diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 48a6369b7a..91cc5b61b9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6370,6 +6370,12 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512,
 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 #endif /* MBEDTLS_ECDSA_C */
+
+ /* RSA algorithms */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256,
+#endif
+
 MBEDTLS_TLS13_SIG_NONE
 };
 
@@ -6383,6 +6389,12 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
 MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384,
 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
 #endif /* MBEDTLS_ECDSA_C */
+
+ /* RSA algorithms */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256,
+#endif
+
 MBEDTLS_TLS13_SIG_NONE
 };
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 12ef4d58c8..6b7a6f84af 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -320,6 +320,11 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
 size_t verify_hash_len;
 
+ void const *opts_ptr = NULL;
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ mbedtls_pk_rsassa_pss_options opts;
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
 /*
 * struct {
 * SignatureScheme algorithm;
@@ -368,6 +373,13 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
 md_alg = MBEDTLS_MD_SHA512;
 sig_alg = MBEDTLS_PK_ECDSA;
 break;
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ case MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256:
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA" ) );
+ md_alg = MBEDTLS_MD_SHA256;
+ sig_alg = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
 default:
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
 goto error;
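Review bot: The `#endif` that closes the new `MBEDTLS_X509_RSASSA_PSS_SUPPORT` block carries no trailing comment, while every neighbouring `#endif` in this array names its condition; `#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */` keeps the file's convention, here and in the suiteb hunk below. Separately, the scheme is gated on an X.509-side option even though what the handshake needs is RSASSA-PSS support in the pk layer; if that option is the intended proxy for "PKCS#1 v2.1 is available", a one-line comment above the `#if` saying so would stop a reader from wondering whether the TLS preset now depends on certificate parsing.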
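Review bot: Adding `MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256` to `ssl_preset_suiteb_sig_algs` changes what the Suite B preset advertises: the entries visible in this hunk are ECDSA-only, which matches the Suite B profile, and an RSA scheme is not part of that profile. Unless the preset is meant to be broader than its name, I would keep this addition to the default preset only; if it is intentional, a comment such as `/* Not Suite B; accepted for interoperability with RSA servers */` should record the decision. The `#endif` should also carry its condition as a comment, as the neighbouring ones do.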
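Review bot: The new `case` maps rsa_pss_rsae_sha256 to `MBEDTLS_PK_RSASSA_PSS`, but nothing in the hunk records that rsa_pss_rsae_* is only valid when the peer's certificate key is a plain rsaEncryption key (RFC 8446 §4.2.3); if that key-type check is done later by a `mbedtls_pk_can_do()` call outside this hunk, a one-line comment here pointing at it would keep the two in step. The debug message could also name what was actually negotiated, e.g. `MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA-PSS (rsae, SHA-256)" ) );`, which is more useful than "using RSA" when reading a trace. The switch belongs to ssl_tls13_parse_certificate_verify, whose body continues outside the hunk.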
@@ -426,8 +438,21 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
 }
 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
 
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
+ {
+ const mbedtls_md_info_t* md_info;
+ opts.mgf1_hash_id = md_alg;
+ if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ opts.expected_salt_len = mbedtls_md_get_size( md_info );
+ opts_ptr = (const void*) &opts;
+ }
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
 
- if( ( ret = mbedtls_pk_verify_ext( sig_alg, NULL,
+ if( ( ret = mbedtls_pk_verify_ext( sig_alg, opts_ptr,
 &ssl->session_negotiate->peer_cert->pk,
 md_alg, verify_hash, verify_hash_len,
 p, signature_len ) ) == 0 )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cb299b159e..204b9754aa 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1534,6 +1534,10 @@ int main( int argc, char *argv[] )
 {
 sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512;
 }
+ else if( strcmp( q, "rsa_pss_rsae_sha256" ) == 0 )
+ {
+ sig_alg_list[i++] = MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256;
+ }
 else
 {
 mbedtls_printf( "unknown signature algorithm %s\n", q );
@@ -1541,6 +1545,7 @@ int main( int argc, char *argv[] )
 mbedtls_printf( "ecdsa_secp256r1_sha256 " );
 mbedtls_printf( "ecdsa_secp384r1_sha384 " );
 mbedtls_printf( "ecdsa_secp521r1_sha512 " );
+ mbedtls_printf( "rsa_pss_rsae_sha256 " );
 mbedtls_printf( "\n" );
 goto exit;
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 1ac34dae77..d43d66260e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
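Review bot: The failure branch for `mbedtls_md_info_from_type()` returns `MBEDTLS_ERR_SSL_INTERNAL_ERROR` directly, while the rest of ssl_tls13_parse_certificate_verify leaves through `goto error` (visible in the switch's `default:` case in the previous hunk), so whatever the `error:` label does — presumably alert pending and state handling — is skipped on this path; either route it through the label or note why a bare return is right here. The salt-length choice is correct for rsa_pss_rsae (RFC 8446 §4.2.3 requires the salt length to equal the digest length and MGF1 to use the signature hash) and deserves a comment, e.g. `/* RFC 8446 4.2.3: MGF1 hash = signature hash, salt length = digest length */`, so it is not later loosened to accept any salt length. The cast in `opts_ptr = (const void*) &opts;` is redundant and would hide a type change if `opts_ptr` ever stopped being `const void *`. The function starts before this hunk.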
@@ -79,16 +79,20 @@ fi
 
 if [ -n "${OPENSSL_NEXT:-}" ]; then
 O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+ O_NEXT_SRV_RSA="$OPENSSL_NEXT s_server -www -cert data_files/server2-sha256.crt -key data_files/server2.key"
 O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
 else
 O_NEXT_SRV=false
+ O_NEXT_SRV_RSA=false
 O_NEXT_CLI=false
 fi
 
 if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
+ G_NEXT_SRV_RSA="$GNUTLS_NEXT_SERV --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key"
 else
 G_NEXT_SRV=false
+ G_NEXT_SRV_RSA=false
 fi
 
 if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
@@ -264,7 +268,7 @@ requires_config_value_equals() {
 # Space-separated list of ciphersuites supported by this build of
 # Mbed TLS.
 P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null |
- grep TLS- |
+ grep 'TLS-\|TLS1-3' |
 tr -s ' \n' ' ')"
 requires_ciphersuite_enabled() {
 case $P_CIPHERSUITES in
@@ -1416,11 +1420,13 @@ fi
 
 if [ -n "${OPENSSL_NEXT:-}" ]; then
 O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
+ O_NEXT_SRV_RSA="$O_NEXT_SRV_RSA -accept $SRV_PORT"
 O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
 fi
 
 if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
+ G_NEXT_SRV_RSA="$G_NEXT_SRV_RSA -p $SRV_PORT"
 fi
 
 if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
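Review bot: The new pattern `grep 'TLS-\|TLS1-3'` relies on `\|` alternation, which is a GNU extension to basic regular expressions and not guaranteed by a POSIX grep, so on a non-GNU grep `P_CIPHERSUITES` could silently come out empty and every test guarded by `requires_ciphersuite_enabled` would presumably be skipped rather than run. `grep -e 'TLS-' -e 'TLS1-3' |` expresses the same match portably without changing the rest of the pipeline. The `P_CIPHERSUITES=` assignment starts and ends inside this hunk.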
@@ -8835,6 +8841,22 @@ run_test "TLS1.3: minimal feature sets - openssl" \
 -c "<= parse finished message" \
 -c "HTTP/1.0 200 ok"
 
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+run_test "TLS 1.3 m->O AES_128_GCM_SHA256 , RSA_PSS_RSAE_SHA256" \
+ "$O_NEXT_SRV_RSA -ciphersuites TLS_AES_128_GCM_SHA256 -tls1_3 -msg -no_middlebox -num_tickets 0" \
+ "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 allow_sha1=0" \
+ 0 \
+ -c "ECDH curve: x25519" \
+ -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
+ -c "Certificate Verify: Signature algorithm ( 0804 )" \
+ -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \
+ -c "HTTP/1.0 200 ok"
+
 requires_gnutls_tls1_3
 requires_gnutls_next_no_ticket
 requires_gnutls_next_disable_tls13_compat
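Review bot: The new test's name `"TLS 1.3 m->O AES_128_GCM_SHA256 , RSA_PSS_RSAE_SHA256"` follows a different scheme from the `"TLS1.3: minimal feature sets - openssl"` test directly above it, which makes it harder to select the TLS 1.3 tests together with the script's name filter; `"TLS1.3: m->O AES_128_GCM_SHA256, RSA_PSS_RSAE_SHA256"` would share the existing prefix. `requires_config_disabled MBEDTLS_USE_PSA_CRYPTO` is unexplained, and a one-line comment above it giving the reason (placeholder: `# <why PSA builds are excluded>`) would tell a later reader when the restriction can be lifted. The same naming and comment points apply to the GnuTLS test in the next hunk.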
@@ -8867,6 +8889,23 @@ run_test "TLS1.3: minimal feature sets - gnutls" \
 -c "<= parse finished message" \
 -c "HTTP/1.0 200 OK"
 
+requires_gnutls_next_no_ticket
+requires_gnutls_next_disable_tls13_compat
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
+requires_gnutls_next
+run_test "TLS 1.3 m->G AES_128_GCM_SHA256 , RSA_PSS_RSAE_SHA256" \
+ "$G_NEXT_SRV_RSA --disable-client-cert --priority=NORMAL:+CIPHER-ALL:+SHA256:+GROUP-SECP256R1:+ECDHE-ECDSA:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
+ "$P_CLI debug_level=4 force_version=tls1_3 server_name=localhost force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 allow_sha1=0" \
+ 0 \
+ -c "ECDH curve: x25519" \
+ -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
+ -c "Certificate Verify: Signature algorithm ( 0804 )" \
+ -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \
+ -c "HTTP/1.0 200 OK"
 
 # Test heap memory usage after handshake
 requires_config_enabled MBEDTLS_MEMORY_DEBUG
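Review bot: The GnuTLS test declares `requires_gnutls_next` and the no-ticket/compat-mode requirements but not `requires_gnutls_tls1_3`, which the `"TLS1.3: minimal feature sets - gnutls"` test it is modelled on does use (see the trailing context of the previous hunk); unless `requires_gnutls_next` is known to imply a TLS 1.3-capable GnuTLS, add `requires_gnutls_tls1_3` so the test is skipped rather than failed on an older build. Listing `requires_gnutls_next` last, after the config checks, also differs from the order the neighbouring tests use; putting the tool requirements first reads better. The server priority string adds `+ECDHE-ECDSA`, which is a TLS 1.2 key-exchange selector and, as far as I can tell, has no effect on a TLS 1.3 handshake with an RSA certificate, so it could be dropped to keep the string focused on `+SIGN-RSA-PSS-RSAE-SHA256`.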