Partially support -verify-prefs

This exits with BOGO_NACK if an unsupported verification algorithm is requested. That is enough to enable 78 more test cases.
2024-01-10 12:04:25 +00:00 · 2024-01-10 12:04:25 +00:00 · 432ceca9b8
parent 235008b8d5
commit 432ceca9b8
2 changed files with 12 additions and 17 deletions
--- a/bogo/config.json.in
+++ b/bogo/config.json.in
@ -61,6 +61,8 @@
    "*-ECDSA_SHA1-*": "no ecdsa-sha1",
    "*-Sign-RSA_PKCS1_SHA1-*": "no sha1",
    "*-VerifyDefault-RSA_PKCS1_SHA1-*": "no sha1",
+    "VerifyPreferences-NoCommonAlgorithms": "we validate but don't actually implement -verify-prefs",
+    "VerifyPreferences-Enforced": "",
    "*_P224_*": "no p224",
    "*-P-224-*": "",
 #ifdef RING
@ -186,12 +188,9 @@
    "ALPNClient-EmptyProtocolName-TLS-TLS13": ":PEER_MISBEHAVIOUR:",
    "ALPNServer-EmptyProtocolName-TLS-TLS12": ":PEER_MISBEHAVIOUR:",
    "ALPNServer-EmptyProtocolName-TLS-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Verify-ServerAuth-SignatureType": ":PEER_MISBEHAVIOUR:",
    "Verify-ClientAuth-SignatureType": ":BAD_SIGNATURE:",
    "Verify-ServerAuth-SignatureType-TLS13": ":BAD_SIGNATURE:",
    "Verify-ClientAuth-SignatureType-TLS13": ":BAD_SIGNATURE:",
-    "ClientAuth-Enforced": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Enforced": ":PEER_MISBEHAVIOUR:",
    "UnofferedExtension-Client": ":PEER_MISBEHAVIOUR:",
    "UnknownExtension-Client": ":PEER_MISBEHAVIOUR:",
    "KeyUpdate-InvalidRequestMode": ":BAD_HANDSHAKE_MSG:",
@ -226,14 +225,6 @@
    "NoSupportedVersions": ":INCOMPATIBLE:",
    "Client-VerifyDefault-RSA_PKCS1_SHA1-TLS12": ":PEER_ALERT_INTERNAL_ERROR:",
    "Server-VerifyDefault-RSA_PKCS1_SHA1-TLS12": ":HANDSHAKE_FAILURE:",
-    "Client-VerifyDefault-RSA_PKCS1_SHA1-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Server-VerifyDefault-RSA_PKCS1_SHA1-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Client-VerifyDefault-RSA_PKCS1_SHA256-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Server-VerifyDefault-RSA_PKCS1_SHA256-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Client-VerifyDefault-RSA_PKCS1_SHA384-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Server-VerifyDefault-RSA_PKCS1_SHA384-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Client-VerifyDefault-RSA_PKCS1_SHA512-TLS13": ":PEER_MISBEHAVIOUR:",
-    "Server-VerifyDefault-RSA_PKCS1_SHA512-TLS13": ":PEER_MISBEHAVIOUR:",
    "ClientAuth-InvalidSignature-RSA-PKCS1-SHA1-TLS12": ":PEER_MISBEHAVIOUR:",
    "ServerAuth-InvalidSignature-RSA-PKCS1-SHA1-TLS12": ":PEER_MISBEHAVIOUR:",
    "Server-Sign-RSA_PKCS1_SHA256-TLS13": ":INCOMPATIBLE:",
@ -252,8 +243,6 @@
    "ClientAuth-NoFallback-ECDSA": ":BAD_HANDSHAKE_MSG:",
    "ClientAuth-NoFallback-TLS13": ":BAD_HANDSHAKE_MSG:",
    "ServerAuth-NoFallback-TLS13": ":INCOMPATIBLE:",
-    "ClientAuth-Enforced-TLS13": ":PEER_MISBEHAVIOUR:",
-    "ServerAuth-Enforced-TLS13": ":PEER_MISBEHAVIOUR:",
    "SecondClientHelloWrongCurve-TLS13": ":PEER_MISBEHAVIOUR:",
    "SecondClientHelloMissingKeyShare-TLS13": ":INCOMPATIBLE:",
    "Resume-Server-BinderWrongLength-SecondBinder": ":PEER_MISBEHAVIOUR:",
@ -347,9 +336,9 @@
    "SendExtensionOnClientCertificate-TLS13": ":PEER_MISBEHAVIOUR:",
    "SendBogusAlertType": ":BAD_ALERT:",
    "TLS13-HRR-InvalidCompressionMethod": ":BAD_HANDSHAKE_MSG:",
-    "CertificateCipherMismatch-RSA": ":PEER_MISBEHAVIOUR:",
-    "CertificateCipherMismatch-ECDSA": ":PEER_MISBEHAVIOUR:",
-    "CertificateCipherMismatch-Ed25519": ":PEER_MISBEHAVIOUR:",
+    "CertificateCipherMismatch-RSA": ":WRONG_SIGNATURE_TYPE:",
+    "CertificateCipherMismatch-ECDSA": ":WRONG_SIGNATURE_TYPE:",
+    "CertificateCipherMismatch-Ed25519": ":WRONG_SIGNATURE_TYPE:",
    "ServerCipherFilter-RSA": ":INCOMPATIBLE:",
    "ServerCipherFilter-ECDSA": ":INCOMPATIBLE:",
    "ServerCipherFilter-Ed25519": ":INCOMPATIBLE:",
--- a/rustls/examples/internal/bogo_shim_impl.rs
+++ b/rustls/examples/internal/bogo_shim_impl.rs
@ -760,6 +760,10 @@ fn handle_err(err: Error) -> ! {
        Error::PeerMisbehaved(PeerMisbehaved::TooMuchEarlyDataReceived) => {
            quit(":TOO_MUCH_READ_EARLY_DATA:")
        }
+        Error::PeerMisbehaved(PeerMisbehaved::SignedHandshakeWithUnadvertisedSigScheme)
+        | Error::PeerMisbehaved(PeerMisbehaved::SignedKxWithWrongAlgorithm) => {
+            quit(":WRONG_SIGNATURE_TYPE:")
+        }
        Error::PeerMisbehaved(_) => quit(":PEER_MISBEHAVIOUR:"),
        Error::NoCertificatesPresented => quit(":NO_CERTS:"),
        Error::AlertReceived(AlertDescription::UnexpectedMessage) => quit(":BAD_ALERT:"),
@ -1091,6 +1095,9 @@ pub fn main() {
                    }
                }
            }
+            "-verify-prefs" => {
+                lookup_scheme(args.remove(0).parse::<u16>().unwrap());
+            }
            "-max-cert-list" |
            "-expect-curve-id" |
            "-expect-resume-curve-id" |
@ -1314,7 +1321,6 @@ pub fn main() {
            "-handshake-twice" |
            "-on-resume-verify-fail" |
            "-reverify-on-resume" |
-            "-verify-prefs" |
            "-no-op-extra-handshake" |
            "-expect-peer-cert-file" |
            "-no-rsa-pss-rsae-certs" |