yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Use common macro for the invalid signiture algorithm botn in TLS 1.2 and 1.3

Browse source 
Introduce a new macro MBEDTLS_TLS_SIG_NONE for invalid signiture algorithm.
It is intended to use in common code of TLS 1.2 and 1.3.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
Gabor Mezei 2022-05-09 16:37:58 +02:00
parent 1a3be088bf
commit 15b95a6c52
No known key found for this signature in database
GPG key ID: 08AB7BB35012F877
3 changed files with 41 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
library/ssl_misc.h
View file

@ -243,6 +243,35 @@
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_SIG_ALG( sig, hash ) (( hash << 8 ) | sig)
#define MBEDTLS_SSL_SIG_FROM_SIG_ALG(alg) (alg & 0xFF)
#define MBEDTLS_SSL_HASH_FROM_SIG_ALG(alg) (alg >> 8)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ), \
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ),
#elif defined(MBEDTLS_ECDSA_C)
#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ),
#elif defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ),
#else
#define MBEDTLS_SSL_SIG_ALG_SET( hash )
#endif
#define MBEDTLS_TLS_SIG_NONE MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ANON, \
MBEDTLS_SSL_HASH_NONE )
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* /*
* Check that we obey the standard's message size bounds * Check that we obey the standard's message size bounds
*/ */
@ -1916,7 +1945,7 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss
if( sig_alg == NULL ) if( sig_alg == NULL )
return( 0 ); return( 0 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{ {
if( *sig_alg == own_sig_alg ) if( *sig_alg == own_sig_alg )
return( 1 ); return( 1 );
@ -1932,7 +1961,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
if( sig_alg == NULL ) if( sig_alg == NULL )
return( 0 ); return( 0 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{ {
if( *sig_alg == proposed_sig_alg ) if( *sig_alg == proposed_sig_alg )
return( 1 ); return( 1 );
@ -2114,26 +2143,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define MBEDTLS_SSL_SIG_ALG( sig, hash ) (( hash << 8 ) | sig)
#define MBEDTLS_SSL_SIG_FROM_SIG_ALG(alg) (alg & 0xFF)
#define MBEDTLS_SSL_HASH_FROM_SIG_ALG(alg) (alg >> 8)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ), \
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ),
#elif defined(MBEDTLS_ECDSA_C)
#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ECDSA, hash ),
#elif defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG_SET( hash ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_RSA, hash ),
#else
#define MBEDTLS_SSL_SIG_ALG_SET( hash )
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
* Same value is used fo PSA_ALG_CATEGORY_CIPHER, hence it is * Same value is used fo PSA_ALG_CATEGORY_CIPHER, hence it is

17
library/ssl_tls.c
View file

@ -847,7 +847,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
p++; p++;
#endif #endif
} }
*p = MBEDTLS_TLS1_3_SIG_NONE; *p = MBEDTLS_TLS_SIG_NONE;
ssl->handshake->sig_algs_heap_allocated = 1; ssl->handshake->sig_algs_heap_allocated = 1;
} }
else else
@ -4138,7 +4138,7 @@ static uint16_t ssl_preset_default_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
/* NOTICE: see above */ /* NOTICE: see above */
@ -4153,7 +4153,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA256 ) MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA256 )
#endif #endif
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* NOTICE: see above */ /* NOTICE: see above */
@ -4179,7 +4179,7 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
/* NOTICE: see above */ /* NOTICE: see above */
@ -4191,7 +4191,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA384 ) MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA384 )
#endif #endif
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -4215,7 +4215,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
size_t i, j; size_t i, j;
int ret = 0; int ret = 0;
for( i = 0; sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++ ) for( i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{ {
for( j = 0; j < i; j++ ) for( j = 0; j < i; j++ )
{ {
@ -4944,7 +4944,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE; ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
return( 0 ); return( 0 );
} }
@ -7660,8 +7660,7 @@ mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_context *ssl,
unsigned int i; unsigned int i;
uint16_t sig_alg = mbedtls_ssl_sig_from_pk_alg( pk_alg ); uint16_t sig_alg = mbedtls_ssl_sig_from_pk_alg( pk_alg );
uint16_t *set = ssl->handshake->received_sig_algs; uint16_t *set = ssl->handshake->received_sig_algs;
uint16_t invalid_sig_alg = MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ANON, uint16_t invalid_sig_alg = MBEDTLS_TLS_SIG_NONE;
MBEDTLS_SSL_HASH_NONE );
if( sig_alg == MBEDTLS_SSL_SIG_ANON ) if( sig_alg == MBEDTLS_SSL_SIG_ANON )
return( MBEDTLS_MD_NONE ); return( MBEDTLS_MD_NONE );

4
library/ssl_tls12_server.c
View file

@ -1632,7 +1632,7 @@ read_record_header:
uint16_t *set = ssl->handshake->received_sig_algs; uint16_t *set = ssl->handshake->received_sig_algs;
const uint16_t sig_algs[] = { const uint16_t sig_algs[] = {
MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA1 ) MBEDTLS_SSL_SIG_ALG_SET( MBEDTLS_SSL_HASH_SHA1 )
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_SIG_ANON, MBEDTLS_SSL_HASH_NONE ) MBEDTLS_TLS_SIG_NONE
}; };
size_t count = sizeof( sig_algs ) / sizeof( sig_algs[0] ); size_t count = sizeof( sig_algs ) / sizeof( sig_algs[0] );
@ -2647,7 +2647,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
if( sig_alg == NULL ) if( sig_alg == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG ); return( MBEDTLS_ERR_SSL_BAD_CONFIG );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{ {
unsigned char hash = MBEDTLS_BYTE_1( *sig_alg ); unsigned char hash = MBEDTLS_BYTE_1( *sig_alg );