ssl-opt.sh: TLS 1.3 opaque key: Add test with unsuitable sig alg

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2022-09-16 15:54:33 +02:00
parent 277cdcbcde
commit 50969e3af5
4 changed files with 51 additions and 13 deletions

View file

@ -347,7 +347,8 @@ int main( void )
#define USAGE_KEY_OPAQUE_ALGS \ #define USAGE_KEY_OPAQUE_ALGS \
" key_opaque_algs=%%s Allowed opaque key algorithms.\n" \ " key_opaque_algs=%%s Allowed opaque key algorithms.\n" \
" comma-separated pair of values among the following:\n" \ " comma-separated pair of values among the following:\n" \
" rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \ " rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
" rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
" ecdsa-sign, ecdh, none (only acceptable for\n" \ " ecdsa-sign, ecdh, none (only acceptable for\n" \
" the second value).\n" \ " the second value).\n" \

View file

@ -460,12 +460,14 @@ int main( void )
#define USAGE_KEY_OPAQUE_ALGS \ #define USAGE_KEY_OPAQUE_ALGS \
" key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \ " key_opaque_algs=%%s Allowed opaque key 1 algorithms.\n" \
" comma-separated pair of values among the following:\n" \ " comma-separated pair of values among the following:\n" \
" rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \ " rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
" rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
" ecdsa-sign, ecdh, none (only acceptable for\n" \ " ecdsa-sign, ecdh, none (only acceptable for\n" \
" the second value).\n" \ " the second value).\n" \
" key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n" \ " key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n" \
" comma-separated pair of values among the following:\n" \ " comma-separated pair of values among the following:\n" \
" rsa-sign-pkcs1, rsa-sign-pss, rsa-decrypt,\n" \ " rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n" \
" rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
" ecdsa-sign, ecdh, none (only acceptable for\n" \ " ecdsa-sign, ecdh, none (only acceptable for\n" \
" the second value).\n" " the second value).\n"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)

View file

@ -205,6 +205,9 @@ int key_opaque_alg_parse( const char *arg, const char **alg1, const char **alg2
if( strcmp( *alg1, "rsa-sign-pkcs1" ) != 0 && if( strcmp( *alg1, "rsa-sign-pkcs1" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss" ) != 0 && strcmp( *alg1, "rsa-sign-pss" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
strcmp( *alg1, "rsa-decrypt" ) != 0 && strcmp( *alg1, "rsa-decrypt" ) != 0 &&
strcmp( *alg1, "ecdsa-sign" ) != 0 && strcmp( *alg1, "ecdsa-sign" ) != 0 &&
strcmp( *alg1, "ecdh" ) != 0 ) strcmp( *alg1, "ecdh" ) != 0 )
@ -212,6 +215,9 @@ int key_opaque_alg_parse( const char *arg, const char **alg1, const char **alg2
if( strcmp( *alg2, "rsa-sign-pkcs1" ) != 0 && if( strcmp( *alg2, "rsa-sign-pkcs1" ) != 0 &&
strcmp( *alg2, "rsa-sign-pss" ) != 0 && strcmp( *alg2, "rsa-sign-pss" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss-sha256" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss-sha384" ) != 0 &&
strcmp( *alg1, "rsa-sign-pss-sha512" ) != 0 &&
strcmp( *alg2, "rsa-decrypt" ) != 0 && strcmp( *alg2, "rsa-decrypt" ) != 0 &&
strcmp( *alg2, "ecdsa-sign" ) != 0 && strcmp( *alg2, "ecdsa-sign" ) != 0 &&
strcmp( *alg2, "ecdh" ) != 0 && strcmp( *alg2, "ecdh" ) != 0 &&
@ -245,6 +251,21 @@ int key_opaque_set_alg_usage( const char *alg1, const char *alg2,
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH ); *psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_ANY_HASH );
*usage |= PSA_KEY_USAGE_SIGN_HASH; *usage |= PSA_KEY_USAGE_SIGN_HASH;
} }
else if( strcmp( algs[i], "rsa-sign-pss-sha256" ) == 0 )
{
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 );
*usage |= PSA_KEY_USAGE_SIGN_HASH;
}
else if( strcmp( algs[i], "rsa-sign-pss-sha384" ) == 0 )
{
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 );
*usage |= PSA_KEY_USAGE_SIGN_HASH;
}
else if( strcmp( algs[i], "rsa-sign-pss-sha512" ) == 0 )
{
*psa_algs[i] = PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 );
*usage |= PSA_KEY_USAGE_SIGN_HASH;
}
else if( strcmp( algs[i], "rsa-decrypt" ) == 0 ) else if( strcmp( algs[i], "rsa-decrypt" ) == 0 )
{ {
*psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT; *psa_algs[i] = PSA_ALG_RSA_PKCS1V15_CRYPT;

View file

@ -2068,6 +2068,20 @@ run_test "TLS 1.3 opaque key: suitable algorithm found" \
-C "error" \ -C "error" \
-S "error" \ -S "error" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
run_test "TLS 1.3 opaque key: first client sig alg not suitable" \
"$P_SRV debug_level=4 force_version=tls13 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pss-sha512,none" \
"$P_CLI debug_level=4 sig_algs=rsa_pss_rsae_sha256,rsa_pss_rsae_sha512" \
0 \
-s "The SSL configuration is tls13 only" \
-s "key types: Opaque, Opaque" \
-s "CertificateVerify signature failed with rsa_pss_rsae_sha256" \
-s "CertificateVerify signature with rsa_pss_rsae_sha512" \
-C "error" \
-S "error" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_RSA_C