ssl: add TLS 1.2 RSA-PSS regression coverage

Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
2026-05-05 17:37:58 +02:00 · 2026-04-07 20:17:49 +03:00
parent c064ba0edb
commit f75c033ead
4 changed files with 36 additions and 0 deletions
--- a/ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt
+++ b/ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt
@@ -1,3 +1,4 @@
 Bugfix
   * Fix a TLS 1.2 regression that caused clients to reject valid
     ServerKeyExchange signatures using RSA-PSS signature scheme values.
+     Fixes #10668.
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2429,6 +2429,9 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
    const uint16_t sig_alg)
 {
 #if defined(PSA_WANT_ALG_RSA_PSS)
+    /* RFC 8446 Section 4.2.3 requires implementations that support RSA-PSS in
+     * TLS 1.3 to also accept rsa_pss_rsae_* in TLS 1.2.
+     */
    switch (sig_alg) {
 #if defined(PSA_WANT_ALG_SHA_256)
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -13938,6 +13938,26 @@ run_test    "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
            -c "Protocol is TLSv1.2" \
            -c "HTTP/1.0 200 [Oo][Kk]"

+requires_openssl_tls1_3_with_compatible_ephemeral
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+requires_config_enabled PSA_WANT_ALG_RSA_PSS
+requires_config_enabled PSA_WANT_ALG_SHA_256
+run_test    "TLS 1.2: OpenSSL chooses rsa_pss_rsae_sha256 for SKE, m->O" \
+            "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
+                                 -msg -tls1_2
+                                 -sigalgs rsa_pss_rsae_sha256 " \
+            "$P_CLI debug_level=4 auth_mode=none ca_file=none ca_path=none crt_file=none key_file=none
+                    sig_algs=rsa_pss_rsae_sha256
+                    min_version=tls12 max_version=tls12 " \
+            0 \
+            -c "Perform .* computation of digest of ServerKeyExchange" \
+            -c "got signature scheme \\[804\\] rsa_pss_rsae_sha256" \
+            -c "Ciphersuite is TLS-ECDHE-RSA" \
+            -c "Protocol is TLSv1.2" \
+            -c "HTTP/1.0 200 [Oo][Kk]"
+

 requires_gnutls_tls1_3
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3554,10 +3554,22 @@ TLS 1.2 accepts rsa_pss_rsae_sha256 in signature_algorithm
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256
 ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:1

+TLS 1.2 rejects rsa_pss_rsae_sha256 in signature_algorithm when RSA-PSS is disabled
+depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256
+ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:0
+
 TLS 1.2 accepts rsa_pss_rsae_sha384 in signature_algorithm
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384
 ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:1

+TLS 1.2 rejects rsa_pss_rsae_sha384 in signature_algorithm when RSA-PSS is disabled
+depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384
+ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:0
+
 TLS 1.2 accepts rsa_pss_rsae_sha512 in signature_algorithm
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512
 ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:1
+
+TLS 1.2 rejects rsa_pss_rsae_sha512 in signature_algorithm when RSA-PSS is disabled
+depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512
+ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:0