diff options
| author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-07-14 22:27:50 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-07-15 08:06:44 +0200 |
| commit | b3ca79d87ad1f324996a63a4b277649fbe53d2ee (patch) | |
| tree | 105fe031a2de8843295b91a79ec7d1043893bec3 | |
| parent | 67d2bb911c3882f7fb7fbfaec9cadd77a08e30b7 (diff) | |
| download | gnutls-b3ca79d87ad1f324996a63a4b277649fbe53d2ee.tar.gz | |
Fixed alerts returned on TLS1.3 corner cases
This enables the tls-fuzzer tests 'test-tls13-certificate-verify.py'.
Resolves: #682
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| -rw-r--r-- | lib/alert.c | 1 | ||||
| -rw-r--r-- | lib/tls13-sig.c | 2 | ||||
| -rw-r--r-- | lib/tls13/certificate_verify.c | 2 | ||||
| -rw-r--r-- | tests/suite/tls-fuzzer/gnutls-cert.json | 23 |
4 files changed, 26 insertions, 2 deletions
diff --git a/lib/alert.c b/lib/alert.c index 047c976d1b..cfd1205d01 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -227,6 +227,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_PK_INVALID_PUBKEY: case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: case GNUTLS_E_RECEIVED_DISALLOWED_NAME: + case GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY: ret = GNUTLS_A_ILLEGAL_PARAMETER; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c index aee15eaf87..61f9d58209 100644 --- a/lib/tls13-sig.c +++ b/lib/tls13-sig.c @@ -72,7 +72,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session, ret = _gnutls_session_sign_algo_enabled(session, se->id); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); if (se->tls13_ok == 0) /* explicitly prohibited */ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index 7300f88f5d..6c3617c026 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -85,7 +85,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], get_version(session)); if (se == NULL) { _gnutls_handshake_log("Found unsupported signature (%d.%d)\n", (int)buf.data[0], (int)buf.data[1]); - ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); + ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); goto cleanup; } diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json index c2b28c5569..f0443d8a7d 100644 --- a/tests/suite/tls-fuzzer/gnutls-cert.json +++ b/tests/suite/tls-fuzzer/gnutls-cert.json @@ -9,6 +9,20 @@ "server_hostname": "localhost", "server_port": @PORT@, "tests" : [ + {"name" : "test-tls13-certificate-verify.py", + "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)", + "arguments" : ["-k", "tests/clientX509Key.pem", + "-c", "tests/clientX509Cert.pem", + "-n", "10", + "-e", "check sigalgs in cert request", + "-p", "@PORT@"]}, + {"name" : "test-tls13-certificate-verify.py", + "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)", + "arguments" : ["-k", "tests/clientRSAPSSKey.pem", + "-c", "tests/clientRSAPSSCert.pem", + "-n", "10", + "-e", "check sigalgs in cert request", + "-p", "@PORT@"]}, {"name": "test-rsa-sigs-on-certificate-verify.py", "arguments" : ["-k", "tests/clientX509Key.pem", "-c", "tests/clientX509Cert.pem", @@ -45,6 +59,15 @@ "-n", "100", "-p", "@PORT@"] }, + {"name" : "test-rsa-pss-sigs-on-certificate-verify.py", + "comment": "tlsfuzzer doesn't know ed25519 scheme which we advertise", + "arguments" : ["-k", "tests/clientRSAPSSKey.pem", + "-c", "tests/clientRSAPSSCert.pem", + "-e", "check CertificateRequest sigalgs", + "--illegpar", + "-n", "100", + "-p", "@PORT@"] + }, {"name": "test-certificate-malformed.py", "comment" : "tlsfuzzer doesn't like the alerts we send", "arguments" : ["-k", "tests/clientX509Key.pem", |