diff --git a/library/ssl_misc.h b/library/ssl_misc.h index c7aa3b545..98cfebd5c 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -243,6 +243,35 @@ #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + +#define MBEDTLS_SSL_SIG_ALG( sig, hash ) (( hash << 8 ) | sig) +#define MBEDTLS_SSL_SIG_FROM_SIG_ALG(alg) (alg & 0xFF) +#define MBEDTLS_SSL_HASH_FROM_SIG_ALG(alg) (alg >> 8) + +#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C) +#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ), \ + MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ), +#elif defined(MBEDTLS_ECDSA_C) +#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ), +#elif defined(MBEDTLS_RSA_C) +#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ), +#else +#define MBEDTLS_SSL_SIG_ALG_SET( hash ) +#endif + +#define MBEDTLS_TLS_SIG_NONE MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ANON, \ + MBEDTLS_SSL_HASH_NONE ) +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) +#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE +#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ + /* * Check that we obey the standard's message size bounds */ @@ -1916,7 +1945,7 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss if( sig_alg == NULL ) return( 0 ); - for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) + for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ ) { if( *sig_alg == own_sig_alg ) return( 1 ); @@ -1932,7 +1961,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl if( sig_alg == NULL ) return( 0 ); - for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) + for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ ) { if( *sig_alg == proposed_sig_alg ) return( 1 ); @@ -2114,26 +2143,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported( } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - -#define MBEDTLS_SSL_SIG_ALG( sig, hash ) (( hash << 8 ) | sig) -#define MBEDTLS_SSL_SIG_FROM_SIG_ALG(alg) (alg & 0xFF) -#define MBEDTLS_SSL_HASH_FROM_SIG_ALG(alg) (alg >> 8) - -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C) -#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ), \ - MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ), -#elif defined(MBEDTLS_ECDSA_C) -#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ), -#elif defined(MBEDTLS_RSA_C) -#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ), -#else -#define MBEDTLS_SSL_SIG_ALG_SET( hash ) -#endif - -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - #if defined(MBEDTLS_USE_PSA_CRYPTO) /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. * Same value is used fo PSA_ALG_CATEGORY_CIPHER, hence it is diff --git a/library/ssl_tls.c b/library/ssl_tls.c index daddc5aa9..3299159f6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -847,7 +847,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) p++; #endif } - *p = MBEDTLS_TLS1_3_SIG_NONE; + *p = MBEDTLS_TLS_SIG_NONE; ssl->handshake->sig_algs_heap_allocated = 1; } else @@ -4138,7 +4138,7 @@ static uint16_t ssl_preset_default_sig_algs[] = { MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ - MBEDTLS_TLS1_3_SIG_NONE + MBEDTLS_TLS_SIG_NONE }; /* NOTICE: see above */ @@ -4153,7 +4153,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = { #if defined(MBEDTLS_SHA256_C) MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA256 ) #endif - MBEDTLS_TLS1_3_SIG_NONE + MBEDTLS_TLS_SIG_NONE }; #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* NOTICE: see above */ @@ -4179,7 +4179,7 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = { MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ - MBEDTLS_TLS1_3_SIG_NONE + MBEDTLS_TLS_SIG_NONE }; /* NOTICE: see above */ @@ -4191,7 +4191,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { #if defined(MBEDTLS_SHA384_C) MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA384 ) #endif - MBEDTLS_TLS1_3_SIG_NONE + MBEDTLS_TLS_SIG_NONE }; #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ @@ -4215,7 +4215,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs ) size_t i, j; int ret = 0; - for( i = 0; sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++ ) + for( i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ ) { for( j = 0; j < i; j++ ) { @@ -4944,7 +4944,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } - ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE; + ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; return( 0 ); } @@ -7660,8 +7660,7 @@ mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_context *ssl, unsigned int i; uint16_t sig_alg = mbedtls_ssl_sig_from_pk_alg( pk_alg ); uint16_t *set = ssl->handshake->received_sig_algs; - uint16_t invalid_sig_alg = MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ANON, - MBEDTLS_SSL_HASH_NONE ); + uint16_t invalid_sig_alg = MBEDTLS_TLS_SIG_NONE; if( sig_alg == MBEDTLS_SSL_SIG_ANON ) return( MBEDTLS_MD_NONE ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 82b6e3a4c..6d07e267f 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1632,7 +1632,7 @@ read_record_header: uint16_t *set = ssl->handshake->received_sig_algs; const uint16_t sig_algs[] = { MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA1 ) - MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ANON, MBEDTLS_SSL_HASH_NONE ) + MBEDTLS_TLS_SIG_NONE }; size_t count = sizeof( sig_algs ) / sizeof( sig_algs[0] ); @@ -2647,7 +2647,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) if( sig_alg == NULL ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) + for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ ) { unsigned char hash = MBEDTLS_BYTE_1( *sig_alg );