diff options
-rw-r--r-- | lib/alert.c | 2 | ||||
-rw-r--r-- | lib/hello_ext_lib.c | 2 | ||||
-rw-r--r-- | lib/tls-sig.c | 19 | ||||
-rw-r--r-- | lib/x509/x509_ext.c | 2 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-cert.json | 6 | ||||
m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 | ||||
m--------- | tests/suite/tls-fuzzer/tlslite-ng | 0 |
7 files changed, 23 insertions, 8 deletions
diff --git a/lib/alert.c b/lib/alert.c index b9aa7bd9ba..a7770da676 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -223,6 +223,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER: case GNUTLS_E_ILLEGAL_SRP_USERNAME: case GNUTLS_E_PK_INVALID_PUBKEY: + case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: ret = GNUTLS_A_ILLEGAL_PARAMETER; _level = GNUTLS_AL_FATAL; break; @@ -247,7 +248,6 @@ int gnutls_error_to_alert(int err, int *level) _level = GNUTLS_AL_FATAL; break; case GNUTLS_E_UNKNOWN_CIPHER_SUITE: - case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: case GNUTLS_E_INSUFFICIENT_CREDENTIALS: case GNUTLS_E_NO_CIPHER_SUITES: case GNUTLS_E_NO_COMPRESSION_ALGORITHMS: diff --git a/lib/hello_ext_lib.c b/lib/hello_ext_lib.c index 663354caaf..5ee433b24e 100644 --- a/lib/hello_ext_lib.c +++ b/lib/hello_ext_lib.c @@ -40,7 +40,7 @@ void _gnutls_hello_ext_default_deinit(gnutls_ext_priv_data_t priv) int _gnutls_hello_ext_set_datum(gnutls_session_t session, extensions_t id, const gnutls_datum_t *data) -{ //REMARK: we are limiting the data size to fit in a uint16 while a datum_t uses unsigned int! +{ gnutls_ext_priv_data_t epriv; if (_gnutls_hello_ext_get_priv(session, id, &epriv) >= 0) diff --git a/lib/tls-sig.c b/lib/tls-sig.c index 75f88e5fbd..19357c06a1 100644 --- a/lib/tls-sig.c +++ b/lib/tls-sig.c @@ -271,10 +271,11 @@ _gnutls_handshake_verify_data12(gnutls_session_t session, gnutls_datum_t dconcat; int ret; const version_entry_st *ver = get_version(session); + const gnutls_sign_entry_st *se = _gnutls_sign_to_entry(sign_algo); _gnutls_handshake_log ("HSK[%p]: verify TLS 1.2 handshake data: using %s\n", session, - gnutls_sign_algorithm_get_name(sign_algo)); + se->name); ret = _gnutls_pubkey_compatible_with_sig(session, @@ -283,6 +284,12 @@ _gnutls_handshake_verify_data12(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); + if (unlikely(sign_supports_cert_pk_algorithm(se, cert->pubkey->params.algo) == 0)) { + _gnutls_handshake_log("HSK[%p]: certificate of %s cannot be combined with %s sig\n", + session, gnutls_pk_get_name(cert->pubkey->params.algo), se->name); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + } + ret = _gnutls_session_sign_algo_enabled(session, sign_algo); if (ret < 0) @@ -356,11 +363,18 @@ _gnutls_handshake_verify_crt_vrfy12(gnutls_session_t session, { int ret; gnutls_datum_t dconcat; + const gnutls_sign_entry_st *se = _gnutls_sign_to_entry(sign_algo); ret = _gnutls_session_sign_algo_enabled(session, sign_algo); if (ret < 0) return gnutls_assert_val(ret); + if (unlikely(sign_supports_cert_pk_algorithm(se, cert->pubkey->params.algo) == 0)) { + _gnutls_handshake_log("HSK[%p]: certificate of %s cannot be combined with %s sig\n", + session, gnutls_pk_get_name(cert->pubkey->params.algo), se->name); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + } + dconcat.data = session->internals.handshake_hash_buffer.data; dconcat.size = session->internals.handshake_hash_buffer_prev_len; @@ -567,6 +581,9 @@ _gnutls_handshake_sign_crt_vrfy12(gnutls_session_t session, gnutls_sign_algorithm_set_client(session, sign_algo); + if (unlikely(gnutls_sign_supports_pk_algorithm(sign_algo, pkey->pk_algorithm) == 0)) + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); + _gnutls_debug_log("sign handshake cert vrfy: picked %s\n", gnutls_sign_algorithm_get_name(sign_algo)); diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c index 8213c6e427..ffc05bc0a3 100644 --- a/lib/x509/x509_ext.c +++ b/lib/x509/x509_ext.c @@ -1052,7 +1052,7 @@ int gnutls_x509_ext_export_authority_key_id(gnutls_x509_aki_t aki, san.data, aki->cert_issuer. names[i].san.size); - if (result < 0) { + if (ret < 0) { gnutls_assert(); goto cleanup; } diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json index f9de174699..c2b28c5569 100644 --- a/tests/suite/tls-fuzzer/gnutls-cert.json +++ b/tests/suite/tls-fuzzer/gnutls-cert.json @@ -37,13 +37,11 @@ "-p", "@PORT@"] }, {"name" : "test-rsa-pss-sigs-on-certificate-verify.py", - "comment" : "FIXME: We shouldn't allow rsa_pss_pss* schemes as there is only RSA key #645", + "comment": "tlsfuzzer doesn't know ed25519 scheme which we advertise", "arguments" : ["-k", "tests/clientX509Key.pem", "-c", "tests/clientX509Cert.pem", "-e", "check CertificateRequest sigalgs", - "-e", "rsa_pss_pss_sha256 in CertificateVerify with rsa key", - "-e", "rsa_pss_pss_sha384 in CertificateVerify with rsa key", - "-e", "rsa_pss_pss_sha512 in CertificateVerify with rsa key", + "--illegpar", "-n", "100", "-p", "@PORT@"] }, diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject cd624f68c671f339b3a1e0ef90db984760bcfea +Subproject b9dec4fde7bedfac90850b86c2c3f644349f6c3 diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng -Subproject d00ad94272be90172ecc5c422c923d679c23416 +Subproject 3696909715ba73ee807d3959a26d36b56f718ba |