fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu
parent
202919c23d
commit
cc5391048e
5 changed files with 32 additions and 29 deletions
|
|
@ -1922,8 +1922,8 @@ static inline const void *mbedtls_ssl_get_sig_algs(
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||||
|
|
||||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
if( ssl->handshake->sig_algs_heap_allocated == 1 &&
|
if( ssl->handshake != NULL &&
|
||||||
ssl->handshake != NULL &&
|
ssl->handshake->sig_algs_heap_allocated == 1 &&
|
||||||
ssl->handshake->sig_algs != NULL )
|
ssl->handshake->sig_algs != NULL )
|
||||||
{
|
{
|
||||||
return( ssl->handshake->sig_algs );
|
return( ssl->handshake->sig_algs );
|
||||||
|
|
@ -1984,6 +1984,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
|
||||||
|
|
||||||
switch( sig_alg )
|
switch( sig_alg )
|
||||||
{
|
{
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
#if defined(MBEDTLS_SHA256_C)
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
|
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
|
||||||
*md_alg = MBEDTLS_MD_SHA256;
|
*md_alg = MBEDTLS_MD_SHA256;
|
||||||
|
|
@ -2002,7 +2003,7 @@ static inline int mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
|
||||||
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
*pk_type = MBEDTLS_PK_RSASSA_PSS;
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_SHA512_C */
|
#endif /* MBEDTLS_SHA512_C */
|
||||||
|
#endif /* MBEDTLS_RSA_C */
|
||||||
default:
|
default:
|
||||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||||
}
|
}
|
||||||
|
|
@ -2168,9 +2169,8 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||||
|
|
||||||
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
|
int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
|
||||||
uint16_t sig_alg,
|
mbedtls_pk_context *key );
|
||||||
mbedtls_pk_context *key);
|
|
||||||
|
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -856,7 +856,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
|
||||||
ssl->handshake->sig_algs = ssl->conf->sig_algs;
|
ssl->handshake->sig_algs = ssl->conf->sig_algs;
|
||||||
ssl->handshake->sig_algs_heap_allocated = 0;
|
ssl->handshake->sig_algs_heap_allocated = 0;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
@ -4072,8 +4072,8 @@ static int ssl_preset_suiteb_ciphersuites[] = {
|
||||||
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
|
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
|
||||||
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
|
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
|
||||||
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
|
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
|
||||||
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
|
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
|
||||||
* for its signature in the key exchange message and as Mbed TLS 1.2 does not
|
* for its signature in the key exchange message. As Mbed TLS 1.2 does not
|
||||||
* support them, the handshake fails.
|
* support them, the handshake fails.
|
||||||
*/
|
*/
|
||||||
static uint16_t ssl_preset_default_sig_algs[] = {
|
static uint16_t ssl_preset_default_sig_algs[] = {
|
||||||
|
|
|
||||||
|
|
@ -940,16 +940,18 @@ static int ssl_tls13_select_sig_alg_for_certificate_verify(
|
||||||
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
|
mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
|
||||||
*sig_alg, own_key ) )
|
*sig_alg, own_key ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG(
|
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||||
3, ( "select_sig_alg_for_certificate_verify:"
|
( "select_sig_alg_for_certificate_verify:"
|
||||||
"selected signature algorithm %s [%04x]",
|
"selected signature algorithm %s [%04x]",
|
||||||
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
|
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
|
||||||
*sig_alg ) );
|
*sig_alg ) );
|
||||||
*algorithm = *sig_alg;
|
*algorithm = *sig_alg;
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 2,
|
||||||
|
( "select_sig_alg_for_certificate_verify:"
|
||||||
|
"no suitable signature algorithm found" ) );
|
||||||
return( -1 );
|
return( -1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -389,20 +389,21 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG(
|
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||||
3, ( "ssl_tls13_pick_key_cert:"
|
( "ssl_tls13_pick_key_cert:"
|
||||||
"check signature algorithm %s [%04x]",
|
"check signature algorithm %s [%04x]",
|
||||||
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
|
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
|
||||||
*sig_alg ) );
|
*sig_alg ) );
|
||||||
if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
|
if( mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
|
||||||
*sig_alg, &key_cert->cert->pk ) )
|
*sig_alg, &key_cert->cert->pk ) )
|
||||||
{
|
{
|
||||||
ssl->handshake->key_cert = key_cert;
|
ssl->handshake->key_cert = key_cert;
|
||||||
MBEDTLS_SSL_DEBUG_MSG(
|
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||||
3, ( "ssl_tls13_pick_key_cert:"
|
( "ssl_tls13_pick_key_cert:"
|
||||||
"selected signature algorithm %s [%04x]",
|
"selected signature algorithm"
|
||||||
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
|
" %s [%04x]",
|
||||||
*sig_alg ) );
|
mbedtls_ssl_sig_alg_to_str( *sig_alg ),
|
||||||
|
*sig_alg ) );
|
||||||
MBEDTLS_SSL_DEBUG_CRT(
|
MBEDTLS_SSL_DEBUG_CRT(
|
||||||
3, "selected certificate (chain)",
|
3, "selected certificate (chain)",
|
||||||
ssl->handshake->key_cert->cert );
|
ssl->handshake->key_cert->cert );
|
||||||
|
|
@ -412,7 +413,7 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert: "
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ssl_tls13_pick_key_cert: "
|
||||||
"No signature algorithm found" ) );
|
"no suitable signature algorithm found" ) );
|
||||||
return( -1 );
|
return( -1 );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C &&
|
#endif /* MBEDTLS_X509_CRT_PARSE_C &&
|
||||||
|
|
|
||||||
|
|
@ -268,8 +268,8 @@ int send_cb( void *ctx, unsigned char const *buf, size_t len )
|
||||||
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
|
* When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
|
||||||
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
|
* declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
|
||||||
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
|
* `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
|
||||||
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
|
* the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
|
||||||
* for its signature in the key exchange message and as Mbed TLS 1.2 does not
|
* for its signature in the key exchange message. As Mbed TLS 1.2 does not
|
||||||
* support them, the handshake fails.
|
* support them, the handshake fails.
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
|
#define MBEDTLS_SSL_SIG_ALG( hash ) (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA), \
|
||||||
|
|
@ -371,4 +371,4 @@ void mbedtls_print_supported_sig_algs( void )
|
||||||
mbedtls_printf("rsa_pkcs1_sha1 ");
|
mbedtls_printf("rsa_pkcs1_sha1 ");
|
||||||
mbedtls_printf("ecdsa_sha1\n");
|
mbedtls_printf("ecdsa_sha1\n");
|
||||||
mbedtls_printf( "\n" );
|
mbedtls_printf( "\n" );
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue