lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Refactor *_sig_algs tables

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu
2022-01-22 11:56:27 +08:00
parent b476a44fc6
commit 909df7b17b
1 changed files with 119 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
library/ssl_tls.c
View File

@ -6491,17 +6491,57 @@ static int ssl_preset_suiteb_hashes[] = {
}; };
#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* !MBEDTLS_DEPRECATED_REMOVED */
/* NOTICE: Make sure there are no duplicated entries when add new signature /* NOTICE:
* algorithms into ssl_preset_default_sig_algs * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, below rulers
* SHOULD be followed.
* - No duplicated entries.
* - Followup simillar order.
* - ssl_tls12_* contains tls12_only mode data.
* - ssl_preset_* contains non-tls12_only mode data, if possible, tls12_only data
* should be at the beggining of table.
*/ */
static uint16_t ssl_preset_default_sig_algs[] = { static uint16_t ssl_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/* RSA algorithms */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA256_C &&
MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE
};
/* NOTICE: see above */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_SHA512_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
#endif #endif
@ -6511,20 +6551,42 @@ static uint16_t ssl_preset_default_sig_algs[] = {
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
#endif #endif
MBEDTLS_TLS1_3_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* NOTICE: see above */
static uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA384_C) && \
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA384_C &&
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA384_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_SHA256_C &&
MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_SHA256_C)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_SHA256_C */
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
}; };
/* NOTICE: Make sure there are no duplicated entries when add new signature /* NOTICE: see above */
* algorithms into ssl_preset_suiteb_sig_algs #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
*/ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
static uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 ) MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
#endif #endif
@ -6533,6 +6595,8 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
#endif #endif
MBEDTLS_TLS1_3_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
}; };
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
static uint16_t ssl_preset_suiteb_groups[] = { static uint16_t ssl_preset_suiteb_groups[] = {
@ -6546,12 +6610,13 @@ static uint16_t ssl_preset_suiteb_groups[] = {
}; };
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Function for checking `ssl_preset_*_sig_algs` to make sure there are no duplicated /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
* signature algorithm entries */ * to make sure there are no duplicated signature algorithm entries */
static int ssl_array_has_duplicated_entries( uint16_t * array ) static int ssl_array_has_duplicated_entries( uint16_t * array )
{ {
size_t i, j; size_t i, j;
int ret = 0; int ret = 0;
for( i = 1; array[i] != MBEDTLS_TLS1_3_SIG_NONE ; i++ ) for( i = 1; array[i] != MBEDTLS_TLS1_3_SIG_NONE ; i++ )
{ {
for( j = 0 ; j < i; j++ ) for( j = 0 ; j < i; j++ )
@ -6585,19 +6650,37 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( ssl_array_has_duplicated_entries( ssl_preset_suiteb_sig_algs ) ) if( ssl_array_has_duplicated_entries( ssl_preset_suiteb_sig_algs ) )
{ {
#if defined(MBEDTLS_PLATFORM_C) #if defined(MBEDTLS_PLATFORM_C)
mbedtls_printf( "ssl_preset_suiteb_sig_algs has duplicated entries\n" ); mbedtls_printf( "ssl_preset_suiteb_sig_algs has duplicated entries\n" );
#endif #endif
return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
} }
if( ssl_array_has_duplicated_entries( ssl_preset_default_sig_algs ) ) if( ssl_array_has_duplicated_entries( ssl_preset_default_sig_algs ) )
{ {
#if defined(MBEDTLS_PLATFORM_C) #if defined(MBEDTLS_PLATFORM_C)
mbedtls_printf( "ssl_preset_default_sig_algs has duplicated entries\n" ); mbedtls_printf( "ssl_preset_default_sig_algs has duplicated entries\n" );
#endif #endif
return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED ); return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl_array_has_duplicated_entries( ssl_tls12_preset_suiteb_sig_algs ) )
{
#if defined(MBEDTLS_PLATFORM_C)
mbedtls_printf( "ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n" );
#endif
return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
}
if( ssl_array_has_duplicated_entries( ssl_tls12_preset_default_sig_algs ) )
{
#if defined(MBEDTLS_PLATFORM_C)
mbedtls_printf( "ssl_tls12_preset_default_sig_algs has duplicated entries\n" );
#endif
return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* Use the functions here so that they are covered in tests, /* Use the functions here so that they are covered in tests,
@ -6699,7 +6782,12 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)
conf->sig_hashes = ssl_preset_suiteb_hashes; conf->sig_hashes = ssl_preset_suiteb_hashes;
#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* !MBEDTLS_DEPRECATED_REMOVED */
conf->sig_algs = ssl_preset_suiteb_sig_algs; #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( conf ) )
conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
conf->sig_algs = ssl_preset_suiteb_sig_algs;
#endif #endif
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
@ -6737,7 +6825,12 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if !defined(MBEDTLS_DEPRECATED_REMOVED)
conf->sig_hashes = ssl_preset_default_hashes; conf->sig_hashes = ssl_preset_default_hashes;
#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* !MBEDTLS_DEPRECATED_REMOVED */
conf->sig_algs = ssl_preset_default_sig_algs; #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( conf ) )
conf->sig_algs = ssl_tls12_preset_default_sig_algs;
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
conf->sig_algs = ssl_preset_default_sig_algs;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)