diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-02 09:13:40 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-02-06 12:52:41 +0100 |
| commit | aaf286293050a4a2dbcd98d9eb2d69eca99c502a (patch) | |
| tree | b8e74a52a784152ebc2d733f999e66add9e30bb7 /tests | |
| parent | daf6650142f63c0f602b99c92ba941ff1d9f851c (diff) | |
| download | gnutls-aaf286293050a4a2dbcd98d9eb2d69eca99c502a.tar.gz | |
Fallback to TLS 1.2 when incompatible with signature certs are provided
This only takes into account certificates in the credentials structure.
If certificates are provided in a callback, these must be checked by
the provider. For that we assume that the credentials structure is
filled when associated with a session; if not then the fallback mechanism
will not work and the handshake will fail.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/common-cert-key-exchange.c | 57 | ||||
| -rw-r--r-- | tests/tls13-cert-key-exchange.c | 7 |
2 files changed, 34 insertions, 30 deletions
diff --git a/tests/common-cert-key-exchange.c b/tests/common-cert-key-exchange.c index 468475f846..c0c27a4064 100644 --- a/tests/common-cert-key-exchange.c +++ b/tests/common-cert-key-exchange.c @@ -74,7 +74,7 @@ void try_with_key_fail(const char *name, const char *client_prio, reset_buffers(); /* Init server */ - gnutls_certificate_allocate_credentials(&serverx509cred); + assert(gnutls_certificate_allocate_credentials(&serverx509cred)>=0); ret = gnutls_certificate_set_x509_key_mem(serverx509cred, serv_cert, serv_key, @@ -82,16 +82,15 @@ void try_with_key_fail(const char *name, const char *client_prio, if (ret < 0) fail("Could not set key/cert: %s\n", gnutls_strerror(ret)); - gnutls_init(&server, GNUTLS_SERVER); - gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, - serverx509cred); - - + assert(gnutls_init(&server, GNUTLS_SERVER)>=0); if (server_priority) assert(gnutls_priority_set_direct(server, server_priority, NULL) >= 0); else assert(gnutls_priority_set_direct(server, client_prio, NULL) >= 0); + assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, + serverx509cred)>=0); + gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); @@ -112,11 +111,6 @@ void try_with_key_fail(const char *name, const char *client_prio, if (ret < 0) exit(1); - ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, - clientx509cred); - if (ret < 0) - exit(1); - gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); gnutls_transport_set_ptr(client, client); @@ -127,6 +121,12 @@ void try_with_key_fail(const char *name, const char *client_prio, fprintf(stderr, "Error in %s\n", err); exit(1); } + + ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, + clientx509cred); + if (ret < 0) + exit(1); + success("negotiating %s\n", name); HANDSHAKE_EXPECT(client, server, client_err, server_err); @@ -173,8 +173,8 @@ void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algori reset_buffers(); /* Init server */ - gnutls_anon_allocate_server_credentials(&s_anoncred); - gnutls_certificate_allocate_credentials(&server_cred); + assert(gnutls_anon_allocate_server_credentials(&s_anoncred)>=0); + assert(gnutls_certificate_allocate_credentials(&server_cred)>=0); // Set server crt creds based on ctype switch (server_ctype) { @@ -201,11 +201,10 @@ void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algori gnutls_certificate_set_dh_params(server_cred, dh_params); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); - gnutls_init(&server, GNUTLS_SERVER | GNUTLS_ENABLE_RAWPK); - gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, - server_cred); - gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); - + assert(gnutls_init(&server, GNUTLS_SERVER | GNUTLS_ENABLE_RAWPK)>=0); + assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, + server_cred)>=0); + assert(gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred)>=0); if (server_priority) assert(gnutls_priority_set_direct(server, server_priority, NULL) >= 0); @@ -254,8 +253,8 @@ void try_with_key_ks(const char *name, const char *client_prio, gnutls_kx_algori exit(1); - gnutls_anon_allocate_client_credentials(&c_anoncred); - gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); + assert(gnutls_anon_allocate_client_credentials(&c_anoncred)>=0); + assert(gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred)>=0); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, client_cred); if (ret < 0) @@ -397,14 +396,14 @@ void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_ gnutls_certificate_set_dh_params(serverx509cred, dh_params); gnutls_anon_set_server_dh_params(s_anoncred, dh_params); - gnutls_init(&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK); - gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, - serverx509cred); - gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred); + assert(gnutls_init(&server, GNUTLS_SERVER|GNUTLS_DATAGRAM|GNUTLS_NONBLOCK)>=0); + assert(gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, + serverx509cred)>=0); + assert(gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred)>=0); - gnutls_priority_set_direct(server, - "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519", - NULL); + assert(gnutls_priority_set_direct(server, + "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519", + NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_pull_timeout_function(server, server_pull_timeout_func); @@ -440,8 +439,8 @@ void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_ if (ret < 0) exit(1); - gnutls_anon_allocate_client_credentials(&c_anoncred); - gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred); + assert(gnutls_anon_allocate_client_credentials(&c_anoncred)>=0); + assert(gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred)>=0); ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, clientx509cred); if (ret < 0) diff --git a/tests/tls13-cert-key-exchange.c b/tests/tls13-cert-key-exchange.c index 066c7d2fb0..3a214f9ad1 100644 --- a/tests/tls13-cert-key-exchange.c +++ b/tests/tls13-cert-key-exchange.c @@ -143,6 +143,11 @@ void doit(void) GNUTLS_E_NO_CIPHER_SUITES, GNUTLS_E_AGAIN, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, NULL, NULL); + try_with_key_fail("TLS 1.3 and TLS 1.2 with rsa encryption cert", + "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2", + GNUTLS_E_SUCCESS, GNUTLS_E_SUCCESS, + &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key, NULL, NULL); + try_with_key_fail("TLS 1.3 with (forced) rsa encryption cert - client should detect", "NORMAL:-VERS-ALL:+VERS-TLS1.3:%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS", GNUTLS_E_AGAIN, GNUTLS_E_KEY_USAGE_VIOLATION, @@ -150,7 +155,7 @@ void doit(void) try_with_key_fail("TLS 1.3 with client rsa encryption cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3", - GNUTLS_E_AGAIN, GNUTLS_E_KEY_USAGE_VIOLATION, + GNUTLS_E_AGAIN, GNUTLS_E_INSUFFICIENT_CREDENTIALS, &server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &server_ca3_localhost_rsa_decrypt_cert, &server_ca3_key); try_with_key_fail("TLS 1.3 with (forced) client rsa encryption cert - server should detect", |