author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-12-11 06:01:32 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-12-11 06:01:32 +0000 |
commit | 72014674a0d252b6196e72aa14fe913a72a4d00d (patch) | |
tree | 4e2b55c44bcaa28aa01449ffc05cde1da9286f24 /tests | |
parent | a58cdd20d1e6d50a47c723d3d201e2a6398ac318 (diff) | |
parent | 46d47f79f7a4d902459f236dfc14b40bd51a78a6 (diff) | |
Merge branch 'tmp-ccs-tls13' into 'master'
record: make CCS handling stricter in TLS 1.3
Closes #618
See merge request gnutls/gnutls!817
Diffstat (limited to 'tests')
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-cert.json | 4 | ||||
-rw-r--r-- | tests/suite/tls-fuzzer/gnutls-nocert-tls13.json | 2 | ||||
m--------- | tests/suite/tls-fuzzer/tlsfuzzer | 0 | ||||
m--------- | tests/suite/tls-fuzzer/tlslite-ng | 0 | ||||
-rw-r--r-- | tests/tls13/change_cipher_spec.c | 15 |
5 files changed, 21 insertions, 0 deletions
diff --git a/tests/suite/tls-fuzzer/gnutls-cert.json b/tests/suite/tls-fuzzer/gnutls-cert.json
index fe2b39f2c2..f9de174699 100644
--- a/tests/suite/tls-fuzzer/gnutls-cert.json
+++ b/tests/suite/tls-fuzzer/gnutls-cert.json
@@ -37,9 +37,13 @@
 "-p", "@PORT@"]
 },
 {"name" : "test-rsa-pss-sigs-on-certificate-verify.py",
+ "comment" : "FIXME: We shouldn't allow rsa_pss_pss* schemes as there is only RSA key #645",
 "arguments" : ["-k", "tests/clientX509Key.pem",
 "-c", "tests/clientX509Cert.pem",
 "-e", "check CertificateRequest sigalgs",
+ "-e", "rsa_pss_pss_sha256 in CertificateVerify with rsa key",
+ "-e", "rsa_pss_pss_sha384 in CertificateVerify with rsa key",
+ "-e", "rsa_pss_pss_sha512 in CertificateVerify with rsa key",
 "-n", "100",
 "-p", "@PORT@"]
 },
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
index d0d142e7a2..06fbf92351 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -14,6 +14,8 @@
 "tests" : [
 {"name" : "test-tls13-0rtt-garbage.py",
 "arguments": ["-p", "@PORT@"]},
+ {"name" : "test-tls13-ccs.py",
+ "arguments": ["-p", "@PORT@"]},
 {"name" : "test-tls13-crfg-curves.py",
 "comment": "We do not support x448",
 "arguments": ["-p", "@PORT@",
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
-Subproject 64f4a6e94c6cc1357fdb9fb36b8467456509df6
+Subproject cd624f68c671f339b3a1e0ef90db984760bcfea
diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng
-Subproject af466651a7795ac5a6cf54932d496ca8e79b49b
+Subproject d00ad94272be90172ecc5c422c923d679c23416
diff --git a/tests/tls13/change_cipher_spec.c b/tests/tls13/change_cipher_spec.c
index 1a9b80c817..09ef786789 100644
--- a/tests/tls13/change_cipher_spec.c
+++ b/tests/tls13/change_cipher_spec.c
@@ -134,6 +134,11 @@ static void client(int fd, unsigned ccs_check) if (ret < 0) fail("client: recv did not succeed as expected: %s\n", gnutls_strerror(ret)); + /* send change cipher spec, this should fail in the server */ + do { + ret = send(fd, "\x14\x03\x03\x00\x01\x01", 6, 0); + } while(ret == -1 && (errno == EINTR || errno == EAGAIN)); + close(fd); gnutls_deinit(session); @@ -217,6 +222,7 @@ static void server(int fd, unsigned ccs_check) int ret; gnutls_session_t session; gnutls_certificate_credentials_t x509_cred; + char buf[64]; /* this must be called once in the program */ @@ -276,6 +282,15 @@ static void server(int fd, unsigned ccs_check) if (ret < 0) fail("server: gnutls_record_send did not succeed as expected: %s\n", gnutls_strerror(ret)); + /* receive CCS and fail */ + do { + ret = gnutls_record_recv(session, buf, sizeof(buf)); + } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); + + if (ret != GNUTLS_E_UNEXPECTED_PACKET) + fail("server: incorrect alert sent: %d != %d\n", + ret, GNUTLS_E_UNEXPECTED_PACKET); + close(fd); gnutls_deinit(session); |
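Review bot: The result of the raw `send()` added to client() is never checked once the retry loop exits, so a failed or short write of the 6-byte record goes unnoticed and the server-side assertion would then fail for an unrelated reason. A check right after the loop, such as `if (ret != 6) fail("client: could not send CCS record: %s\n", strerror(errno));`, keeps the failure on the side that caused it (this assumes `<string.h>` and `<errno.h>` are included, which the hunk does not show). The byte literal would also read better with its layout spelled out in the comment, e.g. `/* content type 20 (change_cipher_spec), version 0x0303, length 1, payload 0x01; written with send() so it bypasses the record layer */`. client()'s body starts and ends outside the hunk.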
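Review bot: The failure message in the last server() hunk says "incorrect alert sent", but the check compares the return code of `gnutls_record_recv()`, and both values are printed as bare integers. Something like `fail("server: unexpected return from gnutls_record_recv: %s (expected %s)\n", gnutls_strerror(ret), gnutls_strerror(GNUTLS_E_UNEXPECTED_PACKET));` matches the other messages visible in this file and is easier to read in a test log. The check also only shows that the server rejected the record locally; nothing visible here verifies that an alert reaches the peer, because the client closes the socket right after sending. server()'s body starts and ends outside the hunk.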