Add pre-defined profiles for cert verification
diff --git a/library/ecp.c b/library/ecp.c
index 31197ce..b733bcc 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -124,6 +124,8 @@
*
* Curves are listed in order: largest curves first, and for a given size,
* fastest curves first. This provides the default order for the SSL module.
+ *
+ * Reminder: update profiles in x509_crt.c when adding a new curves!
*/
static const mbedtls_ecp_curve_info ecp_supported_curves[] =
{
diff --git a/library/md.c b/library/md.c
index 381ffc4..1d6191f 100644
--- a/library/md.c
+++ b/library/md.c
@@ -54,6 +54,9 @@
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
+/*
+ * Reminder: update profiles in x509_crt.c when adding a new hash!
+ */
static const int supported_digests[] = {
#if defined(MBEDTLS_SHA512_C)
diff --git a/library/x509_crt.c b/library/x509_crt.c
index e3d7cc7..8ed3468 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -82,6 +82,122 @@
}
/*
+ * Default profile
+ */
+static const mbedtls_md_type_t x509_prof_default_mds[] =
+{
+ MBEDTLS_MD_SHA1,
+ MBEDTLS_MD_RIPEMD160,
+ MBEDTLS_MD_SHA224,
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_MD_SHA384,
+ MBEDTLS_MD_SHA512,
+ MBEDTLS_MD_NONE
+};
+
+static const mbedtls_pk_type_t x509_prof_default_pks[] =
+{
+ MBEDTLS_PK_RSA,
+ MBEDTLS_PK_ECDSA,
+ MBEDTLS_PK_NONE
+};
+
+#if defined(MBEDTLS_ECP_C)
+static const mbedtls_ecp_group_id x509_prof_default_curves[] =
+{
+ MBEDTLS_ECP_DP_SECP192R1,
+ MBEDTLS_ECP_DP_SECP224R1,
+ MBEDTLS_ECP_DP_SECP256R1,
+ MBEDTLS_ECP_DP_SECP384R1,
+ MBEDTLS_ECP_DP_SECP521R1,
+ MBEDTLS_ECP_DP_BP256R1,
+ MBEDTLS_ECP_DP_BP384R1,
+ MBEDTLS_ECP_DP_BP512R1,
+ MBEDTLS_ECP_DP_SECP192K1,
+ MBEDTLS_ECP_DP_SECP224K1,
+ MBEDTLS_ECP_DP_SECP256K1,
+};
+#else
+static const mbedtls_ecp_group_id *x509_prof_default_curves = NULL;
+#endif
+
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
+{
+ x509_prof_default_mds,
+ x509_prof_default_pks,
+ x509_prof_default_curves,
+ 2048,
+};
+
+/*
+ * Next-default profile
+ */
+static const mbedtls_md_type_t x509_prof_next_mds[] =
+{
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_MD_SHA384,
+ MBEDTLS_MD_SHA512,
+ MBEDTLS_MD_NONE
+};
+
+#if defined(MBEDTLS_ECP_C)
+static const mbedtls_ecp_group_id x509_prof_next_curves[] =
+{
+ MBEDTLS_ECP_DP_SECP256R1,
+ MBEDTLS_ECP_DP_SECP384R1,
+ MBEDTLS_ECP_DP_SECP521R1,
+ MBEDTLS_ECP_DP_BP256R1,
+ MBEDTLS_ECP_DP_BP384R1,
+ MBEDTLS_ECP_DP_BP512R1,
+ MBEDTLS_ECP_DP_SECP256K1,
+};
+#else
+static const mbedtls_ecp_group_id *x509_prof_next_curves = NULL;
+#endif
+
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
+{
+ x509_prof_next_mds,
+ x509_prof_default_pks,
+ x509_prof_next_curves,
+ 2048,
+};
+
+/*
+ * NSA Suite B Profile
+ */
+static const mbedtls_md_type_t x509_prof_suiteb_mds[] =
+{
+ MBEDTLS_MD_SHA256,
+ MBEDTLS_MD_SHA384,
+ MBEDTLS_MD_NONE
+};
+
+static const mbedtls_pk_type_t x509_prof_suiteb_pks[] =
+{
+ MBEDTLS_PK_ECDSA,
+ MBEDTLS_PK_NONE
+};
+
+#if defined(MBEDTLS_ECP_C)
+static const mbedtls_ecp_group_id x509_prof_suiteb_curves[] =
+{
+ MBEDTLS_ECP_DP_SECP256R1,
+ MBEDTLS_ECP_DP_SECP384R1,
+};
+#else
+static const mbedtls_ecp_group_id *x509_prof_suiteb_curves = NULL;
+#endif
+
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
+{
+ x509_prof_suiteb_mds,
+ x509_prof_suiteb_pks,
+ x509_prof_suiteb_curves,
+ 2048,
+};
+
+/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
static int x509_get_version( unsigned char **p,
@@ -1995,7 +2111,7 @@
void *p_vrfy )
{
return( mbedtls_x509_crt_verify_with_profile( crt, trust_ca, ca_crl,
- NULL /* WIP */, cn, flags, f_vrfy, p_vrfy ) );
+ &mbedtls_x509_crt_profile_default, cn, flags, f_vrfy, p_vrfy ) );
}