diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cf3791e900..41b3cd0e3e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1511,7 +1511,7 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( #if defined(MBEDTLS_PK_C) unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type); -mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); +mbedtls_pk_sigalg_t mbedtls_ssl_pk_alg_from_sig_pk_alg(unsigned char sig); #endif mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); @@ -2410,12 +2410,12 @@ static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, } static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( - uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) + uint16_t sig_alg, mbedtls_pk_sigalg_t *pk_type, mbedtls_md_type_t *md_alg) { - *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); + *pk_type = mbedtls_ssl_pk_alg_from_sig_pk_alg(sig_alg & 0xff); *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); - if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { + if (*pk_type != MBEDTLS_PK_SIGALG_NONE && *md_alg != MBEDTLS_MD_NONE) { return 0; } @@ -2424,19 +2424,19 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( #if defined(PSA_WANT_ALG_SHA_256) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: *md_alg = MBEDTLS_MD_SHA256; - *pk_type = MBEDTLS_PK_RSASSA_PSS; + *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_256 */ #if defined(PSA_WANT_ALG_SHA_384) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: *md_alg = MBEDTLS_MD_SHA384; - *pk_type = MBEDTLS_PK_RSASSA_PSS; + *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_384 */ #if defined(PSA_WANT_ALG_SHA_512) case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: *md_alg = MBEDTLS_MD_SHA512; - *pk_type = MBEDTLS_PK_RSASSA_PSS; + *pk_type = MBEDTLS_PK_SIGALG_RSA_PSS; break; #endif /* PSA_WANT_ALG_SHA_512 */ #endif /* PSA_WANT_ALG_RSA_PSS */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9c6f236ded..07e5824858 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5631,19 +5631,19 @@ unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type) } } -mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) +mbedtls_pk_sigalg_t mbedtls_ssl_pk_alg_from_sig_pk_alg(unsigned char sig) { switch (sig) { #if defined(MBEDTLS_RSA_C) case MBEDTLS_SSL_SIG_RSA: - return MBEDTLS_PK_RSA; + return MBEDTLS_PK_SIGALG_RSA_PKCS1V15; #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) case MBEDTLS_SSL_SIG_ECDSA: - return MBEDTLS_PK_ECDSA; + return MBEDTLS_PK_SIGALG_ECDSA; #endif default: - return MBEDTLS_PK_NONE; + return MBEDTLS_PK_SIGALG_NONE; } } #endif /* MBEDTLS_PK_C && diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 165ef760ac..482fd46182 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1884,7 +1884,7 @@ start_processing: unsigned char hash[MBEDTLS_MD_MAX_SIZE]; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; - mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; + mbedtls_pk_sigalg_t pk_alg = MBEDTLS_PK_SIGALG_NONE; unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); size_t params_len = (size_t) (p - params); void *rs_ctx = NULL; @@ -1922,7 +1922,7 @@ start_processing: } p += 2; - if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); mbedtls_ssl_send_alert_message( @@ -1978,7 +1978,7 @@ start_processing: /* * Verify signature */ - if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); mbedtls_ssl_send_alert_message( ssl, @@ -1994,7 +1994,7 @@ start_processing: #endif #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { + if (pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) { ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, md_alg, hash, hashlen, p, sig_len); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 0dffb91064..09d872bfbb 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -3324,7 +3324,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) unsigned char hash[48]; unsigned char *hash_start = hash; size_t hashlen; - mbedtls_pk_type_t pk_alg; + mbedtls_pk_sigalg_t pk_alg; mbedtls_md_type_t md_alg; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info; @@ -3416,8 +3416,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) /* * Signature */ - if ((pk_alg = mbedtls_ssl_pk_alg_from_sig(ssl->in_msg[i])) - == MBEDTLS_PK_NONE) { + if ((pk_alg = mbedtls_ssl_pk_alg_from_sig_pk_alg(ssl->in_msg[i])) + == MBEDTLS_PK_SIGALG_NONE) { MBEDTLS_SSL_DEBUG_MSG(1, ("peer not adhering to requested sig_alg" " for verify message")); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; @@ -3426,7 +3426,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) /* * Check the certificate's key type matches the signature alg */ - if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + if (!mbedtls_pk_can_do(peer_pk, (mbedtls_pk_type_t) pk_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key")); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } @@ -3456,7 +3456,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl) } } - if ((ret = mbedtls_pk_verify_ext((mbedtls_pk_sigalg_t) pk_alg, peer_pk, + if ((ret = mbedtls_pk_verify_ext(pk_alg, peer_pk, md_alg, hash_start, hashlen, ssl->in_msg + i, sig_len)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret); diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 748efb4815..6aabf4e58e 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -221,7 +221,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, const unsigned char *p = buf; uint16_t algorithm; size_t signature_len; - mbedtls_pk_type_t sig_alg; + mbedtls_pk_sigalg_t sig_alg; mbedtls_md_type_t md_alg; psa_algorithm_t hash_alg = PSA_ALG_NONE; unsigned char verify_hash[PSA_HASH_MAX_SIZE]; @@ -277,7 +277,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl, /* * Check the certificate's key type matches the signature alg */ - if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, sig_alg)) { + if (!mbedtls_pk_can_do(&ssl->session_negotiate->peer_cert->pk, (mbedtls_pk_type_t) sig_alg)) { MBEDTLS_SSL_DEBUG_MSG(1, ("signature algorithm doesn't match cert key")); goto error; } @@ -927,7 +927,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - mbedtls_pk_type_t pk_type = MBEDTLS_PK_NONE; + mbedtls_pk_sigalg_t pk_type = MBEDTLS_PK_SIGALG_NONE; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; psa_algorithm_t psa_algorithm = PSA_ALG_NONE; unsigned char verify_hash[PSA_HASH_MAX_SIZE];