Merge pull request #5785 from gabor-mezei-arm/5460_unify_parsing_sig_alg_ext
Unify parsing of the signature algorithms extension in TLS 1.2 and TLS 1.3
CI ABI API check job failure is expected as the PR do some changes in ssl_misc.h.
@RcColes if you eventually want to request some changes, they can be done in a follow-up PR.
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ce41a45..6f9100b 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -243,6 +243,18 @@
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
+#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
+#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
/*
* Check that we obey the standard's message size bounds
*/
@@ -423,24 +435,6 @@
extern "C" {
#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/*
- * Abstraction for a grid of allowed signature-hash-algorithm pairs.
- */
-struct mbedtls_ssl_sig_hash_set_t
-{
- /* At the moment, we only need to remember a single suitable
- * hash algorithm per signature algorithm. As long as that's
- * the case - and we don't need a general lookup function -
- * we can implement the sig-hash-set as a map from signatures
- * to hash algorithms. */
- mbedtls_md_type_t rsa;
- mbedtls_md_type_t ecdsa;
-};
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
- MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@@ -594,13 +588,7 @@
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
#endif
@@ -1115,24 +1103,21 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/* Find an entry in a signature-hash set matching a given hash algorithm. */
-mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
- mbedtls_pk_type_t sig_alg );
-/* Add a signature-hash-pair to a signature-hash set */
-void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
- mbedtls_pk_type_t sig_alg,
- mbedtls_md_type_t md_alg );
-/* Allow exactly one hash algorithm for each signature. */
-void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
- mbedtls_md_type_t md_alg );
+/**
+ * \brief Find the preferred hash for a given signature algorithm.
+ *
+ * \param[in] ssl SSL context
+ * \param[in] sig_alg A signature algorithm identifier as defined in the
+ * TLS 1.2 SignatureAlgorithm enumeration.
+ *
+ * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
+ * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
+ */
+unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ mbedtls_ssl_context *ssl,
+ unsigned int sig_alg );
-/* Setup an empty signature-hash set */
-static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
-{
- mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/**
@@ -1804,11 +1789,11 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
- * Parse TLS 1.3 Signature Algorithm extension
+ * Parse TLS Signature Algorithm extension
*/
-int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end );
+int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* Get handshake transcript */
@@ -1954,7 +1939,7 @@
if( sig_alg == NULL )
return( 0 );
- for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{
if( *sig_alg == own_sig_alg )
return( 1 );
@@ -1970,7 +1955,7 @@
if( sig_alg == NULL )
return( 0 );
- for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{
if( *sig_alg == proposed_sig_alg )
return( 1 );
@@ -2152,19 +2137,6 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
-#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
- (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
-#elif defined(MBEDTLS_ECDSA_C)
-#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
-#elif defined(MBEDTLS_RSA_C)
-#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
-#else
-#define MBEDTLS_SSL_SIG_ALG( hash )
-#endif /* MBEDTLS_ECDSA_C && MBEDTLS_RSA_C */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
* Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a1a0003..8d6d379 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -616,11 +616,6 @@
handshake->update_checksum = ssl_update_checksum_start;
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
-#endif
-
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_init( &handshake->dhm_ctx );
#endif
@@ -852,7 +847,7 @@
p++;
#endif
}
- *p = MBEDTLS_TLS1_3_SIG_NONE;
+ *p = MBEDTLS_TLS_SIG_NONE;
ssl->handshake->sig_algs_heap_allocated = 1;
}
else
@@ -4143,22 +4138,37 @@
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
- MBEDTLS_TLS1_3_SIG_NONE
+ MBEDTLS_TLS_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SHA512_C)
- MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
+#if defined(MBEDTLS_ECDSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512 ),
+#endif
+#endif /* MBEDTLS_SHA512_C */
#if defined(MBEDTLS_SHA384_C)
- MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
+#if defined(MBEDTLS_ECDSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
+#endif
+#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C)
- MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
+#if defined(MBEDTLS_ECDSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
- MBEDTLS_TLS1_3_SIG_NONE
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
+#endif
+#endif /* MBEDTLS_SHA256_C */
+ MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* NOTICE: see above */
@@ -4184,19 +4194,29 @@
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
- MBEDTLS_TLS1_3_SIG_NONE
+ MBEDTLS_TLS_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SHA256_C)
- MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
+#if defined(MBEDTLS_ECDSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
+#endif
+#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
- MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
+#if defined(MBEDTLS_ECDSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
- MBEDTLS_TLS1_3_SIG_NONE
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
+#endif
+#endif /* MBEDTLS_SHA256_C */
+ MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@@ -4220,7 +4240,7 @@
size_t i, j;
int ret = 0;
- for( i = 0; sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++ )
+ for( i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{
for( j = 0; j < i; j++ )
{
@@ -4852,6 +4872,109 @@
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+/* mbedtls_ssl_parse_sig_alg_ext()
+ *
+ * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
+ * value (TLS 1.3 RFC8446):
+ * enum {
+ * ....
+ * ecdsa_secp256r1_sha256( 0x0403 ),
+ * ecdsa_secp384r1_sha384( 0x0503 ),
+ * ecdsa_secp521r1_sha512( 0x0603 ),
+ * ....
+ * } SignatureScheme;
+ *
+ * struct {
+ * SignatureScheme supported_signature_algorithms<2..2^16-2>;
+ * } SignatureSchemeList;
+ *
+ * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
+ * value (TLS 1.2 RFC5246):
+ * enum {
+ * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+ * sha512(6), (255)
+ * } HashAlgorithm;
+ *
+ * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+ * SignatureAlgorithm;
+ *
+ * struct {
+ * HashAlgorithm hash;
+ * SignatureAlgorithm signature;
+ * } SignatureAndHashAlgorithm;
+ *
+ * SignatureAndHashAlgorithm
+ * supported_signature_algorithms<2..2^16-2>;
+ *
+ * The TLS 1.3 signature algorithm extension was defined to be a compatible
+ * generalization of the TLS 1.2 signature algorithm extension.
+ * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
+ * `SignatureScheme` field of TLS 1.3
+ *
+ */
+int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ const unsigned char *p = buf;
+ size_t supported_sig_algs_len = 0;
+ const unsigned char *supported_sig_algs_end;
+ uint16_t sig_alg;
+ uint32_t common_idx = 0;
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
+ supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
+ p += 2;
+
+ memset( ssl->handshake->received_sig_algs, 0,
+ sizeof(ssl->handshake->received_sig_algs) );
+
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
+ supported_sig_algs_end = p + supported_sig_algs_len;
+ while( p < supported_sig_algs_end )
+ {
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
+ sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
+ p += 2;
+
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
+ sig_alg ) );
+
+ if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
+ ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
+ continue;
+
+ if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
+ {
+ ssl->handshake->received_sig_algs[common_idx] = sig_alg;
+ common_idx += 1;
+ }
+ }
+ /* Check that we consumed all the message. */
+ if( p != end )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "Signature algorithms extension length misaligned" ) );
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ }
+
+ if( common_idx == 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
+
+ ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
+ return( 0 );
+}
+
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -7555,49 +7678,26 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/* Find an entry in a signature-hash set matching a given hash algorithm. */
-mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
- mbedtls_pk_type_t sig_alg )
+/* Find the preferred hash for a given signature algorithm. */
+unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ mbedtls_ssl_context *ssl,
+ unsigned int sig_alg )
{
- switch( sig_alg )
+ unsigned int i;
+ uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
+
+ if( sig_alg == MBEDTLS_SSL_SIG_ANON )
+ return( MBEDTLS_SSL_HASH_NONE );
+
+ for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{
- case MBEDTLS_PK_RSA:
- return( set->rsa );
- case MBEDTLS_PK_ECDSA:
- return( set->ecdsa );
- default:
- return( MBEDTLS_MD_NONE );
+ if( sig_alg == MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
+ received_sig_algs[i] ) )
+ return( MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
+ received_sig_algs[i] ) );
}
-}
-/* Add a signature-hash-pair to a signature-hash set */
-void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
- mbedtls_pk_type_t sig_alg,
- mbedtls_md_type_t md_alg )
-{
- switch( sig_alg )
- {
- case MBEDTLS_PK_RSA:
- if( set->rsa == MBEDTLS_MD_NONE )
- set->rsa = md_alg;
- break;
-
- case MBEDTLS_PK_ECDSA:
- if( set->ecdsa == MBEDTLS_MD_NONE )
- set->ecdsa = md_alg;
- break;
-
- default:
- break;
- }
-}
-
-/* Allow exactly one hash algorithm for each signature. */
-void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
- mbedtls_md_type_t md_alg )
-{
- set->rsa = md_alg;
- set->ecdsa = md_alg;
+ return( MBEDTLS_SSL_HASH_NONE );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 590c874..d092633 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -209,96 +209,6 @@
return( 0 );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-/*
- * Status of the implementation of signature-algorithms extension:
- *
- * Currently, we are only considering the signature-algorithm extension
- * to pick a ciphersuite which allows us to send the ServerKeyExchange
- * message with a signature-hash combination that the user allows.
- *
- * We do *not* check whether all certificates in our certificate
- * chain are signed with an allowed signature-hash pair.
- * This needs to be done at a later stage.
- *
- */
-static int ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- size_t len )
-{
- size_t sig_alg_list_size;
-
- const unsigned char *p;
- const unsigned char *end = buf + len;
-
- mbedtls_md_type_t md_cur;
- mbedtls_pk_type_t sig_cur;
-
- if ( len < 2 ) {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
- sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
- if( sig_alg_list_size + 2 != len ||
- sig_alg_list_size % 2 != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- /* Currently we only guarantee signing the ServerKeyExchange message according
- * to the constraints specified in this extension (see above), so it suffices
- * to remember only one suitable hash for each possible signature algorithm.
- *
- * This will change when we also consider certificate signatures,
- * in which case we will need to remember the whole signature-hash
- * pair list from the extension.
- */
-
- for( p = buf + 2; p < end; p += 2 )
- {
- /* Silently ignore unknown signature or hash algorithms. */
-
- if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
- " unknown sig alg encoding %d", p[1] ) );
- continue;
- }
-
- /* Check if we support the hash the user proposes */
- md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
- if( md_cur == MBEDTLS_MD_NONE )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
- " unknown hash alg encoding %d", p[0] ) );
- continue;
- }
-
- if( mbedtls_ssl_sig_alg_is_offered(
- ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) )
- {
- mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
- " match sig %u and hash %u",
- (unsigned) sig_cur, (unsigned) md_cur ) );
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
- "hash alg %u not supported", (unsigned) md_cur ) );
- }
- }
-
- return( 0 );
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
@@ -1078,7 +988,8 @@
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE &&
- mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
+ mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
"for signature algorithm %u", (unsigned) sig_type ) );
@@ -1593,7 +1504,7 @@
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
- ret = ssl_parse_sig_alg_ext( ssl, ext + 4, ext_size );
+ ret = mbedtls_ssl_parse_sig_alg_ext( ssl, ext + 4, ext + 4 + ext_size );
if( ret != 0 )
return( ret );
@@ -1717,18 +1628,27 @@
* Try to fall back to default hash SHA1 if the client
* hasn't provided any preferred signature-hash combinations.
*/
- if( sig_hash_alg_ext_present == 0 )
+ if( ! sig_hash_alg_ext_present )
{
- uint16_t sig_algs[] = { MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1) };
- mbedtls_md_type_t md_default = MBEDTLS_MD_NONE;
- for( i = 0; i < sizeof( sig_algs ) / sizeof( sig_algs[0] ) ; i++ )
- {
- if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_algs[ i ] ) )
- md_default = MBEDTLS_MD_SHA1;
- }
+ uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
+ const uint16_t default_sig_algs[] = {
+#if defined(MBEDTLS_ECDSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA,
+ MBEDTLS_SSL_HASH_SHA1 ),
+#endif
+#if defined(MBEDTLS_RSA_C)
+ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA,
+ MBEDTLS_SSL_HASH_SHA1 ),
+#endif
+ MBEDTLS_TLS_SIG_NONE
+ };
- mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs,
- md_default );
+#if defined(static_assert)
+ static_assert( sizeof( default_sig_algs ) / sizeof( default_sig_algs[0] ) <=
+ MBEDTLS_RECEIVED_SIG_ALGS_SIZE, "default_sig_algs is too big" );
+#endif
+
+ memcpy( received_sig_algs, default_sig_algs, sizeof( default_sig_algs ) );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@@ -1889,10 +1809,10 @@
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
if( sig_alg != MBEDTLS_PK_NONE )
{
- mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
- sig_alg );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
- mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
+ unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %u",
+ sig_hash ) );
}
else
{
@@ -2728,7 +2648,7 @@
if( sig_alg == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
- for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{
unsigned char hash = MBEDTLS_BYTE_1( *sig_alg );
@@ -3255,15 +3175,18 @@
* to choose appropriate hash.
*/
- mbedtls_md_type_t md_alg;
mbedtls_pk_type_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+ unsigned int sig_hash =
+ mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
+ ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
+
+ mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
+
/* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */
- if( sig_alg == MBEDTLS_PK_NONE ||
- ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
- sig_alg ) ) == MBEDTLS_MD_NONE )
+ if( sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
/* (... because we choose a cipher suite
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 320c5b4..305ac00 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1612,8 +1612,8 @@
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3,
( "found signature algorithms extension" ) );
- ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
- p + extension_data_len );
+ ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
+ p + extension_data_len );
if( ret != 0 )
return( ret );
if( ! sig_alg_ext_found )
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 9de9d6d..f5e38ab 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -80,80 +80,6 @@
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/* mbedtls_ssl_tls13_parse_sig_alg_ext()
- *
- * enum {
- * ....
- * ecdsa_secp256r1_sha256( 0x0403 ),
- * ecdsa_secp384r1_sha384( 0x0503 ),
- * ecdsa_secp521r1_sha512( 0x0603 ),
- * ....
- * } SignatureScheme;
- *
- * struct {
- * SignatureScheme supported_signature_algorithms<2..2^16-2>;
- * } SignatureSchemeList;
- */
-int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end )
-{
- const unsigned char *p = buf;
- size_t supported_sig_algs_len = 0;
- const unsigned char *supported_sig_algs_end;
- uint16_t sig_alg;
- uint32_t common_idx = 0;
-
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
- supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
- p += 2;
-
- memset( ssl->handshake->received_sig_algs, 0,
- sizeof(ssl->handshake->received_sig_algs) );
-
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
- supported_sig_algs_end = p + supported_sig_algs_len;
- while( p < supported_sig_algs_end )
- {
- MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
- sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
- p += 2;
-
- MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
- sig_alg ) );
-
- if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
- ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
- continue;
-
- if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
- {
- ssl->handshake->received_sig_algs[common_idx] = sig_alg;
- common_idx += 1;
- }
- }
- /* Check that we consumed all the message. */
- if( p != end )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "Signature algorithms extension length misaligned" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
- MBEDTLS_ERR_SSL_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
- }
-
- if( common_idx == 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
- MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
- return( 0 );
-}
-
/*
* STATE HANDLING: Read CertificateVerify
*/
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index ca19908..769ed48 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -651,7 +651,7 @@
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
- ret = mbedtls_ssl_tls13_parse_sig_alg_ext(
+ ret = mbedtls_ssl_parse_sig_alg_ext(
ssl, p, extension_data_end );
if( ret != 0 )
{