Merge pull request #6181 from wernerlewis/ecp_set_zero
Add tests for mbedtls_ecp_set_zero
diff --git a/CMakeLists.txt b/CMakeLists.txt
index bb86788..f2741d4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -227,7 +227,7 @@
endif(CMAKE_COMPILER_IS_CLANG)
if(CMAKE_COMPILER_IS_IAR)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts --warnings_are_errors -Ohz")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warn_about_c_style_casts -Ohz")
endif(CMAKE_COMPILER_IS_IAR)
if(CMAKE_COMPILER_IS_MSVC)
@@ -248,6 +248,10 @@
set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error=cpp")
endif(UNSAFE_BUILD)
endif(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
+
+ if (CMAKE_COMPILER_IS_IAR)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warning_are_errors")
+ endif(CMAKE_COMPILER_IS_IAR)
endif(MBEDTLS_FATAL_WARNINGS)
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
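Review bot: The flag re-added under MBEDTLS_FATAL_WARNINGS is spelled `--warning_are_errors`, which differs from the `--warnings_are_errors` removed in the hunk above; the IAR option I know of is the plural form, so the moved line looks like a typo. If IAR rejects unknown options this reintroduces the build break the changelog entry says it fixes, and if it ignores them MBEDTLS_FATAL_WARNINGS silently becomes a no-op for IAR. Suggested line: `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --warnings_are_errors")`. The `if (CMAKE_COMPILER_IS_IAR)` spacing also differs from the `if(` form used on the surrounding lines.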
diff --git a/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
new file mode 100644
index 0000000..f88eb9e
--- /dev/null
+++ b/ChangeLog.d/add-rsa-pss-rsae-support-for-tls12.txt
@@ -0,0 +1,8 @@
+Features
+ * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
+ declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
+ `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
+ the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
+ for its signature in the key exchange message. As Mbed TLS 1.2 does not
+ support them, the handshake fails. Add `rsa_pss_rsae_*` support for TLS 1.2
+ to resolve the compitablity issue.
diff --git a/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
new file mode 100644
index 0000000..a70521a
--- /dev/null
+++ b/ChangeLog.d/fix_build_error_for_mbedtls_deprecated_removed.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix build error due to missing prototype
+ warning when MBEDTLS_DEPRECATED_REMOVED is enabled
diff --git a/ChangeLog.d/fix_cmake_using_iar_toolchain.txt b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
new file mode 100644
index 0000000..ecc09c2
--- /dev/null
+++ b/ChangeLog.d/fix_cmake_using_iar_toolchain.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fixed an issue that cause compile error using CMake IAR toolchain.
+ Fixes #5964.
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 88ba65d..e76086a 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2092,7 +2092,7 @@
return( 0 );
}
-static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
+static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
{
*pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index eefd89d..19b8a41 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2502,6 +2502,7 @@
}
#endif /* MBEDTLS_SSL_DTLS_SRTP */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
{
conf->max_tls_version = (major << 8) | minor;
@@ -2511,6 +2512,7 @@
{
conf->min_tls_version = (major << 8) | minor;
}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_SSL_SRV_C)
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
@@ -4325,15 +4327,8 @@
* rules SHOULD be upheld.
* - No duplicate entries.
* - But if there is a good reason, do not change the order of the algorithms.
- * - ssl_tls12_present* is for TLS 1.2 use only.
+ * - ssl_tls12_preset* is for TLS 1.2 use only.
* - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
- *
- * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
- * declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
- * `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
- * the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
- * for its signature in the key exchange message. As Mbed TLS 1.2 does not
- * support them, the handshake fails.
*/
static uint16_t ssl_preset_default_sig_algs[] = {
@@ -4355,18 +4350,6 @@
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
-#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
-
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
@@ -4379,6 +4362,18 @@
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
+ MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
+
MBEDTLS_TLS_SIG_NONE
};
@@ -4389,6 +4384,9 @@
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
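Review bot: The new `MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512` entry in the TLS 1.2 preset is guarded only by `MBEDTLS_X509_RSASSA_PSS_SUPPORT`, whereas the same constant in the default list above is additionally guarded by `MBEDTLS_SHA512_C`; the SHA384 and SHA256 entries added in the next two hunks have the same asymmetry. In a build with PSS support but without the corresponding hash, the client would offer an algorithm it cannot verify, and a server that picks it would fail the handshake late instead of never being offered it. Suggest mirroring the default list: `#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)` (and SHA384/SHA256 for the other two). The neighbouring ECDSA/RSA entries have the same gap, so this may be a pre-existing convention for this table.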
@@ -4397,6 +4395,9 @@
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
@@ -4405,6 +4406,9 @@
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
@@ -7282,7 +7286,7 @@
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
- if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+ if( ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
return( tls_prf_sha384 );
#else
(void) ciphersuite_id;
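Review bot: With the added NULL check a ciphersuite id that `mbedtls_ssl_ciphersuite_from_id()` does not recognise no longer dereferences NULL, but it now silently falls through to whatever PRF the function returns below the `#else`, presumably the SHA-256 one; the rest of the function is outside the hunk. If an unknown id can reach this point, the silent default hides a negotiation error rather than surfacing it, so a one-line comment such as `/* unknown ciphersuite: fall back to the default PRF rather than crash */` would at least make the intent explicit for the next reader.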
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index 05376db..01a0aec 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -2041,66 +2041,6 @@
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
- unsigned char **p,
- unsigned char *end,
- mbedtls_md_type_t *md_alg,
- mbedtls_pk_type_t *pk_alg )
-{
- *md_alg = MBEDTLS_MD_NONE;
- *pk_alg = MBEDTLS_PK_NONE;
-
- if( (*p) + 2 > end )
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
-
- /*
- * Get hash algorithm
- */
- if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
- == MBEDTLS_MD_NONE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- /*
- * Get signature algorithm
- */
- if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
- == MBEDTLS_PK_NONE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- /*
- * Check if the signature algorithm is acceptable
- */
- if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
- (*p)[1] ) );
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
- (*p)[0] ) );
- *p += 2;
-
- return( 0 );
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
@@ -2398,14 +2338,31 @@
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
size_t params_len = p - params;
void *rs_ctx = NULL;
+ uint16_t sig_alg;
mbedtls_pk_context * peer_pk;
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+ if( ssl->session_negotiate->peer_cert == NULL )
+ {
+ /* Should never happen */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
/*
* Handle the digitally-signed structure
*/
- if( ssl_parse_signature_algorithm( ssl, &p, end,
- &md_alg, &pk_alg ) != 0 )
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
+ sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
+ if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ sig_alg, &pk_alg, &md_alg ) != 0 &&
+ ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
+ ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "bad server key exchange message" ) );
@@ -2415,9 +2372,9 @@
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
+ p += 2;
- if( pk_alg !=
- mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
+ if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "bad server key exchange message" ) );
@@ -2475,18 +2432,6 @@
MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
- peer_pk = &ssl->handshake->peer_pubkey;
-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
- if( ssl->session_negotiate->peer_cert == NULL )
- {
- /* Should never happen */
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
- peer_pk = &ssl->session_negotiate->peer_cert->pk;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
/*
* Verify signature
*/
@@ -2505,8 +2450,28 @@
rs_ctx = &ssl->handshake->ecrs_ctx.pk;
#endif
- if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
- md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+ if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
+ {
+ const mbedtls_md_info_t* md_info;
+ mbedtls_pk_rsassa_pss_options rsassa_pss_options;
+ rsassa_pss_options.mgf1_hash_id = md_alg;
+ if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+ rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
+ ret = mbedtls_pk_verify_ext( pk_alg, &rsassa_pss_options,
+ peer_pk,
+ md_alg, hash, hashlen,
+ p, sig_len );
+ }
+ else
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+ ret = mbedtls_pk_verify_restartable( peer_pk,
+ md_alg, hash, hashlen, p, sig_len, rs_ctx );
+
+ if( ret != 0 )
{
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
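Review bot: The un-braced `else` that precedes `#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */` binds to the single `mbedtls_pk_verify_restartable()` statement across a preprocessor boundary, which is fragile: anyone adding a second statement to the non-PSS path, or a line between the `#endif` and the call, silently changes which code runs under `else`. Wrapping the non-PSS call in braces, `{ ret = mbedtls_pk_verify_restartable( peer_pk, md_alg, hash, hashlen, p, sig_len, rs_ctx ); }`, with the opening brace after the `#endif`, removes that hazard. The PSS branch's `expected_salt_len = mbedtls_md_get_size( md_info )` matches the rsa_pss_rsae convention of salt length equal to the digest length, so that part reads correctly. The enclosing function continues past the end of this hunk.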
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index d1e2e49..64e134d 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -213,7 +213,7 @@
goto error;
}
- if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
+ if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &sig_alg, &md_alg ) != 0 )
{
goto error;
@@ -1029,7 +1029,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s",
mbedtls_ssl_sig_alg_to_str( algorithm )) );
- if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
+ if( mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &pk_type, &md_alg ) != 0 )
{
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
diff --git a/programs/test/query_compile_time_config.c b/programs/test/query_compile_time_config.c
index 6d92de3..5aa0233 100644
--- a/programs/test/query_compile_time_config.c
+++ b/programs/test/query_compile_time_config.c
@@ -28,20 +28,26 @@
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
#endif
-#define USAGE \
- "usage: %s [ <MBEDTLS_CONFIG> | -l ]\n\n" \
- "This program takes one command line argument which corresponds to\n" \
- "the string representation of a Mbed TLS compile time configuration.\n" \
- "The value 0 will be returned if this configuration is defined in the\n" \
- "Mbed TLS build and the macro expansion of that configuration will be\n" \
- "printed (if any). Otherwise, 1 will be returned.\n" \
- "-l\tPrint all available configuration.\n"
+#define USAGE \
+ "usage: %s [ -all | -any | -l ] <MBEDTLS_CONFIG> ...\n\n" \
+ "This program takes command line arguments which correspond to\n" \
+ "the string representation of Mbed TLS compile time configurations.\n\n" \
+ "If \"--all\" and \"--any\" are not used, then, if all given arguments\n" \
+ "are defined in the Mbed TLS build, 0 is returned; otherwise 1 is\n" \
+ "returned. Macro expansions of configurations will be printed (if any).\n" \
+ "-l\tPrint all available configuration.\n" \
+ "-all\tReturn 0 if all configurations are defined. Otherwise, return 1\n" \
+ "-any\tReturn 0 if any configuration is defined. Otherwise, return 1\n" \
+ "-h\tPrint this usage\n"
+
#include <string.h>
#include "query_config.h"
int main( int argc, char *argv[] )
{
- if ( argc != 2 )
+ int i;
+
+ if ( argc == 1 || strcmp( argv[1], "-h" ) == 0 )
{
mbedtls_printf( USAGE, argv[0] );
return( MBEDTLS_EXIT_FAILURE );
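Review bot: The USAGE text is internally inconsistent: the synopsis and the option list document `-all` and `-any` (which is what the `strcmp()` calls in the next hunk compare against), but the explanatory sentence says `If "--all" and "--any" are not used`. A user following that sentence would pass `--all`, which falls through to the default loop and is looked up as a configuration name. Suggested line: `"If \"-all\" and \"-any\" are not used, then, if all given arguments\n" \`. Note also that `-h` is only recognised as `argv[1]`, which is consistent with `-l` but worth stating in the usage if intended.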
@@ -53,5 +59,31 @@
return( 0 );
}
- return( query_config( argv[1] ) );
+ if( strcmp( argv[1], "-all" ) == 0 )
+ {
+ for( i = 2; i < argc; i++ )
+ {
+ if( query_config( argv[i] ) != 0 )
+ return( 1 );
+ }
+ return( 0 );
+ }
+
+ if( strcmp( argv[1], "-any" ) == 0 )
+ {
+ for( i = 2; i < argc; i++ )
+ {
+ if( query_config( argv[i] ) == 0 )
+ return( 0 );
+ }
+ return( 1 );
+ }
+
+ for( i = 1; i < argc; i++ )
+ {
+ if( query_config( argv[i] ) != 0 )
+ return( 1 );
+ }
+
+ return( 0 );
}
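Review bot: The `-all` and `-any` branches do not check that at least one configuration name follows the option, so `query_compile_time_config -all` exits 0 (vacuously "all defined") and `-any` exits 1 with no diagnostic; the `requires_*` helpers added to ssl-opt.sh in this commit would then silently pass or skip on a typo that drops the argument list. Adding `if( argc < 3 ) { mbedtls_printf( USAGE, argv[0] ); return( MBEDTLS_EXIT_FAILURE ); }` at the top of each of those two branches makes the misuse visible. The default loop likewise treats any unrecognised `-x` as a configuration name rather than a usage error.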
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 7a2b58e..d498d50 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -223,6 +223,34 @@
esac
}
+requires_all_configs_enabled() {
+ if ! $P_QUERY -all $*
+ then
+ SKIP_NEXT="YES"
+ fi
+}
+
+requires_all_configs_disabled() {
+ if $P_QUERY -any $*
+ then
+ SKIP_NEXT="YES"
+ fi
+}
+
+requires_any_configs_enabled() {
+ if ! $P_QUERY -any $*
+ then
+ SKIP_NEXT="YES"
+ fi
+}
+
+requires_any_configs_disabled() {
+ if $P_QUERY -all $*
+ then
+ SKIP_NEXT="YES"
+ fi
+}
+
get_config_value_or_default() {
# This function uses the query_config command line option to query the
# required Mbed TLS compile time configuration from the ssl_server2
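Review bot: All four new `requires_*_configs_*` helpers forward their arguments with an unquoted `$*`, which re-splits and glob-expands the words before they reach `$P_QUERY`; configuration macro names happen to be safe, but `"$@"` is the idiom the rest of the script should be following and costs nothing here, e.g. `if ! $P_QUERY -all "$@"`. The helpers also have no guard for an empty argument list, so `requires_all_configs_enabled` with no names calls `$P_QUERY -all` alone and (per the new query_compile_time_config.c logic) never skips; a one-line header comment per function stating the expected arguments and the skip semantics would help callers, since `requires_any_configs_disabled` skipping when all are enabled is easy to misread.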
@@ -874,12 +902,12 @@
( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
DOG_PID=$!
- wait $CLI_PID
+ # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
+ # To remove it from stdout, redirect stdout/stderr to CLI_OUT
+ wait $CLI_PID >> $CLI_OUT 2>&1
CLI_EXIT=$?
kill $DOG_PID >/dev/null 2>&1
- # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
- # To remove it from stdout, redirect stdout/stderr to CLI_OUT
wait $DOG_PID >> $CLI_OUT 2>&1
echo "EXIT: $CLI_EXIT" >> $CLI_OUT
@@ -1230,7 +1258,9 @@
# terminate the server (and the proxy)
kill $SRV_PID
- wait $SRV_PID
+ # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
+ # To remove it from stdout, redirect stdout/stderr to SRV_OUT
+ wait $SRV_PID >> $SRV_OUT 2>&1
SRV_RET=$?
if [ -n "$PXY_CMD" ]; then
@@ -12726,6 +12756,37 @@
-s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET" \
-s "server state: MBEDTLS_SSL_NEW_SESSION_TICKET_FLUSH"
+requires_openssl_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
+ "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key
+ -msg -tls1_2
+ -Verify 10 " \
+ "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
+ min_version=tls12 max_version=tls13 " \
+ 0 \
+ -c "Protocol is TLSv1.2" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
+
+requires_gnutls_tls1_3
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_DEBUG_C
+requires_config_enabled MBEDTLS_SSL_CLI_C
+run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \
+ "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key
+ -d 4
+ --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
+ "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key
+ sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
+ min_version=tls12 max_version=tls13 " \
+ 0 \
+ -c "Protocol is TLSv1.2" \
+ -c "HTTP/1.0 200 [Oo][Kk]"
+
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_MEMORY_DEBUG
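Review bot: The two new `rsa_pss_rsae` compatibility tests gate only on MBEDTLS_SSL_PROTO_TLS1_2, MBEDTLS_DEBUG_C and MBEDTLS_SSL_CLI_C, yet the client-side PSS verification added in ssl_tls12_client.c is compiled only under MBEDTLS_X509_RSASSA_PSS_SUPPORT and the offered `sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512` need SHA-512; in a build without either the test fails for a reason unrelated to what it checks. This is exactly what the `requires_all_configs_enabled` helper introduced in this commit is for, e.g. `requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_DEBUG_C MBEDTLS_SSL_CLI_C MBEDTLS_X509_RSASSA_PSS_SUPPORT MBEDTLS_SHA512_C`. The assertions also only confirm that a TLS 1.2 handshake completed; since the point of the fix is that the server's `rsa_pss_rsae_*` signature is now verified, a `-c` check on the client debug line that names the negotiated signature algorithm (whatever the client prints at debug_level=4) would pin the behaviour instead of passing whenever the server happens to choose PKCS#1.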