Fixed alerts returned on TLS1.3 corner cases
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 14 Jul 2019 20:27:50 +0000 (22:27 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 15 Jul 2019 06:06:44 +0000 (08:06 +0200)
This enables the tls-fuzzer tests 'test-tls13-certificate-verify.py'.

Resolves: #682

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
lib/alert.c
lib/tls13-sig.c
lib/tls13/certificate_verify.c
tests/suite/tls-fuzzer/gnutls-cert.json

index 047c976d1b77251c53012cc511dbaad89cb758eb..cfd1205d01fbacf6b248f5c47e1f40cb18b9c4d4 100644 (file)
@@ -227,6 +227,7 @@ int gnutls_error_to_alert(int err, int *level)
        case GNUTLS_E_PK_INVALID_PUBKEY:
        case GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM:
        case GNUTLS_E_RECEIVED_DISALLOWED_NAME:
+       case GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY:
                ret = GNUTLS_A_ILLEGAL_PARAMETER;
                _level = GNUTLS_AL_FATAL;
                break;
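Review bot: The new `case GNUTLS_E_INCOMPATIBLE_SIG_WITH_KEY:` label applies to every protocol version and to both sending and receiving paths, because `gnutls_error_to_alert(int err, int *level)` sees only the error code. If that code can also be raised while signing with the local key (not visible from this hunk), the peer would receive a fatal illegal_parameter for what is really a local configuration problem, so it is worth confirming that every site returning it is on the verify path. A short comment above the label, such as `/* peer's signature scheme does not fit its certificate key */`, would record why it belongs in this group. The switch starts and ends outside the hunk.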
index aee15eaf87b33098b1c0bab917e8282a00b96c12..61f9d58209163e7752ffdc75156876f28109f33a 100644 (file)
@@ -72,7 +72,7 @@ _gnutls13_handshake_verify_data(gnutls_session_t session,
        ret =
            _gnutls_session_sign_algo_enabled(session, se->id);
        if (ret < 0)
-               return gnutls_assert_val(ret);
+               return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 
        if (se->tls13_ok == 0) /* explicitly prohibited */
                return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
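Review bot: The rewritten return under `if (ret < 0)` throws away whatever `_gnutls_session_sign_algo_enabled()` reported, so a scheme rejected by local policy can no longer be told apart, in the return code or the logs, from the `tls13_ok == 0` case directly below it. The same substitution in `_gnutls13_recv_certificate_verify()` (lib/tls13/certificate_verify.c) at least keeps its `_gnutls_handshake_log` line, but applications that matched on `GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM` will presumably now see `GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER`, which deserves a line in the commit message. I would keep the diagnostic by bracing the branch and logging first, e.g. `_gnutls_handshake_log("Signature algorithm (%d) is not enabled\n", (int)se->id);`. The function body starts and ends outside the hunk.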
index 7300f88f5d79f2db560fe4a8a2185dd263d6e05a..6c3617c026fde533b3eada7d33e9b023d3b81315 100644 (file)
@@ -85,7 +85,7 @@ int _gnutls13_recv_certificate_verify(gnutls_session_t session)
        se = _gnutls_tls_aid_to_sign_entry(buf.data[0], buf.data[1], get_version(session));
        if (se == NULL) {
                _gnutls_handshake_log("Found unsupported signature (%d.%d)\n", (int)buf.data[0], (int)buf.data[1]);
-               ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+               ret = gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
                goto cleanup;
        }
 
index c2b28c5569fc6baec6f35e02c2b315b856b2f307..f0443d8a7de3586e9835fb73fe06012ddcf057d6 100644 (file)
@@ -9,6 +9,20 @@
      "server_hostname": "localhost",
      "server_port": @PORT@,
      "tests" : [
+        {"name" : "test-tls13-certificate-verify.py",
+          "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)",
+          "arguments" : ["-k", "tests/clientX509Key.pem",
+                         "-c", "tests/clientX509Cert.pem",
+                         "-n", "10",
+                         "-e", "check sigalgs in cert request",
+                        "-p", "@PORT@"]},
+        {"name" : "test-tls13-certificate-verify.py",
+          "comment" : "tlsfuzzer doesn't like our set of algorithms (e.g., ed25519)",
+          "arguments" : ["-k", "tests/clientRSAPSSKey.pem",
+                         "-c", "tests/clientRSAPSSCert.pem",
+                         "-n", "10",
+                         "-e", "check sigalgs in cert request",
+                        "-p", "@PORT@"]},
          {"name": "test-rsa-sigs-on-certificate-verify.py",
           "arguments" : ["-k", "tests/clientX509Key.pem",
                          "-c", "tests/clientX509Cert.pem",
                          "-n", "100",
                          "-p", "@PORT@"]
           },
+         {"name" : "test-rsa-pss-sigs-on-certificate-verify.py",
+         "comment": "tlsfuzzer doesn't know ed25519 scheme which we advertise",
+          "arguments" : ["-k", "tests/clientRSAPSSKey.pem",
+                         "-c", "tests/clientRSAPSSCert.pem",
+                         "-e", "check CertificateRequest sigalgs",
+                         "--illegpar",
+                         "-n", "100",
+                         "-p", "@PORT@"]
+          },
          {"name": "test-certificate-malformed.py",
           "comment" : "tlsfuzzer doesn't like the alerts we send",
           "arguments" : ["-k", "tests/clientX509Key.pem",