authorNikos Mavrogiannopoulos <nmav@gnutls.org>2018-07-02 19:17:11 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-07-02 19:17:11 +0000
commitc2ff230b7dd941320c319bf340e5d9e968df75b0 (patch)
tree9e603d757e8f96c8196d7b2d57d77ab530e86f3e
parent71e10e56ee1e1105460fddd0fc3ed0df0bf1733c (diff)
parent78d45b1b79dded81e09fdb24b84fae1e353771cd (diff)
Merge branch 'tmp-fix-rsae-negotiation' into 'master'
sign_supports_cert_pk_algorithm: corrected check for RSAE-PSS Closes #500 See merge request gnutls/gnutls!693
-rw-r--r--lib/algorithms.h2
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert-tls13.json31
-rw-r--r--tests/suite/tls-fuzzer/gnutls-nocert.json1
m---------tests/suite/tls-fuzzer/tlsfuzzer0
-rw-r--r--tests/tls13-cert-key-exchange.c5
5 files changed, 34 insertions, 5 deletions
diff --git a/lib/algorithms.h b/lib/algorithms.h
index d105b3cd68..cff79348cb 100644
--- a/lib/algorithms.h
+++ b/lib/algorithms.h
@@ -374,7 +374,7 @@ sign_supports_priv_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algori
inline static unsigned
sign_supports_cert_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
{
- if (pk == se->pk || (se->cert_pk && se->cert_pk == pk))
+ if ((!se->cert_pk && pk == se->pk) || (se->cert_pk && se->cert_pk == pk))
return 1;
return 0;
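Review bot: The corrected condition in sign_supports_cert_pk_algorithm has no comment explaining that a non-zero `se->cert_pk` replaces `se->pk` as the only acceptable certificate key type, so the two-clause test is easy to collapse back into the old `pk == se->pk || ...` form during a later cleanup. I would add `/* if cert_pk is set, only that certificate key type is accepted; se->pk applies only when cert_pk is unset */` above the `if`. The same rule reads more directly as `return pk == (se->cert_pk ? se->cert_pk : se->pk);`, which would replace the `if`/`return 1`/`return 0` lines without changing the result. The function's closing brace is outside the hunk.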
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
index 8c73c904ce..89c8853c68 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -2,6 +2,8 @@
{"server_command": ["@SERVER@", "--http",
"--x509keyfile", "tests/serverX509Key.pem",
"--x509certfile", "tests/serverX509Cert.pem",
+ "--x509keyfile", "tests/serverRSAPSSKey.pem",
+ "--x509certfile", "tests/serverRSAPSSCert.pem",
"--x509keyfile", "../../../certs/ecc256.pem",
"--x509certfile", "../../../certs/cert-ecc256.pem",
"--debug=3",
@@ -10,6 +12,20 @@
"server_hostname": "localhost",
"server_port": @PORT@,
"tests" : [
+ {"name" : "test-tls13-legacy-version.py",
+ "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-tls13-empty-alert.py",
+ "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-tls13-hrr.py",
+ "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-tls13-nociphers.py",
+ "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-tls13-pkcs-signature.py",
+ "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-tls13-rsa-signatures.py",
+ "arguments": ["-p", "@PORT@", "-b"]},
+ {"name" : "test-tls13-rsapss-signatures.py",
+ "arguments": ["-p", "@PORT@", "-b"]},
{"name" : "test-tls13-conversation.py",
"arguments": ["-p", "@PORT@"]},
{"name" : "test-tls13-empty-alert.py",
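Review bot: The added `{"name" : "test-tls13-empty-alert.py", "arguments": ["-p", "@PORT@"]},` entry duplicates a test that is already in the list, since the unchanged context line closing this hunk names the same script. The existing entry's arguments fall outside the hunk, so I cannot confirm that the two are identical. If they are, the script simply runs twice against the same server and the added pair of lines can be dropped. If the second run is intentional, a `"comment"` key on the new entry should say what differs.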
@@ -27,11 +43,18 @@
{"name" : "test-tls13-version-negotiation.py",
"arguments": ["-p", "@PORT@"]},
{"name" : "test-tls13-zero-length-data.py",
- "comment" : "in these tests tlsfuzzer splits ClientHello into the first 2 bytes and the remainder, which gnutls doesn't support",
- "arguments": ["-e", "zero-length app data interleaved in handshake",
- "-p", "@PORT@",
+ "comment" : "in these tests tlsfuzzer splits ClientHello into the first 2 bytes and the remainder, which gnutls doesn't support, last 3 related to #481",
+ "arguments": ["-p", "@PORT@",
+ "-e", "zero-len app data with large padding during handshake",
+ "-e", "zero-len app data with large padding interleaved in handshake",
"-e", "zero-len app data with padding interleaved in handshake",
- "-e", "zero-len app data with large padding interleaved in handshake"]}
+ "-e", "zero-length app data during handshake",
+ "-e", "zero-length app data interleaved in handshake",
+ "-e", "zero-length app data with padding during handshake"]},
+ {"name" : "test-tls13-finished.py",
+ "arguments": ["-p", "@PORT@", "-n", "5"],
+ "exp_pass" : false,
+ "comment" : "we do not switch the keys early enough for this test see #481"}
]
}
]
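Review bot: The new comment on test-tls13-zero-length-data.py identifies the #481 exclusions by position ("last 3"), which does not match the `-e` list as written. The list is in alphabetical order, and its last three entries include "zero-length app data interleaved in handshake", which was already excluded before this change. Meanwhile the newly excluded "zero-len app data with large padding during handshake" is first. Presumably the three "during handshake" cases are the ones meant, and naming them that way in the comment, e.g. `the three 'during handshake' cases are excluded because of #481`, keeps the reason attached to the right tests if the list is reordered. Exclusions in a fuzzer suite that are tied to an open issue are the ones to lift when that issue closes, so it helps to name them unambiguously.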
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json
index e5b7a80b4c..6784511bf2 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert.json
@@ -9,6 +9,7 @@
"--priority=@PRIORITY@",
"--disable-client-cert", "--port=@PORT@"],
"tests" : [
+ {"name" : "test-fuzzed-plaintext.py"},
{"name" : "test-large-hello.py",
"arguments" : [
"two ext, #80 61384 bytes",
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
-Subproject 4609e91ad6ce4deff093fe51c3f702e5c110dde
+Subproject 65af9ab3615a14c59f579085e13fe5a4557a356
diff --git a/tests/tls13-cert-key-exchange.c b/tests/tls13-cert-key-exchange.c
index dc1e8ccb15..af97df8e4e 100644
--- a/tests/tls13-cert-key-exchange.c
+++ b/tests/tls13-cert-key-exchange.c
@@ -109,6 +109,11 @@ void doit(void)
GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL);
+ try_with_key_fail("TLS 1.3 with x25519 with rsa-pss cert and RSAE signatures",
+ "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384",
+ GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN,
+ &server_ca3_rsa_pss2_cert, &server_ca3_rsa_pss2_key, NULL, NULL);
+
server_priority = NULL;
try_with_key_fail("TLS 1.3 with rsa cert and only RSA-PSS sig algos",
"NORMAL:-VERS-ALL:+VERS-TLS1.3:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",