Change selection of hash algorithm for TLS 1.2
This commit is contained in:
parent
bd77254b18
commit
08e81e0c8f
|
@ -31,6 +31,8 @@ Changes
|
||||||
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
|
* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
|
||||||
against unwanted compiler optimizations
|
against unwanted compiler optimizations
|
||||||
* md_list() now returns hashes strongest first
|
* md_list() now returns hashes strongest first
|
||||||
|
* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
|
||||||
|
strongest offered by client.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix in debug_print_msg()
|
* Fix in debug_print_msg()
|
||||||
|
|
|
@ -587,7 +587,7 @@ struct _ssl_handshake_params
|
||||||
/*
|
/*
|
||||||
* Handshake specific crypto variables
|
* Handshake specific crypto variables
|
||||||
*/
|
*/
|
||||||
int sig_alg; /*!< Signature algorithm */
|
int sig_alg; /*!< Hash algorithm for signature */
|
||||||
int cert_type; /*!< Requested cert type */
|
int cert_type; /*!< Requested cert type */
|
||||||
int verify_sig_alg; /*!< Signature algorithm for verify */
|
int verify_sig_alg; /*!< Signature algorithm for verify */
|
||||||
#if defined(POLARSSL_DHM_C)
|
#if defined(POLARSSL_DHM_C)
|
||||||
|
|
|
@ -470,59 +470,31 @@ static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
|
||||||
{
|
{
|
||||||
size_t sig_alg_list_size;
|
size_t sig_alg_list_size;
|
||||||
const unsigned char *p;
|
const unsigned char *p;
|
||||||
|
const unsigned char *end = buf + len;
|
||||||
|
const int *md_cur;
|
||||||
|
|
||||||
|
|
||||||
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
|
||||||
if( sig_alg_list_size + 2 != len ||
|
if( sig_alg_list_size + 2 != len ||
|
||||||
sig_alg_list_size %2 != 0 )
|
sig_alg_list_size % 2 != 0 )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
}
|
}
|
||||||
|
|
||||||
p = buf + 2;
|
|
||||||
while( sig_alg_list_size > 0 )
|
|
||||||
{
|
|
||||||
/*
|
/*
|
||||||
* For now, just ignore signature algorithm and rely on offered
|
* For now, ignore the SignatureAlgorithm part and rely on offered
|
||||||
* ciphersuites only. To be fixed later.
|
* ciphersuites only for that part. To be fixed later.
|
||||||
|
*
|
||||||
|
* So, just look at the HashAlgorithm part.
|
||||||
*/
|
*/
|
||||||
#if defined(POLARSSL_SHA512_C)
|
for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
|
||||||
if( p[0] == SSL_HASH_SHA512 )
|
for( p = buf + 2; p < end; p += 2 ) {
|
||||||
{
|
if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
|
||||||
ssl->handshake->sig_alg = SSL_HASH_SHA512;
|
ssl->handshake->sig_alg = p[0];
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if( p[0] == SSL_HASH_SHA384 )
|
|
||||||
{
|
|
||||||
ssl->handshake->sig_alg = SSL_HASH_SHA384;
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SHA512_C */
|
|
||||||
#if defined(POLARSSL_SHA256_C)
|
|
||||||
if( p[0] == SSL_HASH_SHA256 )
|
|
||||||
{
|
|
||||||
ssl->handshake->sig_alg = SSL_HASH_SHA256;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if( p[0] == SSL_HASH_SHA224 )
|
|
||||||
{
|
|
||||||
ssl->handshake->sig_alg = SSL_HASH_SHA224;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
#endif /* POLARSSL_SHA256_C */
|
|
||||||
if( p[0] == SSL_HASH_SHA1 )
|
|
||||||
{
|
|
||||||
ssl->handshake->sig_alg = SSL_HASH_SHA1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if( p[0] == SSL_HASH_MD5 )
|
|
||||||
{
|
|
||||||
ssl->handshake->sig_alg = SSL_HASH_MD5;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
sig_alg_list_size -= 2;
|
|
||||||
p += 2;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
|
SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
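Review bot: The `break` inside the new nested loop only leaves the inner scan of the client's list, so the outer loop over md_list() keeps going and `ssl->handshake->sig_alg = p[0];` is overwritten on every later match; because md_list() is now ordered strongest first (per the ChangeLog entry in this same commit), the value left behind is the weakest hash the client offered that the server supports, which is the opposite of what the commit title and ChangeLog describe. Replacing the `break;` with `goto have_sig_alg;` and placing a `have_sig_alg:` label before the SSL_DEBUG_MSG makes the first, strongest match win. When neither loop finds a common hash the code currently falls through and sig_alg silently keeps whatever it was initialised to elsewhere (not visible here); rejecting the ClientHello in that case is safer than later signing ServerKeyExchange with a hash the client never advertised. The length check still reads buf[0] and buf[1] before it has established len >= 2, but that is pre-existing rather than introduced here. ssl_parse_signature_algorithms_ext continues past the end of the hunk, so the label placement below assumes the debug message is the next statement.
```c
    for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
        for( p = buf + 2; p < end; p += 2 ) {
            if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
                ssl->handshake->sig_alg = p[0];
                goto have_sig_alg; /* first hit is the strongest supported hash */
            }
        }
    }

    SSL_DEBUG_MSG( 1, ( "client hello v3, signature_algorithm ext: "
                        "no suitable hash algorithm found" ) );
    return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );

have_sig_alg:
    /* … unchanged: SSL_DEBUG_MSG( 3, ... ) and the rest of the function … */
```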
|
||||||
|
|