author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2020-01-26 12:37:38 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2020-01-26 12:37:38 +0000 |
commit | 92052ce87c8bce74aa622cbd68778e29b8450545 (patch) | |
tree | 815149721ce119cb9566760ddd667473eaba95bc | |
parent | a963369e626b7fac7e86b9577570a065b885e053 (diff) | |
parent | 989bc92439b7ed4e83309071738fc8ffd56718df (diff) | |
download | gnutls-92052ce87c8bce74aa622cbd68778e29b8450545.tar.gz |
Merge branch 'tmp-update-tlsfuzzer' into 'master'
tlsfuzzer: updated to latest upstream
Closes #907
See merge request gnutls/gnutls!1179
-rw-r--r-- | lib/ext/key_share.c | 20 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-cert.json | 27 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-tls13.json | 36 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 31 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh | 2 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh | 4 | ||||
m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 | ||||
m--------- | tests/suite/tls-fuzzer/tlslite-ng | 0 |
8 files changed, 86 insertions, 34 deletions
diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c index 41dd1b7326..ab8abf8fe6 100644 --- a/lib/ext/key_share.c +++ b/lib/ext/key_share.c @@ -148,17 +148,17 @@ static int client_gen_key_share(gnutls_session_t session, const gnutls_group_ent ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G], group->generator->data, group->generator->size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P], group->prime->data, group->prime->size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q], group->q->data, group->q->size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); session->key.kshare.dh_params.algo = group->pk; session->key.kshare.dh_params.dh_group = group->id; /* no curve in FFDH, we write the group */ @@ -354,17 +354,17 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_G], group->generator->data, group->generator->size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_P], group->prime->data, group->prime->size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ret = _gnutls_mpi_init_scan_nz(&session->key.kshare.dh_params.params[DH_Q], group->q->data, group->q->size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); session->key.kshare.dh_params.algo = GNUTLS_PK_DH; session->key.kshare.dh_params.qbits = *group->q_bits; 
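Review bot: The three `_gnutls_mpi_init_scan_nz()` calls in `client_gen_key_share` load `group->generator`, `group->prime` and `group->q`, which appear to come from the local group entry rather than from the peer, so a failure there is now reported as `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER` although nothing was received. The three identical replacements in the `server_use_key_share` hunk at -354 have the same problem. Discarding `ret` also hides whatever the helper actually returned (its body is not in this diff; presumably an allocation or scan failure), so a local fault would be logged and signalled as a misbehaving peer. I would keep `return gnutls_assert_val(ret);` for these group constants and reserve the new code for the scan of the peer's `DH_Y` in the later hunks. Both functions begin and end outside the hunks.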
@@ -381,7 +381,7 @@ server_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou ret = _gnutls_mpi_init_scan_nz(&pub.params[DH_Y], data, data_size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); pub.algo = group->pk; @@ -489,7 +489,7 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou ret = _gnutls_mpi_init_scan_nz(&pub.params[DH_Y], data, data_size); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); pub.algo = group->pk; @@ -599,7 +599,7 @@ key_share_recv_params(gnutls_session_t session, if (_gnutls_ext_get_msg(session) == GNUTLS_EXT_FLAG_HRR) { if (unlikely(!(session->internals.hsk_flags & HSK_HRR_RECEIVED))) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); DECR_LEN(data_size, 2); gid = _gnutls_read_uint16(data); @@ -692,7 +692,7 @@ key_share_send_params(gnutls_session_t session, if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */ group = get_group(session); if (unlikely(group == NULL)) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); ret = client_gen_key_share(session, group, extdata); if (ret == GNUTLS_E_INT_RET_0) diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json index f0443d8a7d..7a5af26e53 100644 --- a/tests/suite/tls-fuzzer/gnutls-cert.json +++ b/tests/suite/tls-fuzzer/gnutls-cert.json @@ -2,7 +2,7 @@ {"server_command": ["@SERVER@", "--http", "--x509keyfile", "tests/serverX509Key.pem", "--x509certfile", "tests/serverX509Cert.pem", - "--debug=4", + "--debug=6", "--priority=@PRIORITY@", "--port=@PORT@"], "environment": {"PYTHONPATH" : "."}, 
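Review bot: The `DH_Y` scan in `server_use_key_share` (and the same line in the `client_use_key_share` hunk at -489) now maps every failure of `_gnutls_mpi_init_scan_nz()` to `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER`, including failures the peer did not cause. `data`/`data_size` is the peer's key share, so the new code fits a malformed or zero value, but if the helper can also fail on allocation (its body is not shown here) that condition would be reported as a protocol violation. Something like `return gnutls_assert_val(ret == GNUTLS_E_MEMORY_ERROR ? ret : GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);` keeps the two cases apart. Both functions continue outside the hunks.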
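Review bot: The `unlikely(!(session->internals.hsk_flags & HSK_HRR_RECEIVED))` check in `key_share_recv_params` used to report an internal inconsistency and now blames the peer, without a comment explaining the change. The `group == NULL` check in the `key_share_send_params` hunk at -692 is the same case. A reader cannot tell from these lines whether the state is reachable from peer input or only from a local bug, and the send path now returns a "received" error while building our own message. Please add a one-line comment at each site, for example `/* HRR-form key_share without a recorded HRR: peer-triggered, answer with illegal_parameter */` and `/* no group recorded from the HRR: treat as a bad HRR, not an internal fault */`, or keep `GNUTLS_E_INTERNAL_ERROR` where the condition really is local. Both functions extend beyond the hunks.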
@@ -10,16 +10,20 @@ "server_port": @PORT@, "tests" : [ {"name" : "test-tls13-certificate-verify.py", + "comment" : "tlsfuzzer doesn't like our status request (see #633)", + "exp_pass" : false, "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)", "arguments" : ["-k", "tests/clientX509Key.pem", "-c", "tests/clientX509Cert.pem", "-n", "10", "-e", "check sigalgs in cert request", "-p", "@PORT@"]}, - {"name" : "test-tls13-certificate-verify.py", + {"name" : "test-tls13-ecdsa-in-certificate-verify.py", + "comment" : "tlsfuzzer doesn't like our status request (see #633)", + "exp_pass" : false, "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)", - "arguments" : ["-k", "tests/clientRSAPSSKey.pem", - "-c", "tests/clientRSAPSSCert.pem", + "arguments" : ["-k", "tests/serverECKey.pem", + "-c", "tests/serverECCert.pem", "-n", "10", "-e", "check sigalgs in cert request", "-p", "@PORT@"]}, @@ -33,6 +37,18 @@ "-c", "tests/clientX509Cert.pem", "-p", "@PORT@"] }, + {"name" : "test-ecdsa-in-certificate-verify.py", + "comment" : "we don't support sha224; we send illegal_parameter instead of handshake_failure in md5+ecdsa", + "arguments" : ["-k", "tests/serverECKey.pem", + "-c", "tests/serverECCert.pem", + "-e", "make sha224+ecdsa signature in CertificateVerify", + "-e", "make sha224+ecdsa signature, advertise it as sha1+ecdsa in CertificateVerify", + "-e", "make sha224+ecdsa signature, advertise it as sha256+ecdsa in CertificateVerify", + "-e", "make sha224+ecdsa signature, advertise it as sha384+ecdsa in CertificateVerify", + "-e", "make sha224+ecdsa signature, advertise it as sha512+ecdsa in CertificateVerify", + "-e", "md5+ecdsa forced", + "-p", "@PORT@"] + }, {"name" : "test-certificate-verify-malformed.py", "arguments" : ["-k", "tests/clientX509Key.pem", "-c", "tests/clientX509Cert.pem", 
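Review bot: Both objects touched in this hunk (`test-tls13-certificate-verify.py` and `test-tls13-ecdsa-in-certificate-verify.py`) now carry two `"comment"` members, the added one about the status request and the existing one about the algorithm set. Duplicate names in a JSON object are not portable: most parsers silently keep the last one, so the new `(see #633)` explanation for `"exp_pass" : false` is likely dropped on load, and a strict parser may reject the file. Merge them into a single member, e.g. `"comment" : "tlsfuzzer doesn't like our status request (see #633) or our set of algorithms (e.g., ed25519)",`.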
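Review bot: The `-e "md5+ecdsa forced"` exclusion in the new `test-ecdsa-in-certificate-verify.py` entry removes this entry's only check that a forced MD5 signature is refused. The comment says the server does refuse it, only with illegal_parameter instead of handshake_failure, so the exclusion covers an alert mismatch while also dropping the rejection coverage. The comment should point to a tracking item so the exclusion can be lifted later, as the `(see #633)` comments elsewhere in this file do, e.g. `"comment" : "we don't support sha224; md5+ecdsa is rejected with illegal_parameter instead of handshake_failure (see #<issue>)"`.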
@@ -44,10 +60,11 @@ "-p", "@PORT@"] }, {"name" : "test-certificate-request.py", - "comment" : "tlsfuzzer doesn't like our set of algorithms", + "comment" : "tlsfuzzer doesn't like our set of algorithms or supported cert types", "arguments" : ["-k", "tests/clientX509Key.pem", "-c", "tests/clientX509Cert.pem", "-e", "check sigalgs in cert request", + "-e", "check cert types in cert request", "-p", "@PORT@"] }, {"name" : "test-rsa-pss-sigs-on-certificate-verify.py", diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json index e293b1ce78..0bf5be4bea 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json @@ -4,9 +4,13 @@ "--x509certfile", "tests/serverX509Cert.pem", "--x509keyfile", "tests/serverRSAPSSKey.pem", "--x509certfile", "tests/serverRSAPSSCert.pem", - "--x509keyfile", "../../../certs/ecc256.pem", - "--x509certfile", "../../../certs/cert-ecc256.pem", - "--debug=3", + "--x509keyfile", "tests/serverECKey.pem", + "--x509certfile", "tests/serverECCert.pem", + "--x509keyfile", "tests/serverP384ECKey.pem", + "--x509certfile", "tests/serverP384ECCert.pem", + "--x509keyfile", "tests/serverP521ECKey.pem", + "--x509certfile", "tests/serverP521ECCert.pem", + "--debug=6", "--httpdata=../http.dat", "--priority=@PRIORITY@", "--disable-client-cert", "--port=@PORT@"], 
@@ -52,9 +56,21 @@ "comment": "We do not support x448", "arguments": ["-p", "@PORT@", "-e", "TLS 1.3 with x448", - "-n", "5"]}, + "-n", "4"]}, + {"name" : "test-tls13-ecdhe-curves.py", + "arguments": ["-p", "@PORT@"]}, + {"name" : "test-tls13-ecdsa-support.py", + "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-empty-alert.py", "arguments": ["-p", "@PORT@"]}, + {"name" : "test-tls13-ffdhe-groups.py", + "comment" : "We do not check for duplicate entries", + "arguments": ["-p", "@PORT@", + "-e", "ffdhe2048 - duplicated key share entry", + "-e", "ffdhe3072 - duplicated key share entry", + "-e", "ffdhe4096 - duplicated key share entry", + "-e", "ffdhe6144 - duplicated key share entry", + "-e", "ffdhe8192 - duplicated key share entry"]}, {"name" : "test-tls13-ffdhe-sanity.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-finished.py", @@ -68,6 +84,16 @@ "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-keyshare-omitted.py", "arguments": ["-p", "@PORT@"]}, + {"name" : "test-tls13-keyupdate.py", + "comment" : "we have limits that prohibit the running multiple messages test; app data split timeouts waiting for new session ticket", + "arguments": ["-p", "@PORT@", + "-e", "app data split, conversation with KeyUpdate msg", + "-e", "multiple KeyUpdate messages"]}, + {"name" : "test-tls13-large-number-of-extensions.py", + "comment" : "This test assumes that 22 (EtM) is unassigned which is incorrect - see #632", + "arguments": ["-p", "@PORT@", + "-e", "empty unassigned extensions, ids in range from 2 to 4118", + "-e", "unassigned extensions with random payload, ids in range from 2 to 1046"]}, {"name" : "test-tls13-legacy-version.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-nociphers.py", 
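Review bot: The five `duplicated key share entry` exclusions added for `test-tls13-ffdhe-groups.py` record a known gap in handling peer input ("We do not check for duplicate entries") without any issue reference, unlike the `#632` and `#633` comments elsewhere in this commit. Without a reference nothing ties the exclusion to a decision on whether the server should reject such a ClientHello, and the list will need manual extension if upstream adds groups. I would extend the comment to `"comment" : "We do not check for duplicate entries (see #<issue>)"` and, if accepting duplicates is intentional, say so there.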
@@ -75,8 +101,6 @@ {"name" : "test-tls13-non-support.py", "arguments": ["-p", "@PORT@"], "exp_pass" : false}, - {"name" : "test-tls13-obsolete-curves.py", - "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-pkcs-signature.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-record-padding.py", diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json index bef461789f..2a6f47d68d 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json @@ -2,9 +2,13 @@ {"server_command": ["@SERVER@", "--http", "--x509keyfile", "tests/serverX509Key.pem", "--x509certfile", "tests/serverX509Cert.pem", - "--x509keyfile", "../../../certs/ecc256.pem", - "--x509certfile", "../../../certs/cert-ecc256.pem", - "--debug=3", + "--x509keyfile", "tests/serverECKey.pem", + "--x509certfile", "tests/serverECCert.pem", + "--x509keyfile", "tests/serverP384ECKey.pem", + "--x509certfile", "tests/serverP384ECCert.pem", + "--x509keyfile", "tests/serverP521ECKey.pem", + "--x509certfile", "tests/serverP521ECCert.pem", + "--debug=6", "--noticket", "--httpdata=../http.dat", "--priority=@PRIORITY@", @@ -13,7 +17,8 @@ "server_port": @PORT@, "tests" : [ {"name" : "test-fuzzed-plaintext.py", - "arguments" : ["-p", "@PORT@"] }, + "arguments" : ["-p", "@PORT@", + "-n", "4"] }, {"name" : "test-large-hello.py", "arguments" : [ "-p", "@PORT@", @@ -31,7 +36,9 @@ "fragmented, padding ext 65354 bytes", "fragmented, padding ext 16213 bytes"]}, {"name" : "test-ecdsa-sig-flexibility.py", - "arguments" : ["-p", "@PORT@"] }, + "comment" : "we do not support SHA224", + "arguments" : ["-p", "@PORT@", + "-e", "connect with sha224+ecdsa only"] }, {"name" : "test-encrypt-then-mac.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ocsp-stapling.py", 
@@ -64,11 +71,13 @@ "arguments" : ["-p", "@PORT@"] }, {"name" : "test-aes-gcm-nonces.py", "arguments" : ["-p", "@PORT@"] }, + {"name" : "test-aesccm.py", + "arguments" : ["-p", "@PORT@"] }, {"name" : "test-atypical-padding.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-bleichenbacher-workaround.py", "arguments" : ["-p", "@PORT@", - "-n", "20"] + "-n", "5"] }, {"name" : "test-clienthello-md5.py", "arguments" : ["-p", "@PORT@"] }, @@ -79,6 +88,8 @@ "-e", "100: IE 6 on XP"]}, {"name" : "test-conversation.py", "arguments" : ["-p", "@PORT@"] }, + {"name" : "test-no-heartbeat.py", + "arguments" : ["-p", "@PORT@"] }, {"name" : "test-client-hello-max-size.py", "comment" : "FIXME: we fail with: Handshake buffer length is 131400 (max: 131072)", "arguments" : ["-p", "@PORT@", @@ -101,7 +112,7 @@ "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0)", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - "-n", "6", + "-n", "5", "-z"]}, {"name" : "test-dhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, @@ -124,7 +135,7 @@ "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-z", - "-n", "6"]}, + "-n", "5"]}, {"name" : "test-ecdhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py", @@ -135,7 +146,7 @@ "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-z", - "-n", "6"]}, + "-n", "5"]}, {"name" : "test-empty-extensions.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-export-ciphers-rejected.py", @@ -264,7 +275,7 @@ "-e", "duplicated 2342 non-rsa schemes", "-e", "duplicated 8119 non-rsa schemes", "-e", "duplicated 23741 non-rsa schemes", - "-e", "duplicated 32748 non-rsa schemes", + "-e", "duplicated 32744 non-rsa schemes", "-e", "tolerance max (32764) number of methods"] }, {"name" : "test-sslv2-connection.py", 
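Review bot: The `test-bleichenbacher-workaround.py` entry drops from `"-n", "20"` to `"-n", "5"` without a `"comment"` giving the reason. If `-n` is the usual tlsfuzzer cap on how many conversations are sampled per run, each CI run now exercises a quarter of the previous padding-oracle probes. The hunks at -101, -124 and -135 make similar reductions from 6 to 5, and `test-fuzzed-plaintext.py` gains `"-n", "4"` in the hunk at -13. If the motive is run time, please record it in the entry, e.g. `"comment" : "sample size reduced to keep CI time bounded"`, so the reduced coverage is visibly deliberate.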
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh index 1b9b0f1765..f9268627a2 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert-tls13.sh @@ -21,7 +21,7 @@ srcdir="${srcdir:-.}" tls_fuzzer_prepare() { -PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1" +PRIORITY="NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+AES-128-CCM:+AES-256-CCM:+AES-128-CCM-8" sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert-tls13.json >${TMPFILE} } diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh index 6e6b809c57..5405fc936c 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh @@ -22,10 +22,10 @@ srcdir="${srcdir:-.}" tls_fuzzer_prepare() { VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0" -PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:+SHA384" +PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:+SHA384:+AES-128-CCM:+AES-256-CCM:+AES-128-CCM-8:+AES-256-CCM-8" ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1 if test $? != 0;then - PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:+SHA384" + PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:+SHA384:+AES-128-CCM:+AES-256-CCM:+AES-128-CCM-8:+AES-256-CCM-8" fi sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE} 
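Review bot: In `tls-fuzzer-nocert.sh` the new CCM suffix is pasted into both `PRIORITY=` assignments, the primary one and the fallback used when `--list` rejects it, so the two strings must be kept in step by hand. The sibling hunk in `tls-fuzzer-nocert-tls13.sh` already carries a shorter list without `+AES-256-CCM-8`, possibly on purpose but with no comment saying so. A shared variable avoids the drift: define `CCM="+AES-128-CCM:+AES-256-CCM:+AES-128-CCM-8:+AES-256-CCM-8"` once and end both assignments with `:${CCM}`. If the TLS 1.3 script's omission is intentional, a short comment above its `PRIORITY=` line would help. `tls_fuzzer_prepare` continues past the end of the nocert.sh hunk.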
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
-Subproject 3d57169c83e960597d7f90f4b837858d9530d7f
+Subproject ca536d11ac14da2deacbde95f3f0a70a5ce4211
diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng
-Subproject 029425144f6b26d5ab8acc3a79e3ead79253ad7
+Subproject bff8773e4309cc43dd6acf0a6d4623949f911fd |