From 94f1628aca013c39100cc7c33ac38cbf880a7263 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 2 Oct 2025 13:29:19 +0100 Subject: [PATCH 01/19] Remove dependencies on mbedtls_pk_sign Replace mbedtls_pk_sign with mbedtls_pk_sign_restartable, as mbedtls_pk_sign has now been removed and was origonally a pass through call to mbedtls_pk_sign_restartable. Signed-off-by: Ben Taylor --- library/ssl_tls12_server.c | 4 ++-- library/x509write_crt.c | 4 ++-- library/x509write_csr.c | 4 ++-- programs/ssl/ssl_server2.c | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 07641cb3e8..14b63aadbf 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2880,11 +2880,11 @@ curve_matching_done: * after the call to ssl_prepare_server_key_exchange. * ssl_write_server_key_exchange also takes care of incrementing * ssl->out_msglen. */ - if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), + if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), md_alg, hash, hashlen, ssl->out_msg + ssl->out_msglen + 2, out_buf_len - ssl->out_msglen - 2, - signature_len)) != 0) { + signature_len, NULL)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); return ret; } diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 663b308d62..e34a4636bb 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -571,8 +571,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, } - if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg, - hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) { + if ((ret = mbedtls_pk_sign_restartable(ctx->issuer_key, ctx->md_alg, + hash, hash_length, sig, sizeof(sig), &sig_len, NULL)) != 0) { return ret; } diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 8e37278f95..a7d0cb513b 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c 
@@ -217,8 +217,8 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, &hash_len) != PSA_SUCCESS) { return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; } - if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0, - sig, sig_size, &sig_len)) != 0) { + if ((ret = mbedtls_pk_sign_restartable(ctx->key, ctx->md_alg, hash, 0, + sig, sig_size, &sig_len, NULL)) != 0) { return ret; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 64fd45952f..3db13132d1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1243,10 +1243,10 @@ static int ssl_async_resume(mbedtls_ssl_context *ssl, switch (ctx->operation_type) { case ASYNC_OP_SIGN: - ret = mbedtls_pk_sign(key_slot->pk, + ret = mbedtls_pk_sign_restartable(key_slot->pk, ctx->md_alg, ctx->input, ctx->input_len, - output, output_size, output_len); + output, output_size, output_len, NULL); break; default: mbedtls_printf( From 279dd4ab5938cb8d2fe565f89685c141e9da6767 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 2 Oct 2025 13:39:33 +0100 Subject: [PATCH 02/19] Remove dependencies on mbedtls_pk_verify Replace mbedtls_pk_verify with mbedtls_pk_verify_restartable, as mbedtls_pk_verify has now been removed and was origonally a pass through call to mbedtls_pk_verify_restartable. Signed-off-by: Ben Taylor --- library/pkcs7.c | 4 ++-- library/ssl_tls12_server.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 3481cbdb1b..5810506c34 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -704,9 +704,9 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, * failed to validate'. */ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { - ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash, + ret = mbedtls_pk_verify_restartable(&pk_cxt, md_alg, hash, mbedtls_md_get_size(md_info), - signer->sig.p, signer->sig.len); + signer->sig.p, signer->sig.len, NULL); if (ret == 0) { break; 
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 14b63aadbf..9faf74134e 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -3456,9 +3456,9 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) } } - if ((ret = mbedtls_pk_verify(peer_pk, + if ((ret = mbedtls_pk_verify_restartable(peer_pk, md_alg, hash_start, hashlen, - ssl->in_msg + i, sig_len)) != 0) { + ssl->in_msg + i, sig_len, NULL)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); return ret; } From c3e2b375305a9d3f0cc550eca80c9bf856a0823c Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 2 Oct 2025 14:48:16 +0100 Subject: [PATCH 03/19] Remove mbedtls_ssl_write_handshake_msg as it now replaced by mbedtls_ssl_write_handshake_msg_ext Signed-off-by: Ben Taylor --- library/ssl_client.c | 2 +- library/ssl_misc.h | 5 ----- library/ssl_msg.c | 2 +- library/ssl_tls.c | 6 +++--- library/ssl_tls12_client.c | 4 ++-- library/ssl_tls12_server.c | 12 ++++++------ 6 files changed, 13 insertions(+), 18 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 307da0fabb..10d4952198 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -943,7 +943,7 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) */ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 0df7f96360..6462917093 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
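Review bot: The new call `mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)` in mbedtls_ssl_write_client_hello replaces a wrapper whose body spelled out what the two constants mean (`1 /* update checksum */, 1 /* force flush */`, visible in the removed inline in the ssl_misc.h hunk), and the bare `1, 1` at each call site loses that. Suggest writing the call as `mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */)` here and at the identical sites this patch touches in ssl_msg.c, ssl_tls.c (three hunks), ssl_tls12_client.c (two) and ssl_tls12_server.c (six), so a reader does not have to open the header to learn which flag is which. The enclosing function continues outside the hunk.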
@@ -1436,11 +1436,6 @@ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, int update_checksum, int force_flush); -static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) -{ - return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */); -} - /* * Write handshake message tail */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 731cbc8ece..6f7d2b9b9b 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5028,7 +5028,7 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 833af9f973..6259f2d4db 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4247,7 +4247,7 @@ static int ssl_write_hello_request(mbedtls_ssl_context *ssl) ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } @@ -6726,7 +6726,7 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } 
@@ -7456,7 +7456,7 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) } #endif - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 91f500294f..a05b107f80 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2565,7 +2565,7 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } @@ -2725,7 +2725,7 @@ sign: mbedtls_ssl_handshake_increment_state(ssl); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 9faf74134e..cdbf917f20 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2017,7 +2017,7 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } @@ -2315,7 +2315,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl) ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; - ret = mbedtls_ssl_write_handshake_msg(ssl); + ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1); MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); 
@@ -2505,7 +2505,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); - ret = mbedtls_ssl_write_handshake_msg(ssl); + ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1); MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); @@ -2971,7 +2971,7 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } @@ -2999,7 +2999,7 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) } #endif - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } @@ -3521,7 +3521,7 @@ static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) */ ssl->handshake->new_session_ticket = 0; - if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { + if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); return ret; } From 5e230932854ee6eb2c9a0590f58b5579842dcf43 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 2 Oct 2025 15:29:51 +0100 Subject: [PATCH 04/19] Fix code style issues Signed-off-by: Ben Taylor --- library/pkcs7.c | 4 ++-- library/ssl_tls12_server.c | 12 ++++++------ library/x509write_crt.c | 3 ++- library/x509write_csr.c | 2 +- programs/ssl/ssl_server2.c | 6 +++--- 5 files changed, 14 insertions(+), 13 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 5810506c34..dda15725a6 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
@@ -705,8 +705,8 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, */ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { ret = mbedtls_pk_verify_restartable(&pk_cxt, md_alg, hash, - mbedtls_md_get_size(md_info), - signer->sig.p, signer->sig.len, NULL); + mbedtls_md_get_size(md_info), + signer->sig.p, signer->sig.len, NULL); if (ret == 0) { break; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index cdbf917f20..a8bd02e539 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2881,10 +2881,10 @@ curve_matching_done: * ssl_write_server_key_exchange also takes care of incrementing * ssl->out_msglen. */ if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), - md_alg, hash, hashlen, - ssl->out_msg + ssl->out_msglen + 2, - out_buf_len - ssl->out_msglen - 2, - signature_len, NULL)) != 0) { + md_alg, hash, hashlen, + ssl->out_msg + ssl->out_msglen + 2, + out_buf_len - ssl->out_msglen - 2, + signature_len, NULL)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); return ret; } @@ -3457,8 +3457,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) } if ((ret = mbedtls_pk_verify_restartable(peer_pk, - md_alg, hash_start, hashlen, - ssl->in_msg + i, sig_len, NULL)) != 0) { + md_alg, hash_start, hashlen, + ssl->in_msg + i, sig_len, NULL)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); return ret; } diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e34a4636bb..d06e5f5232 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -572,7 +572,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, if ((ret = mbedtls_pk_sign_restartable(ctx->issuer_key, ctx->md_alg, - hash, hash_length, sig, sizeof(sig), &sig_len, NULL)) != 0) { + hash, hash_length, sig, sizeof(sig), &sig_len, + NULL)) != 0) { return ret; } diff --git a/library/x509write_csr.c b/library/x509write_csr.c index a7d0cb513b..c50482ddcd 100644 
--- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -218,7 +218,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; } if ((ret = mbedtls_pk_sign_restartable(ctx->key, ctx->md_alg, hash, 0, - sig, sig_size, &sig_len, NULL)) != 0) { + sig, sig_size, &sig_len, NULL)) != 0) { return ret; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 3db13132d1..de27d6eec8 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1244,9 +1244,9 @@ static int ssl_async_resume(mbedtls_ssl_context *ssl, switch (ctx->operation_type) { case ASYNC_OP_SIGN: ret = mbedtls_pk_sign_restartable(key_slot->pk, - ctx->md_alg, - ctx->input, ctx->input_len, - output, output_size, output_len, NULL); + ctx->md_alg, + ctx->input, ctx->input_len, + output, output_size, output_len, NULL); break; default: mbedtls_printf( From cef9d2d31f83ee90bf6c2891fa8d52ebd75adc38 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 13 Oct 2025 11:29:27 +0100 Subject: [PATCH 05/19] Revert change to mbedtls_pk_{sign,verify}_restartable and replace with ext version Signed-off-by: Ben Taylor --- library/pkcs7.c | 6 +++--- library/ssl_tls12_server.c | 16 ++++++++-------- library/x509write_crt.c | 5 ++--- programs/ssl/ssl_server2.c | 8 ++++---- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index dda15725a6..ba4529d3e9 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c 
@@ -704,9 +704,9 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, * failed to validate'. */ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { - ret = mbedtls_pk_verify_restartable(&pk_cxt, md_alg, hash, - mbedtls_md_get_size(md_info), - signer->sig.p, signer->sig.len, NULL); + ret = mbedtls_pk_verify_ext(MBEDTLS_PK_SIGALG_RSA_PKCS1V15, &pk_cxt, md_alg, hash, + mbedtls_md_get_size(md_info), + signer->sig.p, signer->sig.len); if (ret == 0) { break; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index a8bd02e539..8f3b5d2492 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2880,11 +2880,11 @@ curve_matching_done: * after the call to ssl_prepare_server_key_exchange. * ssl_write_server_key_exchange also takes care of incrementing * ssl->out_msglen. */ - if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl), - md_alg, hash, hashlen, - ssl->out_msg + ssl->out_msglen + 2, - out_buf_len - ssl->out_msglen - 2, - signature_len, NULL)) != 0) { + if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) sig_alg, mbedtls_ssl_own_key(ssl), + md_alg, hash, hashlen, + ssl->out_msg + ssl->out_msglen + 2, + out_buf_len - ssl->out_msglen - 2, + signature_len)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); return ret; } @@ -3456,9 +3456,9 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) } } - if ((ret = mbedtls_pk_verify_restartable(peer_pk, - md_alg, hash_start, hashlen, - ssl->in_msg + i, sig_len, NULL)) != 0) { + if ((ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, + md_alg, hash_start, hashlen, + ssl->in_msg + i, sig_len)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); return ret; } diff --git a/library/x509write_crt.c b/library/x509write_crt.c index d06e5f5232..ba2387e046 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c 
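Review bot: The verifying algorithm is now pinned to `MBEDTLS_PK_SIGALG_RSA_PKCS1V15` in the mbedtls_pk_verify_ext call, whereas the replaced mbedtls_pk_verify_restartable call let the key in pk_cxt determine it, and nothing in the hunk says why the fixed choice is right for every signer. Having the verifier choose the algorithm rather than inferring it from the key or the signed data is the safer direction, but the restriction should be stated, e.g. above the loop: `/* Signers are always verified as RSA PKCS#1 v1.5; the algorithm is fixed here, never derived from the key or the signed data. */`. If pkcs7.c already rejects non-RSA signer keys elsewhere (not visible in this hunk), a pointer to that check is enough; otherwise a non-RSA signer now fails here rather than where the key is parsed, which is worth a line in the commit message. The enclosing loop and function continue outside the hunk.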
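Review bot: Both ssl_tls12_server.c hunks convert an `mbedtls_pk_type_t` to the new algorithm type by a plain cast, `(mbedtls_pk_sigalg_t) sig_alg` in the server key-exchange signing path and `(mbedtls_pk_sigalg_t) pk_alg` in ssl_parse_certificate_verify, where `sig_alg` comes from mbedtls_ssl_get_ciphersuite_sig_pk_alg and `pk_alg` from mbedtls_ssl_pk_alg_from_sig, both still returning mbedtls_pk_type_t at this point in the series. The two enums are distinct types and nothing on the page shows that MBEDTLS_PK_RSA/MBEDTLS_PK_ECDSA share values with MBEDTLS_PK_SIGALG_RSA_PKCS1V15/MBEDTLS_PK_SIGALG_ECDSA, so the cast silently depends on enumerator layout; an explicit switch-based mapping, or having those helpers return mbedtls_pk_sigalg_t (which the last patch of the series does for sig_alg only), keeps the conversion checkable by the compiler. The same cast appears in the x509write_crt.c hunk of this patch and in x509write_csr.c, where the file already uses it for mbedtls_x509_oid_get_oid_by_sig_alg, so it may be an established convention there; if so, a one-line comment that the two enums are kept value-compatible would document the dependency. In ssl_parse_certificate_verify the algorithm is now taken from the peer-advertised signature byte rather than from peer_pk itself, so the check that peer_pk can actually perform pk_alg (outside the hunk, if present) is what prevents an algorithm mismatch and must stay ahead of this call.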
@@ -571,9 +571,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, } - if ((ret = mbedtls_pk_sign_restartable(ctx->issuer_key, ctx->md_alg, - hash, hash_length, sig, sizeof(sig), &sig_len, - NULL)) != 0) { + if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->issuer_key, ctx->md_alg, + hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) { return ret; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index de27d6eec8..64fd45952f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1243,10 +1243,10 @@ static int ssl_async_resume(mbedtls_ssl_context *ssl, switch (ctx->operation_type) { case ASYNC_OP_SIGN: - ret = mbedtls_pk_sign_restartable(key_slot->pk, - ctx->md_alg, - ctx->input, ctx->input_len, - output, output_size, output_len, NULL); + ret = mbedtls_pk_sign(key_slot->pk, + ctx->md_alg, + ctx->input, ctx->input_len, + output, output_size, output_len); break; default: mbedtls_printf( From 2c056721d152f11a485aa2ff20933c7ce79cd2f8 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 13 Oct 2025 11:43:54 +0100 Subject: [PATCH 06/19] Tidy up debug of non ext functions Signed-off-by: Ben Taylor --- library/ssl_client.c | 2 +- library/ssl_msg.c | 2 +- library/ssl_tls.c | 6 +++--- library/ssl_tls12_client.c | 8 ++++---- library/ssl_tls12_server.c | 12 ++++++------ 5 files changed, 15 insertions(+), 15 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 10d4952198..6fe6dd8fe6 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -944,7 +944,7 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } 
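Review bot: The ssl_server2.c hunk restores the original `mbedtls_pk_sign(key_slot->pk, ...)` call (the index line shows the file returning to its pre-series blob 64fd45952f), yet the first patch in this series states that mbedtls_pk_sign has been removed; as far as this series shows, one of the two cannot hold. If the function is really gone the sample program no longer builds, and if it still exists the earlier commit message overstates the removal. Either way the sample would be clearer using the same API as the library paths changed in this patch, e.g. `mbedtls_pk_sign_ext(<alg for key_slot->pk>, key_slot->pk, ctx->md_alg, ctx->input, ctx->input_len, output, output_size, output_len)` with the algorithm selected the way the library code does, or a sentence in the commit message saying why the program keeps the old entry point. ssl_async_resume continues outside the hunk.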
diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 6f7d2b9b9b..0cb2f00c12 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5029,7 +5029,7 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6259f2d4db..8a35a5753e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4248,7 +4248,7 @@ static int ssl_write_hello_request(mbedtls_ssl_context *ssl) ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } @@ -6727,7 +6727,7 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } @@ -7457,7 +7457,7 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) #endif if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index a05b107f80..a8800904f7 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
@@ -2014,7 +2014,7 @@ start_processing: MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); } - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; @@ -2566,7 +2566,7 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } @@ -2708,7 +2708,7 @@ sign: out_buf_len - 6 - offset, &n, rs_ctx)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_ext", ret); #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; @@ -2726,7 +2726,7 @@ sign: mbedtls_ssl_handshake_increment_state(ssl); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 8f3b5d2492..34971dfab2 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2018,7 +2018,7 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } 
@@ -2885,7 +2885,7 @@ curve_matching_done: ssl->out_msg + ssl->out_msglen + 2, out_buf_len - ssl->out_msglen - 2, signature_len)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_ext", ret); return ret; } } @@ -2972,7 +2972,7 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_increment_state(ssl); if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } @@ -3000,7 +3000,7 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl) #endif if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } @@ -3459,7 +3459,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) if ((ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, md_alg, hash_start, hashlen, ssl->in_msg + i, sig_len)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); return ret; } @@ -3522,7 +3522,7 @@ static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl) ssl->handshake->new_session_ticket = 0; if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret); return ret; } From 1b32994bef6e7e8b43aa190d183256a1bab9de4d Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 13 Oct 2025 12:00:21 +0100 Subject: [PATCH 07/19] Fix style issues Signed-off-by: Ben Taylor --- library/pkcs7.c | 4 ++-- library/ssl_tls12_server.c | 12 ++++++------ library/x509write_crt.c | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/library/pkcs7.c b/library/pkcs7.c index ba4529d3e9..10d008a923 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -705,8 +705,8 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, */ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { ret = mbedtls_pk_verify_ext(MBEDTLS_PK_SIGALG_RSA_PKCS1V15, &pk_cxt, md_alg, hash, - mbedtls_md_get_size(md_info), - signer->sig.p, signer->sig.len); + mbedtls_md_get_size(md_info), + signer->sig.p, signer->sig.len); if (ret == 0) { break; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 34971dfab2..3511016080 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2881,10 +2881,10 @@ curve_matching_done: * ssl_write_server_key_exchange also takes care of incrementing * ssl->out_msglen. */ if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) sig_alg, mbedtls_ssl_own_key(ssl), - md_alg, hash, hashlen, - ssl->out_msg + ssl->out_msglen + 2, - out_buf_len - ssl->out_msglen - 2, - signature_len)) != 0) { + md_alg, hash, hashlen, + ssl->out_msg + ssl->out_msglen + 2, + out_buf_len - ssl->out_msglen - 2, + signature_len)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_ext", ret); return ret; } @@ -3457,8 +3457,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) } if ((ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, - md_alg, hash_start, hashlen, - ssl->in_msg + i, sig_len)) != 0) { + md_alg, hash_start, hashlen, + ssl->in_msg + i, sig_len)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); return ret; } diff --git a/library/x509write_crt.c b/library/x509write_crt.c index ba2387e046..6399527f82 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c 
@@ -572,7 +572,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->issuer_key, ctx->md_alg, - hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) { + hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) { return ret; } From b190c1bb0b9ddbe69c58f86f6316231219b2af5c Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 21 Oct 2025 08:32:33 +0100 Subject: [PATCH 08/19] Replace change to restartable with ext Signed-off-by: Ben Taylor --- library/x509write_csr.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index c50482ddcd..5755a42b49 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -217,10 +217,6 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, &hash_len) != PSA_SUCCESS) { return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; } - if ((ret = mbedtls_pk_sign_restartable(ctx->key, ctx->md_alg, hash, 0, - sig, sig_size, &sig_len, NULL)) != 0) { - return ret; - } if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) { pk_alg = MBEDTLS_PK_RSA; @@ -230,6 +226,11 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, return MBEDTLS_ERR_X509_INVALID_ALG; } + if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->key, ctx->md_alg, hash, 0, + sig, sig_size, &sig_len)) != 0) { + return ret; + } + if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len)) != 0) { return ret; From 10d471a14dd324ff0abb2f34916d6c8c8aa76cf6 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 21 Oct 2025 08:36:02 +0100 Subject: [PATCH 09/19] Correct debug return Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index a8800904f7..140e00555b 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
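Review bot: The relocated signing call still passes `0` as the hash length, `mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->key, ctx->md_alg, hash, 0, sig, sig_size, &sig_len)`, although `hash_len` was just produced by the PSA hash call a few lines above in the first hunk. Passing `hash, hash_len,` costs nothing and lets the signer check the buffer it actually receives instead of relying on the callee to infer the length from ctx->md_alg; if 0 is documented to mean "derive from md_alg" the change is purely a robustness one, but the explicit value is already available. Moving the call after the pk_alg selection is the right order now that the algorithm is an explicit argument. The enclosing function x509write_csr_der_internal begins and ends outside the hunk.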
@@ -2014,7 +2014,7 @@ start_processing: MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); } - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_restartable", ret); #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; From 4b4ca812e51940df8dd5d58b15ba48f0c774e330 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 21 Oct 2025 08:37:41 +0100 Subject: [PATCH 10/19] Corrected debug return Signed-off-by: Ben Taylor --- library/ssl_tls12_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 140e00555b..165ef760ac 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2708,7 +2708,7 @@ sign: out_buf_len - 6 - offset, &n, rs_ctx)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_ext", ret); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_restartable", ret); #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; From a2de40a1009552adece510fcd22916ab9ed3ff59 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 21 Oct 2025 10:42:09 +0100 Subject: [PATCH 11/19] Change the return type of mbedtls_ssl_get_ciphersuite_sig_pk_alg to mbedtls_pk_sigalg_t Signed-off-by: Ben Taylor --- library/ssl_ciphersuites.c | 16 ++++++++-------- library/ssl_ciphersuites_internal.h | 4 ++-- library/ssl_misc.h | 2 +- library/ssl_tls.c | 7 +++---- library/ssl_tls12_server.c | 12 ++++++------ 5 files changed, 20 insertions(+), 21 deletions(-) diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index d61932cb95..2809a1424a 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c 
@@ -902,17 +902,17 @@ size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersui } #if defined(MBEDTLS_PK_C) -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info) +mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info) { switch (info->key_exchange) { case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - return MBEDTLS_PK_RSA; + return MBEDTLS_PK_SIGALG_RSA_PKCS1V15; case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - return MBEDTLS_PK_ECDSA; + return MBEDTLS_PK_SIGALG_ECDSA; default: - return MBEDTLS_PK_NONE; + return MBEDTLS_PK_SIGALG_NONE; } } @@ -943,17 +943,17 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c } } -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info) +mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info) { switch (info->key_exchange) { case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - return MBEDTLS_PK_RSA; + return MBEDTLS_PK_SIGALG_RSA_PKCS1V15; case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: - return MBEDTLS_PK_ECDSA; + return MBEDTLS_PK_SIGALG_ECDSA; default: - return MBEDTLS_PK_NONE; + return MBEDTLS_PK_SIGALG_NONE; } } diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h index 524e419f47..9a9b42b998 100644 --- a/library/ssl_ciphersuites_internal.h +++ b/library/ssl_ciphersuites_internal.h 
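Review bot: After the return-type change, mbedtls_ssl_get_ciphersuite_sig_pk_alg and mbedtls_ssl_get_ciphersuite_sig_alg have byte-identical bodies (the same three-way switch on info->key_exchange), and the first name now promises a pk algorithm while returning a signature algorithm. Since both are being touched anyway, one could be defined in terms of the other, `return mbedtls_ssl_get_ciphersuite_sig_pk_alg(info);`, or the declarations in ssl_ciphersuites_internal.h could state what distinguishes them so the next reader does not merge them by mistake. The duplication predates this patch, so this is a point of style rather than a defect.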
@@ -16,10 +16,10 @@ #endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #if defined(MBEDTLS_PK_C) -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info); +mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info); psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info); psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info); -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info); +mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info); #endif /* MBEDTLS_PK_C */ int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6462917093..cf3791e900 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1510,7 +1510,7 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( #if defined(MBEDTLS_PK_C) unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); -unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); +unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type); mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8a35a5753e..9c6f236ded 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5619,13 +5619,12 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) return MBEDTLS_SSL_SIG_ANON; } -unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) +unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type) { switch (type) { - case MBEDTLS_PK_RSA: + case MBEDTLS_PK_SIGALG_RSA_PKCS1V15: return MBEDTLS_SSL_SIG_RSA; - case MBEDTLS_PK_ECDSA: - case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_SIGALG_ECDSA: return MBEDTLS_SSL_SIG_ECDSA; default: return MBEDTLS_SSL_SIG_ANON; 
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 3511016080..6f88d31e3e 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -760,7 +760,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, const mbedtls_ssl_ciphersuite_t *suite_info; #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - mbedtls_pk_type_t sig_type; + mbedtls_pk_sigalg_t sig_type; #endif suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); @@ -829,7 +829,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id, /* If the ciphersuite requires signing, check whether * a suitable hash algorithm is present. */ sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); - if (sig_type != MBEDTLS_PK_NONE && + if (sig_type != MBEDTLS_PK_SIGALG_NONE && mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " @@ -1608,8 +1608,8 @@ have_ciphersuite: /* Debugging-only output for testsuite */ #if defined(MBEDTLS_DEBUG_C) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); - if (sig_alg != MBEDTLS_PK_NONE) { + mbedtls_pk_sigalg_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); + if (sig_alg != MBEDTLS_PK_SIGALG_NONE) { unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", @@ -2788,7 +2788,7 @@ curve_matching_done: * to choose appropriate hash. */ - mbedtls_pk_type_t sig_alg = + mbedtls_pk_sigalg_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); unsigned char sig_hash = 
@@ -2799,7 +2799,7 @@ curve_matching_done: /* For TLS 1.2, obey signature-hash-algorithm extension * (RFC 5246, Sec. 7.4.1.4.1). */ - if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { + if (sig_alg == MBEDTLS_PK_SIGALG_NONE || md_alg == MBEDTLS_MD_NONE) { MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); /* (... because we choose a cipher suite * only if there is a matching hash.) */ From bc076f9f76f4a2cef01d92b242a2cc2111fd91ca Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 21 Oct 2025 10:49:47 +0100 Subject: [PATCH 12/19] fix style isses Signed-off-by: Ben Taylor --- library/x509write_csr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 5755a42b49..e7f547f03b 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -227,7 +227,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, } if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->key, ctx->md_alg, hash, 0, - sig, sig_size, &sig_len)) != 0) { + sig, sig_size, &sig_len)) != 0) { return ret; } From 4565d5d4e613ed412d2a2235c2c4d2fa84ef69bd Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 30 Oct 2025 13:37:09 +0000 Subject: [PATCH 13/19] Change the call to mbedtls_pk_verify_ext in pkcs7 to have a variable input cert->sig_pk Signed-off-by: Ben Taylor --- library/pkcs7.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pkcs7.c b/library/pkcs7.c index 10d008a923..2cc7812bf0 100644 --- a/library/pkcs7.c +++ b/library/pkcs7.c @@ -704,7 +704,7 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7, * failed to validate'. */ for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { - ret = mbedtls_pk_verify_ext(MBEDTLS_PK_SIGALG_RSA_PKCS1V15, &pk_cxt, md_alg, hash, + ret = mbedtls_pk_verify_ext(cert->sig_pk, &pk_cxt, md_alg, hash, mbedtls_md_get_size(md_info), signer->sig.p, signer->sig.len); 
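Review bot: `cert->sig_pk` is the wrong source for the verification scheme on the new line in pkcs7.c: in an `mbedtls_x509_crt` it records the algorithm the issuer used to sign the certificate, not the algorithm the PKCS#7 signer used with the certificate's own key, which is what `pk_cxt` is verified against. Whenever issuer and subject use different schemes (an ECDSA-signed certificate carrying an RSA key, or the reverse), `mbedtls_pk_verify_ext` is now asked to check the signature under the issuer's scheme, so valid SignedData that the previous hard-coded `MBEDTLS_PK_SIGALG_RSA_PKCS1V15` accepted will fail. The scheme should instead be derived from the SignerInfo's signatureAlgorithm (parsed into `signer->sig_alg_identifier`, if this tree still keeps that field) or at least from the type of the key in `pk_cxt`, and validated against that key before use. `cert` and `pk_cxt` are set up outside the hunk and `mbedtls_pkcs7_data_or_hash_verify` begins and ends outside it, so the origin of `cert` should be confirmed.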
From 0035cfb1f05b7a90fc786169349cc1eccc61f6f1 Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Thu, 30 Oct 2025 13:42:30 +0000
Subject: [PATCH 14/19] Removed unnecessary cast in mbedtls_pk_sign_ext
Signed-off-by: Ben Taylor
---
 library/ssl_tls12_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 6f88d31e3e..0dffb91064 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2880,7 +2880,7 @@ curve_matching_done:
 * after the call to ssl_prepare_server_key_exchange.
 * ssl_write_server_key_exchange also takes care of incrementing
 * ssl->out_msglen. */
- if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) sig_alg, mbedtls_ssl_own_key(ssl),
+ if ((ret = mbedtls_pk_sign_ext(sig_alg, mbedtls_ssl_own_key(ssl),
 md_alg, hash, hashlen,
 ssl->out_msg + ssl->out_msglen + 2,
 out_buf_len - ssl->out_msglen - 2,
From 5f037c7fb3e71ec7e6160cc329e362bc42ca9018 Mon Sep 17 00:00:00 2001
From: Ben Taylor
Date: Thu, 30 Oct 2025 14:59:24 +0000
Subject: [PATCH 15/19] Rename mbedtls_ssl_pk_alg_from_sig to mbedtls_ssl_pk_alg_from_sig_pk_alg and update to use mbedtls_pk_sigalg_t
Signed-off-by: Ben Taylor
---
 library/ssl_misc.h | 14 +++++++-------
 library/ssl_tls.c | 8 ++++----
 library/ssl_tls12_client.c | 8 ++++----
 library/ssl_tls12_server.c | 10 +++++-----
 library/ssl_tls13_generic.c | 6 +++---
 5 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index cf3791e900..41b3cd0e3e 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1511,7 +1511,7 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( #if defined(MBEDTLS_PK_C) unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type); -mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); +mbedtls_pk_sigalg_t mbedtls_ssl_pk_alg_from_sig_pk_alg(unsigned char sig); #endif mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); @@ -2410,12 +2410,12 @@ static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, } static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( - uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) + uint16_t sig_alg, mbedtls_pk_sigalg_t *pk_type, mbedtls_md_type_t *md_alg) { - *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); + *pk_type = mbedtls_ssl_pk_alg_from_sig_pk_alg(sig_alg & 0xff); *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); - if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { + if (*pk_type != MBEDTLS_PK_SIGALG_NONE && *md_alg != MBEDTLS_MD_NONE) { return 0; } @@ -2424,19 +2424,19 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: *md_alg = MBEDTLS_MD_SHA256; - *pk_type = MBEDTLS_PK_RSASSA_PSS; + *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_256 */ #if defined(PSA_WANT_ALG_SHA_384) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: *md_alg = MBEDTLS_MD_SHA384; - *pk_type = MBEDTLS_PK_RSASSA_PSS; + *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_384 */ #if defined(PSA_WANT_ALG_SHA_512) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: *md_alg = MBEDTLS_MD_SHA512; - *pk_type = MBEDTLS_PK_RSASSA_PSS; + *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_512 */ #endif /* PSA_WANT_ALG_RSA_PSS */ 
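Review bot: the first output parameter of `mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg` changes type to `mbedtls_pk_sigalg_t *` but keeps the name `pk_type`, and the fallback switch below still writes signature schemes into a variable called `pk_type`; the later rename in this series (patch 19/19) renames the function but not the parameter. Renaming it to `mbedtls_pk_sigalg_t *pk_sigalg` in the signature and in the three `*pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;` assignments would keep the name honest, and the TLS 1.3 callers' local `pk_type` could follow. The function body continues past the end of this hunk.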
diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9c6f236ded..07e5824858 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5631,19 +5631,19 @@ unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type) } } -mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) +mbedtls_pk_sigalg_t mbedtls_ssl_pk_alg_from_sig_pk_alg(unsigned char sig) { switch (sig) { #if defined(MBEDTLS_RSA_C) case MBEDTLS_SSL_SIG_RSA: - return MBEDTLS_PK_RSA; + return MBEDTLS_PK_SIGALG_RSA_PKCS1V15; #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) case MBEDTLS_SSL_SIG_ECDSA: - return MBEDTLS_PK_ECDSA; + return MBEDTLS_PK_SIGALG_ECDSA; #endif default: - return MBEDTLS_PK_NONE; + return MBEDTLS_PK_SIGALG_NONE; } } #endif /* MBEDTLS_PK_C && diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 165ef760ac..482fd46182 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1884,7 +1884,7 @@ start_processing: unsigned char hash[MBEDTLS_MD_MAX_SIZE]; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; - mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; + mbedtls_pk_sigalg_t pk_alg = MBEDTLS_PK_SIGALG_NONE; unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); size_t params_len = (size_t) (p - params); void *rs_ctx = NULL; @@ -1922,7 +1922,7 @@ start_processing: } p += 2; - if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); mbedtls_ssl_send_alert_message( @@ -1978,7 +1978,7 @@ start_processing: /* * Verify signature */ - if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); mbedtls_ssl_send_alert_message( ssl, 
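Review bot: the new `(mbedtls_pk_type_t) pk_alg` casts passed to `mbedtls_pk_can_do` in both ssl_tls12_client.c hunks here (and likewise in `ssl_parse_certificate_verify` in ssl_tls12_server.c and `ssl_tls13_parse_certificate_verify` in ssl_tls13_generic.c) are only correct if every `mbedtls_pk_sigalg_t` value is numerically equal to the `mbedtls_pk_type_t` value it stands for, and nothing in this series pins that down. This is the check that ties the peer's advertised signature algorithm to the certificate's key type, so if the two enums ever diverge the comparison silently tests the wrong key type instead of failing to compile. An explicit mapping helper beside `mbedtls_ssl_sig_from_pk_alg` in ssl_misc.h, or at least a static assertion of the assumed equalities next to the first cast, would make the dependency visible and give the four call sites one place to change. The enclosing functions start and end outside these hunks.
```c
/* Key type that can carry a signature of the given scheme; keeps the
 * sigalg -> pk_type relationship in one place instead of a raw cast. */
static inline mbedtls_pk_type_t mbedtls_ssl_pk_type_from_sigalg(mbedtls_pk_sigalg_t alg)
{
    switch (alg) {
        case MBEDTLS_PK_SIGALG_RSA_PKCS1V15:
            return MBEDTLS_PK_RSA;
        case MBEDTLS_PK_SIGALG_RSA_PSS:
            return MBEDTLS_PK_RSASSA_PSS;
        case MBEDTLS_PK_SIGALG_ECDSA:
            return MBEDTLS_PK_ECDSA;
        default:
            return MBEDTLS_PK_NONE;
    }
}

/* … unchanged: signature_algorithms parsing … */
if (!mbedtls_pk_can_do(peer_pk, mbedtls_ssl_pk_type_from_sigalg(pk_alg))) {
```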
@@ -1994,7 +1994,7 @@ start_processing: #endif #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { + if (pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) { ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 0dffb91064..09d872bfbb 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -3324,7 +3324,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) unsigned char hash[48]; unsigned char *hash_start = hash; size_t hashlen; - mbedtls_pk_type_t pk_alg; + mbedtls_pk_sigalg_t pk_alg; mbedtls_md_type_t md_alg; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info; @@ -3416,8 +3416,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) /* * Signature */ - if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) - == MBEDTLS_PK_NONE) { + if ((pk_alg = mbedtls_ssl_pk_alg_from_sig_pk_alg(ssl->in_msg[i])) + == MBEDTLS_PK_SIGALG_NONE) { MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" " for verify message")); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; @@ -3426,7 +3426,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) /* * Check the certificate's key type matches the signature alg */ - if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } @@ -3456,7 +3456,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) } } - if ((ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, + if ((ret = mbedtls_pk_verify_ext(pk_alg, peer_pk, md_alg, hash_start, hashlen, ssl->in_msg + i, sig_len)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); 
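Review bot: the `(mbedtls_pk_sigalg_t) pk_alg` cast in the `mbedtls_pk_verify_ext` call inside the RSASSA-PSS branch of ssl_tls12_client.c is now a no-op, since `pk_alg` became `mbedtls_pk_sigalg_t` in the same file, yet the series strips the equivalent casts in `ssl_parse_certificate_verify` below and in the x509 writers while leaving this one. Dropping it, `ret = mbedtls_pk_verify_ext(pk_alg, peer_pk,`, keeps the client and server paths consistent. That call is a context line in this hunk, so it needs its own change; the enclosing function starts and ends outside the hunk.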
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 748efb4815..6aabf4e58e 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -221,7 +221,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, const unsigned char *p = buf; uint16_t algorithm; size_t signature_len; - mbedtls_pk_type_t sig_alg; + mbedtls_pk_sigalg_t sig_alg; mbedtls_md_type_t md_alg; psa_algorithm_t hash_alg = PSA_ALG_NONE; unsigned char verify_hash[PSA_HASH_MAX_SIZE]; @@ -277,7 +277,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, /* * Check the certificate's key type matches the signature alg */ - if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) { + if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, (mbedtls_pk_type_t) sig_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key")); goto error; } @@ -927,7 +927,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; + mbedtls_pk_sigalg_t pk_type = MBEDTLS_PK_SIGALG_NONE; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; psa_algorithm_t psa_algorithm = PSA_ALG_NONE; unsigned char verify_hash[PSA_HASH_MAX_SIZE]; From 00b04a6590d078d2e3cef1837dbf6b36fc5ec9a8 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 30 Oct 2025 15:11:09 +0000 Subject: [PATCH 16/19] Update mbedtls_pk_sign_ext in x509write_crt.c to use mbedtls_pk_sigalg_t directly and remove casts Signed-off-by: Ben Taylor --- library/x509write_crt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 6399527f82..e4cdd5064b 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c 
@@ -396,7 +396,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; - mbedtls_pk_type_t pk_alg; + mbedtls_pk_sigalg_t pk_alg; int write_sig_null_par; /* @@ -409,9 +409,9 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, /* There's no direct way of extracting a signature algorithm * (represented as an element of mbedtls_pk_type_t) from a PK instance. */ if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA)) { - pk_alg = MBEDTLS_PK_RSA; + pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15; } else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA)) { - pk_alg = MBEDTLS_PK_ECDSA; + pk_alg = MBEDTLS_PK_SIGALG_ECDSA; } else { return MBEDTLS_ERR_X509_INVALID_ALG; } @@ -489,7 +489,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, /* * Signature ::= AlgorithmIdentifier */ - if (pk_alg == MBEDTLS_PK_ECDSA) { + if (pk_alg == MBEDTLS_PK_SIGALG_ECDSA) { /* * The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature * algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and @@ -571,7 +571,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, } - if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->issuer_key, ctx->md_alg, + if ((ret = mbedtls_pk_sign_ext(pk_alg, ctx->issuer_key, ctx->md_alg, hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) { return ret; } @@ -588,7 +588,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c, sig_oid, sig_oid_len, sig, sig_len, - (mbedtls_pk_sigalg_t) pk_alg)); + pk_alg)); /* * Memory layout after this step: From f21e63c6d026364537b21046daf3b5eef7040ea1 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 30 Oct 2025 15:29:02 +0000 Subject: [PATCH 17/19] Update pk_alg to use mbedtls_pk_sigalg_t and remove casts in library/x509write_csr.c 
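Review bot: the context comment in the second x509write_crt.c hunk, `There's no direct way of extracting a signature algorithm (represented as an element of mbedtls_pk_type_t) from a PK instance`, is now stale because `pk_alg` is an `mbedtls_pk_sigalg_t` and the assignments under it store `MBEDTLS_PK_SIGALG_*` values; it should read `(represented as an element of mbedtls_pk_sigalg_t)`. The same key-type-to-scheme mapping (`MBEDTLS_PK_RSA` to `MBEDTLS_PK_SIGALG_RSA_PKCS1V15`, `MBEDTLS_PK_ECDSA` to `MBEDTLS_PK_SIGALG_ECDSA`) is duplicated verbatim in `x509write_csr_der_internal` in the next patch, so a shared static helper would keep the two writers from drifting. Now that the type can express PSS, it is also worth a one-line comment that an RSA issuer key is always mapped to PKCS#1 v1.5 here and the writer cannot emit RSA-PSS signatures; that limitation predates this change.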
Signed-off-by: Ben Taylor --- library/x509write_csr.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/library/x509write_csr.c b/library/x509write_csr.c index e7f547f03b..0fac775106 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -142,7 +142,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, unsigned char hash[MBEDTLS_MD_MAX_SIZE]; size_t pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; - mbedtls_pk_type_t pk_alg; + mbedtls_pk_sigalg_t pk_alg; size_t hash_len; psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg); @@ -219,19 +219,19 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, } if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) { - pk_alg = MBEDTLS_PK_RSA; + pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15; } else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA)) { - pk_alg = MBEDTLS_PK_ECDSA; + pk_alg = MBEDTLS_PK_SIGALG_ECDSA; } else { return MBEDTLS_ERR_X509_INVALID_ALG; } - if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_alg, ctx->key, ctx->md_alg, hash, 0, + if ((ret = mbedtls_pk_sign_ext(pk_alg, ctx->key, ctx->md_alg, hash, 0, sig, sig_size, &sig_len)) != 0) { return ret; } - if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, + if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len)) != 0) { return ret; } @@ -250,7 +250,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len, - sig, sig_len, (mbedtls_pk_sigalg_t) pk_alg)); + sig, sig_len, pk_alg)); /* * Compact the space between the CSR data and signature by moving the From b76c38334a4f13eb92b74047683ee29e5a053685 Mon Sep 17 00:00:00 2001 
From: Ben Taylor Date: Fri, 31 Oct 2025 07:55:02 +0000 Subject: [PATCH 18/19] Update name of mbedtls_ssl_pk_alg_from_sig_pk_alg to mbedtls_ssl_pk_sig_alg_from_sig Signed-off-by: Ben Taylor --- library/ssl_misc.h | 4 ++-- library/ssl_tls.c | 2 +- library/ssl_tls12_server.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 41b3cd0e3e..60c5dea35e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1511,7 +1511,7 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( #if defined(MBEDTLS_PK_C) unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type); -mbedtls_pk_sigalg_t mbedtls_ssl_pk_alg_from_sig_pk_alg(unsigned char sig); +mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig); #endif mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); @@ -2412,7 +2412,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( uint16_t sig_alg, mbedtls_pk_sigalg_t *pk_type, mbedtls_md_type_t *md_alg) { - *pk_type = mbedtls_ssl_pk_alg_from_sig_pk_alg(sig_alg & 0xff); + *pk_type = mbedtls_ssl_pk_sig_alg_from_sig(sig_alg & 0xff); *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); if (*pk_type != MBEDTLS_PK_SIGALG_NONE && *md_alg != MBEDTLS_MD_NONE) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 07e5824858..550f79de29 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5631,7 +5631,7 @@ unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type) } } -mbedtls_pk_sigalg_t mbedtls_ssl_pk_alg_from_sig_pk_alg(unsigned char sig) +mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig) { switch (sig) { #if defined(MBEDTLS_RSA_C) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 09d872bfbb..0856dcfdd2 100644 
--- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -3416,7 +3416,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) /* * Signature */ - if ((pk_alg = mbedtls_ssl_pk_alg_from_sig_pk_alg(ssl->in_msg[i])) + if ((pk_alg = mbedtls_ssl_pk_sig_alg_from_sig(ssl->in_msg[i])) == MBEDTLS_PK_SIGALG_NONE) { MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" " for verify message")); From 42074c193fc2bca0a15039b3d0949518c49f1a08 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 31 Oct 2025 08:38:53 +0000 Subject: [PATCH 19/19] Rename mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg to mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg Signed-off-by: Ben Taylor --- library/ssl_misc.h | 2 +- library/ssl_tls12_client.c | 2 +- library/ssl_tls13_generic.c | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 60c5dea35e..237475ff1b 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2409,7 +2409,7 @@ static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, return 0; } -static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( +static inline int mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg( uint16_t sig_alg, mbedtls_pk_sigalg_t *pk_type, mbedtls_md_type_t *md_alg) { *pk_type = mbedtls_ssl_pk_sig_alg_from_sig(sig_alg & 0xff); diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 482fd46182..35ae891c1d 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1908,7 +1908,7 @@ start_processing: */ MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); - if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( + if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg( sig_alg, &pk_alg, &md_alg) != 0 && !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) && !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) { 
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 6aabf4e58e..f8aca908c4 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -261,7 +261,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, goto error; } - if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( + if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg( algorithm, &sig_alg, &md_alg) != 0) { goto error; } @@ -945,7 +945,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, continue; } - if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( + if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg( *sig_alg, &pk_type, &md_alg) != 0) { return MBEDTLS_ERR_SSL_INTERNAL_ERROR; }