diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 826879c12..e411b7049 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2595,7 +2595,6 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
 mbedtls_md_type_t *md_alg,
 mbedtls_pk_type_t *pk_alg )
 {
- ((void) ssl);
 *md_alg = MBEDTLS_MD_NONE;
 *pk_alg = MBEDTLS_PK_NONE;
@@ -2631,9 +2630,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
 }
 /*
- * Check if the hash is acceptable
+ * Check if the signature algorithm is acceptable
 */
- if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
+ if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1,
 ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a9e60d70e..c7e24d127 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1845,6 +1845,23 @@ static inline const void *mbedtls_ssl_get_sig_algs(
 }
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
+ uint16_t proposed_sig_alg )
+{
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+ if( sig_alg == NULL )
+ return( 0 );
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ {
+ if( *sig_alg == proposed_sig_alg )
+ return( 1 );
+ }
+ return( 0 );
+}
+
+
 static inline int mbedtls_ssl_sig_alg_is_supported(
 const mbedtls_ssl_context *ssl,
 const uint16_t sig_alg )
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 0de11772a..f2f57b14d 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
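Review bot: In library/ssl_cli.c, second hunk of ssl_parse_signature_algorithm(), the rejection log still reads "server used HashAlgorithm %d that was not offered" and prints only the first byte, although the new condition compares the full two-byte value. A server that selects an offered hash together with a signature type that was not offered is now rejected here with a message that points at the wrong field, which slows down handshake-failure triage. Log the value the check actually used, for example `( "server used signature algorithm 0x%04x that was not offered", MBEDTLS_GET_UINT16_BE( *p, 0 ) )`. The two-byte read presumably relies on a length check earlier in the function; that part of the body is outside this hunk and should be confirmed.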
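Review bot: The new `mbedtls_ssl_sig_alg_is_offered()` in library/ssl_misc.h has no comment stating its contract, yet this commit makes it the acceptance check for the TLS 1.2 client, the TLS 1.2 server and TLS 1.3. Two properties deserve to be written down: it returns 1 on a match and 0 otherwise, the opposite polarity of the `mbedtls_ssl_check_sig_hash()` calls it replaces, and it returns 0 when `mbedtls_ssl_get_sig_algs()` yields NULL, so an unset list rejects every algorithm. A header comment such as `/* Return 1 if proposed_sig_alg is in the list from mbedtls_ssl_get_sig_algs(), 0 if it is not or the list is NULL; the list must end with MBEDTLS_TLS1_3_SIG_NONE. */` would cover it. On the server side the list is presumably the local configuration rather than anything the peer offered, so the comment should also say what "offered" means there.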
@@ -296,7 +296,8 @@ static int ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
 continue;
 }
- if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+ if( mbedtls_ssl_sig_alg_is_offered(
+ ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) )
 {
 mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 226f8e33f..a87af94dc 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -209,21 +209,6 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
 *verify_buffer_len = idx;
 }
-static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
- uint16_t proposed_sig_alg )
-{
- const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
- if( sig_alg == NULL )
- return( 0 );
-
- for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
- {
- if( *sig_alg == proposed_sig_alg )
- return( 1 );
- }
- return( 0 );
-}
-
 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
 const unsigned char *buf,
 const unsigned char *end,
@@ -268,7 +253,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
 *
 * Check if algorithm is an offered signature algorithm.
 */
- if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
+ if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
 {
 /* algorithm not in offered signature algorithms list */
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
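Review bot: In library/ssl_srv.c, ssl_parse_sig_alg_ext(), the new condition re-reads the two bytes at `p` for the membership test, while `sig_cur` and `md_cur`, the values actually stored by `mbedtls_ssl_sig_hash_set_add()`, were decoded earlier, outside this hunk. Decoding the wire value once into a local, e.g. `uint16_t sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );`, and using it both for the check and in the debug output would keep the filter and the stored pair visibly tied to the same bytes. The loop bounds that guarantee two readable bytes at `p` are not visible here and should be confirmed. The function begins and ends outside the hunk.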