eden-emu/mbedtls
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #5916 from yuhaoth/pr/tls13-refactor-get-sig-alg-from-pk

Browse source 
Refactor signature algorithm chooser
This commit is contained in:
Ronald Cron 2022-07-04 09:10:08 +02:00 committed by GitHub
commit 0e39ece23f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 624 additions and 309 deletions
Download patch file Download diff file Expand all files Collapse all files

281
library/ssl_misc.h
View file

@ -1925,8 +1925,12 @@ static inline const void *mbedtls_ssl_get_sig_algs(
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
if( ssl->handshake != NULL &&
ssl->handshake->sig_algs_heap_allocated == 1 &&
ssl->handshake->sig_algs != NULL )
{
return( ssl->handshake->sig_algs );
}
#endif
return( ssl->conf->sig_algs );
@ -1972,97 +1976,177 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
return( 0 );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
{
*pk_type = MBEDTLS_PK_NONE;
*md_alg = MBEDTLS_MD_NONE;
*pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
*md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
return( 0 );
switch( sig_alg )
{
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
#if defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSA;
break;
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSA;
break;
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSA;
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
#endif /* MBEDTLS_PKCS1_V21 */
default:
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
return( 0 );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
const uint16_t sig_alg )
{
switch( sig_alg )
{
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
break;
#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
break;
#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
break;
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
break;
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
break;
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_PKCS1_V21 */
default:
return( 0 );
}
return( 1 );
}
static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
const uint16_t sig_alg )
{
switch( sig_alg )
{
#if defined(MBEDTLS_PKCS1_V15)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
break;
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_PKCS1_V15 */
default:
return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
sig_alg ) );
}
return( 1 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
const uint16_t sig_alg )
{
/* High byte is hash */
unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
switch( hash )
{
#if defined(MBEDTLS_MD5_C)
case MBEDTLS_SSL_HASH_MD5:
break;
#endif
#if defined(MBEDTLS_SHA1_C)
case MBEDTLS_SSL_HASH_SHA1:
break;
#endif
#if defined(MBEDTLS_SHA224_C)
case MBEDTLS_SSL_HASH_SHA224:
break;
#endif
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_SSL_HASH_SHA256:
break;
#endif
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_SSL_HASH_SHA384:
break;
#endif
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_SSL_HASH_SHA512:
break;
#endif
default:
return( 0 );
}
switch( sig )
{
#if defined(MBEDTLS_RSA_C)
case MBEDTLS_SSL_SIG_RSA:
break;
#endif
#if defined(MBEDTLS_ECDSA_C)
case MBEDTLS_SSL_SIG_ECDSA:
break;
#endif
default:
return( 0 );
}
return( 1 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
static inline int mbedtls_ssl_sig_alg_is_supported(
const mbedtls_ssl_context *ssl,
const uint16_t sig_alg )
@ -2071,79 +2155,28 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
{
/* High byte is hash */
unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
switch( hash )
{
#if defined(MBEDTLS_MD5_C)
case MBEDTLS_SSL_HASH_MD5:
break;
#endif
#if defined(MBEDTLS_SHA1_C)
case MBEDTLS_SSL_HASH_SHA1:
break;
#endif
#if defined(MBEDTLS_SHA224_C)
case MBEDTLS_SSL_HASH_SHA224:
break;
#endif
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_SSL_HASH_SHA256:
break;
#endif
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_SSL_HASH_SHA384:
break;
#endif
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_SSL_HASH_SHA512:
break;
#endif
default:
return( 0 );
}
switch( sig )
{
#if defined(MBEDTLS_RSA_C)
case MBEDTLS_SSL_SIG_RSA:
break;
#endif
#if defined(MBEDTLS_ECDSA_C)
case MBEDTLS_SSL_SIG_ECDSA:
break;
#endif
default:
return( 0 );
}
return( 1 );
return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
mbedtls_pk_type_t pk_type;
mbedtls_md_type_t md_alg;
return( ! mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
sig_alg, &pk_type, &md_alg ) );
return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
((void) ssl);
((void) sig_alg);
return( 0 );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
mbedtls_pk_context *key );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
@ -2279,10 +2312,6 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
const unsigned char *end );
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
mbedtls_pk_context *own_key,
uint16_t *algorithm );
#if defined(MBEDTLS_SSL_ALPN)
int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,