Allow hardcoding single signature hash at compile-time
This commit introduces the option MBEDTLS_SSL_CONF_SINGLE_HASH
which can be used to register a single supported signature hash
algorithm at compile time. It replaces the runtime configuration
API mbedtls_ssl_conf_sig_hashes() which allows to register a _list_
of supported signature hash algorithms.
In contrast to other options used to hardcode configuration options,
MBEDTLS_SSL_CONF_SINGLE_HASH isn't a numeric option, but instead it's
only relevant if it's defined or not. To actually set the single
supported hash algorithm that should be supported, numeric options
MBEDTLS_SSL_CONF_SINGLE_HASH_TLS_ID
MBEDTLS_SSL_CONF_SINGLE_HASH_MD_ID
must both be defined and provide the TLS ID and the Mbed TLS internal
ID and the chosen hash algorithm, respectively.
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 87454b2..bb84207 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -569,6 +569,7 @@
return( 0 );
}
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
static int ssl_sig_hashes_for_test[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
@@ -584,6 +585,7 @@
#endif
MBEDTLS_MD_NONE
};
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_HASH */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
@@ -1693,7 +1695,9 @@
{
crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH)
mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
+#endif
}
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );