src/tls_test.c

   1 /*
   2  * Copyright (C) 2000-2012 Free Software Foundation, Inc.
   3  *
   4  * This file is part of GnuTLS.
   5  *
   6  * GnuTLS is free software: you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by
   8  * the Free Software Foundation, either version 3 of the License, or
   9  * (at your option) any later version.
  10  *
  11  * GnuTLS is distributed in the hope that it will be useful, but
  12  * WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU General Public License
  17  * along with this program.  If not, see
  18  * <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include <config.h>
  22 #include <stdio.h>
  23 #include <errno.h>
  24 #include <stdlib.h>
  25 #include <sys/types.h>
  26 #include <string.h>
  27 #include <gnutls/gnutls.h>
  28 #include <sys/time.h>
  29 #if HAVE_SYS_SOCKET_H
  30 # include <sys/socket.h>
  31 #elif HAVE_WS2TCPIP_H
  32 # include <ws2tcpip.h>
  33 #endif
  34 #include <tests.h>
  35 #include <common.h>
  36 #include <cli-debug-args.h>
  37 #include <socket.h>
  38
  39 /* Gnulib portability files. */
  40 #include <progname.h>
  41 #include <version-etc.h>
  42 #include "sockets.h"
  43
  44 static void cmd_parser (int argc, char **argv);
  45
  46 #define ERR(err,s) if (err==-1) {perror(s);return(1);}
  47 #define MAX_BUF 4096
  48
  49 /* global stuff here */
  50 int resume;
  51 const char *hostname = NULL;
  52 int port;
  53 int record_max_size;
  54 int fingerprint;
  55 static int debug = 0;
  56
  57 gnutls_srp_client_credentials_t srp_cred;
  58 gnutls_anon_client_credentials_t anon_cred;
  59 gnutls_certificate_credentials_t xcred;
  60
  61 /* end of global stuff */
  62
  63 unsigned int verbose = 0;
  64
  65 extern int tls1_ok;
  66 extern int tls1_1_ok;
  67 extern int ssl3_ok;
  68
  69 static void
  70 tls_log_func (int level, const char *str)
  71 {
  72   fprintf (stderr, "|<%d>| %s", level, str);
  73 }
  74
  75 typedef test_code_t (*TEST_FUNC) (gnutls_session_t);
  76
  77 typedef struct
  78 {
  79   const char *test_name;
  80   TEST_FUNC func;
  81   const char *suc_str;
  82   const char *fail_str;
  83   const char *unsure_str;
  84 } TLS_TEST;
  85
  86 static const TLS_TEST tls_tests[] = {
  87   {"for SSL 3.0 support", test_ssl3, "yes", "no", "dunno"},
  88   {"whether \%COMPAT is required", test_record_padding, "no", "yes", "dunno"},
  89   {"for TLS 1.0 support", test_tls1, "yes", "no", "dunno"},
  90   {"for TLS 1.1 support", test_tls1_1, "yes", "no", "dunno"},
  91   {"fallback from TLS 1.1 to", test_tls1_1_fallback, "TLS 1.0", "failed",
  92    "SSL 3.0"},
  93   {"for TLS 1.2 support", test_tls1_2, "yes", "no", "dunno"},
  94   /* The following tests will disable TLS 1.x if the server is
  95    * buggy */
  96   {"whether we need to disable TLS 1.2", test_tls_disable2, "no", "yes",
  97    "dunno"},
  98   {"whether we need to disable TLS 1.1", test_tls_disable1, "no", "yes",
  99    "dunno"},
 100   {"whether we need to disable TLS 1.0", test_tls_disable0, "no", "yes",
 101    "dunno"},
 102   {"for Safe renegotiation support", test_safe_renegotiation, "yes", "no",
 103    "dunno"},
 104   {"for Safe renegotiation support (SCSV)", test_safe_renegotiation_scsv,
 105    "yes", "no", "dunno"},
 106   {"for HTTPS server name", test_server, "", "failed", "not checked"},
 107   {"for version rollback bug in RSA PMS", test_rsa_pms, "no", "yes",
 108    "dunno"},
 109   {"for version rollback bug in Client Hello", test_version_rollback,
 110    "no", "yes", "dunno"},
 111
 112
 113   {"whether the server ignores the RSA PMS version",
 114    test_rsa_pms_version_check, "yes", "no", "dunno"},
 115   {"whether the server can accept Hello Extensions",
 116    test_hello_extension, "yes", "no", "dunno"},
 117   {"whether the server can accept small records (512 bytes)",
 118    test_small_records, "yes", "no", "dunno"},
 119   {"whether the server can accept cipher suites not in SSL 3.0 spec",
 120    test_unknown_ciphersuites, "yes", "no", "dunno"},
 121   {"whether the server can accept a bogus TLS record version in the client hello", test_version_oob, "yes", "no", "dunno"},
 122   {"for certificate information", test_certificate, "", "", ""},
 123   {"for trusted CAs", test_server_cas, "", "", ""},
 124   {"whether the server understands TLS closure alerts", test_bye, "yes",
 125    "no", "partially"},
 126   /* the fact that is after the closure alert test does matter.
 127    */
 128   {"whether the server supports session resumption",
 129    test_session_resume2, "yes", "no", "dunno"},
 130   {"for export-grade ciphersuite support", test_export, "yes", "no",
 131    "dunno"},
 132   {"RSA-export ciphersuite info", test_export_info, "", "N/A", "N/A"},
 133 #ifdef ENABLE_ANON
 134   {"for anonymous authentication support", test_anonymous, "yes", "no",
 135    "dunno"},
 136   {"anonymous Diffie-Hellman group info", test_dhe_group, "", "N/A",
 137    "N/A"},
 138 #endif
 139   {"for ephemeral Diffie-Hellman support", test_dhe, "yes", "no",
 140    "dunno"},
 141   {"ephemeral Diffie-Hellman group info", test_dhe_group, "", "N/A",
 142    "N/A"},
 143   {"for ephemeral EC Diffie-Hellman support", test_ecdhe, "yes", "no",
 144    "dunno"},
 145   {"ephemeral EC Diffie-Hellman group info", test_ecdhe_curve, "", "N/A",
 146    "N/A"},
 147   {"for AES-GCM cipher support", test_aes_gcm, "yes", "no",
 148    "dunno"},
 149   {"for AES-CBC cipher support", test_aes, "yes", "no",
 150    "dunno"},
 151   {"for CAMELLIA cipher support", test_camellia, "yes", "no",
 152    "dunno"},
 153   {"for 3DES-CBC cipher support", test_3des, "yes", "no", "dunno"},
 154   {"for ARCFOUR 128 cipher support", test_arcfour, "yes", "no", "dunno"},
 155   {"for ARCFOUR 40 cipher support", test_arcfour_40, "yes", "no",
 156    "dunno"},
 157   {"for MD5 MAC support", test_md5, "yes", "no", "dunno"},
 158   {"for SHA1 MAC support", test_sha, "yes", "no", "dunno"},
 159   {"for SHA256 MAC support", test_sha256, "yes", "no", "dunno"},
 160 #ifdef HAVE_LIBZ
 161   {"for ZLIB compression support", test_zlib, "yes",
 162    "no", "dunno"},
 163 #endif
 164   {"for max record size", test_max_record_size, "yes",
 165    "no", "dunno"},
 166   {"for OpenPGP authentication support", test_openpgp1,
 167    "yes", "no", "dunno"},
 168   {NULL, NULL, NULL, NULL, NULL}
 169 };
 170
 171 static int tt = 0;
 172 const char *ip;
 173
 174 int
 175 main (int argc, char **argv)
 176 {
 177   int err, ret;
 178   int sd, i;
 179   gnutls_session_t state;
 180   char buffer[MAX_BUF + 1];
 181   char portname[6];
 182   struct addrinfo hints, *res, *ptr;
 183
 184   set_program_name (argv[0]);
 185   cmd_parser(argc, argv);
 186
 187 #ifndef _WIN32
 188   signal (SIGPIPE, SIG_IGN);
 189 #endif
 190
 191   sockets_init ();
 192
 193   if (gnutls_global_init () < 0)
 194     {
 195       fprintf (stderr, "global state initialization error\n");
 196       exit (1);
 197     }
 198
 199   gnutls_global_set_log_function (tls_log_func);
 200   gnutls_global_set_log_level (debug);
 201
 202   printf ("Resolving '%s'...\n", hostname);
 203   /* get server name */
 204   memset (&hints, 0, sizeof (hints));
 205   hints.ai_socktype = SOCK_STREAM;
 206   hints.ai_flags = 0;
 207   snprintf (portname, sizeof (portname), "%d", port);
 208   if ((err = getaddrinfo (hostname, portname, &hints, &res)) != 0)
 209     {
 210       fprintf (stderr, "Cannot resolve %s: %s\n", hostname,
 211                gai_strerror (err));
 212       exit (1);
 213     }
 214
 215   /* X509 stuff */
 216   if (gnutls_certificate_allocate_credentials (&xcred) < 0)
 217     {                           /* space for 2 certificates */
 218       fprintf (stderr, "memory error\n");
 219       exit (1);
 220     }
 221
 222   /* SRP stuff */
 223 #ifdef ENABLE_SRP
 224   if (gnutls_srp_allocate_client_credentials (&srp_cred) < 0)
 225     {
 226       fprintf (stderr, "memory error\n");
 227       exit (1);
 228     }
 229 #endif
 230
 231 #ifdef ENABLE_ANON
 232   /* ANON stuff */
 233   if (gnutls_anon_allocate_client_credentials (&anon_cred) < 0)
 234     {
 235       fprintf (stderr, "memory error\n");
 236       exit (1);
 237     }
 238 #endif
 239
 240   i = 0;
 241
 242   do
 243     {
 244
 245       if (tls_tests[i].test_name == NULL)
 246         break;                  /* finished */
 247
 248       /* if neither of SSL3 and TLSv1 are supported, exit
 249        */
 250       if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0 && ssl3_ok == 0)
 251         {
 252           fprintf (stderr,
 253                    "\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n");
 254           break;
 255         }
 256
 257       sd = -1;
 258       for (ptr = res; ptr != NULL; ptr = ptr->ai_next)
 259         {
 260           sd = socket (ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
 261           if (sd == -1)
 262             {
 263               continue;
 264             }
 265
 266           getnameinfo (ptr->ai_addr, ptr->ai_addrlen, buffer, MAX_BUF,
 267                        NULL, 0, NI_NUMERICHOST);
 268           if (tt++ == 0)
 269             printf ("Connecting to '%s:%d'...\n", buffer, port);
 270           if ((err = connect (sd, ptr->ai_addr, ptr->ai_addrlen)) != 0)
 271             {
 272               close (sd);
 273               sd = -1;
 274               continue;
 275             }
 276         }
 277       ERR (err, "connect") gnutls_init (&state, GNUTLS_CLIENT);
 278       gnutls_transport_set_ptr (state, (gnutls_transport_ptr_t)
 279                                 gl_fd_to_handle (sd));
 280
 281       do
 282         {
 283           printf ("Checking %s...", tls_tests[i].test_name);
 284           fflush(stdout);
 285
 286           ret = tls_tests[i].func (state);
 287
 288           if (ret == TEST_SUCCEED)
 289             printf (" %s\n", tls_tests[i].suc_str);
 290           else if (ret == TEST_FAILED)
 291             printf (" %s\n", tls_tests[i].fail_str);
 292           else if (ret == TEST_UNSURE)
 293             printf (" %s\n", tls_tests[i].unsure_str);
 294           else if (ret == TEST_IGNORE)
 295             {
 296               printf (" N/A\n");
 297               i++;
 298             }
 299         }
 300       while (ret == TEST_IGNORE && tls_tests[i].test_name != NULL);
 301
 302       gnutls_deinit (state);
 303
 304       shutdown (sd, SHUT_RDWR); /* no more receptions */
 305       close (sd);
 306
 307       i++;
 308     }
 309   while (1);
 310
 311   freeaddrinfo (res);
 312
 313 #ifdef ENABLE_SRP
 314   gnutls_srp_free_client_credentials (srp_cred);
 315 #endif
 316   gnutls_certificate_free_credentials (xcred);
 317 #ifdef ENABLE_ANON
 318   gnutls_anon_free_client_credentials (anon_cred);
 319 #endif
 320   gnutls_global_deinit ();
 321
 322   return 0;
 323 }
 324
 325 static void cmd_parser (int argc, char **argv)
 326 {
 327   const char* rest = NULL;
 328   int optct = optionProcess( &gnutls_cli_debugOptions, argc, argv);
 329   argc -= optct;
 330   argv += optct;
 331
 332   if (rest == NULL && argc > 0)
 333     rest = argv[0];
 334
 335   if (HAVE_OPT(PORT))
 336     port = OPT_VALUE_PORT;
 337   else
 338     port = 443;
 339
 340   if (rest == NULL)
 341     hostname = "localhost";
 342   else
 343     hostname = rest;
 344
 345   if (HAVE_OPT(DEBUG))
 346     debug = OPT_VALUE_DEBUG;
 347
 348   if (HAVE_OPT(VERBOSE))
 349     verbose++;
 350
 351 }
 352
 353 void tls_test_version (void);
 354
 355 void
 356 tls_test_version (void)
 357 {
 358   const char *p = PACKAGE_NAME;
 359   if (strcmp (gnutls_check_version (NULL), PACKAGE_VERSION) != 0)
 360     p = PACKAGE_STRING;
 361   version_etc (stdout, "gnutls-cli-debug", p, gnutls_check_version (NULL),
 362                "Nikos Mavrogiannopoulos", (char *) NULL);
 363 }