mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 17:43:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #8554 from yanrayw/issue/8221/fix-tls-suiteB-profile

Browse Source 
TLS: remove RSA signature algorithms in `suite B` profile
This commit is contained in:
Tom Cosgrove 2024-01-12 14:34:28 +00:00 committed by GitHub
commit bc5d9165ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog.d/fix-tls-SuiteB.txt Normal file
View File

@ -0,0 +1,3 @@
Bugfix
* Remove accidental introduction of RSA signature algorithms
in TLS Suite B Profile. Fixes #8221.

2
include/mbedtls/ssl.h
View File

@ -447,7 +447,7 @@
/* /*
* TLS 1.3 signature algorithms * TLS 1.3 signature algorithms
* RFC 8446, Section 4.2.2 * RFC 8446, Section 4.2.3
*/ */
/* RSASSA-PKCS1-v1_5 algorithms */ /* RSASSA-PKCS1-v1_5 algorithms */

58
library/ssl_tls.c
View File

@ -5118,23 +5118,17 @@ static uint16_t ssl_preset_default_sig_algs[] = {
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512) // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif \ #endif
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
#endif \ #endif
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif \ #endif
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512) #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
@ -5154,42 +5148,47 @@ static uint16_t ssl_preset_default_sig_algs[] = {
/* NOTICE: see above */ /* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = { static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_MD_CAN_SHA512) #if defined(MBEDTLS_MD_CAN_SHA512)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #endif
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
#endif #endif
#endif /* MBEDTLS_MD_CAN_SHA512*/ #endif /* MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_MD_CAN_SHA384) #if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #endif
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
#endif #endif
#endif /* MBEDTLS_MD_CAN_SHA384*/ #endif /* MBEDTLS_MD_CAN_SHA384 */
#if defined(MBEDTLS_MD_CAN_SHA256) #if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #endif
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
#endif #endif
#endif /* MBEDTLS_MD_CAN_SHA256*/ #endif /* MBEDTLS_MD_CAN_SHA256 */
MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* NOTICE: see above */ /* NOTICE: see above */
static uint16_t ssl_preset_suiteb_sig_algs[] = { static uint16_t ssl_preset_suiteb_sig_algs[] = {
@ -5207,38 +5206,25 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif \
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256*/
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256*/
MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
/* NOTICE: see above */ /* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_MD_CAN_SHA256) #if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif #endif
#if defined(MBEDTLS_RSA_C) #endif /* MBEDTLS_MD_CAN_SHA256 */
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
#endif
#endif /* MBEDTLS_MD_CAN_SHA256*/
#if defined(MBEDTLS_MD_CAN_SHA384) #if defined(MBEDTLS_MD_CAN_SHA384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
#endif #endif
#if defined(MBEDTLS_RSA_C) #endif /* MBEDTLS_MD_CAN_SHA384 */
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
#endif
#endif /* MBEDTLS_MD_CAN_SHA256*/
MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */