summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/priority.c14
-rw-r--r--tests/common-cert-key-exchange.c6
-rwxr-xr-xtests/server-multi-keys.sh8
-rwxr-xr-xtests/suite/tls-fuzzer/tls-fuzzer-cert.sh4
-rwxr-xr-xtests/suite/tls-fuzzer/tls-fuzzer-nocert.sh4
-rw-r--r--tests/tls-neg-ext4-key.c9
-rw-r--r--tests/tls12-cert-key-exchange.c2
7 files changed, 27 insertions, 20 deletions
diff --git a/lib/priority.c b/lib/priority.c
index ff49875e7b..6019321405 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2004-2015 Free Software Foundation, Inc.
- * Copyright (C) 2015-2017 Red Hat, Inc.
+ * Copyright (C) 2015-2018 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
@@ -376,9 +376,9 @@ static const int _sign_priority_default[] = {
GNUTLS_SIGN_ECDSA_SHA1,
/* added on the final position for compatibility purposes */
- GNUTLS_SIGN_RSA_PSS_SHA256,
+ /*GNUTLS_SIGN_RSA_PSS_SHA256,
GNUTLS_SIGN_RSA_PSS_SHA384,
- GNUTLS_SIGN_RSA_PSS_SHA512,
+ GNUTLS_SIGN_RSA_PSS_SHA512,*/
GNUTLS_SIGN_EDDSA_ED25519,
0
@@ -407,9 +407,9 @@ static const int _sign_priority_secure128[] = {
GNUTLS_SIGN_ECDSA_SHA512,
/* added on the final position for compatibility purposes */
- GNUTLS_SIGN_RSA_PSS_SHA256,
+ /*GNUTLS_SIGN_RSA_PSS_SHA256,
GNUTLS_SIGN_RSA_PSS_SHA384,
- GNUTLS_SIGN_RSA_PSS_SHA512,
+ GNUTLS_SIGN_RSA_PSS_SHA512,*/
GNUTLS_SIGN_EDDSA_ED25519,
0
@@ -423,8 +423,8 @@ static const int _sign_priority_secure192[] = {
GNUTLS_SIGN_ECDSA_SHA512,
/* added on the final position for compatibility purposes */
- GNUTLS_SIGN_RSA_PSS_SHA384,
- GNUTLS_SIGN_RSA_PSS_SHA512,
+ /*GNUTLS_SIGN_RSA_PSS_SHA384,
+ GNUTLS_SIGN_RSA_PSS_SHA512,*/
0
};
static const int* sign_priority_secure192 = _sign_priority_secure192;
diff --git a/tests/common-cert-key-exchange.c b/tests/common-cert-key-exchange.c
index 6708d34348..e36e32cbca 100644
--- a/tests/common-cert-key-exchange.c
+++ b/tests/common-cert-key-exchange.c
@@ -101,7 +101,8 @@ void try_with_key(const char *name, const char *client_prio, gnutls_kx_algorithm
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_priority_set_direct(server,
- "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",
+ /*"NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",*/
+ "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
@@ -269,7 +270,8 @@ void dtls_try_with_key_mtu(const char *name, const char *client_prio, gnutls_kx_
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_priority_set_direct(server,
- "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",
+ /*"NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519",*/
+ "NORMAL:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA256",
NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
diff --git a/tests/server-multi-keys.sh b/tests/server-multi-keys.sh
index 25ab601a13..f72d2b18e2 100755
--- a/tests/server-multi-keys.sh
+++ b/tests/server-multi-keys.sh
@@ -59,18 +59,20 @@ CERT3=${srcdir}/../doc/credentials/x509/cert-rsa-pss.pem
CAFILE=${srcdir}/../doc/credentials/x509/ca.pem
TMPFILE=outcert.$$.tmp
+PRIO_ADD=":+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512"
+
eval "${GETPORT}"
-launch_server $$ --echo --priority "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA" --x509keyfile ${KEY1} --x509certfile ${CERT1} \
+launch_server $$ --echo --priority "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA${PRIO_ADD}" --x509keyfile ${KEY1} --x509certfile ${CERT1} \
--x509keyfile ${KEY2} --x509certfile ${CERT2} --x509keyfile ${KEY3} --x509certfile ${CERT3}
PID=$!
wait_server ${PID}
timeout 1800 datefudge "2017-08-9" \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA" </dev/null || \
+"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA${PRIO_ADD}" </dev/null || \
fail ${PID} "1. handshake with RSA should have succeeded!"
timeout 1800 datefudge "2017-08-9" \
-"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-ECDSA" </dev/null || \
+"${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-ECDSA${PRIO_ADD}" </dev/null || \
fail ${PID} "2. handshake with ECC should have succeeded!"
timeout 1800 datefudge "2017-08-9" \
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
index 30cfe25c38..b7352b8f73 100755
--- a/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-cert.sh
@@ -49,10 +49,10 @@ wait_for_free_port $PORT
retval=0
-PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:-CURVE-SECP192R1:+VERS-SSL3.0"
${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
if test $? != 0;then
- PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+ PRIORITY="NORMAL:+ARCFOUR-128:%VERIFY_ALLOW_SIGN_WITH_SHA1:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+VERS-SSL3.0"
fi
TLS_PY=./tlslite-ng/scripts/tls.py
diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
index 62d75344f7..d3cfec2070 100755
--- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
+++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh
@@ -49,10 +49,10 @@ wait_for_free_port $PORT
retval=0
-PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:+VERS-SSL3.0"
+PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:-CURVE-SECP192R1:+VERS-SSL3.0"
${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1
if test $? != 0;then
- PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+VERS-SSL3.0"
+ PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-DSA-SHA1:+VERS-SSL3.0"
fi
TLS_PY=./tlslite-ng/scripts/tls.py
diff --git a/tests/tls-neg-ext4-key.c b/tests/tls-neg-ext4-key.c
index b916294d3e..1ee12d7ae4 100644
--- a/tests/tls-neg-ext4-key.c
+++ b/tests/tls-neg-ext4-key.c
@@ -228,7 +228,8 @@ void try_with_key(const char *name, const char *client_prio,
s_xcred);
gnutls_priority_set_direct(server,
- "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",
+ /*"NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519",*/
+ "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
NULL);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
@@ -387,7 +388,8 @@ static const test_st tests[] = {
},
{.name = "rsa-pss-sign key",
.pk = GNUTLS_PK_RSA_PSS,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+ /*.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2",*/
.cert = &server_ca3_rsa_pss2_cert,
.key = &server_ca3_rsa_pss2_key,
.sig = GNUTLS_SIGN_RSA_PSS_SHA256,
@@ -395,7 +397,8 @@ static const test_st tests[] = {
},
{.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512",
+ /*.prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2",*/
.cert = &server_ca3_rsa_pss_cert,
.key = &server_ca3_rsa_pss_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA,
diff --git a/tests/tls12-cert-key-exchange.c b/tests/tls12-cert-key-exchange.c
index 497c8aee3c..8f7a9fe3f6 100644
--- a/tests/tls12-cert-key-exchange.c
+++ b/tests/tls12-cert-key-exchange.c
@@ -50,7 +50,7 @@ void doit(void)
try("TLS 1.2 with ecdhe rsa-pss sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
/* Test RSA-PSS cert/key combo issues */
- try_with_key("TLS 1.2 with ecdhe with rsa-pss-sha256 key no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
+ try_with_key("TLS 1.2 with ecdhe with rsa-pss-sha256 key no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_rsa_pss2_cert, &server_ca3_rsa_pss2_key, NULL, NULL, 0);
try_with_key("TLS 1.2 with ecdhe with rsa-pss-sha256 key and 1 sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_rsa_pss2_cert, &server_ca3_rsa_pss2_key, NULL, NULL, 0);