diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4b46cf89b4..489bfdcebd 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3301,7 +3301,6 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 const int *hashes );
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 /**
 * \brief Configure allowed signature algorithms for use in TLS 1.3
 *
@@ -3313,7 +3312,6 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 */
 void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf, const uint16_t* sig_algs );
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 44f69cbe97..10aa8ef292 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1815,24 +1815,17 @@ int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
 /*
 * Return supported sig_algs.
 */
-static inline const void *mbedtls_ssl_conf_get_sig_algs(
- const mbedtls_ssl_config *conf )
+static inline const void *mbedtls_ssl_get_sig_algs( const mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
- if( mbedtls_ssl_conf_is_tls12_enabled( conf ))
- return( conf->sig_hashes );
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if( mbedtls_ssl_conf_is_tls13_enabled( conf ))
- return( conf->sig_algs );
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+ if( ssl->handshake != NULL && ssl->handshake->sig_algs != NULL )
+ return( ssl->handshake->sig_algs );
+#endif
+ return( ssl->conf->sig_algs );
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
- ((void) conf);
+ ((void) ssl);
 return NULL;
 }
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index eb3550eb5b..97199e1f52 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
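Review bot: The `\brief` kept as context in the first ssl.h hunk still says "for use in TLS 1.3", but with the `MBEDTLS_SSL_PROTO_TLS1_3` guard removed `mbedtls_ssl_conf_sig_algs()` is declared in every certificate-enabled build. The same list is also read by `ssl_write_certificate_request()` and `mbedtls_ssl_check_sig_hash()` later in this commit, which do not look TLS 1.3 specific. The brief should drop the version, e.g. `\brief Configure allowed signature algorithms for use in TLS`, and say how the list relates to the deprecated `mbedtls_ssl_conf_sig_hashes()`. The rest of the doc comment lies outside the hunk, so its parameter text needs the same check.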
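Review bot: `mbedtls_ssl_get_sig_algs()` still returns `const void *`, although the `conf->sig_hashes` return that needed an untyped pointer is gone and every caller in this commit assigns the result to `const uint16_t *`. Declaring it `static inline const uint16_t *mbedtls_ssl_get_sig_algs( const mbedtls_ssl_context *ssl )` lets the compiler reject a caller that walks the list with the wrong element width; this assumes `handshake->sig_algs` is declared as a `uint16_t` pointer, which the hunk does not show. The header comment should also state the precedence the new body implements, for example `/* Return the handshake's list (derived from the deprecated sig_hashes) when present, else conf->sig_algs. */`. That precedence decides which hashes are accepted now that `mbedtls_ssl_conf_sig_hashes()` no longer clears `conf->sig_algs`.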
@@ -2796,8 +2796,11 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 /*
 * Supported signature algorithms
 */
- for( const uint16_t *sig_alg = mbedtls_ssl_conf_get_sig_algs( ssl->conf );
- *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+ if( sig_alg == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
 {
 /* High byte is hash */
 unsigned char hash = ( *sig_alg >> 8 ) & 0xff;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 336e47941c..9a8fe45ec7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3187,14 +3187,14 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 unsigned char hash = mbedtls_ssl_hash_from_md_alg( *md );
 if( hash == MBEDTLS_SSL_HASH_NONE )
 continue;
- #if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_ECDSA_C)
 *p = (( hash << 8 ) | MBEDTLS_SSL_SIG_ECDSA);
 p++;
- #endif
- #if defined(MBEDTLS_RSA_C)
+#endif
+#if defined(MBEDTLS_RSA_C)
 *p = (( hash << 8 ) | MBEDTLS_SSL_SIG_RSA);
 p++;
- #endif
+#endif
 }
 *p = MBEDTLS_TLS1_3_SIG_NONE;
 ssl->handshake->sig_algs_heap_allocated = 1;
@@ -4055,7 +4055,6 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
 const int *hashes )
 {
 conf->sig_hashes = hashes;
- conf->sig_algs = NULL;
 }
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
@@ -6478,8 +6477,9 @@ static int ssl_preset_suiteb_hashes[] = {
 };
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 static uint16_t ssl_preset_default_sig_algs[] = {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
 /* ECDSA algorithms */
 #if defined(MBEDTLS_ECDSA_C)
 #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
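Review bot: The new `sig_alg == NULL` guard in `ssl_write_certificate_request()` rejects a missing list but not an empty one, because a list whose first element is `MBEDTLS_TLS1_3_SIG_NONE` simply skips the loop. Unless code outside the hunk catches that, the CertificateRequest is sent with no signature algorithms and the peer has nothing it is allowed to sign with. Consider `if( sig_alg == NULL || *sig_alg == MBEDTLS_TLS1_3_SIG_NONE ) return( MBEDTLS_ERR_SSL_BAD_CONFIG );`, or a check after the loop that at least one entry was written. The guard added to `mbedtls_ssl_write_sig_alg_ext()` in ssl_tls.c has the same gap, and both loop bodies continue outside their hunks.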
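Review bot: Moving `#if defined(MBEDTLS_SSL_PROTO_TLS1_3)` inside `ssl_preset_default_sig_algs[]` means a build without TLS 1.3 compiles the array down to the single terminator `MBEDTLS_TLS1_3_SIG_NONE`; the next two hunks complete this and do the same to `ssl_preset_suiteb_sig_algs[]`. If these presets are what `conf->sig_algs` defaults to (not shown here), a TLS 1.2-only build with `MBEDTLS_DEPRECATED_REMOVED` falls through to that empty list in `mbedtls_ssl_get_sig_algs()`, so signature-hash checks would presumably accept nothing. Either list the TLS 1.2 code points outside the guard or reject that build combination. The array also needs a comment such as `/* Terminator only when TLS 1.3 is disabled; TLS 1.2 then relies on the list derived from sig_hashes. */`.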
@@ -6498,11 +6498,14 @@ static uint16_t ssl_preset_default_sig_algs[] = {
 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
 #endif
 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 MBEDTLS_TLS1_3_SIG_NONE
 };
 static uint16_t ssl_preset_suiteb_sig_algs[] = {
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 /* ECDSA algorithms */
 #if defined(MBEDTLS_ECDSA_C)
 #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
@@ -6518,10 +6521,10 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
 #endif
 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 MBEDTLS_TLS1_3_SIG_NONE
 };
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif
 static uint16_t ssl_preset_suiteb_groups[] = {
@@ -6936,7 +6939,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
 mbedtls_md_type_t md )
 {
- const uint16_t *sig_alg = mbedtls_ssl_conf_get_sig_algs( ssl->conf );
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
 if( sig_alg == NULL )
 return( -1 );
@@ -7450,8 +7453,11 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 * Write supported_signature_algorithms
 */
 supported_sig_alg = p;
- for( const uint16_t *sig_alg = mbedtls_ssl_conf_get_sig_algs( ssl->conf );
- *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+ if( sig_alg == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
 {
 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 1d31ce9218..226f8e33f7 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -212,8 +212,11 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
 static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl, uint16_t proposed_sig_alg )
 {
- for( const uint16_t *sig_alg = mbedtls_ssl_conf_get_sig_algs( ssl->conf );
- *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+ if( sig_alg == NULL )
+ return( 0 );
+
+ for( ; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
 {
 if( *sig_alg == proposed_sig_alg )
 return( 1 );