yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-25 16:55:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Change selection of hash algorithm for TLS 1.2

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-07-08 12:56:25 +02:00
parent bd77254b18
commit 08e81e0c8f
3 changed files with 20 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -31,6 +31,8 @@ Changes
* Migrate zeroizing of data to polarssl_zeroize() instead of memset() * Migrate zeroizing of data to polarssl_zeroize() instead of memset()
against unwanted compiler optimizations against unwanted compiler optimizations
* md_list() now returns hashes strongest first * md_list() now returns hashes strongest first
* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
strongest offered by client.
Bugfix Bugfix
* Fix in debug_print_msg() * Fix in debug_print_msg()

4
include/polarssl/ssl.h
View File

@ -587,8 +587,8 @@ struct _ssl_handshake_params
/* /*
* Handshake specific crypto variables * Handshake specific crypto variables
*/ */
int sig_alg; /*!< Signature algorithm */ int sig_alg; /*!< Hash algorithm for signature */
int cert_type; /*!< Requested cert type */ int cert_type; /*!< Requested cert type */
int verify_sig_alg; /*!< Signature algorithm for verify */ int verify_sig_alg; /*!< Signature algorithm for verify */
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
dhm_context dhm_ctx; /*!< DHM key exchange */ dhm_context dhm_ctx; /*!< DHM key exchange */

60
library/ssl_srv.c
View File

@ -470,59 +470,31 @@ static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
{ {
size_t sig_alg_list_size; size_t sig_alg_list_size;
const unsigned char *p; const unsigned char *p;
const unsigned char *end = buf + len;
const int *md_cur;
sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) ); sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
if( sig_alg_list_size + 2 != len || if( sig_alg_list_size + 2 != len ||
sig_alg_list_size %2 != 0 ) sig_alg_list_size % 2 != 0 )
{ {
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
p = buf + 2; /*
while( sig_alg_list_size > 0 ) * For now, ignore the SignatureAlgorithm part and rely on offered
{ * ciphersuites only for that part. To be fixed later.
/* *
* For now, just ignore signature algorithm and rely on offered * So, just look at the HashAlgorithm part.
* ciphersuites only. To be fixed later. */
*/ for( md_cur = md_list(); *md_cur != POLARSSL_MD_NONE; md_cur++ ) {
#if defined(POLARSSL_SHA512_C) for( p = buf + 2; p < end; p += 2 ) {
if( p[0] == SSL_HASH_SHA512 ) if( *md_cur == (int) ssl_md_alg_from_hash( p[0] ) ) {
{ ssl->handshake->sig_alg = p[0];
ssl->handshake->sig_alg = SSL_HASH_SHA512; break;
break; }
} }
if( p[0] == SSL_HASH_SHA384 )
{
ssl->handshake->sig_alg = SSL_HASH_SHA384;
break;
}
#endif /* POLARSSL_SHA512_C */
#if defined(POLARSSL_SHA256_C)
if( p[0] == SSL_HASH_SHA256 )
{
ssl->handshake->sig_alg = SSL_HASH_SHA256;
break;
}
if( p[0] == SSL_HASH_SHA224 )
{
ssl->handshake->sig_alg = SSL_HASH_SHA224;
break;
}
#endif /* POLARSSL_SHA256_C */
if( p[0] == SSL_HASH_SHA1 )
{
ssl->handshake->sig_alg = SSL_HASH_SHA1;
break;
}
if( p[0] == SSL_HASH_MD5 )
{
ssl->handshake->sig_alg = SSL_HASH_MD5;
break;
}
sig_alg_list_size -= 2;
p += 2;
} }
SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d", SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",