diff --git a/crypto/src/tls/crypto/TlsCrypto.cs b/crypto/src/tls/crypto/TlsCrypto.cs
index bd003aefa..4dab6bc57 100644
--- a/crypto/src/tls/crypto/TlsCrypto.cs
+++ b/crypto/src/tls/crypto/TlsCrypto.cs
@@ -16,6 +16,17 @@ namespace Org.BouncyCastle.Tls.Crypto
/// false otherwise.</returns>
bool HasAllRawSignatureAlgorithms();
+ /// <summary>Return true if this TlsCrypto can support the passed in hash algorithm.</summary>
+ /// <param name="cryptoHashAlgorithm">the algorithm of interest.</param>
+ /// <returns>true if cryptoHashAlgorithm is supported, false otherwise.</returns>
+ bool HasCryptoHashAlgorithm(int cryptoHashAlgorithm);
+
+ /// <summary>Return true if this TlsCrypto can support the passed in signature algorithm (not necessarily in
+ /// combination with EVERY hash algorithm).</summary>
+ /// <param name="cryptoSignatureAlgorithm">the algorithm of interest.</param>
+ /// <returns>true if cryptoSignatureAlgorithm is supported, false otherwise.</returns>
+ bool HasCryptoSignatureAlgorithm(int cryptoSignatureAlgorithm);
+
/// <summary>Return true if this TlsCrypto can support DH key agreement.</summary>
/// <returns>true if this instance can support DH key agreement, false otherwise.</returns>
bool HasDHAgreement();
@@ -30,16 +41,10 @@ namespace Org.BouncyCastle.Tls.Crypto
/// <returns>true if encryptionAlgorithm is supported, false otherwise.</returns>
bool HasEncryptionAlgorithm(int encryptionAlgorithm);
- /// <summary>Return true if this TlsCrypto can support the passed in hash algorithm.</summary>
+ /// <summary>Return true if this TlsCrypto can support HKDF with the passed in hash algorithm.</summary>
/// <param name="cryptoHashAlgorithm">the algorithm of interest.</param>
- /// <returns>true if cryptoHashAlgorithm is supported, false otherwise.</returns>
- bool HasCryptoHashAlgorithm(int cryptoHashAlgorithm);
-
- /// <summary>Return true if this TlsCrypto can support the passed in signature algorithm (not necessarily in
- /// combination with EVERY hash algorithm).</summary>
- /// <param name="cryptoSignatureAlgorithm">the algorithm of interest.</param>
- /// <returns>true if cryptoSignatureAlgorithm is supported, false otherwise.</returns>
- bool HasCryptoSignatureAlgorithm(int cryptoSignatureAlgorithm);
+ /// <returns>true if HKDF is supported with cryptoHashAlgorithm, false otherwise.</returns>
+ bool HasHkdfAlgorithm(int cryptoHashAlgorithm);
/// <summary>Return true if this TlsCrypto can support the passed in MAC algorithm.</summary>
/// <param name="macAlgorithm">the algorithm of interest.</param>
diff --git a/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs b/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
index 0a634fffe..39d86c241 100644
--- a/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
+++ b/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
@@ -14,15 +14,17 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl
{
public abstract bool HasAllRawSignatureAlgorithms();
+ public abstract bool HasCryptoHashAlgorithm(int cryptoHashAlgorithm);
+
+ public abstract bool HasCryptoSignatureAlgorithm(int cryptoSignatureAlgorithm);
+
public abstract bool HasDHAgreement();
public abstract bool HasECDHAgreement();
public abstract bool HasEncryptionAlgorithm(int encryptionAlgorithm);
- public abstract bool HasCryptoHashAlgorithm(int cryptoHashAlgorithm);
-
- public abstract bool HasCryptoSignatureAlgorithm(int cryptoSignatureAlgorithm);
+ public abstract bool HasHkdfAlgorithm(int cryptoHashAlgorithm);
public abstract bool HasMacAlgorithm(int macAlgorithm);
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs b/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
index 59a3a25ed..a56835105 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
@@ -155,35 +155,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
public override bool HasAllRawSignatureAlgorithms()
{
// TODO[RFC 8422] Revisit the need to buffer the handshake for "Intrinsic" hash signatures
- return !HasSignatureAlgorithm(SignatureAlgorithm.ed25519)
- && !HasSignatureAlgorithm(SignatureAlgorithm.ed448);
- }
-
- public override bool HasDHAgreement()
- {
- return true;
- }
-
- public override bool HasECDHAgreement()
- {
- return true;
- }
-
- public override bool HasEncryptionAlgorithm(int encryptionAlgorithm)
- {
- switch (encryptionAlgorithm)
- {
- case EncryptionAlgorithm.DES40_CBC:
- case EncryptionAlgorithm.DES_CBC:
- case EncryptionAlgorithm.IDEA_CBC:
- case EncryptionAlgorithm.RC2_CBC_40:
- case EncryptionAlgorithm.RC4_128:
- case EncryptionAlgorithm.RC4_40:
- return false;
-
- default:
- return true;
- }
+ return false;
}
public override bool HasCryptoHashAlgorithm(int cryptoHashAlgorithm)
@@ -233,6 +205,48 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
}
}
+ public override bool HasDHAgreement()
+ {
+ return true;
+ }
+
+ public override bool HasECDHAgreement()
+ {
+ return true;
+ }
+
+ public override bool HasEncryptionAlgorithm(int encryptionAlgorithm)
+ {
+ switch (encryptionAlgorithm)
+ {
+ case EncryptionAlgorithm.DES40_CBC:
+ case EncryptionAlgorithm.DES_CBC:
+ case EncryptionAlgorithm.IDEA_CBC:
+ case EncryptionAlgorithm.RC2_CBC_40:
+ case EncryptionAlgorithm.RC4_128:
+ case EncryptionAlgorithm.RC4_40:
+ return false;
+
+ default:
+ return true;
+ }
+ }
+
+ public override bool HasHkdfAlgorithm(int cryptoHashAlgorithm)
+ {
+ switch (cryptoHashAlgorithm)
+ {
+ case CryptoHashAlgorithm.sha256:
+ case CryptoHashAlgorithm.sha384:
+ case CryptoHashAlgorithm.sha512:
+ case CryptoHashAlgorithm.sm3:
+ return true;
+
+ default:
+ return false;
+ }
+ }
+
public override bool HasMacAlgorithm(int macAlgorithm)
{
switch (macAlgorithm)
diff --git a/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs b/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs
index a274cc5ba..ddbe4c6b8 100644
--- a/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs
+++ b/crypto/test/src/tls/crypto/test/BcTlsCryptoTest.cs
@@ -408,6 +408,9 @@ namespace Org.BouncyCastle.Tls.Crypto.Tests
for (int i = 0; i < hashes.Length; ++i)
{
int hash = hashes[i];
+ if (!m_crypto.HasHkdfAlgorithm(hash))
+ continue;
+
int hashLen = TlsCryptoUtilities.GetHashOutputSize(hash);
TlsSecret zeros = m_crypto.HkdfInit(hash);
|
