AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #5785 from gabor-mezei-arm/5460_unify_parsing_sig_alg_ext

Browse Source 
Unify parsing of the signature algorithms extension in TLS 1.2 and TLS 1.3
CI ABI API check job failure is expected as the PR do some changes in ssl_misc.h.
@RcColes if you eventually want to request some changes, they can be done in a follow-up PR.
This commit is contained in:
Ronald Cron 2022-05-17 17:01:55 +02:00 committed by GitHub
commit 9edf51d8cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 225 additions and 304 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
library/ssl_misc.h
View File

@ -243,6 +243,18 @@
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/*
* Check that we obey the standard's message size bounds
*/
@ -423,24 +435,6 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
extern "C" {
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Abstraction for a grid of allowed signature-hash-algorithm pairs.
*/
struct mbedtls_ssl_sig_hash_set_t
{
/* At the moment, we only need to remember a single suitable
* hash algorithm per signature algorithm. As long as that's
* the case - and we don't need a general lookup function -
* we can implement the sig-hash-set as a map from signatures
* to hash algorithms. */
mbedtls_md_type_t rsa;
mbedtls_md_type_t ecdsa;
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@ -594,13 +588,7 @@ struct mbedtls_ssl_handshake_params
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
#endif
@ -1115,24 +1103,21 @@ int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Find an entry in a signature-hash set matching a given hash algorithm. */
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_pk_type_t sig_alg );
/* Add a signature-hash-pair to a signature-hash set */
void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_pk_type_t sig_alg,
mbedtls_md_type_t md_alg );
/* Allow exactly one hash algorithm for each signature. */
void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_md_type_t md_alg );
/**
* \brief Find the preferred hash for a given signature algorithm.
*
* \param[in] ssl SSL context
* \param[in] sig_alg A signature algorithm identifier as defined in the
* TLS 1.2 SignatureAlgorithm enumeration.
*
* \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
* identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
*/
unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_ssl_context *ssl,
unsigned int sig_alg );
/* Setup an empty signature-hash set */
static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
{
mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/**
@ -1804,9 +1789,9 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Parse TLS 1.3 Signature Algorithm extension
* Parse TLS Signature Algorithm extension
*/
int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@ -1954,7 +1939,7 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss
if( sig_alg == NULL )
return( 0 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{
if( *sig_alg == own_sig_alg )
return( 1 );
@ -1970,7 +1955,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
if( sig_alg == NULL )
return( 0 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{
if( *sig_alg == proposed_sig_alg )
return( 1 );
@ -2152,19 +2137,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
(( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
#elif defined(MBEDTLS_ECDSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
#elif defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
#else
#define MBEDTLS_SSL_SIG_ALG( hash )
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_RSA_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
* Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is

210
library/ssl_tls.c
View File

@ -616,11 +616,6 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
handshake->update_checksum = ssl_update_checksum_start;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
#endif
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_init( &handshake->dhm_ctx );
#endif
@ -852,7 +847,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
p++;
#endif
}
*p = MBEDTLS_TLS1_3_SIG_NONE;
*p = MBEDTLS_TLS_SIG_NONE;
ssl->handshake->sig_algs_heap_allocated = 1;
}
else
@ -4143,22 +4138,37 @@ static uint16_t ssl_preset_default_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE
MBEDTLS_TLS_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
#endif /* MBEDTLS_SHA512_C */
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
MBEDTLS_TLS1_3_SIG_NONE
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
#endif /* MBEDTLS_SHA256_C */
MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* NOTICE: see above */
@ -4184,19 +4194,29 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE
MBEDTLS_TLS_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
MBEDTLS_TLS1_3_SIG_NONE
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
#endif /* MBEDTLS_SHA256_C */
MBEDTLS_TLS_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -4220,7 +4240,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
size_t i, j;
int ret = 0;
for( i = 0; sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++ )
for( i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{
for( j = 0; j < i; j++ )
{
@ -4852,6 +4872,109 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* mbedtls_ssl_parse_sig_alg_ext()
*
* The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
* value (TLS 1.3 RFC8446):
* enum {
* ....
* ecdsa_secp256r1_sha256( 0x0403 ),
* ecdsa_secp384r1_sha384( 0x0503 ),
* ecdsa_secp521r1_sha512( 0x0603 ),
* ....
* } SignatureScheme;
*
* struct {
* SignatureScheme supported_signature_algorithms<2..2^16-2>;
* } SignatureSchemeList;
*
* The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
* value (TLS 1.2 RFC5246):
* enum {
* none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
* sha512(6), (255)
* } HashAlgorithm;
*
* enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
* SignatureAlgorithm;
*
* struct {
* HashAlgorithm hash;
* SignatureAlgorithm signature;
* } SignatureAndHashAlgorithm;
*
* SignatureAndHashAlgorithm
* supported_signature_algorithms<2..2^16-2>;
*
* The TLS 1.3 signature algorithm extension was defined to be a compatible
* generalization of the TLS 1.2 signature algorithm extension.
* `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
* `SignatureScheme` field of TLS 1.3
*
*/
int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
const unsigned char *p = buf;
size_t supported_sig_algs_len = 0;
const unsigned char *supported_sig_algs_end;
uint16_t sig_alg;
uint32_t common_idx = 0;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
memset( ssl->handshake->received_sig_algs, 0,
sizeof(ssl->handshake->received_sig_algs) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
supported_sig_algs_end = p + supported_sig_algs_len;
while( p < supported_sig_algs_end )
{
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
sig_alg ) );
if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
continue;
if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
ssl->handshake->received_sig_algs[common_idx] = sig_alg;
common_idx += 1;
}
}
/* Check that we consumed all the message. */
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Signature algorithms extension length misaligned" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
if( common_idx == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -7555,49 +7678,26 @@ exit:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Find an entry in a signature-hash set matching a given hash algorithm. */
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_pk_type_t sig_alg )
/* Find the preferred hash for a given signature algorithm. */
unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_ssl_context *ssl,
unsigned int sig_alg )
{
switch( sig_alg )
unsigned int i;
uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
if( sig_alg == MBEDTLS_SSL_SIG_ANON )
return( MBEDTLS_SSL_HASH_NONE );
for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{
case MBEDTLS_PK_RSA:
return( set->rsa );
case MBEDTLS_PK_ECDSA:
return( set->ecdsa );
default:
return( MBEDTLS_MD_NONE );
if( sig_alg == MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
received_sig_algs[i] ) )
return( MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
received_sig_algs[i] ) );
}
}
/* Add a signature-hash-pair to a signature-hash set */
void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_pk_type_t sig_alg,
mbedtls_md_type_t md_alg )
{
switch( sig_alg )
{
case MBEDTLS_PK_RSA:
if( set->rsa == MBEDTLS_MD_NONE )
set->rsa = md_alg;
break;
case MBEDTLS_PK_ECDSA:
if( set->ecdsa == MBEDTLS_MD_NONE )
set->ecdsa = md_alg;
break;
default:
break;
}
}
/* Allow exactly one hash algorithm for each signature. */
void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_md_type_t md_alg )
{
set->rsa = md_alg;
set->ecdsa = md_alg;
return( MBEDTLS_SSL_HASH_NONE );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

145
library/ssl_tls12_server.c
View File

@ -209,96 +209,6 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
return( 0 );
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Status of the implementation of signature-algorithms extension:
*
* Currently, we are only considering the signature-algorithm extension
* to pick a ciphersuite which allows us to send the ServerKeyExchange
* message with a signature-hash combination that the user allows.
*
* We do *not* check whether all certificates in our certificate
* chain are signed with an allowed signature-hash pair.
* This needs to be done at a later stage.
*
*/
static int ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
size_t sig_alg_list_size;
const unsigned char *p;
const unsigned char *end = buf + len;
mbedtls_md_type_t md_cur;
mbedtls_pk_type_t sig_cur;
if ( len < 2 ) {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( sig_alg_list_size + 2 != len ||
sig_alg_list_size % 2 != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
/* Currently we only guarantee signing the ServerKeyExchange message according
* to the constraints specified in this extension (see above), so it suffices
* to remember only one suitable hash for each possible signature algorithm.
*
* This will change when we also consider certificate signatures,
* in which case we will need to remember the whole signature-hash
* pair list from the extension.
*/
for( p = buf + 2; p < end; p += 2 )
{
/* Silently ignore unknown signature or hash algorithms. */
if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
" unknown sig alg encoding %d", p[1] ) );
continue;
}
/* Check if we support the hash the user proposes */
md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
if( md_cur == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
" unknown hash alg encoding %d", p[0] ) );
continue;
}
if( mbedtls_ssl_sig_alg_is_offered(
ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) )
{
mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
" match sig %u and hash %u",
(unsigned) sig_cur, (unsigned) md_cur ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
"hash alg %u not supported", (unsigned) md_cur ) );
}
}
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
@ -1078,7 +988,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE &&
mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
"for signature algorithm %u", (unsigned) sig_type ) );
@ -1593,7 +1504,7 @@ read_record_header:
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
ret = ssl_parse_sig_alg_ext( ssl, ext + 4, ext_size );
ret = mbedtls_ssl_parse_sig_alg_ext( ssl, ext + 4, ext + 4 + ext_size );
if( ret != 0 )
return( ret );
@ -1717,18 +1628,27 @@ read_record_header:
* Try to fall back to default hash SHA1 if the client
* hasn't provided any preferred signature-hash combinations.
*/
if( sig_hash_alg_ext_present == 0 )
if( ! sig_hash_alg_ext_present )
{
uint16_t sig_algs[] = { MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1) };
mbedtls_md_type_t md_default = MBEDTLS_MD_NONE;
for( i = 0; i < sizeof( sig_algs ) / sizeof( sig_algs[0] ) ; i++ )
{
if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_algs[ i ] ) )
md_default = MBEDTLS_MD_SHA1;
}
uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
const uint16_t default_sig_algs[] = {
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA,
MBEDTLS_SSL_HASH_SHA1 ),
#endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA,
MBEDTLS_SSL_HASH_SHA1 ),
#endif
MBEDTLS_TLS_SIG_NONE
};
mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs,
md_default );
#if defined(static_assert)
static_assert( sizeof( default_sig_algs ) / sizeof( default_sig_algs[0] ) <=
MBEDTLS_RECEIVED_SIG_ALGS_SIZE, "default_sig_algs is too big" );
#endif
memcpy( received_sig_algs, default_sig_algs, sizeof( default_sig_algs ) );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@ -1889,10 +1809,10 @@ have_ciphersuite:
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
if( sig_alg != MBEDTLS_PK_NONE )
{
mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
sig_alg );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %u",
sig_hash ) );
}
else
{
@ -2728,7 +2648,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
if( sig_alg == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{
unsigned char hash = MBEDTLS_BYTE_1( *sig_alg );
@ -3255,15 +3175,18 @@ curve_matching_done:
* to choose appropriate hash.
*/
mbedtls_md_type_t md_alg;
mbedtls_pk_type_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
unsigned int sig_hash =
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
/* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */
if( sig_alg == MBEDTLS_PK_NONE ||
( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
sig_alg ) ) == MBEDTLS_MD_NONE )
if( sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
/* (... because we choose a cipher suite

2
library/ssl_tls13_client.c
View File

@ -1612,7 +1612,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3,
( "found signature algorithms extension" ) );
ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p,
ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
p + extension_data_len );
if( ret != 0 )
return( ret );

74
library/ssl_tls13_generic.c
View File

@ -80,80 +80,6 @@ cleanup:
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* mbedtls_ssl_tls13_parse_sig_alg_ext()
*
* enum {
* ....
* ecdsa_secp256r1_sha256( 0x0403 ),
* ecdsa_secp384r1_sha384( 0x0503 ),
* ecdsa_secp521r1_sha512( 0x0603 ),
* ....
* } SignatureScheme;
*
* struct {
* SignatureScheme supported_signature_algorithms<2..2^16-2>;
* } SignatureSchemeList;
*/
int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
const unsigned char *p = buf;
size_t supported_sig_algs_len = 0;
const unsigned char *supported_sig_algs_end;
uint16_t sig_alg;
uint32_t common_idx = 0;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
memset( ssl->handshake->received_sig_algs, 0,
sizeof(ssl->handshake->received_sig_algs) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
supported_sig_algs_end = p + supported_sig_algs_len;
while( p < supported_sig_algs_end )
{
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
sig_alg ) );
if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
continue;
if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
ssl->handshake->received_sig_algs[common_idx] = sig_alg;
common_idx += 1;
}
}
/* Check that we consumed all the message. */
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Signature algorithms extension length misaligned" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
if( common_idx == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
return( 0 );
}
/*
* STATE HANDLING: Read CertificateVerify
*/

2
library/ssl_tls13_server.c
View File

@ -651,7 +651,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
ret = mbedtls_ssl_tls13_parse_sig_alg_ext(
ret = mbedtls_ssl_parse_sig_alg_ext(
ssl, p, extension_data_end );
if( ret != 0 )
{