gnutls_pk_algorithm_t pk;
gnutls_digest_algorithm_t hash;
+ /* if non-zero it must be the algorithm of the
+ * private key used or certificate. This is for algorithms
+ * which can have a different public key type than the
+ * private key (e.g., RSA PKCS#1 1.5 certificate, but
+ * an RSA-PSS private key, or an RSA private key and
+ * an RSA-PSS certificate). */
+ gnutls_pk_algorithm_t priv_pk;
+ gnutls_pk_algorithm_t cert_pk;
+
+ /* non-zero if it is ok to use under TLS1.3 */
+ unsigned tls13_ok;
+
/* if this signature algorithm is restricted to a curve
* under TLS 1.3. */
gnutls_ecc_curve_t curve;
const gnutls_sign_entry_st *_gnutls_pk_to_sign_entry(gnutls_pk_algorithm_t pk, gnutls_digest_algorithm_t hash);
const gnutls_sign_entry_st *_gnutls_oid_to_sign_entry(const char *oid);
+/* returns true if that signature can be generated
+ * from the given private key algorithm. */
+inline static unsigned
+sign_supports_priv_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
+{
+ if (pk == se->pk || (se->priv_pk && se->priv_pk == pk))
+ return 1;
+
+ return 0;
+}
+
+/* returns true if that signature can be verified with
+ * the given public key algorithm. */
+inline static unsigned
+sign_supports_cert_pk_algorithm(const gnutls_sign_entry_st *se, gnutls_pk_algorithm_t pk)
+{
+ if (pk == se->pk || (se->cert_pk && se->cert_pk == pk))
+ return 1;
+
+ return 0;
+}
+
bool _gnutls_sign_is_secure2(const gnutls_sign_entry_st *se, unsigned int flags);
gnutls_pk_algorithm_t _gnutls_x509_sign_to_pk(gnutls_sign_algorithm_t
# define SHA1_SECURE_VAL _INSECURE_FOR_CERTS
#endif
-/* Signature algorithms may be listed twice with a different PK algorithm,
- * e.g., RSA-PSS-SHA256 can be generated by GNUTLS_PK_RSA or GNUTLS_PK_RSA_PSS.
- */
static const gnutls_sign_entry_st sign_algorithms[] = {
/* RSA-PKCS#1 1.5: must be before PSS,
* so that gnutls_pk_to_sign() will return
.oid = PK_PKIX1_RSA_PSS_OID,
.id = GNUTLS_SIGN_RSA_PSS_SHA256,
.pk = GNUTLS_PK_RSA_PSS,
+ .priv_pk = GNUTLS_PK_RSA, /* PKCS#11 doesn't separate RSA from RSA-PSS privkeys */
.hash = GNUTLS_DIG_SHA256,
- .aid = {{8, 4}, SIG_SEM_DEFAULT}},
- {.name = "RSA-PSS-SHA256",
+ .tls13_ok = 1,
+ .aid = {{8, 9}, SIG_SEM_DEFAULT}},
+ {.name = "RSA-PSS-RSAE-SHA256",
.oid = PK_PKIX1_RSA_PSS_OID,
- .id = GNUTLS_SIGN_RSA_PSS_SHA256,
- .pk = GNUTLS_PK_RSA,
+ .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
+ .pk = GNUTLS_PK_RSA_PSS,
+ .cert_pk = GNUTLS_PK_RSA,
+ .priv_pk = GNUTLS_PK_RSA,
.hash = GNUTLS_DIG_SHA256,
+ .tls13_ok = 1,
.aid = {{8, 4}, SIG_SEM_DEFAULT}},
{.name = "RSA-PSS-SHA384",
.oid = PK_PKIX1_RSA_PSS_OID,
.id = GNUTLS_SIGN_RSA_PSS_SHA384,
.pk = GNUTLS_PK_RSA_PSS,
+ .priv_pk = GNUTLS_PK_RSA,
.hash = GNUTLS_DIG_SHA384,
- .aid = {{8, 5}, SIG_SEM_DEFAULT}},
- {.name = "RSA-PSS-SHA384",
+ .tls13_ok = 1,
+ .aid = {{8, 0x0A}, SIG_SEM_DEFAULT}},
+ {.name = "RSA-PSS-RSAE-SHA384",
.oid = PK_PKIX1_RSA_PSS_OID,
- .id = GNUTLS_SIGN_RSA_PSS_SHA384,
- .pk = GNUTLS_PK_RSA,
+ .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
+ .pk = GNUTLS_PK_RSA_PSS,
+ .cert_pk = GNUTLS_PK_RSA,
+ .priv_pk = GNUTLS_PK_RSA,
.hash = GNUTLS_DIG_SHA384,
+ .tls13_ok = 1,
.aid = {{8, 5}, SIG_SEM_DEFAULT}},
{.name = "RSA-PSS-SHA512",
.oid = PK_PKIX1_RSA_PSS_OID,
.id = GNUTLS_SIGN_RSA_PSS_SHA512,
.pk = GNUTLS_PK_RSA_PSS,
+ .priv_pk = GNUTLS_PK_RSA,
.hash = GNUTLS_DIG_SHA512,
- .aid = {{8, 6}, SIG_SEM_DEFAULT}},
- {.name = "RSA-PSS-SHA512",
+ .tls13_ok = 1,
+ .aid = {{8, 0x0B}, SIG_SEM_DEFAULT}},
+ {.name = "RSA-PSS-RSAE-SHA512",
.oid = PK_PKIX1_RSA_PSS_OID,
- .id = GNUTLS_SIGN_RSA_PSS_SHA512,
- .pk = GNUTLS_PK_RSA,
+ .id = GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
+ .pk = GNUTLS_PK_RSA_PSS,
+ .cert_pk = GNUTLS_PK_RSA,
+ .priv_pk = GNUTLS_PK_RSA,
.hash = GNUTLS_DIG_SHA512,
+ .tls13_ok = 1,
.aid = {{8, 6}, SIG_SEM_DEFAULT}},
/* Ed25519: The hash algorithm here is set to be SHA512, although that is
.id = GNUTLS_SIGN_EDDSA_ED25519,
.pk = GNUTLS_PK_EDDSA_ED25519,
.hash = GNUTLS_DIG_SHA512,
+ .tls13_ok = 1,
.aid = {{8, 7}, SIG_SEM_DEFAULT}},
/* ECDSA */
.pk = GNUTLS_PK_ECDSA,
.curve = GNUTLS_ECC_CURVE_SECP256R1,
.hash = GNUTLS_DIG_SHA256,
+ .tls13_ok = 1,
.aid = {{4, 3}, SIG_SEM_TLS13}},
{.name = "ECDSA-SECP384R1-SHA384",
.id = GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
.pk = GNUTLS_PK_ECDSA,
.curve = GNUTLS_ECC_CURVE_SECP384R1,
.hash = GNUTLS_DIG_SHA384,
+ .tls13_ok = 1,
.aid = {{5, 3}, SIG_SEM_TLS13}},
{.name = "ECDSA-SECP521R1-SHA512",
.id = GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
.pk = GNUTLS_PK_ECDSA,
.curve = GNUTLS_ECC_CURVE_SECP521R1,
.hash = GNUTLS_DIG_SHA512,
+ .tls13_ok = 1,
.aid = {{6, 3}, SIG_SEM_TLS13}},
/* ECDSA-SHA3 */
* @pk: is a public key algorithm
*
* This function returns non-zero if the public key algorithm corresponds to
- * the given signature algorithm.
+ * the given signature algorithm. That is, if that signature can be generated
+ * from the given private key algorithm.
*
* Since: 3.6.0
*
unsigned
gnutls_sign_supports_pk_algorithm(gnutls_sign_algorithm_t sign, gnutls_pk_algorithm_t pk)
{
- GNUTLS_SIGN_LOOP( if(p->id && p->id == sign && pk == p->pk) { return 1; } );
+ const gnutls_sign_entry_st *p;
+ unsigned r;
+
+ for(p = sign_algorithms; p->name != NULL; p++) {
+ if (p->id && p->id == sign) {
+ r = sign_supports_priv_pk_algorithm(p, pk);
+ if (r != 0)
+ return r;
+ }
+ }
return 0;
}
sig_ext_st *priv;
gnutls_ext_priv_data_t epriv;
unsigned int cert_algo;
+ const gnutls_sign_entry_st *se;
if (unlikely(ver == NULL))
return gnutls_assert_val(GNUTLS_SIGN_UNKNOWN);
return ret;
}
+
+
for (i = 0; i < priv->sign_algorithms_size; i++) {
- _gnutls_handshake_log("checking cert compat with %s\n", gnutls_sign_algorithm_get_name(priv->sign_algorithms[i]));
+ se = _gnutls_sign_to_entry(priv->sign_algorithms[i]);
+ if (se == NULL)
+ continue;
+
+ _gnutls_handshake_log("checking cert compat with %s\n", se->name);
if (_gnutls_privkey_compatible_with_sig(privkey, priv->sign_algorithms[i]) == 0)
continue;
- if (gnutls_sign_supports_pk_algorithm(priv->sign_algorithms[i], cert_algo) != 0) {
+ if (sign_supports_cert_pk_algorithm(se, cert_algo) != 0) {
if (_gnutls_pubkey_compatible_with_sig
- (session, cert->pubkey, ver,
- priv->sign_algorithms[i]) < 0)
+ (session, cert->pubkey, ver, se->id) < 0)
continue;
if (_gnutls_session_sign_algo_enabled
- (session, priv->sign_algorithms[i]) < 0)
+ (session, se->id) < 0)
continue;
- return priv->sign_algorithms[i];
+ return se->id;
}
}
* using algorithms we don't always enable by default (e.g., DSA-SHA1),
* continue and sign with it. */
if (client_cert) {
- _gnutls_audit_log(session, "No shared signature schemes with peer for client certificate (%s). Is the certificate a legacy one?",
+ _gnutls_audit_log(session, "No shared signature schemes with peer for client certificate (%s). Is the certificate a legacy one?\n",
gnutls_pk_get_name(cert_algo));
}
if (ver->tls13_sem) {
/* disallow RSA, DSA, and SHA1 */
const gnutls_sign_entry_st *se;
+
se = _gnutls_sign_to_entry(sig);
- if (se == NULL || se->pk == GNUTLS_PK_RSA || se->pk == GNUTLS_PK_DSA || se->hash == GNUTLS_DIG_SHA1) {
+ if (se == NULL || (se->tls13_ok == 0)) {
gnutls_assert();
goto disallowed;
}
* @GNUTLS_SIGN_RSA_SHA3_256: Digital signature algorithm RSA with SHA3-256.
* @GNUTLS_SIGN_RSA_SHA3_384: Digital signature algorithm RSA with SHA3-384.
* @GNUTLS_SIGN_RSA_SHA3_512: Digital signature algorithm RSA with SHA3-512.
- * @GNUTLS_SIGN_RSA_PSS_SHA256: Digital signature algorithm RSA with SHA-256, with PSS padding.
- * @GNUTLS_SIGN_RSA_PSS_SHA384: Digital signature algorithm RSA with SHA-384, with PSS padding.
- * @GNUTLS_SIGN_RSA_PSS_SHA512: Digital signature algorithm RSA with SHA-512, with PSS padding.
+ * @GNUTLS_SIGN_RSA_PSS_RSAE_SHA256: Digital signature algorithm RSA with SHA-256,
+ * with PSS padding (RSA PKCS#1 1.5 certificate). This signature is identical
+ * to #GNUTLS_SIGN_RSA_PSS_SHA256, but they are distinct as the TLS1.3 protocol
+ * treats them differently.
+ * @GNUTLS_SIGN_RSA_PSS_RSAE_SHA384: Digital signature algorithm RSA with SHA-384,
+ * with PSS padding (RSA PKCS#1 1.5 certificate). This signature is identical
+ * to #GNUTLS_SIGN_RSA_PSS_SHA384, but they are distinct as the TLS1.3 protocol
+ * treats them differently.
+ * @GNUTLS_SIGN_RSA_PSS_RSAE_SHA512: Digital signature algorithm RSA with SHA-512,
+ * with PSS padding (RSA PKCS#1 1.5 certificate). This signature is identical
+ * to #GNUTLS_SIGN_RSA_PSS_SHA512, but they are distinct as the TLS1.3 protocol
+ * treats them differently.
+ * @GNUTLS_SIGN_RSA_PSS_SHA256: Digital signature algorithm RSA with SHA-256, with PSS padding (RSA-PSS certificate).
+ * @GNUTLS_SIGN_RSA_PSS_SHA384: Digital signature algorithm RSA with SHA-384, with PSS padding (RSA-PSS certificate).
+ * @GNUTLS_SIGN_RSA_PSS_SHA512: Digital signature algorithm RSA with SHA-512, with PSS padding (RSA-PSS certificate).
* @GNUTLS_SIGN_EDDSA_ED25519: Digital signature algorithm EdDSA with Ed25519 curve.
*
* Enumeration of different digital signature algorithms.
GNUTLS_SIGN_ECDSA_SECP256R1_SHA256 = 37,
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384 = 38,
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512 = 39,
- GNUTLS_SIGN_MAX = GNUTLS_SIGN_ECDSA_SECP521R1_SHA512
+
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256 = 40,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA384 = 41,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA512 = 42,
+ GNUTLS_SIGN_MAX = GNUTLS_SIGN_RSA_PSS_RSAE_SHA512
} gnutls_sign_algorithm_t;
/**
static const int _sign_priority_default[] = {
GNUTLS_SIGN_RSA_SHA256,
GNUTLS_SIGN_RSA_PSS_SHA256,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
GNUTLS_SIGN_ECDSA_SHA256,
GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
GNUTLS_SIGN_RSA_SHA384,
GNUTLS_SIGN_RSA_PSS_SHA384,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
GNUTLS_SIGN_ECDSA_SHA384,
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
GNUTLS_SIGN_RSA_SHA512,
GNUTLS_SIGN_RSA_PSS_SHA512,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
GNUTLS_SIGN_ECDSA_SHA512,
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
static const int _sign_priority_secure128[] = {
GNUTLS_SIGN_RSA_SHA256,
GNUTLS_SIGN_RSA_PSS_SHA256,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
GNUTLS_SIGN_ECDSA_SHA256,
GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
GNUTLS_SIGN_EDDSA_ED25519,
GNUTLS_SIGN_RSA_SHA384,
GNUTLS_SIGN_RSA_PSS_SHA384,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
GNUTLS_SIGN_ECDSA_SHA384,
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
GNUTLS_SIGN_RSA_SHA512,
GNUTLS_SIGN_RSA_PSS_SHA512,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
GNUTLS_SIGN_ECDSA_SHA512,
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
static const int _sign_priority_secure192[] = {
GNUTLS_SIGN_RSA_SHA384,
GNUTLS_SIGN_RSA_PSS_SHA384,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA384,
GNUTLS_SIGN_ECDSA_SHA384,
GNUTLS_SIGN_ECDSA_SECP384R1_SHA384,
GNUTLS_SIGN_RSA_SHA512,
GNUTLS_SIGN_RSA_PSS_SHA512,
+ GNUTLS_SIGN_RSA_PSS_RSAE_SHA512,
GNUTLS_SIGN_ECDSA_SHA512,
GNUTLS_SIGN_ECDSA_SECP521R1_SHA512,
{
int ret;
gnutls_x509_spki_st params;
- const gnutls_sign_entry_st *e;
+ const gnutls_sign_entry_st *se;
if (flags & GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- e = _gnutls_sign_to_entry(algo);
- if (e == NULL)
+ se = _gnutls_sign_to_entry(algo);
+ if (se == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
ret = _gnutls_privkey_get_spki_params(signer, ¶ms);
return ret;
}
- ret = _gnutls_privkey_update_spki_params(signer, e->pk, e->hash,
+ ret = _gnutls_privkey_update_spki_params(signer, se->pk, se->hash,
flags, ¶ms);
if (ret < 0) {
gnutls_assert();
return ret;
}
- return privkey_sign_and_hash_data(signer, _gnutls_sign_to_entry(algo), data, signature, ¶ms);
+ return privkey_sign_and_hash_data(signer, se, data, signature, ¶ms);
}
/**
* and RSA keys which cannot do RSA-PSS (e.g., smart card) from
* negotiating RSA-PSS sig.
*/
- if (privkey->pk_algorithm == GNUTLS_PK_RSA_PSS && se->pk != GNUTLS_PK_RSA_PSS) {
+
+ if (se->pk != privkey->pk_algorithm) { /* if the PK algorithm of the signature differs to the one on the pubkey */
+ if (!sign_supports_priv_pk_algorithm(se, privkey->pk_algorithm)) {
+ _gnutls_handshake_log("cannot use privkey of %s with %s\n",
+ gnutls_pk_get_name(privkey->pk_algorithm), se->name);
return 0;
+ }
}
if (privkey->type == GNUTLS_PRIVKEY_EXT) {
unsigned bits;
if (se->pk != key_params->algo) {
- if (!gnutls_sign_supports_pk_algorithm(se->id, key_params->algo)) {
+ if (!sign_supports_priv_pk_algorithm(se, key_params->algo)) {
_gnutls_debug_log("have key: %s/%d, with sign %s/%d\n",
gnutls_pk_get_name(key_params->algo), key_params->algo,
se->name, se->id);
gnutls_ecc_curve_t curve = pubkey->params.curve;
if (curve != se->curve) {
- _gnutls_debug_log("have key: ECDSA with %s/%d, with sign %s/%d\n",
+ _gnutls_handshake_log("have key: ECDSA with %s/%d, with sign %s/%d\n",
gnutls_ecc_curve_get_name(curve), (int)curve,
se->name, se->id);
return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
}
if (se->pk != pubkey->params.algo) { /* if the PK algorithm of the signature differs to the one on the pubkey */
- if (!gnutls_sign_supports_pk_algorithm(se->id, pubkey->params.algo)) {
- _gnutls_debug_log("have key: %s/%d, with sign %s/%d\n",
+ if (!sign_supports_priv_pk_algorithm(se, pubkey->params.algo)) {
+ _gnutls_handshake_log("have key: %s/%d, with sign %s/%d\n",
gnutls_pk_get_name(pubkey->params.algo), pubkey->params.algo,
se->name, se->id);
return gnutls_assert_val(GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY);
("HSK[%p]: signing TLS 1.2 handshake data: using %s\n", session,
gnutls_sign_algorithm_get_name(sign_algo));
+ if (unlikely(gnutls_sign_supports_pk_algorithm(sign_algo, pkey->pk_algorithm) == 0))
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
dconcat.size = GNUTLS_RANDOM_SIZE*2 + params->size;
dconcat.data = gnutls_malloc(dconcat.size);
if (dconcat.data == NULL)
const mac_entry_st *me;
gnutls_pk_algorithm_t pk_algo;
- if (gnutls_privkey_get_pk_algorithm(pkey, NULL) == GNUTLS_PK_RSA)
+ pk_algo = gnutls_privkey_get_pk_algorithm(pkey, NULL);
+ if (pk_algo == GNUTLS_PK_RSA)
me = hash_to_entry(GNUTLS_DIG_MD5_SHA1);
else
me = hash_to_entry(
if (me == NULL)
return gnutls_assert_val(GNUTLS_E_UNKNOWN_HASH_ALGORITHM);
+ if (unlikely(gnutls_sign_supports_pk_algorithm(sign_algo, pk_algo) == 0))
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
pk_algo = gnutls_sign_get_pk_algorithm(sign_algo);
if (pk_algo == GNUTLS_PK_UNKNOWN)
return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
/*
- * Copyright (C) 2017 Red Hat, Inc.
+ * Copyright (C) 2017-2018 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
if (ret < 0)
return gnutls_assert_val(ret);
+ if (unlikely(sign_supports_cert_pk_algorithm(se, cert->pubkey->params.algo) == 0)) {
+ _gnutls_handshake_log("HSK[%p]: certificate of %s cannot be combined with %s sig\n",
+ session, gnutls_pk_get_name(cert->pubkey->params.algo), se->name);
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+ }
+
ret =
_gnutls_session_sign_algo_enabled(session, se->id);
if (ret < 0)
return gnutls_assert_val(ret);
- if (se->hash == GNUTLS_DIG_SHA1) /* explicitly prohibited */
- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
- if (se->pk == GNUTLS_PK_RSA) /* explicitly prohibited */
+ if (se->tls13_ok == 0) /* explicitly prohibited */
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
_gnutls_buffer_init(&buf);
gnutls_buffer_st buf;
uint8_t prefix[PREFIX_SIZE];
- if (unlikely(se == NULL || se->hash == GNUTLS_DIG_SHA1 || se->pk == GNUTLS_PK_RSA))
+ if (unlikely(se == NULL || se->tls13_ok == 0))
+ return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+
+ if (unlikely(sign_supports_priv_pk_algorithm(se, pkey->pk_algorithm) == 0))
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
_gnutls_handshake_log
&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL, 0)
#define try_ks(name, client_prio, client_kx, group) \
- try_with_key_ks(name, client_prio, client_kx, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN, \
+ try_with_key_ks(name, client_prio, client_kx, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN, \
&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL, 0, group)
#define try_cli(name, client_prio, client_kx, server_sign_algo, client_sign_algo, client_cert) \
dtls_try_with_key("DTLS 1.2 with ecdhe ecdsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, GNUTLS_SIGN_ECDSA_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, NULL, NULL, 0);
- dtls_try("DTLS 1.2 with ecdhe rsa-pss sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- dtls_try("DTLS 1.2 with ecdhe rsa-pss no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
+ dtls_try("DTLS 1.2 with ecdhe rsa-pss sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ dtls_try("DTLS 1.2 with ecdhe rsa-pss no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
dtls_try_with_key("TLS 1.2 with ecdhe rsa-pss/rsa-pss no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, NULL, NULL, 0);
dtls_try("DTLS 1.2 with rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+RSA", GNUTLS_KX_RSA, GNUTLS_SIGN_UNKNOWN, GNUTLS_SIGN_UNKNOWN);
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, USE_CERT);
- dtls_try_cli("DTLS 1.2 with ecdhe-rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_RSA_PSS_SHA256, USE_CERT);
+ dtls_try_cli("DTLS 1.2 with ecdhe-rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, USE_CERT);
dtls_try_with_key("DTLS 1.2 with ecdhe-rsa-pss/rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_RSA_PSS_SHA256,
&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &cli_ca3_rsa_pss_cert, &cli_ca3_rsa_pss_key, USE_CERT);
dtls_try_cli("DTLS 1.2 with dhe-rsa ask cli-cert", "NORMAL:-VERS-ALL:+VERS-DTLS1.2:-KX-ALL:+DHE-RSA", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_UNKNOWN, ASK_CERT);
},
{.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-RSAE-SHA512",
.cert = &server_ca3_rsa_pss_cert,
.key = &server_ca3_rsa_pss_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA,
if (sign_verify_data(pkey, GNUTLS_SIGN_RSA_SHA3_256, 0) < 0)
fail("failed verification with SHA3-256!\n");
- if (sign_verify_data(pkey, GNUTLS_SIGN_RSA_PSS_SHA256, 0) < 0)
+ if (sign_verify_data(pkey, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, 0) < 0)
fail("failed verification with SHA256 with PSS!\n");
gnutls_x509_privkey_deinit(pkey);
11
};
-static void inv_sign_check(gnutls_pk_algorithm_t algorithm, unsigned sigalgo,
- gnutls_privkey_t privkey, int exp_error)
+static void inv_sign_check(unsigned sigalgo,
+ gnutls_privkey_t privkey, int exp_error)
{
int ret;
gnutls_datum_t signature;
ret = gnutls_privkey_sign_data2(privkey, sigalgo, 0,
&raw_data, &signature);
if (ret != exp_error)
- fail("gnutls_privkey_sign_data succeeded with %s and %s: %s\n", gnutls_pk_get_name(algorithm),
+ fail("gnutls_privkey_sign_data succeeded with %s and %s: %s\n", gnutls_pk_get_name(gnutls_privkey_get_pk_algorithm(privkey, NULL)),
gnutls_sign_get_name(sigalgo), gnutls_strerror(ret));
+ if (ret == 0)
+ gnutls_free(signature.data);
}
static void inv_encryption_check(gnutls_pk_algorithm_t algorithm,
}
-static void sign_verify_data(gnutls_pk_algorithm_t algorithm, unsigned sigalgo,
- gnutls_privkey_t privkey)
+static void sign_verify_data(unsigned sigalgo, gnutls_privkey_t privkey)
{
int ret;
gnutls_pubkey_t pubkey;
void doit(void)
{
- gnutls_privkey_t pkey;
+ gnutls_privkey_t pkey_rsa_pss;
+ gnutls_privkey_t pkey_rsa;
gnutls_x509_privkey_t tkey;
int ret;
gnutls_x509_spki_t spki;
assert(gnutls_x509_spki_init(&spki)>=0);
- assert(gnutls_privkey_init(&pkey) >=0);
+ assert(gnutls_privkey_init(&pkey_rsa) >=0);
gnutls_x509_spki_set_rsa_pss_params(spki, GNUTLS_DIG_SHA256, 32);
ret =
- gnutls_privkey_generate(pkey, GNUTLS_PK_RSA, 2048, 0);
+ gnutls_privkey_generate(pkey_rsa, GNUTLS_PK_RSA, 2048, 0);
if (ret < 0) {
fail("gnutls_privkey_generate: %s\n", gnutls_strerror(ret));
}
- assert(gnutls_privkey_set_spki(pkey, spki, 0)>=0);
- assert(gnutls_privkey_export_x509(pkey, &tkey) >=0);
+ assert(gnutls_privkey_set_spki(pkey_rsa, spki, 0)>=0);
+ assert(gnutls_privkey_export_x509(pkey_rsa, &tkey) >=0);
gnutls_x509_privkey_export2_pkcs8(tkey, GNUTLS_X509_FMT_PEM, NULL, 0, &tmp);
- gnutls_x509_privkey_deinit(tkey);
- gnutls_privkey_deinit(pkey);
+ /* import RSA-PSS version of key */
+ assert(gnutls_privkey_init(&pkey_rsa_pss) >=0);
+ assert(gnutls_privkey_import_x509_raw(pkey_rsa_pss, &tmp, GNUTLS_X509_FMT_PEM, NULL, 0) >= 0);
- assert(gnutls_privkey_init(&pkey) >=0);
+ gnutls_free(tmp.data);
- assert(gnutls_privkey_import_x509_raw(pkey, &tmp, GNUTLS_X509_FMT_PEM, NULL, 0) >= 0);
+ /* import RSA-PSS version of key */
+ gnutls_privkey_deinit(pkey_rsa);
+ gnutls_x509_privkey_export2(tkey, GNUTLS_X509_FMT_PEM, &tmp);
+ assert(gnutls_privkey_init(&pkey_rsa) >=0);
+ assert(gnutls_privkey_import_x509_raw(pkey_rsa, &tmp, GNUTLS_X509_FMT_PEM, NULL, 0) >= 0);
- if (debug)
- printf("%s", tmp.data);
+ gnutls_x509_privkey_deinit(tkey);
+ gnutls_free(tmp.data);
- sign_verify_data(GNUTLS_PK_RSA_PSS, GNUTLS_SIGN_RSA_PSS_SHA256, pkey);
+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa_pss);
+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, pkey_rsa);
+ sign_verify_data(GNUTLS_SIGN_RSA_PSS_SHA256, pkey_rsa);
if (debug)
success("success signing with RSA-PSS-SHA256\n");
- /* check whether the RSA-PSS restrictions are being followed */
- inv_encryption_check(GNUTLS_PK_RSA_PSS, pkey, GNUTLS_E_INVALID_REQUEST);
- inv_sign_check(GNUTLS_PK_RSA, GNUTLS_SIGN_RSA_SHA512, pkey, GNUTLS_E_CONSTRAINT_ERROR);
- inv_sign_check(GNUTLS_PK_RSA, GNUTLS_SIGN_RSA_SHA256, pkey, GNUTLS_E_CONSTRAINT_ERROR);
- inv_sign_check(GNUTLS_PK_RSA_PSS, GNUTLS_SIGN_RSA_PSS_SHA384, pkey, GNUTLS_E_CONSTRAINT_ERROR);
- inv_sign_check(GNUTLS_PK_RSA_PSS, GNUTLS_SIGN_RSA_PSS_SHA512, pkey, GNUTLS_E_CONSTRAINT_ERROR);
-
- gnutls_privkey_deinit(pkey);
+ /* check whether the RSA-PSS key restrictions are being followed */
+ inv_encryption_check(GNUTLS_PK_RSA_PSS, pkey_rsa_pss, GNUTLS_E_INVALID_REQUEST);
+ inv_sign_check(GNUTLS_SIGN_RSA_SHA512, pkey_rsa_pss, GNUTLS_E_CONSTRAINT_ERROR);
+ inv_sign_check(GNUTLS_SIGN_RSA_SHA256, pkey_rsa_pss, GNUTLS_E_CONSTRAINT_ERROR);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_SHA384, pkey_rsa_pss, GNUTLS_E_CONSTRAINT_ERROR);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_SHA512, pkey_rsa_pss, GNUTLS_E_CONSTRAINT_ERROR);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_RSAE_SHA384, pkey_rsa_pss, GNUTLS_E_CONSTRAINT_ERROR);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_RSAE_SHA512, pkey_rsa_pss, GNUTLS_E_CONSTRAINT_ERROR);
+
+ /* check whether the RSA key is not being restricted */
+ inv_sign_check(GNUTLS_SIGN_RSA_SHA512, pkey_rsa, 0);
+ inv_sign_check(GNUTLS_SIGN_RSA_SHA256, pkey_rsa, 0);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_RSAE_SHA384, pkey_rsa, 0);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_RSAE_SHA512, pkey_rsa, 0);
+ /* an RSA key can also generate "pure" for TLS RSA-PSS signatures
+ * as they are essentially the same thing, and we cannot always
+ * know whether a key is RSA-PSS only, or not (e.g., in PKCS#11
+ * keys). */
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_SHA384, pkey_rsa, 0);
+ inv_sign_check(GNUTLS_SIGN_RSA_PSS_SHA512, pkey_rsa, 0);
+
+ gnutls_privkey_deinit(pkey_rsa);
+ gnutls_privkey_deinit(pkey_rsa_pss);
gnutls_x509_spki_deinit(spki);
- gnutls_free(tmp.data);
gnutls_global_deinit();
}
"-e", "check sigalgs in cert request"]
},
{"name" : "test-rsa-pss-sigs-on-certificate-verify.py",
- "comment" : "tlsfuzzer doesn't like our set of algorithms",
+ "comment" : "tlsfuzzer doesn't yet support draft-22 RSA-PSS",
"arguments" : ["-k", "tests/clientX509Key.pem",
"-c", "tests/clientX509Cert.pem",
- "-e", "check CertificateRequest sigalgs"]
+ "-e", "check CertificateRequest sigalgs"],
+ "exp_pass" : false
},
{"name": "test-certificate-malformed.py",
"comment" : "tlsfuzzer doesn't like the alerts we send",
"-e", "medium, maximum fragmentation: 1 fragment - 1024B extension"]},
{"name" : "test-sessionID-resumption.py"},
{"name" : "test-sig-algs.py",
- "comment" : "FIXME: these fail, but most likely due to tls-fuzzer issue",
+ "comment" : "tlsfuzzer doesn't yet support draft-22 RSA-PSS",
"arguments" : ["-e", "RSA-PSS only - fails in verify if server selects PSS",
- "-e", "with RSA-PSS - fails in verify if server selects PSS"]},
+ "-e", "with RSA-PSS - fails in verify if server selects PSS"],
+ "exp_pass" : false
+ },
{"name" : "test-signature-algorithms.py",
"comment" : "gnutls doesn't tolerate that much",
"arguments" : ["-e", "tolerance max (32764) number of methods"]
},
{.name = "rsa-sign key with rsa-pss sigs prioritized",
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
.cert = &server_ca3_localhost_cert,
.key = &server_ca3_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA
.exp_kx = GNUTLS_KX_ECDHE_RSA,
.exp_key_err = GNUTLS_E_INVALID_REQUEST
},
- {.name = "rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */
+ {.name = "rsa-pss cert, rsa-sign key, no rsa-pss-rsae sigs", /* we expect the server to refuse negotiating */
.pk = GNUTLS_PK_RSA,
- .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512",
.cert = &server_ca3_rsa_pss_cert,
.key = &server_ca3_rsa_pss_key,
.exp_kx = GNUTLS_KX_ECDHE_RSA,
try("TLS 1.2 with ecdhe rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_SHA256, GNUTLS_SIGN_UNKNOWN);
try_with_key("TLS 1.2 with ecdhe ecdsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, GNUTLS_SIGN_ECDSA_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, NULL, NULL, 0);
- try("TLS 1.2 with ecdhe rsa-pss sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.2 with ecdhe rsa-pss sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
/* Test RSA-PSS cert/key combo issues */
try_with_key("TLS 1.2 with ecdhe with rsa-pss-sha256 key no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
try_with_key("TLS 1.2 with ecdhe with rsa-pss-sha256 key and rsa-pss-sha512 first sig no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_rsa_pss2_cert, &server_ca3_rsa_pss2_key, NULL, NULL, 0);
- try("TLS 1.2 with ecdhe rsa-pss no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.2 with ecdhe rsa-pss no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
try_with_key("TLS 1.2 with ecdhe rsa-pss/rsa-pss no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, NULL, NULL, 0);
try("TLS 1.2 with rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+RSA", GNUTLS_KX_RSA, GNUTLS_SIGN_UNKNOWN, GNUTLS_SIGN_UNKNOWN);
try_cli("TLS 1.2 with rsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+RSA", GNUTLS_KX_RSA, GNUTLS_SIGN_UNKNOWN, GNUTLS_SIGN_RSA_SHA256, USE_CERT);
try_with_key("TLS 1.2 with ecdhe ecdsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-ECDSA", GNUTLS_KX_ECDHE_ECDSA, GNUTLS_SIGN_ECDSA_SHA256, GNUTLS_SIGN_RSA_SHA256,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_cert, &cli_ca3_key, USE_CERT);
- try_cli("TLS 1.2 with ecdhe-rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_RSA_PSS_SHA256, USE_CERT);
+ try_cli("TLS 1.2 with ecdhe-rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, USE_CERT);
try_with_key("TLS 1.2 with ecdhe-rsa-pss/rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_RSA_PSS_SHA256,
&server_ca3_rsa_pss_cert, &server_ca3_rsa_pss_key, &cli_ca3_rsa_pss_cert, &cli_ca3_rsa_pss_key, USE_CERT);
global_init();
/* TLS 1.3 no clin cert */
- try("TLS 1.3 with ffdhe2048 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- try("TLS 1.3 with ffdhe3072 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE3072", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- try("TLS 1.3 with ffdhe4096 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE4096", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- try("TLS 1.3 with secp256r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- try("TLS 1.3 with secp384r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- try("TLS 1.3 with secp521r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP521R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
- try("TLS 1.3 with x25519 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with ffdhe2048 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with ffdhe3072 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE3072", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with ffdhe4096 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE4096", GNUTLS_KX_DHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with secp256r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with secp384r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP384R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with secp521r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP521R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
+ try("TLS 1.3 with x25519 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, GNUTLS_SIGN_UNKNOWN);
try_with_key_ks("TLS 1.3 with secp256r1 ecdsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_UNKNOWN,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, NULL, NULL, 0, GNUTLS_GROUP_SECP256R1);
/* client authentication */
try_with_key("TLS 1.3 with rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_RSA_PSS_SHA256,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_rsa_pss_cert, &cli_ca3_rsa_pss_key, USE_CERT);
- try_with_key("TLS 1.3 with rsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_RSA_PSS_SHA256,
+ try_with_key("TLS 1.3 with rsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_cert, &cli_ca3_key, USE_CERT);
try_with_key("TLS 1.3 with ecdsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA", GNUTLS_KX_ECDHE_RSA, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, GNUTLS_SIGN_ECDSA_SECP256R1_SHA256,
&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, USE_CERT);
} \
}
+#define KEY_EXP_VALUE "\x12\xbc\xfe\x50\x17\x79\x0f\x9b\x46\xf6\x07\xe7\x33\x55\x61\xf1\x15\xd0\x4e\xca\x99\xd6\xad\xa3\xcc\x67\xbf\xf1\x7c\x6c\x4c\xa8\x85\xd9"
+#define HELLO_VALUE "\xa6\x60\x26\xeb\xf9\x53\x05\xb4\x7c\x43\x32\x92\xce\x1f\xe5\x0e\x02\xfd\x57\x04\x5c\x06\x45\x9f\x78\x61\xad\xb8\x74\x9f\xfc"
static void check_prfs(gnutls_session_t session)
{
unsigned char key_material[512];
int ret;
- TRY_OLD(13, "key expansion", 34, (uint8_t*)"\xac\x43\xa8\x49\x8f\x36\x3b\xbd\xcb\x3f\x45\x20\xac\xd5\x99\xf5\x4c\x92\x2a\x4d\xd6\x0b\xc2\x3f\xc2\xfe\xf3\xc7\x9e\x04\x70\xd3\xe1\x92");
- TRY_OLD(6, "hello", 31, (uint8_t*)"\x49\x74\x07\x6f\x2c\xed\xfa\xff\xda\xe8\x20\x1f\xc7\xce\xe7\x78\x66\xb9\x75\x3f\x5d\x6e\xb0\xa9\xb8\xb2\x46\xd1\xa1\xd6\x39");
+ TRY_OLD(13, "key expansion", 34, (uint8_t*)KEY_EXP_VALUE);
+ TRY_OLD(6, "hello", 31, (uint8_t*)HELLO_VALUE);
- TRY(13, "key expansion", 0, NULL, 34, (uint8_t*)"\xac\x43\xa8\x49\x8f\x36\x3b\xbd\xcb\x3f\x45\x20\xac\xd5\x99\xf5\x4c\x92\x2a\x4d\xd6\x0b\xc2\x3f\xc2\xfe\xf3\xc7\x9e\x04\x70\xd3\xe1\x92");
- TRY(6, "hello", 0, NULL, 31, (uint8_t*)"\x49\x74\x07\x6f\x2c\xed\xfa\xff\xda\xe8\x20\x1f\xc7\xce\xe7\x78\x66\xb9\x75\x3f\x5d\x6e\xb0\xa9\xb8\xb2\x46\xd1\xa1\xd6\x39");
- TRY(7, "context", 5, "abcd\xfa", 31, (uint8_t*)"\x0a\xa9\x28\xc7\x00\xf9\x49\xe8\x5a\xd0\xb8\x68\xba\x49\xd6\x04\x78\x61\x0b\xac\x45\xe3\xfb\x9c\x82\x94\x23\x24\xa4\x02\x8e");
- TRY(12, "null-context", 0, "", 31, (uint8_t*)"\xb1\xfa\x57\x28\x1a\x57\x20\xfd\x73\xed\xdd\xda\xf4\xf8\x9b\xec\x4d\xf5\x2d\x23\xd5\xe3\xd3\x77\x89\xeb\x54\xdd\x0e\x17\x49");
+ TRY(13, "key expansion", 0, NULL, 34, (uint8_t*)KEY_EXP_VALUE);
+ TRY(6, "hello", 0, NULL, 31, (uint8_t*)HELLO_VALUE);
+ TRY(7, "context", 5, "abcd\xfa", 31, (uint8_t*)"\x1a\x7e\xc4\x88\x85\x6b\x93\x4e\x20\x7d\x82\xd3\xd9\xe6\xb8\xf9\x88\x22\x3e\x49\xb3\x1b\x3d\xd6\xd8\xaa\x9c\xb6\xb6\x9e\x09");
+ TRY(12, "null-context", 0, "", 31, (uint8_t*)"\x2e\x7e\xbd\x18\x3d\x69\xd6\x2f\x03\xad\x40\xdc\x8d\x7a\x60\xc2\xfb\x35\xa4\x26\xd0\x02\x19\xb2\x12\x8b\x03\x1e\x58\x09\x0e");
/* Try whether calling gnutls_prf() with non-null context or server-first
* param, will fail */
/* Use default priorities */
ret = gnutls_priority_set_direct(session,
- "NONE:+VERS-TLS1.3:+AES-256-GCM:+AEAD:+SIGN-RSA-PSS-SHA384:+GROUP-SECP256R1",
+ "NONE:+VERS-TLS1.3:+AES-256-GCM:+AEAD:+SIGN-RSA-PSS-RSAE-SHA384:+GROUP-SECP256R1",
&err);
if (ret < 0) {
fail("client: priority set failed (%s): %s\n",
* are adequate.
*/
ret = gnutls_priority_set_direct(session,
- "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL", NULL);
+ "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA384:-GROUP-ALL:+GROUP-SECP256R1", NULL);
if (ret < 0) {
fail("server: priority set failed (%s)\n\n",
gnutls_strerror(ret));
projects / thirdparty / gnutls.git / commitdiff
