authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-07-12 09:17:11 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-07-12 17:43:16 +0200
commit0697185611074c23057f83cbef3283f2cc9adfd4 (patch)
tree5171ed72611be5b4d2da7bfdc91c70344970f8ad
parent98bd9f68e8aba6b2f29f59b277b905086657427a (diff)
gnutls-cli-debug: detect TLS1.3 support
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--src/cli-debug.c12
-rw-r--r--src/tests.c45
-rw-r--r--src/tests.h1
3 files changed, 50 insertions, 8 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c
index 899edd4938..ba54526688 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -62,6 +62,7 @@ unsigned int verbose = 0;
extern int tls1_ok;
extern int tls1_1_ok;
extern int tls1_2_ok;
+extern int tls1_3_ok;
extern int ssl3_ok;
extern const char *ext_text;
@@ -102,7 +103,8 @@ static const TLS_TEST tls_tests[] = {
"failed",
"SSL 3.0"},
{"for TLS 1.2 (RFC5246) support", test_tls1_2, "yes", "no", "dunno"},
- {"fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
+ {"for TLS 1.3 (draft-ietf-tls-tls13-28) support", test_tls1_3, "yes", "no", "dunno"},
+ {"TLS1.2 neg fallback from TLS 1.6 to", test_tls1_6_fallback, NULL,
"failed (server requires fallback dance)", "dunno"},
{"for inappropriate fallback (RFC7507) support", test_rfc7507, "yes", "no", "dunno"},
{"for HTTPS server name", test_server, NULL, "failed", "not checked", 1},
@@ -153,7 +155,7 @@ static const TLS_TEST tls_tests[] = {
{"for curve SECP256r1 (RFC4492)", test_ecdhe_secp256r1, "yes", "no", "dunno"},
{"for curve SECP384r1 (RFC4492)", test_ecdhe_secp384r1, "yes", "no", "dunno"},
{"for curve SECP521r1 (RFC4492)", test_ecdhe_secp521r1, "yes", "no", "dunno"},
- {"for curve X25519 (draft-ietf-tls-rfc4492bis-07)", test_ecdhe_x25519, "yes", "no", "dunno"},
+ {"for curve X25519 (draft-ietf-tls-rfc4492bis-17)", test_ecdhe_x25519, "yes", "no", "dunno"},
{"for AES-128-GCM cipher (RFC5288) support", test_aes_gcm, "yes", "no",
"dunno"},
{"for AES-128-CCM cipher (RFC6655) support", test_aes_ccm, "yes", "no",
@@ -281,10 +283,10 @@ int main(int argc, char **argv)
/* if neither of SSL3 and TLSv1 are supported, exit
*/
- if (i > 10 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
- && ssl3_ok == 0) {
+ if (i > 11 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
+ && ssl3_ok == 0 && tls1_3_ok == 0) {
fprintf(stderr,
- "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2\n");
+ "\nServer does not support any of SSL 3.0, TLS 1.0, 1.1, 1.2 and 1.3\n");
break;
}
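Review bot: The bound in `if (i > 11 && ...` is a hard-coded position in `tls_tests`, so it must be bumped by hand whenever a row is inserted ahead of it, as this commit does for the new TLS 1.3 row. A missed bump would make the check fire before all version tests have run, or later than intended. The comment above it still reads "if neither of SSL3 and TLSv1 are supported, exit" although five flags are now tested. I would replace it with `/* stop once every protocol-version test has run and none succeeded; the index must match the last version test's position in tls_tests */`. main() starts and ends outside this hunk, so where `i` advances relative to the check is not visible here.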
diff --git a/src/tests.c b/src/tests.c
index d1503cd7f0..80e77bf8d3 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -56,6 +56,7 @@ int tls1_ok = 0;
int ssl3_ok = 0;
int tls1_1_ok = 0;
int tls1_2_ok = 0;
+int tls1_3_ok = 0;
/* keep session info */
static char *session_data = NULL;
@@ -920,7 +921,17 @@ test_code_t test_record_padding(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls1_ok = 1;
} else {
- strcat(rest, ":%COMPAT");
+ sprintf(prio_str,
+ INIT_STR BLOCK_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES
+ ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%COMPAT:%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ ret = do_handshake(session);
+ if (ret == TEST_SUCCEED) {
+ tls1_ok = 1;
+ strcat(rest, ":%COMPAT");
+ }
}
return ret;
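Review bot: The added `sprintf(prio_str, ... ":%%COMPAT:%s", rest)` writes into `prio_str` with no length bound, while `rest` only grows as tests `strcat` options onto it. The same unbounded pattern is added in test_no_extensions and in the new test_tls1_3 further down. The declarations of `prio_str` and `rest` are outside the diff, so their sizes cannot be checked from here. If `prio_str` is an array, `snprintf(prio_str, sizeof(prio_str), ...)` with a check of the return value would turn an overlong string into a reported failure rather than a write past the buffer. The start of test_record_padding is outside the hunk.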
@@ -941,8 +952,17 @@ test_code_t test_no_extensions(gnutls_session_t session)
if (ret == TEST_SUCCEED) {
tls_ext_ok = 1;
} else {
- tls_ext_ok = 0;
- strcat(rest, ":%NO_EXTENSIONS");
+ sprintf(prio_str,
+ INIT_STR BLOCK_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES
+ ":+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:" ALL_MACS ":" ALL_KX ":%%NO_EXTENSIONS:%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ ret = do_handshake(session);
+ if (ret == TEST_SUCCEED) {
+ tls_ext_ok = 0;
+ strcat(rest, ":%NO_EXTENSIONS");
+ }
}
return ret;
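Review bot: When both handshakes in the new else branch fail, `tls_ext_ok` is no longer set to 0 and `:%NO_EXTENSIONS` is not appended, whereas the removed code did both on any failure. Later tests then run with whatever value `tls_ext_ok` had before. The retry also calls `do_handshake(session)` on the session whose first handshake just failed. `do_handshake` and the connection setup are outside this diff, so it is worth confirming that a second handshake can reach the server in that state; the same applies to the retry in test_record_padding. A comment such as `/* retry without extensions; record %NO_EXTENSIONS only if that makes the handshake succeed */` would make the intent explicit.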
@@ -967,6 +987,25 @@ test_code_t test_tls1_2(gnutls_session_t session)
}
+test_code_t test_tls1_3(gnutls_session_t session)
+{
+ int ret;
+
+ sprintf(prio_str,
+ INIT_STR ALL_CIPHERS ":" ALL_COMP ":" ALL_CERTTYPES
+ ":+VERS-TLS1.3:" ALL_MACS ":" ALL_KX ":%s", rest);
+ _gnutls_priority_set_direct(session, prio_str);
+
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = do_handshake(session);
+ if (ret == TEST_SUCCEED)
+ tls1_3_ok = 1;
+
+ return ret;
+
+}
+
test_code_t test_tls1_1(gnutls_session_t session)
{
int ret;
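Review bot: test_tls1_3 is added without a comment saying what it records: on success it sets `tls1_3_ok`, which the exit check in cli-debug.c's main() reads. I would add above it `/* Handshake with +VERS-TLS1.3 in the priority string; sets tls1_3_ok on success. */`. The blank line between `return ret;` and the closing brace can be dropped. The priority string also appends `rest`, which test_no_extensions may have extended with `:%NO_EXTENSIONS`; whether a TLS 1.3 handshake is meaningful with that option depends on code outside this diff.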
diff --git a/src/tests.h b/src/tests.h
index 78fd842ddb..4d093fc554 100644
--- a/src/tests.h
+++ b/src/tests.h
@@ -49,6 +49,7 @@ test_code_t test_etm(gnutls_session_t state);
test_code_t test_safe_renegotiation_scsv(gnutls_session_t state);
test_code_t test_tls1_1(gnutls_session_t state);
test_code_t test_tls1_2(gnutls_session_t state);
+test_code_t test_tls1_3(gnutls_session_t state);
test_code_t test_tls1_1_fallback(gnutls_session_t state);
test_code_t test_tls1_6_fallback(gnutls_session_t state);
test_code_t test_tls_disable0(gnutls_session_t state);