Merge pull request #5916 from yuhaoth/pr/tls13-refactor-get-sig-alg-from-pk

Refactor signature algorithm chooser
2022-07-04 09:10:08 +02:00 · 2022-07-04 09:10:08 +02:00 · 0e39ece23f
commit 0e39ece23f
parent 7c6b0e4464 7ac0d498de
9 changed files with 624 additions and 309 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -1925,8 +1925,12 @@ static inline const void *mbedtls_ssl_get_sig_algs(
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)

 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
-    if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
+    if( ssl->handshake != NULL &&
+        ssl->handshake->sig_algs_heap_allocated == 1 &&
+        ssl->handshake->sig_algs != NULL )
+    {
        return( ssl->handshake->sig_algs );
+    }
 #endif
    return( ssl->conf->sig_algs );

@ -1972,97 +1976,177 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
    return( 0 );
 }

-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
    uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
 {
-    *pk_type = MBEDTLS_PK_NONE;
-    *md_alg = MBEDTLS_MD_NONE;
+    *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
+    *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
+
+    if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
+        return( 0 );

    switch( sig_alg )
    {
-#if defined(MBEDTLS_ECDSA_C)
-
-#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
-            *md_alg = MBEDTLS_MD_SHA256;
-            *pk_type = MBEDTLS_PK_ECDSA;
-            break;
-#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
-            *md_alg = MBEDTLS_MD_SHA384;
-            *pk_type = MBEDTLS_PK_ECDSA;
-            break;
-#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-
-#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
-            *md_alg = MBEDTLS_MD_SHA512;
-            *pk_type = MBEDTLS_PK_ECDSA;
-            break;
-#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
-
-#endif /* MBEDTLS_ECDSA_C */
-
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-
+#if defined(MBEDTLS_PKCS1_V21)
 #if defined(MBEDTLS_SHA256_C)
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
            *md_alg = MBEDTLS_MD_SHA256;
            *pk_type = MBEDTLS_PK_RSASSA_PSS;
            break;
 #endif /* MBEDTLS_SHA256_C  */
-
 #if defined(MBEDTLS_SHA384_C)
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
            *md_alg = MBEDTLS_MD_SHA384;
            *pk_type = MBEDTLS_PK_RSASSA_PSS;
            break;
 #endif /* MBEDTLS_SHA384_C */
-
 #if defined(MBEDTLS_SHA512_C)
        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
            *md_alg = MBEDTLS_MD_SHA512;
            *pk_type = MBEDTLS_PK_RSASSA_PSS;
            break;
 #endif /* MBEDTLS_SHA512_C */
-
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
-
-#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
-
-#if defined(MBEDTLS_SHA256_C)
-        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
-            *md_alg = MBEDTLS_MD_SHA256;
-            *pk_type = MBEDTLS_PK_RSA;
-            break;
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA384_C)
-        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
-            *md_alg = MBEDTLS_MD_SHA384;
-            *pk_type = MBEDTLS_PK_RSA;
-            break;
-#endif /* MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_SHA512_C)
-        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
-            *md_alg = MBEDTLS_MD_SHA512;
-            *pk_type = MBEDTLS_PK_RSA;
-            break;
-#endif /* MBEDTLS_SHA512_C */
-
-#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
-
+#endif /* MBEDTLS_PKCS1_V21 */
            default:
                return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
        }
        return( 0 );
 }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+                                                    const uint16_t sig_alg )
+{
+    switch( sig_alg )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
+            break;
+#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
+            break;
+#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+        case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
+            break;
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_PKCS1_V21)
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+            break;
+#endif /* MBEDTLS_SHA256_C  */
+#if defined(MBEDTLS_SHA384_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+            break;
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+            break;
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V21 */
+        default:
+            return( 0 );
+    }
+    return( 1 );
+
+}
+
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+                                                    const uint16_t sig_alg )
+{
+    switch( sig_alg )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+            break;
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA384_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+            break;
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+            break;
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V15 */
+        default:
+            return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+                                                                    sig_alg ) );
+    }
+    return( 1 );
+}
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
+                                                    const uint16_t sig_alg )
+{
+    /* High byte is hash */
+    unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
+    unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
+
+    switch( hash )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            break;
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            break;
+#endif
+
+#if defined(MBEDTLS_SHA224_C)
+        case MBEDTLS_SSL_HASH_SHA224:
+            break;
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA256:
+            break;
+#endif
+
+#if defined(MBEDTLS_SHA384_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            break;
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA512:
+            break;
+#endif
+
+        default:
+            return( 0 );
+    }
+
+    switch( sig )
+    {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_SSL_SIG_RSA:
+            break;
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_SSL_SIG_ECDSA:
+            break;
+#endif
+
+    default:
+        return( 0 );
+    }
+
+    return( 1 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
 static inline int mbedtls_ssl_sig_alg_is_supported(
                                                const mbedtls_ssl_context *ssl,
                                                const uint16_t sig_alg )
@ -2071,79 +2155,28 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
    {
-        /* High byte is hash */
-        unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
-        unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
-
-        switch( hash )
-        {
-#if defined(MBEDTLS_MD5_C)
-            case MBEDTLS_SSL_HASH_MD5:
-                break;
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
-            case MBEDTLS_SSL_HASH_SHA1:
-                break;
-#endif
-
-#if defined(MBEDTLS_SHA224_C)
-            case MBEDTLS_SSL_HASH_SHA224:
-                break;
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-            case MBEDTLS_SSL_HASH_SHA256:
-                break;
-#endif
-
-#if defined(MBEDTLS_SHA384_C)
-            case MBEDTLS_SSL_HASH_SHA384:
-                break;
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
-            case MBEDTLS_SSL_HASH_SHA512:
-                break;
-#endif
-
-            default:
-                return( 0 );
-        }
-
-        switch( sig )
-        {
-#if defined(MBEDTLS_RSA_C)
-            case MBEDTLS_SSL_SIG_RSA:
-                break;
-#endif
-
-#if defined(MBEDTLS_ECDSA_C)
-            case MBEDTLS_SSL_SIG_ECDSA:
-                break;
-#endif
-
-        default:
-            return( 0 );
-        }
-
-        return( 1 );
+        return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) );
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
    if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
    {
-        mbedtls_pk_type_t pk_type;
-        mbedtls_md_type_t md_alg;
-        return( ! mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
-                                                sig_alg, &pk_type, &md_alg ) );
+       return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
    ((void) ssl);
    ((void) sig_alg);
    return( 0 );
 }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
+                                                    mbedtls_pk_context *key );
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
@ -2279,10 +2312,6 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
                                       const unsigned char *end );
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
-                                           mbedtls_pk_context *own_key,
-                                           uint16_t *algorithm );
-
 #if defined(MBEDTLS_SSL_ALPN)
 int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
                                const unsigned char *buf,
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -853,10 +853,9 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
    else
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
    {
-        ssl->handshake->sig_algs = ssl->conf->sig_algs;
        ssl->handshake->sig_algs_heap_allocated = 0;
    }
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
    return( 0 );
 }
@ -4027,28 +4026,6 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
    memset( conf, 0, sizeof( mbedtls_ssl_config ) );
 }

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/* The selection should be the same as mbedtls_x509_crt_profile_default in
- * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
- * for no fundamental reason.
- * See the documentation of mbedtls_ssl_conf_curves() for what we promise
- * about this list. */
-static int ssl_preset_default_hashes[] = {
-#if defined(MBEDTLS_SHA512_C)
-    MBEDTLS_MD_SHA512,
-#endif
-#if defined(MBEDTLS_SHA384_C)
-    MBEDTLS_MD_SHA384,
-#endif
-#if defined(MBEDTLS_SHA256_C)
-    MBEDTLS_MD_SHA256,
-#endif
-    MBEDTLS_MD_NONE
-};
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
 /* The selection should be the same as mbedtls_x509_crt_profile_default in
 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
 * curves with a lower resource usage come first.
@ -4090,17 +4067,6 @@ static int ssl_preset_suiteb_ciphersuites[] = {
 };

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-static int ssl_preset_suiteb_hashes[] = {
-#if defined(MBEDTLS_SHA256_C)
-    MBEDTLS_MD_SHA256,
-#endif
-#if defined(MBEDTLS_SHA384_C)
-    MBEDTLS_MD_SHA384,
-#endif
-    MBEDTLS_MD_NONE
-};
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */

 /* NOTICE:
 *   For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
@ -4109,6 +4075,13 @@ static int ssl_preset_suiteb_hashes[] = {
 *   - But if there is a good reason, do not change the order of the algorithms.
 *   - ssl_tls12_present* is for TLS 1.2 use only.
 *   - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
+ *
+ *   When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
+ *   declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
+ *   `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
+ *   the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
+ *   for its signature in the key exchange message. As Mbed TLS 1.2 does not
+ *   support them, the handshake fails.
 */
 static uint16_t ssl_preset_default_sig_algs[] = {

@ -4130,10 +4103,6 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
          MBEDTLS_ECP_DP_SECP521R1_ENABLED */

-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
-    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
-#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
-
 #if defined(MBEDTLS_RSA_C) &&  defined(MBEDTLS_SHA512_C)
    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
@ -4146,6 +4115,18 @@ static uint16_t ssl_preset_default_sig_algs[] = {
    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */

+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA512_C)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA384_C)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
+
    MBEDTLS_TLS_SIG_NONE
 };

@ -4429,9 +4410,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-            conf->sig_hashes = ssl_preset_suiteb_hashes;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( mbedtls_ssl_conf_is_tls12_only( conf ) )
                conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
@ -4458,9 +4436,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-            conf->sig_hashes = ssl_preset_default_hashes;
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( mbedtls_ssl_conf_is_tls12_only( conf ) )
                conf->sig_algs = ssl_tls12_preset_default_sig_algs;
@ -4945,13 +4920,20 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
        MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
        sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
        p += 2;
-
-        MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
-                                    sig_alg ) );
-
-        if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
-            ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x %s",
+                                    sig_alg,
+                                    mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
+            ( ! ( mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) &&
+                  mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ) ) )
+        {
            continue;
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "valid signature algorithm: %s",
+                                    mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );

        if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
        {
@ -8189,12 +8171,17 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,

    for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "got signature scheme [%x] %s",
+                                    *sig_alg,
+                                    mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
        if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
            continue;
        MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
        MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
        p += 2;
-        MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "sent signature scheme [%x] %s",
+                                    *sig_alg,
+                                    mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
    }

    /* Length of supported_signature_algorithms */
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -850,120 +850,84 @@ cleanup:
 /*
 * STATE HANDLING: Output Certificate Verify
 */
-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
-                                           mbedtls_pk_context *own_key,
-                                           uint16_t *algorithm )
-{
-    mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
-    /* Determine the size of the key */
-    size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
-    *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
-    ((void) own_key_size);

-    switch( sig )
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
+                                                    mbedtls_pk_context *key )
+{
+    mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk( key );
+    size_t key_size = mbedtls_pk_get_bitlen( key );
+
+    switch( pk_type )
    {
-#if defined(MBEDTLS_ECDSA_C)
        case MBEDTLS_SSL_SIG_ECDSA:
-            switch( own_key_size )
+            switch( key_size )
            {
                case 256:
-                    *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
-                    return( 0 );
+                    return(
+                        sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 );
+
                case 384:
-                    *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
-                    return( 0 );
+                    return(
+                        sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 );
+
                case 521:
-                    *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
-                    return( 0 );
+                    return(
+                        sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 );
                default:
-                    MBEDTLS_SSL_DEBUG_MSG( 3,
-                                           ( "unknown key size: %"
-                                             MBEDTLS_PRINTF_SIZET " bits",
-                                             own_key_size ) );
                    break;
            }
            break;
-#endif /* MBEDTLS_ECDSA_C */

-#if defined(MBEDTLS_RSA_C)
        case MBEDTLS_SSL_SIG_RSA:
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_SHA256_C)
-            if( own_key_size <= 2048 &&
-                mbedtls_ssl_sig_alg_is_received( ssl,
-                                    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
+            switch( sig_alg )
            {
-                *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
-                return( 0 );
-            }
-            else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
-            if( own_key_size <= 3072 &&
-                mbedtls_ssl_sig_alg_is_received( ssl,
-                                    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
-            {
-                *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
-                return( 0 );
-            }
-            else
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
-            if( own_key_size <= 4096 &&
-                mbedtls_ssl_sig_alg_is_received( ssl,
-                                    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
-            {
-                *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
-                return( 0 );
-            }
-            else
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V21 */
-#if defined(MBEDTLS_PKCS1_V15)
-#if defined(MBEDTLS_SHA256_C)
-            if( own_key_size <= 2048 &&
-                mbedtls_ssl_sig_alg_is_received( ssl,
-                                    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
-            {
-                *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
-                return( 0 );
-            }
-            else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
-            if( own_key_size <= 3072 &&
-                mbedtls_ssl_sig_alg_is_received( ssl,
-                                    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
-            {
-                *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
-                return( 0 );
-            }
-            else
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
-            if( own_key_size <= 4096 &&
-                mbedtls_ssl_sig_alg_is_received( ssl,
-                                    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
-            {
-                *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
-                return( 0 );
-            }
-            else
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V15 */
-            {
-                MBEDTLS_SSL_DEBUG_MSG( 3,
-                                       ( "unknown key size: %"
-                                         MBEDTLS_PRINTF_SIZET " bits",
-                                         own_key_size ) );
+                case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+                    return( key_size <= 3072 );
+
+                case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+                    return( key_size <= 7680 );
+
+                case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+                    return( 1 );
+
+                default:
+                    break;
            }
            break;
-#endif /* MBEDTLS_RSA_C */
+
        default:
-            MBEDTLS_SSL_DEBUG_MSG( 1,
-                                   ( "unknown signature type : %u", sig ) );
            break;
    }
+
+    return( 0 );
+}
+
+static int ssl_tls13_select_sig_alg_for_certificate_verify(
+                                          mbedtls_ssl_context *ssl,
+                                          mbedtls_pk_context *own_key,
+                                          uint16_t *algorithm )
+{
+    uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+
+    *algorithm = MBEDTLS_TLS1_3_SIG_NONE;
+    for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
+    {
+        if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) &&
+            mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( *sig_alg ) &&
+            mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                                   ( "select_sig_alg_for_certificate_verify:"
+                                     "selected signature algorithm %s [%04x]",
+                                     mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+                                     *sig_alg ) );
+            *algorithm = *sig_alg;
+            return( 0 );
+        }
+    }
+    MBEDTLS_SSL_DEBUG_MSG( 2,
+                           ( "select_sig_alg_for_certificate_verify:"
+                             "no suitable signature algorithm found" ) );
    return( -1 );
 }

@ -1020,8 +984,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
     *    opaque signature<0..2^16-1>;
     *  } CertificateVerify;
     */
-    ret = mbedtls_ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
-    if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
+    ret = ssl_tls13_select_sig_alg_for_certificate_verify( ssl, own_key,
+                                                           &algorithm );
+    if( ret != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1,
                    ( "signature algorithm not in received or offered list." ) );
@ -1034,6 +999,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
    }

+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "CertificateVerify with %s",
+                                mbedtls_ssl_sig_alg_to_str( algorithm )) );
+
    if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
                                        algorithm, &pk_type, &md_alg ) != 0 )
    {
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -352,7 +352,6 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
 {
    mbedtls_ssl_key_cert *key_cert, *key_cert_list;
    const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
-    uint16_t key_sig_alg;

 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
    if( ssl->handshake->sni_key_cert != NULL )
@ -372,7 +371,6 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
        for( key_cert = key_cert_list; key_cert != NULL;
             key_cert = key_cert->next )
        {
-            int ret;
            MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
                                   key_cert->cert );

@ -391,13 +389,21 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
                continue;
            }

-            ret = mbedtls_ssl_tls13_get_sig_alg_from_pk(
-                    ssl, &key_cert->cert->pk, &key_sig_alg );
-            if( ret != 0 )
-                continue;
-            if( *sig_alg == key_sig_alg )
+            MBEDTLS_SSL_DEBUG_MSG( 3,
+                                   ( "ssl_tls13_pick_key_cert:"
+                                     "check signature algorithm %s [%04x]",
+                                     mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+                                     *sig_alg ) );
+            if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
+                                            *sig_alg, &key_cert->cert->pk ) )
            {
                ssl->handshake->key_cert = key_cert;
+                MBEDTLS_SSL_DEBUG_MSG( 3,
+                                       ( "ssl_tls13_pick_key_cert:"
+                                         "selected signature algorithm"
+                                         " %s [%04x]",
+                                         mbedtls_ssl_sig_alg_to_str( *sig_alg ),
+                                         *sig_alg ) );
                MBEDTLS_SSL_DEBUG_CRT(
                        3, "selected certificate (chain)",
                        ssl->handshake->key_cert->cert );
@ -406,6 +412,8 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
        }
    }

+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert:"
+                                "no suitable certificate found" ) );
    return( -1 );
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C &&