Merge pull request #8554 from yanrayw/issue/8221/fix-tls-suiteB-profile
TLS: remove RSA signature algorithms in `suite B` profile
This commit is contained in:
Tom Cosgrove
GitHub
commit
bc5d9165ae
3 changed files with 26 additions and 37 deletions
3
ChangeLog.d/fix-tls-SuiteB.txt
Normal file
3
ChangeLog.d/fix-tls-SuiteB.txt
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
Bugfix
|
||||
* Remove accidental introduction of RSA signature algorithms
|
||||
in TLS Suite B Profile. Fixes #8221.
|
||||
|
|
@ -447,7 +447,7 @@
|
|||
|
||||
/*
|
||||
* TLS 1.3 signature algorithms
|
||||
* RFC 8446, Section 4.2.2
|
||||
* RFC 8446, Section 4.2.3
|
||||
*/
|
||||
|
||||
/* RSASSA-PKCS1-v1_5 algorithms */
|
||||
|
|
|
|||
|
|
@ -5118,23 +5118,17 @@ static uint16_t ssl_preset_default_sig_algs[] = {
|
|||
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
||||
defined(MBEDTLS_MD_CAN_SHA512)
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
|
||||
#endif \
|
||||
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
||||
defined(MBEDTLS_MD_CAN_SHA384)
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
|
||||
#endif \
|
||||
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
||||
defined(MBEDTLS_MD_CAN_SHA256)
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
|
||||
#endif \
|
||||
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
|
||||
|
|
@ -5154,42 +5148,47 @@ static uint16_t ssl_preset_default_sig_algs[] = {
|
|||
/* NOTICE: see above */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
|
||||
|
||||
#if defined(MBEDTLS_MD_CAN_SHA512)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
|
||||
#endif
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
|
||||
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
|
||||
#endif
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
|
||||
#endif
|
||||
#endif /* MBEDTLS_MD_CAN_SHA512 */
|
||||
|
||||
#if defined(MBEDTLS_MD_CAN_SHA384)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
|
||||
#endif
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
|
||||
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
|
||||
#endif
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
|
||||
#endif
|
||||
#endif /* MBEDTLS_MD_CAN_SHA384 */
|
||||
|
||||
#if defined(MBEDTLS_MD_CAN_SHA256)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
|
||||
#endif
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
|
||||
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
|
||||
#endif
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
|
||||
#endif
|
||||
#endif /* MBEDTLS_MD_CAN_SHA256 */
|
||||
|
||||
MBEDTLS_TLS_SIG_NONE
|
||||
};
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
/* NOTICE: see above */
|
||||
static uint16_t ssl_preset_suiteb_sig_algs[] = {
|
||||
|
||||
|
|
@ -5207,38 +5206,25 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
|
|||
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
||||
defined(MBEDTLS_MD_CAN_SHA256)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
|
||||
#endif \
|
||||
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256*/
|
||||
|
||||
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
|
||||
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
|
||||
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256*/
|
||||
|
||||
MBEDTLS_TLS_SIG_NONE
|
||||
};
|
||||
|
||||
/* NOTICE: see above */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
|
||||
|
||||
#if defined(MBEDTLS_MD_CAN_SHA256)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
|
||||
#endif
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
|
||||
#endif
|
||||
#endif /* MBEDTLS_MD_CAN_SHA256 */
|
||||
|
||||
#if defined(MBEDTLS_MD_CAN_SHA384)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
|
||||
#endif
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
|
||||
#endif
|
||||
#endif /* MBEDTLS_MD_CAN_SHA256*/
|
||||
#endif /* MBEDTLS_MD_CAN_SHA384 */
|
||||
|
||||
MBEDTLS_TLS_SIG_NONE
|
||||
};
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
|
|
|||
Loading…
Reference in a new issue