yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-12-23 18:25:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/pr/585' into baremetal

Browse source
This commit is contained in:
Simon Butcher 2019-06-17 17:53:41 +01:00
parent c107850c2c ec1c222947
commit 01a8eb21d3
20 changed files with 308 additions and 153 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
configs/config-ccm-psk-tls1_2.h
View file

@ -41,6 +41,7 @@
/* mbed TLS feature support */ /* mbed TLS feature support */
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_TLS
/* mbed TLS modules */ /* mbed TLS modules */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C

1
configs/config-mini-tls1_1.h
View file

@ -40,6 +40,7 @@
#define MBEDTLS_PKCS1_V15 #define MBEDTLS_PKCS1_V15
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_1 #define MBEDTLS_SSL_PROTO_TLS1_1
#define MBEDTLS_SSL_PROTO_TLS
/* mbed TLS modules */ /* mbed TLS modules */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C

1
configs/config-suite-b.h
View file

@ -47,6 +47,7 @@
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_PROTO_TLS1_2
#define MBEDTLS_SSL_PROTO_TLS
/* mbed TLS modules */ /* mbed TLS modules */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C

1
configs/config-thread.h
View file

@ -29,6 +29,7 @@
* Distinguishing features: * Distinguishing features:
* - no RSA or classic DH, fully based on ECC * - no RSA or classic DH, fully based on ECC
* - no X.509 * - no X.509
* - no TLS, only DTLS
* - support for experimental EC J-PAKE key exchange * - support for experimental EC J-PAKE key exchange
* *
* See README.txt for usage instructions. * See README.txt for usage instructions.

7
include/mbedtls/check_config.h
View file

@ -562,7 +562,12 @@
#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \ #if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
!defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2)) !defined(MBEDTLS_SSL_PROTO_TLS1_2))
#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active" #error "MBEDTLS_SSL_TLS_C defined, but no protocol version is active"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && \
( !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
#endif #endif
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \ #if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \

37
include/mbedtls/config.h
View file

@ -1453,7 +1453,7 @@
/** /**
* \def MBEDTLS_SSL_PROTO_SSL3 * \def MBEDTLS_SSL_PROTO_SSL3
* *
* Enable support for SSL 3.0. * Enable support for SSL 3.0 (if TLS is enabled).
* *
* Requires: MBEDTLS_MD5_C * Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C * MBEDTLS_SHA1_C
@ -1465,7 +1465,7 @@
/** /**
* \def MBEDTLS_SSL_PROTO_TLS1 * \def MBEDTLS_SSL_PROTO_TLS1
* *
* Enable support for TLS 1.0. * Enable support for TLS 1.0 (if TLS is enabled).
* *
* Requires: MBEDTLS_MD5_C * Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C * MBEDTLS_SHA1_C
@ -1477,7 +1477,8 @@
/** /**
* \def MBEDTLS_SSL_PROTO_TLS1_1 * \def MBEDTLS_SSL_PROTO_TLS1_1
* *
* Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). * Enable support for TLS 1.1 (if TLS is enabled) and DTLS 1.0 (if DTLS is
* enabled).
* *
* Requires: MBEDTLS_MD5_C * Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C * MBEDTLS_SHA1_C
@ -1489,7 +1490,8 @@
/** /**
* \def MBEDTLS_SSL_PROTO_TLS1_2 * \def MBEDTLS_SSL_PROTO_TLS1_2
* *
* Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). * Enable support for TLS 1.2 (if TLS is enabled) and DTLS 1.2 (if DTLS is
* enabled).
* *
* Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
* (Depends on ciphersuites) * (Depends on ciphersuites)
@ -1503,8 +1505,10 @@
* *
* Enable support for DTLS (all available versions). * Enable support for DTLS (all available versions).
* *
* Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2,
* and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. * and/or this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0.
*
* \see MBEDTLS_SSL_PROTO_TLS
* *
* Requires: MBEDTLS_SSL_PROTO_TLS1_1 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
* or MBEDTLS_SSL_PROTO_TLS1_2 * or MBEDTLS_SSL_PROTO_TLS1_2
@ -1513,6 +1517,27 @@
*/ */
#define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_DTLS
/**
* \def MBEDTLS_SSL_PROTO_TLS
*
* Enable support for SSL/TLS (all available versions).
*
* Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
* enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
* enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
* and/or this and MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0 (deprecated).
*
* \see MBEDTLS_SSL_PROTO_DTLS
*
* Requires: MBEDTLS_SSL_PROTO_TLS1_2
* or MBEDTLS_SSL_PROTO_TLS1_1
* or MBEDTLS_SSL_PROTO_TLS1
* or MBEDTLS_SSL_PROTO_SSL3 (deprecated)
*
* Comment this macro to disable support for TLS
*/
#define MBEDTLS_SSL_PROTO_TLS
/** /**
* \def MBEDTLS_SSL_ALPN * \def MBEDTLS_SSL_ALPN
* *

3
include/mbedtls/ssl.h
View file

@ -1337,7 +1337,8 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
/** /**
* \brief Set the transport type (TLS or DTLS). * \brief Set the transport type (TLS or DTLS).
* Default: TLS * Default: TLS if #MBEDTLS_SSL_PROTO_TLS is defined, else
* DTLS.
* *
* \note For DTLS, you must either provide a recv callback that * \note For DTLS, you must either provide a recv callback that
* doesn't block, or one that handles timeouts, see * doesn't block, or one that handles timeouts, see

61
include/mbedtls/ssl_internal.h
View file

@ -264,6 +264,57 @@
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
/*
* Helpers for code specific to TLS or DTLS.
*
* Goals for these helpers:
* - generate minimal code, eg don't test if mode is DTLS in a DTLS-only build
* - make the flow clear to the compiler, so that in TLS and DTLS combined
* builds, when there are two branches, it knows exactly one of them is taken
* - preserve readability
*
* There are three macros:
* - MBEDTLS_SSL_TRANSPORT_IS_TLS( transport )
* - MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport )
* - MBEDTLS_SSL_TRANSPORT_ELSE
*
* The first two are macros rather than static inline functions because some
* compilers (eg arm-none-eabi-gcc 5.4.1 20160919) don't propagate constants
* well enough for us with static inline functions.
*
* Usage 1 (can replace DTLS with TLS):
* #if defined(MBEDTLS_SSL_PROTO_DTLS)
* if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
* // DTLS-specific code
* #endif
*
* Usage 2 (can swap DTLS and TLS);
* #if defined(MBEDTLS_SSL_PROTO_DTLS)
* if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
* // DTLS-specific code
* MBEDTLS_SSL_TRANSPORT_ELSE
* #endif
* #if defined(MBEDTLS_SSL_PROTO_TLS)
* // TLS-specific code
* #endif
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_PROTO_TLS) /* both */
#define MBEDTLS_SSL_TRANSPORT__BOTH /* shortcut for future tests */
#define MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) \
( (transport) == MBEDTLS_SSL_TRANSPORT_STREAM )
#define MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) \
( (transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
#define MBEDTLS_SSL_TRANSPORT_ELSE else
#elif defined(MBEDTLS_SSL_PROTO_DTLS) /* DTLS only */
#define MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) 0
#define MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) 1
#define MBEDTLS_SSL_TRANSPORT_ELSE /* empty: no other branch */
#else /* TLS only */
#define MBEDTLS_SSL_TRANSPORT_IS_TLS( transport ) 1
#define MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) 0
#define MBEDTLS_SSL_TRANSPORT_ELSE /* empty: no other branch */
#endif /* TLS and/or DTLS */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif
@ -905,12 +956,14 @@ static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl ) static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if !defined(MBEDTLS_SSL_PROTO__BOTH)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
return( 12 );
#else
((void) ssl); ((void) ssl);
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
return( 12 );
#endif
return( 4 ); return( 4 );
} }

29
library/ssl_cli.c
View file

@ -452,7 +452,7 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
*/ */
*olen = 0; *olen = 0;
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
{ {
return; return;
@ -734,7 +734,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
* When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->verify_cookie != NULL ) ssl->handshake->verify_cookie != NULL )
{ {
return( 0 ); return( 0 );
@ -785,7 +785,7 @@ static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_inf
return( 1 ); return( 1 );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
return( 1 ); return( 1 );
#endif #endif
@ -926,7 +926,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
* DTLS cookie * DTLS cookie
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
if( ssl->handshake->verify_cookie == NULL ) if( ssl->handshake->verify_cookie == NULL )
{ {
@ -1021,7 +1021,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
* an actual need for it. * an actual need for it.
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
offer_compress = 0; offer_compress = 0;
#endif #endif
@ -1137,7 +1137,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
ssl->state++; ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
mbedtls_ssl_send_flight_completed( ssl ); mbedtls_ssl_send_flight_completed( ssl );
#endif #endif
@ -1148,7 +1148,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
@ -1252,7 +1252,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
size_t peer_cid_len; size_t peer_cid_len;
if( /* CID extension only makes sense in DTLS */ if( /* CID extension only makes sense in DTLS */
ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
/* The server must only send the CID extension if we have offered it. */ /* The server must only send the CID extension if we have offered it. */
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED ) ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
{ {
@ -1645,7 +1645,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
{ {
@ -1762,12 +1762,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_ZLIB_SUPPORT) #if defined(MBEDTLS_ZLIB_SUPPORT)
/* See comments in ssl_write_client_hello() */ /* See comments in ssl_write_client_hello() */
#if defined(MBEDTLS_SSL_PROTO_DTLS) accept_comp = MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport );
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
accept_comp = 0;
else
#endif
accept_comp = 1;
if( comp != MBEDTLS_SSL_COMPRESS_NULL && if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) ) ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
@ -3001,7 +2996,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
ssl->state++; ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
mbedtls_ssl_recv_flight_completed( ssl ); mbedtls_ssl_recv_flight_completed( ssl );
#endif #endif
@ -3642,7 +3637,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
return( ret ); return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{ {
if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )

55
library/ssl_srv.c
View file

@ -441,7 +441,7 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
size_t peer_cid_len; size_t peer_cid_len;
/* CID extension only makes sense in DTLS */ /* CID extension only makes sense in DTLS */
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@ -899,7 +899,7 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
return( 0 ); return( 0 );
#endif #endif
@ -1304,12 +1304,13 @@ read_record_header:
buf = ssl->in_hdr; buf = ssl->in_hdr;
#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) && \
#if defined(MBEDTLS_SSL_PROTO_DTLS) defined(MBEDTLS_SSL_PROTO_TLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) &&
#endif ( buf[0] & 0x80 ) != 0 )
if( ( buf[0] & 0x80 ) != 0 ) {
return( ssl_parse_client_hello_v2( ssl ) ); return( ssl_parse_client_hello_v2( ssl ) );
}
#endif #endif
MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) ); MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_in_hdr_len( ssl ) );
@ -1353,7 +1354,7 @@ read_record_header:
/* For DTLS if this is the initial handshake, remember the client sequence /* For DTLS if this is the initial handshake, remember the client sequence
* number to use it in our next message (RFC 6347 4.2.1) */ * number to use it in our next message (RFC 6347 4.2.1) */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport )
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
&& ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
#endif #endif
@ -1407,13 +1408,19 @@ read_record_header:
return( ret ); return( ret );
} }
/* Done reading this record, get ready for the next one */ /* Done reading this record, get ready for the next one */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{
ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl ); ssl->next_record_offset = msg_len + mbedtls_ssl_in_hdr_len( ssl );
else }
MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS)
{
ssl->in_left = 0; ssl->in_left = 0;
}
#endif
} }
buf = ssl->in_msg; buf = ssl->in_msg;
@ -1456,7 +1463,7 @@ read_record_header:
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
/* /*
* Copy the client's handshake message_seq on initial handshakes, * Copy the client's handshake message_seq on initial handshakes,
@ -1595,7 +1602,7 @@ read_record_header:
* Check the cookie length and content * Check the cookie length and content
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
cookie_offset = 35 + sess_len; cookie_offset = 35 + sess_len;
cookie_len = buf[cookie_offset]; cookie_len = buf[cookie_offset];
@ -1650,9 +1657,13 @@ read_record_header:
*/ */
ciph_offset = cookie_offset + 1 + cookie_len; ciph_offset = cookie_offset + 1 + cookie_len;
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{
ciph_offset = 35 + sess_len; ciph_offset = 35 + sess_len;
}
#endif /* MBEDTLS_SSL_PROTO_TLS */
ciph_len = ( buf[ciph_offset + 0] << 8 ) ciph_len = ( buf[ciph_offset + 0] << 8 )
| ( buf[ciph_offset + 1] ); | ( buf[ciph_offset + 1] );
@ -1704,7 +1715,7 @@ read_record_header:
/* See comments in ssl_write_client_hello() */ /* See comments in ssl_write_client_hello() */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
#endif #endif
@ -2086,7 +2097,7 @@ have_ciphersuite:
ssl->state++; ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
mbedtls_ssl_recv_flight_completed( ssl ); mbedtls_ssl_recv_flight_completed( ssl );
#endif #endif
@ -2521,7 +2532,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
@ -2547,7 +2558,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->verify_cookie_len != 0 ) ssl->handshake->verify_cookie_len != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
@ -3505,7 +3516,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
ssl->state++; ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
mbedtls_ssl_send_flight_completed( ssl ); mbedtls_ssl_send_flight_completed( ssl );
#endif #endif
@ -3516,7 +3527,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
@ -4401,7 +4412,7 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
return( ret ); return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{ {
if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )

221
library/ssl_tls.c
View file

@ -61,12 +61,14 @@ static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
/* Length of the "epoch" field in the record header */ /* Length of the "epoch" field in the record header */
static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
return( 2 );
#else
((void) ssl); ((void) ssl);
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
return( 2 );
#endif
return( 0 ); return( 0 );
} }
@ -135,7 +137,7 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
unsigned char const *own_cid, unsigned char const *own_cid,
size_t own_cid_len ) size_t own_cid_len )
{ {
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
ssl->negotiate_cid = enable; ssl->negotiate_cid = enable;
@ -170,7 +172,7 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
{ {
*enabled = MBEDTLS_SSL_CID_DISABLED; *enabled = MBEDTLS_SSL_CID_DISABLED;
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) ||
ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{ {
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -3023,7 +3025,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
uint32_t timeout; uint32_t timeout;
@ -3164,8 +3166,9 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
ssl->in_left = ret; ssl->in_left = ret;
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
ssl->in_left, nb_want ) ); ssl->in_left, nb_want ) );
@ -3212,6 +3215,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
ssl->in_left += ret; ssl->in_left += ret;
} }
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
@ -3267,15 +3271,17 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
ssl->out_hdr = ssl->out_buf; ssl->out_hdr = ssl->out_buf;
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
ssl->out_hdr = ssl->out_buf + 8; ssl->out_hdr = ssl->out_buf + 8;
} }
#endif
ssl_update_out_pointers( ssl, ssl->transform_out ); ssl_update_out_pointers( ssl, ssl->transform_out );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
@ -3686,7 +3692,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake != NULL && ssl->handshake != NULL &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{ {
@ -3729,7 +3735,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
* uint24 fragment_length; * uint24 fragment_length;
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
/* Make room for the additional DTLS fields */ /* Make room for the additional DTLS fields */
if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 ) if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
@ -3771,7 +3777,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
/* Either send now, or just save to be sent (and resent) later */ /* Either send now, or just save to be sent (and resent) later */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) ) hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
{ {
@ -3909,7 +3915,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
/* In case of DTLS, double-check that we don't exceed /* In case of DTLS, double-check that we don't exceed
* the remaining space in the datagram. */ * the remaining space in the datagram. */
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
ret = ssl_get_remaining_space_in_datagram( ssl ); ret = ssl_get_remaining_space_in_datagram( ssl );
if( ret < 0 ) if( ret < 0 )
@ -3951,7 +3957,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
flush == SSL_DONT_FORCE_FLUSH ) flush == SSL_DONT_FORCE_FLUSH )
{ {
size_t remaining; size_t remaining;
@ -4135,7 +4141,7 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
int ret; int ret;
unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
@ -4199,14 +4205,18 @@ int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
} }
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
/* With TLS we don't handle fragmentation (for now) */ #if defined(MBEDTLS_SSL_PROTO_TLS)
if( ssl->in_msglen < ssl->in_hslen )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); /* With TLS we don't handle fragmentation (for now) */
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); if( ssl->in_msglen < ssl->in_hslen )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
return( 0 ); return( 0 );
} }
@ -4222,7 +4232,7 @@ void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
/* Handshake message is complete, increment counter */ /* Handshake message is complete, increment counter */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake != NULL ) ssl->handshake != NULL )
{ {
unsigned offset; unsigned offset;
@ -4574,7 +4584,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
/* Check record type */ /* Check record type */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_CID && ssl->in_msgtype == MBEDTLS_SSL_MSG_CID &&
ssl->conf->cid_len != 0 ) ssl->conf->cid_len != 0 )
{ {
@ -4602,13 +4612,15 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_TLS)
/* Silently ignore invalid DTLS records as recommended by RFC 6347 /* Silently ignore invalid DTLS records as recommended by RFC 6347
* Section 4.1.2.7 */ * Section 4.1.2.7, that is, send alert only with TLS */
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) )
#endif /* MBEDTLS_SSL_PROTO_DTLS */ {
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
}
#endif /* MBEDTLS_SSL_PROTO_TLS */
return( MBEDTLS_ERR_SSL_INVALID_RECORD ); return( MBEDTLS_ERR_SSL_INVALID_RECORD );
} }
@ -4669,7 +4681,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
* record leads to the entire datagram being dropped. * record leads to the entire datagram being dropped.
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
@ -4904,26 +4916,23 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
else else
ssl->nb_zero = 0; ssl->nb_zero = 0;
#if defined(MBEDTLS_SSL_PROTO_DTLS) /* Only needed for TLS, as with DTLS in_ctr is read from the header */
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) #if defined(MBEDTLS_SSL_PROTO_TLS)
{ if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) )
; /* in_ctr read from peer, not maintained internally */
}
else
#endif
{ {
unsigned i; unsigned i;
for( i = 8; i > ssl_ep_len( ssl ); i-- ) for( i = 8; i > 0; i-- )
if( ++ssl->in_ctr[i - 1] != 0 ) if( ++ssl->in_ctr[i - 1] != 0 )
break; break;
/* The loop goes to its end iff the counter is wrapping */ /* The loop goes to its end only if the counter is wrapping around */
if( i == ssl_ep_len( ssl ) ) if( i == 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
} }
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
} }
@ -4940,7 +4949,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_ZLIB_SUPPORT */ #endif /* MBEDTLS_ZLIB_SUPPORT */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
mbedtls_ssl_dtls_replay_update( ssl ); mbedtls_ssl_dtls_replay_update( ssl );
} }
@ -4986,7 +4995,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
/* We only check for buffered messages if the /* We only check for buffered messages if the
* current datagram is fully consumed. */ * current datagram is fully consumed. */
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl_next_record_is_in_datagram( ssl ) == 0 ) ssl_next_record_is_in_datagram( ssl ) == 0 )
{ {
if( ssl_load_buffered_message( ssl ) == 0 ) if( ssl_load_buffered_message( ssl ) == 0 )
@ -5509,7 +5518,7 @@ static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
size_t rec_len; size_t rec_len;
unsigned rec_epoch; unsigned rec_epoch;
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_TLS( ssl->conf->transport ) )
return( 0 ); return( 0 );
if( hs == NULL ) if( hs == NULL )
@ -5647,7 +5656,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT ) ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
{ {
if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
@ -5698,7 +5707,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
/* Done reading this record, get ready for the next one */ /* Done reading this record, get ready for the next one */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_in_hdr_len( ssl ); ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_in_hdr_len( ssl );
if( ssl->next_record_offset < ssl->in_left ) if( ssl->next_record_offset < ssl->in_left )
@ -5706,14 +5715,18 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
} }
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS)
{
ssl->in_left = 0; ssl->in_left = 0;
}
#endif
if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
/* Silently discard invalid records */ /* Silently discard invalid records */
if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
@ -5756,8 +5769,9 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
return( ret ); return( ret );
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
/* Error out (and send alert) on invalid records */ /* Error out (and send alert) on invalid records */
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
@ -5770,6 +5784,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
#endif #endif
return( ret ); return( ret );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
} }
return( 0 ); return( 0 );
@ -5807,7 +5822,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
{ {
@ -5882,7 +5897,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
/* Drop unexpected ApplicationData records, /* Drop unexpected ApplicationData records,
* except at the beginning of renegotiations */ * except at the beginning of renegotiations */
@ -6655,7 +6670,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
ssl->session_in = ssl->session_negotiate; ssl->session_in = ssl->session_negotiate;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
ssl_dtls_replay_reset( ssl ); ssl_dtls_replay_reset( ssl );
@ -6670,9 +6685,13 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
} }
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
memset( ssl->in_ctr, 0, 8 ); #if defined(MBEDTLS_SSL_PROTO_TLS)
{
memset( ssl->in_ctr, 0, 8 );
}
#endif
ssl_update_in_pointers( ssl ); ssl_update_in_pointers( ssl );
@ -7100,7 +7119,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->flight != NULL ) ssl->handshake->flight != NULL )
{ {
/* Cancel handshake timer */ /* Cancel handshake timer */
@ -7171,7 +7190,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
unsigned char i; unsigned char i;
@ -7194,9 +7213,13 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
} }
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
memset( ssl->cur_out_ctr, 0, 8 ); #if defined(MBEDTLS_SSL_PROTO_TLS)
{
memset( ssl->cur_out_ctr, 0, 8 );
}
#endif
ssl->transform_out = ssl->transform_negotiate; ssl->transform_out = ssl->transform_negotiate;
ssl->session_out = ssl->session_negotiate; ssl->session_out = ssl->session_negotiate;
@ -7213,7 +7236,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
mbedtls_ssl_send_flight_completed( ssl ); mbedtls_ssl_send_flight_completed( ssl );
#endif #endif
@ -7224,7 +7247,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
@ -7313,7 +7336,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
ssl->state++; ssl->state++;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
mbedtls_ssl_recv_flight_completed( ssl ); mbedtls_ssl_recv_flight_completed( ssl );
#endif #endif
@ -7445,7 +7468,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
ssl_handshake_params_init( ssl->handshake ); ssl_handshake_params_init( ssl->handshake );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
ssl->handshake->alt_transform_out = ssl->transform_out; ssl->handshake->alt_transform_out = ssl->transform_out;
@ -7502,7 +7525,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform ) mbedtls_ssl_transform *transform )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
ssl->out_ctr = ssl->out_hdr + 3; ssl->out_ctr = ssl->out_hdr + 3;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -7515,8 +7538,9 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
ssl->out_iv = ssl->out_len + 2; ssl->out_iv = ssl->out_len + 2;
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
ssl->out_ctr = ssl->out_hdr - 8; ssl->out_ctr = ssl->out_hdr - 8;
ssl->out_len = ssl->out_hdr + 3; ssl->out_len = ssl->out_hdr + 3;
@ -7525,6 +7549,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
#endif #endif
ssl->out_iv = ssl->out_hdr + 5; ssl->out_iv = ssl->out_hdr + 5;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
/* Adjust out_msg to make space for explicit IV, if used. */ /* Adjust out_msg to make space for explicit IV, if used. */
if( transform != NULL && if( transform != NULL &&
@ -7557,7 +7582,7 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl )
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
/* This sets the header pointers to match records /* This sets the header pointers to match records
* without CID. When we receive a record containing * without CID. When we receive a record containing
@ -7572,8 +7597,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
ssl->in_iv = ssl->in_len + 2; ssl->in_iv = ssl->in_len + 2;
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
ssl->in_ctr = ssl->in_hdr - 8; ssl->in_ctr = ssl->in_hdr - 8;
ssl->in_len = ssl->in_hdr + 3; ssl->in_len = ssl->in_hdr + 3;
@ -7582,6 +7608,7 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl )
#endif #endif
ssl->in_iv = ssl->in_hdr + 5; ssl->in_iv = ssl->in_hdr + 5;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
/* This will be adjusted at record decryption time. */ /* This will be adjusted at record decryption time. */
ssl->in_msg = ssl->in_iv; ssl->in_msg = ssl->in_iv;
@ -7603,17 +7630,19 @@ static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
{ {
/* Set the incoming and outgoing record pointers. */ /* Set the incoming and outgoing record pointers. */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
ssl->out_hdr = ssl->out_buf; ssl->out_hdr = ssl->out_buf;
ssl->in_hdr = ssl->in_buf; ssl->in_hdr = ssl->in_buf;
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
ssl->out_hdr = ssl->out_buf + 8; ssl->out_hdr = ssl->out_buf + 8;
ssl->in_hdr = ssl->in_buf + 8; ssl->in_hdr = ssl->in_buf + 8;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
/* Derive other internal pointers. */ /* Derive other internal pointers. */
ssl_update_out_pointers( ssl, NULL /* no transform enabled */ ); ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
@ -8539,7 +8568,7 @@ int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
*/ */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->in_left > ssl->next_record_offset ) ssl->in_left > ssl->next_record_offset )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
@ -8598,7 +8627,7 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
switch( ssl->minor_ver ) switch( ssl->minor_ver )
{ {
@ -9393,7 +9422,7 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
/* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
* the ServerHello will have message_seq = 1" */ * the ServerHello will have message_seq = 1" */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{ {
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
@ -9519,7 +9548,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
return( ret ); return( ret );
@ -9620,7 +9649,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
/* With DTLS, drop the packet (probably from last handshake) */ /* With DTLS, drop the packet (probably from last handshake) */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
continue; continue;
} }
@ -9637,7 +9666,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
/* With DTLS, drop the packet (probably from last handshake) */ /* With DTLS, drop the packet (probably from last handshake) */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
continue; continue;
} }
@ -9659,7 +9688,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
/* DTLS clients need to know renego is server-initiated */ /* DTLS clients need to know renego is server-initiated */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{ {
ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
@ -9836,16 +9865,20 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
if( len > max_len ) if( len > max_len )
{ {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
"maximum fragment length: %d > %d", "maximum fragment length: %d > %d",
len, max_len ) ); len, max_len ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS)
{
len = max_len; len = max_len;
}
#endif
} }
if( ssl->out_left != 0 ) if( ssl->out_left != 0 )
@ -10259,6 +10292,10 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
{ {
memset( conf, 0, sizeof( mbedtls_ssl_config ) ); memset( conf, 0, sizeof( mbedtls_ssl_config ) );
#if !defined(MBEDTLS_SSL_PROTO_TLS)
conf->transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
#endif
} }
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
@ -10434,7 +10471,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#endif #endif
@ -10807,8 +10844,12 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
void mbedtls_ssl_write_version( int major, int minor, int transport, void mbedtls_ssl_write_version( int major, int minor, int transport,
unsigned char ver[2] ) unsigned char ver[2] )
{ {
#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
((void) transport);
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
{ {
if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
--minor; /* DTLS 1.0 stored as TLS 1.1 internally */ --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
@ -10816,21 +10857,25 @@ void mbedtls_ssl_write_version( int major, int minor, int transport,
ver[0] = (unsigned char)( 255 - ( major - 2 ) ); ver[0] = (unsigned char)( 255 - ( major - 2 ) );
ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#else
((void) transport);
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS)
{ {
ver[0] = (unsigned char) major; ver[0] = (unsigned char) major;
ver[1] = (unsigned char) minor; ver[1] = (unsigned char) minor;
} }
#endif
} }
void mbedtls_ssl_read_version( int *major, int *minor, int transport, void mbedtls_ssl_read_version( int *major, int *minor, int transport,
const unsigned char ver[2] ) const unsigned char ver[2] )
{ {
#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
((void) transport);
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
{ {
*major = 255 - ver[0] + 2; *major = 255 - ver[0] + 2;
*minor = 255 - ver[1] + 1; *minor = 255 - ver[1] + 1;
@ -10838,14 +10883,14 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport,
if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
} }
else MBEDTLS_SSL_TRANSPORT_ELSE
#else #endif /* MBEDTLS_SSL_PROTO_DTLS */
((void) transport); #if defined(MBEDTLS_SSL_PROTO_TLS)
#endif
{ {
*major = ver[0]; *major = ver[0];
*minor = ver[1]; *minor = ver[1];
} }
#endif /* MBEDTLS_SSL_PROTO_TLS */
} }
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )

3
library/version_features.c
View file

@ -486,6 +486,9 @@ static const char *features[] = {
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
"MBEDTLS_SSL_PROTO_DTLS", "MBEDTLS_SSL_PROTO_DTLS",
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
"MBEDTLS_SSL_PROTO_TLS",
#endif /* MBEDTLS_SSL_PROTO_TLS */
#if defined(MBEDTLS_SSL_ALPN) #if defined(MBEDTLS_SSL_ALPN)
"MBEDTLS_SSL_ALPN", "MBEDTLS_SSL_ALPN",
#endif /* MBEDTLS_SSL_ALPN */ #endif /* MBEDTLS_SSL_ALPN */

8
programs/ssl/query_config.c
View file

@ -1338,6 +1338,14 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS */
#if defined(MBEDTLS_SSL_ALPN) #if defined(MBEDTLS_SSL_ALPN)
if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 ) if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
{ {

7
programs/ssl/ssl_client1.c
View file

@ -43,14 +43,15 @@
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \ !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_SSL_PROTO_TLS)
int main( void ) int main( void )
{ {
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or"
"not defined.\n"); "MBEDTLS_SSL_PROTO_TLS not defined.\n");
return( 0 ); return( 0 );
} }
#else #else

2
programs/ssl/ssl_client2.c
View file

@ -223,7 +223,7 @@ int main( void )
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
#define USAGE_DTLS \ #define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \ " dtls=%%d default: 0 (TLS) (if both enabled)\n" \
" hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \ " hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \
" range of DTLS handshake timeouts in millisecs\n" \ " range of DTLS handshake timeouts in millisecs\n" \
" mtu=%%d default: (library default: unlimited)\n" \ " mtu=%%d default: (library default: unlimited)\n" \

6
programs/ssl/ssl_fork_server.c
View file

@ -43,7 +43,8 @@
!defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_TIMING_C) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_TIMING_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) || \
!defined(MBEDTLS_SSL_PROTO_TLS)
int main( int argc, char *argv[] ) int main( int argc, char *argv[] )
{ {
((void) argc); ((void) argc);
@ -53,7 +54,8 @@ int main( int argc, char *argv[] )
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined.\n"); "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C and/or "
"MBEDTLS_SSL_PROTO_TLS not defined.\n");
return( 0 ); return( 0 );
} }
#elif defined(_WIN32) #elif defined(_WIN32)

6
programs/ssl/ssl_mail_client.c
View file

@ -48,14 +48,14 @@
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_FS_IO) !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_SSL_PROTO_TLS)
int main( void ) int main( void )
{ {
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"not defined.\n"); "MBEDTLS_SSL_PROTO_TLS not defined.\n");
return( 0 ); return( 0 );
} }
#else #else

5
programs/ssl/ssl_pthread_server.c
View file

@ -45,7 +45,7 @@
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) || \ !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) || \
!defined(MBEDTLS_PEM_PARSE_C) !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
int main( void ) int main( void )
{ {
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C " mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
@ -53,7 +53,8 @@ int main( void )
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD " "MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD "
"and/or MBEDTLS_PEM_PARSE_C not defined.\n"); "and/or MBEDTLS_PEM_PARSE_C and/or "
"MBEDTLS_SSL_PROTO_TLS not defined.\n");
return( 0 ); return( 0 );
} }
#else #else

5
programs/ssl/ssl_server.c
View file

@ -44,14 +44,15 @@
!defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_PEM_PARSE_C) !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
int main( void ) int main( void )
{ {
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C " mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
"and/or MBEDTLS_PEM_PARSE_C not defined.\n"); "and/or MBEDTLS_PEM_PARSE_C and/or "
"MBEDTLS_SSL_PROTO_TLS not defined.\n");
return( 0 ); return( 0 );
} }
#else #else

2
programs/ssl/ssl_server2.c
View file

@ -329,7 +329,7 @@ int main( void )
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
#define USAGE_DTLS \ #define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \ " dtls=%%d default: 0 (TLS) (if both enabled)\n" \
" hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \ " hs_timeout=%%d-%%d default: (library default: 1000-60000)\n" \
" range of DTLS handshake timeouts in millisecs\n" \ " range of DTLS handshake timeouts in millisecs\n" \
" mtu=%%d default: (library default: unlimited)\n" \ " mtu=%%d default: (library default: unlimited)\n" \