Remember suitable hash function for any signature algorithm. This commit changes `ssl_parse_signature_algorithms_ext` to remember one suitable ( := supported by client and by our config ) hash algorithm per signature algorithm. It also modifies the ciphersuite checking function `ssl_ciphersuite_match` to refuse a suite if there is no suitable hash algorithm. Finally, it adds the corresponding entry to the ChangeLog.

commit: 7e5437a972e287d7ec3e4ee7379e55fdca7250b3 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Fri Apr 28 17:15:26 2017 +0100
committer: Hanno Becker <hanno.becker@arm.com> Mon May 15 11:50:11 2017 +0100
tree: 7835fc059f8af88158bb245de43382112d5602ec
parent: 1aa267cbc39316127e39cc7e63552e30a0a66764 [diff] [blame]
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 3b25182..c1a92d6 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c

@@ -1817,6 +1817,23 @@
             return( MBEDTLS_PK_NONE );
     }
 }
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
 #endif /* MBEDTLS_PK_C */
 
 #endif /* MBEDTLS_SSL_TLS_C */
commit	7e5437a972e287d7ec3e4ee7379e55fdca7250b3	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Fri Apr 28 17:15:26 2017 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Mon May 15 11:50:11 2017 +0100
tree	7835fc059f8af88158bb245de43382112d5602ec
parent	1aa267cbc39316127e39cc7e63552e30a0a66764 [diff] [blame]