From 52b7d923fe341f15033ec92206f60d0b055a9768 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Fri, 1 Jul 2022 18:03:31 +0800
Subject: [PATCH] fix various issues
Signed-off-by: Jerry Yu
---
 library/ssl_misc.h | 12 ++++++------
 library/ssl_tls.c | 5 +----
 tests/ssl-opt.sh | 32 ++++++++------------------------
 3 files changed, 15 insertions(+), 34 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index f788baf580..77f001a97b 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1984,7 +1984,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
 switch( sig_alg )
 {
-#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_PKCS1_V21)
 #if defined(MBEDTLS_SHA256_C)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
 *md_alg = MBEDTLS_MD_SHA256;
@@ -2003,7 +2003,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
 *pk_type = MBEDTLS_PK_RSASSA_PSS;
 break;
 #endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_RSA_C */
+#endif /* MBEDTLS_PKCS1_V21 */
 default:
 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
 }
@@ -2031,7 +2031,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 #endif /* MBEDTLS_ECDSA_C */
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+#if defined(MBEDTLS_PKCS1_V21)
 #if defined(MBEDTLS_SHA256_C)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
 break;
@@ -2044,7 +2044,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
 break;
 #endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#endif /* MBEDTLS_PKCS1_V21 */
 default:
 return( 0 );
 }
@@ -2057,7 +2057,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
 {
 switch( sig_alg )
 {
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_PKCS1_V15)
 #if defined(MBEDTLS_SHA256_C)
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
 break;
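Review bot: The new guards at 1984 and 2031 gate the RSA-PSS cases on MBEDTLS_PKCS1_V21 alone, and 2057 gates the PKCS#1 v1.5 cases on MBEDTLS_PKCS1_V15 alone, so the explicit MBEDTLS_RSA_C test is gone; that is only sound if the build rejects either PKCS1 option without MBEDTLS_RSA_C, which the config's prerequisite notes suggest but which is not visible here and is worth confirming against check_config.h. The swap from MBEDTLS_X509_RSASSA_PSS_SUPPORT to MBEDTLS_PKCS1_V21 at 2031 also changes which layer is being asked about: the X.509 option covers PSS-signed certificates, while a CertificateVerify signature goes through the PK layer, so a one-line comment on the new `#if` would save the next reader from reverting it, e.g. `/* CertificateVerify uses PK-layer RSA-PSS, so gate on PKCS1_V21, not the X.509 PSS option */`. Since mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg and mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported now enumerate the same RSA-PSS cases under the same guard, a note that they must stay in sync would help too. The matching `#endif` comment for the 2057 guard is fixed in the following hunk at 2070; all three functions extend beyond the hunks shown.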
@@ -2070,7 +2070,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
 break;
 #endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
+#endif /* MBEDTLS_PKCS1_V15 */
 default:
 return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 sig_alg ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c2f1f8562a..b40fbbbf64 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4916,10 +4916,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
 sig_alg, mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if(
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+ if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
 ( ! ( mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) &&
 mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ) ) )
 {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 89565b4cb3..642e305618 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11883,7 +11882,6 @@ run_test "TLS 1.3 G->m HRR both with middlebox compat support" \
 -c "SSL 3.3 ChangeCipherSpec packet received"
 requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
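Review bot: In the ssl_tls.c hunk, `if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&` now makes the supported-and-offered filter conditional on tls_version in TLS 1.2-only builds as well, where the old code applied it unconditionally. If any caller reaches mbedtls_ssl_parse_sig_alg_ext before ssl->tls_version has been set from the peer's hello, the comparison is false, the filter is skipped, and a signature algorithm this side never offered or cannot use is recorded for later selection; I cannot see the callers here, so this is inferred rather than observed. If the ordering is guaranteed, a comment on the new line makes that contract explicit, e.g. `/* tls_version is already set from the peer's hello; skip the filter for TLS 1.3, which selects later */`. The rest of mbedtls_ssl_parse_sig_alg_ext lies outside the hunk.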
@@ -11893,14 +11892,13 @@ run_test "TLS 1.3: Check signature algorithm order, m->O" \
 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
 "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
- min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
 0 \
 -c "Protocol is TLSv1.3" \
 -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
 -c "HTTP/1.0 200 [Oo][Kk]"
 requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -11910,13 +11908,12 @@ run_test "TLS 1.3: Check signature algorithm order, m->G" \
 -d 4 --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
 "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
- min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
 0 \
 -c "Protocol is TLSv1.3" \
 -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
 -c "HTTP/1.0 200 [Oo][Kk]"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -11929,7 +11926,7 @@ run_test "TLS 1.3: Check signature algorithm order, m->m" \
 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
 "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 \
- min_version=tls12 max_version=tls13 " \
+ force_version=tls13" \
 0 \
 -c "Protocol is TLSv1.3" \
 -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
@@ -11938,12 +11935,10 @@ run_test "TLS 1.3: Check signature algorithm order, m->m" \
 -c "HTTP/1.0 200 [Oo][Kk]"
 requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
 run_test "TLS 1.3: Check signature algorithm order, O->m" \
 "$P_SRV debug_level=4 force_version=tls13 auth_mode=required crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
@@ -11958,12 +11953,10 @@ run_test "TLS 1.3: Check signature algorithm order, O->m" \
 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
 requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_CLI_C
 run_test "TLS 1.3: Check signature algorithm order, G->m" \
 "$P_SRV debug_level=4 force_version=tls13 auth_mode=required crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
@@ -11979,7 +11972,6 @@ run_test "TLS 1.3: Check signature algorithm order, G->m" \
 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
 requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -11997,7 +11989,6 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \
 -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
 requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12014,7 +12005,6 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \
 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
 -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12027,13 +12017,12 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \
 sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
 "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512 \
- min_version=tls12 max_version=tls13 " \
+ force_version=tls13" \
 1 \
 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
 -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
 requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12048,7 +12037,6 @@ run_test "TLS 1.3: Check server no suitable certificate, G->m" \
 -s "ssl_tls13_pick_key_cert:no suitable certificate found"
 requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12062,7 +12050,6 @@ run_test "TLS 1.3: Check server no suitable certificate, O->m" \
 1 \
 -s "ssl_tls13_pick_key_cert:no suitable certificate found"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12074,12 +12061,11 @@ run_test "TLS 1.3: Check server no suitable certificate, m->m" \
 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
 "$P_CLI allow_sha1=0 debug_level=4 \
 sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256 \
- min_version=tls12 max_version=tls13 " \
+ force_version=tls13" \
 1 \
 -s "ssl_tls13_pick_key_cert:no suitable certificate found"
 requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12089,12 +12075,11 @@ run_test "TLS 1.3: Check client no signature algorithm, m->O" \
 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \
 "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
- min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
 1 \
 -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
 requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12104,11 +12089,10 @@ run_test "TLS 1.3: Check client no signature algorithm, m->G" \
 -d 4 --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
 "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
- min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
+ force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
 1 \
 -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 requires_config_enabled MBEDTLS_DEBUG_C
@@ -12121,7 +12105,7 @@ run_test "TLS 1.3: Check client no signature algorithm, m->m" \
 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \
 "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 \
- min_version=tls12 max_version=tls13 " \
+ force_version=tls13" \
 1 \
 -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"