Make endpoint+transport args of config_defaults()

2025-01-30 23:11:10 +00:00 · 2015-05-04 19:32:36 +02:00 · 2015-05-04 19:32:36 +02:00 · 419d5ae419
parent def0bbe3ab
commit 419d5ae419
14 changed files with 98 additions and 103 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -2267,7 +2267,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
 * \return         0 if successful, or
 *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memorr allocation error.
 */
-int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf );
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
                                 int endpoint, int transport );
 /**
 * \brief          Free an SSL configuration context
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4976,6 +4976,37 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
    memset( ssl-> in_buf, 0, len );
    memset( ssl->out_buf, 0, len );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
    {
        ssl->out_hdr = ssl->out_buf;
        ssl->out_ctr = ssl->out_buf +  3;
        ssl->out_len = ssl->out_buf + 11;
        ssl->out_iv  = ssl->out_buf + 13;
        ssl->out_msg = ssl->out_buf + 13;
        ssl->in_hdr = ssl->in_buf;
        ssl->in_ctr = ssl->in_buf +  3;
        ssl->in_len = ssl->in_buf + 11;
        ssl->in_iv  = ssl->in_buf + 13;
        ssl->in_msg = ssl->in_buf + 13;
    }
    else
 #endif
    {
        ssl->out_ctr = ssl->out_buf;
        ssl->out_hdr = ssl->out_buf +  8;
        ssl->out_len = ssl->out_buf + 11;
        ssl->out_iv  = ssl->out_buf + 13;
        ssl->out_msg = ssl->out_buf + 13;
        ssl->in_ctr = ssl->in_buf;
        ssl->in_hdr = ssl->in_buf +  8;
        ssl->in_len = ssl->in_buf + 11;
        ssl->in_iv  = ssl->in_buf + 13;
        ssl->in_msg = ssl->in_buf + 13;
    }
    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
        return( ret );
@ -5140,72 +5171,13 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl )
 void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint )
 {
    ssl->conf->endpoint   = endpoint;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
    defined(MBEDTLS_SSL_CLI_C)
    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
    {
        ssl->conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
        ssl->conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
    }
 #endif
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
    if( endpoint == MBEDTLS_SSL_IS_SERVER )
        ssl->conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
 #endif
 }
 int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport )
 {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
    {
    ssl->conf->transport = transport;
        ssl->out_hdr = ssl->out_buf;
        ssl->out_ctr = ssl->out_buf +  3;
        ssl->out_len = ssl->out_buf + 11;
        ssl->out_iv  = ssl->out_buf + 13;
        ssl->out_msg = ssl->out_buf + 13;
        ssl->in_hdr = ssl->in_buf;
        ssl->in_ctr = ssl->in_buf +  3;
        ssl->in_len = ssl->in_buf + 11;
        ssl->in_iv  = ssl->in_buf + 13;
        ssl->in_msg = ssl->in_buf + 13;
        /* DTLS starts with TLS1.1 */
        if( ssl->conf->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
            ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
        if( ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
            ssl->conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
    return( 0 );
    }
 #endif
    if( transport == MBEDTLS_SSL_TRANSPORT_STREAM )
    {
        ssl->conf->transport = transport;
        ssl->out_ctr = ssl->out_buf;
        ssl->out_hdr = ssl->out_buf +  8;
        ssl->out_len = ssl->out_buf + 11;
        ssl->out_iv  = ssl->out_buf + 13;
        ssl->out_msg = ssl->out_buf + 13;
        ssl->in_ctr = ssl->in_buf;
        ssl->in_hdr = ssl->in_buf +  8;
        ssl->in_len = ssl->in_buf + 11;
        ssl->in_iv  = ssl->in_buf + 13;
        ssl->in_msg = ssl->in_buf + 13;
        return( 0 );
    }
    return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 }
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
@ -6641,17 +6613,42 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
 /*
 * Load default in mbetls_ssl_config
 */
-int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf )
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
                                 int endpoint, int transport )
 {
    int ret;
-    conf->transport = MBEDTLS_SSL_TRANSPORT_STREAM;
+    conf->endpoint  = endpoint;
    conf->transport = transport;
    conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
    conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
    conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
    conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
    {
        /* DTLS starts with TLS 1.1 */
        conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
    }
 #endif
 #if defined(MBEDTLS_SSL_CLI_C)
    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
    {
        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
 #endif
    }
 #endif
 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC)
    if( endpoint == MBEDTLS_SSL_IS_SERVER )
        conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
 #endif
    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@ -162,7 +162,9 @@ int main( int argc, char *argv[] )
    mbedtls_printf( "  . Setting up the DTLS structure..." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                   MBEDTLS_SSL_IS_CLIENT,
                   MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
@ -176,9 +178,6 @@ int main( int argc, char *argv[] )
    mbedtls_printf( " ok\n" );
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
    mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM );
    /* OPTIONAL is usually a bad choice for security, but makes interop easier
     * in this simplified example, in which the ca chain is hardcoded.
     * Production code should set a proper ca chain and use REQUIRED. */
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@ -192,7 +192,9 @@ int main( void )
    printf( "  . Setting up the DTLS data..." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
                    MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
@ -204,8 +206,6 @@ int main( void )
        goto exit;
    }
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
    mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM );
    mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
    mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@ -188,7 +188,9 @@ int main( void )
        goto exit;
    }
-    if( mbedtls_ssl_config_defaults( &conf ) != 0 )
+    if( mbedtls_ssl_config_defaults( &conf,
                MBEDTLS_SSL_IS_CLIENT,
                MBEDTLS_SSL_TRANSPORT_STREAM) != 0 )
    {
        ret = ssl_config_defaults_failed;
        goto exit;
@ -200,8 +202,6 @@ int main( void )
        goto exit;
    }
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
    mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@ -150,7 +150,9 @@ int main( void )
    mbedtls_printf( "  . Setting up the SSL/TLS structure..." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
@ -164,7 +166,6 @@ int main( void )
    mbedtls_printf( " ok\n" );
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
    /* OPTIONAL is not optimal for security,
     * but makes interop easier in this simplified example */
    mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL );
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1049,7 +1049,9 @@ int main( int argc, char *argv[] )
    mbedtls_printf( "  . Setting up the SSL/TLS structure..." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
                    opt.transport ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
        goto exit;
@ -1066,17 +1068,10 @@ int main( int argc, char *argv[] )
        mbedtls_ssl_set_verify( &ssl, my_verify, NULL );
 #endif
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
    if( opt.auth_mode != DFL_AUTH_MODE )
        mbedtls_ssl_set_authmode( &ssl, opt.auth_mode );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! selected transport is not available\n" );
        goto exit;
    }
    if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
        mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@ -249,7 +249,9 @@ int main( void )
            goto exit;
        }
-        if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+        if( ( ret = mbedtls_ssl_config_defaults( &conf,
                        MBEDTLS_SSL_IS_SERVER,
                        MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
            goto exit;
@ -263,7 +265,6 @@ int main( void )
        mbedtls_printf( " ok\n" );
        mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
        mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
        mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -584,7 +584,9 @@ int main( int argc, char *argv[] )
    mbedtls_printf( "  . Setting up the SSL/TLS structure..." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
@ -598,7 +600,6 @@ int main( int argc, char *argv[] )
    mbedtls_printf( " ok\n" );
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
    /* OPTIONAL is not optimal for security,
     * but makes interop easier in this simplified example */
    mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL );
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@ -160,7 +160,9 @@ static void *handle_ssl_connection( void *data )
     */
    mbedtls_printf( "  [ #%d ]  Setting up the SSL data....\n", thread_id );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
    {
        mbedtls_printf( "  [ #%d ]  failed: mbedtls_ssl_config_defaults returned -0x%04x\n",
                thread_id, -ret );
@ -174,7 +176,6 @@ static void *handle_ssl_connection( void *data )
        goto thread_exit;
    }
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
    mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
    mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@ -191,7 +191,9 @@ int main( void )
    mbedtls_printf( "  . Setting up the SSL data...." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
@ -203,7 +205,6 @@ int main( void )
        goto exit;
    }
    mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER );
    mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE );
    mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg );
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -1520,7 +1520,9 @@ int main( int argc, char *argv[] )
    mbedtls_printf( "  . Setting up the SSL/TLS structure..." );
    fflush( stdout );
-    if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
                    opt.transport ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
        goto exit;
@ -1537,12 +1539,6 @@ int main( int argc, char *argv[] )
        mbedtls_ssl_set_authmode( &ssl, opt.auth_mode );
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! selected transport is not available\n" );
        goto exit;
    }
    if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
        mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@ -396,7 +396,9 @@ int main( int argc, char *argv[] )
        /*
         * 3. Setup stuff
         */
-        if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 )
+        if( ( ret = mbedtls_ssl_config_defaults( &conf,
                        MBEDTLS_SSL_IS_CLIENT,
                        MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
            goto exit;
@ -408,7 +410,6 @@ int main( int argc, char *argv[] )
            goto ssl_exit;
        }
        mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT );
        if( verify )
        {
            mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED );
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -17,9 +17,10 @@ void ssl_dtls_replay( char *prevs, char *new, int ret )
    mbedtls_ssl_init( &ssl );
    mbedtls_ssl_config_init( &conf );
-    TEST_ASSERT( mbedtls_ssl_config_defaults( &conf ) == 0 );
+    TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
                 MBEDTLS_SSL_IS_CLIENT,
                 MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 );
    TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
    TEST_ASSERT( mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 );
    /* Read previous record numbers */
    for( ; end_prevs - prevs >= 13; prevs += 13 )