From 660cb4209c15a0d0e82567b8b73a92d769a00f14 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 28 Jun 2022 16:17:58 +0800
Subject: [PATCH] Remove pkcs1 from key cert and sig alg map

Signed-off-by: Jerry Yu
---
 library/ssl_tls.c | 3 +--
 library/ssl_tls13_generic.c | 38 ++------------------------------------
 2 files changed, 3 insertions(+), 38 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3fa303b29..c5717c0f1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4916,8 +4916,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
 sig_alg, mbedtls_ssl_sig_alg_to_str( sig_alg ) ) );
- if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
- ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
+ if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
 continue; MBEDTLS_SSL_DEBUG_MSG( 4, ( "valid signature algorithm: %s",
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 39bd9f258..fa68730e4 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
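Review bot: After this change the list built by `mbedtls_ssl_parse_sig_alg_ext` can hold algorithms the local configuration never offered, because the `mbedtls_ssl_sig_alg_is_offered` term is dropped from the filter in front of `continue`. The only compensating check visible in this patch is the one added to `ssl_tls13_select_sig_alg_for_certificate_verify` in `library/ssl_tls13_generic.c`; any other reader of the stored list (none is visible here) would need the same check, or it could select an algorithm that local policy excludes. I would record the new contract next to the filter, e.g. `/* Stored list is not filtered against the local configuration; consumers must call mbedtls_ssl_sig_alg_is_offered(). */`. The function body starts and ends outside the hunk.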
@@ -863,76 +863,41 @@ int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
 switch( pk_type ) {
-#if defined(MBEDTLS_ECDSA_C)
 case MBEDTLS_SSL_SIG_ECDSA: switch( key_size ) {
-#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
 case 256: return( sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 );
-#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
-#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
 case 384: return( sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 );
-#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
-#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
 case 521: return( sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 );
-#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
 default: break; } break;
-#endif /* MBEDTLS_ECDSA_C */
-#if defined(MBEDTLS_RSA_C)
 case MBEDTLS_SSL_SIG_RSA: switch( sig_alg ) {
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_SHA256_C)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: return( key_size <= 3072 );
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: return( key_size <= 7680 );
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: return( 1 );
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V21 */
-
-#if defined(MBEDTLS_PKCS1_V15)
-#if defined(MBEDTLS_SHA256_C)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
- return( key_size <= 3072 );
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA384_C)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
- return( key_size <= 7680 );
-#endif /* MBEDTLS_SHA384_C */
-
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
- return( 1 );
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V15 */
 default: break; } break;
-#endif /* MBEDTLS_RSA_C */
 default: break;
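Review bot: With every `#if defined(...)` guard removed, `mbedtls_ssl_tls13_check_sig_alg_cert_key_match` can return non-zero for an algorithm whose hash or curve is compiled out, for example the `case 384:` branch in a build without SHA-384 or secp384r1. The call site in the last hunk of this file tests `mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported` first, which presumably covers build-time availability, but the hunk header shows this function without `static`, so any other caller would have to do the same. A comment above the outer `switch( pk_type )` would make that precondition explicit: `/* Matches key type and size only; the caller must already have checked that sig_alg is supported in this build. */`. The function starts and ends outside the hunk.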
@@ -951,7 +916,8 @@ static int ssl_tls13_select_sig_alg_for_certificate_verify(
 *algorithm = MBEDTLS_TLS1_3_SIG_NONE; for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ ) {
- if( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
+ if( mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg ) &&
+ mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
 *sig_alg ) && mbedtls_ssl_tls13_check_sig_alg_cert_key_match( *sig_alg, own_key ) )
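Review bot: Nothing in this patch exercises the new `mbedtls_ssl_sig_alg_is_offered( ssl, *sig_alg )` term, since the diffstat lists only `library/ssl_tls.c` and `library/ssl_tls13_generic.c`. A handshake test in which the peer lists an algorithm that is compiled in and matches `own_key` but is absent from the local signature-algorithm configuration would pin that this loop skips it; as far as this patch shows, this is now the only place where that policy is applied when choosing the CertificateVerify algorithm. When no entry passes all three predicates `*algorithm` stays `MBEDTLS_TLS1_3_SIG_NONE`, and how that case is reported lies outside the hunk.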