Merge remote-tracking branch 'origin/pr/604' into baremetal

2026-05-13 15:24:05 +02:00 · 2019-07-23 16:16:24 +01:00
parent 6fe6b437da f28ce6e40e
commit 3b014fc23a
12 changed files with 167 additions and 56 deletions
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -93,6 +93,12 @@
 #error "MBEDTLS_SSL_CONF_SINGLE_EC defined, but not all prerequesites"
 #endif

+#if defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH) &&           \
+    ( !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID) || \
+      !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID) )
+#error "MBEDTLS_SSL_CONF_SINGLE_SIG_HASH defined, but not all prerequesites"
+#endif
+
 #if defined(MBEDTLS_USE_TINYCRYPT) && defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
 #error "MBEDTLS_USE_TINYCRYPT defined, but it cannot be defined with MBEDTLS_NO_64BIT_MULTIPLICATION"
 #endif
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3685,6 +3685,34 @@
 //#define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID
 //#define MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID

+/* Enable support a single signature hash algorithm
+ * at compile-time, at the benefit of code-size.
+ *
+ * On highly constrained systems with large control
+ * over the configuration of the connection endpoints,
+ * this option can be used to hardcode the choice of
+ * hash algorithm to be used for signatures in the
+ * ServerKeyExchange and CertificateVerify messages.
+ *
+ * If this is set, you must also define the following:
+ * - MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID
+ *   This must resolve to the Mbed TLS hash ID for the hash
+ *   algorithm to use (e.g. MBEDTLS_MD_SHA256). See
+ *   ::mbedtls_md_type_t in mbedtls/md.h for a complete
+ *   list of supported hash algorithm identifiers.
+ * - MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID
+ *   This must resolve to the TLS identifier for the hash
+ *   algorithm to use. See
+ *   https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
+ *   for a list of the supported identifiers.
+ *
+ * If defined, this option overwrites the effect of the
+ * runtime configuration API mbedtls_ssl_conf_sig_hashes().
+ */
+//#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH
+//#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID
+//#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID
+
 /* \} SECTION: Compile-time SSL configuration */

 /* Target and application specific configurations
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1078,7 +1078,9 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */

 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
    const int *sig_hashes;          /*!< allowed signature hashes           */
+#endif /* !MBEDTLS_SSL_CONF_SINGLE_SIG_HASH */
 #endif

 #if defined(MBEDTLS_ECP_C)
@@ -2863,6 +2865,10 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
 * \note           This list should be ordered by decreasing preference
 *                 (preferred hash first).
 *
+ * \note           On highly constrained systems, the support for a single
+ *                 fixed signature hash algorithm can be configured at compile
+ *                 time through the option MBEDTLS_SSL_CONF_SINGLE_SIG_HASH.
+ *
 * \param conf     SSL configuration
 * \param hashes   Ordered list of allowed signature hashes,
 *                 terminated by \c MBEDTLS_MD_NONE.
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1676,4 +1676,52 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(

 #endif /* MBEDTLS_SSL_CONF_SINGLE_EC */

+#if !defined(MBEDTLS_SSL_CONF_SINGLE_SIG_HASH)
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SIG_HASH( MD_VAR )    \
+    {                                                                   \
+        int const *__md;                                                \
+        for( __md = ssl->conf->sig_hashes;                              \
+             *__md != MBEDTLS_MD_NONE; __md++ )                         \
+        {                                                               \
+            mbedtls_md_type_t MD_VAR = (mbedtls_md_type_t) *__md;       \
+
+ #define MBEDTLS_SSL_END_FOR_EACH_SIG_HASH                              \
+        }                                                               \
+    }
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SIG_HASH_TLS( HASH_VAR )             \
+    {                                                                   \
+        int const *__md;                                                \
+        for( __md = ssl->conf->sig_hashes;                              \
+             *__md != MBEDTLS_MD_NONE; __md++ )                         \
+        {                                                               \
+            unsigned char HASH_VAR;                                     \
+            HASH_VAR = mbedtls_ssl_hash_from_md_alg( *__md );
+
+#define MBEDTLS_SSL_END_FOR_EACH_SIG_HASH_TLS                           \
+        }                                                               \
+    }
+
+#else /* !MBEDTLS_SSL_CONF_SINGLE_SIG_HASH */
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SIG_HASH( MD_VAR )                   \
+    {                                                                   \
+        mbedtls_md_type_t MD_VAR = MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID; \
+        ((void) ssl);
+
+#define MBEDTLS_SSL_END_FOR_EACH_SIG_HASH                               \
+    }
+
+#define MBEDTLS_SSL_BEGIN_FOR_EACH_SIG_HASH_TLS( HASH_VAR )                \
+    {                                                                      \
+        unsigned char HASH_VAR = MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID;  \
+        ((void) ssl);
+
+
+#define MBEDTLS_SSL_END_FOR_EACH_SIG_HASH_TLS                           \
+    }
+
+#endif /* MBEDTLS_SSL_CONF_SINGLE_SIG_HASH */
+
 #endif /* ssl_internal.h */