Create API for mbedtls_ssl_conf_sig_hashes().

Not implemented yet.
parent 9d412d87
...@@ -70,6 +70,12 @@ ...@@ -70,6 +70,12 @@
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED #define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED
#endif
/* /*
* SSL Error codes * SSL Error codes
*/ */
...@@ -529,12 +535,16 @@ struct mbedtls_ssl_config ...@@ -529,12 +535,16 @@ struct mbedtls_ssl_config
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */ const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */
mbedtls_x509_crt *ca_chain; /*!< trusted CAs */ mbedtls_x509_crt *ca_chain; /*!< trusted CAs */
mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
const int *sig_hashes; /*!< allowed signature hashes */
#endif
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */
#endif #endif
...@@ -1527,13 +1537,40 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, ...@@ -1527,13 +1537,40 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
* controlled by \c mbedtls_ssl_conf_curves() but for CA_int * controlled by \c mbedtls_ssl_conf_curves() but for CA_int
* and CA_root it's \c mbedtls_ssl_conf_cert_profile(). * and CA_root it's \c mbedtls_ssl_conf_cert_profile().
* *
* \note This list should be ordered by decreasing preference
* (preferred curve first).
*
* \param conf SSL configuration * \param conf SSL configuration
* \param curves Ordered list of allowed curves, * \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE. * terminated by MBEDTLS_ECP_DP_NONE.
*/ */
void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
const mbedtls_ecp_group_id *curves );
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
/**
* \brief Set the allowed hashes for signatures during the handshake.
* (Default: all available hashes.)
*
* \note This only affects which hashes are offered and can be used
* for signatures during the handshake. Hashes for message
* authentication and the TLS PRF are controlled by the
* ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
* used for certificate signature are controlled by the
* verification profile, see \c mbedtls_ssl_conf_cert_profile().
*
* \note This list should be ordered by decreasing preference
* (preferred hash first).
*
* \param conf SSL configuration
* \param hashes Ordered list of allowed signature hashes,
* terminated by \c MBEDTLS_MD_NONE.
*/
void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
const int *hashes );
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
/** /**
* \brief Set hostname for ServerName TLS extension * \brief Set hostname for ServerName TLS extension
......
...@@ -1836,9 +1836,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, ...@@ -1836,9 +1836,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
unsigned char **p, unsigned char **p,
unsigned char *end, unsigned char *end,
...@@ -1884,12 +1882,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, ...@@ -1884,12 +1882,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || #endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
......
...@@ -5478,6 +5478,17 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, ...@@ -5478,6 +5478,17 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
} }
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
/*
* Set allowed/preferred hashes for handshake signatures
*/
void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
const int *hashes )
{
conf->sig_hashes = hashes;
}
#endif
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
/* /*
* Set the allowed elliptic curves * Set the allowed elliptic curves
...@@ -6665,8 +6676,12 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, ...@@ -6665,8 +6676,12 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
conf->sig_hashes = mbedtls_md_list();
#endif
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
conf->curve_list = mbedtls_ecp_grp_id_list( ); conf->curve_list = mbedtls_ecp_grp_id_list();
#endif #endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment