TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 982d9e5db2e5dbd414dbe400d3bfdb1721a47525^! / . / library
commit982d9e5db2e5dbd414dbe400d3bfdb1721a47525[log] [tgz]
authorJerry Yu <jerry.h.yu@arm.com>Thu Oct 14 15:59:37 2021 +0800
committerJerry Yu <jerry.h.yu@arm.com>Fri Oct 29 19:57:55 2021 +0800
tree3c49023da730b582f2f537139afbef4ab2ae136e
parent133690cceff604a5836e271fb0a5e8055a1884d7 [diff]
Add ssl_tls13_sig_alg_is_offered

To keep consistent with cipher_suite check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 24275e5..66c6678 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c

@@ -320,6 +320,18 @@
 }
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+static int ssl_tls13_sig_alg_is_offered( mbedtls_ssl_context *ssl, uint16_t sig_alg )
+{
+    const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs;
+
+    for( ; *tls13_sig_alg !=MBEDTLS_TLS13_SIG_NONE ; tls13_sig_alg++ )
+    {
+        if( *tls13_sig_alg == sig_alg )
+            return 1;
+    }
+    return 0;
+}
+
 static int ssl_tls13_process_certificate_verify_parse( mbedtls_ssl_context *ssl,
                                                        const unsigned char *buf,
                                                        const unsigned char *end,
@@ -329,7 +341,6 @@
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     const unsigned char *p = buf;
     uint16_t algorithm;
-    const uint16_t *tls13_sig_alg = ssl->conf->tls13_sig_algs;
     size_t signature_len;
     mbedtls_pk_type_t sig_alg;
     mbedtls_md_type_t md_alg;
@@ -361,26 +372,16 @@
      * Check if algorithm in offered signature algorithms. Send `unsupported_certificate`
      * alert message on failure.
      */
-    while( 1 )
+    if( ssl_tls13_sig_alg_is_offered( ssl, algorithm ) == 0 )
     {
-        /* Found algorithm in offered signature algorithms */
-        if( *tls13_sig_alg == algorithm )
-            break;
-
-        if( *tls13_sig_alg == MBEDTLS_TLS13_SIG_NONE )
-        {
-            /* End of offered signature algorithms list */
-            MBEDTLS_SSL_DEBUG_MSG( 1,
-                                   ( "signature algorithm(%04x) not in offered"
-                                     "signature algorithms ",
-                                     ( unsigned int ) algorithm ) );
-            MBEDTLS_SSL_PEND_FATAL_ALERT(
-                MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
-                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-            return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
-        }
-
-        tls13_sig_alg++;
+        /* algorithm not in offered signature algorithms list */
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
+                                    "offered.",
+                                    ( unsigned int ) algorithm ) );
+        MBEDTLS_SSL_PEND_FATAL_ALERT(
+            MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
+            MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
     }
 
     /* We currently only support ECDSA-based signatures */