diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/cert-tests/Makefile.am | 4 | ||||
-rw-r--r-- | tests/cert-tests/data/invalid-sig4.pem | 23 | ||||
-rw-r--r-- | tests/cert-tests/data/invalid-sig5.pem | 22 | ||||
-rwxr-xr-x | tests/cert-tests/invalid-sig | 20 | ||||
-rw-r--r-- | tests/conv-utf8.c | 6 | ||||
-rw-r--r-- | tests/pkcs11/pkcs11-token-raw.c | 37 | ||||
-rw-r--r-- | tests/seccomp.c | 5 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json | 2 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-tls13.json | 38 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 33 | ||||
m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 | ||||
-rw-r--r-- | tests/test-chains.h | 123 | ||||
-rw-r--r-- | tests/tls-record-size-limit.c | 223 | ||||
-rw-r--r-- | tests/tls13/prf.c | 8 | ||||
-rw-r--r-- | tests/tls13/rnd-check-rollback-val.c | 56 |
15 files changed, 443 insertions, 157 deletions
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index 0e5692df6d..f3beadec0d 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -35,8 +35,8 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem templates/template-generalized.tmpl data/privkey1.pem data/privkey2.pem data/privkey3.pem \ data/name-constraints-ip.pem data/cert-invalid-utf8.der data/very-long-dn.pem \ data/provable3072.pem data/provable2048.pem data/provable-dsa2048.pem \ - data/provable-dsa2048-fips.pem templates/template-crq.tmpl \ - templates/template-unique.tmpl data/template-unique.pem \ + data/provable-dsa2048-fips.pem templates/template-crq.tmpl data/invalid-sig5.pem \ + templates/template-unique.tmpl data/template-unique.pem data/invalid-sig4.pem \ templates/template-othername.tmpl data/template-othername.pem \ templates/template-othername-xmpp.tmpl data/template-othername-xmpp.pem \ templates/template-krb5name.tmpl data/crl-demo1.pem data/crl-demo2.pem data/crl-demo3.pem \ diff --git a/tests/cert-tests/data/invalid-sig4.pem b/tests/cert-tests/data/invalid-sig4.pem new file mode 100644 index 0000000000..f039e3c18f --- /dev/null +++ b/tests/cert-tests/data/invalid-sig4.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1jCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT +MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i +YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG +EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM +IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0 +l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e +6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb +ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8 +N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5 +HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd +gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC +St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w +EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js +Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw +JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTAOBgkqhkiG9w0B +AQUEAUEDggEBAKu8vApdGJTjwbHDqExV1r60mPHuPBzNz/MkJFyWAydY/Dauoi+P +8f7aKwLDM73I3UgiK2APpQMQ/Xf40O2WZ0/96kcgcFTcqQxVfuGWJYrZtdpXSr6N +jklDY6VsTieHJetbbf6ifzgo4DarrTmlpWLEt1xYLKpdAWCmYmejwMdiI/TnbEbu +tdOAaiIT0i0/dE/qr4xftDic267Or4QepvY0UVl50+N13LzX83PfkuzSIFlvnPuV ++JJ2GAp8Dyymyt6KYnvY885faL2PPsF0uxVyOhaDqQvmTZmc2FfsqAFRx29XNF6r +SixC9k8ciXjeJk71b5NMFWsnVk0AVGx6t7c= +-----END CERTIFICATE----- diff --git a/tests/cert-tests/data/invalid-sig5.pem b/tests/cert-tests/data/invalid-sig5.pem new file mode 100644 index 0000000000..f7a148cf42 --- /dev/null +++ b/tests/cert-tests/data/invalid-sig5.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDmjCCAlKgAwIBAgIMWXnRYyHbNWzuFxmzMD0GCSqGSIb3DQEBCjAwoA0wCwYJ +YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL +BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x +DTALBgNVBAMTBENBLTEwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB +oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDB +uQ2UwKWT1BfN6H2B3svKL34aPW/+MTfN8McvExZsZYuQyRxeG8SV4uJ+GAtJ/Ml/ +eaUqiKG0pNCna846FUtAax/0quuVSaZ2xOVA3lMKj2frtRLJ3W6ZaglCHkZUHhII +JEtE1s0F8aaaZ6X4/57OAi6uyFNuBSBsp3giQS6SrtFMbhq7OuSSt2T14XlVGvAI +TiO7t21+Eukq2jDGOerUax4Yxki4l8589uXu5IQzZalj42hr9YKbNb75RAICNnY8 +jxCezc0o8KNoDF0IAK7UERz6uUQElUh/bdm0k3UV+uVA6t0disZ4gdenPuLsGSVD +9fcbh/zFlv2V3A9HLJB3AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P +AQH/BAUDAwcEADAdBgNVHQ4EFgQU6h4fxmpkIoNy/qx6u4Z13H7WN+QwHwYDVR0j +BBgwFoAUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZIhvcNAQEKMDCgDTALBglg +hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAFGH +zxWW8R95wmmuDecuKf31LEKPubtaeqMRqt2Vk2mGCQOxcerl6MMGyl3w46hEkAjU +jAPwmNnB9xyEyqR5w2TYrpzsrnUcZn+6HzSiPTEJ0jhY2S8N2V+Bch1QgMwlgeaD +bZrY6qAG6PeqoQ8XhZ8+1sI/IpQKJHmmBN+qYbLFxEPjE4QnBahPbKfbpMY0MMX0 +uuI2nSBKcYmkYiWBYdydpP24VfeoUP0V6bXc5rrDdCNGp+AxUID51GT0AoMf2FGK +LeOLJtPqH7raz44pa1qezHq4gPeXC0Ende9j7IimpsdB6eDVle8UZipfeASq9XVL +F430KTcS7x42r71NZUU= +-----END CERTIFICATE----- diff --git a/tests/cert-tests/invalid-sig b/tests/cert-tests/invalid-sig index eaa75c7543..bc2774e1f5 100755 --- a/tests/cert-tests/invalid-sig +++ b/tests/cert-tests/invalid-sig @@ -59,4 +59,24 @@ if test "${rc}" = "0"; then exit ${rc} fi +#check whether different parameters in tbsCertificate than the outer signature is tolerated +${VALGRIND} "${CERTTOOL}" -e --infile "${srcdir}/data/invalid-sig4.pem" +rc=$? + +# We're done. +if test "${rc}" = "0"; then + echo "Verification of invalid signature (4) failed" + exit ${rc} +fi + +#check whether different RSA-PSS parameters in tbsCertificate than the outer signature is tolerated +${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/invalid-sig5.pem" +rc=$? + +# We're done. +if test "${rc}" = "0"; then + echo "Verification of invalid signature (4) failed" + exit ${rc} +fi + exit 0 diff --git a/tests/conv-utf8.c b/tests/conv-utf8.c index 73f4ff3abd..9d630e73d0 100644 --- a/tests/conv-utf8.c +++ b/tests/conv-utf8.c @@ -35,7 +35,7 @@ #include <cmocka.h> int _gnutls_utf8_to_ucs2(const void *data, size_t size, - gnutls_datum_t * output); + gnutls_datum_t * output, unsigned be); int _gnutls_ucs2_to_utf8(const void *data, size_t size, gnutls_datum_t * output, unsigned be); @@ -60,7 +60,7 @@ static void PRINT(const char *str, unsigned char *val, unsigned int size) static void fname(void **glob_state) \ { \ gnutls_datum_t out; \ - int ret = _gnutls_utf8_to_ucs2(utf8, strlen(utf8), &out); \ + int ret = _gnutls_utf8_to_ucs2(utf8, strlen(utf8), &out, 1); \ assert_int_equal(ret, 0); \ if (out.size != sizeof(utf16)-1 || memcmp(utf16, out.data, out.size) != 0) { PRINT("got: ", out.data, out.size); \ PRINT("expected: ", (unsigned char*)utf16, sizeof(utf16)-1); } \ @@ -86,7 +86,7 @@ static void fname(void **glob_state) \ static void fname(void **glob_state) \ { \ gnutls_datum_t out; \ - int ret = _gnutls_utf8_to_ucs2(utf8, utf8_size, &out); \ + int ret = _gnutls_utf8_to_ucs2(utf8, utf8_size, &out, 1); \ assert_int_not_equal(ret, 0); \ } diff --git a/tests/pkcs11/pkcs11-token-raw.c b/tests/pkcs11/pkcs11-token-raw.c index bbcb23eb81..c09e762cc5 100644 --- a/tests/pkcs11/pkcs11-token-raw.c +++ b/tests/pkcs11/pkcs11-token-raw.c @@ -57,6 +57,7 @@ static void tls_log_func(int level, const char *str) fprintf(stderr, "|<%d>| %s", level, str); } +#define TOKEN_NAME "whatever" void doit(void) { int ret; @@ -93,6 +94,42 @@ void doit(void) exit(1); } + { + static const char url[] = "pkcs11:token="TOKEN_NAME; + + /* Testing a too small buffer */ + size_t size = 1; + char *buf = gnutls_malloc(size); + assert(buf != NULL); + ret = gnutls_pkcs11_token_get_info(url, + GNUTLS_PKCS11_TOKEN_LABEL, + buf, &size); + assert(ret == GNUTLS_E_SHORT_MEMORY_BUFFER); + assert(size == strlen(TOKEN_NAME)+1); + + /* Testing a too small buffer by one */ + size -= 1; + buf = gnutls_realloc(buf, size); + assert(buf != NULL); + ret = gnutls_pkcs11_token_get_info(url, + GNUTLS_PKCS11_TOKEN_LABEL, + buf, &size); + assert(ret == GNUTLS_E_SHORT_MEMORY_BUFFER); + assert(size == strlen(TOKEN_NAME)+1); + + /* Testing an exactly fitting buffer */ + buf = gnutls_realloc(buf, size); + assert(buf != NULL); + ret = gnutls_pkcs11_token_get_info(url, + GNUTLS_PKCS11_TOKEN_LABEL, + buf, &size); + assert(ret == 0); + assert(strcmp(buf, TOKEN_NAME) == 0); + assert(size == strlen(TOKEN_NAME)); + + gnutls_free(buf); + } + ret = gnutls_pkcs11_token_get_ptr("pkcs11:token=invalid", (void**)&mod, &slot_id, 0); assert(ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); diff --git a/tests/seccomp.c b/tests/seccomp.c index b68fcd7efa..466f7db740 100644 --- a/tests/seccomp.c +++ b/tests/seccomp.c @@ -26,6 +26,9 @@ #include <seccomp.h> #include <errno.h> #include <string.h> +#if defined(__linux__) +# include <sys/syscall.h> +#endif int disable_system_calls(void) { @@ -70,7 +73,9 @@ int disable_system_calls(void) /* to read from /dev/urandom */ ADD_SYSCALL(read, 0); +#ifdef SYS_getrandom ADD_SYSCALL(getrandom, 0); +#endif /* we use it in select */ ADD_SYSCALL(sigprocmask, 0); diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json b/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json index 9bf3fa20f1..a297392255 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-ssl3.json @@ -18,7 +18,7 @@ }, {"name" : "test-export-ciphers-rejected.py", "comment" : "we negotiate AES even in SSL3.0", - "arguments" : ["--ssl3", "-p", "@PORT@"] }, + "arguments" : ["-p", "@PORT@"] }, {"name" : "test-client-compatibility.py", "arguments" : ["-p", "@PORT@", "18: IE 6 on XP", "52: YandexBot 3.0 on unknown", diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json index 06fbf92351..47fcf878a4 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json @@ -12,6 +12,38 @@ "server_hostname": "localhost", "server_port": @PORT@, "tests" : [ + {"name" : "test-record-size-limit.py", + "comment" : "changed extension after HRR is not supported #617", + "arguments" : ["-p", "@PORT@", "--reply-AD-size", "685", + "--minimal-size", "512", + "-e", "change size in TLS 1.2 resumption", + "-e", "change size in TLS 1.3 session resumption", + "-e", "check if server accepts maximum size in TLS 1.0", + "-e", "check if server accepts maximum size in TLS 1.1", + "-e", "check if server accepts maximum size in TLS 1.2", + "-e", "check if server accepts minimal size in TLS 1.0", + "-e", "check if server accepts minimal size in TLS 1.1", + "-e", "check if server accepts minimal size in TLS 1.2", + "-e", "check interaction with sha256 prf", + "-e", "check interaction with sha384 prf", + "-e", "check server sent size in TLS 1.0", + "-e", "check server sent size in TLS 1.1", + "-e", "check server sent size in TLS 1.2", + "-e", "drop extension in TLS 1.2 resumption", + "-e", "drop extension in TLS 1.3 session resumption", + "-e", "modified extension in 2nd CH in HRR handshake", + "-e", "renegotiation with changed limit", + "-e", "renegotiation with dropped extension", + "-e", "added extension in 2nd CH in HRR handshake", + "-e", "check server sent size in TLS 1.0 with max_fragment_length", + "-e", "check server sent size in TLS 1.1 with max_fragment_length", + "-e", "check server sent size in TLS 1.2 with max_fragment_length", + "-e", "removed extension in 2nd CH in HRR handshake"] }, + {"name" : "test-record-size-limit.py", + "arguments" : ["-p", "@PORT@", "--reply-AD-size", "672", + "--minimal-size", "512", + "change size in TLS 1.3 session resumption", + "drop extension in TLS 1.3 session resumption"] }, {"name" : "test-tls13-0rtt-garbage.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-ccs.py", @@ -81,7 +113,11 @@ {"name" : "test-tls13-version-negotiation.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-zero-length-data.py", - "arguments": ["-p", "@PORT@"]} + "arguments": ["-p", "@PORT@"]}, + {"name" : "test-downgrade-protection.py", + "comment" : "1/n-1 splitting in TLS 1.0 is not supported", + "arguments": ["-p", "@PORT@", "--server-max-protocol", "TLSv1.3", + "-e", "TLS 1.3 downgrade check for Protocol (3, 1)"]} ] } ] diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json index 04376f40ea..e25b6b3613 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json @@ -231,27 +231,38 @@ "-e", "small, maximum fragmentation: 1 fragment - 20B extension", "-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]}, {"name" : "test-record-size-limit.py", - "comment" : "These tests rely on too small lower limit we don't support; TLS 1.3 high limit is not what we expect; 1/n-1 splitting is not supported in TLS 1.0; we don't reject too large appliation_data records in TLS 1.2 #676", - "arguments" : ["-p", "@PORT@", "--reply-AD-size", "{expected_size}", - "-e", "change size in TLS 1.2 resumption", - "-e", "change size in TLS 1.3 session resumption", + "comment" : "TLS 1.3 tests are done separately; 1/n-1 splitting is not supported in TLS 1.0", + "arguments" : ["-p", "@PORT@", "--reply-AD-size", "821", + "--minimal-size", "512", "-e", "check if server accepts maximum size in TLS 1.0", "-e", "check if server accepts maximum size in TLS 1.3", "-e", "check if server accepts minimal size in TLS 1.0", - "-e", "check if server accepts minimal size in TLS 1.1", - "-e", "check if server accepts minimal size in TLS 1.2", "-e", "check if server accepts minimal size in TLS 1.3", + "-e", "check if server omits extension for unrecognized size 64 in TLS 1.3", + "-e", "check if server omits extension for unrecognized size 511 in TLS 1.3", "-e", "check interaction with sha256 prf", "-e", "check interaction with sha384 prf", "-e", "check server sent size in TLS 1.0", "-e", "check server sent size in TLS 1.3", - "-e", "drop extension in TLS 1.3 session resumption", "-e", "HRR sanity", + "-e", "too large record payload in TLS 1.3", + "-e", "change size in TLS 1.3 session resumption", + "-e", "drop extension in TLS 1.3 session resumption", "-e", "modified extension in 2nd CH in HRR handshake", - "-e", "renegotiation with changed limit", - "-e", "renegotiation with dropped extension", - "-e", "too large record in TLS 1.2", - "-e", "too large record payload in TLS 1.3"] }, + "-e", "added extension in 2nd CH in HRR handshake", + "-e", "check server sent size in TLS 1.0 with max_fragment_length", + "-e", "check server sent size in TLS 1.3 with max_fragment_length", + "-e", "removed extension in 2nd CH in HRR handshake"] }, + {"name" : "test-record-size-limit.py", + "comment" : "The reply includes PRF algorithm and affects the AD size", + "arguments" : ["-p", "@PORT@", "--reply-AD-size", "827", + "--minimal-size", "512", + "check interaction with sha256 prf"] }, + {"name" : "test-record-size-limit.py", + "comment" : "The reply includes PRF algorithm and affects the AD size", + "arguments" : ["-p", "@PORT@", "--reply-AD-size", "816", + "--minimal-size", "512", + "check interaction with sha384 prf"] }, {"name" : "test-sessionID-resumption.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-serverhello-random.py", diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject 7b2ebe4c8bd06e5a1059a8aeb5bfe2b014e2b52 +Subproject 13479e5a44bc10e3577fc28b921c5b999a363ce diff --git a/tests/test-chains.h b/tests/test-chains.h index 09a386c821..095ccbabd2 100644 --- a/tests/test-chains.h +++ b/tests/test-chains.h @@ -154,71 +154,76 @@ static const char *chain_with_no_subject_id_in_ca_ok[] = { "-----END CERTIFICATE-----\n" }; +/* This chain was generated by a modified gnutls lib. The script tests/suite/certs/create-chain.sh + * was used after modifying it to generate RSA-PSS certificates and set 64 byte salt in intermediate + * CA, and 48-byte otherwise. Then _gnutls_x509_write_sign_params() was modified to set a 32-byte salt + * when it would have set a 64-byte one. That way signatures from the intermediate certificate restricted + * to 64-byte salts will be incorrectly set to 32-bytes. */ static const char *rsa_pss_chain_smaller_salt_in_sig_fail[] = { "-----BEGIN CERTIFICATE-----\n" - "MIIDfzCCAjegAwIBAgIMWXnRYyUPHcgwMUF2MD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n" - "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgMA8xDTAL\n" - "BgNVBAMTBENBLTEwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMBMx\n" - "ETAPBgNVBAMTCHNlcnZlci0yMIIBIDALBgkqhkiG9w0BAQoDggEPADCCAQoCggEB\n" - "ALPUjrvjgPh9hv3gYDxu/Un28TzS3os+O1eAbVGuTeO0BX3u5D2ZtaVeB7gLwSku\n" - "YkDKLrXs+M5BsvpZOfKIyQjrLuc5U5ik8W7SsSH5MVliergMTz4Qi+DtXdsrIjpk\n" - "oTDxgUatrpYQSocPfqdMgma3DyW3jlZv4BoLZ95TsJi23qZxZI9fQeGG9DZ+x2h6\n" - "3QeW4OTpJB75O6ruas7KiId9RH6WHj/JvLF99RGhPHa7SUZstyvnDA80Igood6S6\n" - "J3GNs1RHnaHeOqcyfbdNzlyTaLK0Acos6AKlkm4OYABXRmfDSyjVPto7FTV4I9CV\n" - "jSRXOa5IK3kUvFApM6SvzQsCAwEAAaN3MHUwDAYDVR0TAQH/BAIwADAUBgNVHREE\n" - "DTALgglsb2NhbGhvc3QwDwYDVR0PAQH/BAUDAweAADAdBgNVHQ4EFgQUhAHLtEhd\n" - "NxMr6TQX5GB4a29ng4YwHwYDVR0jBBgwFoAU6h4fxmpkIoNy/qx6u4Z13H7WN+Qw\n" - "PQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJ\n" - "YIZIAWUDBAIBogMCASADggEBAL5SQpMtcGQ4mNZaaW3SNB8EBPo4VZ1GXYsOd0ef\n" - "JmhNKKrw5Z2WHR8xDbP7cwq/X+U0M9TMhCWPaDgzt46TJu+ct43UqGt/bgz2Xt2R\n" - "xCvlhwGNM3A5c417jmNQiQvMyCiEZSPD7RLowoE34XyjaxydYoWGq9otNoIq0CX9\n" - "Q7GZudWfWvwDU3zM8gy6k8EPmOgG8PdvW6PjKyf5y/uSDHY7Dm8d9E/uybAbZUVo\n" - "WfdwhhP66EDmNozTNaBcfIkJTmuxq2oxnA8JS1V5hMccfZLIRh0hBkpdGXSAOMNV\n" - "qjqJUOWrbU5hbcZUk2UHK34rNvkX+rDmuKD2vAQ7MguzHfI=\n" + "MIIDiTCCAkGgAwIBAgIUMquMu6/Azo9N40rNZ1z7hkotqC0wPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogMC\n" + "ASAwDzENMAsGA1UEAxMEQ0EtMTAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n" + "NTk1OVowEzERMA8GA1UEAxMIc2VydmVyLTIwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQDrEJ5ONj7OYNjDZ3johFKItvX6BFJ7ejLfNELvT7I9hsiGJBr5\n" + "Q/NgeQolSXLKHYG0L5Lxu1fbHINzC43NEivY3KMKKl0+MdXWwAr0yW/cTeuDc/+e\n" + "YqGT3TpCcxa/0dJ+Y3zAS1DqsHjNOxyYBvyKATyvFKo+oAwOqtR/OLflUvoXvYZV\n" + "YByseOLhE70Vfuk8yppRcKwokwk/3S6dZjoxK1K3PBQGARJNaUChtx5iM1qMrluK\n" + "uDj7yV9DYhtyhSmYvcZ1gb3t0aAxGoGbfdOHa7XMovzfRDUPbwvkKUJqcNfGkeGn\n" + "pZRzbA8D/YrjFtm7QVgf6yD20DbZChzoxRWzAgMBAAGjdzB1MAwGA1UdEwEB/wQC\n" + "MAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O\n" + "BBYEFM/CHpfVzdNRBMYfqBXUieW9m9oFMB8GA1UdIwQYMBaAFDBBFsyy+oqRFlRx\n" + "MH5qlHt7guXUMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAICoRowGAYJKoZI\n" + "hvcNAQEIMAsGCWCGSAFlAwQCAqIDAgEgA4IBAQADuShUlCXrs5K6Yu7mKvoyZztJ\n" + "dQFuxv4WDvbhoZ19GEEg6icRUoaA3tWKf7tNRnqQklMLhWIZParXtt+xz7q5K6ic\n" + "kX5oGzzUNryAx5DJkZCCffdA1FaQjCEI6Cy5cEnGifXyacwA7BViUwMnWvJRSKYi\n" + "gvBVKc1TBwA+vPIzlSb3COo1zhshxM+C7mhzspDFkceXV7qapFDMj7M/GbgqH7h0\n" + "yuJv2bymytjXadR43LuG6yqqsFvIPHYBcyPq3Uzu+57UJbHhAlkTXaAXfZkc1Ut7\n" + "Xz8pOEzcxZHl4SEgsO6KeT2uQUE1Zx5AgwaNfuMmg0aFJep8vKcQ1jvdzxS2\n" "-----END CERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n" - "MIIDmjCCAlKgAwIBAgIMWXnRYyHbNWzuFxmzMD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n" - "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL\n" - "BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x\n" - "DTALBgNVBAMTBENBLTEwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB\n" - "oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgEgA4IBDwAwggEKAoIBAQDB\n" - "uQ2UwKWT1BfN6H2B3svKL34aPW/+MTfN8McvExZsZYuQyRxeG8SV4uJ+GAtJ/Ml/\n" - "eaUqiKG0pNCna846FUtAax/0quuVSaZ2xOVA3lMKj2frtRLJ3W6ZaglCHkZUHhII\n" - "JEtE1s0F8aaaZ6X4/57OAi6uyFNuBSBsp3giQS6SrtFMbhq7OuSSt2T14XlVGvAI\n" - "TiO7t21+Eukq2jDGOerUax4Yxki4l8589uXu5IQzZalj42hr9YKbNb75RAICNnY8\n" - "jxCezc0o8KNoDF0IAK7UERz6uUQElUh/bdm0k3UV+uVA6t0disZ4gdenPuLsGSVD\n" - "9fcbh/zFlv2V3A9HLJB3AgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P\n" - "AQH/BAUDAwcEADAdBgNVHQ4EFgQU6h4fxmpkIoNy/qx6u4Z13H7WN+QwHwYDVR0j\n" - "BBgwFoAUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" - "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBAFGH\n" - "zxWW8R95wmmuDecuKf31LEKPubtaeqMRqt2Vk2mGCQOxcerl6MMGyl3w46hEkAjU\n" - "jAPwmNnB9xyEyqR5w2TYrpzsrnUcZn+6HzSiPTEJ0jhY2S8N2V+Bch1QgMwlgeaD\n" - "bZrY6qAG6PeqoQ8XhZ8+1sI/IpQKJHmmBN+qYbLFxEPjE4QnBahPbKfbpMY0MMX0\n" - "uuI2nSBKcYmkYiWBYdydpP24VfeoUP0V6bXc5rrDdCNGp+AxUID51GT0AoMf2FGK\n" - "LeOLJtPqH7raz44pa1qezHq4gPeXC0Ende9j7IimpsdB6eDVle8UZipfeASq9XVL\n" - "F430KTcS7x42r71NZUU=\n" + "MIIDojCCAlqgAwIBAgIUYIZPL5Kf86B0XYSKAdI8dv4HJY8wPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "ATAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n" + "NTk1OVowDzENMAsGA1UEAxMEQ0EtMTCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" + "hkgBZQMEAgKhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAICogMCAUADggEPADCC\n" + "AQoCggEBANCQ6fUJYYI3OTDYIcyshBdnVBQq0uGjHg/04niCpoAZi/nlfP3tCRZS\n" + "k44kMt6hla9cEkdj5mzeGFlG5AYG9C5MimyYwTJ5Sho6t8ct4wPESeypuDbcvMRX\n" + "MTLM/9+ZECkDgKA238z4sNX0T0ppsCXy8IK0Jmn7bky6lqNmaMTjYWy7Tu4kQOMX\n" + "7RE4tv/WlaH95d7zHYuaAf5dNY5GJ/cGrkYLrL1KpN/UU/4KKxvWs3EbsnDvrTcs\n" + "mzLrTOIaedrrNXY6FsGE3+XKDCo+Z80LsrySpCozAECrEFCENMfS3ptOwI+Vblb1\n" + "Kar8+4+7uMxbGY/RJ/gGIKGYibkpzicCAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB\n" + "/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBQwQRbMsvqKkRZUcTB+apR7e4Ll\n" + "1DAfBgNVHSMEGDAWgBR1lWzS3rLSrmdPPgma8JL4j1PJgzA9BgkqhkiG9w0BAQow\n" + "MKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgGiAwIB\n" + "MAOCAQEAnYZf5bo7ZtysyLO/3QjAM+o1IWXinH97XANEbs5oZOK/rQNLBIpOLaYp\n" + "YcnziJTEIqvy+7/KNwdjLcKZ4f5PBlDHBsr70XeJmMc+9/ZadY14BHZUEWNfBPx5\n" + "dZR55/g62CdermdCJEoY6XdIMqdTHrdwmBIS/7g/dciQt0+lrjanX14VLAVRUAIu\n" + "HMn5C4ZGeBDd8av3P+VIqdkFfpAYlZ5BsYqshel4pnAyhpUO5wTmY7cm78fqctyX\n" + "qmQ0PRLQXmlqrL2oJtlGcSWlT0u1bS0gJPpvszataCZhnX/O9x6yzzgeUpP4I/AR\n" + "KS4ZXRehFmQH4xS1eq5fmWiTzbvWHA==\n" "-----END CERTIFICATE-----\n", NULL, "-----BEGIN CERTIFICATE-----\n" - "MIIDeTCCAjGgAwIBAgIMWXnRYxvG34hjjASYMD0GCSqGSIb3DQEBCjAwoA0wCwYJ\n" - "YIZIAWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAMA8xDTAL\n" - "BgNVBAMTBENBLTAwIBcNMTcwNzI3MTE0MTIzWhgPOTk5OTEyMzEyMzU5NTlaMA8x\n" - "DTALBgNVBAMTBENBLTAwggFSMD0GCSqGSIb3DQEBCjAwoA0wCwYJYIZIAWUDBAIB\n" - "oRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIDAgFAA4IBDwAwggEKAoIBAQCw\n" - "/vJ8ccKv5ptzLvQjduQJ67JMAsizWhdkOlEy1idzXo/qjtEw6eqUJdcraF5Nzhon\n" - "HnXtioIvV2C3cYtauKO2rCKjlChiK59YaaeIbl521sSLRpFYhYIKkjOLHJePxHny\n" - "FTQEuF8b8CvrM8GsxIVZ9U+DRnxJdzhUiqxadnPpiXG/IrQRBjm/Abb8s/CG+Ny6\n" - "sEJBt9gDYfIfgDfbzeLu5zaPibi4N/+fYfToA7I8LXn7/AmsWAIjrY9rSOxdKJKw\n" - "H5C0Yd7myhtJY0EeHDl3Y3L+lwO/JkqxhRzIiZnIbxFcgeb9lZjeU94z/oi3mI7H\n" - "xzOk+D7IGgCkEBhfY53RAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P\n" - "AQH/BAUDAwcGADAdBgNVHQ4EFgQUZ97LfvATPRiWxwNOO+sxC5ig8VkwPQYJKoZI\n" - "hvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUD\n" - "BAIBogMCAUADggEBAH3ilegUORDk8WQ7sQWFsM1L3nnfGLlHAcac+P6vLnMCkkiD\n" - "bpzqKEfAvEnRnZhU9vMLJkv2vUNzqIaLalPveZx98yYAxDkjGbF3PU9Eesd+JYWd\n" - "aJQIqpFxMDgnAXhpny6JFnMS4PWqu8NDLukEXCeeC+asweChP4TubHTJYXVRlCPL\n" - "Xla2fDgaG3ZKAgoUo18Hmc+Ju/17jQxgVa+SUQW9AJL+87pUoaGP1lzwrRuZl4rr\n" - "kmuKVjoKukJ9BYIlz6RZ/8kZZtoCd7e84DJ+zEAd0/s9w5K6lzS0gpFDi/Yo23sr\n" - "6L6PwffJ42OdtgXobk6AlzKU5r3iQFdu4juNNQ0=\n" + "MIIDgTCCAjmgAwIBAgIUUVxp7I/ecuDCjWdn2Rng+TBNidUwPQYJKoZIhvcNAQEK\n" + "MDCgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMC\n" + "ATAwDzENMAsGA1UEAxMEQ0EtMDAgFw0xOTAyMTIyMDU0NTlaGA85OTk5MTIzMTIz\n" + "NTk1OVowDzENMAsGA1UEAxMEQ0EtMDCCAVIwPQYJKoZIhvcNAQEKMDCgDTALBglg\n" + "hkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCATADggEPADCC\n" + "AQoCggEBAMcPAwX89KK6Nz39xdQRbSy9Ax7XzKAqtmmIczRVTKqsdQh4bm/gDuD6\n" + "Edxjl02cISBLczWV13brINSBI+QX/eLPyBmGGzI4ryyJuP+1qc0NMjDAlfYw+kXF\n" + "NZz02W6svxvrrt26mKJ1F+K/bZE+s9XHN0DW+hifQBBr8HX3BWJ9g6yj6YPd55pm\n" + "kQQcVgRG3BG1EMkJGK4LNesGdJGTHy+uqgtcykrMjh25uhr0oTOG6UjVYjXalZ5o\n" + "rOqo6CV+uGPmJYW2pBOlAOmblMMXSHXhIAhRBY8+h01BCsCU5wlEfPIsvclP2gSG\n" + "RVbM/9XgS/+4yN0fD+oXgi5Jh6TCYz8CAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB\n" + "/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBR1lWzS3rLSrmdPPgma8JL4j1PJ\n" + "gzA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAaEaMBgGCSqGSIb3DQEBCDAL\n" + "BglghkgBZQMEAgGiAwIBMAOCAQEAqudvb92hfo7iAS63u902onL2XwhfS9IZtu3D\n" + "Lum78Q8nzhWf+YSls4/o8ln/Erv8LfrrhxoPEVpxQTPCbj/mmHez3hh+xrb0ZUVQ\n" + "pi5gE6kkkzzvL1VEMce85RLbm4AyVDl4onU2gaFXTxpMpKwBTZoKRbLcG2TsQgyW\n" + "Kgq+XnyT/1AC2vp4Ou8G1MIh5bkfetTeo2KJ3lmEVGoUh0k0diayDwaBgBDeX7hl\n" + "XvKrG/hhhWPVWNDXdQsiYYKVty76yM3vJiK9No1+jPZzNTv+pZaRqJiQ/ZaCICvC\n" + "uK/63Yrle+W/W1Jdj23/kSSL94ugw7PFwbqo2gPkECbG2Mk8pw==\n" "-----END CERTIFICATE-----\n" }; @@ -4120,7 +4125,7 @@ static struct { "rsa pss: invalid self sig - fail", rsa_pss_invalid_self_sig, &rsa_pss_invalid_self_sig[0], GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253}, { "rsa pss: invalid chain with pkcs#1 1.5 sig - fail", rsa_pss_invalid_chain_with_pkcs1_sig, &rsa_pss_invalid_chain_with_pkcs1_sig[2], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253}, { "rsa pss: invalid chain with wrong hash (sha384-sha256) - fail", rsa_pss_invalid_chain_with_wrong_hash, &rsa_pss_invalid_chain_with_wrong_hash[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501138253}, - { "rsa pss: smaller salt in sig than spki - fail", rsa_pss_chain_smaller_salt_in_sig_fail, &rsa_pss_chain_smaller_salt_in_sig_fail[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1501159136}, + { "rsa pss: smaller salt in sig than spki - fail", rsa_pss_chain_smaller_salt_in_sig_fail, &rsa_pss_chain_smaller_salt_in_sig_fail[3], 0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE, 0, 1550005473}, { "rsa pss: chain with sha1 hash - fail", rsa_pss_chain_with_sha1_fail, &rsa_pss_chain_with_sha1_fail[3], 0, GNUTLS_CERT_INVALID, 0, 1501159136}, { "rsa pss: chain with different mgf hash - fail", rsa_pss_chain_with_diff_mgf_oid_fail, &rsa_pss_chain_with_diff_mgf_oid_fail[3], 0, GNUTLS_CERT_INVALID, 0, 1501159136}, { "rsa pss: chain with sha256 - ok", rsa_pss_chain_sha256_ok, &rsa_pss_chain_sha256_ok[3], 0, 0, 0, 1501138253}, diff --git a/tests/tls-record-size-limit.c b/tests/tls-record-size-limit.c index 8c9729719f..8346ee56d9 100644 --- a/tests/tls-record-size-limit.c +++ b/tests/tls-record-size-limit.c @@ -52,9 +52,10 @@ #define HANDSHAKE_SESSION_ID_POS 34 -static size_t max_record_size; +static size_t server_max_send_size; +static size_t client_max_send_size; -#define SERVER_PUSH_ADD if (len > max_record_size + 5+32) fail("max record set to %d, len: %d\n", (int)max_record_size, (int)len); +#define SERVER_PUSH_ADD if (len > server_max_send_size + 5+32) fail("max record set to %d, len: %d\n", (int)server_max_send_size, (int)len); #include "eagain-common.h" #include "cert-common.h" @@ -136,22 +137,23 @@ static int handshake_callback(gnutls_session_t session, unsigned int htype, #define MAX_BUF 16384 static char buffer[MAX_BUF]; -struct test_ext_st { +struct test_exp_st { + int error; + size_t size; bool max_record_size; bool record_size_limit; }; struct test_st { const char *prio; - size_t max_size; + size_t server_max_size; + size_t client_max_size; - int expect_error; - size_t expect_size; - struct test_ext_st expect_server_ext; - struct test_ext_st expect_client_ext; + struct test_exp_st server_exp; + struct test_exp_st client_exp; }; -static void check_exts(const struct test_ext_st *exp, +static void check_exts(const struct test_exp_st *exp, struct handshake_cb_data_st *data) { if (exp->max_record_size && !data->found_max_record_size) @@ -198,6 +200,15 @@ static void start(const struct test_st *test) serverx509cred); gnutls_priority_set_direct(server, test->prio, NULL); + + ret = gnutls_record_set_max_size(server, test->server_max_size); + if (ret != test->server_exp.error) + fail("server: unexpected error from gnutls_record_set_max_size()"); + if (ret == 0) + server_max_send_size = test->server_max_size; + else + server_max_send_size = MAX_BUF; + gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_pull_timeout_function(server, @@ -233,13 +244,13 @@ static void start(const struct test_st *test) if (ret < 0) exit(1); - ret = gnutls_record_set_max_size(client, test->max_size); - if (ret != test->expect_error) - fail("unexpected error from gnutls_record_set_max_size()"); + ret = gnutls_record_set_max_size(client, test->client_max_size); + if (ret != test->client_exp.error) + fail("client: unexpected error from gnutls_record_set_max_size()"); if (ret == 0) - max_record_size = test->max_size; + client_max_send_size = test->client_max_size; else - max_record_size = MAX_BUF; + client_max_send_size = MAX_BUF; gnutls_transport_set_push_function(client, client_push); gnutls_transport_set_pull_function(client, client_pull); @@ -256,22 +267,39 @@ static void start(const struct test_st *test) HANDSHAKE(client, server); memset(buffer, 1, sizeof(buffer)); - ret = gnutls_record_send(server, buffer, max_record_size + 1); + ret = gnutls_record_send(server, buffer, server_max_send_size + 1); if (ret < 0) { gnutls_perror(ret); exit(1); } - if (ret != (int)test->expect_size) - fail("unexpected record size sent: %d (%d)\n", - ret, (int)test->expect_size); - success("did not send a %d-byte packet\n", (int)max_record_size + 1); + if (ret != (int)test->server_exp.size) + fail("server: unexpected record size sent: %d (%d)\n", + ret, (int)test->server_exp.size); + success("server: did not send a %d-byte packet\n", (int)server_max_send_size + 1); - ret = gnutls_record_send(server, buffer, max_record_size); + ret = gnutls_record_send(server, buffer, server_max_send_size); if (ret < 0) { gnutls_perror(ret); exit(1); } - success("did send a %d-byte packet\n", (int)max_record_size); + success("server: did send a %d-byte packet\n", (int)server_max_send_size); + + ret = gnutls_record_send(client, buffer, client_max_send_size + 1); + if (ret < 0) { + gnutls_perror(ret); + exit(1); + } + if (ret != (int)test->client_exp.size) + fail("client: unexpected record size sent: %d (%d)\n", + ret, (int)test->client_exp.size); + success("client: did not send a %d-byte packet\n", (int)client_max_send_size + 1); + + ret = gnutls_record_send(client, buffer, client_max_send_size); + if (ret < 0) { + gnutls_perror(ret); + exit(1); + } + success("client: did send a %d-byte packet\n", (int)client_max_send_size); gnutls_bye(client, GNUTLS_SHUT_RDWR); gnutls_bye(server, GNUTLS_SHUT_RDWR); @@ -286,79 +314,94 @@ static void start(const struct test_st *test) reset_buffers(); - check_exts(&test->expect_server_ext, + check_exts(&test->server_exp, &server_handshake_cb_data); - check_exts(&test->expect_client_ext, + check_exts(&test->client_exp, &client_handshake_cb_data); } static const struct test_st tests[] = { { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2", - .max_size = 511, - .expect_error = GNUTLS_E_INVALID_REQUEST, - .expect_size = 16384, - .expect_server_ext = { + .server_max_size = 511, + .client_max_size = 511, + .server_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2", - .max_size = 512, - .expect_error = 0, - .expect_size = 512, - .expect_server_ext = { + .server_max_size = 512, + .client_max_size = 512, + .server_exp = { + .error = 0, + .size = 512, .max_record_size = 1, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = 0, + .size = 512, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2", - .max_size = 8192, - .expect_error = 0, - .expect_size = 8192, - .expect_server_ext = { + .server_max_size = 8192, + .client_max_size = 8192, + .server_exp = { + .error = 0, + .size = 8192, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = 0, + .size = 8192, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2", - .max_size = 16384, - .expect_error = 0, - .expect_size = 16384, - .expect_server_ext = { + .server_max_size = 16384, + .client_max_size = 16384, + .server_exp = { + .error = 0, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = 0, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.2", - .max_size = 16385, - .expect_error = GNUTLS_E_INVALID_REQUEST, - .expect_size = 16384, - .expect_server_ext = { + .server_max_size = 16385, + .client_max_size = 16385, + .server_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 } @@ -366,70 +409,102 @@ static const struct test_st tests[] = { { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", - .max_size = 511, - .expect_error = GNUTLS_E_INVALID_REQUEST, - .expect_size = 16384, - .expect_server_ext = { + .server_max_size = 511, + .client_max_size = 511, + .server_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 } - }, + }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", - .max_size = 512, - .expect_error = 0, - .expect_size = 512, - .expect_server_ext = { + .server_max_size = 512, + .client_max_size = 512, + .server_exp = { + .error = 0, + .size = 512, .max_record_size = 1, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = 0, + .size = 512, + .max_record_size = 0, + .record_size_limit = 1 + } + }, + { + .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", + .server_max_size = 8192, + .client_max_size = 8192, + .server_exp = { + .error = 0, + .size = 8192, + .max_record_size = 0, + .record_size_limit = 1 + }, + .client_exp = { + .error = 0, + .size = 8192, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", - .max_size = 8192, - .expect_error = 0, - .expect_size = 8192, - .expect_server_ext = { + .server_max_size = 16384, + .client_max_size = 16384, + .server_exp = { + .error = 0, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = 0, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", - .max_size = 16384, - .expect_error = 0, - .expect_size = 16384, - .expect_server_ext = { + .server_max_size = 16383, + .client_max_size = 16384, + .server_exp = { + .error = 0, + .size = 16383, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = 0, + .size = 16383, .max_record_size = 0, .record_size_limit = 1 } }, { .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", - .max_size = 16385, - .expect_error = GNUTLS_E_INVALID_REQUEST, - .expect_size = 16384, - .expect_server_ext = { + .server_max_size = 16385, + .client_max_size = 16385, + .server_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 }, - .expect_client_ext = { + .client_exp = { + .error = GNUTLS_E_INVALID_REQUEST, + .size = 16384, .max_record_size = 0, .record_size_limit = 1 } diff --git a/tests/tls13/prf.c b/tests/tls13/prf.c index 75daff59d4..fda8ce6843 100644 --- a/tests/tls13/prf.c +++ b/tests/tls13/prf.c @@ -130,10 +130,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size) } \ } -#define KEY_EXP_VALUE "\xfb\xcb\x96\x87\x8c\x64\x8b\x60\xef\xdc\x76\xb0\x7c\x3b\xd1\x50\x1e\xb1\x3f\x39\xb2\x20\x74\x2c\xb2\x76\x12\x9f\xfc\xad\xb9\xce\x1d\x9a" -#define HELLO_VALUE "\x61\x32\x14\x81\x9b\xa0\x43\xcd\x39\xbf\x63\x18\x7c\xb7\xf3\x02\x65\xab\x2c\xa4\xaf\xbc\x1c\x7a\x1d\xa4\xc5\x28\x8f\x45\x68" -#define CONTEXT_VALUE "\xa7\x3c\xa7\x59\x94\x33\xb4\x97\x90\x92\x8c\xe2\x39\xda\x56\x42\x4a\xeb\xeb\xab\x73\xc4\x20\xf0\x34\x4f\xda\xf8\x17\xf5\xbd" -#define NULL_CONTEXT_VALUE "\x66\xa1\x0a\xcb\xfa\x28\x85\x79\xa3\x30\xeb\xc5\xd5\x50\x62\xdd\xb4\x9c\xa7\x0b\x0b\xe0\x28\x03\x18\xfb\x32\x3d\x37\xf2\xe5" +#define KEY_EXP_VALUE "\xec\x26\x9e\x8c\x5f\xff\x5c\xb2\x60\x4f\x82\xe7\x6b\xb9\x70\x40\xb9\x2d\x2f\xe7\x41\xa8\xe7\xfa\x03\x7c\xe8\x6d\xfa\xda\xc2\xa9\x3f\x58" +#define HELLO_VALUE "\xd4\x74\x4a\x09\x28\x0a\x99\xb9\xa4\x5b\x51\x5b\x80\xe7\x50\x1c\x16\xca\x57\x78\xf0\xe5\xa1\x94\x6b\x20\x2b\x14\xff\x2b\x53" +#define CONTEXT_VALUE "\x8d\xde\xea\x58\xab\x90\xaf\x6c\x5c\x7a\x69\xbf\x8a\xd2\x16\xb4\x0f\x75\xb8\x63\xdb\x86\xe7\x66\x04\x59\xac\x57\xe0\x03\x37" +#define NULL_CONTEXT_VALUE "\x6c\x1a\x10\x1f\xa9\x5a\xfd\xcd\xf4\xcf\x27\x09\x00\xa8\xca\x8e\x8a\x56\xfb\x80\xf0\x0d\xb3\xa6\xe9\x4a\x5f\xe0\x0c\x31\xd9" static void check_prfs(gnutls_session_t session) { unsigned char key_material[512]; diff --git a/tests/tls13/rnd-check-rollback-val.c b/tests/tls13/rnd-check-rollback-val.c index f573596c5e..6b7adafcb5 100644 --- a/tests/tls13/rnd-check-rollback-val.c +++ b/tests/tls13/rnd-check-rollback-val.c @@ -89,6 +89,8 @@ static void client(int fd) gnutls_certificate_credentials_t x509_cred; gnutls_session_t session; gnutls_datum_t srandom; + unsigned try = 0; + gnutls_datum_t session_data = { NULL, 0 }; global_init(); @@ -102,6 +104,7 @@ static void client(int fd) &cli_ca3_key, GNUTLS_X509_FMT_PEM); + retry: /* Initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); @@ -112,6 +115,9 @@ static void client(int fd) if (ret < 0) fail("cannot set TLS priorities\n"); + if (try > 0) + gnutls_session_set_data(session, session_data.data, session_data.size); + /* put the anonymous credentials to the current session */ gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); @@ -129,6 +135,9 @@ static void client(int fd) fail("error in handshake: %s\n", gnutls_strerror(ret)); } + if (try > 0) + assert(gnutls_session_is_resumed(session)); + gnutls_session_get_random(session, NULL, &srandom); if (srandom.size != 32) @@ -147,10 +156,28 @@ static void client(int fd) fail("unexpected random data for %s\n", name); } - close(fd); + do { + ret = gnutls_record_send(session, "\x00", 1); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (try == 0) { + ret = gnutls_session_get_data2(session, &session_data); + if (ret < 0) + fail("couldn't retrieve session data: %s\n", + gnutls_strerror(ret)); + } gnutls_deinit(session); + if (try == 0) { + try++; + goto retry; + } + + close(fd); + + gnutls_free(session_data.data); + gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); @@ -162,6 +189,9 @@ static void server(int fd) int ret; gnutls_session_t session; gnutls_certificate_credentials_t x509_cred; + gnutls_datum_t skey; + unsigned try = 0; + unsigned char buf[16]; /* this must be called once in the program */ @@ -177,6 +207,9 @@ static void server(int fd) &server_key, GNUTLS_X509_FMT_PEM); + assert(gnutls_session_ticket_key_generate(&skey) >= 0); + + retry: gnutls_init(&session, GNUTLS_SERVER); gnutls_handshake_set_timeout(session, 20 * 1000); @@ -185,6 +218,8 @@ static void server(int fd) gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); + assert(gnutls_session_ticket_enable_server(session, &skey) >= 0); + gnutls_transport_set_int(session, fd); do { @@ -197,9 +232,26 @@ static void server(int fd) if (ret < 0) fail("error in handshake: %s\n", gnutls_strerror(ret)); - close(fd); + if (try > 0) + assert(gnutls_session_is_resumed(session)); + + do { + ret = gnutls_record_recv(session, buf, sizeof(buf)); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret < 0) + fail("server: recv did not succeed as expected: %s\n", gnutls_strerror(ret)); + gnutls_deinit(session); + if (try == 0) { + try++; + goto retry; + } + + close(fd); + + gnutls_free(skey.data); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); |