From 3a58b462b6c64435c233a13c766ca6169c09eb65 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 22 Feb 2022 16:42:29 +0800 Subject: [PATCH] add pss_rsae_sha{384,512} Signed-off-by: Jerry Yu --- library/ssl_misc.h | 4 +++ library/ssl_tls13_generic.c | 23 ++++++++++++- programs/ssl/ssl_client2.c | 10 ++++++ tests/ssl-opt.sh | 66 +++++++++++++++++++++++++++++++++++++ 4 files changed, 102 insertions(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a02b712ceb..cb9b6aaa79 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2058,6 +2058,10 @@ static inline int mbedtls_ssl_sig_alg_is_supported( defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: break; + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + break; + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + break; #endif /* MBEDTLS_SHA256_C && MBEDTLS_X509_RSASSA_PSS_SUPPORT */ diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 8b0f668e9c..913280e0e5 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c 
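Review bot: The two new cases in mbedtls_ssl_sig_alg_is_supported sit inside a block that, judging from its closing `#endif /* MBEDTLS_SHA256_C && MBEDTLS_X509_RSASSA_PSS_SUPPORT */`, is conditioned on SHA-256 only, so rsa_pss_rsae_sha384 and rsa_pss_rsae_sha512 are reported as supported in a build where MBEDTLS_SHA384_C or MBEDTLS_SHA512_C is disabled. The parser hunk in ssl_tls13_generic.c in this same patch guards those two cases with MBEDTLS_SHA384_C / MBEDTLS_SHA512_C, so such a build would offer an algorithm in signature_algorithms that it then rejects as "Unknown signature algorithm." when the peer uses it. Wrap each new case to match the parser: `#if defined(MBEDTLS_SHA384_C)` around the SHA384 case and `#if defined(MBEDTLS_SHA512_C)` around the SHA512 case. The function and the opening `#if` of this block begin above the hunk.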
@@ -350,11 +350,26 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl, sig_alg = MBEDTLS_PK_ECDSA; break; #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) +#if defined(MBEDTLS_SHA256_C) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) ); md_alg = MBEDTLS_MD_SHA256; sig_alg = MBEDTLS_PK_RSASSA_PSS; break; +#endif /* MBEDTLS_SHA256_C */ + +#if defined(MBEDTLS_SHA384_C) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + md_alg = MBEDTLS_MD_SHA384; + sig_alg = MBEDTLS_PK_RSASSA_PSS; + break; +#endif /* MBEDTLS_SHA384_C */ + +#if defined(MBEDTLS_SHA512_C) + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + md_alg = MBEDTLS_MD_SHA256; + sig_alg = MBEDTLS_PK_RSASSA_PSS; + break; +#endif /* MBEDTLS_SHA512_C */ #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); @@ -1062,6 +1077,8 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, { md_alg = MBEDTLS_MD_SHA256; algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256; + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "signature algorthm is rsa_pss_rsae_sha256" ) ); } else if( own_key_size <= 3072 && mbedtls_ssl_sig_alg_is_received( ssl, @@ -1069,6 +1086,8 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, { md_alg = MBEDTLS_MD_SHA384; algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384; + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "signature algorthm is rsa_pss_rsae_sha384" ) ); } else if( own_key_size <= 4096 && mbedtls_ssl_sig_alg_is_received( ssl, @@ -1076,6 +1095,8 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl, { md_alg = MBEDTLS_MD_SHA512; algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512; + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "signature algorthm is rsa_pss_rsae_sha512" ) ); } else { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index f83af070b8..d8a3a4e540 100644 
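Review bot: The new rsa_pss_rsae_sha512 case in ssl_tls13_parse_certificate_verify sets `md_alg = MBEDTLS_MD_SHA256;`, a copy of the SHA256 case, while the SHA384 case directly above it correctly selects MBEDTLS_MD_SHA384; it should read `md_alg = MBEDTLS_MD_SHA512;`. With the wrong digest, the transcript hash and (presumably) the PSS parameters derived from md_alg further down the function will not match what the peer used, so a valid rsa_pss_rsae_sha512 CertificateVerify is rejected and the handshake fails. None of the ssl-opt.sh tests added in this patch appear to drive this verify path, which is likely why it went unnoticed; a test in which the peer signs with rsa_pss_rsae_sha512 would catch it. The function begins above the hunk and its use of md_alg continues below it.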
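Review bot: The trace added in ssl_tls13_write_certificate_verify_body misspells "algorithm" (`"signature algorthm is rsa_pss_rsae_sha256"`), and the same misspelling is repeated in the two following hunks for sha384 and sha512; since ssl-opt.sh tests grep for such strings, fix it before a test starts depending on the typo: `( "signature algorithm is rsa_pss_rsae_sha256" )` and likewise for the other two. Level 1 is the level this file uses for errors (the "Unknown signature algorithm." message in the parse hunk), whereas the "using RSA PSS" trace this patch removes was at level 4; a routine informational trace like this one fits better at level 3 so it does not show up in error-level logs. The enclosing function starts and ends outside these hunks.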
--- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1542,6 +1542,14 @@ int main( int argc, char *argv[] ) { sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256; } + else if( strcmp( q, "rsa_pss_rsae_sha384" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384; + } + else if( strcmp( q, "rsa_pss_rsae_sha512" ) == 0 ) + { + sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512; + } else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 ) { sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256; @@ -1554,6 +1562,8 @@ int main( int argc, char *argv[] ) mbedtls_printf( "ecdsa_secp384r1_sha384 " ); mbedtls_printf( "ecdsa_secp521r1_sha512 " ); mbedtls_printf( "rsa_pss_rsae_sha256 " ); + mbedtls_printf( "rsa_pss_rsae_sha384 " ); + mbedtls_printf( "rsa_pss_rsae_sha512 " ); mbedtls_printf( "rsa_pkcs1_sha256 " ); mbedtls_printf( "\n" ); goto exit; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 44a754650d..aff2411e6e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -10060,6 +10060,72 @@ run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \ -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \ -c "Protocol is TLSv1.3" +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - openssl" \ + "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ + "$P_CLI debug_level=4 force_version=tls13 crt_file=data_files/cert_sha256.crt \ + key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \ + 0 \ + -c "got a certificate request" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \ + -c "Protocol is TLSv1.3" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \ + "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ + "$P_CLI debug_level=3 force_version=tls13 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \ + 0 \ + -c "got a certificate request" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \ + -c "Protocol is TLSv1.3" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_RSA_C 
+requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - openssl" \ + "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ + "$P_CLI debug_level=4 force_version=tls13 crt_file=data_files/cert_sha256.crt \ + key_file=data_files/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \ + 0 \ + -c "got a certificate request" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \ + -c "Protocol is TLSv1.3" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \ + "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ + "$P_CLI debug_level=3 force_version=tls13 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \ + 0 \ + -c "got a certificate request" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \ + -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \ + -c "Protocol is TLSv1.3" + requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_DEBUG_C
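Review bot: The four new tests assert only the generic client states and the protocol version, the same checks as the existing rsa_pss_rsae_sha256 tests, so they pass whether or not the client actually selected rsa_pss_rsae_sha384/512; nothing in the expected output pins the algorithm. This patch adds a level-1 trace for the choice in ssl_tls13_write_certificate_verify_body, so each test can pin it with one more expectation, e.g. `-c "signature algorthm is rsa_pss_rsae_sha384"` (matching whatever spelling that message ends up with); debug_level=4 and debug_level=3 are both high enough to emit it. Note also that these are client-authentication tests and therefore cover the client's signing path only; whether the client's parsing of an rsa_pss_rsae_sha384/512 CertificateVerify is exercised depends on the certificate type configured in $O_NEXT_SRV/$G_NEXT_SRV, which is defined outside this hunk, so an explicit server-signing test for each new algorithm would cover the verify path regardless.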