Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 individually
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 5aee165..9fc5458 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -538,6 +538,54 @@
#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH
/**
+ * \def POLARSSL_SSL_PROTO_SSL3
+ *
+ * Enable support for SSL 3.0
+ *
+ * Requires: POLARSSL_MD5_C
+ * POLARSSL_SHA1_C
+ *
+ * Comment this macro to disable support for SSL 3.0
+ */
+#define POLARSSL_SSL_PROTO_SSL3
+
+/**
+ * \def POLARSSL_SSL_PROTO_TLS1
+ *
+ * Enable support for TLS 1.0
+ *
+ * Requires: POLARSSL_MD5_C
+ * POLARSSL_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.0
+ */
+#define POLARSSL_SSL_PROTO_TLS1
+
+/**
+ * \def POLARSSL_SSL_PROTO_TLS1_1
+ *
+ * Enable support for TLS 1.1
+ *
+ * Requires: POLARSSL_MD5_C
+ * POLARSSL_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.1
+ */
+#define POLARSSL_SSL_PROTO_TLS1_1
+
+/**
+ * \def POLARSSL_SSL_PROTO_TLS1_2
+ *
+ * Enable support for TLS 1.2
+ *
+ * Requires: POLARSSL_SHA256_C or POLARSSL_SHA512_C
+ * (Depends on ciphersuites)
+ *
+ * Comment this macro to disable support for TLS 1.2
+ */
+#define POLARSSL_SSL_PROTO_TLS1_2
+
+/**
* \def POLARSSL_SSL_SESSION_TICKETS
*
* Enable support for RFC 5077 session tickets in SSL
@@ -1226,7 +1274,8 @@
* Caller: library/ssl_cli.c
* library/ssl_srv.c
*
- * Requires: POLARSSL_MD5_C, POLARSSL_SHA1_C, POLARSSL_CIPHER_C
+ * Requires: POLARSSL_CIPHER_C and at least one of the
+ * POLARSSL_SSL_PROTO_* defines
*
* This module is required for SSL/TLS.
*/
@@ -1454,8 +1503,7 @@
#error "POLARSSL_SSL_CLI_C defined, but not all prerequisites"
#endif
-#if defined(POLARSSL_SSL_TLS_C) && ( !defined(POLARSSL_MD5_C) || \
- !defined(POLARSSL_SHA1_C) || !defined(POLARSSL_CIPHER_C) )
+#if defined(POLARSSL_SSL_TLS_C) && !defined(POLARSSL_CIPHER_C)
#error "POLARSSL_SSL_TLS_C defined, but not all prerequisites"
#endif
@@ -1463,6 +1511,28 @@
#error "POLARSSL_SSL_SRV_C defined, but not all prerequisites"
#endif
+#if defined(POLARSSL_SSL_TLS_C) && (!defined(POLARSSL_SSL_PROTO_SSL3) && \
+ !defined(POLARSSL_SSL_PROTO_TLS1) && !defined(POLARSSL_SSL_PROTO_TLS1_1) && \
+ !defined(POLARSSL_SSL_PROTO_TLS1_2))
+#error "POLARSSL_SSL_TLS_C defined, but no protocols are active"
+#endif
+
+#if defined(POLARSSL_SSL_TLS_C) && (defined(POLARSSL_SSL_PROTO_SSL3) && \
+ defined(POLARSSL_SSL_PROTO_TLS1_1) && !defined(POLARSSL_SSL_PROTO_TLS1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(POLARSSL_SSL_TLS_C) && (defined(POLARSSL_SSL_PROTO_TLS1) && \
+ defined(POLARSSL_SSL_PROTO_TLS1_2) && !defined(POLARSSL_SSL_PROTO_TLS1_1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(POLARSSL_SSL_TLS_C) && (defined(POLARSSL_SSL_PROTO_SSL3) && \
+ defined(POLARSSL_SSL_PROTO_TLS1_2) && (!defined(POLARSSL_SSL_PROTO_TLS1) || \
+ !defined(POLARSSL_SSL_PROTO_TLS1_1)))
+#error "Illegal protocol selection"
+#endif
+
#if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) )
#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 8383b7f..1576fcb 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -31,14 +31,28 @@
#include "net.h"
#include "bignum.h"
-#include "md5.h"
-#include "sha1.h"
-#include "sha256.h"
-#include "sha512.h"
-#include "aes.h"
-
#include "ssl_ciphersuites.h"
+#if defined(POLARSSL_MD5_C)
+#include "md5.h"
+#endif
+
+#if defined(POLARSSL_SHA1_C)
+#include "sha1.h"
+#endif
+
+#if defined(POLARSSL_SHA256_C)
+#include "sha256.h"
+#endif
+
+#if defined(POLARSSL_SHA512_C)
+#include "sha512.h"
+#endif
+
+#if defined(POLARSSL_AES_C)
+#include "aes.h"
+#endif
+
#if defined(POLARSSL_X509_PARSE_C)
#include "x509.h"
#endif
@@ -121,6 +135,44 @@
#define SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
#define SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
+/* Determine minimum supported version */
+#define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
+
+#if defined(POLARSSL_SSL_PROTO_SSL3)
+#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1)
+#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_1
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1_1)
+#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_2
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_3
+#endif
+#endif
+#endif
+#endif
+
+/* Determine maximum supported version */
+#define SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3
+
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1_1)
+#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_2
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1)
+#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_1
+#else
+#if defined(POLARSSL_SSL_PROTO_SSL3)
+#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_0
+#endif
+#endif
+#endif
+#endif
+
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
* NONE must be zero so that memset()ing structure to zero works */
#define SSL_MAX_FRAG_LEN_NONE 0 /*!< don't use this extension */
@@ -392,9 +444,11 @@
unsigned char iv_enc[16]; /*!< IV (encryption) */
unsigned char iv_dec[16]; /*!< IV (decryption) */
+#if defined(POLARSSL_SSL_PROTO_SSL3)
/* Needed only for SSL v3.0 secret */
unsigned char mac_enc[32]; /*!< SSL v3.0 secret (enc) */
unsigned char mac_dec[32]; /*!< SSL v3.0 secret (dec) */
+#endif /* POLARSSL_SSL_PROTO_SSL3 */
md_context_t md_ctx_enc; /*!< MAC (encryption) */
md_context_t md_ctx_dec; /*!< MAC (decryption) */
@@ -436,12 +490,19 @@
/*
* Checksum contexts
*/
+#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
+ defined(POLARSSL_SSL_PROTO_TLS1_1)
md5_context fin_md5;
sha1_context fin_sha1;
+#endif
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#if defined(POLARSSL_SHA256_C)
sha256_context fin_sha256;
+#endif
#if defined(POLARSSL_SHA512_C)
sha512_context fin_sha512;
#endif
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
void (*update_checksum)(ssl_context *, const unsigned char *, size_t);
void (*calc_verify)(ssl_context *, unsigned char *);
@@ -1010,11 +1071,12 @@
/**
* \brief Set the maximum supported version sent from the client side
* and/or accepted at the server side
- * (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3)
+ * (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION)
*
- * Note: This prevents ciphersuites from 'higher' versions to
- * be ignored.
- *
+ * Note: This ignores ciphersuites from 'higher' versions.
+ * Note: Input outside of the SSL_MAX_XXXXX_VERSION and
+ * SSL_MIN_XXXXX_VERSION range is ignored.
+ *
* \param ssl SSL context
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (SSL_MINOR_VERSION_0,
@@ -1026,7 +1088,10 @@
/**
* \brief Set the minimum accepted SSL/TLS protocol version
- * (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)
+ * (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
+ *
+ * Note: Input outside of the SSL_MAX_XXXXX_VERSION and
+ * SSL_MIN_XXXXX_VERSION range is ignored.
*
* \param ssl SSL context
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported)