diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 8230163a13..bd8c14d377 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1925,8 +1925,12 @@ static inline const void *mbedtls_ssl_get_sig_algs(
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
- if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
+ if( ssl->handshake != NULL &&
+ ssl->handshake->sig_algs_heap_allocated == 1 &&
+ ssl->handshake->sig_algs != NULL )
+ {
 return( ssl->handshake->sig_algs );
+ }
 #endif
 return( ssl->conf->sig_algs );
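Review bot: The added `sig_algs_heap_allocated == 1` condition has no comment saying what the flag guards, and the reason only becomes clear from the ssl_handshake_init() hunk in ssl_tls.c, which stops assigning `ssl->handshake->sig_algs` in the branch that sets the flag to 0. A short comment above the `if` would carry that, for example `/* handshake->sig_algs is only meaningful when it was allocated for this handshake; otherwise fall back to conf->sig_algs */`. Code outside this diff that still reads `ssl->handshake->sig_algs` directly would now see an unset pointer in that branch, which is worth confirming. The function body starts before the hunk.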
@@ -1972,97 +1976,177 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl return( 0 ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg ) { - *pk_type = MBEDTLS_PK_NONE; - *md_alg = MBEDTLS_MD_NONE; + *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff ); + *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff ); + + if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE ) + return( 0 ); switch( sig_alg ) { -#if defined(MBEDTLS_ECDSA_C) - -#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) - case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: - *md_alg = MBEDTLS_MD_SHA256; - *pk_type = MBEDTLS_PK_ECDSA; - break; -#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ - -#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) - case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: - *md_alg = MBEDTLS_MD_SHA384; - *pk_type = MBEDTLS_PK_ECDSA; - break; -#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ - -#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) - case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: - *md_alg = MBEDTLS_MD_SHA512; - *pk_type = MBEDTLS_PK_ECDSA; - break; -#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ - -#endif /* MBEDTLS_ECDSA_C */ - -#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - +#if defined(MBEDTLS_PKCS1_V21) #if defined(MBEDTLS_SHA256_C) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: *md_alg = MBEDTLS_MD_SHA256; *pk_type = MBEDTLS_PK_RSASSA_PSS; break; #endif /* MBEDTLS_SHA256_C */ - #if defined(MBEDTLS_SHA384_C) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: *md_alg = MBEDTLS_MD_SHA384; *pk_type = MBEDTLS_PK_RSASSA_PSS; break; #endif /* MBEDTLS_SHA384_C */ - #if defined(MBEDTLS_SHA512_C) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: *md_alg = MBEDTLS_MD_SHA512; 
*pk_type = MBEDTLS_PK_RSASSA_PSS; break; #endif /* MBEDTLS_SHA512_C */ - -#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ - -#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) - -#if defined(MBEDTLS_SHA256_C) - case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: - *md_alg = MBEDTLS_MD_SHA256; - *pk_type = MBEDTLS_PK_RSA; - break; -#endif /* MBEDTLS_SHA256_C */ - -#if defined(MBEDTLS_SHA384_C) - case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: - *md_alg = MBEDTLS_MD_SHA384; - *pk_type = MBEDTLS_PK_RSA; - break; -#endif /* MBEDTLS_SHA384_C */ - -#if defined(MBEDTLS_SHA512_C) - case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: - *md_alg = MBEDTLS_MD_SHA512; - *pk_type = MBEDTLS_PK_RSA; - break; -#endif /* MBEDTLS_SHA512_C */ - -#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */ - +#endif /* MBEDTLS_PKCS1_V21 */ default: return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); } return( 0 ); } + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( + const uint16_t sig_alg ) +{ + switch( sig_alg ) + { +#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: + break; +#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: + break; +#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ +#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: + break; +#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ +#endif /* MBEDTLS_ECDSA_C */ + +#if defined(MBEDTLS_PKCS1_V21) +#if defined(MBEDTLS_SHA256_C) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: + break; +#endif /* MBEDTLS_SHA256_C */ +#if defined(MBEDTLS_SHA384_C) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + break; +#endif /* MBEDTLS_SHA384_C */ +#if 
defined(MBEDTLS_SHA512_C) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + break; +#endif /* MBEDTLS_SHA512_C */ +#endif /* MBEDTLS_PKCS1_V21 */ + default: + return( 0 ); + } + return( 1 ); + +} + +static inline int mbedtls_ssl_tls13_sig_alg_is_supported( + const uint16_t sig_alg ) +{ + switch( sig_alg ) + { +#if defined(MBEDTLS_PKCS1_V15) +#if defined(MBEDTLS_SHA256_C) + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: + break; +#endif /* MBEDTLS_SHA256_C */ +#if defined(MBEDTLS_SHA384_C) + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: + break; +#endif /* MBEDTLS_SHA384_C */ +#if defined(MBEDTLS_SHA512_C) + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: + break; +#endif /* MBEDTLS_SHA512_C */ +#endif /* MBEDTLS_PKCS1_V15 */ + default: + return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( + sig_alg ) ); + } + return( 1 ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static inline int mbedtls_ssl_tls12_sig_alg_is_supported( + const uint16_t sig_alg ) +{ + /* High byte is hash */ + unsigned char hash = MBEDTLS_BYTE_1( sig_alg ); + unsigned char sig = MBEDTLS_BYTE_0( sig_alg ); + + switch( hash ) + { +#if defined(MBEDTLS_MD5_C) + case MBEDTLS_SSL_HASH_MD5: + break; +#endif + +#if defined(MBEDTLS_SHA1_C) + case MBEDTLS_SSL_HASH_SHA1: + break; +#endif + +#if defined(MBEDTLS_SHA224_C) + case MBEDTLS_SSL_HASH_SHA224: + break; +#endif + +#if defined(MBEDTLS_SHA256_C) + case MBEDTLS_SSL_HASH_SHA256: + break; +#endif + +#if defined(MBEDTLS_SHA384_C) + case MBEDTLS_SSL_HASH_SHA384: + break; +#endif + +#if defined(MBEDTLS_SHA512_C) + case MBEDTLS_SSL_HASH_SHA512: + break; +#endif + + default: + return( 0 ); + } + + switch( sig ) + { +#if defined(MBEDTLS_RSA_C) + case MBEDTLS_SSL_SIG_RSA: + break; +#endif + +#if defined(MBEDTLS_ECDSA_C) + case MBEDTLS_SSL_SIG_ECDSA: + break; +#endif + + default: + return( 0 ); + } + + return( 1 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + static inline int mbedtls_ssl_sig_alg_is_supported( const 
mbedtls_ssl_context *ssl, const uint16_t sig_alg ) @@ -2071,79 +2155,28 @@ static inline int mbedtls_ssl_sig_alg_is_supported( #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 ) { - /* High byte is hash */ - unsigned char hash = MBEDTLS_BYTE_1( sig_alg ); - unsigned char sig = MBEDTLS_BYTE_0( sig_alg ); - - switch( hash ) - { -#if defined(MBEDTLS_MD5_C) - case MBEDTLS_SSL_HASH_MD5: - break; -#endif - -#if defined(MBEDTLS_SHA1_C) - case MBEDTLS_SSL_HASH_SHA1: - break; -#endif - -#if defined(MBEDTLS_SHA224_C) - case MBEDTLS_SSL_HASH_SHA224: - break; -#endif - -#if defined(MBEDTLS_SHA256_C) - case MBEDTLS_SSL_HASH_SHA256: - break; -#endif - -#if defined(MBEDTLS_SHA384_C) - case MBEDTLS_SSL_HASH_SHA384: - break; -#endif - -#if defined(MBEDTLS_SHA512_C) - case MBEDTLS_SSL_HASH_SHA512: - break; -#endif - - default: - return( 0 ); - } - - switch( sig ) - { -#if defined(MBEDTLS_RSA_C) - case MBEDTLS_SSL_SIG_RSA: - break; -#endif - -#if defined(MBEDTLS_ECDSA_C) - case MBEDTLS_SSL_SIG_ECDSA: - break; -#endif - - default: - return( 0 ); - } - - return( 1 ); + return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) ); } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 ) { - mbedtls_pk_type_t pk_type; - mbedtls_md_type_t md_alg; - return( ! mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( - sig_alg, &pk_type, &md_alg ) ); + return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) ); } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ ((void) ssl); ((void) sig_alg); return( 0 ); } + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + +int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, + mbedtls_pk_context *key ); + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 
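Review bot: mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg() no longer acts as a TLS 1.3 allow-list: it now returns 0 whenever the two bytes decode through `mbedtls_ssl_pk_alg_from_sig()` and `mbedtls_ssl_md_alg_from_hash()`, which presumably covers TLS 1.2-style pairs (weaker hashes included, depending on the build) that the old `switch` rejected. Callers that rely on the return value to refuse an algorithm should gate on `mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported()` first, and the function deserves a comment saying it only decodes. On the `default:` path the outputs are also left half-decoded rather than reset, so `*pk_type = MBEDTLS_PK_NONE; *md_alg = MBEDTLS_MD_NONE;` before `return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );` would restore the old contract.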
@@ -2279,10 +2312,6 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
 const unsigned char *end );
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm );
-
 #if defined(MBEDTLS_SSL_ALPN)
 int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
 const unsigned char *buf,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1969738572..89faa50bd3 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -853,10 +853,9 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 else
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 {
- ssl->handshake->sig_algs = ssl->conf->sig_algs;
 ssl->handshake->sig_algs_heap_allocated = 0;
 }
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 return( 0 );
 }
@@ -4027,28 +4026,6 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
 }
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/* The selection should be the same as mbedtls_x509_crt_profile_default in
- * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
- * for no fundamental reason.
- * See the documentation of mbedtls_ssl_conf_curves() for what we promise
- * about this list. */
-static int ssl_preset_default_hashes[] = {
-#if defined(MBEDTLS_SHA512_C)
- MBEDTLS_MD_SHA512,
-#endif
-#if defined(MBEDTLS_SHA384_C)
- MBEDTLS_MD_SHA384,
-#endif
-#if defined(MBEDTLS_SHA256_C)
- MBEDTLS_MD_SHA256,
-#endif
- MBEDTLS_MD_NONE
-};
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
 /* The selection should be the same as mbedtls_x509_crt_profile_default in
 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
 * curves with a lower resource usage come first.
@@ -4090,17 +4067,6 @@ static int ssl_preset_suiteb_ciphersuites[] = {
 };
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-static int ssl_preset_suiteb_hashes[] = {
-#if defined(MBEDTLS_SHA256_C)
- MBEDTLS_MD_SHA256,
-#endif
-#if defined(MBEDTLS_SHA384_C)
- MBEDTLS_MD_SHA384,
-#endif
- MBEDTLS_MD_NONE
-};
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /* NOTICE:
 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
@@ -4109,6 +4075,13 @@ static int ssl_preset_suiteb_hashes[] = {
 * - But if there is a good reason, do not change the order of the algorithms.
 * - ssl_tls12_present* is for TLS 1.2 use only.
 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
+ *
+ * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
+ * declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
+ * `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
+ * the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
+ * for its signature in the key exchange message. As Mbed TLS 1.2 does not
+ * support them, the handshake fails.
 */
 static uint16_t ssl_preset_default_sig_algs[] = {
@@ -4130,10 +4103,6 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
-
 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
@@ -4146,6 +4115,18 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA384_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
+
 MBEDTLS_TLS_SIG_NONE
 };
@@ -4429,9 +4410,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = ssl_preset_suiteb_hashes;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 if( mbedtls_ssl_conf_is_tls12_only( conf ) )
 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
@@ -4458,9 +4436,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = ssl_preset_default_hashes;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 if( mbedtls_ssl_conf_is_tls12_only( conf ) )
 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
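Review bot: Placing the `rsa_pss_rsae_*` entries behind `rsa_pkcs1_*` means a peer that honours this order will pick RSA PKCS#1 v1.5 ahead of RSA-PSS wherever both are acceptable to it, and the NOTICE comment only explains the interoperability reason, not that trade-off; it should say so, so that a later reorder is a conscious decision. The new entries are guarded by `MBEDTLS_X509_RSASSA_PSS_SUPPORT`, while mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported() in ssl_misc.h guards the same code points with `MBEDTLS_PKCS1_V21`. If the two options can differ in a build, the default list would offer no algorithm usable for a TLS 1.3 CertificateVerify with an RSA key, so one guard in both places, e.g. `#if defined(MBEDTLS_PKCS1_V21) && defined(MBEDTLS_SHA512_C)`, looks safer. The array starts before this hunk.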
@@ -4945,13 +4920,20 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
 sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
 p += 2;
-
- MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
- sig_alg ) );
-
- if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
- ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x %s",
+ sig_alg,
+ mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+ if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+ ( ! ( mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) &&
+ mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ) ) )
+ {
 continue;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "valid signature algorithm: %s",
+ mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
 if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
 {
@@ -8189,12 +8171,17 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
 {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "got signature scheme [%x] %s",
+ *sig_alg,
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
 if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
 continue;
 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
 p += 2;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "sent signature scheme [%x] %s",
+ *sig_alg,
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
 }
 /* Length of supported_signature_algorithms */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 10024143ba..8ec9f90bb0 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
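Review bot: The supported/offered filter in mbedtls_ssl_parse_sig_alg_ext() now runs only when `ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2`, so in every other case each code point the peer sends is stored unfiltered and takes a slot of the `MBEDTLS_RECEIVED_SIG_ALGS_SIZE` buffer. A peer that lists many algorithms this build cannot use ahead of the usable ones could crowd those out, depending on what follows the `common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE` check (outside the hunk). Either keep a cheap filter for TLS 1.3 as well, such as `if( ! mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) ) continue;`, or document that every consumer of `received_sig_algs` must re-validate each entry. The new `"valid signature algorithm: %s"` message is also printed for entries that were never checked; `"stored signature algorithm: %s"` would be accurate.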
@@ -850,120 +850,84 @@ cleanup: /* * STATE HANDLING: Output Certificate Verify */ -int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl, - mbedtls_pk_context *own_key, - uint16_t *algorithm ) -{ - mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key ); - /* Determine the size of the key */ - size_t own_key_size = mbedtls_pk_get_bitlen( own_key ); - *algorithm = MBEDTLS_TLS1_3_SIG_NONE; - ((void) own_key_size); - switch( sig ) +int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg, + mbedtls_pk_context *key ) +{ + mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk( key ); + size_t key_size = mbedtls_pk_get_bitlen( key ); + + switch( pk_type ) { -#if defined(MBEDTLS_ECDSA_C) case MBEDTLS_SSL_SIG_ECDSA: - switch( own_key_size ) + switch( key_size ) { case 256: - *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; - return( 0 ); + return( + sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 ); + case 384: - *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; - return( 0 ); + return( + sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 ); + case 521: - *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; - return( 0 ); + return( + sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 ); default: - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "unknown key size: %" - MBEDTLS_PRINTF_SIZET " bits", - own_key_size ) ); break; } break; -#endif /* MBEDTLS_ECDSA_C */ -#if defined(MBEDTLS_RSA_C) case MBEDTLS_SSL_SIG_RSA: -#if defined(MBEDTLS_PKCS1_V21) -#if defined(MBEDTLS_SHA256_C) - if( own_key_size <= 2048 && - mbedtls_ssl_sig_alg_is_received( ssl, - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) ) + switch( sig_alg ) { - *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256; - return( 0 ); - } - else -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) - if( own_key_size <= 3072 && - mbedtls_ssl_sig_alg_is_received( ssl, - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) ) - { - *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384; - return( 0 ); - 
} - else -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) - if( own_key_size <= 4096 && - mbedtls_ssl_sig_alg_is_received( ssl, - MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) ) - { - *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512; - return( 0 ); - } - else -#endif /* MBEDTLS_SHA512_C */ -#endif /* MBEDTLS_PKCS1_V21 */ -#if defined(MBEDTLS_PKCS1_V15) -#if defined(MBEDTLS_SHA256_C) - if( own_key_size <= 2048 && - mbedtls_ssl_sig_alg_is_received( ssl, - MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) ) - { - *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256; - return( 0 ); - } - else -#endif /* MBEDTLS_SHA256_C */ -#if defined(MBEDTLS_SHA384_C) - if( own_key_size <= 3072 && - mbedtls_ssl_sig_alg_is_received( ssl, - MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) ) - { - *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384; - return( 0 ); - } - else -#endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_SHA512_C) - if( own_key_size <= 4096 && - mbedtls_ssl_sig_alg_is_received( ssl, - MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) ) - { - *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512; - return( 0 ); - } - else -#endif /* MBEDTLS_SHA512_C */ -#endif /* MBEDTLS_PKCS1_V15 */ - { - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "unknown key size: %" - MBEDTLS_PRINTF_SIZET " bits", - own_key_size ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: + return( key_size <= 3072 ); + + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + return( key_size <= 7680 ); + + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + return( 1 ); + + default: + break; } break; -#endif /* MBEDTLS_RSA_C */ + default: - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "unknown signature type : %u", sig ) ); break; } + + return( 0 ); +} + +static int ssl_tls13_select_sig_alg_for_certificate_verify( + mbedtls_ssl_context *ssl, + mbedtls_pk_context *own_key, + uint16_t *algorithm ) +{ + uint16_t *sig_alg = ssl->handshake->received_sig_algs; + + *algorithm = MBEDTLS_TLS1_3_SIG_NONE; + for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ ) + { + if( 
mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) && + mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) && + mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "select_sig_alg_for_certificate_verify:" + "selected signature algorithm %s [%04x]", + mbedtls_ssl_sig_alg_to_str( *sig_alg ), + *sig_alg ) ); + *algorithm = *sig_alg; + return( 0 ); + } + } + MBEDTLS_SSL_DEBUG_MSG( 2, + ( "select_sig_alg_for_certificate_verify:" + "no suitable signature algorithm found" ) ); return( -1 ); } @@ -1020,8 +984,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, * opaque signature<0..2^16-1>; * } CertificateVerify; */ - ret = mbedtls_ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm ); - if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) ) + ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key, + &algorithm ); + if( ret != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm not in received or offered list." ) ); @@ -1034,6 +999,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } + MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s", + mbedtls_ssl_sig_alg_to_str( algorithm )) ); + if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( algorithm, &pk_type, &md_alg ) != 0 ) { diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index ffbbbcfa5e..144c70d472 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -352,7 +352,6 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl ) { mbedtls_ssl_key_cert *key_cert, *key_cert_list; const uint16_t *sig_alg = ssl->handshake->received_sig_algs; - uint16_t key_sig_alg; #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ssl->handshake->sni_key_cert != NULL ) 
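Review bot: In mbedtls_ssl_tls13_check_sig_alg_cert_key_match() the ECDSA branch decides on `key_size` alone, so any 256-bit EC key is reported as matching `ecdsa_secp256r1_sha256` even if it sits on another 256-bit curve the build may enable; the TLS 1.3 scheme fixes the curve, so the check should compare the key's group as well, or carry a comment stating why only the three NIST curves can reach it. The RSA limits `key_size <= 3072` and `key_size <= 7680` are unexplained and refuse larger keys for the smaller hashes, which ends in a handshake failure when the peer offers only those; a comment such as `/* presumably pairs hash strength with modulus size; larger keys need a stronger hash */`, confirmed by the author, would record the intent. `pk_type` is declared `mbedtls_pk_type_t` but is compared against `MBEDTLS_SSL_SIG_*` case labels, so a plain integer type and a name like `sig` would be more honest. The return convention (1 on match, 0 otherwise) differs from ssl_tls13_select_sig_alg_for_certificate_verify() just below (0 on success) and should be documented at the declaration in ssl_misc.h.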
@@ -372,7 +371,6 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 for( key_cert = key_cert_list; key_cert != NULL; key_cert = key_cert->next )
 {
- int ret;
 MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate", key_cert->cert );
@@ -391,13 +389,21 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 continue;
 }
- ret = mbedtls_ssl_tls13_get_sig_alg_from_pk(
- ssl, &key_cert->cert->pk, &key_sig_alg );
- if( ret != 0 )
- continue;
- if( *sig_alg == key_sig_alg )
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "ssl_tls13_pick_key_cert:"
+ "check signature algorithm %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+ *sig_alg ) );
+ if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
+ *sig_alg, &key_cert->cert->pk ) )
 {
 ssl->handshake->key_cert = key_cert;
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "ssl_tls13_pick_key_cert:"
+ "selected signature algorithm"
+ " %s [%04x]",
+ mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+ *sig_alg ) );
 MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate (chain)", ssl->handshake->key_cert->cert );
@@ -406,6 +412,8 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 }
 }
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
+ "no suitable certificate found" ) );
 return( -1 );
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C &&
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 97b786a763..d6724dfb11 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
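Review bot: ssl_tls13_pick_key_cert() accepts a certificate as soon as `mbedtls_ssl_tls13_check_sig_alg_cert_key_match()` succeeds for a received algorithm, without the `mbedtls_ssl_sig_alg_is_offered()` and `mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported()` tests that ssl_tls13_select_sig_alg_for_certificate_verify() applies later. Because mbedtls_ssl_parse_sig_alg_ext() no longer filters the received list outside TLS 1.2, a certificate can be chosen here on the strength of an algorithm the later selection will not use, and if no other received algorithm fits that key the handshake fails even though another entry in `key_cert_list` might have worked. Using the same three-part condition in both places avoids that: `if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) && mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) && mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, &key_cert->cert->pk ) )`. The loops and the function start before this hunk.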
@@ -1534,7 +1534,19 @@ int main( int argc, char *argv[] )
 if( *p == ',' )
 *p++ = '\0';
- if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
+ if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
+ }
+ else if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
 {
 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
 }
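Review bot: The name-to-code-point mapping is now maintained by hand in three places: this `else if` chain (continued in the next hunk), the identical chain in the two ssl_server2.c hunks, and the list printed by mbedtls_print_supported_sig_algs() in ssl_test_common_source.c. A single table in ssl_test_common_source.c, searched by both programs and printed by the helper, would keep them from drifting apart. The bound on `i` for `sig_alg_list[i++]` is not visible in the hunk; confirm the surrounding loop enforces it. main() starts and ends outside the hunk.

```c
/* ssl_test_common_source.c: one table for parsing and for the usage text */
static const struct
{
    const char *name;
    uint16_t value;
} ssl_test_sig_alg_names[] = {
    { "rsa_pkcs1_sha256", MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 },
    { "rsa_pkcs1_sha384", MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 },
    { "rsa_pkcs1_sha512", MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 },
    /* … remaining names exactly as in the else-if chain … */
};

/* Returns 0 and stores the code point, or -1 if the name is unknown. */
static int ssl_test_sig_alg_from_name( const char *name, uint16_t *value )
{
    size_t k;
    for( k = 0; k < sizeof( ssl_test_sig_alg_names ) /
                    sizeof( ssl_test_sig_alg_names[0] ); k++ )
    {
        if( strcmp( name, ssl_test_sig_alg_names[k].name ) == 0 )
        {
            *value = ssl_test_sig_alg_names[k].value;
            return( 0 );
        }
    }
    return( -1 );
}
```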
@@ -1558,22 +1570,39 @@ int main( int argc, char *argv[] )
 {
 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
 }
- else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ else if( strcmp( q, "ed25519" ) == 0 )
 {
- sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED25519;
+ }
+ else if( strcmp( q, "ed448" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED448;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1;
+ }
+ else if( strcmp( q, "ecdsa_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SHA1;
 }
 else
 {
- mbedtls_printf( "unknown signature algorithm %s\n", q );
- mbedtls_printf( "supported signature algorithms: " );
- mbedtls_printf( "ecdsa_secp256r1_sha256 " );
- mbedtls_printf( "ecdsa_secp384r1_sha384 " );
- mbedtls_printf( "ecdsa_secp521r1_sha512 " );
- mbedtls_printf( "rsa_pss_rsae_sha256 " );
- mbedtls_printf( "rsa_pss_rsae_sha384 " );
- mbedtls_printf( "rsa_pss_rsae_sha512 " );
- mbedtls_printf( "rsa_pkcs1_sha256 " );
- mbedtls_printf( "\n" );
+ ret = -1;
+ mbedtls_printf( "unknown signature algorithm \"%s\"\n", q );
+ mbedtls_print_supported_sig_algs();
 goto exit;
 }
 }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 5231fe4d37..8e432bde89 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2379,7 +2379,19 @@ int main( int argc, char *argv[] )
 if( *p == ',' )
 *p++ = '\0';
- if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
+ if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
+ }
+ else if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
 {
 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
 }
@@ -2403,22 +2415,39 @@ int main( int argc, char *argv[] )
 {
 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
 }
- else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
+ else if( strcmp( q, "ed25519" ) == 0 )
 {
- sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED25519;
+ }
+ else if( strcmp( q, "ed448" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED448;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha384" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384;
+ }
+ else if( strcmp( q, "rsa_pss_pss_sha512" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512;
+ }
+ else if( strcmp( q, "rsa_pkcs1_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1;
+ }
+ else if( strcmp( q, "ecdsa_sha1" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SHA1;
 }
 else
 {
- mbedtls_printf( "unknown signature algorithm %s\n", q );
- mbedtls_printf( "supported signature algorithms: " );
- mbedtls_printf( "ecdsa_secp256r1_sha256 " );
- mbedtls_printf( "ecdsa_secp384r1_sha384 " );
- mbedtls_printf( "ecdsa_secp521r1_sha512 " );
- mbedtls_printf( "rsa_pss_rsae_sha256 " );
- mbedtls_printf( "rsa_pss_rsae_sha384 " );
- mbedtls_printf( "rsa_pss_rsae_sha512 " );
- mbedtls_printf( "rsa_pkcs1_sha256 " );
- mbedtls_printf( "\n" );
+ ret = -1;
+ mbedtls_printf( "unknown signature algorithm \"%s\"\n", q );
+ mbedtls_print_supported_sig_algs();
 goto exit;
 }
 }
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 0e66895dbd..ad9dcdd5bf 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -263,12 +263,32 @@ int send_cb( void *ctx, unsigned char const *buf, size_t len )
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/*
+ * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
+ * declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
+ * `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
+ * the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
+ * for its signature in the key exchange message. As Mbed TLS 1.2 does not
+ * support them, the handshake fails.
+ */
+#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
+ (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA), \
+ ( 0x800 | hash ),
+#else
 #define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
 (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
+#endif
 #elif defined(MBEDTLS_ECDSA_C)
 #define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
 #elif defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+/* See above */
+#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA), \
+ ( 0x800 | hash ),
+#else
 #define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
+#endif
 #else
 #define MBEDTLS_SSL_SIG_ALG( hash )
 #endif
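Review bot: The new element `( 0x800 | hash )` only yields an `rsa_pss_rsae_*` code point when `hash` is the SHA-256, SHA-384 or SHA-512 identifier; if MBEDTLS_SSL_SIG_ALG is also expanded for other hashes (its uses are outside the hunk), the test list would advertise values that are not `rsa_pss_rsae_*` schemes at all. The constant is unexplained and `hash` is unparenthesised in every element. A comment such as `/* 0x0800 | hash is rsa_pss_rsae_sha{256,384,512} for hash = SHA256/384/512 only */` together with `( 0x0800 | ( hash ) )` would make the limit visible, or the PSS entries could be listed explicitly with the `MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_*` names. The same applies to the RSA-only variant further down in this hunk.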
@@ -330,3 +350,25 @@ int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
 #endif /* MBEDTLS_X509_REMOVE_INFO */
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_print_supported_sig_algs( void )
+{
+ mbedtls_printf( "supported signature algorithms:\n" );
+ mbedtls_printf("\trsa_pkcs1_sha256 ");
+ mbedtls_printf("rsa_pkcs1_sha384 ");
+ mbedtls_printf("rsa_pkcs1_sha512\n");
+ mbedtls_printf("\tecdsa_secp256r1_sha256 ");
+ mbedtls_printf("ecdsa_secp384r1_sha384 ");
+ mbedtls_printf("ecdsa_secp521r1_sha512\n");
+ mbedtls_printf("\trsa_pss_rsae_sha256 ");
+ mbedtls_printf("rsa_pss_rsae_sha384 ");
+ mbedtls_printf("rsa_pss_rsae_sha512\n");
+ mbedtls_printf("\trsa_pss_pss_sha256 ");
+ mbedtls_printf("rsa_pss_pss_sha384 ");
+ mbedtls_printf("rsa_pss_pss_sha512\n");
+ mbedtls_printf("\ted25519 ");
+ mbedtls_printf("ed448 ");
+ mbedtls_printf("rsa_pkcs1_sha1 ");
+ mbedtls_printf("ecdsa_sha1\n");
+ mbedtls_printf( "\n" );
+}
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index af327911b3..46ba653a43 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
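Review bot: mbedtls_print_supported_sig_algs() titles its output `supported signature algorithms`, but the list is the set of names the command-line parsers accept; `ed25519`, `ed448`, `rsa_pss_pss_*`, `rsa_pkcs1_sha1` and `ecdsa_sha1` have no case in the mbedtls_ssl_tls13_sig_alg_is_supported() that this commit adds to ssl_misc.h. A heading like `"accepted signature algorithm names:\n"` would avoid suggesting the library can negotiate them. The function also has no doc comment, and its calls mix `mbedtls_printf("...")` with the `mbedtls_printf( "..." )` spacing used on its first and last lines.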
@@ -11915,6 +11915,229 @@ run_test "TLS 1.3 G->m HRR both with middlebox compat support" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \ -c "SSL 3.3 ChangeCipherSpec packet received" +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, m->O" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache + -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \ + "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 0 \ + -c "Protocol is TLSv1.3" \ + -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -c "HTTP/1.0 200 [Oo][Kk]" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, m->G" \ + "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + -d 4 + --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \ + "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 0 \ + -c "Protocol is TLSv1.3" \ + -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -c "HTTP/1.0 200 [Oo][Kk]" + 
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 0 \ + -c "Protocol is TLSv1.3" \ + -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -c "HTTP/1.0 200 [Oo][Kk]" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check signature algorithm order, O->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + -cert data_files/server2-sha256.crt -key data_files/server2.key \ + -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \ + 0 \ + -c "TLSv1.3" \ + -s 
"select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check signature algorithm order, G->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ + --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384" \ + 0 \ + -c "Negotiated version: 3.4" \ + -c "HTTP/1.0 200 [Oo][Kk]" \ + -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ + 
--priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \ + 1 \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256" \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + -cert data_files/server2-sha256.crt -key data_files/server2.key \ + -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \ + 1 \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \ + "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \ + 1 \ + -s 
"ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable certificate, G->m" \ + "$P_SRV debug_level=4 force_version=tls13 + crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + --priority=NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-ECDSA-SECP256R1-SHA256" \ + 1 \ + -s "ssl_tls13_pick_key_cert:no suitable certificate found" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable certificate, O->m" \ + "$P_SRV debug_level=4 force_version=tls13 + crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + -sigalgs ecdsa_secp521r1_sha512:ecdsa_secp256r1_sha256" \ + 1 \ + -s "ssl_tls13_pick_key_cert:no suitable certificate found" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check server no suitable certificate, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 + crt_file=data_files/server2-sha256.crt 
key_file=data_files/server2.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$P_CLI allow_sha1=0 debug_level=4 \ + sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256" \ + 1 \ + -s "ssl_tls13_pick_key_cert:no suitable certificate found" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check client no signature algorithm, m->O" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache + -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \ + "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 1 \ + -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check client no signature algorithm, m->G" \ + "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + -d 4 + --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \ + "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 1 \ + -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check client no signature algorithm, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \ + "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 1 \ + -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index f643335cc0..9932b27a96 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -246,7 +246,7 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2 handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_VERSION_TLS1_2 Handshake, tls1_3 -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2 handshake_version:0:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_VERSION_TLS1_3 Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
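Review bot: The new "TLS 1.3: Check ..." cases in tests/ssl-opt.sh lack guards for the algorithms they rely on. Most of them expect `selected signature algorithm rsa_pss_rsae_sha512`, and they load the `server2` RSA key or the `server5` key, but their `requires_*` lines cover only TLS 1.3, compatibility mode, debug output and client/server support. In a build without RSA-PSS they would fail rather than be skipped. This commit's `ssl_misc.h` change keys the `rsa_pss_rsae_*` cases on `MBEDTLS_PKCS1_V21`, so adding `requires_config_enabled MBEDTLS_PKCS1_V21` to each case that expects an RSA-PSS selection looks like the matching guard. Presumably `MBEDTLS_RSA_C`, and `MBEDTLS_ECDSA_C` where `server5` is used, belong there too.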