
Jonas/extend bogo coverage #68

Merged
merged 10 commits into from
Nov 14, 2023
304 changes: 132 additions & 172 deletions bogo_shim/assets/config.json

Large diffs are not rendered by default.

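--- a/bogo_shim/src/main.rs
+++ b/bogo_shim/src/main.rs
@@ -94,6 +94,15 @@ const UNHANDLED_ARGUMENTS: &[&str] = &[
 "-verify-peer",
 "-verify-prefs",
 "-write-settings",
+"-select-alpn",
+"-expect-advertised-alpn",
+"-select-empty-alpn",
+"-reject-alpn",
+"-server-preference",
+"-ignore-rsa-key-usage",
+"-wpa-202304",
+"-max-cert-list",
+"-enable-signed-cert-timestamps",
 ];
 
 /// The BoGo shim receives command-line parameters from the BoGo test runner.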
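Review bot: The nine flags added to `UNHANDLED_ARGUMENTS` include several that change what the peer is supposed to check or refuse (`-reject-alpn`, `-ignore-rsa-key-usage`, `-max-cert-list`), and nothing in the hunk says what the shim does when it meets an unhandled flag. If such flags are accepted and ignored rather than causing the test to be reported as unsupported, a BoGo test that depends on them could pass without exercising the behaviour. I would add a comment above the new group stating which it is, e.g. `// Not implemented: tests passing these flags are reported as unsupported, not run.` (adjusted to the actual behaviour). The declaration of `UNHANDLED_ARGUMENTS` starts above the hunk, so its use is not visible here.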
16 changes: 9 additions & 7 deletions simple_https_client/src/lib.rs
Expand Up @@ -34,7 +34,7 @@
false,
);

const SHA256_Chacha20Poly1305_RsaPssRsaSha256_X25519: Algorithms = Algorithms(

Check warning on line 37 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA256_Chacha20Poly1305_RsaPssRsaSha256_X25519` is never used
HashAlgorithm::SHA256,
AeadAlgorithm::Chacha20Poly1305,
SignatureScheme::RsaPssRsaSha256,
Expand All @@ -52,7 +52,7 @@
false,
);

const SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256: Algorithms = Algorithms(

Check warning on line 55 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256` is never used
HashAlgorithm::SHA256,
AeadAlgorithm::Chacha20Poly1305,
SignatureScheme::RsaPssRsaSha256,
Expand All @@ -61,7 +61,7 @@
false,
);

const SHA256_Aes128Gcm_EcdsaSecp256r1Sha256_P256: Algorithms = Algorithms(

Check warning on line 64 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA256_Aes128Gcm_EcdsaSecp256r1Sha256_P256` is never used
HashAlgorithm::SHA256,
AeadAlgorithm::Aes128Gcm,
SignatureScheme::EcdsaSecp256r1Sha256,
Expand All @@ -70,7 +70,7 @@
false,
);

const SHA256_Aes128Gcm_RsaPssRsaSha256_P256: Algorithms = Algorithms(

Check warning on line 73 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA256_Aes128Gcm_RsaPssRsaSha256_P256` is never used
HashAlgorithm::SHA256,
AeadAlgorithm::Aes128Gcm,
SignatureScheme::RsaPssRsaSha256,
Expand All @@ -79,7 +79,7 @@
false,
);

const SHA256_Aes128Gcm_RsaPssRsaSha256_X25519: Algorithms = Algorithms(

Check warning on line 82 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA256_Aes128Gcm_RsaPssRsaSha256_X25519` is never used
HashAlgorithm::SHA256,
AeadAlgorithm::Aes128Gcm,
SignatureScheme::RsaPssRsaSha256,
Expand All @@ -88,7 +88,7 @@
false,
);

const SHA384_Aes256Gcm_RsaPssRsaSha256_X25519: Algorithms = Algorithms(

Check warning on line 91 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA384_Aes256Gcm_RsaPssRsaSha256_X25519` is never used
HashAlgorithm::SHA384,
AeadAlgorithm::Aes256Gcm,
SignatureScheme::RsaPssRsaSha256,
Expand All @@ -97,7 +97,7 @@
false,
);

const SHA384_Aes256Gcm_EcdsaSecp256r1Sha256_X25519: Algorithms = Algorithms(

Check warning on line 100 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA384_Aes256Gcm_EcdsaSecp256r1Sha256_X25519` is never used
HashAlgorithm::SHA384,
AeadAlgorithm::Aes256Gcm,
SignatureScheme::EcdsaSecp256r1Sha256,
Expand All @@ -106,7 +106,7 @@
false,
);

const SHA384_Aes256Gcm_RsaPssRsaSha256_P256: Algorithms = Algorithms(

Check warning on line 109 in simple_https_client/src/lib.rs

GitHub Actions / lint

constant `SHA384_Aes256Gcm_RsaPssRsaSha256_P256` is never used
HashAlgorithm::SHA384,
AeadAlgorithm::Aes256Gcm,
SignatureScheme::RsaPssRsaSha256,
Expand All @@ -129,7 +129,7 @@
// SHA256_Chacha20Poly1305_RsaPssRsaSha256_X25519,
SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519,
SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_P256,
SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256,
// SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256,
// SHA256_Aes128Gcm_EcdsaSecp256r1Sha256_P256,
// SHA256_Aes128Gcm_EcdsaSecp256r1Sha256_X25519,
// SHA256_Aes128Gcm_RsaPssRsaSha256_P256,
Expand Down Expand Up @@ -190,10 +190,13 @@
Ok((_, cstate)) => cstate,
Err(e) => {
match e {
6 => eprintln!("Server does not support proposed algorithms."),
137 => eprintln!("Wrong TLS protocol version TLS({:?})", e),
138 => eprintln!("Server sent application data instead of a handshake message."),
139 => eprintln!("Hello message was missing a key share."),
UNSUPPORTED_ALGORITHM => eprintln!("Server does not support proposed algorithms."),
PROTOCOL_VERSION_ALERT => eprintln!("Wrong TLS protocol version TLS({:?})", e),
APPLICATION_DATA_INSTEAD_OF_HANDSHAKE => {
eprintln!("Server sent application data instead of a handshake message.")
}
MISSING_KEY_SHARE => eprintln!("Hello message was missing a key share."),
DECODE_ERROR => eprintln!("Decode error."), // parsing of the server hello failed
_ => eprintln!("Bertie client error {}", e),
}
return Err(e.into());
Expand All @@ -212,8 +215,7 @@
Ok((new_cf_rec, new_cstate)) => (new_cf_rec, new_cstate),
Err(e) => {
match e {
7 => eprintln!("Invalid server signature"), // signature verification failed
140 => eprintln!("Invalid server signature"), // parsing of the certificate failed
INVALID_SIGNATURE => eprintln!("Invalid server signature"), // parsing of the certificate failed
_ => eprintln!("Bertie client error {}", e),
}
return Err(e.into());
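Review bot: The trailing comment on the `INVALID_SIGNATURE` arm of the second `match e` still reads "parsing of the certificate failed", but the removed `7 =>` arm was the one labelled "signature verification failed", and `verify` in src/tls13crypto.rs now returns `INVALID_SIGNATURE` for that case in this same PR. The arm therefore covers both conditions, and I would reword the comment to `// certificate parsing or signature verification failed` so that nobody triaging a failed handshake reads a bad signature as a parse problem. In the first match, the `PROTOCOL_VERSION_ALERT` arm prints the error code inside `TLS({:?})`, which reads like a protocol version; `eprintln!("Wrong TLS protocol version (error {})", e)` would be clearer. Both matches sit in code that starts and ends outside these hunks.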
6 changes: 3 additions & 3 deletions simple_https_server/src/lib.rs
Expand Up @@ -124,13 +124,13 @@ where
Err(x) => {
println!("ServerInit Error {}", x);
match x {
136 => {
INVALID_COMPRESSION_LIST => {
stream.write_record(Bytes::from(&[21, 03, 03, 00, 02, 2, 47]))?;
}
137 => {
PROTOCOL_VERSION_ALERT => {
stream.write_record(Bytes::from(&[21, 03, 03, 00, 02, 2, 70]))?;
}
139 => {
MISSING_KEY_SHARE => {
// alerts here are optional
eprintln!("Hello message was missing a key share.");
}
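Review bot: The match arms are now named, but the alert records written in the `INVALID_COMPRESSION_LIST` and `PROTOCOL_VERSION_ALERT` arms are still bare byte arrays, so a reader cannot tell which alert each error maps to without decoding them by hand. A short comment on each `write_record` line would close that gap, e.g. `// fatal (2) illegal_parameter (47) alert record` and `// fatal (2) protocol_version (70) alert record`. The `Err(x)` branch begins above the hunk and continues below it, so any remaining arms are not visible here.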
8 changes: 5 additions & 3 deletions src/tls13crypto.rs
Expand Up @@ -3,7 +3,9 @@ use libcrux::{
*,
};

use crate::{eq, tlserr, Bytes, Declassify, TLSError, CRYPTO_ERROR, UNSUPPORTED_ALGORITHM};
use crate::{
eq, tlserr, Bytes, Declassify, TLSError, CRYPTO_ERROR, INVALID_SIGNATURE, UNSUPPORTED_ALGORITHM,
};

pub type Random = Bytes; //was [U8;32]
pub type Entropy = Bytes;
Expand Down Expand Up @@ -271,7 +273,7 @@ pub fn verify(
);
match res {
Ok(res) => Ok(res),
Err(_) => tlserr(CRYPTO_ERROR),
Err(_) => tlserr(INVALID_SIGNATURE),
}
}
(SignatureScheme::EcdsaSecp256r1Sha256, PublicVerificationKey::EcDsa(pk)) => {
Expand All @@ -285,7 +287,7 @@ pub fn verify(
);
match res {
Ok(res) => Ok(res),
Err(_) => tlserr(CRYPTO_ERROR),
Err(_) => tlserr(INVALID_SIGNATURE),
}
}
_ => tlserr(UNSUPPORTED_ALGORITHM),
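Review bot: Both `Err(_)` arms in `verify` now turn every failure of the verification call into `INVALID_SIGNATURE` and discard the underlying error, so a caller cannot tell a mismatching signature from any other failure the library might report (for example a rejected key or encoding; not visible from these hunks). Failing closed is the right outcome, but the mapping deserves a comment on each arm, e.g. `// every verification failure, whatever its cause, is reported as INVALID_SIGNATURE`. The hunks also show no remaining use of `CRYPTO_ERROR`, which the rewritten `use` still imports, so it is worth checking that it is still needed elsewhere in the file. `verify` begins and ends outside the hunks.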
9 changes: 8 additions & 1 deletion src/tls13formats.rs
Expand Up @@ -777,6 +777,10 @@ fn unsupported_cipher_alert() -> Result<(), TLSError> {
tlserr(UNSUPPORTED_ALGORITHM)
}

fn invalid_compression_method_alert() -> Result<(), TLSError> {
tlserr(DECODE_ERROR)
}

pub fn parse_server_hello(
algs: &Algorithms,
sh: &HandshakeData,
Expand All @@ -800,7 +804,10 @@ pub fn parse_server_hello(
Err(_) => unsupported_cipher_alert()?,
};
next = next + 2;
check_eq(&comp, &sh.slice_range(next..next + 1))?;
match check_eq(&comp, &sh.slice_range(next..next + 1)) {
Ok(_) => (),
Err(_) => invalid_compression_method_alert()?,
};
next = next + 1;
check_lbytes2_full(&sh.slice_range(next..sh.len()))?;
next = next + 2;
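Review bot: `invalid_compression_method_alert` is added without a doc comment, and its name suggests an alert while the visible body only returns `tlserr(DECODE_ERROR)`. A line such as `/// Returns DECODE_ERROR; used when the ServerHello compression method is not the expected value.` would make that explicit. It is also worth a sentence on why this case maps to the generic `DECODE_ERROR` while the server path in simple_https_server/src/lib.rs has a dedicated `INVALID_COMPRESSION_LIST` code, since the client's log line for it is only "Decode error.". `parse_server_hello` continues outside the hunk.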
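--- a/src/tls13utils.rs
+++ b/src/tls13utils.rs
@@ -28,6 +28,7 @@ pub const APPLICATION_DATA_INSTEAD_OF_HANDSHAKE: TLSError = 138u8;
 pub const MISSING_KEY_SHARE: TLSError = 139u8;
 pub const INVALID_SIGNATURE: TLSError = 140u8;
 pub const GOT_HANDSHAKE_FAILURE_ALERT: TLSError = 141u8;
+pub const DECODE_ERROR: TLSError = 142u8;
 
 pub fn error_string(c: u8) -> String {
 format!("{}", c)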