
library: ssl: specify hash algorithm when checking signature in ssl_parse_certificate_verify

Since the hash algorithm is known, this can be used when calling
"mbedtls_pk_can_do_psa()" to get a more accurate answer.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti
2025-12-09 16:18:11 +01:00
parent 5ad2bfa6c8
commit c0ac4a6933


@@ -3325,6 +3325,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
mbedtls_pk_context *peer_pk; mbedtls_pk_context *peer_pk;
psa_algorithm_t psa_sig_alg;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
@@ -3422,9 +3423,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
/* /*
* Check the certificate's key type matches the signature alg * Check the certificate's key type matches the signature alg
*/ */
if (!mbedtls_pk_can_do_psa(peer_pk, psa_sig_alg = mbedtls_psa_alg_from_pk_sigalg(pk_alg, mbedtls_md_psa_alg_from_type(md_alg));
mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH), if (!mbedtls_pk_can_do_psa(peer_pk, psa_sig_alg, PSA_KEY_USAGE_VERIFY_HASH)) {
PSA_KEY_USAGE_VERIFY_HASH)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
} }
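Review bot: The value stored in `psa_sig_alg` is handed straight to `mbedtls_pk_can_do_psa()` without checking it, so if `mbedtls_psa_alg_from_pk_sigalg()` yields PSA_ALG_NONE for a (pk_alg, hash) pair it does not map, the rejection depends entirely on `mbedtls_pk_can_do_psa()` refusing PSA_ALG_NONE, and the "sig_alg doesn't match cert key" debug message then blames the peer key for what is really an unsupported or unmapped algorithm pair. Whether that pair can reach this point depends on how `pk_alg` and `md_alg` are validated earlier in ssl_parse_certificate_verify, which is outside this hunk. A cheap, explicit fail-closed guard between the assignment and the capability check would make the intent obvious and keep the two failure causes distinguishable in the debug log: `if (psa_sig_alg == PSA_ALG_NONE) { MBEDTLS_SSL_DEBUG_MSG(1, ("unsupported sig_alg/hash pair")); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; }`. Narrowing the check from PSA_ALG_ANY_HASH to the negotiated hash is the right direction; this only tightens the error reporting around it.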