lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

Refine ssl_tls13_pick_cert()

Browse Source 
Change-Id: I5448095e280d8968b20ade8b304d139e399e54f1
CustomizedGitHooks: yes
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian
2022-06-08 06:58:05 +00:00
parent 23c5be6b94
commit 9850fa8e8d
2 changed files with 17 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
library/ssl_tls13_server.c
View File

@ -339,37 +339,31 @@ static int ssl_tls13_check_ephemeral_key_exchange( mbedtls_ssl_context *ssl )
/* /*
* Return 0 if the given key uses one of the acceptable curves, -1 otherwise * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
*/ */
#if defined(MBEDTLS_ECDSA_C) static int ssl_tls13_check_key_sigs( mbedtls_pk_context *pk,
static int ssl_check_key_curve( mbedtls_pk_context *pk, uint16_t *sig_alg )
const mbedtls_ecp_curve_info **curves )
{ {
const mbedtls_ecp_curve_info **crv = curves; mbedtls_pk_type_t pk_type;
mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id; mbedtls_md_type_t md_alg;
while( *crv != NULL ) while( *sig_alg != MBEDTLS_TLS1_3_SIG_NONE )
{ {
if( (*crv)->grp_id == grp_id ) mbedtls_ssl_tls13_get_pk_type_and_md_alg_from_sig_alg(
*sig_alg, &pk_type, &md_alg );
if( pk_type == mbedtls_pk_get_type(pk) )
return( 0 ); return( 0 );
crv++; sig_alg++;
} }
return( -1 ); return( -1 );
} }
#endif /* MBEDTLS_ECDSA_C */
/* /*
* Try picking a certificate for this ciphersuite, * Try picking a certificate for this ciphersuite,
* return 0 on success and -1 on failure. * return 0 on success and -1 on failure.
*/ */
static int ssl_pick_cert( mbedtls_ssl_context *ssl, static int ssl_tls13_pick_cert( mbedtls_ssl_context *ssl )
const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
{ {
mbedtls_ssl_key_cert *cur, *list; mbedtls_ssl_key_cert *cur, *list;
#if defined(MBEDTLS_ECDSA_C)
mbedtls_pk_type_t pk_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
#endif /* MBEDTLS_ECDSA_C */
uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL ) if( ssl->handshake->sni_key_cert != NULL )
@ -386,7 +380,6 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
for( cur = list; cur != NULL; cur = cur->next ) for( cur = list; cur != NULL; cur = cur->next )
{ {
flags = 0;
MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate", MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
cur->cert ); cur->cert );
@ -394,22 +387,20 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
* This avoids sending the client a cert it'll reject based on * This avoids sending the client a cert it'll reject based on
* keyUsage or other extensions. * keyUsage or other extensions.
*/ */
if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info, if( mbedtls_x509_crt_check_key_usage( cur->cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE ) != 0 )
MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: " MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
"(extended) key usage extension" ) ); "(extended) key usage extension" ) );
continue; continue;
} }
#if defined(MBEDTLS_ECDSA_C) if( ssl_tls13_check_key_sigs( &cur->cert->pk,
if( pk_alg == MBEDTLS_PK_ECDSA && ssl->handshake->received_sig_algs ) != 0 )
ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) ); MBEDTLS_SSL_DEBUG_MSG(
3, ( "certificate key mismatch: received_sig_algs" ) );
continue; continue;
} }
#endif /* MBEDTLS_ECDSA_C */
break; break;
} }
@ -794,7 +785,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
if( (ssl_pick_cert( ssl, ssl->handshake->ciphersuite_info ) != 0) ) if( (ssl_tls13_pick_cert( ssl ) != 0) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: " MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
"no suitable certificate" ) ); "no suitable certificate" ) );

1
tests/ssl-opt.sh
View File

@ -5363,6 +5363,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
# tests for SNI # tests for SNI
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "SNI: no SNI callback" \ run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \