AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #5971 from yuhaoth/pr/add-rsa-pss-rsae-for-tls12

Browse Source 
Add rsa pss rsae for tls12
This commit is contained in:
Dave Rodgman 2022-08-09 10:21:45 +01:00 committed by GitHub
commit 953ce3962f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 107 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt Normal file
View File

@ -0,0 +1,8 @@
Features
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
`rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
for its signature in the key exchange message. As Mbed TLS 1.2 does not
support them, the handshake fails. Add `rsa_pss_rsae_*` support for TLS 1.2
to resolve the compitablity issue.

2
library/ssl_misc.h
View File

@ -2092,7 +2092,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
return( 0 );
}
static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
{
*pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );

42
library/ssl_tls.c
View File

@ -4325,15 +4325,8 @@ static int ssl_preset_suiteb_ciphersuites[] = {
* rules SHOULD be upheld.
* - No duplicate entries.
* - But if there is a good reason, do not change the order of the algorithms.
* - ssl_tls12_present* is for TLS 1.2 use only.
* - ssl_tls12_preset* is for TLS 1.2 use only.
* - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
*
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
* for its signature in the key exchange message. As Mbed TLS 1.2 does not
* support them, the handshake fails.
*/
static uint16_t ssl_preset_default_sig_algs[] = {
@ -4355,18 +4348,6 @@ static uint16_t ssl_preset_default_sig_algs[] = {
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
@ -4379,6 +4360,18 @@ static uint16_t ssl_preset_default_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS_SIG_NONE
};
@ -4389,6 +4382,9 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
@ -4397,6 +4393,9 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
@ -4405,6 +4404,9 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif

121
library/ssl_tls12_client.c
View File

@ -2041,66 +2041,6 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end,
mbedtls_md_type_t *md_alg,
mbedtls_pk_type_t *pk_alg )
{
*md_alg = MBEDTLS_MD_NONE;
*pk_alg = MBEDTLS_PK_NONE;
if( (*p) + 2 > end )
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
/*
* Get hash algorithm
*/
if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
== MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
/*
* Get signature algorithm
*/
if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
== MBEDTLS_PK_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
/*
* Check if the signature algorithm is acceptable
*/
if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
(*p)[1] ) );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
(*p)[0] ) );
*p += 2;
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
@ -2398,14 +2338,31 @@ start_processing:
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
size_t params_len = p - params;
void *rs_ctx = NULL;
uint16_t sig_alg;
mbedtls_pk_context * peer_pk;
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert == NULL )
{
/* Should never happen */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/*
* Handle the digitally-signed structure
*/
if( ssl_parse_signature_algorithm( ssl, &p, end,
&md_alg, &pk_alg ) != 0 )
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
sig_alg, &pk_alg, &md_alg ) != 0 &&
! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "bad server key exchange message" ) );
@ -2415,9 +2372,9 @@ start_processing:
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
p += 2;
if( pk_alg !=
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "bad server key exchange message" ) );
@ -2475,18 +2432,6 @@ start_processing:
MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert == NULL )
{
/* Should never happen */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/*
* Verify signature
*/
@ -2505,8 +2450,28 @@ start_processing:
rs_ctx = &ssl->handshake->ecrs_ctx.pk;
#endif
if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
{
const mbedtls_md_info_t* md_info;
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
rsassa_pss_options.mgf1_hash_id = md_alg;
if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
ret = mbedtls_pk_verify_ext( pk_alg, &rsassa_pss_options,
peer_pk,
md_alg, hash, hashlen,
p, sig_len );
}
else
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
ret = mbedtls_pk_verify_restartable( peer_pk,
md_alg, hash, hashlen, p, sig_len, rs_ctx );
if( ret != 0 )
{
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )

4
library/ssl_tls13_generic.c
View File

@ -213,7 +213,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
goto error;
}
if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &sig_alg, &md_alg ) != 0 )
{
goto error;
@ -1029,7 +1029,7 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s",
mbedtls_ssl_sig_alg_to_str( algorithm )) );
if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &pk_type, &md_alg ) != 0 )
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );

31
tests/ssl-opt.sh
View File

@ -12726,6 +12726,37 @@ run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \
-s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
-s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
"$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
-msg -tls1_2
-Verify 10 " \
"$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
min_version=tls12 max_version=tls13 " \
0 \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \
"$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
-d 4
--priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
"$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
min_version=tls12 max_version=tls13 " \
0 \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG