TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 56595f4f7b6ba3d0ec4933dd11cb518b8988d893^! / . / include / mbedtls / config.h
commit56595f4f7b6ba3d0ec4933dd11cb518b8988d893[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Wed Jun 19 16:31:38 2019 +0100
committerHanno Becker <hanno.becker@arm.com>Wed Jul 17 10:19:27 2019 +0100
treed414bf53d6b051daf47eadc916e5431e57ac17dc
parentf1bc9e1c6968facfde877678761cfd599643abe3 [diff] [blame]
Allow hardcoding single signature hash at compile-time

This commit introduces the option MBEDTLS_SSL_CONF_SINGLE_HASH
which can be used to register a single supported signature hash
algorithm at compile time. It replaces the runtime configuration
API mbedtls_ssl_conf_sig_hashes() which allows to register a _list_
of supported signature hash algorithms.

In contrast to other options used to hardcode configuration options,
MBEDTLS_SSL_CONF_SINGLE_HASH isn't a numeric option, but instead it's
only relevant if it's defined or not. To actually set the single
supported hash algorithm that should be supported, numeric options

MBEDTLS_SSL_CONF_SINGLE_HASH_TLS_ID
MBEDTLS_SSL_CONF_SINGLE_HASH_MD_ID

must both be defined and provide the TLS ID and the Mbed TLS internal
ID and the chosen hash algorithm, respectively.

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 5b17238..65819ca 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h

@@ -3685,6 +3685,34 @@
 //#define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID
 //#define MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID
 
+/* Enable support a single signature hash algorithm
+ * at compile-time, at the benefit of code-size.
+ *
+ * On highly constrained systems which large control
+ * over the configuration of the connection endpoints,
+ * this option can be used to hardcode the choice of
+ * hash algorithm to be used for signatures in the
+ * ServerKeyExchange and CertificateVerify messages.
+ *
+ * If this is set, you must also define the following:
+ * - MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID
+ *   This must resolve to the Mbed TLS hash ID for the hash
+ *   algorithm to use (e.g. MBEDTLS_MD_SHA256). See
+ *   ::mbedtls_md_type_t in mbedtls/md.h for a complete
+ *   list of supported hash algorithm identifiers.
+ * - MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID
+ *   This must resolve to the TLS identifier for the hash
+ *   algorithm to use. See
+ *   https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
+ *   for a list of the supported identifiers.
+ *
+ * If defined, this option overwrites the effect of the
+ * runtime configuration API mbedtls_ssl_conf_sig_hashes().
+ */
+//#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH
+//#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID
+//#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID
+
 /* \} SECTION: Compile-time SSL configuration */
 
 /* Target and application specific configurations