Correction according to code review (function and parameter names changed
and docs reworded)
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
diff --git a/ChangeLog.d/issue4398.txt b/ChangeLog.d/issue4398.txt
index 67acbf5..b7f2413 100644
--- a/ChangeLog.d/issue4398.txt
+++ b/ChangeLog.d/issue4398.txt
@@ -1,9 +1,3 @@
API changes
- * Remove the MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE option from config.h.
- Replace it with SSL runtime option which can be enabled or disabled using
- new added API function mbedtls_ssl_conf_respect_client_preference(). Add
- a new field respect_cli_pref in the mbedtls_ssl_config structure and two
- defines used as a parameter: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED
- and MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED. Adapt the code used for
- searching for a matching ciphersuite to use the new field instead of the
- removed config.h option. Fixes #3498.
+ * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
+ configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
diff --git a/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md b/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md
index 6b1db9e..6a6554d 100644
--- a/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md
+++ b/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md
@@ -1,13 +1,14 @@
Turn MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE configuration option into a runtime option
--
-This change affects users who see the change of the SSL server vs. client
-preferred set of ciphersuites in runtime useful.
+This change affects users who were enabling MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+option in the `config.h`
-The `MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE` `config.h` option has been
-removed and a new function with similar functionality has been introduced into the
-SSL API.
+This option has been removed and a new function with similar functionality has
+been introduced into the SSL API.
-This new function `mbedtls_ssl_conf_respect_client_preference()` can be used to
-change the preferred set of ciphersuites on the server to those used on the client.
-The default state is to use the server set of suites.
+This new function `mbedtls_ssl_conf_preference_order()` can be used to
+change the preferred order of ciphersuites on the server to those used on the client,
+e.g.: `mbedtls_ssl_conf_preference_order(ssl_config, MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)`
+has the same effect as enabling the removed option. The default state is to use
+the server order of suites.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 364239a..f0ae778 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -200,8 +200,8 @@
#define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0
#define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1
-#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED 1
-#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED 0
+#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT 1
+#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0
/*
* Default range for DTLS retransmission timer value, in milliseconds.
@@ -2498,9 +2498,12 @@
* The ciphersuites array is not copied, and must remain
* valid for the lifetime of the ssl_config.
*
- * Note: The server uses its own preferences
- * over the preference of the client unless
- * conf->respect_cli_pref is enabled!
+ * Note: By default, the server chooses its preferred
+ * ciphersuite among those that the client supports. If
+ * mbedtls_ssl_conf_preference_order() is called to prefer
+ * the client's preferences, the server instead chooses
+ * the client's preferred ciphersuite among those that
+ * the server supports.
*
* \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
@@ -3300,15 +3303,15 @@
#if defined(MBEDTLS_SSL_SRV_C)
/**
- * \brief Pick the ciphersuite according to the client's preferences
- * rather than ours in the SSL Server module (MBEDTLS_SSL_SRV_C).
- * (Default: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
+ * \brief Pick the ciphersuites order according to the second parameter
+ * in the SSL Server module (MBEDTLS_SSL_SRV_C).
+ * (Default, if never called: MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER)
*
* \param conf SSL configuration
- * \param enable Enable or disable (MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED
- * or MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
+ * \param order Server or client (MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER
+ * or MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
*/
-void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable );
+void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
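Review bot: The `\param order` line on the new prototype does not say what a value other than the two macros does, and the matching setter body in library/ssl_srv.c (`conf->respect_cli_pref = order;`) stores it unchecked; the ciphersuite-selection hunk in ssl_srv.c only tests for MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT, so any other value appears to fall through to the server order silently. Either state that in the header, e.g. `\param order MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER or MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT; any other value is treated as the server order`, or have the setter reject anything else so a caller passing the old ENABLED/DISABLED names by mistake is noticed. The new `\brief` also reads awkwardly: "Pick the ciphersuites order according to the second parameter" could be `Choose whether the server's or the client's ciphersuite preference order is used when selecting a ciphersuite (MBEDTLS_SSL_SRV_C)`.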
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c7ec4fe..c70c21f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1873,7 +1873,7 @@
ciphersuites = ssl->conf->ciphersuite_list;
ciphersuite_info = NULL;
- if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED)
+ if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
{
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
for( i = 0; ciphersuites[i] != 0; i++ )
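Review bot: The field `ssl->conf->respect_cli_pref` now holds one of the MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_* values, but its name still describes the old enable/disable boolean; the same mismatch is in the setter hunk below in this file and in the default assignment in library/ssl_tls.c. Renaming the field to match the new API, e.g. `if( ssl->conf->ciphersuite_order == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT )`, would keep the three sites consistent, though the struct definition in ssl.h is outside this diff. As a point of style, the surrounding lines in this hunk use the file's `for( ... )` spacing while the changed line is written `if (...)`; `if( ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT )` would match. The enclosing function starts and ends outside the hunk.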
@@ -4433,9 +4433,9 @@
return( ret );
}
-void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable )
+void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order )
{
- conf->respect_cli_pref = enable;
+ conf->respect_cli_pref = order;
}
#endif /* MBEDTLS_SSL_SRV_C */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ab11391..8ef98af 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6189,7 +6189,7 @@
#if defined(MBEDTLS_SSL_SRV_C)
conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
- conf->respect_cli_pref = MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED;
+ conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)