fix various issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-06-27 16:27:35 +08:00
parent 202919c23d
commit cc5391048e
5 changed files with 32 additions and 29 deletions

View file

@ -1922,8 +1922,8 @@ static inline const void *mbedtls_ssl_get_sig_algs(
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
if( ssl->handshake->sig_algs_heap_allocated == 1 &&
ssl->handshake != NULL &&
if( ssl->handshake != NULL &&
ssl->handshake->sig_algs_heap_allocated == 1 &&
ssl->handshake->sig_algs != NULL )
{
return( ssl->handshake->sig_algs );
@ -1984,6 +1984,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
switch( sig_alg )
{
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
@ -2002,7 +2003,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_SHA512_C */
#endif /* MBEDTLS_RSA_C */
default:
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
@ -2168,9 +2169,8 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
uint16_t sig_alg,
mbedtls_pk_context *key);
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
mbedtls_pk_context *key );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

View file

@ -856,7 +856,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
ssl->handshake->sig_algs = ssl->conf->sig_algs;
ssl->handshake->sig_algs_heap_allocated = 0;
}
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
return( 0 );
}
@ -4072,8 +4072,8 @@ static int ssl_preset_suiteb_ciphersuites[] = {
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
* for its signature in the key exchange message and as Mbed TLS 1.2 does not
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
* for its signature in the key exchange message. As Mbed TLS 1.2 does not
* support them, the handshake fails.
*/
static uint16_t ssl_preset_default_sig_algs[] = {

View file

@ -940,16 +940,18 @@ static int ssl_tls13_select_sig_alg_for_certificate_verify(
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, own_key ) )
{
MBEDTLS_SSL_DEBUG_MSG(
3, ( "select_sig_alg_for_certificate_verify:"
"selected signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "select_sig_alg_for_certificate_verify:"
"selected signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
*algorithm = *sig_alg;
return( 0 );
}
}
MBEDTLS_SSL_DEBUG_MSG( 2,
( "select_sig_alg_for_certificate_verify:"
"no suitable signature algorithm found" ) );
return( -1 );
}

View file

@ -389,20 +389,21 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
continue;
}
MBEDTLS_SSL_DEBUG_MSG(
3, ( "ssl_tls13_pick_key_cert:"
"check signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "ssl_tls13_pick_key_cert:"
"check signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, &key_cert->cert->pk ) )
{
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_MSG(
3, ( "ssl_tls13_pick_key_cert:"
"selected signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "ssl_tls13_pick_key_cert:"
"selected signature algorithm"
" %s [%04x]",
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
*sig_alg ) );
MBEDTLS_SSL_DEBUG_CRT(
3, "selected certificate (chain)",
ssl->handshake->key_cert->cert );
@ -412,7 +413,7 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert: "
"No signature algorithm found" ) );
"no suitable signature algorithm found" ) );
return( -1 );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C &&

View file

@ -268,8 +268,8 @@ int send_cb( void *ctx, unsigned char const *buf, size_t len )
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
* for its signature in the key exchange message and as Mbed TLS 1.2 does not
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
* for its signature in the key exchange message. As Mbed TLS 1.2 does not
* support them, the handshake fails.
*/
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
@ -371,4 +371,4 @@ void mbedtls_print_supported_sig_algs( void )
mbedtls_printf("rsa_pkcs1_sha1 ");
mbedtls_printf("ecdsa_sha1\n");
mbedtls_printf( "\n" );
}
}