Remove pkcs1 from certificate verify.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2025-01-27 06:35:22 +00:00 · 2022-06-22 19:30:32 +08:00 · 2022-06-22 19:30:32 +08:00 · 80dd5db808
commit 80dd5db808
parent d4a71a57a8
3 changed files with 35 additions and 16 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -2008,7 +2008,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
 }

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported_for_certificate(
                                                    const uint16_t sig_alg )
 {
    switch( sig_alg )
@ -2046,6 +2046,33 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
            return( 0 );
    }
    return( 1 );
+
+}
+
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+                                                    const uint16_t sig_alg )
+{
+    switch( sig_alg )
+    {
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+            break;
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA384_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+            break;
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+            break;
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
+        default:
+            return( mbedtls_ssl_tls13_sig_alg_is_supported_for_certificate(
+                                                                    sig_alg ) );
+    }
+    return( 1 );
 }

 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -8179,22 +8179,14 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,

    for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
    {
-        if( mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) ||
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
-            ( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) &&
-              ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
-              mbedtls_ssl_tls12_sig_alg_is_supported( *sig_alg ) ) ||
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
-            0 )
-        {
-            MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
-            MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
-            p += 2;
-            MBEDTLS_SSL_DEBUG_MSG( 3,
-                                  ( "sent signature scheme [%x] %s",
+        if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
+            continue;
+        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+        MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
+        p += 2;
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "sent signature scheme [%x] %s",
                                    *sig_alg,
                                    mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
-        }
    }

    /* Length of supported_signature_algorithms */
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -935,7 +935,7 @@ static int ssl_tls13_select_sig_alg_for_certificate_verify(
    *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
    for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
    {
-        if( mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg) &&
+        if( mbedtls_ssl_tls13_sig_alg_is_supported_for_certificate( *sig_alg) &&
            mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
                                                        *sig_alg, own_key ) )
        {