Merge pull request #5785 from gabor-mezei-arm/5460_unify_parsing_sig_alg_ext

Unify parsing of the signature algorithms extension in TLS 1.2 and TLS 1.3
CI ABI API check job failure is expected as the PR do some changes in ssl_misc.h.
@RcColes if you eventually want to request some changes, they can be done in a follow-up PR.
This commit is contained in:
Ronald Cron 2022-05-17 17:01:55 +02:00 committed by GitHub
commit 9edf51d8cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 225 additions and 304 deletions

View file

@ -243,6 +243,18 @@
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
#define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
#define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* /*
* Check that we obey the standard's message size bounds * Check that we obey the standard's message size bounds
*/ */
@ -423,24 +435,6 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
extern "C" { extern "C" {
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Abstraction for a grid of allowed signature-hash-algorithm pairs.
*/
struct mbedtls_ssl_sig_hash_set_t
{
/* At the moment, we only need to remember a single suitable
* hash algorithm per signature algorithm. As long as that's
* the case - and we don't need a general lookup function -
* we can implement the sig-hash-set as a map from signatures
* to hash algorithms. */
mbedtls_md_type_t rsa;
mbedtls_md_type_t ecdsa;
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
const char *label, const char *label,
const unsigned char *random, size_t rlen, const unsigned char *random, size_t rlen,
@ -594,13 +588,7 @@ struct mbedtls_ssl_handshake_params
#endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
#endif #endif
@ -1115,24 +1103,21 @@ int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Find an entry in a signature-hash set matching a given hash algorithm. */ /**
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, * \brief Find the preferred hash for a given signature algorithm.
mbedtls_pk_type_t sig_alg ); *
/* Add a signature-hash-pair to a signature-hash set */ * \param[in] ssl SSL context
void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set, * \param[in] sig_alg A signature algorithm identifier as defined in the
mbedtls_pk_type_t sig_alg, * TLS 1.2 SignatureAlgorithm enumeration.
mbedtls_md_type_t md_alg ); *
/* Allow exactly one hash algorithm for each signature. */ * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set, * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
mbedtls_md_type_t md_alg ); */
unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_ssl_context *ssl,
unsigned int sig_alg );
/* Setup an empty signature-hash set */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
{
mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/** /**
@ -1804,11 +1789,11 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* /*
* Parse TLS 1.3 Signature Algorithm extension * Parse TLS Signature Algorithm extension
*/ */
int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl, int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
const unsigned char *end ); const unsigned char *end );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* Get handshake transcript */ /* Get handshake transcript */
@ -1954,7 +1939,7 @@ static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ss
if( sig_alg == NULL ) if( sig_alg == NULL )
return( 0 ); return( 0 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{ {
if( *sig_alg == own_sig_alg ) if( *sig_alg == own_sig_alg )
return( 1 ); return( 1 );
@ -1970,7 +1955,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl
if( sig_alg == NULL ) if( sig_alg == NULL )
return( 0 ); return( 0 );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{ {
if( *sig_alg == proposed_sig_alg ) if( *sig_alg == proposed_sig_alg )
return( 1 ); return( 1 );
@ -2152,19 +2137,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
(( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
#elif defined(MBEDTLS_ECDSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA),
#elif defined(MBEDTLS_RSA_C)
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA),
#else
#define MBEDTLS_SSL_SIG_ALG( hash )
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_RSA_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
* Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is

View file

@ -616,11 +616,6 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
handshake->update_checksum = ssl_update_checksum_start; handshake->update_checksum = ssl_update_checksum_start;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
#endif
#if defined(MBEDTLS_DHM_C) #if defined(MBEDTLS_DHM_C)
mbedtls_dhm_init( &handshake->dhm_ctx ); mbedtls_dhm_init( &handshake->dhm_ctx );
#endif #endif
@ -852,7 +847,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
p++; p++;
#endif #endif
} }
*p = MBEDTLS_TLS1_3_SIG_NONE; *p = MBEDTLS_TLS_SIG_NONE;
ssl->handshake->sig_algs_heap_allocated = 1; ssl->handshake->sig_algs_heap_allocated = 1;
} }
else else
@ -4143,22 +4138,37 @@ static uint16_t ssl_preset_default_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
/* NOTICE: see above */ /* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = { static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_SHA512_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 ) #if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif #endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512 ),
#endif
#endif /* MBEDTLS_SHA512_C */
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 ) #if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif #endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 ) #if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif #endif
MBEDTLS_TLS1_3_SIG_NONE #if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
#endif /* MBEDTLS_SHA256_C */
MBEDTLS_TLS_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* NOTICE: see above */ /* NOTICE: see above */
@ -4184,19 +4194,29 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS_SIG_NONE
}; };
/* NOTICE: see above */ /* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 ) #if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif #endif
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256 ),
#endif
#endif /* MBEDTLS_SHA256_C */
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 ) #if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif #endif
MBEDTLS_TLS1_3_SIG_NONE #if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384 ),
#endif
#endif /* MBEDTLS_SHA256_C */
MBEDTLS_TLS_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -4220,7 +4240,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
size_t i, j; size_t i, j;
int ret = 0; int ret = 0;
for( i = 0; sig_algs[i] != MBEDTLS_TLS1_3_SIG_NONE; i++ ) for( i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{ {
for( j = 0; j < i; j++ ) for( j = 0; j < i; j++ )
{ {
@ -4852,6 +4872,109 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* mbedtls_ssl_parse_sig_alg_ext()
*
* The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
* value (TLS 1.3 RFC8446):
* enum {
* ....
* ecdsa_secp256r1_sha256( 0x0403 ),
* ecdsa_secp384r1_sha384( 0x0503 ),
* ecdsa_secp521r1_sha512( 0x0603 ),
* ....
* } SignatureScheme;
*
* struct {
* SignatureScheme supported_signature_algorithms<2..2^16-2>;
* } SignatureSchemeList;
*
* The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
* value (TLS 1.2 RFC5246):
* enum {
* none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
* sha512(6), (255)
* } HashAlgorithm;
*
* enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
* SignatureAlgorithm;
*
* struct {
* HashAlgorithm hash;
* SignatureAlgorithm signature;
* } SignatureAndHashAlgorithm;
*
* SignatureAndHashAlgorithm
* supported_signature_algorithms<2..2^16-2>;
*
* The TLS 1.3 signature algorithm extension was defined to be a compatible
* generalization of the TLS 1.2 signature algorithm extension.
* `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
* `SignatureScheme` field of TLS 1.3
*
*/
int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
const unsigned char *p = buf;
size_t supported_sig_algs_len = 0;
const unsigned char *supported_sig_algs_end;
uint16_t sig_alg;
uint32_t common_idx = 0;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
memset( ssl->handshake->received_sig_algs, 0,
sizeof(ssl->handshake->received_sig_algs) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
supported_sig_algs_end = p + supported_sig_algs_len;
while( p < supported_sig_algs_end )
{
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
sig_alg ) );
if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
continue;
if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
ssl->handshake->received_sig_algs[common_idx] = sig_alg;
common_idx += 1;
}
}
/* Check that we consumed all the message. */
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Signature algorithms extension length misaligned" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
if( common_idx == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -7555,49 +7678,26 @@ exit:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Find an entry in a signature-hash set matching a given hash algorithm. */ /* Find the preferred hash for a given signature algorithm. */
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set, unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
mbedtls_pk_type_t sig_alg ) mbedtls_ssl_context *ssl,
unsigned int sig_alg )
{ {
switch( sig_alg ) unsigned int i;
uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
if( sig_alg == MBEDTLS_SSL_SIG_ANON )
return( MBEDTLS_SSL_HASH_NONE );
for( i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++ )
{ {
case MBEDTLS_PK_RSA: if( sig_alg == MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
return( set->rsa ); received_sig_algs[i] ) )
case MBEDTLS_PK_ECDSA: return( MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
return( set->ecdsa ); received_sig_algs[i] ) );
default:
return( MBEDTLS_MD_NONE );
} }
}
/* Add a signature-hash-pair to a signature-hash set */ return( MBEDTLS_SSL_HASH_NONE );
void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_pk_type_t sig_alg,
mbedtls_md_type_t md_alg )
{
switch( sig_alg )
{
case MBEDTLS_PK_RSA:
if( set->rsa == MBEDTLS_MD_NONE )
set->rsa = md_alg;
break;
case MBEDTLS_PK_ECDSA:
if( set->ecdsa == MBEDTLS_MD_NONE )
set->ecdsa = md_alg;
break;
default:
break;
}
}
/* Allow exactly one hash algorithm for each signature. */
void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
mbedtls_md_type_t md_alg )
{
set->rsa = md_alg;
set->ecdsa = md_alg;
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

View file

@ -209,96 +209,6 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
return( 0 ); return( 0 );
} }
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Status of the implementation of signature-algorithms extension:
*
* Currently, we are only considering the signature-algorithm extension
* to pick a ciphersuite which allows us to send the ServerKeyExchange
* message with a signature-hash combination that the user allows.
*
* We do *not* check whether all certificates in our certificate
* chain are signed with an allowed signature-hash pair.
* This needs to be done at a later stage.
*
*/
static int ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
size_t sig_alg_list_size;
const unsigned char *p;
const unsigned char *end = buf + len;
mbedtls_md_type_t md_cur;
mbedtls_pk_type_t sig_cur;
if ( len < 2 ) {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( sig_alg_list_size + 2 != len ||
sig_alg_list_size % 2 != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
/* Currently we only guarantee signing the ServerKeyExchange message according
* to the constraints specified in this extension (see above), so it suffices
* to remember only one suitable hash for each possible signature algorithm.
*
* This will change when we also consider certificate signatures,
* in which case we will need to remember the whole signature-hash
* pair list from the extension.
*/
for( p = buf + 2; p < end; p += 2 )
{
/* Silently ignore unknown signature or hash algorithms. */
if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
" unknown sig alg encoding %d", p[1] ) );
continue;
}
/* Check if we support the hash the user proposes */
md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
if( md_cur == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
" unknown hash alg encoding %d", p[0] ) );
continue;
}
if( mbedtls_ssl_sig_alg_is_offered(
ssl, MBEDTLS_GET_UINT16_BE( p, 0 ) ) )
{
mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
" match sig %u and hash %u",
(unsigned) sig_cur, (unsigned) md_cur ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
"hash alg %u not supported", (unsigned) md_cur ) );
}
}
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/* /*
@ -1078,7 +988,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
* a suitable hash algorithm is present. */ * a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info ); sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
if( sig_type != MBEDTLS_PK_NONE && if( sig_type != MBEDTLS_PK_NONE &&
mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE ) mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_type ) ) == MBEDTLS_SSL_HASH_NONE )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm " MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
"for signature algorithm %u", (unsigned) sig_type ) ); "for signature algorithm %u", (unsigned) sig_type ) );
@ -1593,7 +1504,7 @@ read_record_header:
case MBEDTLS_TLS_EXT_SIG_ALG: case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
ret = ssl_parse_sig_alg_ext( ssl, ext + 4, ext_size ); ret = mbedtls_ssl_parse_sig_alg_ext( ssl, ext + 4, ext + 4 + ext_size );
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
@ -1717,18 +1628,27 @@ read_record_header:
* Try to fall back to default hash SHA1 if the client * Try to fall back to default hash SHA1 if the client
* hasn't provided any preferred signature-hash combinations. * hasn't provided any preferred signature-hash combinations.
*/ */
if( sig_hash_alg_ext_present == 0 ) if( ! sig_hash_alg_ext_present )
{ {
uint16_t sig_algs[] = { MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1) }; uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
mbedtls_md_type_t md_default = MBEDTLS_MD_NONE; const uint16_t default_sig_algs[] = {
for( i = 0; i < sizeof( sig_algs ) / sizeof( sig_algs[0] ) ; i++ ) #if defined(MBEDTLS_ECDSA_C)
{ MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA,
if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_algs[ i ] ) ) MBEDTLS_SSL_HASH_SHA1 ),
md_default = MBEDTLS_MD_SHA1; #endif
} #if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_RSA,
MBEDTLS_SSL_HASH_SHA1 ),
#endif
MBEDTLS_TLS_SIG_NONE
};
mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, #if defined(static_assert)
md_default ); static_assert( sizeof( default_sig_algs ) / sizeof( default_sig_algs[0] ) <=
MBEDTLS_RECEIVED_SIG_ALGS_SIZE, "default_sig_algs is too big" );
#endif
memcpy( received_sig_algs, default_sig_algs, sizeof( default_sig_algs ) );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@ -1889,10 +1809,10 @@ have_ciphersuite:
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info ); mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
if( sig_alg != MBEDTLS_PK_NONE ) if( sig_alg != MBEDTLS_PK_NONE )
{ {
mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
sig_alg ); ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %u",
mbedtls_ssl_hash_from_md_alg( md_alg ) ) ); sig_hash ) );
} }
else else
{ {
@ -2728,7 +2648,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
if( sig_alg == NULL ) if( sig_alg == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG ); return( MBEDTLS_ERR_SSL_BAD_CONFIG );
for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ ) for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
{ {
unsigned char hash = MBEDTLS_BYTE_1( *sig_alg ); unsigned char hash = MBEDTLS_BYTE_1( *sig_alg );
@ -3255,15 +3175,18 @@ curve_matching_done:
* to choose appropriate hash. * to choose appropriate hash.
*/ */
mbedtls_md_type_t md_alg;
mbedtls_pk_type_t sig_alg = mbedtls_pk_type_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
unsigned int sig_hash =
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg( sig_alg ) );
mbedtls_md_type_t md_alg = mbedtls_ssl_md_alg_from_hash( sig_hash );
/* For TLS 1.2, obey signature-hash-algorithm extension /* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */ * (RFC 5246, Sec. 7.4.1.4.1). */
if( sig_alg == MBEDTLS_PK_NONE || if( sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE )
( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
sig_alg ) ) == MBEDTLS_MD_NONE )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
/* (... because we choose a cipher suite /* (... because we choose a cipher suite

View file

@ -1612,8 +1612,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_SIG_ALG: case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, MBEDTLS_SSL_DEBUG_MSG( 3,
( "found signature algorithms extension" ) ); ( "found signature algorithms extension" ) );
ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ssl, p, ret = mbedtls_ssl_parse_sig_alg_ext( ssl, p,
p + extension_data_len ); p + extension_data_len );
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
if( ! sig_alg_ext_found ) if( ! sig_alg_ext_found )

View file

@ -80,80 +80,6 @@ cleanup:
} }
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* mbedtls_ssl_tls13_parse_sig_alg_ext()
*
* enum {
* ....
* ecdsa_secp256r1_sha256( 0x0403 ),
* ecdsa_secp384r1_sha384( 0x0503 ),
* ecdsa_secp521r1_sha512( 0x0603 ),
* ....
* } SignatureScheme;
*
* struct {
* SignatureScheme supported_signature_algorithms<2..2^16-2>;
* } SignatureSchemeList;
*/
int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
const unsigned char *p = buf;
size_t supported_sig_algs_len = 0;
const unsigned char *supported_sig_algs_end;
uint16_t sig_alg;
uint32_t common_idx = 0;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
supported_sig_algs_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
memset( ssl->handshake->received_sig_algs, 0,
sizeof(ssl->handshake->received_sig_algs) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
supported_sig_algs_end = p + supported_sig_algs_len;
while( p < supported_sig_algs_end )
{
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
sig_alg ) );
if( ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ||
! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) )
continue;
if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
ssl->handshake->received_sig_algs[common_idx] = sig_alg;
common_idx += 1;
}
}
/* Check that we consumed all the message. */
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Signature algorithms extension length misaligned" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
if( common_idx == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithm in common" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS1_3_SIG_NONE;
return( 0 );
}
/* /*
* STATE HANDLING: Read CertificateVerify * STATE HANDLING: Read CertificateVerify
*/ */

View file

@ -651,7 +651,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_SIG_ALG: case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
ret = mbedtls_ssl_tls13_parse_sig_alg_ext( ret = mbedtls_ssl_parse_sig_alg_ext(
ssl, p, extension_data_end ); ssl, p, extension_data_end );
if( ret != 0 ) if( ret != 0 )
{ {