mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 00:35:33 +00:00
Fix order of ssl_conf vs ssl_setup in programs
Except ssl_phtread_server that will be done later
This commit is contained in:
parent
9a1a4d6903
commit
06939cebef
|
@ -16,12 +16,14 @@ API Changes
|
|||
* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
|
||||
* The following _init() functions that could return errors have
|
||||
been split into an _init() that returns void and another function that
|
||||
should generally called shortly after init and can return errors:
|
||||
should generally be the first function called on this context after init:
|
||||
mbedtls_ssl_init() -> mbedtls_ssl_setup()
|
||||
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
|
||||
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
|
||||
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
|
||||
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
|
||||
Note that for mbetls_ssl_setup(), you need to be done setting up the
|
||||
ssl_config structure before calling it.
|
||||
* Most ssl_set_xxx() functions (all except ssl_set_hostname(),
|
||||
ssl_set_session() and ssl_set_client_transport_id(), plus
|
||||
ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
|
||||
|
|
|
@ -1152,6 +1152,12 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
|
|||
/**
|
||||
* \brief Set up an SSL context for use
|
||||
*
|
||||
* \note No copy of the configuration context is made, it can be
|
||||
* shared by many ssl_context structures.
|
||||
*
|
||||
* \warning Modifying the conf structure after is has been used in this
|
||||
* function is unsupported!
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param conf SSL configuration to use
|
||||
*
|
||||
|
|
|
@ -4915,18 +4915,16 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
|
|||
ssl_transform_init( ssl->transform_negotiate );
|
||||
ssl_handshake_params_init( ssl->handshake );
|
||||
|
||||
/*
|
||||
* We may not know yet if we're using DTLS,
|
||||
* so always initiliase DTLS-specific fields.
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
ssl->handshake->alt_transform_out = ssl->transform_out;
|
||||
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
||||
{
|
||||
ssl->handshake->alt_transform_out = ssl->transform_out;
|
||||
|
||||
// TODO: not the right place, we may not know endpoint yet
|
||||
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
|
||||
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
|
||||
else
|
||||
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
|
||||
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
|
||||
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
|
||||
else
|
||||
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
|
||||
}
|
||||
#endif
|
||||
|
||||
return( 0 );
|
||||
|
|
|
@ -170,26 +170,26 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
/* OPTIONAL is usually a bad choice for security, but makes interop easier
|
||||
* in this simplified example, in which the ca chain is hardcoded.
|
||||
* Production code should set a proper ca chain and use REQUIRED. */
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* OPTIONAL is usually a bad choice for security, but makes interop easier
|
||||
* in this simplified example, in which the ca chain is hardcoded.
|
||||
* Production code should set a proper ca chain and use REQUIRED. */
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
|
||||
if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd,
|
||||
mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
|
||||
|
||||
|
|
|
@ -200,12 +200,6 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
|
@ -232,6 +226,12 @@ int main( void )
|
|||
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
|
||||
&cookie_ctx );
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf( " ok\n" );
|
||||
|
||||
reset:
|
||||
|
|
|
@ -197,12 +197,6 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
|
||||
{
|
||||
ret = ssl_setup_failed;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
|
@ -218,13 +212,20 @@ int main( void )
|
|||
}
|
||||
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &ca, NULL );
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
|
||||
#endif
|
||||
|
||||
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
|
||||
{
|
||||
ret = ssl_setup_failed;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 )
|
||||
{
|
||||
ret = hostname_failed;
|
||||
goto exit;
|
||||
}
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
|
||||
#endif
|
||||
|
||||
/*
|
||||
* 1. Start the connection
|
||||
|
|
|
@ -158,26 +158,27 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
/* OPTIONAL is not optimal for security,
|
||||
* but makes interop easier in this simplified example */
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
/*
|
||||
|
|
|
@ -1057,12 +1057,6 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
if( opt.debug_level > 0 )
|
||||
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
|
||||
|
@ -1118,16 +1112,6 @@ int main( int argc, char *argv[] )
|
|||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
if( opt.nbio == 2 )
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
|
||||
else
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv,
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
|
@ -1193,6 +1177,31 @@ int main( int argc, char *argv[] )
|
|||
mbedtls_ssl_conf_fallback( &conf, opt.fallback );
|
||||
#endif
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
if( opt.nbio == 2 )
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
|
||||
else
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv,
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
/*
|
||||
|
|
|
@ -257,17 +257,10 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
|
||||
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
|
||||
|
@ -276,6 +269,14 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
/*
|
||||
* 5. Handshake
|
||||
*/
|
||||
|
|
|
@ -592,21 +592,12 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
/* OPTIONAL is not optimal for security,
|
||||
* but makes interop easier in this simplified example */
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
||||
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
|
||||
|
@ -623,7 +614,13 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_x509_CRT_PARSE_C)
|
||||
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
|
||||
|
@ -631,6 +628,10 @@ int main( int argc, char *argv[] )
|
|||
}
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
if( opt.mode == MODE_SSL_TLS )
|
||||
{
|
||||
if( do_handshake( &ssl ) != 0 )
|
||||
|
|
|
@ -199,12 +199,6 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
|
@ -221,6 +215,12 @@ int main( void )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
reset:
|
||||
|
|
|
@ -1527,12 +1527,6 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if( opt.auth_mode != DFL_AUTH_MODE )
|
||||
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
|
||||
|
||||
|
@ -1740,6 +1734,23 @@ int main( int argc, char *argv[] )
|
|||
if( opt.max_version != DFL_MIN_VERSION )
|
||||
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if( opt.nbio == 2 )
|
||||
mbedtls_ssl_set_bio( &ssl, &client_fd, my_send, my_recv, NULL );
|
||||
else
|
||||
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv,
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
||||
reset:
|
||||
|
@ -1799,16 +1810,6 @@ reset:
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( opt.nbio == 2 )
|
||||
mbedtls_ssl_set_bio( &ssl, &client_fd, my_send, my_recv, NULL );
|
||||
else
|
||||
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv,
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL
|
||||
#else
|
||||
NULL
|
||||
#endif
|
||||
);
|
||||
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
|
||||
|
|
|
@ -404,12 +404,6 @@ int main( int argc, char *argv[] )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto ssl_exit;
|
||||
}
|
||||
|
||||
if( verify )
|
||||
{
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
|
||||
|
@ -421,7 +415,6 @@ int main( int argc, char *argv[] )
|
|||
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
|
||||
{
|
||||
|
@ -429,12 +422,20 @@ int main( int argc, char *argv[] )
|
|||
goto ssl_exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
|
||||
goto ssl_exit;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
|
||||
goto ssl_exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
|
||||
|
||||
/*
|
||||
* 4. Handshake
|
||||
*/
|
||||
|
|
Loading…
Reference in a new issue