mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-01 04:20:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Rename and rewrite mbedtls_ssl_sig_hash_set_find function

Browse Source 
Rename `mbedtls_ssl_sig_hash_set_find` function to a suitable name
and rewrite to operate TLS signature algorithm identifiers.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
Gabor Mezei 2022-05-10 12:44:09 +02:00
parent 1226590c88
commit a3d016ce41
No known key found for this signature in database
GPG Key ID: 08AB7BB35012F877
3 changed files with 36 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
library/ssl_misc.h
View File

@ -1120,9 +1120,20 @@ int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Find an entry in a signature-hash set matching a given hash algorithm. */ /**
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_context *ssl, * \brief Find the preferred hash for a given signature algorithm.
mbedtls_pk_type_t pk_alg ); *
* \param[in] ssl SSL context
* \param[in] sig_alg A signature algorithm identifier as defined in the
* TLS 1.2 SignatureAlgorithm enumeration.
*
* \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
* identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
*/
unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_ssl_context *ssl,
unsigned int sig_alg );
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

21
library/ssl_tls.c
View File

@ -7653,25 +7653,24 @@ exit:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Find an entry in a signature-hash set matching a given sign algorithm. */ /* Find the preferred hash for a given signature algorithm. */
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_context *ssl, unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_pk_type_t pk_alg ) mbedtls_ssl_context *ssl,
unsigned int sig_alg )
{ {
unsigned int i; unsigned int i;
uint16_t sig_alg = mbedtls_ssl_sig_from_pk_alg( pk_alg ); uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
uint16_t *set = ssl->handshake->received_sig_algs;
uint16_t invalid_sig_alg = MBEDTLS_TLS_SIG_NONE;
if( sig_alg == MBEDTLS_SSL_SIG_ANON ) if( sig_alg == MBEDTLS_SSL_SIG_ANON )
return( MBEDTLS_MD_NONE ); return( MBEDTLS_SSL_HASH_NONE );
for( i = 0; set[i] != invalid_sig_alg; i++ ) for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{ {
if( sig_alg == MBEDTLS_SSL_SIG_FROM_SIG_ALG( set[i] ) ) if( sig_alg == MBEDTLS_SSL_SIG_FROM_SIG_ALG( received_sig_algs[i] ) )
return MBEDTLS_SSL_HASH_FROM_SIG_ALG( set[i] ); return MBEDTLS_SSL_HASH_FROM_SIG_ALG( received_sig_algs[i] );
} }
return( MBEDTLS_MD_NONE ); return( MBEDTLS_SSL_HASH_NONE );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

16
library/ssl_tls12_server.c
View File

@ -988,7 +988,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
* a suitable hash algorithm is present. */ * a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE && if( sig_type != MBEDTLS_PK_NONE &&
mbedtls_ssl_sig_hash_set_find( ssl, sig_type ) == MBEDTLS_MD_NONE ) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
"for signature algorithm %u", (unsigned) sig_type ) ); "for signature algorithm %u", (unsigned) sig_type ) );
@ -1810,7 +1811,9 @@ have_ciphersuite:
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
if( sig_alg != MBEDTLS_PK_NONE ) if( sig_alg != MBEDTLS_PK_NONE )
{ {
mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( ssl, sig_alg ); unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
} }
@ -3175,14 +3178,19 @@ curve_matching_done:
* to choose appropriate hash. * to choose appropriate hash.
*/ */
mbedtls_md_type_t md_alg;
mbedtls_pk_type_t sig_alg = mbedtls_pk_type_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
unsigned int sig_hash =
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
/* For TLS 1.2, obey signature-hash-algorithm extension /* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */ * (RFC 5246, Sec. 7.4.1.4.1). */
if( sig_alg == MBEDTLS_PK_NONE || if( sig_alg == MBEDTLS_PK_NONE ||
( md_alg = mbedtls_ssl_sig_hash_set_find( ssl, sig_alg ) ) == MBEDTLS_MD_NONE ) md_alg == MBEDTLS_MD_NONE )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
/* (... because we choose a cipher suite /* (... because we choose a cipher suite