replace check_sig_hash with is_offered
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 826879c..e411b70 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2595,7 +2595,6 @@
mbedtls_md_type_t *md_alg,
mbedtls_pk_type_t *pk_alg )
{
- ((void) ssl);
*md_alg = MBEDTLS_MD_NONE;
*pk_alg = MBEDTLS_PK_NONE;
@@ -2631,9 +2630,9 @@
}
/*
- * Check if the hash is acceptable
+ * Check if the signature algorithm is acceptable
*/
- if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
+ if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
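Review bot: The rejection branch still logs only the hash byte as `HashAlgorithm %d` via `*(p)[0]`, while the new condition rejects on the full 16-bit value read with `MBEDTLS_GET_UINT16_BE( *p, 0 )`. A handshake refused because of the signature half of the pair therefore produces a misleading log line. Logging the value that was actually compared would fix this, e.g. `( "server used signature algorithm %04x that was not offered", (unsigned) MBEDTLS_GET_UINT16_BE( *p, 0 ) ) );`. The two-byte read depends on a length check that is presumably earlier in the function, outside this hunk. The same holds for `MBEDTLS_GET_UINT16_BE( p, 0 )` in the ssl_srv.c hunk, and both are worth confirming.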
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a9e60d7..c7e24d1 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1845,6 +1845,23 @@
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
+ uint16_t proposed_sig_alg )
+{
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+ if( sig_alg == NULL )
+ return( 0 );
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ {
+ if( *sig_alg == proposed_sig_alg )
+ return( 1 );
+ }
+ return( 0 );
+}
+
+
static inline int mbedtls_ssl_sig_alg_is_supported(
const mbedtls_ssl_context *ssl,
const uint16_t sig_alg )
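Review bot: `mbedtls_ssl_sig_alg_is_offered` is added to a shared header without a comment, and its return convention (1 = in the list, 0 = not) is the reverse of the `mbedtls_ssl_check_sig_hash` calls it replaces, where 0 meant acceptable. A short header comment would make this explicit for later callers, e.g. `/* Return 1 if proposed_sig_alg is in the list returned by mbedtls_ssl_get_sig_algs(), 0 otherwise (also when that list is NULL). */`. The comment should also state that the loop relies on the list being terminated by `MBEDTLS_TLS1_3_SIG_NONE`, since an unterminated list would be read past its end. The helper now sits under `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED`, whereas the removed static copy in ssl_tls13_generic.c shows no guard in its hunk; whether every TLS 1.3 configuration defines that macro is not visible here.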
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 0de1177..f2f57b1 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -296,7 +296,8 @@
continue;
}
- if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+ if( mbedtls_ssl_sig_alg_is_offered(
+ ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) )
{
mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
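Review bot: On the server side the list consulted by `mbedtls_ssl_sig_alg_is_offered` is presumably the server's own configured list rather than anything the peer offered, and the match is now on the full (hash, signature) pair instead of the hash alone; neither is apparent from the call. A one-line comment above the condition would help, e.g. `/* Accept only pairs present in our configured signature algorithms. */`. The enclosing loop starts and ends outside this hunk.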
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 226f8e3..a87af94 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -209,21 +209,6 @@
*verify_buffer_len = idx;
}
-static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
- uint16_t proposed_sig_alg )
-{
- const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
- if( sig_alg == NULL )
- return( 0 );
-
- for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
- {
- if( *sig_alg == proposed_sig_alg )
- return( 1 );
- }
- return( 0 );
-}
-
static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end,
@@ -268,7 +253,7 @@
*
* Check if algorithm is an offered signature algorithm.
*/
- if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
+ if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
{
/* algorithm not in offered signature algorithms list */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "