Merge pull request #5785 from gabor-mezei-arm/5460_unify_parsing_sig_alg_ext
Unify parsing of the signature algorithms extension in TLS 1.2 and TLS 1.3 CI ABI API check job failure is expected as the PR do some changes in ssl_misc.h. @RcColes if you eventually want to request some changes, they can be done in a follow-up PR.
This commit is contained in:
Ronald Cron
GitHub
commit
9edf51d8cd
6 changed files with 225 additions and 304 deletions
|
|
@ -243,6 +243,18 @@
|
|||
|
||||
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
|
||||
#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
|
||||
#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
|
||||
#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
/*
|
||||
* Check that we obey the standard's message size bounds
|
||||
*/
|
||||
|
|
@ -423,24 +435,6 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
|
|||
extern "C" {
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* Abstraction for a grid of allowed signature-hash-algorithm pairs.
|
||||
*/
|
||||
struct mbedtls_ssl_sig_hash_set_t
|
||||
{
|
||||
/* At the moment, we only need to remember a single suitable
|
||||
* hash algorithm per signature algorithm. As long as that's
|
||||
* the case - and we don't need a general lookup function -
|
||||
* we can implement the sig-hash-set as a map from signatures
|
||||
* to hash algorithms. */
|
||||
mbedtls_md_type_t rsa;
|
||||
mbedtls_md_type_t ecdsa;
|
||||
};
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
||||
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
|
||||
const char *label,
|
||||
const unsigned char *random, size_t rlen,
|
||||
|
|
@ -594,13 +588,7 @@ struct mbedtls_ssl_handshake_params
|
|||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
|
||||
#endif
|
||||
|
||||
|
|
@ -1115,24 +1103,21 @@ int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
|
|||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
|
||||
/* Find an entry in a signature-hash set matching a given hash algorithm. */
|
||||
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
|
||||
mbedtls_pk_type_t sig_alg );
|
||||
/* Add a signature-hash-pair to a signature-hash set */
|
||||
void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
|
||||
mbedtls_pk_type_t sig_alg,
|
||||
mbedtls_md_type_t md_alg );
|
||||
/* Allow exactly one hash algorithm for each signature. */
|
||||
void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
|
||||
mbedtls_md_type_t md_alg );
|
||||
/**
|
||||
* \brief Find the preferred hash for a given signature algorithm.
|
||||
*
|
||||
* \param[in] ssl SSL context
|
||||
* \param[in] sig_alg A signature algorithm identifier as defined in the
|
||||
* TLS 1.2 SignatureAlgorithm enumeration.
|
||||
*
|
||||
* \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
|
||||
* identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
|
||||
*/
|
||||
unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
|
||||
mbedtls_ssl_context *ssl,
|
||||
unsigned int sig_alg );
|
||||
|
||||
/* Setup an empty signature-hash set */
|
||||
static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
|
||||
{
|
||||
mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
||||
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
/**
|
||||
|
|
@ -1804,11 +1789,11 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
|
|||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
/*
|
||||
* Parse TLS 1.3 Signature Algorithm extension
|
||||
* Parse TLS Signature Algorithm extension
|
||||
*/
|
||||
int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
const unsigned char *end );
|
||||
int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
const unsigned char *end );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
/* Get handshake transcript */
|
||||
|
|
@ -1954,7 +1939,7 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss
|
|||
if( sig_alg == NULL )
|
||||
return( 0 );
|
||||
|
||||
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
|
||||
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
|
||||
{
|
||||
if( *sig_alg == own_sig_alg )
|
||||
return( 1 );
|
||||
|
|
@ -1970,7 +1955,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
|
|||
if( sig_alg == NULL )
|
||||
return( 0 );
|
||||
|
||||
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
|
||||
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
|
||||
{
|
||||
if( *sig_alg == proposed_sig_alg )
|
||||
return( 1 );
|
||||
|
|
@ -2152,19 +2137,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
|
|||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
|
||||
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
|
||||
(( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
|
||||
#elif defined(MBEDTLS_ECDSA_C)
|
||||
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
|
||||
#elif defined(MBEDTLS_RSA_C)
|
||||
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
|
||||
#else
|
||||
#define MBEDTLS_SSL_SIG_ALG( hash )
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_RSA_C */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
|
||||
* Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue