mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-31 01:20:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix various issues

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-01-17 18:16:35 +08:00
parent e12f1ddcfa
commit 713013fa80
4 changed files with 38 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/mbedtls/ssl.h
View File

@ -3298,7 +3298,7 @@ void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf,
* terminated by \c MBEDTLS_MD_NONE. * terminated by \c MBEDTLS_MD_NONE.
*/ */
void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
const int *hashes ); const int *hashes );
#endif /* MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_DEPRECATED_REMOVED */
/** /**

17
library/ssl_misc.h
View File

@ -1728,7 +1728,7 @@ void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
* Write Signature Algorithm extension * Write Signature Algorithm extension
*/ */
int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
const unsigned char *end, size_t *out_len); const unsigned char *end, size_t *out_len );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@ -1813,9 +1813,18 @@ int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
/* /*
* Return supported sig_algs. * Return supported signature algorithms.
*
* In future, invocations can be changed to ssl->conf->sig_algs when
* mbedtls_ssl_conf_sig_hashes() is deleted.
*
* ssl->handshake->sig_algs is either a translation of sig_hases to IANA TLS group
* identifiers when mbedtls_ssl_conf_sig_hashes() has been used, or a pointer to
* ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has been more recently
* invoked.
*/ */
static inline const void *mbedtls_ssl_get_sig_algs( const mbedtls_ssl_context *ssl ) static inline const void *mbedtls_ssl_get_sig_algs(
const mbedtls_ssl_context *ssl )
{ {
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)
@ -1826,7 +1835,7 @@ static inline const void *mbedtls_ssl_get_sig_algs( const mbedtls_ssl_context *s
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
((void) ssl); ((void) ssl);
return NULL; return( NULL );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \

6
library/ssl_srv.c
View File

@ -2803,10 +2803,10 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
{ {
/* High byte is hash */ /* High byte is hash */
unsigned char hash = ( *sig_alg >> 8 ) & 0xff; unsigned char hash = MBEDTLS_BYTE_1( *sig_alg );
unsigned char sig = ( *sig_alg ) & 0xff; unsigned char sig = MBEDTLS_BYTE_0( *sig_alg );
if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) ) if( mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
continue; continue;
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_ECDSA_C)
if( sig != MBEDTLS_SSL_SIG_RSA && sig != MBEDTLS_SSL_SIG_ECDSA ) if( sig != MBEDTLS_SSL_SIG_RSA && sig != MBEDTLS_SSL_SIG_ECDSA )

45
library/ssl_tls.c
View File

@ -3152,8 +3152,9 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)
/* Heap allocate and translate curve_list from internal to IANA group ids */ /* Heap allocate and translate sig_hashes from internal hash identifiers to
if ( mbedtls_ssl_conf_is_tls12_enabled( ssl->conf ) && signature algorithms IANA identifiers. */
if ( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) &&
ssl->conf->sig_hashes != NULL ) ssl->conf->sig_hashes != NULL )
{ {
const int *md; const int *md;
@ -6467,30 +6468,18 @@ static int ssl_preset_suiteb_ciphersuites[] = {
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)
static int ssl_preset_suiteb_hashes[] = { static int ssl_preset_suiteb_hashes[] = {
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_MD_SHA384,
#endif
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA256,
#endif
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_MD_SHA384,
#endif #endif
MBEDTLS_MD_NONE MBEDTLS_MD_NONE
}; };
#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* !MBEDTLS_DEPRECATED_REMOVED */
static uint16_t ssl_preset_default_sig_algs[] = { static uint16_t ssl_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
#endif
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#endif
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/* ECDSA algorithms */ /* ECDSA algorithms */
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
@ -6510,12 +6499,10 @@ static uint16_t ssl_preset_default_sig_algs[] = {
#endif #endif
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
MBEDTLS_TLS1_3_SIG_NONE
};
static uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
#endif
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#endif #endif
@ -6523,7 +6510,10 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
MBEDTLS_TLS1_3_SIG_NONE
};
static uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/* ECDSA algorithms */ /* ECDSA algorithms */
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_ECDSA_C)
@ -6541,7 +6531,14 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
#endif #endif
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#endif
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
}; };
#endif #endif
@ -6965,7 +6962,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
{ {
mbedtls_md_type_t hash = mbedtls_ssl_md_alg_from_hash( mbedtls_md_type_t hash = mbedtls_ssl_md_alg_from_hash(
( *sig_alg >> 8 ) & 0xff ); MBEDTLS_BYTE_1( *sig_alg ) );
if( hash == md ) if( hash == md )
return( 0 ); return( 0 );
} }