diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 140b749a2..f8e7cc28d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4094,6 +4094,14 @@ static int ssl_preset_suiteb_ciphersuites[] = {
 * - But if there is a good reason, do not change the order of the algorithms.
 * - ssl_tls12_present* is for TLS 1.2 use only.
 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
+ *
+ * `rsa_pss_rsae_*` MUST BE PUT ARTER `rsa_pkcs1_*` before below compitable fixed
+ * The compitable issue is When
+ * - GnuTLS/OpenSSL is configured as tls12 server with rsa key
+ * - `mebedTLS` is configured as hybrid mode.
+ * - The order is `rsa_pss_rsae_*`, `rsa_pkcs1_*`.
+ * GnuTLS/OpenSSL will return `rsa_pss_rsae_*` which are not supported by
+ * TLS 1.2 in mbedTLS.
 */
 static uint16_t ssl_preset_default_sig_algs[] = {
@@ -4115,18 +4123,6 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA384_C)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
-
 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
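Review bot: The comment added above `ssl_preset_default_sig_algs` is the only place that records why `rsa_pss_rsae_*` now trails `rsa_pkcs1_*`, and as written it is hard to follow ("ARTER", "compitable fixed", "mebedTLS", "is When"). I would rewrite it as three plain sentences: GnuTLS and OpenSSL acting as TLS 1.2 servers with an RSA key select the first acceptable entry of our signature_algorithms list; this client's TLS 1.2 ServerKeyExchange path does not accept rsa_pss_rsae_* signatures, so listing PSS first makes those handshakes fail; and the PSS entries must stay in the list because TLS 1.3 servers require them. It should also state the trade-off explicitly: against a TLS 1.2 server that supports both schemes, this order now asks for PKCS#1 v1.5 in preference to PSS, and RFC 8446 §4.2.3 says an implementation that advertises rsa_pss_rsae_* must accept such a signature even when TLS 1.2 is negotiated, so the reordering is a workaround rather than a fix. The second hunk is the deletion half of the same move and needs no separate note.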
@@ -4139,6 +4135,18 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA384_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
+
 MBEDTLS_TLS_SIG_NONE
 };
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 25c1797cf..f516efab1 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
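Review bot: The PSS entries are re-added just before the `MBEDTLS_TLS_SIG_NONE` terminator with nothing at the insertion point saying the position is load-bearing, so a later cleanup that regroups the RSA entries by hash would silently reintroduce the interop failure. A one-line marker on the first re-added `#if`, e.g. `/* Keep rsa_pss_rsae_* after rsa_pkcs1_*: TLS 1.2 servers pick the first acceptable entry; see the comment above this array. */`, would protect the ordering. Note that against a TLS 1.2 peer that supports both schemes this order now expresses a preference for PKCS#1 v1.5 over PSS, which the comment above the array should acknowledge as deliberate.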
@@ -2010,6 +2010,65 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
+ unsigned char **p,
+ unsigned char *end,
+ mbedtls_md_type_t *md_alg,
+ mbedtls_pk_type_t *pk_alg )
+{
+ *md_alg = MBEDTLS_MD_NONE;
+ *pk_alg = MBEDTLS_PK_NONE;
+
+ if( (*p) + 2 > end )
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+
+ /*
+ * Get hash algorithm
+ */
+ if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
+ == MBEDTLS_MD_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ /*
+ * Get signature algorithm
+ */
+ if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
+ == MBEDTLS_PK_NONE )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ /*
+ * Check if the signature algorithm is acceptable
+ */
+ if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
+ (*p)[1] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
+ (*p)[0] ) );
+ *p += 2;
+
+ return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
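Review bot: The bounds check `if( (*p) + 2 > end )` forms a pointer past `end` before comparing, while the code this helper replaces guarded the same read with `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 )` (visible in the removed lines of the next hunk); `MBEDTLS_SSL_CHK_BUF_READ_PTR( *p, end, 2 );` keeps the guard in the same form as the rest of the file. The last rejection logs `"server used HashAlgorithm %d that was not offered"` with only the hash byte, but the predicate is on the full two-byte pair; `( "server used SignatureAlgorithm %d/%d that was not offered", (*p)[0], (*p)[1] )` would report what was actually checked, and the mixed `*(p)[0]` / `(*p)[0]` spellings (equivalent, since `[]` binds before `*`) should be unified on `(*p)[0]`. The offered check is the security-relevant part: it refuses a server that answers with a hash/signature pair the client never advertised, and because the function decodes legacy one-byte hash/signature fields, rsa_pss_rsae_* codepoints (hash byte 0x08) presumably fail at the HashAlgorithm step — that is worth stating in a header comment on the function, since it is what makes the preset reordering in ssl_tls.c necessary.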
@@ -2303,31 +2362,14 @@ start_processing:
 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
 size_t params_len = p - params;
 void *rs_ctx = NULL;
- uint16_t sig_alg;
 mbedtls_pk_context * peer_pk;
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- peer_pk = &ssl->handshake->peer_pubkey;
-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if( ssl->session_negotiate->peer_cert == NULL )
- {
- /* Should never happen */
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
- peer_pk = &ssl->session_negotiate->peer_cert->pk;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
 /*
 * Handle the digitally-signed structure
 */
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
- sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
- if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
- sig_alg, &pk_alg, &md_alg ) != 0 &&
- ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
- ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
+ if( ssl_parse_signature_algorithm( ssl, &p, end,
+ &md_alg, &pk_alg ) != 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
@@ -2337,9 +2379,9 @@ start_processing:
 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
 }
- p += 2;
- if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
+ if( pk_alg !=
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
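Review bot: The new `if( ssl_parse_signature_algorithm( ssl, &p, end, &md_alg, &pk_alg ) != 0 )` folds every failure into the illegal_parameter alert and `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`, but the helper returns `MBEDTLS_ERR_SSL_DECODE_ERROR` for a truncated message, which the replaced `MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 )` reported as a decode error. Capture the return value, and when it is `MBEDTLS_ERR_SSL_DECODE_ERROR` send the decode_error alert and return that code, keeping the illegal_parameter path for the unsupported and not-offered cases. Separately, the removed condition was an `&&` of three negated lookups, so it only rejected a pair that failed all three; the replacement requires the pair to have been offered, which is a genuine tightening and deserves a sentence in the change description. The enclosing function (the `start_processing:` label) begins and ends outside these hunks.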
@@ -2397,6 +2439,18 @@ start_processing:
 MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if( ssl->session_negotiate->peer_cert == NULL )
+ {
+ /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
 /*
 * Verify signature
 */
@@ -2415,28 +2469,8 @@ start_processing:
 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
 #endif
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
- if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
- {
- const mbedtls_md_info_t* md_info;
- mbedtls_pk_rsassa_pss_options rsassa_pss_options;
- rsassa_pss_options.mgf1_hash_id = md_alg;
- if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
- {
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
- rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
- ret = mbedtls_pk_verify_ext( pk_alg, &rsassa_pss_options,
- peer_pk,
- md_alg, hash, hashlen,
- p, sig_len );
- }
- else
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
- ret = mbedtls_pk_verify_restartable( peer_pk,
- md_alg, hash, hashlen, p, sig_len, rs_ctx );
-
- if( ret != 0 )
+ if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
+ md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
 {
 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
 if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 1efbbdb5c..b720fd3b0 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
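Review bot: `peer_pk` is now resolved here, after the signature-algorithm check, but the `mbedtls_pk_can_do( peer_pk, pk_alg )` test that the previous hunk removed is not re-added, so nothing on this path confirms that the certificate key is of the type the server claims to have signed with; `mbedtls_pk_verify_restartable` verifies with whatever type `peer_pk` holds. Comparing `pk_alg` with the ciphersuite's signature key type covers this only if the certificate was already matched against the ciphersuite elsewhere, which is not visible in this diff. Re-adding the key-type check right after the `#endif`, with the same alert and error code as the sig-alg rejection, keeps the defence local and cheap. The enclosing function begins and ends outside this hunk.
```c
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */

    if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
        /* … send MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER exactly as the sig-alg rejection above does … */
        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
    }
```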
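Review bot: Dropping the `MBEDTLS_PK_RSASSA_PSS` branch leaves `mbedtls_pk_verify_restartable` as the only verification path, which is sound only because `ssl_parse_signature_algorithm` (earlier hunk) decodes legacy hash/signature bytes and, presumably, never yields `MBEDTLS_PK_RSASSA_PSS`; that coupling is unstated at the call site. The consequence is bigger than dead-code removal: a TLS 1.2 server that signs ServerKeyExchange with rsa_pss_rsae_* could be verified before this commit and now fails the handshake, while the hybrid preset still advertises those codepoints, and RFC 8446 §4.2.3 requires an implementation that advertises rsa_pss_rsae_* to accept such a signature even when TLS 1.2 is negotiated. Either keep this branch and teach the parser to map the 0x08xx codepoints, or stop advertising PSS on TLS 1.2-capable handshakes; at minimum add `/* PSS SKE signatures are rejected in ssl_parse_signature_algorithm; only legacy RSA/ECDSA reach here */` above the verify call so the limitation is recorded as intentional.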
@@ -264,10 +264,14 @@ int send_cb( void *ctx, unsigned char const *buf, size_t len )
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-/* To fix version negotiation fail with RSA server key.
- * - With TLS1.3 server, `rsa_pss_rsae_*` must be sent.
- * - With TLS1.2 server, `rsa_pkcs1_*` must be sent before `rsa_pss_rsae_*`
- * - This point is only tested with OpenSSL now.
+/*
+ * `rsa_pss_rsae_*` MUST BE PUT ARTER `rsa_pkcs1_*` before below compitable fixed
+ * The compitable issue is When
+ * - GnuTLS/OpenSSL is configured as tls12 server with rsa key
+ * - `mebedTLS` is configured as hybrid mode.
+ * - The order is `rsa_pss_rsae_*`, `rsa_pkcs1_*`.
+ * GnuTLS/OpenSSL will return `rsa_pss_rsae_*` which are not supported by
+ * TLS 1.2 in mbedTLS.
 */
 #define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
 (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA), \
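Review bot: The replacement comment is a verbatim copy of the one added to `ssl_tls.c`, typos included ("ARTER", "compitable", "mebedTLS"), and it drops the one line of the old comment that explained why PSS is in the list at all ("With TLS1.3 server, `rsa_pss_rsae_*` must be sent"). Rewrite it to say that the test client's list mirrors `ssl_preset_default_sig_algs`, that the PSS entries must stay for TLS 1.3 servers, and that they follow `rsa_pkcs1_*` because TLS 1.2 servers pick the first acceptable entry and this client rejects PSS ServerKeyExchange signatures. The old comment also said the behaviour was only tested with OpenSSL; the new one names GnuTLS too, so either the GnuTLS case was actually exercised or that claim should be softened. The `MBEDTLS_SSL_SIG_ALG( hash )` macro this comment documents continues past the end of the hunk.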