Merge pull request #6051 from mprse/permissions_2b_v2

Permissions 2b: TLS 1.3 sigalg selection
2025-07-29 11:41:15 +03:00 · 2022-09-28 09:50:04 +02:00
parent f3f9e450b6 cba39a386f
commit e3358e14b2
7 changed files with 235 additions and 126 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -346,10 +346,11 @@ int main( void )

 #define USAGE_KEY_OPAQUE_ALGS \
    "    key_opaque_algs=%%s  Allowed opaque key algorithms.\n"                      \
-    "                        comma-separated pair of values among the following:\n"   \
-    "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n"           \
-    "                        ecdsa-sign, ecdh, none (only acceptable for\n"          \
-    "                        the second value).\n"                                   \
+    "                        comma-separated pair of values among the following:\n"    \
+    "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n"     \
+    "                        rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
+    "                        ecdsa-sign, ecdh, none (only acceptable for\n"            \
+    "                        the second value).\n"                                     \

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 #define USAGE_TLS1_3_KEY_EXCHANGE_MODES \
@ -1821,7 +1822,8 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

    mbedtls_printf( " ok (key type: %s)\n",
-                    strlen( opt.key_file ) ? mbedtls_pk_get_name( &pkey ) : "none" );
+                    strlen( opt.key_file ) || strlen( opt.key_opaque_alg1 ) ?
+                            mbedtls_pk_get_name( &pkey ) : "none" );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

    /*
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -458,15 +458,17 @@ int main( void )
 #endif

 #define USAGE_KEY_OPAQUE_ALGS \
-    "    key_opaque_algs=%%s  Allowed opaque key 1 algorithms.\n"                    \
-    "                        comma-separated pair of values among the following:\n"  \
-    "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n"           \
-    "                        ecdsa-sign, ecdh, none (only acceptable for\n"          \
-    "                        the second value).\n"                                   \
-    "    key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n"                    \
-    "                        comma-separated pair of values among the following:\n"  \
-    "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n"           \
-    "                        ecdsa-sign, ecdh, none (only acceptable for\n"          \
+    "    key_opaque_algs=%%s  Allowed opaque key 1 algorithms.\n"                      \
+    "                        comma-separated pair of values among the following:\n"    \
+    "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n"     \
+    "                        rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
+    "                        ecdsa-sign, ecdh, none (only acceptable for\n"            \
+    "                        the second value).\n"                                     \
+    "    key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n"                      \
+    "                        comma-separated pair of values among the following:\n"    \
+    "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n"     \
+    "                        rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
+    "                        ecdsa-sign, ecdh, none (only acceptable for\n"            \
    "                        the second value).\n"
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 #define USAGE_TLS1_3_KEY_EXCHANGE_MODES \
--- a/programs/ssl/ssl_test_lib.c
+++ b/programs/ssl/ssl_test_lib.c
@ -205,6 +205,9 @@ int key_opaque_alg_parse( const char *arg, const char **alg1, const char **alg2

    if( strcmp( *alg1, "rsa-sign-pkcs1" ) != 0 &&
        strcmp( *alg1, "rsa-sign-pss" ) != 0 &&
+        strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
+        strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
+        strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
        strcmp( *alg1, "rsa-decrypt" ) != 0 &&
        strcmp( *alg1, "ecdsa-sign" ) != 0 &&
        strcmp( *alg1, "ecdh" ) != 0 )
@ -212,6 +215,9 @@ int key_opaque_alg_parse( const char *arg, const char **alg1, const char **alg2

    if( strcmp( *alg2, "rsa-sign-pkcs1" ) != 0 &&
        strcmp( *alg2, "rsa-sign-pss" ) != 0 &&
+        strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
+        strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
+        strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
        strcmp( *alg2, "rsa-decrypt" ) != 0 &&
        strcmp( *alg2, "ecdsa-sign" ) != 0 &&
        strcmp( *alg2, "ecdh" ) != 0 &&
@ -245,6 +251,21 @@ int key_opaque_set_alg_usage( const char *alg1, const char *alg2,
                *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH );
                *usage |= PSA_KEY_USAGE_SIGN_HASH;
            }
+            else if( strcmp( algs[i], "rsa-sign-pss-sha256" ) == 0 )
+            {
+                *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 );
+                *usage |= PSA_KEY_USAGE_SIGN_HASH;
+            }
+            else if( strcmp( algs[i], "rsa-sign-pss-sha384" ) == 0 )
+            {
+                *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 );
+                *usage |= PSA_KEY_USAGE_SIGN_HASH;
+            }
+            else if( strcmp( algs[i], "rsa-sign-pss-sha512" ) == 0 )
+            {
+                *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 );
+                *usage |= PSA_KEY_USAGE_SIGN_HASH;
+            }
            else if( strcmp( algs[i], "rsa-decrypt" ) == 0 )
            {
                *psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT;