tests: added negative tests for RSA-PSS key exchange

Relates #400 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-03-07 12:52:46 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2018-03-09 17:02:23 +0100
commit: 28e65c00ae7092c67f1fe0a86b87cd55a1d9a630 (patch)
tree: a562576f2d5fd3e0024a8be32fa1b4282986550e
parent: 51d21634c9329463a8d7def24550ef268bc9b88c (diff)
download: gnutls-28e65c00ae7092c67f1fe0a86b87cd55a1d9a630.tar.gz
5 files changed, 141 insertions, 3 deletions
diff --git a/tests/common-cert-key-exchange.c b/tests/common-cert-key-exchange.c
index ed79973bfe..3f3ce085f5 100644
--- a/tests/common-cert-key-exchange.c
+++ b/tests/common-cert-key-exchange.c
@@ -49,6 +49,94 @@ static void tls_log_func(int level, const char *str)
 
 #define MSG "hello there ppl"
 
+void try_with_key_fail(const char *name, const char *client_prio,
+			int server_err, int client_err,
+			const gnutls_datum_t *serv_cert,
+			const gnutls_datum_t *serv_key,
+			const gnutls_datum_t *cli_cert,
+			const gnutls_datum_t *cli_key)
+{
+	int ret;
+	/* Server stuff. */
+	gnutls_certificate_credentials_t serverx509cred;
+	gnutls_session_t server;
+	int sret = GNUTLS_E_AGAIN;
+	/* Client stuff. */
+	gnutls_certificate_credentials_t clientx509cred;
+	gnutls_session_t client;
+	int cret = GNUTLS_E_AGAIN;
+	const char *err;
+
+	/* General init. */
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(6);
+
+	reset_buffers();
+	/* Init server */
+	gnutls_certificate_allocate_credentials(&serverx509cred);
+
+	ret = gnutls_certificate_set_x509_key_mem(serverx509cred,
+						  serv_cert, serv_key,
+						  GNUTLS_X509_FMT_PEM);
+	if (ret < 0)
+		fail("Could not set key/cert: %s\n", gnutls_strerror(ret));
+
+	gnutls_init(&server, GNUTLS_SERVER);
+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+			       serverx509cred);
+
+
+	if (server_priority)
+		assert(gnutls_priority_set_direct(server, server_priority, NULL) >= 0);
+	else
+		assert(gnutls_priority_set_direct(server, client_prio, NULL) >= 0);
+
+	gnutls_transport_set_push_function(server, server_push);
+	gnutls_transport_set_pull_function(server, server_pull);
+	gnutls_transport_set_ptr(server, server);
+
+	/* Init client */
+	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+	if (ret < 0)
+		exit(1);
+
+	if (cli_cert) {
+		gnutls_certificate_set_x509_key_mem(clientx509cred,
+						    cli_cert, cli_key,
+						    GNUTLS_X509_FMT_PEM);
+		gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
+	}
+
+	ret = gnutls_init(&client, GNUTLS_CLIENT);
+	if (ret < 0)
+		exit(1);
+
+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+				clientx509cred);
+	if (ret < 0)
+		exit(1);
+
+	gnutls_transport_set_push_function(client, client_push);
+	gnutls_transport_set_pull_function(client, client_pull);
+	gnutls_transport_set_ptr(client, client);
+
+	ret = gnutls_priority_set_direct(client, client_prio, &err);
+	if (ret < 0) {
+		if (ret == GNUTLS_E_INVALID_REQUEST)
+			fprintf(stderr, "Error in %s\n", err);
+		exit(1);
+	}
+	success("negotiating %s\n", name);
+	HANDSHAKE_EXPECT(client, server, client_err, server_err);
+
+	gnutls_deinit(client);
+	gnutls_deinit(server);
+
+	gnutls_certificate_free_credentials(serverx509cred);
+	gnutls_certificate_free_credentials(clientx509cred);
+}
+
 void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algorithm_t client_kx,
 		gnutls_sign_algorithm_t server_sign_algo,
 		gnutls_sign_algorithm_t client_sign_algo,
diff --git a/tests/common-cert-key-exchange.h b/tests/common-cert-key-exchange.h
index 47e3738900..b52c95ea72 100644
--- a/tests/common-cert-key-exchange.h
+++ b/tests/common-cert-key-exchange.h
@@ -67,6 +67,13 @@ void try_with_key(const char *name, const char *client_prio, gnutls_kx_algorithm
 			       serv_cert, serv_key, cli_cert, cli_key, client_cert, 0);
 }
 
+void try_with_key_fail(const char *name, const char *client_prio,
+			int server_err, int client_err,
+			const gnutls_datum_t *serv_cert,
+			const gnutls_datum_t *serv_key,
+			const gnutls_datum_t *cli_cert,
+			const gnutls_datum_t *cli_key);
+
 #define dtls_try(name, client_prio, client_kx, server_sign_algo, client_sign_algo) \
 	dtls_try_with_key(name, client_prio, client_kx, server_sign_algo, client_sign_algo, \
 		&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL, 0)
diff --git a/tests/tls11-cert-key-exchange.c b/tests/tls11-cert-key-exchange.c
index 410126fc74..860574afdc 100644
--- a/tests/tls11-cert-key-exchange.c
+++ b/tests/tls11-cert-key-exchange.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2018 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -62,5 +62,12 @@ void doit(void)
 	try_with_key("TLS 1.1 with ecdhe ecdsa cert", "NORMAL:-VERS-ALL:+VERS-TLS1.1:-KX-ALL:+ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, GNUTLS_SIGN_UNKNOWN, GNUTLS_SIGN_UNKNOWN,
 		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_cert, &cli_ca3_key, ASK_CERT);
 
+	/* illegal setups */
+	server_priority = NULL;
+	try_with_key_fail("TLS 1.1 with rsa-pss cert and no cli cert",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.1:-KX-ALL:+DHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_UNWANTED_ALGORITHM, GNUTLS_E_AGAIN,
+			&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, NULL, NULL);
+
 	gnutls_global_deinit();
 }
diff --git a/tests/tls12-cert-key-exchange.c b/tests/tls12-cert-key-exchange.c
index 5a7eade47b..bdfd91f72f 100644
--- a/tests/tls12-cert-key-exchange.c
+++ b/tests/tls12-cert-key-exchange.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2018 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -84,5 +84,23 @@ void doit(void)
 	try_with_key("TLS 1.2 with ecdhe ecdsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, GNUTLS_SIGN_ECDSA_SHA256, GNUTLS_SIGN_UNKNOWN, 
 		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_cert, &cli_ca3_key, ASK_CERT);
 
+	/* illegal setups */
+	server_priority = "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA";
+	try_with_key_fail("TLS 1.2 with rsa cert and only RSA-PSS sig algos in client",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
+			&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL);
+
+	server_priority = NULL;
+	try_with_key_fail("TLS 1.2 with rsa cert and only RSA-PSS sig algos",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
+			&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL);
+
+	try_with_key_fail("TLS 1.2 with rsa-pss cert and rsa cli cert with only RSA-PSS sig algos",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_AGAIN, GNUTLS_E_UNWANTED_ALGORITHM,
+			&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &cli_ca3_cert, &cli_ca3_key);
+
 	gnutls_global_deinit();
 }
diff --git a/tests/tls13-cert-key-exchange.c b/tests/tls13-cert-key-exchange.c
index 91e73cba77..5cf60a7189 100644
--- a/tests/tls13-cert-key-exchange.c
+++ b/tests/tls13-cert-key-exchange.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2018 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -97,5 +97,23 @@ void doit(void)
 	try("TLS 1.2 fallback with secp521r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-GROUP-ALL:+GROUP-SECP521R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_UNKNOWN);
 	try("TLS 1.2 fallback with ffdhe2048 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:-KX-ALL:+DHE-RSA:-GROUP-ALL:+GROUP-FFDHE2048", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_UNKNOWN);
 
+	/* illegal setups */
+	server_priority = "NORMAL:-VERS-ALL:+VERS-TLS1.3";
+	try_with_key_fail("TLS 1.3 with rsa cert and only RSA-PSS sig algos in client",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
+			&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL);
+
+	server_priority = NULL;
+	try_with_key_fail("TLS 1.3 with rsa cert and only RSA-PSS sig algos",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
+			&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL);
+
+	try_with_key_fail("TLS 1.3 with rsa-pss cert and rsa cli cert with only RSA-PSS sig algos",
+			"NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+			GNUTLS_E_AGAIN, GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY,
+			&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &cli_ca3_cert, &cli_ca3_key);
+
 	gnutls_global_deinit();
 }
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-03-07 12:52:46 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2018-03-09 17:02:23 +0100
commit	28e65c00ae7092c67f1fe0a86b87cd55a1d9a630 (patch)
tree	a562576f2d5fd3e0024a8be32fa1b4282986550e
parent	51d21634c9329463a8d7def24550ef268bc9b88c (diff)
download	gnutls-28e65c00ae7092c67f1fe0a86b87cd55a1d9a630.tar.gz