diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index c1fca1904..49ef310e1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -70,6 +70,12 @@
 #define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
 #endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED
+#endif
+
 /*
 * SSL Error codes
 */
@@ -529,12 +535,16 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
- const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
+ const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
 mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */
 mbedtls_x509_crt *ca_chain; /*!< trusted CAs */
 mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+ const int *sig_hashes; /*!< allowed signature hashes */
+#endif
+
 #if defined(MBEDTLS_ECP_C)
 const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */
 #endif
@@ -1527,13 +1537,40 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 * controlled by \c mbedtls_ssl_conf_curves() but for CA_int
 * and CA_root it's \c mbedtls_ssl_conf_cert_profile().
 *
+ * \note This list should be ordered by decreasing preference
+ * (preferred curve first).
+ *
 * \param conf SSL configuration
 * \param curves Ordered list of allowed curves,
 * terminated by MBEDTLS_ECP_DP_NONE.
 */
-void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves );
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+ const mbedtls_ecp_group_id *curves );
 #endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+/**
+ * \brief Set the allowed hashes for signatures during the handshake.
+ * (Default: all available hashes.)
+ *
+ * \note This only affects which hashes are offered and can be used
+ * for signatures during the handshake. Hashes for message
+ * authentication and the TLS PRF are controlled by the
+ * ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
+ * used for certificate signature are controlled by the
+ * verification profile, see \c mbedtls_ssl_conf_cert_profile().
+ *
+ * \note This list should be ordered by decreasing preference
+ * (preferred hash first).
+ *
+ * \param conf SSL configuration
+ * \param hashes Ordered list of allowed signature hashes,
+ * terminated by \c MBEDTLS_MD_NONE.
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+ const int *hashes );
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */
+
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**
 * \brief Set hostname for ServerName TLS extension
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index e4f06864e..40c2d4c86 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
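Review bot: The documentation added for mbedtls_ssl_conf_sig_hashes() in include/mbedtls/ssl.h does not say that the list is borrowed rather than copied, although the setter in library/ssl_tls.c stores the caller's pointer as-is (`conf->sig_hashes = hashes;`). A caller that passes a stack array would leave a dangling pointer in the configuration, so I would add `\note The list is not copied; it must remain valid and unmodified for the lifetime of the SSL configuration.` Because the parameter is a plain `const int *`, the `\param hashes` text should also state that entries are `mbedtls_md_type_t` values (the `MBEDTLS_MD_NONE` terminator implies it), so that TLS wire identifiers are not passed by mistake. The same lifetime remark fits the `sig_hashes` field comment in the struct hunk.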
@@ -1836,9 +1836,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
 static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
 unsigned char **p,
 unsigned char *end,
@@ -1884,12 +1882,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
 return( 0 );
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
 static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9f241576d..63d2e83a6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5478,6 +5478,17 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 }
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+/*
+ * Set allowed/preferred hashes for handshake signatures
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+ const int *hashes )
+{
+ conf->sig_hashes = hashes;
+}
+#endif
+
 #if defined(MBEDTLS_ECP_C)
 /*
 * Set the allowed elliptic curves
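Review bot: Nothing in the visible hunks reads `conf->sig_hashes`: in library/ssl_cli.c only the preprocessor guard around ssl_parse_signature_algorithm() changes, and that function's body lies outside the hunks. If the check is not added elsewhere, an application that calls mbedtls_ssl_conf_sig_hashes() to exclude a weak hash would still accept that hash in the peer's handshake signature, so the setter should land together with the code that rejects a hash absent from the list and the code that builds the offered list from it. The setter also stores NULL without comment; either document NULL as invalid or have the consumers treat it as an empty list. Minor: the closing `#endif` of the new block would match the file's style as `#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */`.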
@@ -6665,8 +6676,12 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
 #endif
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+ conf->sig_hashes = mbedtls_md_list();
+#endif
+
 #if defined(MBEDTLS_ECP_C)
- conf->curve_list = mbedtls_ecp_grp_id_list( );
+ conf->curve_list = mbedtls_ecp_grp_id_list();
 #endif
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
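Review bot: The default `conf->sig_hashes = mbedtls_md_list();` allows every digest compiled into the library, so a build that still enables MD5 or SHA-1 would accept them for handshake signatures unless the application overrides the list. As far as the hunk shows, this default is applied to every configuration; the rest of mbedtls_ssl_config_defaults() is outside the hunk, so any per-preset handling is not visible here. I would point the default at a fixed list that names only the digests meant to be accepted, terminated by `MBEDTLS_MD_NONE`, and leave weaker ones to an explicit mbedtls_ssl_conf_sig_hashes() call. If the broad default is kept for compatibility, a comment on this line should say so.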