eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #6051 from mprse/permissions_2b_v2

Browse source 
Permissions 2b: TLS 1.3 sigalg selection
This commit is contained in:
Manuel Pégourié-Gonnard 2022-09-28 09:50:04 +02:00 committed by GitHub
commit e3358e14b2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 235 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

165
library/ssl_tls13_generic.c
View file

@ -906,12 +906,8 @@ int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
case MBEDTLS_SSL_SIG_RSA:
switch( sig_alg )
{
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
return( key_size <= 3072 );
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
return( key_size <= 7680 );
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: /* Intentional fallthrough */
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: /* Intentional fallthrough */
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
return( 1 );
@ -927,43 +923,13 @@ int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
return( 0 );
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_select_sig_alg_for_certificate_verify(
mbedtls_ssl_context *ssl,
mbedtls_pk_context *own_key,
uint16_t *algorithm )
{
uint16_t *sig_alg = ssl->handshake->received_sig_algs;
*algorithm = MBEDTLS_TLS1_3_SIG_NONE;
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
{
if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) &&
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) &&
mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3,
( "select_sig_alg_for_certificate_verify:"
"selected signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
*algorithm = *sig_alg;
return( 0 );
}
}
MBEDTLS_SSL_DEBUG_MSG( 2,
( "select_sig_alg_for_certificate_verify:"
"no suitable signature algorithm found" ) );
return( -1 );
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *out_len )
{
int ret;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = buf;
mbedtls_pk_context *own_key;
@ -971,14 +937,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
size_t handshake_hash_len;
unsigned char verify_buffer[ SSL_VERIFY_STRUCT_MAX_SIZE ];
size_t verify_buffer_len;
mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
uint16_t algorithm = MBEDTLS_TLS1_3_SIG_NONE;
uint16_t *sig_alg = ssl->handshake->received_sig_algs;
size_t signature_len = 0;
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
size_t verify_hash_len;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
*out_len = 0;
@ -1011,64 +972,84 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
* opaque signature<0..2^16-1>;
* } CertificateVerify;
*/
ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key,
&algorithm );
if( ret != 0 )
/* Check there is space for the algorithm identifier (2 bytes) and the
* signature length (2 bytes).
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "signature algorithm not in received or offered list." ) );
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
size_t verify_hash_len;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
continue;
if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
continue;
if( !mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
continue;
if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
*sig_alg, &pk_type, &md_alg ) != 0 )
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* Hash verify buffer with indicated hash function */
psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg );
status = psa_hash_compute( psa_algorithm,
verify_buffer,
verify_buffer_len,
verify_hash, sizeof( verify_hash ),
&verify_hash_len );
if( status != PSA_SUCCESS )
return( psa_ssl_status_to_mbedtls( status ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
md_alg, verify_hash, verify_hash_len,
p + 4, (size_t)( end - ( p + 4 ) ), &signature_len,
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature failed with %s",
mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_pk_sign_ext", ret );
/* The signature failed. This is possible if the private key
* was not suitable for the signature operation as purposely we
* did not check its suitability completely. Let's try with
* another signature algorithm.
*/
continue;
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify signature with %s",
mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
break;
}
if( *sig_alg == MBEDTLS_TLS1_3_SIG_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no suitable signature algorithm" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s",
mbedtls_ssl_sig_alg_to_str( algorithm )) );
MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
MBEDTLS_PUT_UINT16_BE( signature_len, p, 2 );
if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &pk_type, &md_alg ) != 0 )
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
*out_len = 4 + signature_len;
/* Check there is space for the algorithm identifier (2 bytes) and the
* signature length (2 bytes).
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
p += 2;
/* Hash verify buffer with indicated hash function */
psa_algorithm = mbedtls_hash_info_psa_from_md( md_alg );
status = psa_hash_compute( psa_algorithm,
verify_buffer,
verify_buffer_len,
verify_hash,sizeof( verify_hash ),
&verify_hash_len );
if( status != PSA_SUCCESS )
return( psa_ssl_status_to_mbedtls( status ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
if( ( ret = mbedtls_pk_sign_ext( pk_type, own_key,
md_alg, verify_hash, verify_hash_len,
p + 2, (size_t)( end - ( p + 2 ) ), &signature_len,
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
return( ret );
}
MBEDTLS_PUT_UINT16_BE( signature_len, p, 0 );
p += 2 + signature_len;
*out_len = (size_t)( p - buf );
return( ret );
return( 0 );
}
int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )

52
library/ssl_tls13_server.c
View file

@ -1111,6 +1111,36 @@ static int ssl_tls13_determine_key_exchange_mode( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg )
{
switch( sig_alg )
{
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
return( PSA_ALG_ECDSA( PSA_ALG_SHA_256 ) );
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
return( PSA_ALG_ECDSA( PSA_ALG_SHA_384 ) );
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
return( PSA_ALG_ECDSA( PSA_ALG_SHA_512 ) );
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_256 ) );
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_384 ) );
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
return( PSA_ALG_RSA_PSS( PSA_ALG_SHA_512 ) );
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_256 ) );
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_384 ) );
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
return( PSA_ALG_RSA_PKCS1V15_SIGN( PSA_ALG_SHA_512 ) );
default:
return( PSA_ALG_NONE );
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Pick best ( private key, certificate chain ) pair based on the signature
* algorithms supported by the client.
@ -1136,9 +1166,19 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
{
if( !mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) )
continue;
if( !mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) )
continue;
for( key_cert = key_cert_list; key_cert != NULL;
key_cert = key_cert->next )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_alg = PSA_ALG_NONE;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
key_cert->cert );
@ -1162,8 +1202,18 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
"check signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg( *sig_alg );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, &key_cert->cert->pk ) )
*sig_alg, &key_cert->cert->pk )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
&& psa_alg != PSA_ALG_NONE &&
mbedtls_pk_can_do_ext( &key_cert->cert->pk, psa_alg,
PSA_KEY_USAGE_SIGN_HASH ) == 1
#endif /* MBEDTLS_USE_PSA_CRYPTO */
)
{
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_MSG( 3,