lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-11-14 04:02:31 +03:00
Code Activity

Merge pull request #10439 from bjwtaylor/remove-all-non-ext-apis

Browse Source 
Remove all non ext apis
This commit is contained in:
Valerio Setti
2025-11-04 09:53:34 +00:00
committed by GitHub
parent 18f2661c65 42074c193f
commit 00d579e953
12 changed files with 102 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
library/pkcs7.c
View File

@@ -704,9 +704,9 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7,
* failed to validate'.
*/
for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) {
ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash,
mbedtls_md_get_size(md_info),
signer->sig.p, signer->sig.len);
ret = mbedtls_pk_verify_ext(cert->sig_pk, &pk_cxt, md_alg, hash,
mbedtls_md_get_size(md_info),
signer->sig.p, signer->sig.len);
if (ret == 0) {
break;

16
library/ssl_ciphersuites.c
View File

@@ -902,17 +902,17 @@ size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersui
}
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA;
return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return MBEDTLS_PK_ECDSA;
return MBEDTLS_PK_SIGALG_ECDSA;
default:
return MBEDTLS_PK_NONE;
return MBEDTLS_PK_SIGALG_NONE;
}
}
@@ -943,17 +943,17 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c
}
}
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA;
return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return MBEDTLS_PK_ECDSA;
return MBEDTLS_PK_SIGALG_ECDSA;
default:
return MBEDTLS_PK_NONE;
return MBEDTLS_PK_SIGALG_NONE;
}
}

4
library/ssl_ciphersuites_internal.h
View File

@@ -16,10 +16,10 @@
#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
#endif /* MBEDTLS_PK_C */
int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);

4
library/ssl_client.c
View File

@@ -943,8 +943,8 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
*/
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}

23
library/ssl_misc.h
View File

@@ -1436,11 +1436,6 @@ MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
int update_checksum,
int force_flush);
static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
{
return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
}
/*
* Write handshake message tail
*/
@@ -1515,8 +1510,8 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
#if defined(MBEDTLS_PK_C)
unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type);
mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig);
#endif
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
@@ -2414,13 +2409,13 @@ static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
return 0;
}
static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
static inline int mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_sigalg_t *pk_type, mbedtls_md_type_t *md_alg)
{
*pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
*pk_type = mbedtls_ssl_pk_sig_alg_from_sig(sig_alg & 0xff);
*md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
if (*pk_type != MBEDTLS_PK_SIGALG_NONE && *md_alg != MBEDTLS_MD_NONE) {
return 0;
}
@@ -2429,19 +2424,19 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
*pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;
break;
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
*pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;
break;
#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(PSA_WANT_ALG_SHA_512)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
*pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* PSA_WANT_ALG_RSA_PSS */

4
library/ssl_msg.c
View File

@@ -5028,8 +5028,8 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}

27
library/ssl_tls.c
View File

@@ -4247,8 +4247,8 @@ static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}
@@ -5619,32 +5619,31 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
return MBEDTLS_SSL_SIG_ANON;
}
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type)
{
switch (type) {
case MBEDTLS_PK_RSA:
case MBEDTLS_PK_SIGALG_RSA_PKCS1V15:
return MBEDTLS_SSL_SIG_RSA;
case MBEDTLS_PK_ECDSA:
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_SIGALG_ECDSA:
return MBEDTLS_SSL_SIG_ECDSA;
default:
return MBEDTLS_SSL_SIG_ANON;
}
}
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig)
{
switch (sig) {
#if defined(MBEDTLS_RSA_C)
case MBEDTLS_SSL_SIG_RSA:
return MBEDTLS_PK_RSA;
return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
case MBEDTLS_SSL_SIG_ECDSA:
return MBEDTLS_PK_ECDSA;
return MBEDTLS_PK_SIGALG_ECDSA;
#endif
default:
return MBEDTLS_PK_NONE;
return MBEDTLS_PK_SIGALG_NONE;
}
}
#endif /* MBEDTLS_PK_C &&
@@ -6726,8 +6725,8 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}
@@ -7456,8 +7455,8 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
}
#endif
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}

22
library/ssl_tls12_client.c
View File

@@ -1884,7 +1884,7 @@ start_processing:
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
mbedtls_pk_sigalg_t pk_alg = MBEDTLS_PK_SIGALG_NONE;
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
size_t params_len = (size_t) (p - params);
void *rs_ctx = NULL;
@@ -1908,7 +1908,7 @@ start_processing:
*/
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
sig_alg, &pk_alg, &md_alg) != 0 &&
!mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
!mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
@@ -1922,7 +1922,7 @@ start_processing:
}
p += 2;
if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1,
("bad server key exchange message"));
mbedtls_ssl_send_alert_message(
@@ -1978,7 +1978,7 @@ start_processing:
/*
* Verify signature
*/
if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
mbedtls_ssl_send_alert_message(
ssl,
@@ -1994,7 +1994,7 @@ start_processing:
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
if (pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) {
ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk,
md_alg, hash, hashlen,
p, sig_len);
@@ -2014,7 +2014,7 @@ start_processing:
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
}
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_restartable", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
@@ -2565,8 +2565,8 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}
@@ -2708,7 +2708,7 @@ sign:
out_buf_len - 6 - offset,
&n,
rs_ctx)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_restartable", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
@@ -2725,8 +2725,8 @@ sign:
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}

60
library/ssl_tls12_server.c
View File

@@ -760,7 +760,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
const mbedtls_ssl_ciphersuite_t *suite_info;
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_pk_type_t sig_type;
mbedtls_pk_sigalg_t sig_type;
#endif
suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
@@ -829,7 +829,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
/* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
if (sig_type != MBEDTLS_PK_NONE &&
if (sig_type != MBEDTLS_PK_SIGALG_NONE &&
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
@@ -1608,8 +1608,8 @@ have_ciphersuite:
/* Debugging-only output for testsuite */
#if defined(MBEDTLS_DEBUG_C) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
if (sig_alg != MBEDTLS_PK_NONE) {
mbedtls_pk_sigalg_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
if (sig_alg != MBEDTLS_PK_SIGALG_NONE) {
unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
@@ -2017,8 +2017,8 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}
@@ -2315,7 +2315,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
ret = mbedtls_ssl_write_handshake_msg(ssl);
ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
@@ -2505,7 +2505,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
ret = mbedtls_ssl_write_handshake_msg(ssl);
ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
@@ -2788,7 +2788,7 @@ curve_matching_done:
* to choose appropriate hash.
*/
mbedtls_pk_type_t sig_alg =
mbedtls_pk_sigalg_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
unsigned char sig_hash =
@@ -2799,7 +2799,7 @@ curve_matching_done:
/* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */
if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) {
if (sig_alg == MBEDTLS_PK_SIGALG_NONE || md_alg == MBEDTLS_MD_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
/* (... because we choose a cipher suite
* only if there is a matching hash.) */
@@ -2880,12 +2880,12 @@ curve_matching_done:
* after the call to ssl_prepare_server_key_exchange.
* ssl_write_server_key_exchange also takes care of incrementing
* ssl->out_msglen. */
if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl),
md_alg, hash, hashlen,
ssl->out_msg + ssl->out_msglen + 2,
out_buf_len - ssl->out_msglen - 2,
signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
if ((ret = mbedtls_pk_sign_ext(sig_alg, mbedtls_ssl_own_key(ssl),
md_alg, hash, hashlen,
ssl->out_msg + ssl->out_msglen + 2,
out_buf_len - ssl->out_msglen - 2,
signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_ext", ret);
return ret;
}
}
@@ -2971,8 +2971,8 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}
@@ -2999,8 +2999,8 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
}
#endif
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}
@@ -3324,7 +3324,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
unsigned char hash[48];
unsigned char *hash_start = hash;
size_t hashlen;
mbedtls_pk_type_t pk_alg;
mbedtls_pk_sigalg_t pk_alg;
mbedtls_md_type_t md_alg;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info;
@@ -3416,8 +3416,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
/*
* Signature
*/
if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i]))
== MBEDTLS_PK_NONE) {
if ((pk_alg = mbedtls_ssl_pk_sig_alg_from_sig(ssl->in_msg[i]))
== MBEDTLS_PK_SIGALG_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
" for verify message"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
@@ -3426,7 +3426,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
/*
* Check the certificate's key type matches the signature alg
*/
if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
@@ -3456,10 +3456,10 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
}
}
if ((ret = mbedtls_pk_verify(peer_pk,
md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
if ((ret = mbedtls_pk_verify_ext(pk_alg, peer_pk,
md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
return ret;
}
@@ -3521,8 +3521,8 @@ static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
*/
ssl->handshake->new_session_ticket = 0;
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret;
}

10
library/ssl_tls13_generic.c
View File

@@ -221,7 +221,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
const unsigned char *p = buf;
uint16_t algorithm;
size_t signature_len;
mbedtls_pk_type_t sig_alg;
mbedtls_pk_sigalg_t sig_alg;
mbedtls_md_type_t md_alg;
psa_algorithm_t hash_alg = PSA_ALG_NONE;
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
@@ -261,7 +261,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
goto error;
}
if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
algorithm, &sig_alg, &md_alg) != 0) {
goto error;
}
@@ -277,7 +277,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
/*
* Check the certificate's key type matches the signature alg
*/
if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) {
if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, (mbedtls_pk_type_t) sig_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
goto error;
}
@@ -927,7 +927,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE;
mbedtls_pk_sigalg_t pk_type = MBEDTLS_PK_SIGALG_NONE;
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
unsigned char verify_hash[PSA_HASH_MAX_SIZE];
@@ -945,7 +945,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
continue;
}
if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
*sig_alg, &pk_type, &md_alg) != 0) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}

14
library/x509write_crt.c
View File

@@ -396,7 +396,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
mbedtls_pk_sigalg_t pk_alg;
int write_sig_null_par;
/*
@@ -409,9 +409,9 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
/* There's no direct way of extracting a signature algorithm
* (represented as an element of mbedtls_pk_type_t) from a PK instance. */
if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA)) {
pk_alg = MBEDTLS_PK_RSA;
pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
} else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA)) {
pk_alg = MBEDTLS_PK_ECDSA;
pk_alg = MBEDTLS_PK_SIGALG_ECDSA;
} else {
return MBEDTLS_ERR_X509_INVALID_ALG;
}
@@ -489,7 +489,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
/*
* Signature ::= AlgorithmIdentifier
*/
if (pk_alg == MBEDTLS_PK_ECDSA) {
if (pk_alg == MBEDTLS_PK_SIGALG_ECDSA) {
/*
* The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature
* algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and
@@ -571,8 +571,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
}
if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg,
hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) {
if ((ret = mbedtls_pk_sign_ext(pk_alg, ctx->issuer_key, ctx->md_alg,
hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) {
return ret;
}
@@ -588,7 +588,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c,
sig_oid, sig_oid_len,
sig, sig_len,
(mbedtls_pk_sigalg_t) pk_alg));
pk_alg));
/*
* Memory layout after this step:

19
library/x509write_csr.c
View File

@@ -142,7 +142,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
mbedtls_pk_sigalg_t pk_alg;
size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
@@ -217,20 +217,21 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
&hash_len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0,
sig, sig_size, &sig_len)) != 0) {
return ret;
}
if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) {
pk_alg = MBEDTLS_PK_RSA;
pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
} else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA)) {
pk_alg = MBEDTLS_PK_ECDSA;
pk_alg = MBEDTLS_PK_SIGALG_ECDSA;
} else {
return MBEDTLS_ERR_X509_INVALID_ALG;
}
if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg,
if ((ret = mbedtls_pk_sign_ext(pk_alg, ctx->key, ctx->md_alg, hash, 0,
sig, sig_size, &sig_len)) != 0) {
return ret;
}
if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg,
&sig_oid, &sig_oid_len)) != 0) {
return ret;
}
@@ -249,7 +250,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
c2 = buf + size;
MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len,
mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len,
sig, sig_len, (mbedtls_pk_sigalg_t) pk_alg));
sig, sig_len, pk_alg));
/*
* Compact the space between the CSR data and signature by moving the