TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 56595f4f7b6ba3d0ec4933dd11cb518b8988d893^! / . / library / ssl_tls.c
commit56595f4f7b6ba3d0ec4933dd11cb518b8988d893[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Wed Jun 19 16:31:38 2019 +0100
committerHanno Becker <hanno.becker@arm.com>Wed Jul 17 10:19:27 2019 +0100
treed414bf53d6b051daf47eadc916e5431e57ac17dc
parentf1bc9e1c6968facfde877678761cfd599643abe3 [diff] [blame]
Allow hardcoding single signature hash at compile-time

This commit introduces the option MBEDTLS_SSL_CONF_SINGLE_HASH
which can be used to register a single supported signature hash
algorithm at compile time. It replaces the runtime configuration
API mbedtls_ssl_conf_sig_hashes() which allows to register a _list_
of supported signature hash algorithms.

In contrast to other options used to hardcode configuration options,
MBEDTLS_SSL_CONF_SINGLE_HASH isn't a numeric option, but instead it's
only relevant if it's defined or not. To actually set the single
supported hash algorithm that should be supported, numeric options

MBEDTLS_SSL_CONF_SINGLE_HASH_TLS_ID
MBEDTLS_SSL_CONF_SINGLE_HASH_MD_ID

must both be defined and provide the TLS ID and the Mbed TLS internal
ID and the chosen hash algorithm, respectively.

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9359be6..78a15fe 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -8630,7 +8630,12 @@
 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
                                   const int *hashes )
 {
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
     conf->sig_hashes = hashes;
+#else
+    ((void) conf);
+    ((void) hashes);
+#endif /* MBEDTLS_SSL_CONF_SINGLE_SIG_HASH */
 }
 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
 
@@ -10839,6 +10844,7 @@
 }
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
 static int ssl_preset_default_hashes[] = {
 #if defined(MBEDTLS_SHA512_C)
     MBEDTLS_MD_SHA512,
@@ -10854,6 +10860,7 @@
     MBEDTLS_MD_NONE
 };
 #endif
+#endif
 
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
 static int ssl_preset_suiteb_ciphersuites[] = {
@@ -10864,12 +10871,14 @@
 #endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
 static int ssl_preset_suiteb_hashes[] = {
     MBEDTLS_MD_SHA256,
     MBEDTLS_MD_SHA384,
     MBEDTLS_MD_NONE
 };
 #endif
+#endif
 
 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
 static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
@@ -11018,8 +11027,10 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
             conf->sig_hashes = ssl_preset_suiteb_hashes;
 #endif
+#endif
 
 #if defined(MBEDTLS_ECP_C)
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
@@ -11068,8 +11079,10 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
             conf->sig_hashes = ssl_preset_default_hashes;
 #endif
+#endif
 
 #if defined(MBEDTLS_ECP_C)
 #if !defined(MBEDTLS_SSL_CONF_SINGLE_EC)
@@ -11308,9 +11321,6 @@
 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
                                 mbedtls_md_type_t md )
 {
-    if( ssl->conf->sig_hashes == NULL )
-        return( -1 );
-
     MBEDTLS_SSL_BEGIN_FOR_EACH_SIG_HASH( md_alg )
     if( md_alg == md )
         return( 0 );