diff --git a/ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt b/ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt index 29400b2c46..aea5593e4b 100644 --- a/ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt +++ b/ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt @@ -1,3 +1,4 @@ Bugfix * Fix a TLS 1.2 regression that caused clients to reject valid ServerKeyExchange signatures using RSA-PSS signature scheme values. + Fixes #10668. diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4228dc20a8..34d8850c90 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2429,6 +2429,9 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported( const uint16_t sig_alg) { #if defined(PSA_WANT_ALG_RSA_PSS) + /* RFC 8446 Section 4.2.3 requires implementations that support RSA-PSS in + * TLS 1.3 to also accept rsa_pss_rsae_* in TLS 1.2. + */ switch (sig_alg) { #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 47ff800ed1..123eb72328 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
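Review bot: The new comment above the switch in mbedtls_ssl_tls12_sig_alg_is_supported ties the requirement to "implementations that support RSA-PSS in TLS 1.3", but RFC 8446 Section 4.2.3 keys it on what the implementation advertises: an implementation that advertises RSASSA-PSS (mandatory in TLS 1.3) must be prepared to accept a signature using that scheme even when TLS 1.2 is negotiated. Suggest wording it as `/* RFC 8446 Section 4.2.3: an implementation that advertises RSASSA-PSS (mandatory in TLS 1.3) must accept rsa_pss_rsae_* signatures even when TLS 1.2 is negotiated. The PSA_WANT_ALG_RSA_PSS guard keeps this to builds that can actually verify PSS. */`. The per-case `#if defined(PSA_WANT_ALG_SHA_256)` guards should stay as they are, so a scheme value is only accepted when its digest is available too. The body of mbedtls_ssl_tls12_sig_alg_is_supported continues past the hunk.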
@@ -13938,6 +13938,26 @@ run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \ -c "Protocol is TLSv1.2" \ -c "HTTP/1.0 200 [Oo][Kk]" +requires_openssl_tls1_3_with_compatible_ephemeral +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled PSA_WANT_ALG_RSA_PSS +requires_config_enabled PSA_WANT_ALG_SHA_256 +run_test "TLS 1.2: OpenSSL chooses rsa_pss_rsae_sha256 for SKE, m->O" \ + "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key + -msg -tls1_2 + -sigalgs rsa_pss_rsae_sha256 " \ + "$P_CLI debug_level=4 auth_mode=none ca_file=none ca_path=none crt_file=none key_file=none + sig_algs=rsa_pss_rsae_sha256 + min_version=tls12 max_version=tls12 " \ + 0 \ + -c "Perform .* computation of digest of ServerKeyExchange" \ + -c "got signature scheme \\[804\\] rsa_pss_rsae_sha256" \ + -c "Ciphersuite is TLS-ECDHE-RSA" \ + -c "Protocol is TLSv1.2" \ + -c "HTTP/1.0 200 [Oo][Kk]" + requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index a20d822f28..0d8b95cc0d 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
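Review bot: The new run_test exercises only rsa_pss_rsae_sha256 end to end, while the unit cases added in test_suite_ssl.data cover the sha384 and sha512 scheme values as well; if the regression affected all three values, a second interop case forcing the server with `-sigalgs rsa_pss_rsae_sha512` and asserting `-c "got signature scheme \\[806\\] rsa_pss_rsae_sha512"` would catch a fix that only restored one case label. The server side passes `-msg` but no `-s` pattern is asserted, so that flag appears to be leftover debugging output and could be dropped to keep the test log smaller. The hunk's trailing context lines appear cut short in this rendering, so the test that follows is only partly visible here.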
@@ -3554,10 +3554,22 @@ TLS 1.2 accepts rsa_pss_rsae_sha256 in signature_algorithm
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256
 ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:1
 
+TLS 1.2 rejects rsa_pss_rsae_sha256 in signature_algorithm when RSA-PSS is disabled
+depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256
+ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:0
+
 TLS 1.2 accepts rsa_pss_rsae_sha384 in signature_algorithm
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384
 ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:1
 
+TLS 1.2 rejects rsa_pss_rsae_sha384 in signature_algorithm when RSA-PSS is disabled
+depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_384
+ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:0
+
 TLS 1.2 accepts rsa_pss_rsae_sha512 in signature_algorithm
 depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512
 ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:1
+
+TLS 1.2 rejects rsa_pss_rsae_sha512 in signature_algorithm when RSA-PSS is disabled
+depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_512
+ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:0
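Review bot: The three new negative cases require the digest to be enabled (`depends_on:!PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256` and the sha384/sha512 equivalents), yet the ssl_misc.h hunk wraps the whole switch in `#if defined(PSA_WANT_ALG_RSA_PSS)`, so the value appears to be rejected regardless of which digests are built; `depends_on:!PSA_WANT_ALG_RSA_PSS` alone would run these cases in more configurations. The complementary case is not covered: each case label in mbedtls_ssl_tls12_sig_alg_is_supported is guarded by its own `PSA_WANT_ALG_SHA_xxx`, so a build with RSA-PSS enabled but one digest disabled should return 0 for that scheme, e.g. `depends_on:PSA_WANT_ALG_RSA_PSS:!PSA_WANT_ALG_SHA_384` followed by `ssl_tls12_sig_alg_supported:MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:0`. The `!` negation is already used in the first dependency position in this hunk; confirm against the existing suite that it is accepted in the second position as well.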