author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-09-13 12:14:42 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-09-13 12:14:42 +0000 |
commit | b9c965ecbcfe873b09cd4c854119c5d6dcb0a462 (patch) | |
tree | ff6d782f1f632d2042f4338ed8cf7f696fff2efe | |
parent | 5b614d21be0287748f1b8418d3ac382d891f34d7 (diff) | |
parent | 5fac5af99b418171c285ae49d3cd8381a852dfd7 (diff) | |
download | gnutls-b9c965ecbcfe873b09cd4c854119c5d6dcb0a462.tar.gz |
Merge branch 'tmp-interop-old-gnutls' into 'master'
Do not forbid excess random padding in TLS1.x CBC ciphersuites
Closes #811
See merge request gnutls/gnutls!1054
-rw-r--r-- | .gitlab-ci.yml | 3 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | lib/constate.c | 11 | ||||
-rw-r--r-- | lib/record.c | 4 | ||||
-rw-r--r-- | tests/suite/Makefile.am | 4 | ||||
-rwxr-xr-x | tests/suite/testcompat-oldgnutls.sh | 202 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-tls13.json | 7 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert.json | 39 | ||||
-rwxr-xr-x | tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh | 4 | ||||
m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 |
11 files changed, 265 insertions, 23 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9a1f28f07b..6126a8e808 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -496,13 +496,14 @@ ubsan-Werror.Fedora.x86_64: - tests/suite/*/*.log retry: 1 +# This includes interoperability testing with gnutls 2.12.x Debian.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD script: - ./bootstrap - mkdir -p build && cd build - - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --disable-full-test-suite LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' + - dash ../configure --enable-oldgnutls-interop --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' - make -j$(nproc) - make check -j$(nproc) - cd .. @@ -15,10 +15,14 @@ See the end for copying conditions. ** libgnutls: add gnutls_aead_cipher_encryptv2 and gnutls_aead_cipher_decryptv2 functions that will perform in-place encryption/decryption on data buffers (#718). +** libgnutls: added interoperability tests with gnutls 2.12.x; addressed + issue with large record handling due to random padding (#811). + ** API and ABI modifications: gnutls_aead_cipher_encryptv2: Added gnutls_aead_cipher_decryptv2: Added + * Version 3.6.9 (released 2019-07-25) ** libgnutls: add gnutls_hash_copy/gnutls_hmac_copy functions that will create a copy diff --git a/configure.ac b/configure.ac index 1bf9bce95e..710db7608d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -423,6 +423,16 @@ fi AM_CONDITIONAL(WANT_TEST_SUITE, test "$full_test_suite" = "yes") +AC_ARG_ENABLE(oldgnutls-interop, + AS_HELP_STRING([--enable-oldgnutls-interop], [enable interoperability testing with old gnutls version]), + enable_oldgnutls_interop=$enableval, enable_oldgnutls_interop=no) + +if test "$enable_oldgnutls_interop" != "no" && test "$full_test_suite" != yes;then + AC_MSG_ERROR([cannot --enable-oldgnutls-interop without --enable-full-test-suite]) +fi + +AM_CONDITIONAL(ENABLE_OLDGNUTLS_INTEROP, test "$enable_oldgnutls_interop" != "no") + dnl GCC warnings to enable AC_ARG_ENABLE([gcc-warnings], diff --git a/lib/constate.c b/lib/constate.c index 51a4eca30a..4c6ca0fd0f 100644 --- a/lib/constate.c +++ b/lib/constate.c @@ -707,10 +707,17 @@ int _gnutls_epoch_set_keys(gnutls_session_t session, uint16_t epoch, hs_stage_t return gnutls_assert_val(ret); } - if (ver->tls13_sem) { + /* The TLS1.3 limit of 256 additional bytes is also enforced under CBC + * ciphers to ensure we interoperate with gnutls 2.12.x which could add padding + * data exceeding the maximum. */ + if (ver->tls13_sem || _gnutls_cipher_type(params->cipher) == CIPHER_BLOCK) { session->internals.max_recv_size = 256; } else { - session->internals.max_recv_size = _gnutls_record_overhead(ver, params->cipher, params->mac, 1); + session->internals.max_recv_size = 0; + } + + if (!ver->tls13_sem) { + session->internals.max_recv_size += _gnutls_record_overhead(ver, params->cipher, params->mac, 1); if (session->internals.allow_large_records != 0) session->internals.max_recv_size += EXTRA_COMP_SIZE; } diff --git a/lib/record.c b/lib/record.c index 39d2a16be2..7c7e365611 100644 --- a/lib/record.c +++ b/lib/record.c 
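Review bot: The new comment in _gnutls_epoch_set_keys says the 256-byte limit is "enforced" under CBC, but the code relaxes the bound: for every `CIPHER_BLOCK` suite below TLS 1.3 it starts `max_recv_size` at 256 and then adds `_gnutls_record_overhead(...)` on top. The extra allowance therefore applies to any peer that negotiates CBC, not only to gnutls 2.12.x. I would reword the comment to say so, e.g. `/* Accept up to 256 bytes beyond the computed overhead for CBC ciphers; gnutls 2.12.x random padding can push a full-size record past the nominal maximum. */`. The interop script added in this commit only exercises the accept path with 16384-byte payloads, so a test pinning that a CBC record just above the new bound is still refused would guard the upper limit. The function continues outside the hunk, so whether receive buffers sized from the old bound account for the extra 256 bytes cannot be checked from here and is worth confirming.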
@@ -1219,8 +1219,8 @@ static int recv_headers(gnutls_session_t session, if (record->length == 0 || record->length > max_record_recv_size(session)) { _gnutls_audit_log - (session, "Received packet with illegal length: %u\n", - (unsigned int) record->length); + (session, "Received packet with illegal length: %u (max: %u)\n", + (unsigned int) record->length, (unsigned)max_record_recv_size(session)); if (record->length == 0) { /* Empty, unencrypted records are always unexpected. */ diff --git a/tests/suite/Makefile.am b/tests/suite/Makefile.am index b4da01a375..21966ac898 100644 --- a/tests/suite/Makefile.am +++ b/tests/suite/Makefile.am @@ -118,6 +118,10 @@ if ENABLE_TLS13_INTEROP scripts_to_test += testcompat-tls13-openssl.sh endif +if ENABLE_OLDGNUTLS_INTEROP +scripts_to_test += testcompat-oldgnutls.sh +endif + if ENABLE_DANE scripts_to_test += testdane.sh endif diff --git a/tests/suite/testcompat-oldgnutls.sh b/tests/suite/testcompat-oldgnutls.sh new file mode 100755 index 0000000000..2ec96b20c2 --- /dev/null +++ b/tests/suite/testcompat-oldgnutls.sh 
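Review bot: The rewritten `_gnutls_audit_log` call evaluates `max_record_recv_size(session)` a second time just for the message, and casts it with `(unsigned)` while the argument next to it uses `(unsigned int)`. Reading the limit once into a local before the `if` and logging that local, with the same cast spelling on both arguments (`(unsigned int) record->length, (unsigned int) max_recv`), keeps the value that was checked and the value that is logged identical. recv_headers starts and ends outside this hunk.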
@@ -0,0 +1,202 @@ +#!/bin/bash + +# Copyright (c) 2010-2016, Free Software Foundation, Inc. +# Copyright (c) 2012-2018, Nikos Mavrogiannopoulos +# All rights reserved. +# +# Author: Nikos Mavrogiannopoulos +# +# This file is part of GnuTLS. +# +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation and/or +# other materials provided with the distribution. +# 3. Neither the name of the copyright holder nor the names of its contributors may +# be used to endorse or promote products derived from this software without specific +# prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT +# SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +# TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY +# WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +abs_top_srcdir="${abs_top_srcdir:-$(pwd)/../../}" +srcdir="${srcdir:-.}" +CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}" +TMPFILE=testcompat-oldgnutls.$$.tmp + +# This assumes a root directory in /usr/local/OLDGNUTLS containing the +# gnutls client and server + +if ! 
test -x "${CLI}"; then + exit 77 +fi + +if ! test -z "${VALGRIND}"; then + VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND}" +fi + +if test "${WINDIR}" != ""; then + exit 77 +fi + +LDPATH=/usr/local/OLDGNUTLS/lib/x86_64-linux-gnu:/usr/local/OLDGNUTLS/usr/lib/x86_64-linux-gnu + +. "${srcdir}/../scripts/common.sh" + +check_for_datefudge + +. "${srcdir}/testcompat-common" + +PORT="${PORT:-${RPORT}}" + +SERV=/usr/local/OLDGNUTLS/usr/bin/gnutls-serv + +if test -z "$OUTPUT";then +OUTPUT=/dev/null +fi + +>${OUTPUT} + +echo_cmd() { + tee -a ${OUTPUT} <<<$(echo $1) +} + +echo_cmd "Compatibility checks using "`${SERV} version` + +echo_cmd "####################################################" +echo_cmd "# Client mode tests (new cli-gnutls 2.12.x server) #" +echo_cmd "####################################################" + +run_client_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + eval "${GETPORT}" + LD_LIBRARY_PATH=$LDPATH launch_server $$ --priority "NORMAL:+SHA256${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! + wait_server ${PID} + + # Test TLS 1.0 with RSA ciphersuite + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + # Test TLS 1.0 with DHE-RSA ciphersuite + echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..." 
+ ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-CBC..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..." + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA, AES-CBC and long packet..." + head -c 16384 /dev/zero|tr \\0 a >${TMPFILE} + echo >>${TMPFILE} + ${VALGRIND} "${CLI}" -d 6 ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA, AES-CBC-SHA256 and long packet..." 
+ head -c 16384 /dev/zero|tr \\0 a >${TMPFILE} + echo >>${TMPFILE} + ${VALGRIND} "${CLI}" -d 6 ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+SHA256:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || + fail ${PID} "Failed" + + kill ${PID} + wait +} + +run_client_suite + +echo_cmd "${PREFIX}Client mode tests were successfully completed" +echo_cmd "${PREFIX}" +echo_cmd "${PREFIX}###############################################" +echo_cmd "${PREFIX}# Server mode tests (new server-old cli) #" +echo_cmd "${PREFIX}###############################################" +SERV="../../src/gnutls-serv${EXEEXT} -q" +CLI=/usr/local/OLDGNUTLS/usr/bin/gnutls-cli + +run_server_suite() { + ADD=$1 + PREFIX="" + if ! test -z "${ADD}"; then + PREFIX="$(echo $ADD|sed 's/://g'): " + fi + + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:+SHA256${ADD}" --x509certfile "${SERV_CERT}" --x509keyfile "${SERV_KEY}" --x509cafile "${CA_CERT}" --dhparams "${DH_PARAMS}" + PID=$! + wait_server ${PID} + + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-128-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.0 with RSA and AES-256-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.0 with DHE-RSA..." 
+ LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.0:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-128-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA and AES-256-CBC..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-256-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with DHE-RSA..." + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+CIPHER-ALL:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+DHE-RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" </dev/null >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA, AES-CBC and long packet..." + head -c 16384 /dev/zero|tr \\0 a >${TMPFILE} + echo >>${TMPFILE} + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+MAC-ALL:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || \ + fail ${PID} "Failed" + + echo "${PREFIX}Checking TLS 1.2 with RSA, AES-CBC-SHA256 and long packet..." 
+ head -c 16384 /dev/zero|tr \\0 a >${TMPFILE} + echo >>${TMPFILE} + LD_LIBRARY_PATH=$LDPATH "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NONE:+AES-128-CBC:+SIGN-ALL:+COMP-NULL:+SHA256:+VERS-TLS1.2:+RSA${ADD}" --insecure --x509certfile "${CLI_CERT}" --x509keyfile "${CLI_KEY}" <${TMPFILE} >/dev/null || \ + fail ${PID} "Failed" + + kill ${PID} + wait + +} + +run_server_suite + +rm -f ${TMPFILE} + +exit 0 diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json index 073c143833..31f63e5398 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json @@ -81,6 +81,11 @@ "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-nociphers.py", "arguments": ["-p", "@PORT@"]}, + {"name" : "test-tls13-non-support.py", + "arguments": ["-p", "@PORT@"], + "exp_pass" : false}, + {"name" : "test-tls13-obsolete-curves.py", + "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-pkcs-signature.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-record-padding.py", @@ -102,6 +107,8 @@ "-e", "8130 invalid schemes", "-e", "23752 invalid schemes", "-e", "32715 invalid schemes"]}, + {"name" : "test-tls13-symetric-ciphers.py", + "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-unrecognised-groups.py", "arguments": ["-p", "@PORT@"]}, {"name" : "test-tls13-version-negotiation.py", diff --git a/tests/suite/tls-fuzzer/gnutls-nocert.json b/tests/suite/tls-fuzzer/gnutls-nocert.json index b56ea40163..bc3c7a88b2 100644 --- a/tests/suite/tls-fuzzer/gnutls-nocert.json +++ b/tests/suite/tls-fuzzer/gnutls-nocert.json @@ -32,6 +32,8 @@ "fragmented, padding ext 16213 bytes"]}, {"name" : "test-ecdsa-sig-flexibility.py", "arguments" : ["-p", "@PORT@"] }, + {"name" : "test-encrypt-then-mac.py", + "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ocsp-stapling.py", "arguments" : ["-p", "@PORT@", "--no-status"] }, 
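Review bot: Only the new `${CLI}` is probed before the run; the old binaries under the hard-coded `/usr/local/OLDGNUTLS` prefix are executed unchecked (`${SERV} version` near the top, and the reassigned `CLI` before run_server_suite). On a host without that tree the script therefore fails midway instead of reporting a skip or a clear error. A guard such as `test -x "${SERV}" || exit 77` right after `SERV=` is assigned, and the same for the old gnutls-cli, would make the precondition explicit. Separately, `${TMPFILE}` is removed only on the success path at the end, so an early `fail` may leave it behind, depending on what the sourced helper does; `trap 'rm -f "${TMPFILE}"' EXIT` would cover that. The two long-packet checks in run_client_suite also hard-code `-d 6` next to `${DEBUG}`, which looks like leftover debugging.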
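Review bot: The new `test-tls13-non-support.py` entry in gnutls-nocert-tls13.json is marked `"exp_pass" : false` with no explanation of why a failure is expected. Entries in the sibling gnutls-nocert.json list use a `"comment"` key for this kind of rationale. Adding one here, e.g. `"comment": "<reason this script is expected to fail against gnutls>"`, would let a later reader tell an intentional expectation from a masked regression.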
@@ -99,20 +101,16 @@ {"name" : "test-cve-2016-2107.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-key-share-random.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0", "arguments" : ["-p", "@PORT@", - "-e", "Protocol (3, 1)", - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", - "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello"]}, + "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", + "-z"]}, {"name" : "test-dhe-no-shared-secret-padding.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0", "arguments" : ["-p", "@PORT@", - "-e", "Protocol (3, 1)", - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 0)", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - "-n", "4"]}, + "-n", "6", + "-z"]}, {"name" : "test-dhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-dhe-rsa-key-exchange-signatures.py", 
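Review bot: The `"comment"` keys removed in this hunk documented why cases are excluded, yet exclusions remain: `Protocol (3, 0)` is still passed with `-e` for both test-dhe-key-share-random.py and test-dhe-no-shared-secret-padding.py. The same applies to the later hunks for test-ecdhe-padded-shared-secret.py, test-ecdhe-rsa-key-share-random.py and test-serverhello-random.py, where the x448 exclusions are extended to (3, 1) and (3, 3) while the "we don't support x448" remark is dropped. The added `-z` argument and the change of `-n` from 4 to 6 are likewise unexplained. I would keep a trimmed comment on each entry, e.g. `"comment": "x448 is not supported; SSLv3 cases excluded"`, so the reason for each `-e` stays next to it.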
@@ -129,23 +127,29 @@ {"name" : "test-early-application-data.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-padded-shared-secret.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", - "-n", "4"]}, + "-e", "Protocol (3, 3) with x448 group", + "-e", "Protocol (3, 0)", + "-z", + "-n", "6"]}, {"name" : "test-ecdhe-rsa-key-exchange.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-exchange-with-bad-messages.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-ecdhe-rsa-key-share-random.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", - "-n", "4"]}, + "-e", "Protocol (3, 3) with x448 group", + "-e", "Protocol (3, 0)", + "-z", + "-n", "6"]}, {"name" : "test-empty-extensions.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-export-ciphers-rejected.py", @@ -201,7 +205,8 @@ {"name" : "test-invalid-client-hello.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-client-hello-w-record-overflow.py", - "arguments" : ["-p", "@PORT@"] }, + "arguments" : ["-p", "@PORT@", + "-n", "10"] }, {"name" : "test-invalid-compression-methods.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-invalid-content-type.py", 
@@ -256,12 +261,14 @@ {"name" : "test-sessionID-resumption.py", "arguments" : ["-p", "@PORT@"] }, {"name" : "test-serverhello-random.py", - "comment": "This test assumes that record splitting is performed under SSLv3 and TLS1.0; we don't support x448", "arguments" : ["-p", "@PORT@", "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello", - "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello", + "-e", "Protocol (3, 1) with x448 group", "-e", "Protocol (3, 2) with x448 group", - "-n", "4"]}, + "-e", "Protocol (3, 3) with x448 group", + "-e", "Protocol (3, 0)", + "-z", + "-n", "6"]}, {"name" : "test-sig-algs.py", "arguments" : ["-p", "@PORT@", "-e", "rsa_pss_pss_sha256 only", diff --git a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh index 77a1d050cd..6e6b809c57 100755 --- a/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh +++ b/tests/suite/tls-fuzzer/tls-fuzzer-nocert.sh @@ -22,10 +22,10 @@ srcdir="${srcdir:-.}" tls_fuzzer_prepare() { VERSIONS="-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0" -PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256" +PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:-CURVE-SECP192R1:${VERSIONS}:+SHA256:+SHA384" ${CLI} --list --priority "${PRIORITY}" >/dev/null 2>&1 if test $? != 0;then - PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256" + PRIORITY="NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1:+ARCFOUR-128:+3DES-CBC:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:${VERSIONS}:+SHA256:+SHA384" fi sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ../gnutls-nocert.json >${TMPFILE} 
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer -Subproject 79936b86187ca48ced7c40b9b1a3872386c3f56 +Subproject 3d57169c83e960597d7f90f4b837858d9530d7f |