Merge remote-tracking branch 'restricted/pr/594' into baremetal-proposed
* restricted/pr/594:
Adapt baremetal.h and baremetal.sh
Don't incl. CAs in CertReq message in baremetal build
Allow config'n of incl of CertificateReq CA list Y/N at compile-time
Allow configuration of endpoint (cli/srv) at compile-time
Allow configuration of read timeouts at compile-time
Allow configuration of ConnectionID at compile-time
Allow compile-time configuration of legacy renegotiation
Allow compile-time configuration of authentication mode
Allow compile-time configuration of DTLS badmac limit
Allow compile-time configuration of DTLS anti replay
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 60b7f0a..7ff7b07 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -82,6 +82,17 @@
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
/* Compile-time fixed parts of the SSL configuration */
+#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
+#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
+#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN 1000
+#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX 16000
+#define MBEDTLS_SSL_CONF_CID_LEN 2
+#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
+#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \
+ MBEDTLS_SSL_SECURE_RENEGOTIATION
+#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
+#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
+#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
MBEDTLS_SSL_EXTENDED_MS_ENABLED
#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 86f11ed..61ca0b1 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -631,6 +631,20 @@
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
#endif
+#if ( defined(MBEDTLS_SSL_CONF_CID_LEN) && \
+ !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) || \
+ ( !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
+ defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) )
+#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously"
+#endif
+
+#if ( defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) && \
+ !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) ) || \
+ ( !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) && \
+ defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) )
+#error "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN and MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX must be defined simultaneously"
+#endif
+
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index a1c6fde..96a877b 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3551,6 +3551,26 @@
* \{
*/
+//#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
+
+//#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
+
+/* Timeout */
+//#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
+
+/* Endpoint (Client/Server) */
+//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT
+
+//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
+
+/* DTLS-specific settings */
+//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
+//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
+//#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
+//#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
+//#define MBEDTLS_SSL_CONF_CID_LEN 0
+//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
+
/* ExtendedMasterSecret extension
* The following two options must be set/unset simultaneously. */
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 517eb4e..e7db3ff 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -959,7 +959,9 @@
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
size_t cid_len; /*!< The length of CIDs for incoming DTLS records. */
+#endif /* !MBEDTLS_SSL_CONF_CID_LEN */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -1015,14 +1017,20 @@
* Numerical settings (int then char)
*/
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read (ms) */
+#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
uint32_t hs_timeout_min; /*!< initial value of the handshake
retransmission timeout (ms) */
+#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
+#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
uint32_t hs_timeout_max; /*!< maximum value of the handshake
retransmission timeout (ms) */
-#endif
+#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int renego_max_records; /*!< grace period for renegotiation */
@@ -1031,7 +1039,9 @@
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
unsigned int badmac_limit; /*!< limit of records with a bad MAC */
+#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
@@ -1047,11 +1057,17 @@
* Flags (bitfields)
*/
+#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
unsigned int endpoint : 1; /*!< 0: client, 1: server */
+#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */
+#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
/* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */
unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_ARC4_C)
unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */
#endif
@@ -1072,8 +1088,10 @@
#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
#endif
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
unsigned int anti_replay : 1; /*!< detect and prevent replay? */
-#endif
+#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */
#endif
@@ -1090,13 +1108,17 @@
unsigned int fallback : 1; /*!< is this a fallback? */
#endif
#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
* record with unexpected CID
* should lead to failure. */
+#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
};
@@ -1365,13 +1387,18 @@
*/
int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
+#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
/**
* \brief Set the current endpoint type
*
+ * \note On constrained systems, this can also be configured
+ * at compile-time via MBEDTLS_SSL_CONF_ENDPOINT.
+ *
* \param conf SSL configuration
* \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
*/
void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
+#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
/**
* \brief Set the transport type (TLS or DTLS).
@@ -1682,6 +1709,7 @@
void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
/**
* \brief Set the timeout period for mbedtls_ssl_read()
* (Default: no timeout.)
@@ -1695,10 +1723,14 @@
* With non-blocking I/O, this will only work if timer
* callbacks were set with \c mbedtls_ssl_set_timer_cb().
*
+ * \note On constrained systems, this option can also be configured
+ * at compile-time via MBEDTLS_SSL_CONF_READ_TIMEOUT.
+ *
* \note With non-blocking I/O, you may also skip this function
* altogether and handle timeouts at the application layer.
*/
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
+#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
/**
* \brief Set the timer callbacks (Mandatory for DTLS.)
@@ -2018,14 +2050,16 @@
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
/**
* \brief Enable or disable anti-replay protection for DTLS.
* (DTLS only, no effect on TLS.)
* Default: enabled.
*
* \param conf SSL configuration
- * \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
+ * \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or
+ * MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
*
* \warning Disabling this is a security risk unless the application
* protocol handles duplicated packets in a safe way. You
@@ -2033,11 +2067,16 @@
* However, if your application already detects duplicated
* packets and needs information about them to adjust its
* transmission strategy, then you'll want to disable this.
+ *
+ * \note On constrained systems, this option can also be
+ * fixed at compile-time by defining the constant
+ * MBEDTLS_SSL_CONF_ANTI_REPLAY.
*/
void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
-#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
+ !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
/**
* \brief Set a limit on the number of records with a bad MAC
* before terminating the connection.
@@ -2060,9 +2099,13 @@
* connection. On the other hand, a high limit or no limit
* might make us waste resources checking authentication on
* many bogus packets.
+ *
+ * \note On constrained systems, this option can also be
+ * fixed at compile-time by defining the constant
+ * MBEDTLS_SSL_CONF_BADMAC_LIMIT.
*/
void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
-#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -2295,9 +2338,11 @@
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites );
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
+ !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
/**
* \brief Specify the length of Connection IDs for incoming
* encrypted DTLS records, as well as the behaviour
@@ -2326,13 +2371,19 @@
* same SSL configuration; this allows simpler parsing of
* record headers.
*
+ * \note On constrained systems, this configuration can also be
+ * fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and
+ * MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID.
+ *
* \return \c 0 on success.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
* is too large.
*/
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
int ignore_other_cids );
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+ !MBEDTLS_SSL_CONF_CID_LEN &&
+ !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
/**
* \brief Set the list of allowed ciphersuites and the
@@ -2918,19 +2969,22 @@
void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
#endif /* MBEDTLS_ARC4_C */
-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
/**
* \brief Whether to send a list of acceptable CAs in
* CertificateRequest messages.
* (Default: do send)
*
+ * \note On constrained systems, this options can also be configured
+ * at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST.
+ *
* \param conf SSL configuration
* \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
* MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
*/
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list );
-#endif /* MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
@@ -3032,6 +3086,7 @@
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
/**
* \brief Prevent or allow legacy renegotiation.
* (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
@@ -3058,8 +3113,14 @@
* \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
* SSL_ALLOW_LEGACY_RENEGOTIATION or
* MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
+ *
+ *
+ * \note On constrained systems, this option can also be
+ * fixed at compile-time by defining the constant
+ * MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION.
*/
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
/**
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 8803e83..74c9f1a 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1114,6 +1114,181 @@
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
*/
+#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->cert_req_ca_list );
+}
+#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+}
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
+static inline unsigned int mbedtls_ssl_conf_get_endpoint(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->endpoint );
+}
+#else /* !MBEDTLS_SSL_CONF_ENDPOINT */
+static inline unsigned int mbedtls_ssl_conf_get_endpoint(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_ENDPOINT );
+}
+#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
+
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
+static inline uint32_t mbedtls_ssl_conf_get_read_timeout(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->read_timeout );
+}
+#else /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
+static inline uint32_t mbedtls_ssl_conf_get_read_timeout(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_READ_TIMEOUT );
+}
+#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
+static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_min(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->hs_timeout_min );
+}
+#else /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
+static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_min(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN );
+}
+#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
+
+#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
+static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_max(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->hs_timeout_max );
+}
+#else /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
+static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_max(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX );
+}
+#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
+static inline size_t mbedtls_ssl_conf_get_cid_len(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->cid_len );
+}
+#else /* !MBEDTLS_SSL_CONF_CID_LEN */
+static inline size_t mbedtls_ssl_conf_get_cid_len(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_CID_LEN );
+}
+#endif /* MBEDTLS_SSL_CONF_CID_LEN */
+
+#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
+static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->ignore_unexpected_cid );
+}
+#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
+}
+#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->allow_legacy_renegotiation );
+}
+#else /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
+static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
+}
+#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
+
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
+static inline int mbedtls_ssl_conf_get_authmode(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->authmode );
+}
+#else /* !MBEDTLS_SSL_CONF_AUTHMODE */
+static inline int mbedtls_ssl_conf_get_authmode(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_AUTHMODE );
+}
+#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
+static inline unsigned int mbedtls_ssl_conf_get_badmac_limit(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->badmac_limit );
+}
+#else /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
+static inline unsigned int mbedtls_ssl_conf_get_badmac_limit(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_BADMAC_LIMIT );
+}
+#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
+static inline unsigned int mbedtls_ssl_conf_get_anti_replay(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->anti_replay );
+}
+#else /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
+static inline unsigned int mbedtls_ssl_conf_get_anti_replay(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_ANTI_REPLAY );
+}
+#endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
static inline unsigned int mbedtls_ssl_conf_get_ems(
mbedtls_ssl_config const *conf )
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 80a6da2..2749389 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2073,7 +2073,8 @@
* Renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+ mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
+ MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
@@ -2088,7 +2089,8 @@
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+ mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
+ MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index a69e8b4..038b77e 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -55,7 +55,7 @@
const unsigned char *info,
size_t ilen )
{
- if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_SERVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
mbedtls_free( ssl->cli_id );
@@ -1281,7 +1281,8 @@
* SSLv2 Client Hello relevant renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+ mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
+ MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@@ -2048,7 +2049,8 @@
* Renegotiation security checks
*/
if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+ mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
+ MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
@@ -2063,7 +2065,8 @@
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+ mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf )
+ == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;
@@ -2894,7 +2897,7 @@
authmode = ssl->handshake->sni_authmode;
else
#endif
- authmode = ssl->conf->authmode;
+ authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
authmode == MBEDTLS_SSL_VERIFY_NONE )
@@ -2990,7 +2993,8 @@
total_dn_size = 0;
- if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
+ if( mbedtls_ssl_conf_get_cert_req_ca_list( ssl->conf )
+ == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
{
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 79204a7..2a96043 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -117,6 +117,9 @@
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
/* Top-level Connection ID API */
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
+ !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
size_t len,
int ignore_other_cid )
@@ -134,6 +137,21 @@
conf->cid_len = len;
return( 0 );
}
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+ !MBEDTLS_SSL_CONF_CID_LEN &&
+ !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+
+#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX
+#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN"
+#endif
+#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \
+ MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL
+#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID"
+#endif
+
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+ !MBEDTLS_SSL_CONF_CID_LEN &&
+ !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
int enable,
@@ -152,11 +170,11 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
- if( own_cid_len != ssl->conf->cid_len )
+ if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
(unsigned) own_cid_len,
- (unsigned) ssl->conf->cid_len ) );
+ (unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -300,8 +318,11 @@
{
uint32_t new_timeout;
- if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
+ if( ssl->handshake->retransmit_timeout >=
+ mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) )
+ {
return( -1 );
+ }
/* Implement the final paragraph of RFC 6347 section 4.1.1.1
* in the following way: after the initial transmission and a first
@@ -309,7 +330,8 @@
* This value is guaranteed to be deliverable (if not guaranteed to be
* delivered) of any compliant IPv4 (and IPv6) network, and should work
* on most non-IP stacks too. */
- if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
+ if( ssl->handshake->retransmit_timeout !=
+ mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ) )
{
ssl->handshake->mtu = 508;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
@@ -319,9 +341,9 @@
/* Avoid arithmetic overflow and range overflow */
if( new_timeout < ssl->handshake->retransmit_timeout ||
- new_timeout > ssl->conf->hs_timeout_max )
+ new_timeout > mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) )
{
- new_timeout = ssl->conf->hs_timeout_max;
+ new_timeout = mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf );
}
ssl->handshake->retransmit_timeout = new_timeout;
@@ -333,7 +355,7 @@
static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
{
- ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
+ ssl->handshake->retransmit_timeout = mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
ssl->handshake->retransmit_timeout ) );
}
@@ -1368,7 +1390,7 @@
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
ssl->minor_ver,
- ssl->conf->endpoint,
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ),
ssl );
if( ret != 0 )
{
@@ -2995,7 +3017,9 @@
* timeout if we were using the usual handshake doubling scheme */
if( ssl->conf->renego_max_records < 0 )
{
- uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
+ uint32_t ratio =
+ mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) /
+ mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ) + 1;
unsigned char doublings = 1;
while( ratio != 0 )
@@ -3136,7 +3160,7 @@
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
timeout = ssl->handshake->retransmit_timeout;
else
- timeout = ssl->conf->read_timeout;
+ timeout = mbedtls_ssl_conf_get_read_timeout( ssl->conf );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
@@ -3174,7 +3198,8 @@
return( MBEDTLS_ERR_SSL_WANT_READ );
}
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
- else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ else if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
@@ -3211,8 +3236,8 @@
if( ssl->f_recv_timeout != NULL )
{
ret = ssl->f_recv_timeout( ssl->p_bio,
- ssl->in_hdr + ssl->in_left, len,
- ssl->conf->read_timeout );
+ ssl->in_hdr + ssl->in_left, len,
+ mbedtls_ssl_conf_get_read_timeout( ssl->conf ) );
}
else
{
@@ -3700,7 +3725,8 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT ) )
#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@@ -4324,8 +4350,11 @@
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
uint64_t bit;
- if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) ==
+ MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ {
return( 0 );
+ }
if( rec_seqnum > ssl->in_window_top )
return( 0 );
@@ -4348,8 +4377,11 @@
{
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
- if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) ==
+ MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+ {
return;
+ }
if( rec_seqnum > ssl->in_window_top )
{
@@ -4613,7 +4645,7 @@
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_CID &&
- ssl->conf->cid_len != 0 )
+ mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 )
{
/* Shift pointers to account for record header including CID
* struct {
@@ -4630,7 +4662,7 @@
/* So far, we only support static CID lengths
* fixed in the configuration. */
- ssl->in_len = ssl->in_cid + ssl->conf->cid_len;
+ ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf );
ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
}
else
@@ -4726,7 +4758,8 @@
* have an active transform (possibly iv_len != 0), so use the
* fact that the record header len is 13 instead.
*/
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER &&
ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
rec_epoch == 0 &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
@@ -4859,8 +4892,8 @@
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
- ssl->conf->ignore_unexpected_cid
- == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
+ mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf )
+ == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
@@ -5776,8 +5809,8 @@
}
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
- if( ssl->conf->badmac_limit != 0 &&
- ++ssl->badmac_seen >= ssl->conf->badmac_limit )
+ if( mbedtls_ssl_conf_get_badmac_limit( ssl->conf ) != 0 &&
+ ++ssl->badmac_seen >= mbedtls_ssl_conf_get_badmac_limit( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
@@ -5909,7 +5942,8 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
{
@@ -6076,7 +6110,8 @@
}
#if defined(MBEDTLS_SSL_CLI_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT )
{
if( ssl->client_auth == 0 )
{
@@ -6105,7 +6140,7 @@
}
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{
if( mbedtls_ssl_own_cert( ssl ) == NULL )
{
@@ -6309,7 +6344,8 @@
/* Check if we're handling the first CRT in the chain. */
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
if( crt_cnt++ == 0 &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
{
/* During client-side renegotiation, check that the server's
@@ -6375,7 +6411,7 @@
#if defined(MBEDTLS_SSL_SRV_C)
static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
{
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
return( -1 );
#if defined(MBEDTLS_SSL_PROTO_SSL3)
@@ -6433,7 +6469,7 @@
return( SSL_CERTIFICATE_SKIP );
#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
return( SSL_CERTIFICATE_SKIP );
@@ -6532,11 +6568,11 @@
}
#endif /* MBEDTLS_ECP_C */
- ret = mbedtls_ssl_check_cert_usage( chain,
- ciphersuite_info,
- ! ssl->conf->endpoint,
- &ssl->session_negotiate->verify_result );
- if( ret != 0 )
+ if( mbedtls_ssl_check_cert_usage( chain,
+ ciphersuite_info,
+ ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT ),
+ &ssl->session_negotiate->verify_result ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( verify_ret == 0 )
@@ -6672,9 +6708,9 @@
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
? ssl->handshake->sni_authmode
- : ssl->conf->authmode;
+ : mbedtls_ssl_conf_get_authmode( ssl->conf );
#else
- const int authmode = ssl->conf->authmode;
+ const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
#endif
void *rs_ctx = NULL;
mbedtls_x509_crt *chain = NULL;
@@ -7355,7 +7391,8 @@
ssl_update_out_pointers( ssl, ssl->transform_negotiate );
- ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
+ ssl->handshake->calc_finished( ssl, ssl->out_msg + 4,
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) );
/*
* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
@@ -7382,12 +7419,18 @@
if( ssl->handshake->resume != 0 )
{
#if defined(MBEDTLS_SSL_CLI_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT )
+ {
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+ }
#endif
#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER )
+ {
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+ }
#endif
}
else
@@ -7485,7 +7528,8 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
- ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
+ ssl->handshake->calc_finished( ssl, buf,
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) ^ 1 );
if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
{
@@ -7536,11 +7580,11 @@
if( ssl->handshake->resume != 0 )
{
#if defined(MBEDTLS_SSL_CLI_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
#endif
#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
#endif
}
@@ -7690,7 +7734,7 @@
{
ssl->handshake->alt_transform_out = ssl->transform_out;
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
else
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
@@ -8062,29 +8106,34 @@
/*
* SSL set accessors
*/
+#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
{
conf->endpoint = endpoint;
}
+#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
{
conf->transport = transport;
}
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
{
- conf->anti_replay = mode;
+ conf->anti_replay = mode;
}
-#endif
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
-void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
+ !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf,
+ unsigned limit )
{
conf->badmac_limit = limit;
}
-#endif
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -8094,17 +8143,36 @@
ssl->disable_datagram_packing = !allow_packing;
}
+#if !( defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) && \
+ defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) )
void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
uint32_t min, uint32_t max )
{
conf->hs_timeout_min = min;
conf->hs_timeout_max = max;
}
-#endif
+#else /* !( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN &&
+ MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX ) */
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
+ uint32_t min, uint32_t max )
+{
+ ((void) conf);
+ ((void) min);
+ ((void) max);
+}
+#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN &&
+ MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
{
- conf->authmode = authmode;
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
+ conf->authmode = authmode;
+#else
+ ((void) conf);
+ ((void) authmode);
+#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -8152,10 +8220,12 @@
}
#endif
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
{
conf->read_timeout = timeout;
}
+#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
void *p_timer,
@@ -8190,7 +8260,7 @@
if( ssl == NULL ||
session == NULL ||
ssl->session_negotiate == NULL ||
- ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -8318,7 +8388,7 @@
if( ssl->handshake == NULL || ssl->conf == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
role = MBEDTLS_ECJPAKE_SERVER;
else
role = MBEDTLS_ECJPAKE_CLIENT;
@@ -8612,7 +8682,7 @@
}
#endif
-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list )
{
@@ -8679,10 +8749,12 @@
}
#endif
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
{
conf->allow_legacy_renegotiation = allow_legacy;
}
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
@@ -8986,7 +9058,7 @@
static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
{
/* Return unlimited mtu for client hello messages to avoid fragmentation. */
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT &&
( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
return ( 0 );
@@ -9068,7 +9140,7 @@
if( ssl == NULL ||
dst == NULL ||
ssl->session == NULL ||
- ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -9652,11 +9724,11 @@
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
#if defined(MBEDTLS_SSL_CLI_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ret = mbedtls_ssl_handshake_client_step( ssl );
#endif
#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
ret = mbedtls_ssl_handshake_server_step( ssl );
#endif
@@ -9739,10 +9811,15 @@
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER )
+ {
ssl->handshake->out_msg_seq = 1;
+ }
else
+ {
ssl->handshake->in_msg_seq = 1;
+ }
}
#endif
@@ -9773,7 +9850,7 @@
#if defined(MBEDTLS_SSL_SRV_C)
/* On server, just send the request */
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -9916,7 +9993,8 @@
if( ssl->f_get_timer != NULL &&
ssl->f_get_timer( ssl->p_timer ) == -1 )
{
- ssl_set_timer( ssl, ssl->conf->read_timeout );
+ ssl_set_timer( ssl,
+ mbedtls_ssl_conf_get_read_timeout( ssl->conf ) );
}
if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
@@ -9955,7 +10033,8 @@
*/
#if defined(MBEDTLS_SSL_CLI_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT &&
( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
{
@@ -9978,7 +10057,8 @@
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
@@ -10003,7 +10083,7 @@
/* Determine whether renegotiation attempt should be accepted */
if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation ==
+ mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
{
/*
@@ -10013,7 +10093,8 @@
/* DTLS clients need to know renego is server-initiated */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
- ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_CLIENT )
{
ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
}
@@ -10126,7 +10207,8 @@
* Do it now, after setting in_offt, to avoid taking this branch
* again if ssl_write_hello_request() returns WANT_WRITE */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
- if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+ if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
+ MBEDTLS_SSL_IS_SERVER &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
@@ -10722,7 +10804,9 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( endpoint == MBEDTLS_SSL_IS_CLIENT )
{
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
#endif
@@ -10756,18 +10840,25 @@
conf->f_cookie_check = ssl_cookie_check_dummy;
#endif
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
#endif
#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
-#endif
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
+#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
+#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
+#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
-#endif
+#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 8e6ef23..7154364 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2610,6 +2610,94 @@
}
#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
+#if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+ if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_CONF_AUTHMODE)
+ if( strcmp( "MBEDTLS_SSL_CONF_AUTHMODE", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_AUTHMODE );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
+
+#if defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
+ if( strcmp( "MBEDTLS_SSL_CONF_READ_TIMEOUT", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_READ_TIMEOUT );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
+
+#if defined(MBEDTLS_SSL_CONF_ENDPOINT)
+ if( strcmp( "MBEDTLS_SSL_CONF_ENDPOINT", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ENDPOINT );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
+
+#if defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+ if( strcmp( "MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+
+#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
+ if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
+
+#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
+ if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
+
+#if defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
+ if( strcmp( "MBEDTLS_SSL_CONF_ANTI_REPLAY", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ANTI_REPLAY );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
+ if( strcmp( "MBEDTLS_SSL_CONF_BADMAC_LIMIT", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_BADMAC_LIMIT );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_CONF_CID_LEN)
+ if( strcmp( "MBEDTLS_SSL_CONF_CID_LEN", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CID_LEN );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_CID_LEN */
+
+#if defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
+ if( strcmp( "MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
{
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index dd194f3..a5d3eb1 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -293,6 +293,27 @@
#define USAGE_SERIALIZATION ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
+#define USAGE_AUTH_MODE \
+ " auth_mode=%%s default: (library default: none)\n" \
+ " options: none, optional, required\n"
+#else
+#define USAGE_AUTH_MODE ""
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+#define USAGE_ALLOW_LEGACY_RENEGO " allow_legacy=%%d default: (library default: no)\n"
+#else
+#define USAGE_ALLOW_LEGACY_RENEGO ""
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
+#define USAGE_READ_TIMEOUT \
+ " read_timeout=%%d default: 0 ms (no timeout)\n"
+#else
+#define USAGE_READ_TIMEOUT ""
+#endif
+
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -311,21 +332,20 @@
" options: 1 (non-blocking), 2 (added delays)\n" \
" event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \
- " read_timeout=%%d default: 0 ms (no timeout)\n" \
+ USAGE_READ_TIMEOUT \
" max_resend=%%d default: 0 (no resend on timeout)\n" \
"\n" \
USAGE_DTLS \
USAGE_CID \
"\n" \
- " auth_mode=%%s default: (library default: none)\n" \
- " options: none, optional, required\n" \
+ USAGE_AUTH_MODE \
USAGE_IO \
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
USAGE_ECRESTART \
"\n" \
- " allow_legacy=%%d default: (library default: no)\n" \
+ USAGE_ALLOW_LEGACY_RENEGO \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
" reconnect=%%d number of reconnections using session resumption\n" \
@@ -908,8 +928,10 @@
if( opt.event < 0 || opt.event > 2 )
goto usage;
}
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
else if( strcmp( p, "read_timeout" ) == 0 )
opt.read_timeout = atoi( q );
+#endif
else if( strcmp( p, "max_resend" ) == 0 )
{
opt.max_resend = atoi( q );
@@ -980,6 +1002,7 @@
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
}
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
else if( strcmp( p, "allow_legacy" ) == 0 )
{
switch( atoi( q ) )
@@ -996,6 +1019,7 @@
default: goto usage;
}
}
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
@@ -1175,6 +1199,7 @@
else
goto usage;
}
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
@@ -1186,6 +1211,7 @@
else
goto usage;
}
+#endif
else if( strcmp( p, "max_frag_len" ) == 0 )
{
if( strcmp( q, "512" ) == 0 )
@@ -1655,7 +1681,9 @@
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
+ !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{
if( opt.cid_enabled == 1 &&
@@ -1680,7 +1708,9 @@
goto exit;
}
}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+ !MBEDTLS_SSL_CONF_CID_LEN &&
+ !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
@@ -1748,7 +1778,9 @@
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
+#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_session_tickets( &conf, opt.tickets );
@@ -1762,8 +1794,10 @@
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
#endif
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
#endif
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index cd2fa93..72b5189 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -317,14 +317,16 @@
#define USAGE_COOKIES ""
#endif
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
#define USAGE_ANTI_REPLAY \
" anti_replay=0/1 default: (library default: enabled)\n"
#else
#define USAGE_ANTI_REPLAY ""
#endif
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
+ !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
#define USAGE_BADMAC_LIMIT \
" badmac_limit=%%d default: (library default: disabled)\n"
#else
@@ -398,6 +400,36 @@
#define USAGE_SERIALIZATION ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
+#define USAGE_AUTH_MODE \
+ " auth_mode=%%s default: (library default: none)\n" \
+ " options: none, optional, required\n"
+#else
+#define USAGE_AUTH_MODE ""
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+#define USAGE_ALLOW_LEGACY_RENEGO \
+ " allow_legacy=%%d default: (library default: no)\n"
+#else
+#define USAGE_ALLOW_LEGACY_RENEGO ""
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
+#define USAGE_READ_TIMEOUT \
+ " read_timeout=%%d default: 0 ms (no timeout)\n"
+#else
+#define USAGE_READ_TIMEOUT ""
+#endif
+
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+#define USAGE_CERT_REQ_CA_LIST \
+ " cert_req_ca_list=%%d default: 1 (send ca list)\n" \
+ " options: 1 (send ca list), 0 (don't send)\n"
+#else
+#define USAGE_CERT_REQ_CA_LIST ""
+#endif
+
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -413,17 +445,15 @@
" options: 1 (non-blocking), 2 (added delays)\n" \
" event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \
- " read_timeout=%%d default: 0 ms (no timeout)\n" \
+ USAGE_READ_TIMEOUT \
"\n" \
USAGE_DTLS \
USAGE_COOKIES \
USAGE_ANTI_REPLAY \
USAGE_BADMAC_LIMIT \
"\n" \
- " auth_mode=%%s default: (library default: none)\n" \
- " options: none, optional, required\n" \
- " cert_req_ca_list=%%d default: 1 (send ca list)\n" \
- " options: 1 (send ca list), 0 (don't send)\n" \
+ USAGE_AUTH_MODE \
+ USAGE_CERT_REQ_CA_LIST \
USAGE_IO \
USAGE_SSL_ASYNC \
USAGE_SNI \
@@ -431,7 +461,7 @@
USAGE_PSK \
USAGE_ECJPAKE \
"\n" \
- " allow_legacy=%%d default: (library default: no)\n" \
+ USAGE_ALLOW_LEGACY_RENEGO \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
"\n" \
@@ -617,6 +647,7 @@
return( ret );
}
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
/*
* Return authmode from string, or -1 on error
*/
@@ -631,6 +662,7 @@
return( -1 );
}
+#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
/*
* Used by sni_parse and psk_parse to handle coma-separated lists
@@ -1572,8 +1604,10 @@
if( opt.event < 0 || opt.event > 2 )
goto usage;
}
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
else if( strcmp( p, "read_timeout" ) == 0 )
opt.read_timeout = atoi( q );
+#endif
else if( strcmp( p, "buffer_size" ) == 0 )
{
opt.buffer_size = atoi( q );
@@ -1672,6 +1706,7 @@
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
}
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
else if( strcmp( p, "allow_legacy" ) == 0 )
{
switch( atoi( q ) )
@@ -1688,6 +1723,7 @@
default: goto usage;
}
}
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
@@ -1800,11 +1836,13 @@
else
goto usage;
}
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( ( opt.auth_mode = get_auth_mode( q ) ) < 0 )
goto usage;
}
+#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
else if( strcmp( p, "cert_req_ca_list" ) == 0 )
{
opt.cert_req_ca_list = atoi( q );
@@ -1904,18 +1942,22 @@
if( opt.cookies < -1 || opt.cookies > 1)
goto usage;
}
+#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
else if( strcmp( p, "anti_replay" ) == 0 )
{
opt.anti_replay = atoi( q );
if( opt.anti_replay < 0 || opt.anti_replay > 1)
goto usage;
}
+#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
+#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
else if( strcmp( p, "badmac_limit" ) == 0 )
{
opt.badmac_limit = atoi( q );
if( opt.badmac_limit < 0 )
goto usage;
}
+#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
else if( strcmp( p, "hs_timeout" ) == 0 )
{
if( ( p = strchr( q, '-' ) ) == NULL )
@@ -2454,11 +2496,15 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
+#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
+#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
@@ -2476,7 +2522,9 @@
};
#endif
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+ !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
+ !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{
if( opt.cid_enabled == 1 &&
@@ -2501,7 +2549,9 @@
goto exit;
}
}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+ !MBEDTLS_SSL_CONF_CID_LEN &&
+ !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
@@ -2597,12 +2647,14 @@
; /* Nothing to do */
}
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
+ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
if( opt.anti_replay != DFL_ANTI_REPLAY )
mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay );
#endif
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
+ !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
if( opt.badmac_limit != DFL_BADMAC_LIMIT )
mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit );
#endif
@@ -2633,8 +2685,10 @@
MBEDTLS_SSL_MINOR_VERSION_3 );
}
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
+#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
@@ -2908,7 +2962,9 @@
goto exit;
}
+#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
+#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
diff --git a/scripts/baremetal.sh b/scripts/baremetal.sh
index be5fd04..7cd1e70 100755
--- a/scripts/baremetal.sh
+++ b/scripts/baremetal.sh
@@ -213,7 +213,8 @@
: ${CLI:=./programs/ssl/ssl_client2}
: ${CLI_PARAMS:="dtls=1 cid=1 cid_val=beef"}
: ${SRV:=./programs/ssl/ssl_server2}
- : ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required cid=1 cid_val=dead"}
+ : ${SRV_PARAMS:="dtls=1 cid=1 cid_val=dead"} # renegotiation=1 auth_mode=required implicit
+ # compile-time hardcoding of configuration
: ${VALGRIND:=valgrind}
: ${VALGRIND_MASSIF_PARAMS="--time-unit=B --threshold=0.01 --detailed-freq=1"}
@@ -271,7 +272,8 @@
: ${CLI:=./programs/ssl/ssl_client2}
: ${CLI_PARAMS:="dtls=1"}
: ${SRV:=./programs/ssl/ssl_server2}
- : ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required"}
+ : ${SRV_PARAMS:="dtls=1"} # renegotiation=1 auth_mode=required implicit
+ # compile-time hardcoding of configuration
: ${VALGRIND:=valgrind}
: ${VALGRIND_CALLGRIND_PARAMS:="--separate-callers=100"}
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d35b9bf..e76b3ed 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -529,6 +529,34 @@
fi
}
+check_cmdline_authmode_compat() {
+ __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
+ if [ ! -z "$__VAL" ]; then
+ extract_cmdline_argument "auth_mode"
+ if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
+ SKIP_NEXT="YES";
+ elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
+ SKIP_NEXT="YES"
+ elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+}
+
+check_cmdline_legacy_renego_compat() {
+ __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
+ if [ ! -z "$__VAL" ]; then
+ extract_cmdline_argument "allow_legacy"
+ if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
+ SKIP_NEXT="YES";
+ elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
+ SKIP_NEXT="YES"
+ elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
+ SKIP_NEXT="YES"
+ fi
+ fi
+}
+
# Go through all options that can be hardcoded at compile-time and
# detect whether the command line configures them in a conflicting
# way. If so, skip the test. Otherwise, remove the corresponding
@@ -544,6 +572,20 @@
"MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
check_cmdline_param_compat "enforce_extended_master_secret" \
"MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
+
+ # DTLS anti replay protection configuration
+ check_cmdline_param_compat "anti_replay" \
+ "MBEDTLS_SSL_CONF_ANTI_REPLAY"
+
+ # DTLS bad MAC limit
+ check_cmdline_param_compat "badmac_limit" \
+ "MBEDTLS_SSL_CONF_BADMAC_LIMIT"
+
+ # Authentication mode
+ check_cmdline_authmode_compat
+
+ # Legacy renegotiation
+ check_cmdline_legacy_renego_compat
}
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
@@ -7740,7 +7782,7 @@
not_with_valgrind # spurious resend due to timeout
run_test "DTLS proxy: duplicate every packet" \
-p "$P_PXY duplicate=1" \
- "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
+ "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \
"$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
0 \
-c "replayed record" \