lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-11-14 04:02:31 +03:00
Code Activity

Merge pull request #10439 from bjwtaylor/remove-all-non-ext-apis

Browse Source 
Remove all non ext apis
This commit is contained in:
Valerio Setti
2025-11-04 09:53:34 +00:00
committed by GitHub
parent 18f2661c65 42074c193f
commit 00d579e953
12 changed files with 102 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
library/pkcs7.c
View File

@@ -704,7 +704,7 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7,
* failed to validate'. * failed to validate'.
*/ */
for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) { for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) {
ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash, ret = mbedtls_pk_verify_ext(cert->sig_pk, &pk_cxt, md_alg, hash,
mbedtls_md_get_size(md_info), mbedtls_md_get_size(md_info),
signer->sig.p, signer->sig.len); signer->sig.p, signer->sig.len);

16
library/ssl_ciphersuites.c
View File

@@ -902,17 +902,17 @@ size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersui
} }
#if defined(MBEDTLS_PK_C) #if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info) mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
{ {
switch (info->key_exchange) { switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA; return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return MBEDTLS_PK_ECDSA; return MBEDTLS_PK_SIGALG_ECDSA;
default: default:
return MBEDTLS_PK_NONE; return MBEDTLS_PK_SIGALG_NONE;
} }
} }
@@ -943,17 +943,17 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c
} }
} }
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info) mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
{ {
switch (info->key_exchange) { switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA; return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return MBEDTLS_PK_ECDSA; return MBEDTLS_PK_SIGALG_ECDSA;
default: default:
return MBEDTLS_PK_NONE; return MBEDTLS_PK_SIGALG_NONE;
} }
} }

4
library/ssl_ciphersuites_internal.h
View File

@@ -16,10 +16,10 @@
#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */
#if defined(MBEDTLS_PK_C) #if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info); mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info); psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info); psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info); mbedtls_pk_sigalg_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
#endif /* MBEDTLS_PK_C */ #endif /* MBEDTLS_PK_C */
int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info); int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);

4
library/ssl_client.c
View File

@@ -943,8 +943,8 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
*/ */
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }

23
library/ssl_misc.h
View File

@@ -1436,11 +1436,6 @@ MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
int update_checksum, int update_checksum,
int force_flush); int force_flush);
static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
{
return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
}
/* /*
* Write handshake message tail * Write handshake message tail
*/ */
@@ -1515,8 +1510,8 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
#if defined(MBEDTLS_PK_C) #if defined(MBEDTLS_PK_C)
unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type);
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig);
#endif #endif
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
@@ -2414,13 +2409,13 @@ static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
return 0; return 0;
} }
static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( static inline int mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) uint16_t sig_alg, mbedtls_pk_sigalg_t *pk_type, mbedtls_md_type_t *md_alg)
{ {
*pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); *pk_type = mbedtls_ssl_pk_sig_alg_from_sig(sig_alg & 0xff);
*md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { if (*pk_type != MBEDTLS_PK_SIGALG_NONE && *md_alg != MBEDTLS_MD_NONE) {
return 0; return 0;
} }
@@ -2429,19 +2424,19 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
#if defined(PSA_WANT_ALG_SHA_256) #if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256; *md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS; *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;
break; break;
#endif /* PSA_WANT_ALG_SHA_256 */ #endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384) #if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384; *md_alg = MBEDTLS_MD_SHA384;
*pk_type = MBEDTLS_PK_RSASSA_PSS; *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;
break; break;
#endif /* PSA_WANT_ALG_SHA_384 */ #endif /* PSA_WANT_ALG_SHA_384 */
#if defined(PSA_WANT_ALG_SHA_512) #if defined(PSA_WANT_ALG_SHA_512)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
*md_alg = MBEDTLS_MD_SHA512; *md_alg = MBEDTLS_MD_SHA512;
*pk_type = MBEDTLS_PK_RSASSA_PSS; *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS;
break; break;
#endif /* PSA_WANT_ALG_SHA_512 */ #endif /* PSA_WANT_ALG_SHA_512 */
#endif /* PSA_WANT_ALG_RSA_PSS */ #endif /* PSA_WANT_ALG_RSA_PSS */

4
library/ssl_msg.c
View File

@@ -5028,8 +5028,8 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl); mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }

27
library/ssl_tls.c
View File

@@ -4247,8 +4247,8 @@ static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }
@@ -5619,32 +5619,31 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
return MBEDTLS_SSL_SIG_ANON; return MBEDTLS_SSL_SIG_ANON;
} }
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type)
{ {
switch (type) { switch (type) {
case MBEDTLS_PK_RSA: case MBEDTLS_PK_SIGALG_RSA_PKCS1V15:
return MBEDTLS_SSL_SIG_RSA; return MBEDTLS_SSL_SIG_RSA;
case MBEDTLS_PK_ECDSA: case MBEDTLS_PK_SIGALG_ECDSA:
case MBEDTLS_PK_ECKEY:
return MBEDTLS_SSL_SIG_ECDSA; return MBEDTLS_SSL_SIG_ECDSA;
default: default:
return MBEDTLS_SSL_SIG_ANON; return MBEDTLS_SSL_SIG_ANON;
} }
} }
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig)
{ {
switch (sig) { switch (sig) {
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
case MBEDTLS_SSL_SIG_RSA: case MBEDTLS_SSL_SIG_RSA:
return MBEDTLS_PK_RSA; return MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
case MBEDTLS_SSL_SIG_ECDSA: case MBEDTLS_SSL_SIG_ECDSA:
return MBEDTLS_PK_ECDSA; return MBEDTLS_PK_SIGALG_ECDSA;
#endif #endif
default: default:
return MBEDTLS_PK_NONE; return MBEDTLS_PK_SIGALG_NONE;
} }
} }
#endif /* MBEDTLS_PK_C && #endif /* MBEDTLS_PK_C &&
@@ -6726,8 +6725,8 @@ int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl); mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }
@@ -7456,8 +7455,8 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
} }
#endif #endif
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }

22
library/ssl_tls12_client.c
View File

@@ -1884,7 +1884,7 @@ start_processing:
unsigned char hash[MBEDTLS_MD_MAX_SIZE]; unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; mbedtls_pk_sigalg_t pk_alg = MBEDTLS_PK_SIGALG_NONE;
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
size_t params_len = (size_t) (p - params); size_t params_len = (size_t) (p - params);
void *rs_ctx = NULL; void *rs_ctx = NULL;
@@ -1908,7 +1908,7 @@ start_processing:
*/ */
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
sig_alg, &pk_alg, &md_alg) != 0 && sig_alg, &pk_alg, &md_alg) != 0 &&
!mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) && !mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg) &&
!mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) { !mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg)) {
@@ -1922,7 +1922,7 @@ start_processing:
} }
p += 2; p += 2;
if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, MBEDTLS_SSL_DEBUG_MSG(1,
("bad server key exchange message")); ("bad server key exchange message"));
mbedtls_ssl_send_alert_message( mbedtls_ssl_send_alert_message(
@@ -1978,7 +1978,7 @@ start_processing:
/* /*
* Verify signature * Verify signature
*/ */
if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
mbedtls_ssl_send_alert_message( mbedtls_ssl_send_alert_message(
ssl, ssl,
@@ -1994,7 +1994,7 @@ start_processing:
#endif #endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { if (pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) {
ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk,
md_alg, hash, hashlen, md_alg, hash, hashlen,
p, sig_len); p, sig_len);
@@ -2014,7 +2014,7 @@ start_processing:
MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
} }
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_restartable", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
@@ -2565,8 +2565,8 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl); mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }
@@ -2708,7 +2708,7 @@ sign:
out_buf_len - 6 - offset, out_buf_len - 6 - offset,
&n, &n,
rs_ctx)) != 0) { rs_ctx)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_restartable", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
@@ -2725,8 +2725,8 @@ sign:
mbedtls_ssl_handshake_increment_state(ssl); mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }

48
library/ssl_tls12_server.c
View File

@@ -760,7 +760,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
const mbedtls_ssl_ciphersuite_t *suite_info; const mbedtls_ssl_ciphersuite_t *suite_info;
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_pk_type_t sig_type; mbedtls_pk_sigalg_t sig_type;
#endif #endif
suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); suite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
@@ -829,7 +829,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
/* If the ciphersuite requires signing, check whether /* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */ * a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info); sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
if (sig_type != MBEDTLS_PK_NONE && if (sig_type != MBEDTLS_PK_SIGALG_NONE &&
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) { ssl, mbedtls_ssl_sig_from_pk_alg(sig_type)) == MBEDTLS_SSL_HASH_NONE) {
MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm " MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite mismatch: no suitable hash algorithm "
@@ -1608,8 +1608,8 @@ have_ciphersuite:
/* Debugging-only output for testsuite */ /* Debugging-only output for testsuite */
#if defined(MBEDTLS_DEBUG_C) && \ #if defined(MBEDTLS_DEBUG_C) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info); mbedtls_pk_sigalg_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(ciphersuite_info);
if (sig_alg != MBEDTLS_PK_NONE) { if (sig_alg != MBEDTLS_PK_SIGALG_NONE) {
unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( unsigned int sig_hash = mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg)); ssl, mbedtls_ssl_sig_from_pk_alg(sig_alg));
MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u", MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, signature_algorithm ext: %u",
@@ -2017,8 +2017,8 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }
@@ -2315,7 +2315,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
ret = mbedtls_ssl_write_handshake_msg(ssl); ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= write server hello"));
@@ -2505,7 +2505,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST; ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len); MBEDTLS_PUT_UINT16_BE(total_dn_size, ssl->out_msg, 4 + ct_len + sa_len);
ret = mbedtls_ssl_write_handshake_msg(ssl); ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request")); MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate request"));
@@ -2788,7 +2788,7 @@ curve_matching_done:
* to choose appropriate hash. * to choose appropriate hash.
*/ */
mbedtls_pk_type_t sig_alg = mbedtls_pk_sigalg_t sig_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info); mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
unsigned char sig_hash = unsigned char sig_hash =
@@ -2799,7 +2799,7 @@ curve_matching_done:
/* For TLS 1.2, obey signature-hash-algorithm extension /* For TLS 1.2, obey signature-hash-algorithm extension
* (RFC 5246, Sec. 7.4.1.4.1). */ * (RFC 5246, Sec. 7.4.1.4.1). */
if (sig_alg == MBEDTLS_PK_NONE || md_alg == MBEDTLS_MD_NONE) { if (sig_alg == MBEDTLS_PK_SIGALG_NONE || md_alg == MBEDTLS_MD_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
/* (... because we choose a cipher suite /* (... because we choose a cipher suite
* only if there is a matching hash.) */ * only if there is a matching hash.) */
@@ -2880,12 +2880,12 @@ curve_matching_done:
* after the call to ssl_prepare_server_key_exchange. * after the call to ssl_prepare_server_key_exchange.
* ssl_write_server_key_exchange also takes care of incrementing * ssl_write_server_key_exchange also takes care of incrementing
* ssl->out_msglen. */ * ssl->out_msglen. */
if ((ret = mbedtls_pk_sign(mbedtls_ssl_own_key(ssl), if ((ret = mbedtls_pk_sign_ext(sig_alg, mbedtls_ssl_own_key(ssl),
md_alg, hash, hashlen, md_alg, hash, hashlen,
ssl->out_msg + ssl->out_msglen + 2, ssl->out_msg + ssl->out_msglen + 2,
out_buf_len - ssl->out_msglen - 2, out_buf_len - ssl->out_msglen - 2,
signature_len)) != 0) { signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign_ext", ret);
return ret; return ret;
} }
} }
@@ -2971,8 +2971,8 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_increment_state(ssl); mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }
@@ -2999,8 +2999,8 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
} }
#endif #endif
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }
@@ -3324,7 +3324,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
unsigned char hash[48]; unsigned char hash[48];
unsigned char *hash_start = hash; unsigned char *hash_start = hash;
size_t hashlen; size_t hashlen;
mbedtls_pk_type_t pk_alg; mbedtls_pk_sigalg_t pk_alg;
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
@@ -3416,8 +3416,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
/* /*
* Signature * Signature
*/ */
if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) if ((pk_alg = mbedtls_ssl_pk_sig_alg_from_sig(ssl->in_msg[i]))
== MBEDTLS_PK_NONE) { == MBEDTLS_PK_SIGALG_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg"
" for verify message")); " for verify message"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
@@ -3426,7 +3426,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
/* /*
* Check the certificate's key type matches the signature alg * Check the certificate's key type matches the signature alg
*/ */
if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
} }
@@ -3456,10 +3456,10 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
} }
} }
if ((ret = mbedtls_pk_verify(peer_pk, if ((ret = mbedtls_pk_verify_ext(pk_alg, peer_pk,
md_alg, hash_start, hashlen, md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len)) != 0) { ssl->in_msg + i, sig_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
return ret; return ret;
} }
@@ -3521,8 +3521,8 @@ static int ssl_write_new_session_ticket(mbedtls_ssl_context *ssl)
*/ */
ssl->handshake->new_session_ticket = 0; ssl->handshake->new_session_ticket = 0;
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { if ((ret = mbedtls_ssl_write_handshake_msg_ext(ssl, 1, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg_ext", ret);
return ret; return ret;
} }

10
library/ssl_tls13_generic.c
View File

@@ -221,7 +221,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
const unsigned char *p = buf; const unsigned char *p = buf;
uint16_t algorithm; uint16_t algorithm;
size_t signature_len; size_t signature_len;
mbedtls_pk_type_t sig_alg; mbedtls_pk_sigalg_t sig_alg;
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
psa_algorithm_t hash_alg = PSA_ALG_NONE; psa_algorithm_t hash_alg = PSA_ALG_NONE;
unsigned char verify_hash[PSA_HASH_MAX_SIZE]; unsigned char verify_hash[PSA_HASH_MAX_SIZE];
@@ -261,7 +261,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
goto error; goto error;
} }
if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
algorithm, &sig_alg, &md_alg) != 0) { algorithm, &sig_alg, &md_alg) != 0) {
goto error; goto error;
} }
@@ -277,7 +277,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* /*
* Check the certificate's key type matches the signature alg * Check the certificate's key type matches the signature alg
*/ */
if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) { if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, (mbedtls_pk_type_t) sig_alg)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key")); MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key"));
goto error; goto error;
} }
@@ -927,7 +927,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; mbedtls_pk_sigalg_t pk_type = MBEDTLS_PK_SIGALG_NONE;
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
psa_algorithm_t psa_algorithm = PSA_ALG_NONE; psa_algorithm_t psa_algorithm = PSA_ALG_NONE;
unsigned char verify_hash[PSA_HASH_MAX_SIZE]; unsigned char verify_hash[PSA_HASH_MAX_SIZE];
@@ -945,7 +945,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
continue; continue;
} }
if (mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( if (mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg(
*sig_alg, &pk_type, &md_alg) != 0) { *sig_alg, &pk_type, &md_alg) != 0) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
} }

12
library/x509write_crt.c
View File

@@ -396,7 +396,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0; size_t len = 0;
mbedtls_pk_type_t pk_alg; mbedtls_pk_sigalg_t pk_alg;
int write_sig_null_par; int write_sig_null_par;
/* /*
@@ -409,9 +409,9 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
/* There's no direct way of extracting a signature algorithm /* There's no direct way of extracting a signature algorithm
* (represented as an element of mbedtls_pk_type_t) from a PK instance. */ * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA)) { if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_RSA)) {
pk_alg = MBEDTLS_PK_RSA; pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
} else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA)) { } else if (mbedtls_pk_can_do(ctx->issuer_key, MBEDTLS_PK_ECDSA)) {
pk_alg = MBEDTLS_PK_ECDSA; pk_alg = MBEDTLS_PK_SIGALG_ECDSA;
} else { } else {
return MBEDTLS_ERR_X509_INVALID_ALG; return MBEDTLS_ERR_X509_INVALID_ALG;
} }
@@ -489,7 +489,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
/* /*
* Signature ::= AlgorithmIdentifier * Signature ::= AlgorithmIdentifier
*/ */
if (pk_alg == MBEDTLS_PK_ECDSA) { if (pk_alg == MBEDTLS_PK_SIGALG_ECDSA) {
/* /*
* The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature * The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature
* algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and * algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and
@@ -571,7 +571,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
} }
if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg, if ((ret = mbedtls_pk_sign_ext(pk_alg, ctx->issuer_key, ctx->md_alg,
hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) { hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) {
return ret; return ret;
} }
@@ -588,7 +588,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c, MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c,
sig_oid, sig_oid_len, sig_oid, sig_oid_len,
sig, sig_len, sig, sig_len,
(mbedtls_pk_sigalg_t) pk_alg)); pk_alg));
/* /*
* Memory layout after this step: * Memory layout after this step:

19
library/x509write_csr.c
View File

@@ -142,7 +142,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
unsigned char hash[MBEDTLS_MD_MAX_SIZE]; unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len; size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0; size_t len = 0;
mbedtls_pk_type_t pk_alg; mbedtls_pk_sigalg_t pk_alg;
size_t hash_len; size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg); psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
@@ -217,20 +217,21 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
&hash_len) != PSA_SUCCESS) { &hash_len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
} }
if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0,
sig, sig_size, &sig_len)) != 0) {
return ret;
}
if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) { if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_RSA)) {
pk_alg = MBEDTLS_PK_RSA; pk_alg = MBEDTLS_PK_SIGALG_RSA_PKCS1V15;
} else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA)) { } else if (mbedtls_pk_can_do(ctx->key, MBEDTLS_PK_ECDSA)) {
pk_alg = MBEDTLS_PK_ECDSA; pk_alg = MBEDTLS_PK_SIGALG_ECDSA;
} else { } else {
return MBEDTLS_ERR_X509_INVALID_ALG; return MBEDTLS_ERR_X509_INVALID_ALG;
} }
if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, if ((ret = mbedtls_pk_sign_ext(pk_alg, ctx->key, ctx->md_alg, hash, 0,
sig, sig_size, &sig_len)) != 0) {
return ret;
}
if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg,
&sig_oid, &sig_oid_len)) != 0) { &sig_oid, &sig_oid_len)) != 0) {
return ret; return ret;
} }
@@ -249,7 +250,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
c2 = buf + size; c2 = buf + size;
MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len,
mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len, mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len,
sig, sig_len, (mbedtls_pk_sigalg_t) pk_alg)); sig, sig_len, pk_alg));
/* /*
* Compact the space between the CSR data and signature by moving the * Compact the space between the CSR data and signature by moving the