From: Nikos Mavrogiannopoulos Date: Sun, 14 Jul 2019 20:27:50 +0000 (+0200) Subject: Fixed alerts returned on TLS1.3 corner cases X-Git-Tag: gnutls_3_6_9~7^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b3ca79d87ad1f324996a63a4b277649fbe53d2ee;p=thirdparty%2Fgnutls.git Fixed alerts returned on TLS1.3 corner cases This enables the tls-fuzzer tests 'test-tls13-certificate-verify.py'. Resolves: #682 Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/lib/alert.c b/lib/alert.c index 047c976d1b..cfd1205d01 100644 --- a/lib/alert.c +++ b/lib/alert.c @@ -227,6 +227,7 @@ int gnutls_error_to_alert(int err, int *level) case GNUTLS_E_PK_INVALID_PUBKEY: case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM: case GNUTLS_E_RECEIVED_DISALLOWED_NAME: + case GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY: ret = GNUTLS_A_ILLEGAL_PARAMETER; _level = GNUTLS_AL_FATAL; break; diff --git a/lib/tls13-sig.c b/lib/tls13-sig.c index aee15eaf87..61f9d58209 100644 --- a/lib/tls13-sig.c +++ b/lib/tls13-sig.c @@ -72,7 +72,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session, ret = _gnutls_session_sign_algo_enabled(session, se->id); if (ret < 0) - return gnutls_assert_val(ret); + return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); if (se->tls13_ok == 0) /* explicitly prohibited */ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); diff --git a/lib/tls13/certificate_verify.c b/lib/tls13/certificate_verify.c index 7300f88f5d..6c3617c026 100644 --- a/lib/tls13/certificate_verify.c +++ b/lib/tls13/certificate_verify.c @@ -85,7 +85,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session) se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], get_version(session)); if (se == NULL) { _gnutls_handshake_log("Found unsupported signature (%d.%d)\n", (int)buf.data[0], (int)buf.data[1]); - ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); + ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); goto cleanup; } diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json index c2b28c5569..f0443d8a7d 100644 --- a/tests/suite/tls-fuzzer/gnutls-cert.json +++ b/tests/suite/tls-fuzzer/gnutls-cert.json @@ -9,6 +9,20 @@ "server_hostname": "localhost", "server_port": @PORT@, "tests" : [ + {"name" : "test-tls13-certificate-verify.py", + "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)", + "arguments" : ["-k", "tests/clientX509Key.pem", + "-c", "tests/clientX509Cert.pem", + "-n", "10", + "-e", "check sigalgs in cert request", + "-p", "@PORT@"]}, + {"name" : "test-tls13-certificate-verify.py", + "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)", + "arguments" : ["-k", "tests/clientRSAPSSKey.pem", + "-c", "tests/clientRSAPSSCert.pem", + "-n", "10", + "-e", "check sigalgs in cert request", + "-p", "@PORT@"]}, {"name": "test-rsa-sigs-on-certificate-verify.py", "arguments" : ["-k", "tests/clientX509Key.pem", "-c", "tests/clientX509Cert.pem", @@ -45,6 +59,15 @@ "-n", "100", "-p", "@PORT@"] }, + {"name" : "test-rsa-pss-sigs-on-certificate-verify.py", + "comment": "tlsfuzzer doesn't know ed25519 scheme which we advertise", + "arguments" : ["-k", "tests/clientRSAPSSKey.pem", + "-c", "tests/clientRSAPSSCert.pem", + "-e", "check CertificateRequest sigalgs", + "--illegpar", + "-n", "100", + "-p", "@PORT@"] + }, {"name": "test-certificate-malformed.py", "comment" : "tlsfuzzer doesn't like the alerts we send", "arguments" : ["-k", "tests/clientX509Key.pem",