From b1caa48e4bb3f15e7eb749e0c3470436ebff3435 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Sun, 2 Aug 2015 16:54:24 +0100 Subject: [crypto] Support SHA-{224,384,512} in X.509 certificates Add support for SHA-224, SHA-384, and SHA-512 as digest algorithms in X.509 certificates, and allow the choice of public-key, cipher, and digest algorithms to be configured at build time via config/crypto.h. Originally-implemented-by: Tufan Karadere Signed-off-by: Michael Brown --- src/config/config_crypto.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++ src/config/crypto.h | 33 ++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 src/config/config_crypto.c (limited to 'src/config') diff --git a/src/config/config_crypto.c b/src/config/config_crypto.c new file mode 100644 index 00000000..1e125d8a --- /dev/null +++ b/src/config/config_crypto.c @@ -0,0 +1,76 @@ +/* + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include + +/** @file + * + * Cryptographic configuration + * + * Cryptographic configuration is slightly messy since we need to drag + * in objects based on combinations of build options. + */ + +PROVIDE_REQUIRING_SYMBOL(); + +/* RSA and MD5 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_MD5 ) +REQUIRE_OBJECT ( rsa_md5 ); +#endif + +/* RSA and SHA-1 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA1 ) +REQUIRE_OBJECT ( rsa_sha1 ); +#endif + +/* RSA and SHA-224 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA224 ) +REQUIRE_OBJECT ( rsa_sha224 ); +#endif + +/* RSA and SHA-256 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA256 ) +REQUIRE_OBJECT ( rsa_sha256 ); +#endif + +/* RSA and SHA-384 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA384 ) +REQUIRE_OBJECT ( rsa_sha384 ); +#endif + +/* RSA and SHA-512 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_DIGEST_SHA512 ) +REQUIRE_OBJECT ( rsa_sha512 ); +#endif + +/* RSA, AES-CBC, and SHA-1 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \ + defined ( CRYPTO_DIGEST_SHA1 ) +REQUIRE_OBJECT ( rsa_aes_cbc_sha1 ); +#endif + +/* RSA, AES-CBC, and SHA-256 */ +#if defined ( CRYPTO_PUBKEY_RSA ) && defined ( CRYPTO_CIPHER_AES_CBC ) && \ + defined ( CRYPTO_DIGEST_SHA256 ) +REQUIRE_OBJECT ( rsa_aes_cbc_sha256 ); +#endif diff --git a/src/config/crypto.h b/src/config/crypto.h index 9e1f8b2f..bccfc04b 100644 --- a/src/config/crypto.h +++ b/src/config/crypto.h @@ -9,6 +9,39 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); +/** RSA public-key algorithm */ +#define CRYPTO_PUBKEY_RSA + +/** AES-CBC block cipher */ +#define CRYPTO_CIPHER_AES_CBC + +/** MD5 digest algorithm + * + * Note that use of MD5 is implicit when using TLSv1.1 or earlier. + */ +#define CRYPTO_DIGEST_MD5 + +/** SHA-1 digest algorithm + * + * Note that use of SHA-1 is implicit when using TLSv1.1 or earlier. + */ +#define CRYPTO_DIGEST_SHA1 + +/** SHA-224 digest algorithm */ +#define CRYPTO_DIGEST_SHA224 + +/** SHA-256 digest algorithm + * + * Note that use of SHA-256 is implicit when using TLSv1.2. + */ +#define CRYPTO_DIGEST_SHA256 + +/** SHA-384 digest algorithm */ +#define CRYPTO_DIGEST_SHA384 + +/** SHA-512 digest algorithm */ +#define CRYPTO_DIGEST_SHA512 + /** Margin of error (in seconds) allowed in signed timestamps * * We default to allowing a reasonable margin of error: 12 hours to -- cgit v1.2.3-55-g7522