Diffstat (limited to 'tests/tls10-server-kx-neg.c')
-rw-r--r--tests/tls10-server-kx-neg.c655
1 files changed, 304 insertions, 351 deletions
diff --git a/tests/tls10-server-kx-neg.c b/tests/tls10-server-kx-neg.c
index e9e8c47730..0ef2439fea 100644
--- a/tests/tls10-server-kx-neg.c
+++ b/tests/tls10-server-kx-neg.c
@@ -20,7 +20,7 @@
*/
#ifdef HAVE_CONFIG_H
-# include <config.h>
+#include <config.h>
#endif
/* This program tests the ciphersuite negotiation for various key exchange
@@ -38,359 +38,312 @@
#include "server-kx-neg-common.c"
test_case_st tests[] = {
- {
- .name = "TLS 1.0 ANON-DH without cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ANON-DH with cred but no DH params",
- .client_ret = 0,
- .server_ret = 0,
- .have_anon_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ANON-DH with cred and DH params",
- .server_ret = 0,
- .client_ret = 0,
- .have_anon_cred = 1,
- .have_anon_dh_params = 1,
- .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-RSA without cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-RSA with cred but no DH params or cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-RSA with cred and cert but no DH params",
- .client_ret = 0,
- .server_ret = 0,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-RSA with cred and DH params but no cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .have_cert_dh_params = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name =
- "TLS 1.0 DHE-RSA with cred and incompatible cert and DH params",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .have_rsa_decrypt_cert = 1,
- .have_ecc_sign_cert = 1,
- .have_cert_dh_params = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-RSA with cred and cert and DH params",
- .client_ret = 0,
- .server_ret = 0,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .have_cert_dh_params = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-RSA with cred and multiple certs and DH params",
- .client_ret = 0,
- .server_ret = 0,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .have_ecc_sign_cert = 1,
- .have_rsa_decrypt_cert = 1,
- .have_cert_dh_params = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-PSK without cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-PSK with cred but no DH params",
- .client_ret = 0,
- .server_ret = 0,
- .have_psk_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 DHE-PSK with cred DH params",
- .client_ret = 0,
- .server_ret = 0,
- .have_psk_cred = 1,
- .have_psk_dh_params = 1,
- .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-RSA without cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-RSA with cred but no common curve or cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .server_prio =
- "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
- .client_prio =
- "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1"},
- {
- .name = "TLS 1.0 ECDHE-RSA with cred and cert but no common curve",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .server_prio =
- "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
- .client_prio =
- "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1"},
- {
- .name = "TLS 1.0 ECDHE-RSA with cred and common curve but no cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name =
- "TLS 1.0 ECDHE-RSA with cred and incompatible cert and common curve",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .have_rsa_decrypt_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-RSA with cred and cert and common curve",
- .server_ret = 0,
- .client_ret = 0,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name =
- "TLS 1.0 ECDHE-RSA with cred and multiple certs and common curve",
- .server_ret = 0,
- .client_ret = 0,
- .have_cert_cred = 1,
- .have_rsa_decrypt_cert = 1,
- .have_rsa_sign_cert = 1,
- .have_ecc_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0"},
+ { .name = "TLS 1.0 ANON-DH without cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ANON-DH with cred but no DH params",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_anon_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ANON-DH with cred and DH params",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_anon_cred = 1,
+ .have_anon_dh_params = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ANON-DH:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA without cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA with cred but no DH params or cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA with cred and cert but no DH params",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA with cred and DH params but no cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .have_cert_dh_params = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA with cred and incompatible cert and DH params",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .have_rsa_decrypt_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .have_cert_dh_params = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA with cred and cert and DH params",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .have_cert_dh_params = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-RSA with cred and multiple certs and DH params",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .have_rsa_decrypt_cert = 1,
+ .have_cert_dh_params = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-PSK without cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-PSK with cred but no DH params",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_psk_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 DHE-PSK with cred DH params",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_psk_cred = 1,
+ .have_psk_dh_params = 1,
+ .server_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+DHE-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-RSA without cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-RSA with cred but no common curve or cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .server_prio =
+ "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
+ .client_prio =
+ "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1" },
+ { .name = "TLS 1.0 ECDHE-RSA with cred and cert but no common curve",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .server_prio =
+ "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
+ .client_prio =
+ "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1" },
+ { .name = "TLS 1.0 ECDHE-RSA with cred and common curve but no cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-RSA with cred and incompatible cert and common curve",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .have_rsa_decrypt_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-RSA with cred and cert and common curve",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-RSA with cred and multiple certs and common curve",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_cert_cred = 1,
+ .have_rsa_decrypt_cert = 1,
+ .have_rsa_sign_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.0" },
- {
- .name = "TLS 1.0 ECDHE-ECDSA without cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-ECDSA with cred but no common curve or cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .server_prio =
- "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
- .client_prio =
- "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1"},
- {
- .name = "TLS 1.0 ECDHE-ECDSA with cred and cert but no common curve",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .have_ecc_sign_cert = 1,
- .server_prio =
- "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
- .client_prio =
- "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1"},
- {
- .name =
- "TLS 1.0 ECDHE-ECDSA with cred and common curve but no ECDSA cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .have_rsa_decrypt_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-ECDSA with cred and common curve but no cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_cert_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-ECDSA with cred and cert and common curve",
- .server_ret = 0,
- .client_ret = 0,
- .have_cert_cred = 1,
- .have_ecc_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name =
- "TLS 1.0 ECDHE-ECDSA with cred and multiple certs and common curve",
- .server_ret = 0,
- .client_ret = 0,
- .have_cert_cred = 1,
- .have_ecc_sign_cert = 1,
- .have_rsa_sign_cert = 1,
- .have_rsa_decrypt_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0"},
+ { .name = "TLS 1.0 ECDHE-ECDSA without cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-ECDSA with cred but no common curve or cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .server_prio =
+ "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
+ .client_prio =
+ "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1" },
+ { .name = "TLS 1.0 ECDHE-ECDSA with cred and cert but no common curve",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .have_ecc_sign_cert = 1,
+ .server_prio =
+ "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
+ .client_prio =
+ "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1" },
+ { .name = "TLS 1.0 ECDHE-ECDSA with cred and common curve but no ECDSA cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .have_rsa_decrypt_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-ECDSA with cred and common curve but no cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_cert_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-ECDSA with cred and cert and common curve",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_cert_cred = 1,
+ .have_ecc_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-ECDSA with cred and multiple certs and common curve",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_cert_cred = 1,
+ .have_ecc_sign_cert = 1,
+ .have_rsa_sign_cert = 1,
+ .have_rsa_decrypt_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.0" },
- {
- .name = "TLS 1.0 ECDHE-PSK without cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 ECDHE-PSK with cred but no common curve",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_psk_cred = 1,
- .server_prio =
- "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
- .client_prio =
- "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1"},
- {
- .name = "TLS 1.0 ECDHE-PSK with cred and common curve",
- .client_ret = 0,
- .server_ret = 0,
- .have_psk_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 RSA-PSK without cert cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .have_psk_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 RSA-PSK without psk cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_psk_cred = 0,
- .have_cert_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 RSA-PSK with cred but invalid cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_psk_cred = 1,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .have_ecc_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 RSA-PSK with cred",
- .server_ret = 0,
- .client_ret = 0,
- .have_psk_cred = 1,
- .have_cert_cred = 1,
- .have_rsa_decrypt_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 RSA-PSK with cred and multiple certs",
- .server_ret = 0,
- .client_ret = 0,
- .have_psk_cred = 1,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .have_ecc_sign_cert = 1,
- .have_rsa_decrypt_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0"},
+ { .name = "TLS 1.0 ECDHE-PSK without cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 ECDHE-PSK with cred but no common curve",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_psk_cred = 1,
+ .server_prio =
+ "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP256R1",
+ .client_prio =
+ "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0:-CURVE-ALL:+CURVE-SECP384R1" },
+ { .name = "TLS 1.0 ECDHE-PSK with cred and common curve",
+ .client_ret = 0,
+ .server_ret = 0,
+ .have_psk_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+ECDHE-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 RSA-PSK without cert cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .have_psk_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 RSA-PSK without psk cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_psk_cred = 0,
+ .have_cert_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 RSA-PSK with cred but invalid cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_psk_cred = 1,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 RSA-PSK with cred",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_psk_cred = 1,
+ .have_cert_cred = 1,
+ .have_rsa_decrypt_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 RSA-PSK with cred and multiple certs",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_psk_cred = 1,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .have_rsa_decrypt_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+RSA-PSK:-VERS-ALL:+VERS-TLS1.0" },
#ifdef ENABLE_SRP
- {
- .name = "TLS 1.0 SRP-RSA without cert cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .have_srp_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 SRP-RSA without srp cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_srp_cred = 0,
- .have_cert_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 SRP-RSA with cred but invalid cert",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
- .have_srp_cred = 1,
- .have_cert_cred = 1,
- .have_rsa_decrypt_cert = 1,
- .have_ecc_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 SRP-RSA with cred",
- .server_ret = 0,
- .client_ret = 0,
- .have_srp_cred = 1,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 SRP-RSA with cred and multiple certs",
- .server_ret = 0,
- .client_ret = 0,
- .have_srp_cred = 1,
- .have_cert_cred = 1,
- .have_rsa_sign_cert = 1,
- .have_ecc_sign_cert = 1,
- .have_rsa_decrypt_cert = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 SRP without srp cred",
- .client_ret = GNUTLS_E_AGAIN,
- .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
- .have_srp_cred = 0,
- .have_cert_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0"},
- {
- .name = "TLS 1.0 SRP with cred",
- .server_ret = 0,
- .client_ret = 0,
- .have_srp_cred = 1,
- .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0",
- .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0"}
+ { .name = "TLS 1.0 SRP-RSA without cert cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .have_srp_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 SRP-RSA without srp cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_srp_cred = 0,
+ .have_cert_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 SRP-RSA with cred but invalid cert",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_NO_CIPHER_SUITES,
+ .have_srp_cred = 1,
+ .have_cert_cred = 1,
+ .have_rsa_decrypt_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 SRP-RSA with cred",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_srp_cred = 1,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 SRP-RSA with cred and multiple certs",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_srp_cred = 1,
+ .have_cert_cred = 1,
+ .have_rsa_sign_cert = 1,
+ .have_ecc_sign_cert = 1,
+ .have_rsa_decrypt_cert = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP-RSA:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 SRP without srp cred",
+ .client_ret = GNUTLS_E_AGAIN,
+ .server_ret = GNUTLS_E_INSUFFICIENT_CREDENTIALS,
+ .have_srp_cred = 0,
+ .have_cert_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0" },
+ { .name = "TLS 1.0 SRP with cred",
+ .server_ret = 0,
+ .client_ret = 0,
+ .have_srp_cred = 1,
+ .server_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0",
+ .client_prio = "NORMAL:-KX-ALL:+SRP:-VERS-ALL:+VERS-TLS1.0" }
#endif
};
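Review bot: The three entries that set credentials but no DH parameters ("ANON-DH with cred but no DH params", "DHE-RSA with cred and cert but no DH params", "DHE-PSK with cred but no DH params") expect `.client_ret = 0` and `.server_ret = 0`, and nothing in the table says why a DHE handshake should succeed without server-side parameters. A one-line comment above each would keep a later reader from "correcting" the expectation, for example `/* no DH params set: handshake must still succeed, presumably via a built-in or negotiated FFDHE group; confirm against server-kx-neg-common.c */`. Separately, the name `"TLS 1.0 DHE-PSK with cred DH params"` is missing the "and" that its ANON-DH and DHE-RSA siblings have, which makes the case harder to find by name in test output.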