Remove pkcs1 from certificate verify.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index f5f46cb..6786632 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2008,7 +2008,7 @@
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported_for_certificate(
const uint16_t sig_alg )
{
switch( sig_alg )
@@ -2046,6 +2046,33 @@
return( 0 );
}
return( 1 );
+
+}
+
+static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
+ const uint16_t sig_alg )
+{
+ switch( sig_alg )
+ {
+#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ break;
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ break;
+#endif /* MBEDTLS_SHA384_C */
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ break;
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C */
+ default:
+ return( mbedtls_ssl_tls13_sig_alg_is_supported_for_certificate(
+ sig_alg ) );
+ }
+ return( 1 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6a4087a..a6e4e38 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8179,22 +8179,14 @@
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
{
- if( mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) ||
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
- ( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- mbedtls_ssl_tls12_sig_alg_is_supported( *sig_alg ) ) ||
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
- 0 )
- {
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
- MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
- p += 2;
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "sent signature scheme [%x] %s",
+ if( ! mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg ) )
+ continue;
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+ MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
+ p += 2;
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "sent signature scheme [%x] %s",
*sig_alg,
mbedtls_ssl_sig_alg_to_str( *sig_alg ) ) );
- }
}
/* Length of supported_signature_algorithms */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 202f363..7ac785e 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -935,7 +935,7 @@
*algorithm = MBEDTLS_TLS1_3_SIG_NONE;
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
{
- if( mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg) &&
+ if( mbedtls_ssl_tls13_sig_alg_is_supported_for_certificate( *sig_alg) &&
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, own_key ) )
{