From 7be14065e2d727feff6adebe69c8b7d13a80c349 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 18 Jun 2019 13:07:17 +0300 Subject: [PATCH 01/27] Add config MBEDTLS_SSL_SESSION_CACHE Add configuration option MBEDTLS_SSL_SESSION_CACHE to control enabling/disabling of the cache based session resumption. --- include/mbedtls/config.h | 8 ++++++++ include/mbedtls/ssl.h | 10 ++++++---- library/ssl_srv.c | 2 ++ library/ssl_tls.c | 12 ++++++++---- programs/ssl/dtls_server.c | 4 ++-- programs/ssl/query_config.c | 8 ++++++++ programs/ssl/ssl_client2.c | 2 ++ programs/ssl/ssl_server.c | 4 ++-- programs/ssl/ssl_server2.c | 2 ++ 9 files changed, 40 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 2116521dc..2a0bbfbf1 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1668,6 +1668,14 @@ */ #define MBEDTLS_SSL_SESSION_TICKETS +/** + * \def MBEDTLS_SSL_SESSION_CACHE + * + * + * Comment this macro to disable support for SSL session cache + */ +//#define MBEDTLS_SSL_SESSION_CACHE + /** * \def MBEDTLS_SSL_EXPORT_KEYS * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b51708970..4471a2403 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -906,11 +906,13 @@ struct mbedtls_ssl_config int (*f_rng)(void *, unsigned char *, size_t); void *p_rng; /*!< context for the RNG function */ +#if defined(MBEDTLS_SSL_SESSION_CACHE) /** Callback to retrieve a session from the cache */ int (*f_get_cache)(void *, mbedtls_ssl_session *); /** Callback to store a session into the cache */ int (*f_set_cache)(void *, const mbedtls_ssl_session *); void *p_cache; /*!< context for cache callbacks */ +#endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** Callback for setting cert according to SNI extension */ 
@@ -2129,7 +2131,7 @@ void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl, void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE) /** * \brief Set the session cache callbacks (server-side only) * If not set, no session resuming is done (except if session @@ -2171,9 +2173,9 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), int (*f_set_cache)(void *, const mbedtls_ssl_session *) ); -#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE) /** * \brief Request resumption of session (client-side only) * Session data is copied from presented session structure. @@ -2189,7 +2191,7 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, * \sa mbedtls_ssl_get_session() */ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ); -#endif /* MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */ /** * \brief Load serialized session data into a session structure. diff --git a/library/ssl_srv.c b/library/ssl_srv.c index ecde1b0b5..55a59765a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2637,6 +2637,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); +#if defined(MBEDTLS_SSL_SESSION_CACHE) /* * Resume is 0 by default, see ssl_handshake_init(). * It may be already set to 1 by ssl_parse_session_ticket_ext(). 
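Review bot: The `@@ -2171` hunk puts `mbedtls_ssl_set_session()` behind `MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE`, although its own doc comment describes it as the client-side call to request resumption and the commit message scopes the new option to cache based resumption. A client built with `MBEDTLS_SSL_SESSION_TICKETS` but without `MBEDTLS_SSL_SESSION_CACHE` would then have no API left to present a saved session, so ticket resumption looks unreachable on the client in that configuration. The same guard is applied to the definition in library/ssl_tls.c and to the call in programs/ssl/ssl_client2.c. Unless that coupling is intended, keep the declaration under `#if defined(MBEDTLS_SSL_CLI_C)` and limit `MBEDTLS_SSL_SESSION_CACHE` to `mbedtls_ssl_conf_session_cache()` and the `f_get_cache`/`f_set_cache`/`p_cache` fields.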
@@ -2653,6 +2654,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); ssl->handshake->resume = 1; } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ if( ssl->handshake->resume == 0 ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fff20ff1b..10232bb30 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7273,7 +7273,9 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) { +#if defined(MBEDTLS_SSL_SESSION_CACHE) int resume = ssl->handshake->resume; +#endif /* MBEDTLS_SSL_SESSION_CACHE */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); @@ -7302,6 +7304,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) ssl->session = ssl->session_negotiate; ssl->session_negotiate = NULL; +#if defined(MBEDTLS_SSL_SESSION_CACHE) /* * Add cache entry */ @@ -7312,6 +7315,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && @@ -8152,7 +8156,7 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, ssl_set_timer( ssl, 0 ); } -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE) void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), 
@@ -8162,9 +8166,9 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, conf->f_get_cache = f_get_cache; conf->f_set_cache = f_set_cache; } -#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE) int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) { int ret; @@ -8185,7 +8189,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session return( 0 ); } -#endif /* MBEDTLS_SSL_CLI_C */ +#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ) diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index dd21fbf47..799da9af9 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -236,11 +236,11 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); -#if defined(MBEDTLS_SSL_CACHE_C) +#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif +#endif /* MBEDTLS_SSL_CACHE_C && MBEDTLS_SSL_SESSION_CACHE */ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index d45a6634f..30b9d7975 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c 
@@ -1410,6 +1410,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_SESSION_CACHE) + if( strcmp( "MBEDTLS_SSL_SESSION_CACHE", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_CACHE ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ + #if defined(MBEDTLS_SSL_EXPORT_KEYS) if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 982857659..a3f5d609d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2545,12 +2545,14 @@ reconnect: } } +#if defined(MBEDTLS_SSL_SESSION_CACHE) if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned -0x%x\n\n", -ret ); goto exit; } +#endif /* MBEDTLS_SSL_SESSION_CACHE */ if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port, diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 97918562a..005d3e85d 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -224,11 +224,11 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); -#if defined(MBEDTLS_SSL_CACHE_C) +#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif +#endif /* MBEDTLS_SSL_CACHE_C && MBEDTLS_SSL_SESSION_CACHE */ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5d751b6a7..4049a27a5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -2527,9 +2527,11 @@ int main( int argc, char *argv[] ) if( opt.cache_timeout != -1 ) mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); +#if defined(MBEDTLS_SSL_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); +#endif /* MBEDTLS_SSL_SESSION_CACHE */ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) From 590bf51cbbdcd50add14a318daad15f396c6346f Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 18 Jun 2019 13:09:49 +0300 Subject: [PATCH 02/27] Enable MBEDTLS_SSL_SESSION_CACHE by default --- include/mbedtls/config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 2a0bbfbf1..81c1340d7 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1674,7 +1674,7 @@ * * Comment this macro to disable support for SSL session cache */ -//#define MBEDTLS_SSL_SESSION_CACHE +#define MBEDTLS_SSL_SESSION_CACHE /** * \def MBEDTLS_SSL_EXPORT_KEYS From 59bd12bf141b43a50142398d3b6aff5828face23 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 18 Jun 2019 13:49:02 +0300 Subject: [PATCH 03/27] Add new config MBEDTLS_SSL_SESSION_RESUMPTION Add a new configuration option MBEDTLS_SSL_SESSION_RESUMPTION to enable/disable the session resumption feature including ticket and cache based session resumption. --- include/mbedtls/check_config.h | 6 ++++++ include/mbedtls/config.h | 8 ++++++++ include/mbedtls/ssl_internal.h | 2 ++ library/ssl_cli.c | 8 ++++++++ library/ssl_srv.c | 6 ++++++ library/ssl_tls.c | 6 ++++++ programs/ssl/query_config.c | 8 ++++++++ 7 files changed, 44 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 88f47011b..e3d13e6ef 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -671,6 +671,12 @@ #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites" #endif +#if ( defined(MBEDTLS_SSL_SESSION_TICKETS) || \ + defined(MBEDTLS_SSL_SESSION_CACHE) ) && \ + !defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION" +#endif + #if defined(MBEDTLS_THREADING_PTHREAD) #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL) #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 81c1340d7..7ceccee35 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1676,6 +1676,14 @@ */ #define MBEDTLS_SSL_SESSION_CACHE +/** + * \def MBEDTLS_SSL_SESSION_RESUMPTION + * + * + * Comment this macro to disable support for SSL session resumption + */ +#define MBEDTLS_SSL_SESSION_RESUMPTION + /** * \def MBEDTLS_SSL_EXPORT_KEYS * diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 7009c4f8b..439994334 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -509,7 +509,9 @@ struct mbedtls_ssl_handshake_params unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; /*!< premaster secret */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) int resume; /*!< session resume indicator*/ +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ int max_major_ver; /*!< max. major version client*/ int max_minor_ver; /*!< max. minor version client*/ int cli_exts; /*!< client extension presence*/ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 17611d6fc..f47d34e8c 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
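Review bot: The `#error` text in the `@@ -671` hunk names `MBEDTLS_SESSION_CACHE`, which is not the macro being tested, so a user searching their configuration for that name will not find it. Use `#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SSL_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION"`. This check also makes any existing configuration that defines `MBEDTLS_SSL_SESSION_TICKETS` fail to build until it adds the new macro. Among the patches visible here only include/mbedtls/config.h and configs/baremetal.h gain it, so other shipped configuration files may need the same line.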
@@ -888,7 +888,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) ssl->handshake->resume == 0 ) +#else /* MBEDTLS_SSL_SESSION_RESUMPTION */ + 0 ) +#endif { n = 0; } @@ -1795,6 +1799,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) /* * Check if the session can be resumed */ @@ -1818,6 +1823,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) memcpy( ssl->session_negotiate->id, buf + 35, n ); } else +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ { ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; @@ -1830,8 +1836,10 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } } +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 55a59765a..a76ce1675 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2656,7 +2656,9 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_SESSION_CACHE */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( ssl->handshake->resume == 0 ) +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ { /* * New session, create a new session id, @@ -2683,6 +2685,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) else { /* 
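Review bot: In the `@@ -888` hunk the `#else` arm replaces `ssl->handshake->resume == 0` with `0`, but without resumption support that comparison would always hold, so the equivalent constant is `1`. With `0`, the `n = 0;` reset only happens when one of the earlier terms of the condition is true. Those terms start outside the hunk, so whether a non-empty session id can still be sent in such a build cannot be confirmed from here. Suggest `1 )` in the `#else` arm, or an unconditional `n = 0;` when `MBEDTLS_SSL_SESSION_RESUMPTION` is undefined.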
@@ -2697,6 +2700,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ /* * 38 . 38 session id length @@ -2712,8 +2716,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 10232bb30..420eba29d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1263,11 +1263,13 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, (void) ssl; #endif +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( handshake->resume != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); return( 0 ); } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, handshake->pmslen ); @@ -7364,6 +7366,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) /* * In case of session resuming, invert the client and server * ChangeCipherSpec messages order. @@ -7380,6 +7383,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) #endif } else +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ ssl->state++; /* @@ -7520,6 +7524,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) memcpy( ssl->peer_verify_data, buf, hash_len ); #endif +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) 
@@ -7532,6 +7537,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) #endif } else +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 30b9d7975..5a1f69e2e 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1418,6 +1418,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_SESSION_CACHE */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) + if( strcmp( "MBEDTLS_SSL_SESSION_RESUMPTION", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_RESUMPTION ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ + #if defined(MBEDTLS_SSL_EXPORT_KEYS) if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 ) { From 085e8a507eaab848f044bdfb7ddf6a3f3dac6696 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Tue, 18 Jun 2019 13:50:30 +0300 Subject: [PATCH 04/27] Enable new configs in baremetal config Enable MBEDTLS_SSL_SESSION_CACHE and MBEDTLS_SESSION_RESUMPTION in baremetal config. --- configs/baremetal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/baremetal.h b/configs/baremetal.h index 330b513fc..cd0202eaa 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -71,6 +71,8 @@ #define MBEDTLS_SSL_TLS_C #define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#define MBEDTLS_SSL_SESSION_CACHE +#define MBEDTLS_SSL_SESSION_RESUMPTION #define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_NO_TLS From 5165169a054b273398df9982447e48429352bdcf Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 19 Jun 2019 10:21:08 +0300 Subject: [PATCH 05/27] Fix test issues --- library/ssl_cli.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index f47d34e8c..01025cae5 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -1799,11 +1799,15 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) + /* * Check if the session can be resumed */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( ssl->handshake->resume == 0 || n == 0 || +#else + if( n == 0 || +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif @@ -1813,7 +1817,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) { ssl->state++; +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) ssl->handshake->resume = 0; +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ #if defined(MBEDTLS_HAVE_TIME) ssl->session_negotiate->start = mbedtls_time( NULL ); #endif @@ -1823,7 +1829,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) memcpy( ssl->session_negotiate->id, buf + 35, n ); } else -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ { ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; From 5b52b27519395bf6738de49f808f4bd90f7d9679 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 19 Jun 2019 10:21:37 +0300 Subject: [PATCH 06/27] Skip resumption tests if resumption not defined --- tests/ssl-opt.sh | 76 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7bcba2438..a3c189d86 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -916,7 +916,7 @@ trap cleanup INT TERM HUP # ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) run_test "Default" \ "$P_SRV debug_level=3" \ - "$P_CLI" \ + "$P_CLI debug_level=3" \ 0 \ -s "Protocol is TLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \ 
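Review bot: With `MBEDTLS_SSL_SESSION_RESUMPTION` undefined, the `@@ -1799` hunk still evaluates the session-id comparison and keeps the `else` branch that moves to `MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC`. Whether the client can enter the abbreviated handshake then depends on `ssl->session_negotiate` never matching what the server sends, rather than on the build option. That is probably true in practice because nothing should have populated the session id, but it is not enforced here, and the enclosing function extends beyond the hunk. Placing the `if( ... )` chain and the whole `else { ... }` block under `#if defined(MBEDTLS_SSL_SESSION_RESUMPTION)`, so that the first branch runs unconditionally otherwise, would guarantee a full handshake in that configuration and drop the unused code.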
@@ -2206,6 +2206,8 @@ run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \ # Tests for Session Tickets +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: basic" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -2220,6 +2222,8 @@ run_test "Session resume using tickets: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: cache disabled" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -2234,6 +2238,8 @@ run_test "Session resume using tickets: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: timeout" \ "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \ @@ -2248,6 +2254,8 @@ run_test "Session resume using tickets: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: session copy" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \ @@ -2262,6 +2270,8 @@ run_test "Session resume using tickets: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ 
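Review bot: The ticket tests from the `@@ -2206` hunk onwards require only `MBEDTLS_SSL_SESSION_RESUMPTION` and `MBEDTLS_SSL_SESSION_TICKETS`, yet those using `$P_CLI` with `reconnect=1` expect `-c "a session has been resumed"`. Patch 01 of this series compiles the `mbedtls_ssl_set_session()` call in programs/ssl/ssl_client2.c only under `MBEDTLS_SSL_SESSION_CACHE`, so in a build with tickets but no cache these tests would presumably run and fail rather than be skipped. Either add `requires_config_enabled MBEDTLS_SSL_SESSION_CACHE` to the tests whose client is `$P_CLI`, or lift that guard in ssl_client2.c. This applies to the TLS and DTLS ticket groups alike.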
@@ -2271,6 +2281,8 @@ run_test "Session resume using tickets: openssl server" \ -c "parse new session ticket" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl client" \ "$P_SRV debug_level=3 tickets=1" \ "( $O_CLI -sess_out $SESSION; \ @@ -2285,6 +2297,8 @@ run_test "Session resume using tickets: openssl client" \ # Tests for Session Tickets with DTLS +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: basic" \ "$P_SRV debug_level=3 dtls=1 tickets=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \ @@ -2299,6 +2313,8 @@ run_test "Session resume using tickets, DTLS: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: cache disabled" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \ @@ -2313,6 +2329,8 @@ run_test "Session resume using tickets, DTLS: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: timeout" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \ 
@@ -2327,6 +2345,8 @@ run_test "Session resume using tickets, DTLS: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: session copy" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_mode=0" \ @@ -2341,6 +2361,8 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls1" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -2350,6 +2372,8 @@ run_test "Session resume using tickets, DTLS: openssl server" \ -c "parse new session ticket" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "( $O_CLI -dtls1 -sess_out $SESSION; \ @@ -2364,6 +2388,9 @@ run_test "Session resume using tickets, DTLS: openssl client" \ # Tests for Session Resume based on session-ID and cache +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: tickets enabled on client" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ 
@@ -2378,6 +2405,9 @@ run_test "Session resume using cache: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: tickets enabled on server" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -2392,6 +2422,8 @@ run_test "Session resume using cache: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: cache_max=0" \ "$P_SRV debug_level=3 tickets=0 cache_max=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -2401,6 +2433,8 @@ run_test "Session resume using cache: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: cache_max=1" \ "$P_SRV debug_level=3 tickets=0 cache_max=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -2410,6 +2444,8 @@ run_test "Session resume using cache: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: timeout > delay" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ 
@@ -2419,6 +2455,8 @@ run_test "Session resume using cache: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: timeout < delay" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2428,6 +2466,8 @@ run_test "Session resume using cache: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: no timeout" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2437,6 +2477,8 @@ run_test "Session resume using cache: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: session copy" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \ @@ -2446,6 +2488,8 @@ run_test "Session resume using cache: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: openssl client" \ "$P_SRV debug_level=3 tickets=0" \ "( $O_CLI -sess_out $SESSION; \ @@ -2458,6 +2502,8 @@ run_test "Session resume using cache: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache: openssl server" \ "$O_SRV" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ 
@@ -2468,6 +2514,9 @@ run_test "Session resume using cache: openssl server" \ # Tests for Session Resume based on session-ID and cache, DTLS +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: tickets enabled on client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -2482,6 +2531,9 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: tickets enabled on server" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -2496,6 +2548,8 @@ run_test "Session resume using cache, DTLS: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: cache_max=0" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -2505,6 +2559,8 @@ run_test "Session resume using cache, DTLS: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: cache_max=1" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ 
@@ -2514,6 +2570,8 @@ run_test "Session resume using cache, DTLS: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: timeout > delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ @@ -2523,6 +2581,8 @@ run_test "Session resume using cache, DTLS: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: timeout < delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2532,6 +2592,8 @@ run_test "Session resume using cache, DTLS: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: no timeout" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2541,6 +2603,8 @@ run_test "Session resume using cache, DTLS: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: session copy" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \ 
@@ -2550,6 +2614,8 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "( $O_CLI -dtls1 -sess_out $SESSION; \ @@ -2562,6 +2628,8 @@ run_test "Session resume using cache, DTLS: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -8006,6 +8074,9 @@ run_test "DTLS proxy: 3d, max handshake, nbio" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "DTLS proxy: 3d, min handshake, resumption" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -8020,6 +8091,9 @@ run_test "DTLS proxy: 3d, min handshake, resumption" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS +requires_config_enabled MBEDTLS_SSL_SESSION_CACHE run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ From ac57e82c7dccf38b646f01b53f25be2aeceeaedd Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 19 Jun 2019 10:26:43 +0300 Subject: [PATCH 07/27] Doxygen for new config options --- include/mbedtls/config.h | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 7ceccee35..cfb2094da 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1664,6 +1664,8 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * + * Requires: MBEDTLS_SSL_SESSION_RESUMPTION + * * Comment this macro to disable support for SSL session tickets */ #define MBEDTLS_SSL_SESSION_TICKETS @@ -1671,6 +1673,9 @@ /** * \def MBEDTLS_SSL_SESSION_CACHE * + * Enable support for cache based session resumption. + * + * Requires: MBEDTLS_SSL_SESSION_RESUMPTION * * Comment this macro to disable support for SSL session cache */ @@ -1679,6 +1684,10 @@ /** * \def MBEDTLS_SSL_SESSION_RESUMPTION * + * Enable support for session resumption. This is the main feature flag and + * enabling this allow to enable following flags: + * MBEDTLS_SSL_SESSION_TICKETS + * MBEDTLS_SSL_SESSION_CACHE * * Comment this macro to disable support for SSL session resumption */ From 18f06625411d53d32859272a50cd86255a95fdd5 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 19 Jun 2019 14:01:05 +0300 Subject: [PATCH 08/27] Add changelog entry --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 49c3acf5f..e9dc52c86 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,10 @@ Features ServerHello. * Add new configuration option MBEDTLS_SSL_PROTO_NO_TLS that enables code size savings in configurations where only DTLS is used. + * Add new configuration option MBEDTLS_SSL_SESSION_CACHE that can be used + to enable/disable cache based session resumption + * Add new configuration option MBEDTLS_SSL_SESSION_RESUMPTION that can be + used to enable/disable session resumption feature entirely. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. From 0905c3da111a5c24c81b95b440518b159e9a3a7a Mon Sep 17 00:00:00 2001 
From: Jarno Lamsa Date: Wed, 19 Jun 2019 14:04:31 +0300 Subject: [PATCH 09/27] Add test to all.sh --- tests/scripts/all.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2f1a1b54e..78e123cf2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -682,6 +682,21 @@ component_test_rsa_no_crt () { if_build_succeeded tests/compat.sh -t RSA } +component_test_no_resumption () { + msg "build: Default + !MBEDTLS_SSL_SESSION_RESUMPTION (ASan build)" # ~ 6 min + scripts/config.pl unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.pl unset MBEDTLS_SSL_SESSION_CACHE + scripts/config.pl unset MBEDTLS_SSL_SESSION_RESUMPTION + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_SESSION_RESUMPTION - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: !MBEDTLS_SSL_SESSION_RESUMPTION - ssl-opt.sh (ASan build)" # ~ 6 min + if_build_succeeded tests/ssl-opt.sh +} + component_test_small_ssl_out_content_len () { msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384 From 4f74f6d3010322b0f573e6908d4e4b45e5cd4a8c Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 19 Jun 2019 14:56:44 +0300 Subject: [PATCH 10/27] Fix check-files, check-names and check-generated-features --- include/mbedtls/check_config.h | 2 +- library/version_features.c | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index e3d13e6ef..27dd8aab9 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
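Review bot: `component_test_no_resumption` shows that the library builds and that the remaining tests pass with the three options unset, but nothing in it asserts that a resumption attempt is actually declined. The resumption cases in tests/ssl-opt.sh were tagged `requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION` by the earlier patches in this series, so they are presumably all skipped in this build. I would add at least one ssl-opt.sh case guarded by `requires_config_disabled MBEDTLS_SSL_SESSION_RESUMPTION` in which an interop peer offers a saved session or ticket and the expected result is a completed full handshake. The unguarded `make test` matches what the neighbouring components appear to do, so I would leave it as is.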
@@ -674,7 +674,7 @@ #if ( defined(MBEDTLS_SSL_SESSION_TICKETS) || \ defined(MBEDTLS_SSL_SESSION_CACHE) ) && \ !defined(MBEDTLS_SSL_SESSION_RESUMPTION) -#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION" +#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SSL_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION" #endif #if defined(MBEDTLS_THREADING_PTHREAD) diff --git a/library/version_features.c b/library/version_features.c index 5e9d9239b..7deb41717 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -513,6 +513,12 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_SESSION_TICKETS) "MBEDTLS_SSL_SESSION_TICKETS", #endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_SESSION_CACHE) + "MBEDTLS_SSL_SESSION_CACHE", +#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) + "MBEDTLS_SSL_SESSION_RESUMPTION", +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) "MBEDTLS_SSL_EXPORT_KEYS", #endif /* MBEDTLS_SSL_EXPORT_KEYS */ From dbf6073fa34121e61742ab8102fafe87f2cc5436 Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Wed, 19 Jun 2019 16:20:30 +0300 Subject: [PATCH 11/27] Fix ssl_cli resumption guards --- library/ssl_cli.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 01025cae5..710ffa4db 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1805,9 +1805,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) */ #if defined(MBEDTLS_SSL_SESSION_RESUMPTION) if( ssl->handshake->resume == 0 || n == 0 || -#else - if( n == 0 || -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif 
@@ -1815,6 +1812,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) ssl->session_negotiate->compression != comp || ssl->session_negotiate->id_len != n || memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ { ssl->state++; #if defined(MBEDTLS_SSL_SESSION_RESUMPTION) @@ -1828,6 +1826,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) ssl->session_negotiate->id_len = n; memcpy( ssl->session_negotiate->id, buf + 35, n ); } +#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) else { ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; @@ -1840,6 +1839,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } +#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ #if defined(MBEDTLS_SSL_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", From 29f2dd0a7b0d5370b50d65cd7413986a6dbbacdb Mon Sep 17 00:00:00 2001 From: Jarno Lamsa Date: Thu, 20 Jun 2019 15:31:52 +0300 Subject: [PATCH 12/27] Address review comments --- ChangeLog | 8 +-- configs/baremetal.h | 4 +- include/mbedtls/check_config.h | 12 ++-- include/mbedtls/config.h | 54 ++++++++++++---- include/mbedtls/ssl.h | 12 ++-- include/mbedtls/ssl_internal.h | 4 +- library/ssl_cli.c | 44 ++++++------- library/ssl_srv.c | 44 ++++++------- library/ssl_tls.c | 28 ++++---- library/version_features.c | 12 ++-- programs/ssl/dtls_server.c | 4 +- programs/ssl/query_config.c | 16 ++--- programs/ssl/ssl_client2.c | 4 +- programs/ssl/ssl_server.c | 4 +- programs/ssl/ssl_server2.c | 4 +- tests/scripts/all.sh | 10 +-- tests/ssl-opt.sh | 114 ++++++++++++++++----------------- 17 files changed, 203 insertions(+), 175 deletions(-) diff --git a/ChangeLog b/ChangeLog index e9dc52c86..796ff2212 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -38,10 +38,10 @@ Features ServerHello. * Add new configuration option MBEDTLS_SSL_PROTO_NO_TLS that enables code size savings in configurations where only DTLS is used. - * Add new configuration option MBEDTLS_SSL_SESSION_CACHE that can be used - to enable/disable cache based session resumption - * Add new configuration option MBEDTLS_SSL_SESSION_RESUMPTION that can be - used to enable/disable session resumption feature entirely. + * Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that can be used + to disable cache based session resumption + * Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that can be + used to disable session resumption feature entirely. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. diff --git a/configs/baremetal.h b/configs/baremetal.h index cd0202eaa..b8bf3e0f1 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -71,8 +71,8 @@ #define MBEDTLS_SSL_TLS_C #define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET -#define MBEDTLS_SSL_SESSION_CACHE -#define MBEDTLS_SSL_SESSION_RESUMPTION +#define MBEDTLS_SSL_NO_SESSION_CACHE +#define MBEDTLS_SSL_NO_SESSION_RESUMPTION #define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_NO_TLS diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 27dd8aab9..030236a0a 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
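Review bot: In configs/baremetal.h the lines `#define MBEDTLS_SSL_SESSION_CACHE` and `#define MBEDTLS_SSL_SESSION_RESUMPTION` become `#define MBEDTLS_SSL_NO_SESSION_CACHE` and `#define MBEDTLS_SSL_NO_SESSION_RESUMPTION`, so the rename flips this configuration from resumption enabled to resumption compiled out. If that is intended (for code size, say), the commit message should say so; if the aim was to keep behaviour, the two lines should be deleted rather than renamed. The include/mbedtls/config.h hunk of this commit looks like the same inversion: it leaves both `NO_` macros defined and comments out `MBEDTLS_SSL_SESSION_TICKETS`, while its own text says "Uncomment this macro to disable", and the tests/scripts/all.sh hunk still has to `set` them for a build it calls "Default + MBEDTLS_SSL_NO_SESSION_RESUMPTION".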
@@ -671,10 +671,14 @@ #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites" #endif -#if ( defined(MBEDTLS_SSL_SESSION_TICKETS) || \ - defined(MBEDTLS_SSL_SESSION_CACHE) ) && \ - !defined(MBEDTLS_SSL_SESSION_RESUMPTION) -#error "MBEDTLS_SSL_SESSION_TICKETS/MBEDTLS_SSL_SESSION_CACHE cannot be defined without MBEDTLS_SSL_SESSION_RESUMPTION" +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) +#error "MBEDTLS_SSL_SESSION_TICKETS cannot be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION" +#endif + +#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) && \ + defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) +#error "MBEDTLS_NO_SESSION_CACHE needs to be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION" #endif #if defined(MBEDTLS_THREADING_PTHREAD) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index cfb2094da..5f2028a9f 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
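Review bot: The second new `#error` string names `MBEDTLS_NO_SESSION_CACHE`, which is not an option; the condition directly above it tests `MBEDTLS_SSL_NO_SESSION_CACHE`. PATCH 10 of this series corrected the same missing `SSL_` in the message this hunk replaces, so the typo has been reintroduced. Suggested line: `#error "MBEDTLS_SSL_NO_SESSION_CACHE needs to be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION"`.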
@@ -1664,34 +1664,60 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * - * Requires: MBEDTLS_SSL_SESSION_RESUMPTION + * Requires: !MBEDTLS_SSL_NO_SESSION_RESUMPTION * * Comment this macro to disable support for SSL session tickets */ -#define MBEDTLS_SSL_SESSION_TICKETS +//#define MBEDTLS_SSL_SESSION_TICKETS /** - * \def MBEDTLS_SSL_SESSION_CACHE + * \def MBEDTLS_SSL_NO_SESSION_CACHE * - * Enable support for cache based session resumption. + * Disable support for cache based session resumption. * - * Requires: MBEDTLS_SSL_SESSION_RESUMPTION + * This option is only about the server-side support of the session caches. + * Client will only need the MBEDTLS_SSL_SESSION_RESUMPTION to support + * cache based session resumption. * - * Comment this macro to disable support for SSL session cache + * Server-side, you also need to provide callbacks for storing and reading + * sessions from cache. Example callbacks are provided by MBEDTLS_SSL_CACHE_C. + * + * If MBEDTLS_SSL_NO_SESSION_RESUMPTION is defined, this needs to be defined + * as well. + * + * Uncomment this macro to disable support for SSL session cache */ -#define MBEDTLS_SSL_SESSION_CACHE +#define MBEDTLS_SSL_NO_SESSION_CACHE /** - * \def MBEDTLS_SSL_SESSION_RESUMPTION + * \def MBEDTLS_SSL_NO_SESSION_RESUMPTION * - * Enable support for session resumption. This is the main feature flag and - * enabling this allow to enable following flags: - * MBEDTLS_SSL_SESSION_TICKETS - * MBEDTLS_SSL_SESSION_CACHE + * Disable support for session resumption. This is useful in constrained + * devices where session resumption isn't used. * - * Comment this macro to disable support for SSL session resumption + * \note Session resumption is part of the TLS standard, disabling this + * option means that the full implementation of the standard is no longer + * used. 
This shouldn't cause any interoperability issues as by the standard + * mandates that peers who want to resume a session need to be prepared to + * fall back to a full handshake. + * + * When this flag is enabled, following needs to be true: + * MBEDTLS_SSL_NO_SESSION_CACHE enabled + * MBEDTLS_SSL_SESSION_TICKETS disabled + * + * Client-side, this is enough to enable support for cache-based session + * resumption (as defined by the TLS standard); for ticket-based resumption + * you'll also need to enable MBEDTLS_SSL_SESSION_TICKETS. + * + * Server-side, this option is only useful in conjunction with at least + * one of `!MBEDTLS_SSL_NO_SESSION_CACHE` or `MBEDTLS_SSL_SESSION_TICKETS`. + * Each one of these additionally requires an implementation of the cache + * or tickets, examples of which are provided by `MBEDTLS_SSL_CACHE_C` + * and `MBEDTLS_SSL_TICKETS_C` respectively. + * + * Uncomment this macro to disable support for SSL session resumption */ -#define MBEDTLS_SSL_SESSION_RESUMPTION +#define MBEDTLS_SSL_NO_SESSION_RESUMPTION /** * \def MBEDTLS_SSL_EXPORT_KEYS diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 4471a2403..716f35af2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -906,13 +906,13 @@ struct mbedtls_ssl_config int (*f_rng)(void *, unsigned char *, size_t); void *p_rng; /*!< context for the RNG function */ -#if defined(MBEDTLS_SSL_SESSION_CACHE) +#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) /** Callback to retrieve a session from the cache */ int (*f_get_cache)(void *, mbedtls_ssl_session *); /** Callback to store a session into the cache */ int (*f_set_cache)(void *, const mbedtls_ssl_session *); void *p_cache; /*!< context for cache callbacks */ -#endif +#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** Callback for setting cert according to SNI extension */ 
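Review bot: The new Doxygen text for the two `NO_` options still describes the old positive options in places, which makes the security-relevant default hard to read off the header. The `MBEDTLS_SSL_NO_SESSION_CACHE` block refers to `MBEDTLS_SSL_SESSION_RESUMPTION`, a macro this commit removes. In the `MBEDTLS_SSL_NO_SESSION_RESUMPTION` block, the paragraphs starting "Client-side, this is enough to enable support" and "Server-side, this option is only useful in conjunction with" describe the option being left undefined, not defined. The same block cites `MBEDTLS_SSL_TICKETS_C`, where the ticket paragraph a few lines above names `MBEDTLS_SSL_TICKET_C`, and "as by the standard mandates" should read "as the standard mandates". I would rewrite both paragraphs in terms of "when this option is not defined" and fix the two macro names.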
@@ -2131,7 +2131,7 @@ void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl, void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE) +#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) /** * \brief Set the session cache callbacks (server-side only) * If not set, no session resuming is done (except if session @@ -2173,9 +2173,9 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), int (*f_set_cache)(void *, const mbedtls_ssl_session *) ); -#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE) +#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) /** * \brief Request resumption of session (client-side only) * Session data is copied from presented session structure. @@ -2191,7 +2191,7 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, * \sa mbedtls_ssl_get_session() */ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ); -#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_CLI_C && !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ /** * \brief Load serialized session data into a session structure. diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 439994334..cca71e745 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
@@ -509,9 +509,9 @@ struct mbedtls_ssl_handshake_params unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; /*!< premaster secret */ -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) int resume; /*!< session resume indicator*/ -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ int max_major_ver; /*!< max. major version client*/ int max_minor_ver; /*!< max. minor version client*/ int cli_exts; /*!< client extension presence*/ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 710ffa4db..3b7e7224c 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -888,9 +888,9 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) ssl->handshake->resume == 0 ) -#else /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#else /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ 0 ) #endif { @@ -1803,8 +1803,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) /* * Check if the session can be resumed */ -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) - if( ssl->handshake->resume == 0 || n == 0 || +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + if( n == 0 || #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif 
@@ -1812,22 +1812,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) ssl->session_negotiate->compression != comp || ssl->session_negotiate->id_len != n || memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ - { - ssl->state++; -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) ssl->handshake->resume = 0; -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ -#if defined(MBEDTLS_HAVE_TIME) - ssl->session_negotiate->start = mbedtls_time( NULL ); -#endif - ssl->session_negotiate->ciphersuite = i; - ssl->session_negotiate->compression = comp; - ssl->session_negotiate->id_len = n; - memcpy( ssl->session_negotiate->id, buf + 35, n ); - } -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) - else + if( ssl->handshake->resume == 1 ) { ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; @@ -1839,12 +1825,26 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ + else +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ + { + ssl->state++; +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + ssl->handshake->resume = 0; +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ +#if defined(MBEDTLS_HAVE_TIME) + ssl->session_negotiate->start = mbedtls_time( NULL ); +#endif + ssl->session_negotiate->ciphersuite = i; + ssl->session_negotiate->compression = comp; + ssl->session_negotiate->id_len = n; + memcpy( ssl->session_negotiate->id, buf + 35, n ); + } -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index a76ce1675..778618601 100644 
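Review bot: The new branch `if( ssl->handshake->resume == 1 )` in ssl_parse_server_hello, and the matching one added to ssl_write_server_hello in the library/ssl_srv.c hunk, compare against the literal 1, while the library/ssl_tls.c hunks of this commit keep testing `handshake->resume != 0`. Only the values 0 and 1 are assigned in the visible code, but the two spellings disagree for any other nonzero value, and the handshake state machine should not depend on that; I would write `if( ssl->handshake->resume != 0 )` in both places. Separately, the multi-line condition starting `if( n == 0 ||` now governs the single unbraced statement `ssl->handshake->resume = 0;`, with an `#if` in the middle of the condition, so that statement should get braces to make it harder for a later edit to fall outside the condition. Both functions continue outside these hunks.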
--- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2637,7 +2637,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 ); -#if defined(MBEDTLS_SSL_SESSION_CACHE) +#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) /* * Resume is 0 by default, see ssl_handshake_init(). * It may be already set to 1 by ssl_parse_session_ticket_ext(). @@ -2654,11 +2654,25 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); ssl->handshake->resume = 1; } -#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) - if( ssl->handshake->resume == 0 ) -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + if( ssl->handshake->resume == 1 ) + { + /* + * Resuming a session + */ + n = ssl->session_negotiate->id_len; + ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; + + if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); + return( ret ); + } + } + else +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ { /* * New session, create a new session id, @@ -2685,22 +2699,6 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) return( ret ); } } -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) - else - { - /* - * Resuming a session - */ - n = ssl->session_negotiate->id_len; - ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; - - if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret ); - return( ret ); - } - } -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ /* * 38 . 38 session id length 
@@ -2716,10 +2714,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", ssl->handshake->resume ? "a" : "no" ) ); -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 420eba29d..316d537ac 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1263,13 +1263,13 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, (void) ssl; #endif -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) if( handshake->resume != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) ); return( 0 ); } -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster, handshake->pmslen ); @@ -7275,9 +7275,9 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_SESSION_CACHE) +#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) int resume = ssl->handshake->resume; -#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); @@ -7306,7 +7306,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) ssl->session = ssl->session_negotiate; ssl->session_negotiate = NULL; -#if defined(MBEDTLS_SSL_SESSION_CACHE) +#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) /* * Add cache entry */ 
@@ -7317,7 +7317,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } -#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && @@ -7366,7 +7366,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) /* * In case of session resuming, invert the client and server * ChangeCipherSpec messages order. @@ -7383,7 +7383,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) #endif } else -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ ssl->state++; /* @@ -7524,7 +7524,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) memcpy( ssl->peer_verify_data, buf, hash_len ); #endif -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) @@ -7537,7 +7537,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) #endif } else -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -8162,7 +8162,7 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, ssl_set_timer( ssl, 0 ); } -#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_CACHE) +#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), 
@@ -8172,9 +8172,9 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, conf->f_get_cache = f_get_cache; conf->f_set_cache = f_set_cache; } -#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_CACHE) +#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) { int ret; @@ -8195,7 +8195,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session return( 0 ); } -#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_CLI_C && !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ) diff --git a/library/version_features.c b/library/version_features.c index 7deb41717..8bc42e39f 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -513,12 +513,12 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_SESSION_TICKETS) "MBEDTLS_SSL_SESSION_TICKETS", #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_SSL_SESSION_CACHE) - "MBEDTLS_SSL_SESSION_CACHE", -#endif /* MBEDTLS_SSL_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) - "MBEDTLS_SSL_SESSION_RESUMPTION", -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#if defined(MBEDTLS_SSL_NO_SESSION_CACHE) + "MBEDTLS_SSL_NO_SESSION_CACHE", +#endif /* MBEDTLS_SSL_NO_SESSION_CACHE */ +#if defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + "MBEDTLS_SSL_NO_SESSION_RESUMPTION", +#endif /* MBEDTLS_SSL_NO_SESSION_RESUMPTION */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) "MBEDTLS_SSL_EXPORT_KEYS", #endif /* MBEDTLS_SSL_EXPORT_KEYS */ diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 799da9af9..6566baef5 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c 
@@ -236,11 +236,11 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); -#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE) +#if defined(MBEDTLS_SSL_CACHE_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif /* MBEDTLS_SSL_CACHE_C && MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_CACHE_C && !MBEDTLS_SSL_NO_SESSION_CACHE */ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 5a1f69e2e..7e84d5c6d 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1410,21 +1410,21 @@ int query_config( const char *config ) } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ -#if defined(MBEDTLS_SSL_SESSION_CACHE) - if( strcmp( "MBEDTLS_SSL_SESSION_CACHE", config ) == 0 ) +#if defined(MBEDTLS_SSL_NO_SESSION_CACHE) + if( strcmp( "MBEDTLS_SSL_NO_SESSION_CACHE", config ) == 0 ) { - MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_CACHE ); + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_NO_SESSION_CACHE ); return( 0 ); } -#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_NO_SESSION_CACHE */ -#if defined(MBEDTLS_SSL_SESSION_RESUMPTION) - if( strcmp( "MBEDTLS_SSL_SESSION_RESUMPTION", config ) == 0 ) +#if defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + if( strcmp( "MBEDTLS_SSL_NO_SESSION_RESUMPTION", config ) == 0 ) { - MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_SESSION_RESUMPTION ); + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_NO_SESSION_RESUMPTION ); return( 0 ); } -#endif /* MBEDTLS_SSL_SESSION_RESUMPTION */ +#endif /* MBEDTLS_SSL_NO_SESSION_RESUMPTION */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) if( strcmp( "MBEDTLS_SSL_EXPORT_KEYS", config ) == 0 ) 
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index a3f5d609d..dd194f316 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2545,14 +2545,14 @@ reconnect: } } -#if defined(MBEDTLS_SSL_SESSION_CACHE) +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned -0x%x\n\n", -ret ); goto exit; } -#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port, diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 005d3e85d..5052435fa 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -224,11 +224,11 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); -#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SESSION_CACHE) +#if defined(MBEDTLS_SSL_CACHE_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif /* MBEDTLS_SSL_CACHE_C && MBEDTLS_SSL_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_CACHE_C && !MBEDTLS_SSL_NO_SESSION_CACHE */ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 4049a27a5..3f11328cf 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -2527,11 +2527,11 @@ int main( int argc, char *argv[] ) if( opt.cache_timeout != -1 ) mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); -#if defined(MBEDTLS_SSL_SESSION_CACHE) +#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); -#endif /* MBEDTLS_SSL_SESSION_CACHE */ +#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 78e123cf2..63fbea2ce 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -683,17 +683,17 @@ component_test_rsa_no_crt () { } component_test_no_resumption () { - msg "build: Default + !MBEDTLS_SSL_SESSION_RESUMPTION (ASan build)" # ~ 6 min + msg "build: Default + MBEDTLS_SSL_NO_SESSION_RESUMPTION (ASan build)" # ~ 6 min scripts/config.pl unset MBEDTLS_SSL_SESSION_TICKETS - scripts/config.pl unset MBEDTLS_SSL_SESSION_CACHE - scripts/config.pl unset MBEDTLS_SSL_SESSION_RESUMPTION + scripts/config.pl set MBEDTLS_SSL_NO_SESSION_CACHE + scripts/config.pl set MBEDTLS_SSL_NO_SESSION_RESUMPTION CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: !MBEDTLS_SSL_SESSION_RESUMPTION - main suites (inc. selftests) (ASan build)" # ~ 50s + msg "test: MBEDTLS_SSL_NO_SESSION_RESUMPTION - main suites (inc. selftests) (ASan build)" # ~ 50s make test - msg "test: !MBEDTLS_SSL_SESSION_RESUMPTION - ssl-opt.sh (ASan build)" # ~ 6 min + msg "test: MBEDTLS_SSL_NO_SESSION_RESUMPTION - ssl-opt.sh (ASan build)" # ~ 6 min if_build_succeeded tests/ssl-opt.sh } diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a3c189d86..0dd9a878e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -916,7 +916,7 @@ trap cleanup INT TERM HUP # ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) run_test "Default" \ "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3" \ + "$P_CLI" \ 0 \ -s "Protocol is TLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \ @@ -2206,7 +2206,7 @@ run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \ # Tests for Session Tickets -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: basic" \ "$P_SRV debug_level=3 tickets=1" \ @@ -2222,7 +2222,7 @@ run_test "Session resume using tickets: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: cache disabled" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ @@ -2238,7 +2238,7 @@ run_test "Session resume using tickets: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: timeout" \ "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \ @@ -2254,7 +2254,7 @@ run_test "Session resume using tickets: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: session copy" \ "$P_SRV debug_level=3 tickets=1 cache_max=0" \ 
@@ -2270,7 +2270,7 @@ run_test "Session resume using tickets: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV" \ @@ -2281,7 +2281,7 @@ run_test "Session resume using tickets: openssl server" \ -c "parse new session ticket" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl client" \ "$P_SRV debug_level=3 tickets=1" \ @@ -2297,7 +2297,7 @@ run_test "Session resume using tickets: openssl client" \ # Tests for Session Tickets with DTLS -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: basic" \ "$P_SRV debug_level=3 dtls=1 tickets=1" \ @@ -2313,7 +2313,7 @@ run_test "Session resume using tickets, DTLS: basic" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: cache disabled" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ 
@@ -2329,7 +2329,7 @@ run_test "Session resume using tickets, DTLS: cache disabled" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: timeout" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ @@ -2345,7 +2345,7 @@ run_test "Session resume using tickets, DTLS: timeout" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: session copy" \ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ @@ -2361,7 +2361,7 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls1" \ @@ -2372,7 +2372,7 @@ run_test "Session resume using tickets, DTLS: openssl server" \ -c "parse new session ticket" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ 
@@ -2388,9 +2388,9 @@ run_test "Session resume using tickets, DTLS: openssl client" \ # Tests for Session Resume based on session-ID and cache -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: tickets enabled on client" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -2405,9 +2405,9 @@ run_test "Session resume using cache: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: tickets enabled on server" \ "$P_SRV debug_level=3 tickets=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -2422,8 +2422,8 @@ run_test "Session resume using cache: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: cache_max=0" \ "$P_SRV debug_level=3 tickets=0 cache_max=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ 
@@ -2433,8 +2433,8 @@ run_test "Session resume using cache: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: cache_max=1" \ "$P_SRV debug_level=3 tickets=0 cache_max=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -2444,8 +2444,8 @@ run_test "Session resume using cache: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: timeout > delay" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ @@ -2455,8 +2455,8 @@ run_test "Session resume using cache: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: timeout < delay" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ 
@@ -2466,8 +2466,8 @@ run_test "Session resume using cache: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: no timeout" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2477,8 +2477,8 @@ run_test "Session resume using cache: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: session copy" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \ @@ -2488,8 +2488,8 @@ run_test "Session resume using cache: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: openssl client" \ "$P_SRV debug_level=3 tickets=0" \ "( $O_CLI -sess_out $SESSION; \ 
@@ -2502,8 +2502,8 @@ run_test "Session resume using cache: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: openssl server" \ "$O_SRV" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -2514,9 +2514,9 @@ run_test "Session resume using cache: openssl server" \ # Tests for Session Resume based on session-ID and cache, DTLS -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: tickets enabled on client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -2531,9 +2531,9 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: tickets enabled on server" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ 
@@ -2548,8 +2548,8 @@ run_test "Session resume using cache, DTLS: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: cache_max=0" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -2559,8 +2559,8 @@ run_test "Session resume using cache, DTLS: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: cache_max=1" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -2570,8 +2570,8 @@ run_test "Session resume using cache, DTLS: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: timeout > delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ 
@@ -2581,8 +2581,8 @@ run_test "Session resume using cache, DTLS: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: timeout < delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2592,8 +2592,8 @@ run_test "Session resume using cache, DTLS: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: no timeout" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -2603,8 +2603,8 @@ run_test "Session resume using cache, DTLS: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: session copy" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \ 
@@ -2614,8 +2614,8 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "( $O_CLI -dtls1 -sess_out $SESSION; \ @@ -2628,8 +2628,8 @@ run_test "Session resume using cache, DTLS: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -8074,9 +8074,9 @@ run_test "DTLS proxy: 3d, max handshake, nbio" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "DTLS proxy: 3d, min handshake, resumption" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ 
@@ -8091,9 +8091,9 @@ run_test "DTLS proxy: 3d, min handshake, resumption" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 -requires_config_enabled MBEDTLS_SSL_SESSION_RESUMPTION +requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS -requires_config_enabled MBEDTLS_SSL_SESSION_CACHE +requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ From f130b1024a97ae4a4c0e3d941cc6349761a7133e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 10:05:28 +0200 Subject: [PATCH 13/27] Restore config.h defaults We want those changes only in config/baremetal.h, not in the default config. --- include/mbedtls/config.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 5f2028a9f..ccb6bec3d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1668,7 +1668,7 @@ * * Comment this macro to disable support for SSL session tickets */ -//#define MBEDTLS_SSL_SESSION_TICKETS +#define MBEDTLS_SSL_SESSION_TICKETS /** * \def MBEDTLS_SSL_NO_SESSION_CACHE @@ -1687,7 +1687,7 @@ * * Uncomment this macro to disable support for SSL session cache */ -#define MBEDTLS_SSL_NO_SESSION_CACHE +//#define MBEDTLS_SSL_NO_SESSION_CACHE /** * \def MBEDTLS_SSL_NO_SESSION_RESUMPTION @@ -1717,7 +1717,7 @@ * * Uncomment this macro to disable support for SSL session resumption */ -#define MBEDTLS_SSL_NO_SESSION_RESUMPTION +//#define MBEDTLS_SSL_NO_SESSION_RESUMPTION /** * \def MBEDTLS_SSL_EXPORT_KEYS From 26ac9c4d1ffe10db2b661a8f3f8f6e644d710470 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 10:07:28 +0200 Subject: [PATCH 14/27] Exclude new negative options from config.pl full --- scripts/config.pl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/config.pl b/scripts/config.pl index c10a3b316..1c7c736c6 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -32,6 +32,8 @@ # MBEDTLS_REMOVE_3DES_CIPHERSUITES # MBEDTLS_SSL_HW_RECORD_ACCEL # MBEDTLS_SSL_PROTO_NO_DTLS +# MBEDTLS_SSL_NO_SESSION_CACHE +# MBEDTLS_SSL_NO_SESSION_RESUMPTION # MBEDTLS_RSA_NO_CRT # MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 # MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION @@ -95,6 +97,8 @@ MBEDTLS_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_3DES_CIPHERSUITES MBEDTLS_SSL_HW_RECORD_ACCEL MBEDTLS_SSL_PROTO_NO_TLS +MBEDTLS_SSL_NO_SESSION_CACHE +MBEDTLS_SSL_NO_SESSION_RESUMPTION MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_REMOVE_INFO From f1c6ad4c5f2d3d7a7bc115f313e3507ad0876b3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 10:13:04 +0200 Subject: [PATCH 15/27] Declare dependency on tickets for two ssl-opt.sh tests See https://github.com/ARMmbed/mbedtls/issues/2712 --- tests/ssl-opt.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0dd9a878e..d35b9bfc7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2130,6 +2130,9 @@ run_test "Fallback SCSV: end of list" \ -s "inapropriate fallback" ## Here the expected response is a valid ServerHello prefix, up to the random. +## Due to the way the clienthello was generated, this currently needs the +## server to have support for session tickets. +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS requires_openssl_with_fallback_scsv run_test "Fallback SCSV: not in list" \ "$P_SRV debug_level=2" \ 
@@ -7932,6 +7935,8 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ -S "Injecting buffered CCS message" \ -S "Remember CCS message" +# This needs session tickets; otherwise CCS is the first message in its flight +requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -p "$P_PXY delay_srv=NewSessionTicket" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ From e431563269f46f8568dcaca03009a7e18236d875 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 10:57:27 +0200 Subject: [PATCH 16/27] Remove backticks in doxygen in config.h --- include/mbedtls/config.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index ccb6bec3d..c70381ec1 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1278,8 +1278,8 @@ * which allows to identify DTLS connections across changes * in the underlying transport. * - * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, - * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`. + * Setting this option enables the SSL APIs mbedtls_ssl_set_cid(), + * mbedtls_ssl_get_peer_cid() and mbedtls_ssl_conf_cid(). * See the corresponding documentation for more information. * * \warning The Connection ID extension is still in draft state. 
@@ -1710,10 +1710,10 @@ * you'll also need to enable MBEDTLS_SSL_SESSION_TICKETS. * * Server-side, this option is only useful in conjunction with at least - * one of `!MBEDTLS_SSL_NO_SESSION_CACHE` or `MBEDTLS_SSL_SESSION_TICKETS`. + * one of !MBEDTLS_SSL_NO_SESSION_CACHE or MBEDTLS_SSL_SESSION_TICKETS. * Each one of these additionally requires an implementation of the cache - * or tickets, examples of which are provided by `MBEDTLS_SSL_CACHE_C` - * and `MBEDTLS_SSL_TICKETS_C` respectively. + * or tickets, examples of which are provided by MBEDTLS_SSL_CACHE_C + * and MBEDTLS_SSL_TICKETS_C respectively. * * Uncomment this macro to disable support for SSL session resumption */ From 8a0944cb99e7514eab4d297e82f4e60d8accbfcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 10:59:17 +0200 Subject: [PATCH 17/27] Fix renaming oversight in documentation --- include/mbedtls/config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index c70381ec1..734a38ffd 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1676,7 +1676,7 @@ * Disable support for cache based session resumption. * * This option is only about the server-side support of the session caches. - * Client will only need the MBEDTLS_SSL_SESSION_RESUMPTION to support + * Client will only need !MBEDTLS_SSL_NO_SESSION_RESUMPTION to support * cache based session resumption. * * Server-side, you also need to provide callbacks for storing and reading From 320eb7ac4e10d0f1bc3b2e05b730cc23d5f7c1f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 11:06:35 +0200 Subject: [PATCH 18/27] Expand documentation of new options a bit --- ChangeLog | 10 ++++++---- include/mbedtls/config.h | 16 +++++++++------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 796ff2212..9fb42024d 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -38,10 +38,12 @@ Features ServerHello. * Add new configuration option MBEDTLS_SSL_PROTO_NO_TLS that enables code size savings in configurations where only DTLS is used. - * Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that can be used - to disable cache based session resumption - * Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that can be - used to disable session resumption feature entirely. + * Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that enables + code size savings in configurations where cache-based session resumption is + not used. + * Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that + enables code size savings in configurations where no form of session + resumption is used. API Changes * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 734a38ffd..29ff97a02 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1666,14 +1666,16 @@ * * Requires: !MBEDTLS_SSL_NO_SESSION_RESUMPTION * - * Comment this macro to disable support for SSL session tickets + * Comment this macro to disable support for SSL session tickets. */ #define MBEDTLS_SSL_SESSION_TICKETS /** * \def MBEDTLS_SSL_NO_SESSION_CACHE * - * Disable support for cache based session resumption. + * Disable support for cache based session resumption. This is useful to + * reduce code size in configurations where cache-based session resumption is + * not used. * * This option is only about the server-side support of the session caches. * Client will only need !MBEDTLS_SSL_NO_SESSION_RESUMPTION to support 
@@ -1685,19 +1687,19 @@ * If MBEDTLS_SSL_NO_SESSION_RESUMPTION is defined, this needs to be defined * as well. * - * Uncomment this macro to disable support for SSL session cache + * Uncomment this macro to disable support for SSL session cache. */ //#define MBEDTLS_SSL_NO_SESSION_CACHE /** * \def MBEDTLS_SSL_NO_SESSION_RESUMPTION * - * Disable support for session resumption. This is useful in constrained - * devices where session resumption isn't used. + * Disable support for session resumption. This is useful to reduce code size + * in configurations where no form of session resumption is used. * * \note Session resumption is part of the TLS standard, disabling this * option means that the full implementation of the standard is no longer - * used. This shouldn't cause any interoperability issues as by the standard + * used. This shouldn't cause any interoperability issues as the standard * mandates that peers who want to resume a session need to be prepared to * fall back to a full handshake. * @@ -1715,7 +1717,7 @@ * or tickets, examples of which are provided by MBEDTLS_SSL_CACHE_C * and MBEDTLS_SSL_TICKETS_C respectively. * - * Uncomment this macro to disable support for SSL session resumption + * Uncomment this macro to disable support for SSL session resumption. */ //#define MBEDTLS_SSL_NO_SESSION_RESUMPTION From 594a1bbc4f4622a60a63c63ee5e53c16f3b61b79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 11:10:32 +0200 Subject: [PATCH 19/27] Fix a few style issues --- library/ssl_cli.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 3b7e7224c..65f7c2cac 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -1799,7 +1799,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n ); - /* * Check if the session can be resumed */ @@ -1812,7 +1811,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) ssl->session_negotiate->compression != comp || ssl->session_negotiate->id_len != n || memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 ) + { ssl->handshake->resume = 0; + } if( ssl->handshake->resume == 1 ) { ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; From 33cb3e1c7e04b607fc4e580eb1aff61166fc018b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 11:14:18 +0200 Subject: [PATCH 20/27] Remove cache callbacks from config on client The session cache is only server-side. This also aligns the conditions guarding those fields with the condition guarding the function setting them - no need to have the fields if we can't set them. This preserves the API and ABI in the default config as it only affects non-default configs. --- include/mbedtls/ssl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 716f35af2..517eb4e77 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -906,13 +906,13 @@ struct mbedtls_ssl_config int (*f_rng)(void *, unsigned char *, size_t); void *p_rng; /*!< context for the RNG function */ -#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) +#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) /** Callback to retrieve a session from the cache */ int (*f_get_cache)(void *, mbedtls_ssl_session *); /** Callback to store a session into the cache */ int (*f_set_cache)(void *, const mbedtls_ssl_session *); void *p_cache; /*!< context for cache callbacks */ -#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** Callback for setting cert according to SNI extension */ From 44b10761cc9825b1847eaf081b460f75ab20b2e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 11:18:53 +0200 Subject: [PATCH 21/27] Remove now-redundant code Due to previous change of conditions, this is now in the 'else' branch of 'if resume == 1' and the only allowed values are 0 or 1, so setting to 0 is redundant. --- library/ssl_cli.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 65f7c2cac..083ea3119 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1830,9 +1830,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) #endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ { ssl->state++; -#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) - ssl->handshake->resume = 0; -#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ #if defined(MBEDTLS_HAVE_TIME) ssl->session_negotiate->start = mbedtls_time( NULL ); #endif From 3652e99100045727731910834d04a9e4e9f85a23 Mon Sep 17 00:00:00 2001 
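Review bot: The new guard on f_get_cache, f_set_cache and p_cache in struct mbedtls_ssl_config removes the fields from client-only builds, but this commit changes only ssl.h, so any read of them that is guarded by `!defined(MBEDTLS_SSL_NO_SESSION_CACHE)` alone will stop compiling when MBEDTLS_SSL_SRV_C is unset. No such use is visible in this hunk; shared handshake code that stores a finished session through `f_set_cache`, if there is any, is the place to check, and it should carry `#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE)` as well. A client-only build in CI would confirm it. The struct definition continues outside the hunk.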
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 12:09:22 +0200 Subject: [PATCH 22/27] Add getter function for handshake->resume This makes the code more readable by having fewer #ifdefs all over the place. --- include/mbedtls/ssl_internal.h | 16 ++++++++++++++++ library/ssl_cli.c | 10 ++-------- library/ssl_srv.c | 8 +++----- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index cca71e745..c36c2ad6e 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1111,4 +1111,20 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced( } #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ + +/* + * Accessor functions for optional fields of various structures + */ + +static inline int mbedtls_ssl_handshake_get_resume( + const mbedtls_ssl_handshake_params *handshake ) +{ +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + return( handshake->resume ); +#else + (void) handshake; + return( 0 ); +#endif +} + #endif /* ssl_internal.h */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 083ea3119..6731b97ab 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -888,11 +888,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || #endif -#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) - ssl->handshake->resume == 0 ) -#else /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ - 0 ) -#endif + mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ) { n = 0; } 
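Review bot: In the ssl_cli.c hunk at -888, the last operand of the session-ID length check changes value for builds with MBEDTLS_SSL_NO_SESSION_RESUMPTION: the removed `#else` branch supplied `0`, while `mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0` is always true there because the getter returns 0. Such builds now always take `n = 0` and never offer a session ID, which looks like the right behaviour, but it is a functional change in a commit described as a readability clean-up. I would say so in the commit message and add a comment above the call, for example `/* the getter returns 0 when resumption is compiled out, so no session ID is offered */`. ssl_write_client_hello starts and ends outside the hunk.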
@@ -1839,10 +1835,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) memcpy( ssl->session_negotiate->id, buf + 35, n ); } -#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", - ssl->handshake->resume ? "a" : "no" ) ); -#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ + mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 778618601..07bbe2d9a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2643,7 +2643,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) * It may be already set to 1 by ssl_parse_session_ticket_ext(). * If not, try looking up session ID in our cache. */ - if( ssl->handshake->resume == 0 && + if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 && #if defined(MBEDTLS_SSL_RENEGOTIATION) ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && #endif @@ -2657,7 +2657,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) - if( ssl->handshake->resume == 1 ) + if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 ) { /* * Resuming a session 
@@ -2714,10 +2714,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n ); -#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed", - ssl->handshake->resume ? "a" : "no" ) ); -#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ + mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) ); *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 ); *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite ); From 754b9f32dbb47f5c6fd2be2619d877ba65973027 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 12:20:54 +0200 Subject: [PATCH 23/27] Introduce getter function for renego_status While not strictly related to this PR, this change improves readability in some resumption-related runtime conditions that previously had rather ugly preprocessor directives in the middle of already complex predicates. --- include/mbedtls/ssl_internal.h | 11 +++++++++++ library/ssl_cli.c | 34 +++++++++++----------------------- library/ssl_srv.c | 32 ++++++++++---------------------- 3 files changed, 32 insertions(+), 45 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index c36c2ad6e..a8aa75b8e 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1127,4 +1127,15 @@ static inline int mbedtls_ssl_handshake_get_resume( #endif } +static inline int mbedtls_ssl_get_renego_status( + const mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_RENEGOTIATION) + return( ssl->renego_status ); +#else + (void) ssl; + return( MBEDTLS_SSL_INITIAL_HANDSHAKE ); +#endif +} + #endif /* ssl_internal.h */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 6731b97ab..e39ddc97a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -828,9 +828,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_NO_RNG ); } -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) -#endif + if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE ) { ssl->major_ver = ssl->conf->min_major_ver; ssl->minor_ver = ssl->conf->min_minor_ver; @@ -885,9 +883,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) n = ssl->session_negotiate->id_len; if( n < 16 || n > 32 || -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || -#endif + mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE || mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ) { n = 0; @@ -898,20 +894,16 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * RFC 5077 section 3.4: "When presenting a ticket, the client MAY * generate and include a Session ID in the TLS ClientHello." */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) -#endif + if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE && + ssl->session_negotiate->ticket != NULL && + ssl->session_negotiate->ticket_len != 0 ) { - if( ssl->session_negotiate->ticket != NULL && - ssl->session_negotiate->ticket_len != 0 ) - { - ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); + ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); - if( ret != 0 ) - return( ret ); + if( ret != 0 ) + return( ret ); - ssl->session_negotiate->id_len = n = 32; - } + ssl->session_negotiate->id_len = n = 32; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 
@@ -985,9 +977,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) /* * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) -#endif + if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) ); *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); @@ -1800,9 +1790,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) */ #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) if( n == 0 || -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE || -#endif + mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE || ssl->session_negotiate->ciphersuite != i || ssl->session_negotiate->compression != comp || ssl->session_negotiate->id_len != n || diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 07bbe2d9a..d2145fee1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1287,16 +1287,12 @@ read_record_header: * otherwise read it ourselves manually in order to support SSLv2 * ClientHello, which doesn't use the same record layer format. */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) -#endif + if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE && + ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) { - if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 ) - { - /* No alert on a read error. */ - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); - return( ret ); - } + /* No alert on a read error. */ + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); + return( ret ); } buf = ssl->in_hdr; 
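Review bot: The rewritten condition in the `@@ -1287,16 +1287,12 @@` hunk of library/ssl_srv.c makes the record-header read the right-hand operand of `&&`, so mbedtls_ssl_fetch_input() is skipped by short-circuit evaluation whenever the status is not the initial handshake. Behaviour matches the old nested form, but an I/O call with an assignment in the second half of a predicate is easy to misread in input-parsing code. Keeping two levels, `if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )` around the existing `if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )`, removes the #if just as well. The enclosing function starts and ends outside the hunk.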
@@ -1351,11 +1347,8 @@ read_record_header: /* For DTLS if this is the initial handshake, remember the client sequence * number to use it in our next message (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) -#if defined(MBEDTLS_SSL_RENEGOTIATION) - && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE -#endif - ) + if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && + mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE ) { /* Epoch should be 0 for initial handshakes */ if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) @@ -1616,11 +1609,8 @@ read_record_header: buf + cookie_offset + 1, cookie_len ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if( ssl->conf->f_cookie_check != NULL -#if defined(MBEDTLS_SSL_RENEGOTIATION) - && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE -#endif - ) + if( ssl->conf->f_cookie_check != NULL && + mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE ) { if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, buf + cookie_offset + 1, cookie_len, @@ -2644,9 +2634,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) * If not, try looking up session ID in our cache. */ if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 && -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && -#endif + mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE && ssl->session_negotiate->id_len != 0 && ssl->conf->f_get_cache != NULL && ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) From 93c8262d4aef6032352778292f3054be4d952032 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 12:47:27 +0200 Subject: [PATCH 24/27] Clarify conditions related to resumption in client --- library/ssl_cli.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) 
diff --git a/library/ssl_cli.c b/library/ssl_cli.c index e39ddc97a..34c9c9dbc 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -880,14 +880,24 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * .. . .. extensions length (2 bytes) * .. . .. extensions */ - n = ssl->session_negotiate->id_len; - if( n < 16 || n > 32 || + /* + * We'll write a session of non-zero length if resumption was requested + * by the user, we're not renegotiating, and the session ID is of + * appropriate length. Otherwise make the length 0 (for now, see next code + * block for behaviour with tickets). + */ + if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 || mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE || - mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ) + ssl->session_negotiate->id_len < 16 || + ssl->session_negotiate->id_len > 32 ) { n = 0; } + else + { + n = ssl->session_negotiate->id_len; + } #if defined(MBEDTLS_SSL_SESSION_TICKETS) /* @@ -1787,6 +1797,14 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) /* * Check if the session can be resumed + * + * We're only resuming a session if it was requested (handshake->resume + * already set to 1 by mbedtls_ssl_set_session()), and further conditions + * are satisfied (not renegotiating, ID and ciphersuite match, etc). + * + * Update handshake->resume to the value it will keep for the rest of the + * handshake, and that will be used to determine the relative order + * client/server last flights, as well as in handshake_wrapup(). */ #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) if( n == 0 || 
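Review bot: The new comment in the `@@ -880,14 +880,24 @@` hunk says "We'll write a session of non-zero length", but what goes into the ClientHello at this point is the session ID; `We'll write a session ID of non-zero length if resumption was requested by the user, ...` would be accurate. The bounds 16 and 32 in the condition below it remain unexplained, and a short note on why shorter IDs are not offered would help if the reason is known. In the `@@ -1787,6 +1797,14 @@` hunk, "determine the relative order client/server last flights" is missing "of the". ssl_write_client_hello() and ssl_parse_server_hello() both continue outside these hunks.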
@@ -1798,8 +1816,11 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) { ssl->handshake->resume = 0; } - if( ssl->handshake->resume == 1 ) +#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ + + if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 ) { + /* Resume a session */ ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC; if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 ) @@ -1811,8 +1832,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } } else -#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */ { + /* Start a new session */ ssl->state++; #if defined(MBEDTLS_HAVE_TIME) ssl->session_negotiate->start = mbedtls_time( NULL ); From c27fabfb6f756030da7ced47b6381adf1517bab1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 1 Jul 2019 13:05:39 +0200 Subject: [PATCH 25/27] Fix typos caught by check-names.sh --- include/mbedtls/check_config.h | 2 +- include/mbedtls/config.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 030236a0a..86f11ed3b 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -678,7 +678,7 @@ #if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) && \ defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) -#error "MBEDTLS_NO_SESSION_CACHE needs to be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION" +#error "MBEDTLS_SSL_NO_SESSION_CACHE needs to be defined with MBEDTLS_SSL_NO_SESSION_RESUMPTION" #endif #if defined(MBEDTLS_THREADING_PTHREAD) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 29ff97a02..25e061e7d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -1715,7 +1715,7 @@ * one of !MBEDTLS_SSL_NO_SESSION_CACHE or MBEDTLS_SSL_SESSION_TICKETS. * Each one of these additionally requires an implementation of the cache * or tickets, examples of which are provided by MBEDTLS_SSL_CACHE_C - * and MBEDTLS_SSL_TICKETS_C respectively. + * and MBEDTLS_SSL_TICKET_C respectively. * * Uncomment this macro to disable support for SSL session resumption. */ From 1772c9fac5b24f700e2335bce34be4d36922534d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 2 Jul 2019 15:18:36 +0200 Subject: [PATCH 26/27] Move code to reduce probability of conflicts There are a number of PRs in flight that are going to append to the list of getter functions for harcodeable SSL conf items, so leave that list at the end in order to avoid conflicts between this PR and the SSL conf ones. --- include/mbedtls/ssl_internal.h | 54 +++++++++++++++++----------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index a8aa75b8e..8803e8322 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1082,6 +1082,33 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl, mbedtls_record *rec ); +/* + * Accessor functions for optional fields of various structures + */ + +static inline int mbedtls_ssl_handshake_get_resume( + const mbedtls_ssl_handshake_params *handshake ) +{ +#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) + return( handshake->resume ); +#else + (void) handshake; + return( 0 ); +#endif +} + +static inline int mbedtls_ssl_get_renego_status( + const mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_RENEGOTIATION) + return( ssl->renego_status ); +#else + (void) ssl; + return( MBEDTLS_SSL_INITIAL_HANDSHAKE ); +#endif +} + + /* * Getter functions for fields in mbedtls_ssl_config which may * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX. 
@@ -1111,31 +1138,4 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced( } #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ - -/* - * Accessor functions for optional fields of various structures - */ - -static inline int mbedtls_ssl_handshake_get_resume( - const mbedtls_ssl_handshake_params *handshake ) -{ -#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) - return( handshake->resume ); -#else - (void) handshake; - return( 0 ); -#endif -} - -static inline int mbedtls_ssl_get_renego_status( - const mbedtls_ssl_context *ssl ) -{ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - return( ssl->renego_status ); -#else - (void) ssl; - return( MBEDTLS_SSL_INITIAL_HANDSHAKE ); -#endif -} - #endif /* ssl_internal.h */ From 7b80c64de424e26013e790dfad0703ebbb0a1f42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 2 Jul 2019 16:21:30 +0200 Subject: [PATCH 27/27] Fix compile-time guard for optional field in struct --- library/ssl_tls.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 316d537ac..d25942bfc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7275,10 +7275,6 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) { -#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) - int resume = ssl->handshake->resume; -#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ - MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) ); #if defined(MBEDTLS_SSL_RENEGOTIATION) 
@@ -7306,18 +7302,18 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) ssl->session = ssl->session_negotiate; ssl->session_negotiate = NULL; -#if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) +#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_NO_SESSION_CACHE) /* * Add cache entry */ if( ssl->conf->f_set_cache != NULL && ssl->session->id_len != 0 && - resume == 0 ) + ssl->handshake->resume == 0 ) { if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } -#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ +#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
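Review bot: The cache-store condition in the `@@ -7306,18 +7302,18 @@` hunk reads `ssl->handshake->resume` directly, while the rest of this series reads the flag through mbedtls_ssl_handshake_get_resume(). The direct access only compiles because check_config.h rejects a build that has the cache enabled together with MBEDTLS_SSL_NO_SESSION_RESUMPTION; `mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 )` would not depend on that rule. The preceding hunk also removes the local copy taken at function entry, so this read now requires ssl->handshake to be still allocated here; the intervening lines are not all visible, so that is worth confirming and recording in a comment next to the condition. mbedtls_ssl_handshake_wrapup() continues past the end of the hunk.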