Allow SHA-1 in X.509 and TLS tests

SHA-1 is now disabled by default in the X.509 layer. Explicitly enable it in our tests for now. Updating all the test data to SHA-256 should be done over time.
2025-07-28 00:21:48 +03:00 · 2017-05-05 18:59:02 +02:00
parent 750c353c5c
commit ef86ab238f
4 changed files with 130 additions and 98 deletions
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -816,6 +816,9 @@ int main( int argc, char *argv[] )
    mbedtls_ssl_cookie_ctx cookie_ctx;
 #endif

+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
+#endif
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    mbedtls_ssl_context ssl;
@ -1642,6 +1645,14 @@ int main( int argc, char *argv[] )
        goto exit;
    }

+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /* The default algorithms profile disables SHA-1, but our tests still
+       rely on it heavily. Hence we allow it here. A real-world server
+       should use the default profile unless there is a good reason not to. */
+    crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 );
+    mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
    if( opt.auth_mode != DFL_AUTH_MODE )
        mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );