eden-emu/mbedtls
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move preferred_hash_for_sig_alg() check after ssl_pick_cert() and check if hash alg is supported with mbedtls_pk_can_do_ext()

Browse source 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This commit is contained in:
Neil Armstrong 2022-06-24 18:19:19 +02:00
parent ed917bf548
commit 9f1176a793
2 changed files with 62 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

51
library/ssl_tls.c
View file

@ -7691,10 +7691,53 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ ) for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{ {
if( sig_alg == MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( unsigned int hash_alg_received =
received_sig_algs[i] ) ) MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
return( MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( received_sig_algs[i] );
received_sig_algs[i] ) ); unsigned int sig_alg_received =
MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
received_sig_algs[i] );
if( sig_alg == sig_alg_received )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ssl->handshake->key_cert && ssl->handshake->key_cert->key )
{
psa_algorithm_t alg = PSA_ALG_NONE;
psa_algorithm_t alg2 = PSA_ALG_NONE;
psa_key_usage_t usage = 0;
psa_key_usage_t usage2 = 0;
if( sig_alg_received == MBEDTLS_SSL_SIG_ECDSA )
{
alg = PSA_ALG_ECDSA(
mbedtls_psa_translate_md( hash_alg_received ) );
usage = PSA_KEY_USAGE_SIGN_HASH;
alg2 = PSA_ALG_ECDH;
usage2 = PSA_KEY_USAGE_DERIVE;
}
else if( sig_alg_received == MBEDTLS_SSL_SIG_RSA )
{
alg = PSA_ALG_RSA_PKCS1V15_SIGN(
mbedtls_psa_translate_md( hash_alg_received ) );
usage = PSA_KEY_USAGE_SIGN_HASH;
alg2 = PSA_ALG_RSA_PKCS1V15_CRYPT;
usage2 = PSA_KEY_USAGE_DECRYPT;
}
else
continue;
if( ! mbedtls_pk_can_do_ext( ssl->handshake->key_cert->key,
alg, usage ) &&
! mbedtls_pk_can_do_ext( ssl->handshake->key_cert->key,
alg2, usage2 ) )
continue;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( hash_alg_received );
}
} }
return( MBEDTLS_SSL_HASH_NONE ); return( MBEDTLS_SSL_HASH_NONE );

30
library/ssl_tls12_server.c
View file

@ -843,21 +843,6 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
} }
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE &&
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
"for signature algorithm %u", (unsigned) sig_type ) );
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
/* /*
* Final check: if ciphersuite requires us to have a * Final check: if ciphersuite requires us to have a
@ -874,6 +859,21 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
} }
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE &&
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
"for signature algorithm %u", (unsigned) sig_type ) );
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
*ciphersuite_info = suite_info; *ciphersuite_info = suite_info;
return( 0 ); return( 0 );
} }