Mbed-TLS/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-06-05 21:15:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10672 from Maokaman1/fix/tls12-rsa-pss-sigalgs

Browse Source 
ssl: accept TLS 1.2 rsa_pss_rsae signature algorithms
This commit is contained in:
Ronald Cron
2026-04-20 08:03:39 +00:00
committed by GitHub
parent 8426c9bc51 f90e81c7f8
commit 518ed0337d
3 changed files with 98 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ChangeLog.d/fix-tls12-rsa-pss-sigalgs.txt
+4
View File
@@ -0,0 +1,4 @@
Bugfix
* Fix a TLS 1.2 regression that caused clients to reject valid
ServerKeyExchange signatures using RSA-PSS signature algorithms.
Fixes #10668.
library/ssl_tls12_client.c
+57 -11
View File
@@ -12,6 +12,7 @@
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "ssl_debug_helpers.h"
#include "ssl_client.h" #include "ssl_client.h"
#include "debug_internal.h" #include "debug_internal.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
@@ -1742,32 +1743,77 @@ static int ssl_parse_signature_algorithm(mbedtls_ssl_context *ssl,
{ {
if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(sig_alg, pk_alg, md_alg) != 0) { if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(sig_alg, pk_alg, md_alg) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, MBEDTLS_SSL_DEBUG_MSG(1,
("Server used unsupported value in SigAlg extension 0x%04x", ("Server used unsupported %s signature algorithm",
sig_alg)); mbedtls_ssl_sig_alg_to_str(sig_alg)));
return MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; return MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
} }
/* /*
* mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg() understands sig_alg code points across * mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg() understands
* TLS versions. Make sure that the received sig_alg extension is valid in TLS 1.2. * signature algorithm code points from both TLS 1.2 and TLS 1.3. Make sure
* that the selected signature algorithm is acceptable when TLS 1.2 is
* negotiated.
*
* In TLS 1.2, RSA-PSS signature algorithms (rsa_pss_rsae_*) are not
* defined by RFC 5246. However, RFC 8446 Section 4.2.3 requires that
* implementations which advertise support for RSASSA-PSS must be
* prepared to accept such signatures even when TLS 1.2 is negotiated,
* provided they were offered in the signature_algorithms extension.
*
* Therefore, we allow rsa_pss_rsae_* here if:
* - the implementation supports them, and
* - they were offered in the signature_algorithms extension (checked by
* `mbedtls_ssl_sig_alg_is_offered()` below).
*
* If we were to add full support for rsa_pss_rsae_* signature algorithms
* in TLS 1.2 (not defined by RFC 5246; RFC 8446 requires implementations
* that advertise RSASSA-PSS to accept such signatures even when TLS 1.2
* is negotiated; in practice, several TLS implementations also offer and
* use these algorithms in TLS 1.2-only configurations), we should then
* integrate RSA-PSS into the TLS 1.2 signature algorithm support logic
* (`mbedtls_ssl_tls12_sig_alg_is_supported()`) instead of handling it as a
* special case here.
*/ */
if (!mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) { if (!mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, switch (sig_alg) {
("Server used unsupported value in SigAlg extension 0x%04x", #if defined(PSA_WANT_ALG_RSA_PSS)
sig_alg)); #if defined(PSA_WANT_ALG_SHA_256)
return MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
#endif
#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
#endif
#if defined(PSA_WANT_ALG_SHA_512)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
#endif
#if defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384) || defined(PSA_WANT_ALG_SHA_512)
MBEDTLS_SSL_DEBUG_MSG(3,
(
"Accepting TLS 1.2 RSA-PSS signature algorithm %s via compatibility exception",
mbedtls_ssl_sig_alg_to_str(sig_alg)));
break;
#endif
#endif /* PSA_WANT_ALG_RSA_PSS */
default:
MBEDTLS_SSL_DEBUG_MSG(1,
("Server used unsupported %s signature algorithm",
mbedtls_ssl_sig_alg_to_str(sig_alg)));
return MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
}
} }
/* /*
* Check if the signature algorithm is acceptable * Check if the signature algorithm is acceptable
*/ */
if (!mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)) { if (!mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Server used SigAlg value 0x%04x that was not offered", sig_alg)); MBEDTLS_SSL_DEBUG_MSG(1,
("Server used the signature algorithm %s that was not offered",
mbedtls_ssl_sig_alg_to_str(sig_alg)));
return MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER; return MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
} }
MBEDTLS_SSL_DEBUG_MSG(2, ("Server used SignatureAlgorithm %d", sig_alg & 0x00FF)); MBEDTLS_SSL_DEBUG_MSG(2, ("Server used the signature algorithm %s",
MBEDTLS_SSL_DEBUG_MSG(2, ("Server used HashAlgorithm %d", sig_alg >> 8)); mbedtls_ssl_sig_alg_to_str(sig_alg)));
return 0; return 0;
} }
tests/ssl-opt.sh
+37 -1
View File
@@ -13938,7 +13938,6 @@ run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
-c "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]" -c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_DEBUG_C
@@ -13954,6 +13953,43 @@ run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \
-c "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]" -c "HTTP/1.0 200 [Oo][Kk]"
requires_openssl_tls1_3_with_compatible_ephemeral
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled PSA_WANT_ALG_RSA_PSS
requires_config_enabled PSA_WANT_ALG_SHA_256
run_test "TLS 1.2: Server forces TLS 1.2 and rsa_pss_rsae_sha256, m->O" \
"$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
-tls1_2 -sigalgs rsa_pss_rsae_sha256 " \
"$P_CLI debug_level=3" \
0 \
-c "sent signature scheme \\[804\\] rsa_pss_rsae_sha256" \
-c "Perform .* computation of digest of ServerKeyExchange" \
-c "Server used the signature algorithm rsa_pss_rsae_sha256" \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_enabled PSA_WANT_ALG_RSA_PSS
requires_config_enabled PSA_WANT_ALG_SHA_256
run_test "TLS 1.2: Server forces TLS 1.2 and rsa_pss_rsae_sha256, m->G" \
"$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
--disable-client-cert
--priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256" \
"$P_CLI debug_level=3" \
0 \
-c "sent signature scheme \\[804\\] rsa_pss_rsae_sha256" \
-c "Perform .* computation of digest of ServerKeyExchange" \
-c "Server used the signature algorithm rsa_pss_rsae_sha256" \
-c "Protocol is TLSv1.2" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED