TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-04-23 04:05:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

ssl: narrow TLS 1.2 RSA-PSS handling and add interop coverage

Browse Source 
Narrow TLS 1.2 RSA-PSS handling to the client ServerKeyExchange parse path and add OpenSSL and GnuTLS interoperability tests.

Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
This commit is contained in:
Viktor Sokolovskiy
2026-04-17 18:52:34 +03:00
parent c4738fab06
commit 3833db7c7c
6 changed files with 91 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
tests/ssl-opt.sh
View File

@@ -14948,7 +14948,6 @@ run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C
@@ -14964,6 +14963,43 @@ run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled PSA_WANT_ALG_RSA_PSS
requires_config_enabled PSA_WANT_ALG_SHA_256
run_test "TLS 1.2: Server forces TLS 1.2 and rsa_pss_rsae_sha256, m->O" \
"$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
-tls1_2 -sigalgs rsa_pss_rsae_sha256 " \
"$P_CLI debug_level=3" \
0 \
-c "sent signature scheme \\[804\\] rsa_pss_rsae_sha256" \
-c "Perform .* computation of digest of ServerKeyExchange" \
-c "Server used the signature algorithm rsa_pss_rsae_sha256" \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled PSA_WANT_ALG_RSA_PSS
requires_config_enabled PSA_WANT_ALG_SHA_256
run_test "TLS 1.2: Server forces TLS 1.2 and rsa_pss_rsae_sha256, m->G" \
"$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
--disable-client-cert
--priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256" \
"$P_CLI debug_level=3" \
0 \
-c "sent signature scheme \\[804\\] rsa_pss_rsae_sha256" \
-c "Perform .* computation of digest of ServerKeyExchange" \
-c "Server used the signature algorithm rsa_pss_rsae_sha256" \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED

12
tests/suites/test_suite_ssl.data
View File

@@ -3546,15 +3546,3 @@ send_invalid_sig_alg:MBEDTLS_SSL_SIG_ECDSA:MBEDTLS_SSL_HASH_SHA512:MBEDTLS_ERR_S
Default verify_result before doing a handshake
verify_result_without_handshake
TLS 1.2 accepts rsa_pss_rsae_sha256 in signature_algorithm
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256
ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:1
TLS 1.2 accepts rsa_pss_rsae_sha384 in signature_algorithm
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384
ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:1
TLS 1.2 accepts rsa_pss_rsae_sha512 in signature_algorithm
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512
ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:1

8
tests/suites/test_suite_ssl.function
View File

@@ -5861,14 +5861,6 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
void ssl_tls12_sig_alg_supported(int sig_alg, int expected)
{
TEST_EQUAL(mbedtls_ssl_tls12_sig_alg_is_supported((uint16_t) sig_alg),
expected);
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context)
{