Introduce new config.h flag for TLS
For now the option has no effect.
Adapted existing example config files. The fact that I needed to do this
highlights that this is a slightly incompatible change: existing users need to
update their existing custom configs (if standalone as opposed to based on the
default config) in order to still get the same behaviour.
The alternative would be to have a negative config option (eg NO_TLS or
DTLS_ONLY) but this doesn't fit as nicely with the existing options, so
hopefully the minor incompatibility is acceptable.
I don't think it's worth adding a new component to all.sh:
- builds with both DTLS and TLS are done in the default (and full) config
- TLS-only builds are done with eg config-suite-b.h in test-ref-configs
- a DTLS-only build is done with config-thread.h in test-ref-configs
- builds with none of them (and SSL_TLS_C enabled) are forbidden
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 48555f6..fccf104 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -562,7 +562,12 @@
#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
!defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2))
-#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#error "MBEDTLS_SSL_TLS_C defined, but no protocol version is active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (!defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS))
+#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
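Review bot: The added `#error` text says "neither TLS or DTLS is active" and names neither macro, so a user whose standalone config stops building after this change has to read check_config.h to learn what to define. I would word it `#error "MBEDTLS_SSL_TLS_C defined, but neither MBEDTLS_SSL_PROTO_TLS nor MBEDTLS_SSL_PROTO_DTLS is defined"`. This check only fires when both flags are missing. An older custom config that defines MBEDTLS_SSL_PROTO_DTLS but not the new flag passes it, and would presumably become DTLS-only with no diagnostic once the option takes effect, so that case deserves an explicit migration note.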
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f5b2de9..69f68dd 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1453,7 +1453,7 @@
/**
* \def MBEDTLS_SSL_PROTO_SSL3
*
- * Enable support for SSL 3.0.
+ * Enable support for SSL 3.0 (if TLS is enabled).
*
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
@@ -1465,7 +1465,7 @@
/**
* \def MBEDTLS_SSL_PROTO_TLS1
*
- * Enable support for TLS 1.0.
+ * Enable support for TLS 1.0 (if TLS is enabled).
*
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
@@ -1477,7 +1477,8 @@
/**
* \def MBEDTLS_SSL_PROTO_TLS1_1
*
- * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ * Enable support for TLS 1.1 (if TLS is enabled) and DTLS 1.0 (if DTLS is
+ * enabled).
*
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
@@ -1489,7 +1490,8 @@
/**
* \def MBEDTLS_SSL_PROTO_TLS1_2
*
- * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ * Enable support for TLS 1.2 (if TLS is enabled) and DTLS 1.2 (if DTLS is
+ * enabled).
*
* Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
* (Depends on ciphersuites)
@@ -1514,6 +1516,23 @@
#define MBEDTLS_SSL_PROTO_DTLS
/**
+ * \def MBEDTLS_SSL_PROTO_TLS
+ *
+ * Enable support for TLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0,
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for TLS
+ */
+#define MBEDTLS_SSL_PROTO_TLS
+
+/**
* \def MBEDTLS_SSL_ALPN
*
* Enable support for RFC 7301 Application Layer Protocol Negotiation.
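Review bot: The `Requires:` list in the new MBEDTLS_SSL_PROTO_TLS comment names MBEDTLS_SSL_PROTO_TLS1_1 twice; the first entry was presumably meant to be `MBEDTLS_SSL_PROTO_TLS1`. Both that list and the "Enable this and ..." sentences also omit MBEDTLS_SSL_PROTO_SSL3, although the SSL3 comment changed earlier in this file now reads "(if TLS is enabled)". People read this block to work out which legacy protocol versions a build will accept, so it should list all four version flags, e.g. `Requires: MBEDTLS_SSL_PROTO_SSL3 or MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2`. The line "Comment this macro to disable support for TLS" also overstates what this commit does, since the commit message says the option has no effect yet; a short `\warning` saying so would stop anyone relying on it to remove TLS from a build.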