author | Daiki Ueno <dueno@redhat.com> | 2019-06-07 11:37:37 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-06-19 15:09:33 +0200 |
commit | 70ed45cfe52d0a8f37f3527fcdca28b36c45797d (patch) | |
tree | 3e8fe11ff782bf5499ef63767c5180f1eb8674e8 | |
parent | 1c5a1c865b12654798dd53af54357daca93f7dcf (diff) | |
download | gnutls-70ed45cfe52d0a8f37f3527fcdca28b36c45797d.tar.gz |
gnutls-cli-debug: check if %ALLOW_SMALL_RECORDS is required
This adds a new test against the server to check if
%ALLOW_SMALL_RECORDS is required to continue communicating with the
server. The test is in two parts: one to check if the server accepts
records with the default size (512 bytes) and the other is to check if
%ALLOW_SMALL_RECORDS helps if the previous test fails.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | src/cli-debug.c | 8 | ||||
-rw-r--r-- | src/tests.c | 61 | ||||
-rw-r--r-- | src/tests.h | 2 | ||||
-rwxr-xr-x | tests/gnutls-cli-debug.sh | 21 |
4 files changed, 90 insertions, 2 deletions
diff --git a/src/cli-debug.c b/src/cli-debug.c
index 8308b9b48f..c1333b1935 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -83,6 +83,10 @@ typedef struct {
 } TLS_TEST;
 static const TLS_TEST tls_tests[] = {
+ {"whether the server accepts default record size (512 bytes)",
+ test_send_record, "yes", "no", "dunno"},
+ {"whether %ALLOW_SMALL_RECORDS is required",
+ test_send_record_with_allow_small_records, "yes", "no", "dunno"},
 #ifdef ENABLE_SSL3
 {"for SSL 3.0 (RFC6101) support", test_ssl3, "yes", "no", "dunno"},
 /* The following tests will disable TLS 1.x if the server is
@@ -94,9 +98,9 @@ static const TLS_TEST tls_tests[] = {
 "yes", "dunno"},
 {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes",
 "dunno"},
- {"whether \%NO_EXTENSIONS is required", test_no_extensions, "no", "yes",
+ {"whether %NO_EXTENSIONS is required", test_no_extensions, "no", "yes",
 "dunno"},
- {"whether \%COMPAT is required", test_record_padding, "no", "yes",
+ {"whether %COMPAT is required", test_record_padding, "no", "yes",
 "dunno"},
 {"for TLS 1.0 (RFC2246) support", test_tls1, "yes", "no", "dunno"},
 {"for TLS 1.0 (RFC2246) support with TLS 1.0 record version", test_tls1_nossl3, "yes", "no", "dunno"},
diff --git a/src/tests.c b/src/tests.c
index 3073beae56..115f3ae82b 100644
--- a/src/tests.c
+++ b/src/tests.c
@@ -57,6 +57,7 @@ int ssl3_ok = 0;
 int tls1_1_ok = 0;
 int tls1_2_ok = 0;
 int tls1_3_ok = 0;
+int send_record_ok = 0;
 /* keep session info */
 static char *session_data = NULL;
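Review bot: The two new tls_tests entries are order-dependent but nothing in the table says so: test_send_record_with_allow_small_records short-circuits on the send_record_ok flag that test_send_record sets (in src/tests.c), so if a later edit moved or reordered these entries the second check would run first, report %ALLOW_SMALL_RECORDS as required whenever the server simply accepts it, and append the option to `rest` for every following test. The hint currently lives only as a comment in tests.c, far from the table that fixes the order. Add a comment above the first entry, e.g. `/* Keep these two adjacent and in this order: the second relies on send_record_ok set by the first. */`. The tls_tests array continues outside the hunk.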
@@ -1518,3 +1519,63 @@ test_code_t test_server_cas(gnutls_session_t session)
 ext_text = "none";
 return TEST_SUCCEED;
 }
+
+static test_code_t
+test_do_handshake_and_send_record(gnutls_session_t session)
+{
+ int ret;
+ /* This will be padded to 512 bytes. */
+ const char snd_buf[] = "GET / HTTP/1.0\r\n\r\n";
+ static char buf[5 * 1024];
+
+ ret = test_do_handshake(session);
+ if (ret != TEST_SUCCEED)
+ return ret;
+
+ gnutls_record_send(session, snd_buf, sizeof(snd_buf) - 1);
+ ret = gnutls_record_recv(session, buf, sizeof(buf) - 1);
+ if (ret < 0)
+ return TEST_FAILED;
+
+ return TEST_SUCCEED;
+}
+
+/* These tests shall be sent in this order to check if the server
+ * advertises smaller limits than our default 512. and we can work it
+ * around with %ALLOW_SMALL_RECORDS. */
+test_code_t test_send_record(gnutls_session_t session)
+{
+ int ret;
+
+ sprintf(prio_str,
+ INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:"
+ ALL_MACS ":" ALL_KX ":%s", protocol_str, rest);
+ _gnutls_priority_set_direct(session, prio_str);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake_and_send_record(session);
+ if (ret == TEST_SUCCEED)
+ send_record_ok = 1;
+ return ret;
+}
+
+test_code_t test_send_record_with_allow_small_records(gnutls_session_t session)
+{
+ int ret;
+
+ /* If test_send_record succeeded, we don't need to check. */
+ if (send_record_ok)
+ return TEST_FAILED;
+
+ sprintf(prio_str,
+ INIT_STR ALL_CIPHERS ":" ALL_COMP ":%s:"
+ ALL_MACS ":" ALL_KX ":%%ALLOW_SMALL_RECORDS:%s",
+ protocol_str, rest);
+ _gnutls_priority_set_direct(session, prio_str);
+ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+
+ ret = test_do_handshake_and_send_record(session);
+ if (ret == TEST_SUCCEED)
+ strcat(rest, ":%ALLOW_SMALL_RECORDS");
+ return ret;
+}
diff --git a/src/tests.h b/src/tests.h
index 098c441a8d..0e6ad1824a 100644
--- a/src/tests.h
+++ b/src/tests.h
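Review bot: In test_do_handshake_and_send_record the return value of gnutls_record_send() is discarded, so a send that fails locally (the very condition this probe is meant to surface when the record is padded to 512 bytes) is only noticed indirectly, through whatever gnutls_record_recv() happens to return afterwards, and a recv that returns 0 on a closed connection would still yield TEST_SUCCEED. Check the send explicitly: `ret = gnutls_record_send(session, snd_buf, sizeof(snd_buf) - 1);` followed by `if (ret < 0) return TEST_FAILED;`. Separately, `strcat(rest, ":%ALLOW_SMALL_RECORDS")` and the two `sprintf(prio_str, ...)` calls append without a bound; the sizes of `rest` and `prio_str` are not visible in this hunk, and since `rest` grows as successive tests append options, a size-checked append (snprintf into the remaining space) would be safer if they are fixed-size buffers. The block comment above test_send_record also reads oddly; consider `/* Run in this order: first probe whether the server accepts our default 512-byte records, then whether %ALLOW_SMALL_RECORDS works around a smaller advertised limit. */`.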
@@ -70,6 +70,8 @@ test_code_t test_server_cas(gnutls_session_t state);
 test_code_t test_session_resume2(gnutls_session_t state);
 test_code_t test_rsa_pms_version_check(gnutls_session_t session);
 test_code_t test_version_oob(gnutls_session_t session);
+test_code_t test_send_record(gnutls_session_t session);
+test_code_t test_send_record_with_allow_small_records(gnutls_session_t session);
 int _test_srp_username_callback(gnutls_session_t session, char **username,
 char **password);
diff --git a/tests/gnutls-cli-debug.sh b/tests/gnutls-cli-debug.sh
index 191096ce6c..2de64b9a41 100755
--- a/tests/gnutls-cli-debug.sh
+++ b/tests/gnutls-cli-debug.sh
@@ -142,4 +142,25 @@ fi
 rm -f ${OUTFILE}
+# Small records test
+echo ""
+echo "Checking output of gnutls-cli-debug for small records"
+
+eval "${GETPORT}"
+launch_server $$ --echo --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%ALLOW_SMALL_RECORDS" --x509keyfile ${KEY1} --x509certfile ${CERT1} \
+ --x509keyfile ${KEY2} --x509certfile ${CERT2} --x509keyfile ${KEY3} --x509certfile ${CERT3} --recordsize=64 >/dev/null 2>&1
+PID=$!
+wait_server ${PID}
+
+timeout 1800 datefudge "2017-08-9" \
+"${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!"
+
+kill ${PID}
+wait
+
+check_text "whether the server accepts default record size (512 bytes)... no"
+check_text "whether %ALLOW_SMALL_RECORDS is required... yes"
+
+rm -f ${OUTFILE}
+
 exit 0 |
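Review bot: The new test block only covers the outcome where %ALLOW_SMALL_RECORDS is required (server launched with --recordsize=64); the complementary outcome, a server accepting the default 512-byte record, which should print `... yes` for the first check and `... no` for the second, is not asserted in this hunk. Unless one of the earlier server runs in this script (outside the hunk) already checks those two lines, add `check_text "whether the server accepts default record size (512 bytes)... yes"` and `check_text "whether %ALLOW_SMALL_RECORDS is required... no"` to a run against a server started without --recordsize, so a regression that makes test_send_record always fail is caught too. Note also that `$OUTFILE` is unquoted in the redirection while the rest of the block uses `${OUTFILE}`; using the braced, quoted form consistently avoids surprises if the path ever contains spaces.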