refactor get sig algo from pk
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 119826f..783b823 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2058,6 +2058,8 @@
}
return( 0 );
}
+
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
static inline int mbedtls_ssl_sig_alg_is_supported(
@@ -2141,6 +2143,102 @@
((void) sig_alg);
return( 0 );
}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+static inline int mbedtls_ssl_tls13_sig_alg_is_available_for_pk(
+ mbedtls_ssl_context *ssl,
+ uint16_t sig_alg,
+ mbedtls_pk_context *key)
+{
+ mbedtls_pk_type_t pk_type = mbedtls_ssl_sig_from_pk( key );
+ size_t key_size = mbedtls_pk_get_bitlen( key );
+
+ if( !mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
+ return( 0 );
+
+ switch( pk_type )
+ {
+#if defined(MBEDTLS_ECDSA_C)
+ case MBEDTLS_SSL_SIG_ECDSA:
+ switch( key_size )
+ {
+#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case 256:
+ return(
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256 );
+#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_SHA384_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case 384:
+ return(
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384 );
+#endif /* MBEDTLS_SHA384_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case 521:
+ return(
+ sig_alg == MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512 );
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+ default:
+ break;
+ }
+ break;
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_RSA_C)
+ case MBEDTLS_SSL_SIG_RSA:
+ switch( sig_alg )
+ {
+#if defined(MBEDTLS_PKCS1_V21)
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ return( key_size <= 2048 );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ return( key_size <= 3072 );
+#endif /* MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ return( key_size <= 4096 );
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+#if defined(MBEDTLS_SHA256_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
+ return( key_size <= 2048 );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA384_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
+ return( key_size <= 3072 );
+#endif /* MBEDTLS_SHA384_C */
+
+#if defined(MBEDTLS_SHA512_C)
+ case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
+ return( key_size <= 4096 );
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_PKCS1_V15 */
+
+ default:
+ break;
+ }
+ break;
+#endif /* MBEDTLS_RSA_C */
+
+ default:
+ break;
+ }
+
+ return( 0 );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -2276,10 +2374,6 @@
const unsigned char *end );
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm );
-
#if defined(MBEDTLS_SSL_ALPN)
int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 893de43..3ab6cc2 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -854,120 +854,25 @@
/*
* STATE HANDLING: Output Certificate Verify
*/
-int mbedtls_ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
- mbedtls_pk_context *own_key,
- uint16_t *algorithm )
+
+static int ssl_tls13_get_sig_alg_from_pk( mbedtls_ssl_context *ssl,
+ mbedtls_pk_context *own_key,
+ uint16_t *algorithm )
{
- mbedtls_pk_type_t sig = mbedtls_ssl_sig_from_pk( own_key );
- /* Determine the size of the key */
- size_t own_key_size = mbedtls_pk_get_bitlen( own_key );
+ uint16_t *sig_alg = ssl->handshake->received_sig_algs;
+
*algorithm = MBEDTLS_TLS1_3_SIG_NONE;
- ((void) own_key_size);
-
- switch( sig )
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE ; sig_alg++ )
{
-#if defined(MBEDTLS_ECDSA_C)
- case MBEDTLS_SSL_SIG_ECDSA:
- switch( own_key_size )
- {
- case 256:
- *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
- return( 0 );
- case 384:
- *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
- return( 0 );
- case 521:
- *algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
- return( 0 );
- default:
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "unknown key size: %"
- MBEDTLS_PRINTF_SIZET " bits",
- own_key_size ) );
- break;
- }
- break;
-#endif /* MBEDTLS_ECDSA_C */
-
-#if defined(MBEDTLS_RSA_C)
- case MBEDTLS_SSL_SIG_RSA:
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_SHA256_C)
- if( own_key_size <= 2048 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
- if( own_key_size <= 3072 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
- if( own_key_size <= 4096 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V21 */
-#if defined(MBEDTLS_PKCS1_V15)
-#if defined(MBEDTLS_SHA256_C)
- if( own_key_size <= 2048 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA384_C)
- if( own_key_size <= 3072 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA384_C */
-#if defined(MBEDTLS_SHA512_C)
- if( own_key_size <= 4096 &&
- mbedtls_ssl_sig_alg_is_received( ssl,
- MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512 ) )
- {
- *algorithm = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
- return( 0 );
- }
- else
-#endif /* MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_PKCS1_V15 */
- {
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "unknown key size: %"
- MBEDTLS_PRINTF_SIZET " bits",
- own_key_size ) );
- }
- break;
-#endif /* MBEDTLS_RSA_C */
- default:
- MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "unknown signature type : %u", sig ) );
- break;
+ if( mbedtls_ssl_sig_alg_is_supported( ssl, *sig_alg) &&
+ mbedtls_ssl_tls13_sig_alg_is_available_for_pk(
+ ssl, *sig_alg, own_key ) )
+ {
+ *algorithm = *sig_alg;
+ return( 0 );
+ }
}
+
return( -1 );
}
@@ -1024,7 +929,7 @@
* opaque signature<0..2^16-1>;
* } CertificateVerify;
*/
- ret = mbedtls_ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
+ ret = ssl_tls13_get_sig_alg_from_pk( ssl, own_key, &algorithm );
if( ret != 0 || ! mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index ffbbbcf..0ebad93 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -352,7 +352,6 @@
{
mbedtls_ssl_key_cert *key_cert, *key_cert_list;
const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
- uint16_t key_sig_alg;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL )
@@ -372,7 +371,6 @@
for( key_cert = key_cert_list; key_cert != NULL;
key_cert = key_cert->next )
{
- int ret;
MBEDTLS_SSL_DEBUG_CRT( 3, "certificate (chain) candidate",
key_cert->cert );
@@ -391,11 +389,9 @@
continue;
}
- ret = mbedtls_ssl_tls13_get_sig_alg_from_pk(
- ssl, &key_cert->cert->pk, &key_sig_alg );
- if( ret != 0 )
- continue;
- if( *sig_alg == key_sig_alg )
+ MBEDTLS_SSL_DEBUG_MSG( 2,("Try get sig alg %04x",*sig_alg));
+ if( mbedtls_ssl_tls13_sig_alg_is_available_for_pk(
+ ssl, *sig_alg, &key_cert->cert->pk ) )
{
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_CRT(
@@ -406,6 +402,7 @@
}
}
+ MBEDTLS_SSL_DEBUG_MSG( 2,("No signature algorithm found"));
return( -1 );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C &&