Introduce new config.h flag for TLS
For now the option has no effect.
Adapted existing example config files. The fact that I needed to do this
highlights that this is a slightly incompatible change: existing users need to
update their existing custom configs (if standalone as opposed to based on the
default config) in order to still get the same behaviour.
The alternative would be to have a negative config option (eg NO_TLS or
DTLS_ONLY) but this doesn't fit as nicely with the existing options, so
hopefully the minor incompatibility is acceptable.
I don't think it's worth adding a new component to all.sh:
- builds with both DTLS and TLS are done in the default (and full) config
- TLS-only builds are done with eg config-suite-b.h in test-ref-configs
- a DTLS-only build is done with config-thread.h in test-ref-configs
- builds with none of them (and SSL_TLS_C enabled) are forbidden
diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index c9b58dd..bd2c1a3 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -41,6 +41,7 @@
/* mbed TLS feature support */
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS
/* mbed TLS modules */
#define MBEDTLS_AES_C
diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h
index 013bc03..349ea8e 100644
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@@ -40,6 +40,7 @@
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_1
+#define MBEDTLS_SSL_PROTO_TLS
/* mbed TLS modules */
#define MBEDTLS_AES_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index 18e2c40..e6fad1c 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -47,6 +47,7 @@
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS
/* mbed TLS modules */
#define MBEDTLS_AES_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index 25db16b..3166aa9 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -29,6 +29,7 @@
* Distinguishing features:
* - no RSA or classic DH, fully based on ECC
* - no X.509
+ * - no TLS, only DTLS
* - support for experimental EC J-PAKE key exchange
*
* See README.txt for usage instructions.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 48555f6..fccf104 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -562,7 +562,12 @@
#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
!defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2))
-#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#error "MBEDTLS_SSL_TLS_C defined, but no protocol version is active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (!defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS))
+#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f5b2de9..69f68dd 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1453,7 +1453,7 @@
/**
* \def MBEDTLS_SSL_PROTO_SSL3
*
- * Enable support for SSL 3.0.
+ * Enable support for SSL 3.0 (if TLS is enabled).
*
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
@@ -1465,7 +1465,7 @@
/**
* \def MBEDTLS_SSL_PROTO_TLS1
*
- * Enable support for TLS 1.0.
+ * Enable support for TLS 1.0 (if TLS is enabled).
*
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
@@ -1477,7 +1477,8 @@
/**
* \def MBEDTLS_SSL_PROTO_TLS1_1
*
- * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ * Enable support for TLS 1.1 (if TLS is enabled) and DTLS 1.0 (if DTLS is
+ * enabled).
*
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
@@ -1489,7 +1490,8 @@
/**
* \def MBEDTLS_SSL_PROTO_TLS1_2
*
- * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ * Enable support for TLS 1.2 (if TLS is enabled) and DTLS 1.2 (if DTLS is
+ * enabled).
*
* Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
* (Depends on ciphersuites)
@@ -1514,6 +1516,23 @@
#define MBEDTLS_SSL_PROTO_DTLS
/**
+ * \def MBEDTLS_SSL_PROTO_TLS
+ *
+ * Enable support for TLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0,
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for TLS
+ */
+#define MBEDTLS_SSL_PROTO_TLS
+
+/**
* \def MBEDTLS_SSL_ALPN
*
* Enable support for RFC 7301 Application Layer Protocol Negotiation.
diff --git a/library/version_features.c b/library/version_features.c
index 7494b42..fc0b1f8 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -486,6 +486,9 @@
#if defined(MBEDTLS_SSL_PROTO_DTLS)
"MBEDTLS_SSL_PROTO_DTLS",
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+ "MBEDTLS_SSL_PROTO_TLS",
+#endif /* MBEDTLS_SSL_PROTO_TLS */
#if defined(MBEDTLS_SSL_ALPN)
"MBEDTLS_SSL_ALPN",
#endif /* MBEDTLS_SSL_ALPN */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index e1d1332..be35a76 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1338,6 +1338,14 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+ if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS */
+
#if defined(MBEDTLS_SSL_ALPN)
if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
{