summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/alert.c1
-rw-r--r--lib/tls13-sig.c2
-rw-r--r--lib/tls13/certificate_verify.c2
-rw-r--r--tests/suite/tls-fuzzer/gnutls-cert.json23
4 files changed, 26 insertions, 2 deletions
diff --git a/lib/alert.c b/lib/alert.c
index 047c976d1b..cfd1205d01 100644
--- a/lib/alert.c
+++ b/lib/alert.c
@@ -227,6 +227,7 @@ int gnutls_error_to_alert(int err, int *level)
case GNUTLS_E_PK_INVALID_PUBKEY:
case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
case GNUTLS_E_RECEIVED_DISALLOWED_NAME:
+ case GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY:
ret = GNUTLS_A_ILLEGAL_PARAMETER;
_level = GNUTLS_AL_FATAL;
break;
diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c
index aee15eaf87..61f9d58209 100644
--- a/lib/tls13-sig.c
+++ b/lib/tls13-sig.c
@@ -72,7 +72,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session,
ret =
_gnutls_session_sign_algo_enabled(session, se->id);
if (ret < 0)
- return gnutls_assert_val(ret);
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
if (se->tls13_ok == 0) /* explicitly prohibited */
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c
index 7300f88f5d..6c3617c026 100644
--- a/lib/tls13/certificate_verify.c
+++ b/lib/tls13/certificate_verify.c
@@ -85,7 +85,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session)
se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], get_version(session));
if (se == NULL) {
_gnutls_handshake_log("Found unsupported signature (%d.%d)\n", (int)buf.data[0], (int)buf.data[1]);
- ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
goto cleanup;
}
diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json
index c2b28c5569..f0443d8a7d 100644
--- a/tests/suite/tls-fuzzer/gnutls-cert.json
+++ b/tests/suite/tls-fuzzer/gnutls-cert.json
@@ -9,6 +9,20 @@
"server_hostname": "localhost",
"server_port": @PORT@,
"tests" : [
+ {"name" : "test-tls13-certificate-verify.py",
+ "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)",
+ "arguments" : ["-k", "tests/clientX509Key.pem",
+ "-c", "tests/clientX509Cert.pem",
+ "-n", "10",
+ "-e", "check sigalgs in cert request",
+ "-p", "@PORT@"]},
+ {"name" : "test-tls13-certificate-verify.py",
+ "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)",
+ "arguments" : ["-k", "tests/clientRSAPSSKey.pem",
+ "-c", "tests/clientRSAPSSCert.pem",
+ "-n", "10",
+ "-e", "check sigalgs in cert request",
+ "-p", "@PORT@"]},
{"name": "test-rsa-sigs-on-certificate-verify.py",
"arguments" : ["-k", "tests/clientX509Key.pem",
"-c", "tests/clientX509Cert.pem",
@@ -45,6 +59,15 @@
"-n", "100",
"-p", "@PORT@"]
},
+ {"name" : "test-rsa-pss-sigs-on-certificate-verify.py",
+ "comment": "tlsfuzzer doesn't know ed25519 scheme which we advertise",
+ "arguments" : ["-k", "tests/clientRSAPSSKey.pem",
+ "-c", "tests/clientRSAPSSCert.pem",
+ "-e", "check CertificateRequest sigalgs",
+ "--illegpar",
+ "-n", "100",
+ "-p", "@PORT@"]
+ },
{"name": "test-certificate-malformed.py",
"comment" : "tlsfuzzer doesn't like the alerts we send",
"arguments" : ["-k", "tests/clientX509Key.pem",