cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add ssl_tls13_sig_alg_is_offered

Browse Source 
To keep consistent with cipher_suite check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2021-10-14 15:59:37 +08:00
parent 133690ccef
commit 982d9e5db2
1 changed files with 21 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
library/ssl_tls13_generic.c
View File

@ -320,6 +320,18 @@ static int ssl_tls13_process_certificate_verify_coordinate(
} }
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
static int ssl_tls13_sig_alg_is_offered( mbedtls_ssl_context *ssl, uint16_t sig_alg )
{
const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs;
for( ; *tls13_sig_alg !=MBEDTLS_TLS13_SIG_NONE ; tls13_sig_alg++ )
{
if( *tls13_sig_alg == sig_alg )
return 1;
}
return 0;
}
static int ssl_tls13_process_certificate_verify_parse( mbedtls_ssl_context *ssl, static int ssl_tls13_process_certificate_verify_parse( mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
const unsigned char *end, const unsigned char *end,
@ -329,7 +341,6 @@ static int ssl_tls13_process_certificate_verify_parse( mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *p = buf; const unsigned char *p = buf;
uint16_t algorithm; uint16_t algorithm;
const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs;
size_t signature_len; size_t signature_len;
mbedtls_pk_type_t sig_alg; mbedtls_pk_type_t sig_alg;
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
@ -361,26 +372,16 @@ static int ssl_tls13_process_certificate_verify_parse( mbedtls_ssl_context *ssl,
* Check if algorithm in offered signature algorithms. Send `unsupported_certificate` * Check if algorithm in offered signature algorithms. Send `unsupported_certificate`
* alert message on failure. * alert message on failure.
*/ */
while( 1 ) if( ssl_tls13_sig_alg_is_offered( ssl, algorithm ) == 0 )
{ {
/* Found algorithm in offered signature algorithms */ /* algorithm not in offered signature algorithms list */
if( *tls13_sig_alg == algorithm ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
break; "offered.",
( unsigned int ) algorithm ) );
if( *tls13_sig_alg == MBEDTLS_TLS13_SIG_NONE ) MBEDTLS_SSL_PEND_FATAL_ALERT(
{ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
/* End of offered signature algorithms list */ MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
MBEDTLS_SSL_DEBUG_MSG( 1, return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
( "signature algorithm(%04x) not in offered"
"signature algorithms ",
( unsigned int ) algorithm ) );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
tls13_sig_alg++;
} }
/* We currently only support ECDSA-based signatures */ /* We currently only support ECDSA-based signatures */