diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index dfd649081..e83fbbf00 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -1385,6 +1385,8 @@ int ssl_write_finished( ssl_context *ssl ); void ssl_optimize_checksum( ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info ); unsigned char ssl_sig_from_pk( pk_context *pk ); +pk_type_t ssl_pk_alg_from_sig( unsigned char sig ); +md_type_t ssl_md_alg_from_hash( unsigned char hash ); #ifdef __cplusplus } diff --git a/library/ssl_cli.c b/library/ssl_cli.c index ba2c68c3d..511d61d5b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1183,38 +1183,11 @@ static int ssl_parse_signature_algorithm( ssl_context *ssl, /* * Get hash algorithm */ - switch( (*p)[0] ) + if( ( *md_alg = ssl_md_alg_from_hash( (*p)[0] ) ) == POLARSSL_MD_NONE ) { -#if defined(POLARSSL_MD5_C) - case SSL_HASH_MD5: - *md_alg = POLARSSL_MD_MD5; - break; -#endif -#if defined(POLARSSL_SHA1_C) - case SSL_HASH_SHA1: - *md_alg = POLARSSL_MD_SHA1; - break; -#endif -#if defined(POLARSSL_SHA256_C) - case SSL_HASH_SHA224: - *md_alg = POLARSSL_MD_SHA224; - break; - case SSL_HASH_SHA256: - *md_alg = POLARSSL_MD_SHA256; - break; -#endif -#if defined(POLARSSL_SHA512_C) - case SSL_HASH_SHA384: - *md_alg = POLARSSL_MD_SHA384; - break; - case SSL_HASH_SHA512: - *md_alg = POLARSSL_MD_SHA512; - break; -#endif - default: - SSL_DEBUG_MSG( 2, ( "Server used unsupported " - "HashAlgorithm %d", *(p)[0] ) ); - return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + SSL_DEBUG_MSG( 2, ( "Server used unsupported " + "HashAlgorithm %d", *(p)[0] ) ); + return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } /* 
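Review bot: In ssl_parse_signature_algorithm the new `ssl_md_alg_from_hash( (*p)[0] )` check accepts every hash that is compiled in, including SSL_HASH_MD5 when POLARSSL_MD5_C is defined. Nothing in this hunk compares the server's choice with what the client offered in its signature_algorithms extension. The function body continues outside the hunk, so if that comparison is not made elsewhere the peer can steer the ServerKeyExchange signature to the weakest compiled-in hash; consider rejecting values the client did not advertise. The same applies to the `ssl_pk_alg_from_sig( (*p)[1] )` check in the next ssl_cli.c hunk. The debug line also still reads `*(p)[0]` where the rest of the function writes `(*p)[0]`; it evaluates to the same byte but should be spelled `(*p)[0]` for consistency.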
@@ -1232,24 +1205,11 @@ static int ssl_parse_signature_algorithm( ssl_context *ssl, /* * Get signature algorithm */ - switch( (*p)[1] ) + if( ( *pk_alg = ssl_pk_alg_from_sig( (*p)[1] ) ) == POLARSSL_PK_NONE ) { -#if defined(POLARSSL_RSA_C) - case SSL_SIG_RSA: - *pk_alg = POLARSSL_PK_RSA; - break; -#endif - -#if defined(POLARSSL_ECDSA_C) - case SSL_SIG_ECDSA: - *pk_alg = POLARSSL_PK_ECDSA; - break; -#endif - - default: - SSL_DEBUG_MSG( 2, ( "server used unsupported " - "SignatureAlgorithm %d", (*p)[1] ) ); - return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); + SSL_DEBUG_MSG( 2, ( "server used unsupported " + "SignatureAlgorithm %d", (*p)[1] ) ); + return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); } SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 6c4bdf086..f13b9c220 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1998,38 +1998,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl ) * ServerDHParams params; * }; */ - switch( ssl->handshake->sig_alg ) - { -#if defined(POLARSSL_MD5_C) - case SSL_HASH_MD5: - md_alg = POLARSSL_MD_MD5; - break; -#endif -#if defined(POLARSSL_SHA1_C) - case SSL_HASH_SHA1: - md_alg = POLARSSL_MD_SHA1; - break; -#endif -#if defined(POLARSSL_SHA256_C) - case SSL_HASH_SHA224: - md_alg = POLARSSL_MD_SHA224; - break; - case SSL_HASH_SHA256: - md_alg = POLARSSL_MD_SHA256; - break; -#endif -#if defined(POLARSSL_SHA512_C) - case SSL_HASH_SHA384: - md_alg = POLARSSL_MD_SHA384; - break; - case SSL_HASH_SHA512: - md_alg = POLARSSL_MD_SHA512; - break; -#endif - default: - /* Should never happen */ - return( -1 ); - } + md_alg = ssl_md_alg_from_hash( ssl->handshake->sig_alg ); if( ( md_info = md_info_from_type( md_alg ) ) == NULL ) { 
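Review bot: In ssl_write_server_key_exchange the removed `default: return( -1 );` branch was the only explicit handling of an unexpected `ssl->handshake->sig_alg`. The function now depends on `md_info_from_type( md_alg )` returning NULL for POLARSSL_MD_NONE in the check that follows. That check's body lies outside the hunk, so confirm it returns an error before anything is hashed or signed. A comment such as `/* POLARSSL_MD_NONE is caught by the md_info_from_type() check below */` next to the new assignment would keep that dependency visible to later edits.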
@@ -2595,8 +2564,7 @@ static int ssl_parse_certificate_verify( ssl_context *ssl ) sa_len = 2; /* - * Hash: as server we know we either have SSL_HASH_SHA384 or - * SSL_HASH_SHA256 + * Hash */ if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ) { @@ -2605,10 +2573,7 @@ static int ssl_parse_certificate_verify( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 ) - md_alg = POLARSSL_MD_SHA384; - else - md_alg = POLARSSL_MD_SHA256; + md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg ); /* * Get hashlen from MD @@ -2623,27 +2588,14 @@ static int ssl_parse_certificate_verify( ssl_context *ssl ) /* * Signature */ - switch( ssl->in_msg[5] ) + if( ( pk_alg = ssl_pk_alg_from_sig( ssl->in_msg[5] ) ) + == POLARSSL_PK_NONE ) { -#if defined(POLARSSL_RSA_C) - case SSL_SIG_RSA: - pk_alg = POLARSSL_PK_RSA; - break; -#endif - -#if defined(POLARSSL_ECDSA_C) - case SSL_SIG_ECDSA: - pk_alg = POLARSSL_PK_ECDSA; - break; -#endif - - default: - SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" - " for verify message" ) ); - return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" + " for verify message" ) ); + return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - /* * Check the certificate's key type matches the signature alg */ @@ -2663,10 +2615,9 @@ static int ssl_parse_certificate_verify( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); } - ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, - md_alg, hash, hashlen, - ssl->in_msg + 6 + sa_len, sig_len ); - if( ret != 0 ) + if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk, + md_alg, hash, hashlen, + ssl->in_msg + 6 + sa_len, sig_len ) ) != 0 ) { SSL_DEBUG_RET( 1, "pk_verify", ret ); return( ret ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 527b333e6..87a135ab7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
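Review bot: In ssl_parse_certificate_verify, `md_alg = ssl_md_alg_from_hash( ssl->handshake->verify_sig_alg )` can now yield POLARSSL_MD_NONE or any compiled-in hash, where the removed code could only produce SHA-384 or SHA-256. The hunk at -2595 also deletes the comment that stated that invariant. The `hash` buffer handed to `pk_verify` appears to be computed outside these hunks, so if verify_sig_alg can ever hold another value, md_alg and hashlen would no longer describe the digest actually being verified. Whether the "Get hashlen from MD" code rejects POLARSSL_MD_NONE is not visible here. Suggest an explicit guard right after the assignment, `if( md_alg == POLARSSL_MD_NONE ) return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );`, and a comment recording which values verify_sig_alg may take on the server side.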
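Review bot: The rejection path for `ssl_pk_alg_from_sig( ssl->in_msg[5] )` logs a fixed string, unlike the client-side messages, which print the offending byte. Including the value, e.g. `SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message (got %d)", ssl->in_msg[5] ) );`, would help when triaging failed client-certificate handshakes. The hunk also does not show a length check before `ssl->in_msg[4]` and `ssl->in_msg[5]` are read; if none exists earlier in the function, one should precede these accesses.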
@@ -3804,4 +3804,50 @@ unsigned char ssl_sig_from_pk( pk_context *pk ) return( SSL_SIG_ANON ); } +pk_type_t ssl_pk_alg_from_sig( unsigned char sig ) +{ + switch( sig ) + { +#if defined(POLARSSL_RSA_C) + case SSL_SIG_RSA: + return( POLARSSL_PK_RSA ); +#endif +#if defined(POLARSSL_ECDSA_C) + case SSL_SIG_ECDSA: + return( POLARSSL_PK_ECDSA ); +#endif + default: + return( POLARSSL_PK_NONE ); + } +} + +md_type_t ssl_md_alg_from_hash( unsigned char hash ) +{ + switch( hash ) + { +#if defined(POLARSSL_MD5_C) + case SSL_HASH_MD5: + return( POLARSSL_MD_MD5 ); +#endif +#if defined(POLARSSL_SHA1_C) + case SSL_HASH_SHA1: + return( POLARSSL_MD_SHA1 ); +#endif +#if defined(POLARSSL_SHA256_C) + case SSL_HASH_SHA224: + return( POLARSSL_MD_SHA224 ); + case SSL_HASH_SHA256: + return( POLARSSL_MD_SHA256 ); +#endif +#if defined(POLARSSL_SHA512_C) + case SSL_HASH_SHA384: + return( POLARSSL_MD_SHA384 ); + case SSL_HASH_SHA512: + return( POLARSSL_MD_SHA512 ); +#endif + default: + return( POLARSSL_MD_NONE ); + } +} + #endif
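Review bot: Both new helpers are exported through ssl.h without any comment, although every caller's validation now rests on their contract. Any byte that is unknown or whose algorithm is not compiled in, including SSL_SIG_ANON for the signature helper, falls to `default` and returns POLARSSL_PK_NONE or POLARSSL_MD_NONE. Document this on the declarations, for example `/* Map a TLS SignatureAlgorithm byte to pk_type_t; returns POLARSSL_PK_NONE if unknown or not compiled in, callers must check */`, with the matching wording for `ssl_md_alg_from_hash`. The comment should also say that these functions only translate identifiers and do not decide whether an algorithm is acceptable for the negotiated session, since MD5 is returned whenever POLARSSL_MD5_C is defined.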