+ pstr = "-VERS-TLS-ALL:+VERS-TLS1.1:%FALLBACK_SCSV";
+ else if (tls1_1_ok && tls1_ok)
+ pstr = "-VERS-TLS-ALL:+VERS-TLS1.0:%FALLBACK_SCSV";
+ else if (tls1_ok && ssl3_ok)
+ pstr = "-VERS-TLS-ALL:+VERS-SSL3:%FALLBACK_SCSV";
+ else
+ return TEST_IGNORE;
+
+ sprintf(prio_str, INIT_STR
+ ALL_CIPHERS ":" ALL_COMP ":%s:" ALL_MACS
+ ":"ALL_KX":%s", pstr, rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake(session);
+ if (ret < 0)
+ return TEST_IGNORE;
+
+ if (handshake_output < 0)
+ return TEST_SUCCEED;
+
+ return TEST_FAILED;
+}
+
test_code_t test_safe_renegotiation(gnutls_session_t session)
{
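Review bot: The final check `if (handshake_output < 0) return TEST_SUCCEED;` reports RFC 7507 support on any failed handshake, so a server that rejects the downgraded hello for an unrelated reason (a transport error, a different fatal alert, the pinned version being refused) would be shown as "yes". Checking for the specific alert would make the result trustworthy, e.g. `if (handshake_output == GNUTLS_E_FATAL_ALERT_RECEIVED && gnutls_alert_get(session) == GNUTLS_A_INAPPROPRIATE_FALLBACK) return TEST_SUCCEED;`, with other failures mapped to TEST_IGNORE. This assumes the last alert is still readable from the session after do_handshake(), whose body is not in the hunk. Separately, the `sprintf` into `prio_str` is unbounded and `rest` appears to be set outside this function, so if `prio_str` is a fixed-size buffer (its declaration is not visible here) a bounded `snprintf` with a truncation check would be safer.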
diff --git a/src/tests.h b/src/tests.h
index 6631d69868..35d642dc64 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -28,6 +28,7 @@ test_code_t test_record_padding(gnutls_session_t state);
test_code_t test_no_extensions(gnutls_session_t state);
test_code_t test_heartbeat_extension(gnutls_session_t state);
test_code_t test_small_records(gnutls_session_t state);
+test_code_t test_rfc7507(gnutls_session_t state);
test_code_t test_dhe(gnutls_session_t state);
test_code_t test_dhe_group(gnutls_session_t state);
test_code_t test_ssl3(gnutls_session_t state);