yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix various issues

Browse source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-07-01 18:03:31 +08:00
parent aae28f178b
commit 52b7d923fe
3 changed files with 15 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
library/ssl_misc.h
View file

@ -1984,7 +1984,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
switch( sig_alg )
{
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
@ -2003,7 +2003,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PKCS1_V21 */
default:
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
@ -2031,7 +2031,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
#if defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
break;
@ -2044,7 +2044,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#endif /* MBEDTLS_PKCS1_V21 */
default:
return( 0 );
}
@ -2057,7 +2057,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
{
switch( sig_alg )
{
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PKCS1_V15)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
@ -2070,7 +2070,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
#endif /* MBEDTLS_PKCS1_V15 */
default:
return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
sig_alg ) );

5
library/ssl_tls.c
View file

@ -4916,10 +4916,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
sig_alg,
mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if(
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
( ! ( mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) &&
mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ) ) )
{

32
tests/ssl-opt.sh
View file

@ -11883,7 +11883,6 @@ run_test "TLS 1.3 G->m HRR both with middlebox compat support" \
-c "SSL 3.3 ChangeCipherSpec packet received"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -11893,14 +11892,13 @@ run_test "TLS 1.3: Check signature algorithm order, m->O" \
-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
-Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
"$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
-c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -11910,13 +11908,12 @@ run_test "TLS 1.3: Check signature algorithm order, m->G" \
-d 4
--priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
"$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
0 \
-c "Protocol is TLSv1.3" \
-c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -11929,7 +11926,7 @@ run_test "TLS 1.3: Check signature algorithm order, m->m" \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
"$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 \
min_version=tls12 max_version=tls13 " \
force_version=tls13" \
0 \
-c "Protocol is TLSv1.3" \
-c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \
@ -11938,12 +11935,10 @@ run_test "TLS 1.3: Check signature algorithm order, m->m" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Check signature algorithm order, O->m" \
"$P_SRV debug_level=4 force_version=tls13 auth_mode=required
crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
@ -11958,12 +11953,10 @@ run_test "TLS 1.3: Check signature algorithm order, O->m" \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Check signature algorithm order, G->m" \
"$P_SRV debug_level=4 force_version=tls13 auth_mode=required
crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key
@ -11979,7 +11972,6 @@ run_test "TLS 1.3: Check signature algorithm order, G->m" \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -11997,7 +11989,6 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \
-s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12014,7 +12005,6 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
-s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12027,13 +12017,12 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \
sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
"$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512 \
min_version=tls12 max_version=tls13 " \
force_version=tls13" \
1 \
-s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
-s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12048,7 +12037,6 @@ run_test "TLS 1.3: Check server no suitable certificate, G->m" \
-s "ssl_tls13_pick_key_cert:no suitable certificate found"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12062,7 +12050,6 @@ run_test "TLS 1.3: Check server no suitable certificate, O->m" \
1 \
-s "ssl_tls13_pick_key_cert:no suitable certificate found"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12074,12 +12061,11 @@ run_test "TLS 1.3: Check server no suitable certificate, m->m" \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
"$P_CLI allow_sha1=0 debug_level=4 \
sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256 \
min_version=tls12 max_version=tls13 " \
force_version=tls13" \
1 \
-s "ssl_tls13_pick_key_cert:no suitable certificate found"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12089,12 +12075,11 @@ run_test "TLS 1.3: Check client no signature algorithm, m->O" \
-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
-Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
-c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12104,11 +12089,10 @@ run_test "TLS 1.3: Check client no signature algorithm, m->G" \
-d 4
--priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
force_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
1 \
-c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
@ -12121,7 +12105,7 @@ run_test "TLS 1.3: Check client no signature algorithm, m->m" \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \
"$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \
sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 \
min_version=tls12 max_version=tls13 " \
force_version=tls13" \
1 \
-c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found"