diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index c9b58dd53..bd2c1a3b8 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -41,6 +41,7 @@ /* mbed TLS feature support */ #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_TLS /* mbed TLS modules */ #define MBEDTLS_AES_C diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h index 013bc0300..349ea8e57 100644 --- a/configs/config-mini-tls1_1.h +++ b/configs/config-mini-tls1_1.h @@ -40,6 +40,7 @@ #define MBEDTLS_PKCS1_V15 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_SSL_PROTO_TLS1_1 +#define MBEDTLS_SSL_PROTO_TLS /* mbed TLS modules */ #define MBEDTLS_AES_C diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 18e2c4036..e6fad1c0e 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -47,6 +47,7 @@ #define MBEDTLS_ECP_DP_SECP384R1_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_TLS /* mbed TLS modules */ #define MBEDTLS_AES_C diff --git a/configs/config-thread.h b/configs/config-thread.h index 25db16bf0..3166aa970 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -29,6 +29,7 @@ * Distinguishing features: * - no RSA or classic DH, fully based on ECC * - no X.509 + * - no TLS, only DTLS * - support for experimental EC J-PAKE key exchange * * See README.txt for usage instructions. diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 48555f68a..b3677b528 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -562,7 +562,12 @@ #if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \ !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2)) -#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active" +#error "MBEDTLS_SSL_TLS_C defined, but no protocol version is active" +#endif + +#if defined(MBEDTLS_SSL_TLS_C) && \ + ( !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) ) +#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active" #endif #if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \ diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f5b2de90c..e0b5ba41c 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1453,7 +1453,7 @@ /** * \def MBEDTLS_SSL_PROTO_SSL3 * - * Enable support for SSL 3.0. + * Enable support for SSL 3.0 (if TLS is enabled). * * Requires: MBEDTLS_MD5_C * MBEDTLS_SHA1_C @@ -1465,7 +1465,7 @@ /** * \def MBEDTLS_SSL_PROTO_TLS1 * - * Enable support for TLS 1.0. + * Enable support for TLS 1.0 (if TLS is enabled). * * Requires: MBEDTLS_MD5_C * MBEDTLS_SHA1_C @@ -1477,7 +1477,8 @@ /** * \def MBEDTLS_SSL_PROTO_TLS1_1 * - * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). + * Enable support for TLS 1.1 (if TLS is enabled) and DTLS 1.0 (if DTLS is + * enabled). * * Requires: MBEDTLS_MD5_C * MBEDTLS_SHA1_C @@ -1489,7 +1490,8 @@ /** * \def MBEDTLS_SSL_PROTO_TLS1_2 * - * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). + * Enable support for TLS 1.2 (if TLS is enabled) and DTLS 1.2 (if DTLS is + * enabled). * * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C * (Depends on ciphersuites) @@ -1503,8 +1505,10 @@ * * Enable support for DTLS (all available versions). * - * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, - * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. + * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2, + * and/or this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0. + * + * \see MBEDTLS_SSL_PROTO_TLS * * Requires: MBEDTLS_SSL_PROTO_TLS1_1 * or MBEDTLS_SSL_PROTO_TLS1_2 @@ -1513,6 +1517,27 @@ */ #define MBEDTLS_SSL_PROTO_DTLS +/** + * \def MBEDTLS_SSL_PROTO_TLS + * + * Enable support for SSL/TLS (all available versions). + * + * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2; + * enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1; + * enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0; + * and/or this and MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0 (deprecated). + * + * \see MBEDTLS_SSL_PROTO_DTLS + * + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 + * or MBEDTLS_SSL_PROTO_TLS1_1 + * or MBEDTLS_SSL_PROTO_TLS1 + * or MBEDTLS_SSL_PROTO_SSL3 (deprecated) + * + * Comment this macro to disable support for TLS + */ +#define MBEDTLS_SSL_PROTO_TLS + /** * \def MBEDTLS_SSL_ALPN * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7f073afba..653f857cc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1337,7 +1337,8 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ); /** * \brief Set the transport type (TLS or DTLS). - * Default: TLS + * Default: TLS if #MBEDTLS_SSL_PROTO_TLS is defined, else + * DTLS. * * \note For DTLS, you must either provide a recv callback that * doesn't block, or one that handles timeouts, see diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 45ea26ae2..1c8709f3f 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -264,6 +264,57 @@ #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) +/* + * Helpers for code specific to TLS or DTLS. + * + * Goals for these helpers: + * - generate minimal code, eg don't test if mode is DTLS in a DTLS-only build + * - make the flow clear to the compiler, so that in TLS and DTLS combined + * builds, when there are two branches, it knows exactly one of them is taken + * - preserve readability + * + * There are three macros: + * - MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) + * - MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) + * - MBEDTLS_SSL_TRANSPORT_ELSE + * + * The first two are macros rather than static inline functions because some + * compilers (eg arm-none-eabi-gcc 5.4.1 20160919) don't propagate constants + * well enough for us with static inline functions. + * + * Usage 1 (can replace DTLS with TLS): + * #if defined(MBEDTLS_SSL_PROTO_DTLS) + * if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) ) + * // DTLS-specific code + * #endif + * + * Usage 2 (can swap DTLS and TLS); + * #if defined(MBEDTLS_SSL_PROTO_DTLS) + * if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) ) + * // DTLS-specific code + * MBEDTLS_SSL_TRANSPORT_ELSE + * #endif + * #if defined(MBEDTLS_SSL_PROTO_TLS) + * // TLS-specific code + * #endif + */ +#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_PROTO_TLS) /* both */ +#define MBEDTLS_SSL_TRANSPORT__BOTH /* shortcut for future tests */ +#define MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) \ + ( (transport) == MBEDTLS_SSL_TRANSPORT_STREAM ) +#define MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) \ + ( (transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) +#define MBEDTLS_SSL_TRANSPORT_ELSE else +#elif defined(MBEDTLS_SSL_PROTO_DTLS) /* DTLS only */ +#define MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) 0 +#define MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) 1 +#define MBEDTLS_SSL_TRANSPORT_ELSE /* empty: no other branch */ +#else /* TLS only */ +#define MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) 1 +#define MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) 0 +#define MBEDTLS_SSL_TRANSPORT_ELSE /* empty: no other branch */ +#endif /* TLS and/or DTLS */ + #ifdef __cplusplus extern "C" { #endif @@ -905,12 +956,14 @@ static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl ) static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - return( 12 ); -#else +#if !defined(MBEDTLS_SSL_PROTO__BOTH) ((void) ssl); #endif + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) + return( 12 ); +#endif return( 4 ); } diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c6e64a4b6..97aeac4ee 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -452,7 +452,7 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, */ *olen = 0; - if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) { return; @@ -734,7 +734,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl ) * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake->verify_cookie != NULL ) { return( 0 ); @@ -785,7 +785,7 @@ static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_inf return( 1 ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) return( 1 ); #endif @@ -926,7 +926,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * DTLS cookie */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { if( ssl->handshake->verify_cookie == NULL ) { @@ -1021,7 +1021,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * an actual need for it. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) offer_compress = 0; #endif @@ -1137,7 +1137,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -1148,7 +1148,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); @@ -1252,7 +1252,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, size_t peer_cid_len; if( /* CID extension only makes sense in DTLS */ - ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || + MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) || /* The server must only send the CID extension if we have offered it. */ ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) { @@ -1645,7 +1645,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) { @@ -1762,12 +1762,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_ZLIB_SUPPORT) /* See comments in ssl_write_client_hello() */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - accept_comp = 0; - else -#endif - accept_comp = 1; + accept_comp = MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ); if( comp != MBEDTLS_SSL_COMPRESS_NULL && ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) @@ -3001,7 +2996,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -3642,7 +3637,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index c152bc3a8..a8fd49b6c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -441,7 +441,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl, size_t peer_cid_len; /* CID extension only makes sense in DTLS */ - if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, @@ -899,7 +899,7 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) return( 0 ); #endif @@ -1304,12 +1304,13 @@ read_record_header: buf = ssl->in_hdr; -#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) -#endif - if( ( buf[0] & 0x80 ) != 0 ) - return( ssl_parse_client_hello_v2( ssl ) ); +#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) && \ + defined(MBEDTLS_SSL_PROTO_TLS) + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) && + ( buf[0] & 0x80 ) != 0 ) + { + return( ssl_parse_client_hello_v2( ssl ) ); + } #endif MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) ); @@ -1353,7 +1354,7 @@ read_record_header: /* For DTLS if this is the initial handshake, remember the client sequence * number to use it in our next message (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) #if defined(MBEDTLS_SSL_RENEGOTIATION) && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE #endif @@ -1407,13 +1408,19 @@ read_record_header: return( ret ); } - /* Done reading this record, get ready for the next one */ + /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) + { ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl ); - else + } + MBEDTLS_SSL_TRANSPORT_ELSE #endif +#if defined(MBEDTLS_SSL_PROTO_TLS) + { ssl->in_left = 0; + } +#endif } buf = ssl->in_msg; @@ -1456,7 +1463,7 @@ read_record_header: } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { /* * Copy the client's handshake message_seq on initial handshakes, @@ -1595,7 +1602,7 @@ read_record_header: * Check the cookie length and content */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { cookie_offset = 35 + sess_len; cookie_len = buf[cookie_offset]; @@ -1650,9 +1657,13 @@ read_record_header: */ ciph_offset = cookie_offset + 1 + cookie_len; } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) + { ciph_offset = 35 + sess_len; + } +#endif /* MBEDTLS_SSL_PROTO_TLS */ ciph_len = ( buf[ciph_offset + 0] << 8 ) | ( buf[ciph_offset + 1] ); @@ -1704,7 +1715,7 @@ read_record_header: /* See comments in ssl_write_client_hello() */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; #endif @@ -2086,7 +2097,7 @@ have_ciphersuite: ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -2521,7 +2532,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); @@ -2547,7 +2558,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake->verify_cookie_len != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); @@ -3505,7 +3516,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -3516,7 +3527,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); @@ -4401,7 +4412,7 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ede295462..bab00bb41 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -61,12 +61,14 @@ static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); /* Length of the "epoch" field in the record header */ static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - return( 2 ); -#else +#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH) ((void) ssl); #endif + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) + return( 2 ); +#endif return( 0 ); } @@ -135,7 +137,7 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl, unsigned char const *own_cid, size_t own_cid_len ) { - if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); ssl->negotiate_cid = enable; @@ -170,7 +172,7 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, { *enabled = MBEDTLS_SSL_CID_DISABLED; - if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) || ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -3023,7 +3025,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { uint32_t timeout; @@ -3164,8 +3166,9 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) ssl->in_left = ret; } - else -#endif + MBEDTLS_SSL_TRANSPORT_ELSE +#endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", ssl->in_left, nb_want ) ); @@ -3212,6 +3215,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) ssl->in_left += ret; } } +#endif /* MBEDTLS_SSL_PROTO_TLS */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); @@ -3267,15 +3271,17 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { ssl->out_hdr = ssl->out_buf; } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif +#if defined(MBEDTLS_SSL_PROTO_TLS) { ssl->out_hdr = ssl->out_buf + 8; } +#endif ssl_update_out_pointers( ssl, ssl->transform_out ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); @@ -3686,7 +3692,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { @@ -3729,7 +3735,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) * uint24 fragment_length; */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { /* Make room for the additional DTLS fields */ if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 ) @@ -3771,7 +3777,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) /* Either send now, or just save to be sent (and resent) later */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) ) { @@ -3909,7 +3915,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) #if defined(MBEDTLS_SSL_PROTO_DTLS) /* In case of DTLS, double-check that we don't exceed * the remaining space in the datagram. */ - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { ret = ssl_get_remaining_space_in_datagram( ssl ); if( ret < 0 ) @@ -3951,7 +3957,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && flush == SSL_DONT_FORCE_FLUSH ) { size_t remaining; @@ -4135,7 +4141,7 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { int ret; unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; @@ -4199,14 +4205,18 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); } } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* With TLS we don't handle fragmentation (for now) */ - if( ssl->in_msglen < ssl->in_hslen ) +#if defined(MBEDTLS_SSL_PROTO_TLS) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); - return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + /* With TLS we don't handle fragmentation (for now) */ + if( ssl->in_msglen < ssl->in_hslen ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } } +#endif /* MBEDTLS_SSL_PROTO_TLS */ return( 0 ); } @@ -4222,7 +4232,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) /* Handshake message is complete, increment counter */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake != NULL ) { unsigned offset; @@ -4574,7 +4584,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) /* Check record type */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->in_msgtype == MBEDTLS_SSL_MSG_CID && ssl->conf->cid_len != 0 ) { @@ -4602,13 +4612,15 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); -#if defined(MBEDTLS_SSL_PROTO_DTLS) +#if defined(MBEDTLS_SSL_PROTO_TLS) /* Silently ignore invalid DTLS records as recommended by RFC 6347 - * Section 4.1.2.7 */ - if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) -#endif /* MBEDTLS_SSL_PROTO_DTLS */ + * Section 4.1.2.7, that is, send alert only with TLS */ + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) + { mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS */ return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } @@ -4669,7 +4681,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) * record leads to the entire datagram being dropped. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; @@ -4904,26 +4916,23 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) else ssl->nb_zero = 0; -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - { - ; /* in_ctr read from peer, not maintained internally */ - } - else -#endif + /* Only needed for TLS, as with DTLS in_ctr is read from the header */ +#if defined(MBEDTLS_SSL_PROTO_TLS) + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) { unsigned i; - for( i = 8; i > ssl_ep_len( ssl ); i-- ) + for( i = 8; i > 0; i-- ) if( ++ssl->in_ctr[i - 1] != 0 ) break; - /* The loop goes to its end iff the counter is wrapping */ - if( i == ssl_ep_len( ssl ) ) + /* The loop goes to its end only if the counter is wrapping around */ + if( i == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); } } +#endif /* MBEDTLS_SSL_PROTO_TLS */ } @@ -4940,7 +4949,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_ZLIB_SUPPORT */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { mbedtls_ssl_dtls_replay_update( ssl ); } @@ -4986,7 +4995,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, /* We only check for buffered messages if the * current datagram is fully consumed. */ - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl_next_record_is_in_datagram( ssl ) == 0 ) { if( ssl_load_buffered_message( ssl ) == 0 ) @@ -5509,7 +5518,7 @@ static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ) size_t rec_len; unsigned rec_epoch; - if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ) return( 0 ); if( hs == NULL ) @@ -5647,7 +5656,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) { if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) @@ -5698,7 +5707,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_in_hdr_len( ssl ); if( ssl->next_record_offset < ssl->in_left ) @@ -5706,14 +5715,18 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) ); } } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif +#if defined(MBEDTLS_SSL_PROTO_TLS) + { ssl->in_left = 0; + } +#endif if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { /* Silently discard invalid records */ if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) @@ -5756,8 +5769,9 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) return( ret ); } - else -#endif + MBEDTLS_SSL_TRANSPORT_ELSE +#endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) { /* Error out (and send alert) on invalid records */ #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) @@ -5770,6 +5784,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) #endif return( ret ); } +#endif /* MBEDTLS_SSL_PROTO_TLS */ } return( 0 ); @@ -5807,7 +5822,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) { @@ -5882,7 +5897,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { /* Drop unexpected ApplicationData records, * except at the beginning of renegotiations */ @@ -6655,7 +6670,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) ssl->session_in = ssl->session_negotiate; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) ssl_dtls_replay_reset( ssl ); @@ -6670,9 +6685,13 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); } } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif /* MBEDTLS_SSL_PROTO_DTLS */ - memset( ssl->in_ctr, 0, 8 ); +#if defined(MBEDTLS_SSL_PROTO_TLS) + { + memset( ssl->in_ctr, 0, 8 ); + } +#endif ssl_update_in_pointers( ssl ); @@ -7100,7 +7119,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->handshake->flight != NULL ) { /* Cancel handshake timer */ @@ -7171,7 +7190,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { unsigned char i; @@ -7194,9 +7213,13 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); } } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif /* MBEDTLS_SSL_PROTO_DTLS */ - memset( ssl->cur_out_ctr, 0, 8 ); +#if defined(MBEDTLS_SSL_PROTO_TLS) + { + memset( ssl->cur_out_ctr, 0, 8 ); + } +#endif ssl->transform_out = ssl->transform_negotiate; ssl->session_out = ssl->session_negotiate; @@ -7213,7 +7236,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -7224,7 +7247,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); @@ -7313,7 +7336,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -7445,7 +7468,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl_handshake_params_init( ssl->handshake ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { ssl->handshake->alt_transform_out = ssl->transform_out; @@ -7502,7 +7525,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { ssl->out_ctr = ssl->out_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -7515,8 +7538,9 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->out_iv = ssl->out_len + 2; } - else -#endif + MBEDTLS_SSL_TRANSPORT_ELSE +#endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) { ssl->out_ctr = ssl->out_hdr - 8; ssl->out_len = ssl->out_hdr + 3; @@ -7525,6 +7549,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl, #endif ssl->out_iv = ssl->out_hdr + 5; } +#endif /* MBEDTLS_SSL_PROTO_TLS */ /* Adjust out_msg to make space for explicit IV, if used. */ if( transform != NULL && @@ -7557,7 +7582,7 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl ) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { /* This sets the header pointers to match records * without CID. When we receive a record containing @@ -7572,8 +7597,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ ssl->in_iv = ssl->in_len + 2; } - else -#endif + MBEDTLS_SSL_TRANSPORT_ELSE +#endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) { ssl->in_ctr = ssl->in_hdr - 8; ssl->in_len = ssl->in_hdr + 3; @@ -7582,6 +7608,7 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl ) #endif ssl->in_iv = ssl->in_hdr + 5; } +#endif /* MBEDTLS_SSL_PROTO_TLS */ /* This will be adjusted at record decryption time. */ ssl->in_msg = ssl->in_iv; @@ -7603,17 +7630,19 @@ static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ) { /* Set the incoming and outgoing record pointers. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { ssl->out_hdr = ssl->out_buf; ssl->in_hdr = ssl->in_buf; } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) { ssl->out_hdr = ssl->out_buf + 8; ssl->in_hdr = ssl->in_buf + 8; } +#endif /* MBEDTLS_SSL_PROTO_TLS */ /* Derive other internal pointers. */ ssl_update_out_pointers( ssl, NULL /* no transform enabled */ ); @@ -8539,7 +8568,7 @@ int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl ) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->in_left > ssl->next_record_offset ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) ); @@ -8598,7 +8627,7 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { switch( ssl->minor_ver ) { @@ -9393,7 +9422,7 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and * the ServerHello will have message_seq = 1" */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) @@ -9519,7 +9548,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) return( ret ); @@ -9620,7 +9649,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { continue; } @@ -9637,7 +9666,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { continue; } @@ -9659,7 +9688,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* DTLS clients need to know renego is server-initiated */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; @@ -9836,16 +9865,20 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, if( len > max_len ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " "maximum fragment length: %d > %d", len, max_len ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - else + MBEDTLS_SSL_TRANSPORT_ELSE #endif +#if defined(MBEDTLS_SSL_PROTO_TLS) + { len = max_len; + } +#endif } if( ssl->out_left != 0 ) @@ -10259,6 +10292,10 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) { memset( conf, 0, sizeof( mbedtls_ssl_config ) ); + +#if !defined(MBEDTLS_SSL_PROTO_TLS) + conf->transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; +#endif } #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) @@ -10434,7 +10471,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) ) conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; #endif @@ -10807,8 +10844,12 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, void mbedtls_ssl_write_version( int major, int minor, int transport, unsigned char ver[2] ) { +#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH) + ((void) transport); +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) ) { if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ @@ -10816,21 +10857,25 @@ void mbedtls_ssl_write_version( int major, int minor, int transport, ver[0] = (unsigned char)( 255 - ( major - 2 ) ); ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); } - else -#else - ((void) transport); + MBEDTLS_SSL_TRANSPORT_ELSE #endif +#if defined(MBEDTLS_SSL_PROTO_TLS) { ver[0] = (unsigned char) major; ver[1] = (unsigned char) minor; } +#endif } void mbedtls_ssl_read_version( int *major, int *minor, int transport, const unsigned char ver[2] ) { +#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH) + ((void) transport); +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) ) { *major = 255 - ver[0] + 2; *minor = 255 - ver[1] + 1; @@ -10838,14 +10883,14 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ } - else -#else - ((void) transport); -#endif + MBEDTLS_SSL_TRANSPORT_ELSE +#endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) { *major = ver[0]; *minor = ver[1]; } +#endif /* MBEDTLS_SSL_PROTO_TLS */ } int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) diff --git a/library/version_features.c b/library/version_features.c index 7494b4287..fc0b1f8f0 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -486,6 +486,9 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_PROTO_DTLS) "MBEDTLS_SSL_PROTO_DTLS", #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) + "MBEDTLS_SSL_PROTO_TLS", +#endif /* MBEDTLS_SSL_PROTO_TLS */ #if defined(MBEDTLS_SSL_ALPN) "MBEDTLS_SSL_ALPN", #endif /* MBEDTLS_SSL_ALPN */ diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index e1d1332f2..be35a76ce 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1338,6 +1338,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_PROTO_TLS) + if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_PROTO_TLS */ + #if defined(MBEDTLS_SSL_ALPN) if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 ) { diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 646909f11..fc601ecd6 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -43,14 +43,15 @@ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \ - !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) + !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ + !defined(MBEDTLS_SSL_PROTO_TLS) int main( void ) { mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " - "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " - "not defined.\n"); + "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or" + "MBEDTLS_SSL_PROTO_TLS not defined.\n"); return( 0 ); } #else diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 38c94be60..166578428 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -223,7 +223,7 @@ int main( void ) #if defined(MBEDTLS_SSL_PROTO_DTLS) #define USAGE_DTLS \ - " dtls=%%d default: 0 (TLS)\n" \ + " dtls=%%d default: 0 (TLS) (if both enabled)\n" \ " hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \ " range of DTLS handshake timeouts in millisecs\n" \ " mtu=%%d default: (library default: unlimited)\n" \ diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index b6f1cc4fd..62b4c4098 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -43,7 +43,8 @@ !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_TIMING_C) || \ - !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) + !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) || \ + !defined(MBEDTLS_SSL_PROTO_TLS) int main( int argc, char *argv[] ) { ((void) argc); @@ -53,7 +54,8 @@ int main( int argc, char *argv[] ) "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " - "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined.\n"); + "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C and/or " + "MBEDTLS_SSL_PROTO_TLS not defined.\n"); return( 0 ); } #elif defined(_WIN32) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index c73297c2a..55c90c645 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -48,14 +48,14 @@ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ - !defined(MBEDTLS_FS_IO) + !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_SSL_PROTO_TLS) int main( void ) { mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " - "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " - "not defined.\n"); + "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " + "MBEDTLS_SSL_PROTO_TLS not defined.\n"); return( 0 ); } #else diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index b5026959a..b00f47617 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -45,7 +45,7 @@ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) || \ - !defined(MBEDTLS_PEM_PARSE_C) + !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS) int main( void ) { mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C " @@ -53,7 +53,8 @@ int main( void ) "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " "MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD " - "and/or MBEDTLS_PEM_PARSE_C not defined.\n"); + "and/or MBEDTLS_PEM_PARSE_C and/or " + "MBEDTLS_SSL_PROTO_TLS not defined.\n"); return( 0 ); } #else diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 1852b2bad..05d58fa74 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -44,14 +44,15 @@ !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ - !defined(MBEDTLS_PEM_PARSE_C) + !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS) int main( void ) { mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C " "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " - "and/or MBEDTLS_PEM_PARSE_C not defined.\n"); + "and/or MBEDTLS_PEM_PARSE_C and/or " + "MBEDTLS_SSL_PROTO_TLS not defined.\n"); return( 0 ); } #else diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ec18dd91c..6d6293adc 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -329,7 +329,7 @@ int main( void ) #if defined(MBEDTLS_SSL_PROTO_DTLS) #define USAGE_DTLS \ - " dtls=%%d default: 0 (TLS)\n" \ + " dtls=%%d default: 0 (TLS) (if both enabled)\n" \ " hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \ " range of DTLS handshake timeouts in millisecs\n" \ " mtu=%%d default: (library default: unlimited)\n" \