Allow compile-time configuration of legacy renegotiation
Introduces MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION
allowing to configure enforcing secure renegotiation at
compile-time.
Impact on code-size:
| | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` after | 23379 | 23929 | 27727 |
| `libmbedtls.a` before | 23307 | 23865 | 27615 |
| gain in Bytes | 72 | 64 | 112 |
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 2557675..2871fd7 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2578,6 +2578,14 @@
}
#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
+#if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+ if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
+
#if defined(MBEDTLS_SSL_CONF_AUTHMODE)
if( strcmp( "MBEDTLS_SSL_CONF_AUTHMODE", config ) == 0 )
{
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index dc5542e..879fcf4 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -301,6 +301,12 @@
#define USAGE_AUTH_MODE ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+#define USAGE_ALLOW_LEGACY_RENEGO " allow_legacy=%%d default: (library default: no)\n"
+#else
+#define USAGE_ALLOW_LEGACY_RENEGO ""
+#endif
+
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -332,7 +338,7 @@
USAGE_ECJPAKE \
USAGE_ECRESTART \
"\n" \
- " allow_legacy=%%d default: (library default: no)\n" \
+ USAGE_ALLOW_LEGACY_RENEGO \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
" reconnect=%%d number of reconnections using session resumption\n" \
@@ -987,6 +993,7 @@
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
}
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
else if( strcmp( p, "allow_legacy" ) == 0 )
{
switch( atoi( q ) )
@@ -1003,6 +1010,7 @@
default: goto usage;
}
}
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
@@ -1771,8 +1779,10 @@
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
#endif
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
#endif
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 89bd4f4..2196dd1 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -408,6 +408,13 @@
#define USAGE_AUTH_MODE ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
+#define USAGE_ALLOW_LEGACY_RENEGO \
+ " allow_legacy=%%d default: (library default: no)\n"
+#else
+#define USAGE_ALLOW_LEGACY_RENEGO ""
+#endif
+
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -440,7 +447,7 @@
USAGE_PSK \
USAGE_ECJPAKE \
"\n" \
- " allow_legacy=%%d default: (library default: no)\n" \
+ USAGE_ALLOW_LEGACY_RENEGO \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
"\n" \
@@ -1668,6 +1675,7 @@
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
}
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
else if( strcmp( p, "allow_legacy" ) == 0 )
{
switch( atoi( q ) )
@@ -1684,6 +1692,7 @@
default: goto usage;
}
}
+#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
@@ -2637,8 +2646,10 @@
MBEDTLS_SSL_MINOR_VERSION_3 );
}
+#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
+#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );