From f55886a21777a9974fb01390c1cb3e6dba746cbe Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Sun, 19 Jun 2022 11:48:56 +0800
Subject: [PATCH] fix various issues
Signed-off-by: Jerry Yu
---
 library/ssl_tls.c | 7 -------
 library/ssl_tls13_generic.c | 8 +++++---
 library/ssl_tls13_server.c | 4 ++--
 tests/ssl-opt.sh | 2 +-
 4 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index eb5297df94..ec276fde44 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4412,9 +4412,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = NULL;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 if( mbedtls_ssl_conf_is_tls12_only( conf ) )
 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
@@ -4441,9 +4438,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
- conf->sig_hashes = NULL;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 if( mbedtls_ssl_conf_is_tls12_only( conf ) )
 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
@@ -8177,7 +8171,6 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
 p += 2;
-
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 738b278ab1..a488faf405 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -855,7 +855,8 @@ cleanup:
 * STATE HANDLING: Output Certificate Verify
 */
-static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
+static int ssl_tls13_select_sig_alg_for_certificate_verify(
+ mbedtls_ssl_context *ssl,
 mbedtls_pk_context *own_key,
 uint16_t *algorithm )
 {
@@ -935,8 +936,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
 * opaque signature<0..2^16-1>;
 * } CertificateVerify;
 */
- ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
- if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
+ ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key,
+ &algorithm );
+ if( ret != 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm not in received or offered list." ) );
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index e75a778d5a..a9ef6b4883 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -389,7 +389,6 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 continue;
 }
- MBEDTLS_SSL_DEBUG_MSG( 2,("Try get sig alg %04x",*sig_alg));
 if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match( ssl, *sig_alg, &key_cert->cert->pk ) )
 {
@@ -402,7 +401,8 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 }
 }
- MBEDTLS_SSL_DEBUG_MSG( 2,("No signature algorithm found"));
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert: "
+ "No signature algorithm found" ) );
 return( -1 );
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C &&
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 8de3728335..afabb64529 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1600,7 +1600,7 @@ requires_config_enabled MBEDTLS_SHA512_C # "signature_algorithm ext: 6"
 requires_config_enabled MBEDTLS_ECP_DP_CURVE25519_ENABLED
 run_test "Default" \
 "$P_SRV debug_level=3" \
- "$P_CLI debug_level=4" \
+ "$P_CLI" \
 0 \
 -s "Protocol is TLSv1.2" \
 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
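Review bot: The call site in ssl_tls13_write_certificate_verify_body (library/ssl_tls13_generic.c, hunk at -935) no longer tests `mbedtls_ssl_sig_alg_is_received( ssl, algorithm )`, and nothing in this patch shows the renamed helper taking that check over. The file's diffstat (+5/-3) is fully accounted for by the signature reflow and this call, so the helper body is unchanged here. If the helper does not already restrict its choice to schemes the peer listed in signature_algorithms, CertificateVerify could be signed with a scheme the peer never offered, and the retained debug text "signature algorithm not in received or offered list." would no longer describe the condition being tested. Either keep the guard, `if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )`, or state the guarantee on the helper with a comment such as `/* Returns 0 only if *algorithm is in the peer's signature_algorithms list. */`. The enclosing function starts and ends outside the hunk.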