From a3d016ce41a0fb9b862e99611c7786e4ab0ece8b Mon Sep 17 00:00:00 2001
From: Gabor Mezei
Date: Tue, 10 May 2022 12:44:09 +0200
Subject: [PATCH] Rename and rewrite `mbedtls_ssl_sig_hash_set_find` function

Rename `mbedtls_ssl_sig_hash_set_find` function to a suitable name and rewrite to operate TLS signature algorithm identifiers.

Signed-off-by: Gabor Mezei
---
 library/ssl_misc.h | 17 ++++++++++++++---
 library/ssl_tls.c | 21 ++++++++++-----------
 library/ssl_tls12_server.c | 16 ++++++++++++----
 3 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 98cfebd5ce..4d5663a33c 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1120,9 +1120,20 @@ int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/* Find an entry in a signature-hash set matching a given hash algorithm. */
-mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_context *ssl,
- mbedtls_pk_type_t pk_alg );
+/**
+ * \brief Find the preferred hash for a given signature algorithm.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] sig_alg A signature algorithm identifier as defined in the
+ * TLS 1.2 SignatureAlgorithm enumeration.
+ *
+ * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
+ * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
+ */
+unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ mbedtls_ssl_context *ssl,
+ unsigned int sig_alg );
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3299159f60..ea1e6badac 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
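Review bot: The `\return` documentation for `mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg` does not say what comes back when no hash is available, although the implementation in ssl_tls.c returns `MBEDTLS_SSL_HASH_NONE` both for `MBEDTLS_SSL_SIG_ANON` and when no entry of the received signature_algorithms list matches, and every caller in ssl_tls12_server.c compares against exactly that value. Suggest extending the return paragraph with ` *         Returns #MBEDTLS_SSL_HASH_NONE if \p sig_alg is MBEDTLS_SSL_SIG_ANON or if none of the received signature algorithms uses \p sig_alg.` The function reads `ssl->handshake->received_sig_algs`, so a sentence stating that it may only be called while a handshake is in progress (when `ssl->handshake` is valid) would also help callers.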
@@ -7653,25 +7653,24 @@ exit:
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/* Find an entry in a signature-hash set matching a given sign algorithm. */
-mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_context *ssl,
- mbedtls_pk_type_t pk_alg )
+/* Find the preferred hash for a given signature algorithm. */
+unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ mbedtls_ssl_context *ssl,
+ unsigned int sig_alg )
 {
 unsigned int i;
- uint16_t sig_alg = mbedtls_ssl_sig_from_pk_alg( pk_alg );
- uint16_t *set = ssl->handshake->received_sig_algs;
- uint16_t invalid_sig_alg = MBEDTLS_TLS_SIG_NONE;
+ uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
 if( sig_alg == MBEDTLS_SSL_SIG_ANON )
- return( MBEDTLS_MD_NONE );
+ return( MBEDTLS_SSL_HASH_NONE );
- for( i = 0; set[i] != invalid_sig_alg; i++ )
+ for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
 {
- if( sig_alg == MBEDTLS_SSL_SIG_FROM_SIG_ALG( set[i] ) )
- return MBEDTLS_SSL_HASH_FROM_SIG_ALG( set[i] );
+ if( sig_alg == MBEDTLS_SSL_SIG_FROM_SIG_ALG( received_sig_algs[i] ) )
+ return MBEDTLS_SSL_HASH_FROM_SIG_ALG( received_sig_algs[i] );
 }
- return( MBEDTLS_MD_NONE );
+ return( MBEDTLS_SSL_HASH_NONE );
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 14dc8e1f72..449b63570a 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
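Review bot: The loop `for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )` is bounded only by a sentinel and never by the capacity of `ssl->handshake->received_sig_algs`, so its memory safety rests on whoever fills that array always leaving room for the `MBEDTLS_TLS_SIG_NONE` terminator; that invariant is presumably enforced by the signature_algorithms extension parser, but it is not visible here and deserves a comment above the loop such as `/* received_sig_algs is terminated by MBEDTLS_TLS_SIG_NONE; the extension parser guarantees the terminator fits. */`. The function also dereferences `ssl->handshake` unconditionally, which restricts it to handshake-time callers — worth stating in the header comment rather than leaving implicit. As a style point, `return MBEDTLS_SSL_HASH_FROM_SIG_ALG( received_sig_algs[i] );` is the only return in the function written without the `return( ... )` parentheses used by the other two returns.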
@@ -988,7 +988,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
 * a suitable hash algorithm is present. */
 sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
 if( sig_type != MBEDTLS_PK_NONE &&
- mbedtls_ssl_sig_hash_set_find( ssl, sig_type ) == MBEDTLS_MD_NONE )
+ mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
 {
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
 "for signature algorithm %u", (unsigned) sig_type ) );
@@ -1810,7 +1811,9 @@ have_ciphersuite:
 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
 if( sig_alg != MBEDTLS_PK_NONE )
 {
- mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( ssl, sig_alg );
+ unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
+ mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
 mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
 }
@@ -3175,14 +3178,19 @@ curve_matching_done:
 * to choose appropriate hash. */
- mbedtls_md_type_t md_alg;
 mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+ unsigned int sig_hash =
+ mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
+
+ mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
+
 /* For TLS 1.2, obey signature-hash-algorithm extension
 * (RFC 5246, Sec. 7.4.1.4.1). */
 if( sig_alg == MBEDTLS_PK_NONE ||
- ( md_alg = mbedtls_ssl_sig_hash_set_find( ssl, sig_alg ) ) == MBEDTLS_MD_NONE )
+ md_alg == MBEDTLS_MD_NONE )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
 /* (... because we choose a cipher suite
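Review bot: The conversion chain `mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) )` in ssl_ciphersuite_match is repeated in the same form at the `have_ciphersuite:` and `curve_matching_done:` hunks of this file, each converting a `mbedtls_pk_type_t` to a TLS SignatureAlgorithm inline before the lookup. A file-local helper, e.g. `static unsigned int ssl_preferred_hash_for_pk_alg( mbedtls_ssl_context *ssl, mbedtls_pk_type_t pk_alg )` wrapping those two calls, would keep the pk-to-TLS mapping in one place and make the three call sites read the same. This is a style point only; the three expressions are equivalent as written.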
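Review bot: In the `have_ciphersuite:` hunk, `md_alg` is derived from `sig_hash` with `mbedtls_ssl_md_alg_from_hash` only to be converted straight back by `mbedtls_ssl_hash_from_md_alg( md_alg )` in the debug message on the next line, so the TLS HashAlgorithm value is round-tripped through `mbedtls_md_type_t` for no effect. Since `sig_hash` already holds the identifier being printed, the block can drop `md_alg` and log `MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %u", sig_hash ) );` (format `%u` because `sig_hash` is `unsigned int`). This assumes the two conversions are exact inverses for every value the lookup can return; if `mbedtls_ssl_md_alg_from_hash` collapses unknown identifiers to `MBEDTLS_MD_NONE`, the logged value would differ for those, so confirm before changing it.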