replace check_sig_hash with is_offered

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-19 18:02:15 +08:00 · 2022-01-19 18:02:15 +08:00 · 24811fb2e0
commit 24811fb2e0
parent 1bab301c0d
4 changed files with 22 additions and 20 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -2595,7 +2595,6 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
                                          mbedtls_md_type_t *md_alg,
                                          mbedtls_pk_type_t *pk_alg )
 {
-    ((void) ssl);
    *md_alg = MBEDTLS_MD_NONE;
    *pk_alg = MBEDTLS_PK_NONE;

@ -2631,9 +2630,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
    }

    /*
-     * Check if the hash is acceptable
+     * Check if the signature algorithm is acceptable
     */
-    if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
+    if( !mbedtls_ssl_sig_alg_is_offered( ssl, MBEDTLS_GET_UINT16_BE( *p, 0 ) ) )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1,
            ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -1845,6 +1845,23 @@ static inline const void *mbedtls_ssl_get_sig_algs(
 }

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+
+static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
+                                                  uint16_t proposed_sig_alg )
+{
+    const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+    if( sig_alg == NULL )
+        return( 0 );
+
+    for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+    {
+        if( *sig_alg == proposed_sig_alg )
+            return( 1 );
+    }
+    return( 0 );
+}
+
+
 static inline int mbedtls_ssl_sig_alg_is_supported(
                                                const mbedtls_ssl_context *ssl,
                                                const uint16_t sig_alg )
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -296,7 +296,8 @@ static int ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
            continue;
        }

-        if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+        if( mbedtls_ssl_sig_alg_is_offered(
+                ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) )
        {
            mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -209,21 +209,6 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
    *verify_buffer_len = idx;
 }

-static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
-                                         uint16_t proposed_sig_alg )
-{
-    const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
-    if( sig_alg == NULL )
-        return( 0 );
-
-    for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
-    {
-        if( *sig_alg == proposed_sig_alg )
-            return( 1 );
-    }
-    return( 0 );
-}
-
 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               const unsigned char *end,
@ -268,7 +253,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
     *
     * Check if algorithm is an offered signature algorithm.
     */
-    if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
+    if( ! mbedtls_ssl_sig_alg_is_offered( ssl, algorithm ) )
    {
        /* algorithm not in offered signature algorithms list */
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "