From 67ea2543edd3b6eeb6e400a46b6c27dcef7f83fa Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 15 Sep 2022 17:34:42 +0200 Subject: [PATCH] tls13: server: Add sig alg checks when selecting best certificate When selecting the server certificate based on the signature algorithms supported by the client, check the signature algorithms as close as possible to the way they are checked to compute the signature for the server to prove it possesses the private key associated to the certificate. That way we minimize the odds of selecting a certificate for which the server will not be able to compute the signature to prove it possesses the private key associated to the certificate. Signed-off-by: Ronald Cron --- library/ssl_tls13_server.c | 50 +++++++++++++++++++++++++++++++++++++- tests/ssl-opt.sh | 9 +++---- 2 files changed, 52 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index a10e59bbc..a85408084 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -898,6 +898,34 @@ static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg ) +{ + switch( sig_alg ) + { + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: + return( PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) ); + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: + return( PSA_ALG_ECDSA( PSA_ALG_SHA_384 ) ); + case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: + return( PSA_ALG_ECDSA( PSA_ALG_SHA_512 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: + return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: + return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: + return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 ) ); + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: + case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: + return( PSA_ALG_RSA_PKCS1V15_CRYPT ); + default: + return( PSA_ALG_NONE ); + } +} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + /* * Pick best ( private key, certificate chain ) pair based on the signature * algorithms supported by the client. @@ -923,9 +951,19 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl ) for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) { + if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) ) + continue; + + if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) ) + continue; + for( key_cert = key_cert_list; key_cert != NULL; key_cert = key_cert->next ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_algorithm_t psa_alg = PSA_ALG_NONE; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate", key_cert->cert ); @@ -949,8 +987,18 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl ) "check signature algorithm %s [%04x]", mbedtls_ssl_sig_alg_to_str( *sig_alg ), *sig_alg ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg( *sig_alg ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match( - *sig_alg, &key_cert->cert->pk ) ) + *sig_alg, &key_cert->cert->pk ) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + && psa_alg != PSA_ALG_NONE && + mbedtls_pk_can_do_ext( &key_cert->cert->pk, psa_alg, + PSA_KEY_USAGE_SIGN_HASH ) == 1 +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + ) { ssl->handshake->key_cert = key_cert; MBEDTLS_SSL_DEBUG_MSG( 3, diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 11fc3572c..1ddd74231 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -12671,8 +12671,7 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \ --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \ 1 \ - -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ - -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + -S "ssl_tls13_pick_key_cert:check signature algorithm" requires_openssl_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -12688,8 +12687,7 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \ -cert data_files/server2-sha256.crt -key data_files/server2.key \ -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \ 1 \ - -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ - -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + -S "ssl_tls13_pick_key_cert:check signature algorithm" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE @@ -12704,8 +12702,7 @@ run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \ "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \ 1 \ - -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ - -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + -S "ssl_tls13_pick_key_cert:check signature algorithm" requires_gnutls_tls1_3 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3