diff options
| author | Daiki Ueno <dueno@redhat.com> | 2019-05-17 11:51:00 +0200 |
|---|---|---|
| committer | Daiki Ueno <dueno@redhat.com> | 2019-05-22 08:17:11 +0200 |
| commit | 0caf5b6922bd443bcf3eb1398a16c9d381fba86f (patch) | |
| tree | 6fe17727ff806cc23d24b857fe0f67a80f996f2d /tests | |
| parent | 86d5c56950489bc8469f73602d793ef48af6419a (diff) | |
| download | gnutls-0caf5b6922bd443bcf3eb1398a16c9d381fba86f.tar.gz | |
algorithms: eliminate the FFDHE alert desc requirement
This implements the errata for RFC 7919 eliminating the requirement to
reply with an insufficient_security alert when we have negotiated an
FFDHE group, but cannot find common ciphersuite:
https://www.rfc-editor.org/errata/eid4908
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 19 | ||||
| m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 | ||||
| -rw-r--r-- | tests/tls-neg-ext4-key.c | 2 | ||||
| -rw-r--r-- | tests/tls12-ffdhe.c | 2 |
4 files changed, 17 insertions, 6 deletions
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json index e25b6b3613..9a734fef57 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json @@ -93,7 +93,8 @@ {"name" : "test-ffdhe-negotiation.py" , "comment" : ["we don't prefer DHE over RSA if RSA is preferred by peer"], "arguments" : ["-p", "@PORT@", - "-e", "Check if DHE preferred"]}, + "-e", "Check if DHE preferred", + "--alert", "handshake_failure"]}, {"name" : "test-cve-2016-2107.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-key-share-random.py", @@ -273,7 +274,10 @@ "-e", "Protocol (3, 2) with x448 group", "-n", "4"]}, {"name" : "test-sig-algs.py", - "arguments" : ["-p", "@PORT@"] }, + "arguments" : ["-p", "@PORT@", + "-e", "rsa_pss_pss_sha256 only", + "-e", "rsa_pss_pss_sha384 only", + "-e", "rsa_pss_pss_sha512 only"] }, {"name" : "test-signature-algorithms.py", "comment" : "gnutls doesn't handle well duplicated sign algorithms; this is not an issue in practice", "arguments" : ["-p", "@PORT@", @@ -295,11 +299,18 @@ {"name" : "test-sslv2-force-export-cipher.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-sslv2hello-protocol.py", - "arguments" : ["-p", "@PORT@"] }, + "comment" : "https://gitlab.com/gnutls/gnutls/issues/771", + "arguments" : ["-p", "@PORT@", "--no-ssl2", + "-e", "Empty SSLv2 record - type 0", + "-e", "Empty SSLv2 record - type 1", + "-e", "Just version in SSLv2 hello", + "-e", "SSLv2 Client Hello"] }, {"name" : "test-TLSv1_2-rejected-without-TLSv1_2.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-truncating-of-client-hello.py", - "arguments" : ["-p", "@PORT@"] }, + "comment" : "https://gitlab.com/gnutls/gnutls/issues/771", + "arguments" : ["-p", "@PORT@", + "-e", "max pad: 16777167 of \"0\" byte padding"] }, {"name" : "test-truncating-of-finished.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-truncating-of-kRSA-client-key-exchange.py", diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject 13479e5a44bc10e3577fc28b921c5b999a363ce +Subproject 79936b86187ca48ced7c40b9b1a3872386c3f56 diff --git a/tests/tls-neg-ext4-key.c b/tests/tls-neg-ext4-key.c index 1adc65b93a..3d9db855ba 100644 --- a/tests/tls-neg-ext4-key.c +++ b/tests/tls-neg-ext4-key.c @@ -451,7 +451,7 @@ static const test_st tests[] = { .key = &server_ca3_rsa_pss_key, .sig = GNUTLS_SIGN_RSA_SHA256, .exp_kx = GNUTLS_KX_ECDHE_RSA, - .exp_serv_err = GNUTLS_E_INSUFFICIENT_SECURITY + .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES }, {.name = "tls1.3 rsa-pss cert, rsa-sign key, downgrade to tls1.2", /* we expect the server to downgrade to TLS 1.2 and refuse negotiating */ .pk = GNUTLS_PK_RSA, diff --git a/tests/tls12-ffdhe.c b/tests/tls12-ffdhe.c index d68452147a..8a0555dcb3 100644 --- a/tests/tls12-ffdhe.c +++ b/tests/tls12-ffdhe.c @@ -344,7 +344,7 @@ test_case_st tests[] = { { .name = "TLS 1.2 DHE-RSA (incompatible options)", .client_ret = GNUTLS_E_AGAIN, - .server_ret = GNUTLS_E_INSUFFICIENT_SECURITY, + .server_ret = GNUTLS_E_NO_CIPHER_SUITES, .have_cert_cred = 1, .have_rsa_sign_cert = 1, .server_prio = "NORMAL:-KX-ALL:+DHE-RSA:-VERS-ALL:+VERS-TLS1.2:-GROUP-ALL:+GROUP-FFDHE8192", |