AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

create sig_alg decode function

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-03-23 13:34:04 +08:00
parent 0c23fc39c3
commit 8c3388620d
2 changed files with 139 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

195
library/ssl_misc.h
View File

@ -1954,6 +1954,115 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
return( 0 ); return( 0 );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
{
*pk_type = MBEDTLS_PK_NONE;
*md_alg = MBEDTLS_MD_NONE;
((void) sig_alg);
switch( sig_alg )
{
#if defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \
defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_SHA256_C &&
MBEDTLS_ECP_DP_SECP256R1_ENABLED &&
MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) && \
defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP384R1_ENABLED &&
MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) && \
defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_SHA512_C &&
MBEDTLS_ECP_DP_SECP521R1_ENABLED &&
MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA256_C && \
MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA384_C && \
MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA512_C && \
MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_PKCS1_V15) && \
defined(MBEDTLS_RSA_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSA;
break;
#endif /* MBEDTLS_SHA256_C && \
MBEDTLS_PKCS1_V15 && \
MBEDTLS_RSA_C */
#if defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_PKCS1_V15) && \
defined(MBEDTLS_RSA_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSA;
break;
#endif /* MBEDTLS_SHA384_C && \
MBEDTLS_PKCS1_V15 && \
MBEDTLS_RSA_C */
#if defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_PKCS1_V15) && \
defined(MBEDTLS_RSA_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSA;
break;
#endif /* MBEDTLS_SHA384_C && \
MBEDTLS_PKCS1_V15 && \
MBEDTLS_RSA_C */
default:
return( 0 );
}
return( 1 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
static inline int mbedtls_ssl_sig_alg_is_supported( static inline int mbedtls_ssl_sig_alg_is_supported(
const mbedtls_ssl_context *ssl, const mbedtls_ssl_context *ssl,
const uint16_t sig_alg ) const uint16_t sig_alg )
@ -2025,88 +2134,10 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4)
{ {
switch( sig_alg ) mbedtls_pk_type_t pk_type;
{ mbedtls_md_type_t md_alg;
#if defined(MBEDTLS_SHA256_C) && \ return( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \ sig_alg, &pk_type, &md_alg ) );
defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
break;
#endif /* MBEDTLS_SHA256_C &&
MBEDTLS_ECP_DP_SECP256R1_ENABLED &&
MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) && \
defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
break;
#endif /* MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP384R1_ENABLED &&
MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) && \
defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
break;
#endif /* MBEDTLS_SHA512_C &&
MBEDTLS_ECP_DP_SECP521R1_ENABLED &&
MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
break;
#endif /* MBEDTLS_SHA256_C && \
MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
break;
#endif /* MBEDTLS_SHA384_C && \
MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
break;
#endif /* MBEDTLS_SHA512_C && \
MBEDTLS_X509_RSASSA_PSS_SUPPORT */
#if defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_PKCS1_V15) && \
defined(MBEDTLS_RSA_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
#endif /* MBEDTLS_SHA256_C && \
MBEDTLS_PKCS1_V15 && \
MBEDTLS_RSA_C */
#if defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_PKCS1_V15) && \
defined(MBEDTLS_RSA_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
break;
#endif /* MBEDTLS_SHA384_C && \
MBEDTLS_PKCS1_V15 && \
MBEDTLS_RSA_C */
#if defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_PKCS1_V15) && \
defined(MBEDTLS_RSA_C)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
#endif /* MBEDTLS_SHA384_C && \
MBEDTLS_PKCS1_V15 && \
MBEDTLS_RSA_C */
default:
return( 0 );
}
return( 1 );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
((void) ssl); ((void) ssl);

90
library/ssl_tls13_generic.c
View File

@ -336,48 +336,14 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
} }
/* We currently only support ECDSA-based signatures */ /* We currently only support ECDSA-based signatures */
switch( algorithm ) if( mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
algorithm, &sig_alg, &md_alg ) == 0 )
{ {
#if defined(MBEDTLS_ECDSA_C) /* algorithm not in offered signature algorithms list */
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: MBEDTLS_SSL_DEBUG_MSG( 1, ( "Get pk type and md algorithm from "
md_alg = MBEDTLS_MD_SHA256; "signature algorithm(%04x) fail.",
sig_alg = MBEDTLS_PK_ECDSA; ( unsigned int ) algorithm ) );
break; goto error;
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
md_alg = MBEDTLS_MD_SHA384;
sig_alg = MBEDTLS_PK_ECDSA;
break;
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
md_alg = MBEDTLS_MD_SHA512;
sig_alg = MBEDTLS_PK_ECDSA;
break;
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
md_alg = MBEDTLS_MD_SHA256;
sig_alg = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
md_alg = MBEDTLS_MD_SHA384;
sig_alg = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
md_alg = MBEDTLS_MD_SHA256;
sig_alg = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
goto error;
} }
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )", MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
@ -987,9 +953,7 @@ cleanup:
*/ */
static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl, static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
mbedtls_pk_context *own_key, mbedtls_pk_context *own_key,
uint16_t *algorithm, uint16_t *algorithm )
mbedtls_pk_type_t *pk_type,
mbedtls_md_type_t *md_alg)
{ {
mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key ); mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
/* Determine the size of the key */ /* Determine the size of the key */
@ -1005,18 +969,12 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
{ {
case 256: case 256:
*algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256; *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_ECDSA;
return( 0 ); return( 0 );
case 384: case 384:
*algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384; *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_ECDSA;
return( 0 ); return( 0 );
case 521: case 521:
*algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_ECDSA;
return( 0 ); return( 0 );
default: default:
MBEDTLS_SSL_DEBUG_MSG( 3, MBEDTLS_SSL_DEBUG_MSG( 3,
@ -1037,8 +995,6 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) ) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
{ {
*algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256; *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
return( 0 ); return( 0 );
} }
else else
@ -1049,8 +1005,6 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) ) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
{ {
*algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384; *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
return( 0 ); return( 0 );
} }
else else
@ -1061,8 +1015,6 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) ) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
{ {
*algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512; *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
return( 0 ); return( 0 );
} }
else else
@ -1075,8 +1027,6 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) ) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
{ {
*algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256; *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSA;
return( 0 ); return( 0 );
} }
else else
@ -1087,8 +1037,6 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) ) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
{ {
*algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384; *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSA;
return( 0 ); return( 0 );
} }
else else
@ -1099,8 +1047,6 @@ static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) ) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
{ {
*algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512; *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSA;
return( 0 ); return( 0 );
} }
else else
@ -1174,8 +1120,7 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
* opaque signature<0..2^16-1>; * opaque signature<0..2^16-1>;
* } CertificateVerify; * } CertificateVerify;
*/ */
ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm, ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
&pk_type, &md_alg );
if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) ) if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, MBEDTLS_SSL_DEBUG_MSG( 1,
@ -1189,6 +1134,23 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
ret = mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg( algorithm,
&pk_type,
&md_alg );
if( ret == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "signature algorithm is not supported." ) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Signature algorithm is %s",
mbedtls_ssl_sig_alg_to_str( algorithm ) ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
/* Check there is space for the algorithm identifier (2 bytes) and the /* Check there is space for the algorithm identifier (2 bytes) and the
* signature length (2 bytes). * signature length (2 bytes).
*/ */