diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 33a02b3a9..60d96ec65 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -2062,31 +2062,6 @@
  */
 #define POLARSSL_SHA512_C
 
-/**
- * \def MINIMAL_SUPPORTED_MD_ALG
- *
- * minimal supported md algorithm.
- * The value should be one of the enumerations in
- * md_type_t defined in md.h
- * typedef enum {
- * POLARSSL_MD_NONE=0,
- * POLARSSL_MD_MD2,
- * POLARSSL_MD_MD4,
- * POLARSSL_MD_MD5,
- * POLARSSL_MD_SHA1,
- * POLARSSL_MD_SHA224,
- * POLARSSL_MD_SHA256,
- * POLARSSL_MD_SHA384,
- * POLARSSL_MD_SHA512,
- * POLARSSL_MD_RIPEMD160,
- * } md_type_t;
- *
- * Module: library/x509_crt.c
- * Caller:
- *
- */
-#define POLARSSL_MINIMAL_SUPPORTED_MD_ALG POLARSSL_MD_SHA1
-
 /**
  * \def POLARSSL_SSL_CACHE_C
  *
@@ -2391,6 +2366,29 @@
 /* X509 options */
 //#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
 
+/**
+ * \def POLARSSL_X509_MIN_VERIFY_MD_ALG
+ *
+ * Minimal hash algorithm accepted in X.509 chain verification.
+ *
+ * The value should be one of the enumerations in md_type_t defined in md.h
+ * Only algorithms with a value equal or higher are accepted.
+ *
+ * typedef enum {
+ * POLARSSL_MD_NONE=0,
+ * POLARSSL_MD_MD2,
+ * POLARSSL_MD_MD4,
+ * POLARSSL_MD_MD5,
+ * POLARSSL_MD_SHA1,
+ * POLARSSL_MD_SHA224,
+ * POLARSSL_MD_SHA256,
+ * POLARSSL_MD_SHA384,
+ * POLARSSL_MD_SHA512,
+ * POLARSSL_MD_RIPEMD160,
+ * } md_type_t;
+ */
+//#define POLARSSL_X509_MIN_VERIFY_MD_ALG POLARSSL_MD_SHA1
+
 /* \} name SECTION: Module configuration options */
 
 #include "check_config.h"
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 186ecda9b..3c7bd154e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
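Review bot: The "equal or higher" rule documented for POLARSSL_X509_MIN_VERIFY_MD_ALG treats the md_type_t numbering as a strength ordering, but the enum reproduced in this very comment places POLARSSL_MD_RIPEMD160 last, above SHA-512, so a threshold of POLARSSL_MD_SHA256 (or even SHA-384/SHA-512) still lets RIPEMD-160-signed certificates through x509_check_md_alg, whose `>=` comparison is the only test applied in the second x509_crt.c hunk. The option therefore cannot express "SHA-2 only", which is the policy most deployments will reach for once SHA-1 is phased out; an explicit allow-list (a bitmask of accepted md_type_t values, or a switch over them) would make the accepted set independent of enum order. Until the check is reworked, the doc block should say so, e.g. add after the enum listing ` * Note: md_type_t is not ordered by strength; POLARSSL_MD_RIPEMD160 has the highest value and is therefore never excluded by this threshold.` The same caveat applies to the fallback default added at the top of x509_crt.c in the first hunk of that file.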
@@ -76,6 +76,10 @@
 #endif /* !_WIN32 || EFIX64 || EFI32 */
 #endif
 
+#if !defined(POLARSSL_X509_MIN_VERIFY_MD_ALG)
+#define POLARSSL_X509_MIN_VERIFY_MD_ALG POLARSSL_MD_SHA1
+#endif
+
 /* Implementation that should never be optimized out by the compiler */
 static void polarssl_zeroize( void *v, size_t n ) {
     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@@ -1440,7 +1444,7 @@ int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
  */
 static int x509_check_md_alg( md_type_t md_alg )
 {
-    if( md_alg >= POLARSSL_MINIMAL_SUPPORTED_MD_ALG )
+    if( md_alg >= POLARSSL_X509_MIN_VERIFY_MD_ALG )
         return( 0 );
     return( -1 );