FEATURE: use psa_hash_xxx rather than mbedtls_md_xxx for TLS 1.3.
ssl_tls13_parse_certificate_verify() Signed-off-by: pespacek <peter.spacek@silabs.com>
This commit is contained in:
parent
69e348db85
commit
a1378105cf
1 changed files with 21 additions and 32 deletions
|
@ -34,6 +34,9 @@
|
|||
#include "ssl_tls13_keys.h"
|
||||
#include "ssl_debug_helpers.h"
|
||||
|
||||
#include "psa/crypto.h"
|
||||
#include "mbedtls/psa_util.h"
|
||||
|
||||
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
|
||||
MBEDTLS_SERVER_HELLO_RANDOM_LEN ] =
|
||||
{ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
|
||||
|
@ -160,12 +163,14 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
|||
size_t verify_buffer_len )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
const unsigned char *p = buf;
|
||||
uint16_t algorithm;
|
||||
size_t signature_len;
|
||||
mbedtls_pk_type_t sig_alg;
|
||||
mbedtls_md_type_t md_alg;
|
||||
unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
|
||||
psa_algorithm_t hash_alg = PSA_ALG_NONE;
|
||||
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
|
||||
size_t verify_hash_len;
|
||||
|
||||
void const *options = NULL;
|
||||
|
@ -212,6 +217,12 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
|||
goto error;
|
||||
}
|
||||
|
||||
hash_alg = mbedtls_psa_translate_md( md_alg );
|
||||
if( hash_alg == 0 )
|
||||
{
|
||||
goto error;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
|
||||
( unsigned int ) algorithm ) );
|
||||
|
||||
|
@ -229,42 +240,20 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
|||
p += 2;
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
|
||||
|
||||
/* Hash verify buffer with indicated hash function */
|
||||
switch( md_alg )
|
||||
status = psa_hash_compute( hash_alg,
|
||||
verify_buffer,
|
||||
verify_buffer_len,
|
||||
verify_hash,
|
||||
sizeof( verify_hash ),
|
||||
&verify_hash_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
verify_hash_len = 32;
|
||||
ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
verify_hash_len = 48;
|
||||
ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
verify_hash_len = 64;
|
||||
ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
|
||||
break;
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
|
||||
default:
|
||||
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
||||
break;
|
||||
}
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "hash computation PSA error", status );
|
||||
goto error;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue