yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-30 09:16:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'restricted/pr/594' into baremetal-proposed

Browse source 
* restricted/pr/594:
  Adapt baremetal.h and baremetal.sh
  Don't incl. CAs in CertReq message in baremetal build
  Allow config'n of incl of CertificateReq CA list Y/N at compile-time
  Allow configuration of endpoint (cli/srv) at compile-time
  Allow configuration of read timeouts at compile-time
  Allow configuration of ConnectionID at compile-time
  Allow compile-time configuration of legacy renegotiation
  Allow compile-time configuration of authentication mode
  Allow compile-time configuration of DTLS badmac limit
  Allow compile-time configuration of DTLS anti replay
This commit is contained in:
Manuel Pégourié-Gonnard 2019-07-03 10:22:28 +02:00
parent 37261e6f6b 3b876acff4
commit 44ba6b0d26
13 changed files with 709 additions and 109 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
configs/baremetal.h
View file

@ -82,6 +82,17 @@
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
/* Compile-time fixed parts of the SSL configuration */
#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN 1000
#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX 16000
#define MBEDTLS_SSL_CONF_CID_LEN 2
#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \
MBEDTLS_SSL_SECURE_RENEGOTIATION
#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
MBEDTLS_SSL_EXTENDED_MS_ENABLED
#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \

14
include/mbedtls/check_config.h
View file

@ -631,6 +631,20 @@
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
#endif
#if ( defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) || \
( !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) )
#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously"
#endif
#if ( defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) && \
!defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) ) || \
( !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) && \
defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) )
#error "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN and MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX must be defined simultaneously"
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"

20
include/mbedtls/config.h
View file

@ -3551,6 +3551,26 @@
* \{
*/
//#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
//#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
/* Timeout */
//#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
/* Endpoint (Client/Server) */
//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT
//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
/* DTLS-specific settings */
//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
//#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
//#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
//#define MBEDTLS_SSL_CONF_CID_LEN 0
//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
/* ExtendedMasterSecret extension
* The following two options must be set/unset simultaneously. */
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED

83
include/mbedtls/ssl.h
View file

@ -959,7 +959,9 @@ struct mbedtls_ssl_config
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
size_t cid_len; /*!< The length of CIDs for incoming DTLS records. */
#endif /* !MBEDTLS_SSL_CONF_CID_LEN */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -1015,14 +1017,20 @@ struct mbedtls_ssl_config
* Numerical settings (int then char)
*/
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read (ms) */
#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
uint32_t hs_timeout_min; /*!< initial value of the handshake
retransmission timeout (ms) */
#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
uint32_t hs_timeout_max; /*!< maximum value of the handshake
retransmission timeout (ms) */
#endif
#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int renego_max_records; /*!< grace period for renegotiation */
@ -1031,7 +1039,9 @@ struct mbedtls_ssl_config
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
unsigned int badmac_limit; /*!< limit of records with a bad MAC */
#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
@ -1047,11 +1057,17 @@ struct mbedtls_ssl_config
* Flags (bitfields)
*/
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
unsigned int endpoint : 1; /*!< 0: client, 1: server */
#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
/* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */
unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_ARC4_C)
unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */
#endif
@ -1072,8 +1088,10 @@ struct mbedtls_ssl_config
#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
#endif
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
unsigned int anti_replay : 1; /*!< detect and prevent replay? */
#endif
#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */
#endif
@ -1090,13 +1108,17 @@ struct mbedtls_ssl_config
unsigned int fallback : 1; /*!< is this a fallback? */
#endif
#if defined(MBEDTLS_SSL_SRV_C)
#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
* record with unexpected CID
* should lead to failure. */
#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
};
@ -1365,13 +1387,18 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
*/
int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
/**
* \brief Set the current endpoint type
*
* \note On constrained systems, this can also be configured
* at compile-time via MBEDTLS_SSL_CONF_ENDPOINT.
*
* \param conf SSL configuration
* \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
*/
void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
/**
* \brief Set the transport type (TLS or DTLS).
@ -1682,6 +1709,7 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
/**
* \brief Set the timeout period for mbedtls_ssl_read()
* (Default: no timeout.)
@ -1695,10 +1723,14 @@ void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
* With non-blocking I/O, this will only work if timer
* callbacks were set with \c mbedtls_ssl_set_timer_cb().
*
* \note On constrained systems, this option can also be configured
* at compile-time via MBEDTLS_SSL_CONF_READ_TIMEOUT.
*
* \note With non-blocking I/O, you may also skip this function
* altogether and handle timeouts at the application layer.
*/
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
/**
* \brief Set the timer callbacks (Mandatory for DTLS.)
@ -2018,14 +2050,16 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
!defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
/**
* \brief Enable or disable anti-replay protection for DTLS.
* (DTLS only, no effect on TLS.)
* Default: enabled.
*
* \param conf SSL configuration
* \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
* \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or
* MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
*
* \warning Disabling this is a security risk unless the application
* protocol handles duplicated packets in a safe way. You
@ -2033,11 +2067,16 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
* However, if your application already detects duplicated
* packets and needs information about them to adjust its
* transmission strategy, then you'll want to disable this.
*
* \note On constrained systems, this option can also be
* fixed at compile-time by defining the constant
* MBEDTLS_SSL_CONF_ANTI_REPLAY.
*/
void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
!defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
/**
* \brief Set a limit on the number of records with a bad MAC
* before terminating the connection.
@ -2060,9 +2099,13 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
* connection. On the other hand, a high limit or no limit
* might make us waste resources checking authentication on
* many bogus packets.
*
* \note On constrained systems, this option can also be
* fixed at compile-time by defining the constant
* MBEDTLS_SSL_CONF_BADMAC_LIMIT.
*/
void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -2295,9 +2338,11 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
/**
* \brief Specify the length of Connection IDs for incoming
* encrypted DTLS records, as well as the behaviour
@ -2326,13 +2371,19 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
* same SSL configuration; this allows simpler parsing of
* record headers.
*
* \note On constrained systems, this configuration can also be
* fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and
* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
* is too large.
*/
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
int ignore_other_cids );
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
/**
* \brief Set the list of allowed ciphersuites and the
@ -2918,19 +2969,22 @@ void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
#endif /* MBEDTLS_ARC4_C */
#if defined(MBEDTLS_SSL_SRV_C)
#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
/**
* \brief Whether to send a list of acceptable CAs in
* CertificateRequest messages.
* (Default: do send)
*
* \note On constrained systems, this options can also be configured
* at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST.
*
* \param conf SSL configuration
* \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
* MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
*/
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list );
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
@ -3032,6 +3086,7 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
#endif /* MBEDTLS_SSL_RENEGOTIATION */
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
/**
* \brief Prevent or allow legacy renegotiation.
* (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
@ -3058,8 +3113,14 @@ void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation
* \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
* SSL_ALLOW_LEGACY_RENEGOTIATION or
* MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
*
*
* \note On constrained systems, this option can also be
* fixed at compile-time by defining the constant
* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION.
*/
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
/**

175
include/mbedtls/ssl_internal.h
View file

@ -1114,6 +1114,181 @@ static inline int mbedtls_ssl_get_renego_status(
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
*/
#if defined(MBEDTLS_SSL_SRV_C)
#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
mbedtls_ssl_config const *conf )
{
return( conf->cert_req_ca_list );
}
#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
}
#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#endif /* MBEDTLS_SSL_SRV_C */
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
static inline unsigned int mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_config const *conf )
{
return( conf->endpoint );
}
#else /* !MBEDTLS_SSL_CONF_ENDPOINT */
static inline unsigned int mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_ENDPOINT );
}
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
static inline uint32_t mbedtls_ssl_conf_get_read_timeout(
mbedtls_ssl_config const *conf )
{
return( conf->read_timeout );
}
#else /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
static inline uint32_t mbedtls_ssl_conf_get_read_timeout(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_READ_TIMEOUT );
}
#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_min(
mbedtls_ssl_config const *conf )
{
return( conf->hs_timeout_min );
}
#else /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_min(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN );
}
#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_max(
mbedtls_ssl_config const *conf )
{
return( conf->hs_timeout_max );
}
#else /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_max(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX );
}
#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
static inline size_t mbedtls_ssl_conf_get_cid_len(
mbedtls_ssl_config const *conf )
{
return( conf->cid_len );
}
#else /* !MBEDTLS_SSL_CONF_CID_LEN */
static inline size_t mbedtls_ssl_conf_get_cid_len(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_CID_LEN );
}
#endif /* MBEDTLS_SSL_CONF_CID_LEN */
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
mbedtls_ssl_config const *conf )
{
return( conf->ignore_unexpected_cid );
}
#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
}
#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
mbedtls_ssl_config const *conf )
{
return( conf->allow_legacy_renegotiation );
}
#else /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
}
#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
static inline int mbedtls_ssl_conf_get_authmode(
mbedtls_ssl_config const *conf )
{
return( conf->authmode );
}
#else /* !MBEDTLS_SSL_CONF_AUTHMODE */
static inline int mbedtls_ssl_conf_get_authmode(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_AUTHMODE );
}
#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
static inline unsigned int mbedtls_ssl_conf_get_badmac_limit(
mbedtls_ssl_config const *conf )
{
return( conf->badmac_limit );
}
#else /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
static inline unsigned int mbedtls_ssl_conf_get_badmac_limit(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_BADMAC_LIMIT );
}
#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
static inline unsigned int mbedtls_ssl_conf_get_anti_replay(
mbedtls_ssl_config const *conf )
{
return( conf->anti_replay );
}
#else /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
static inline unsigned int mbedtls_ssl_conf_get_anti_replay(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_ANTI_REPLAY );
}
#endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
static inline unsigned int mbedtls_ssl_conf_get_ems(
mbedtls_ssl_config const *conf )

6
library/ssl_cli.c
View file

@ -2073,7 +2073,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
* Renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
@ -2088,7 +2089,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;

16
library/ssl_srv.c
View file

@ -55,7 +55,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
const unsigned char *info,
size_t ilen )
{
if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_SERVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
mbedtls_free( ssl->cli_id );
@ -1281,7 +1281,8 @@ have_ciphersuite_v2:
* SSLv2 Client Hello relevant renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@ -2048,7 +2049,8 @@ read_record_header:
* Renegotiation security checks
*/
if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
@ -2063,7 +2065,8 @@ read_record_header:
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf )
== MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;
@ -2894,7 +2897,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
authmode = ssl->handshake->sni_authmode;
else
#endif
authmode = ssl->conf->authmode;
authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
authmode == MBEDTLS_SSL_VERIFY_NONE )
@ -2990,7 +2993,8 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
total_dn_size = 0;
if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
if( mbedtls_ssl_conf_get_cert_req_ca_list( ssl->conf )
== MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
{
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )

229
library/ssl_tls.c
View file

@ -117,6 +117,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
/* Top-level Connection ID API */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
size_t len,
int ignore_other_cid )
@ -134,6 +137,21 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
conf->cid_len = len;
return( 0 );
}
#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX
#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN"
#endif
#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \
MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL
#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID"
#endif
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
int enable,
@ -152,11 +170,11 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
if( own_cid_len != ssl->conf->cid_len )
if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
(unsigned) own_cid_len,
(unsigned) ssl->conf->cid_len ) );
(unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@ -300,8 +318,11 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
{
uint32_t new_timeout;
if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
if( ssl->handshake->retransmit_timeout >=
mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) )
{
return( -1 );
}
/* Implement the final paragraph of RFC 6347 section 4.1.1.1
* in the following way: after the initial transmission and a first
@ -309,7 +330,8 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
* This value is guaranteed to be deliverable (if not guaranteed to be
* delivered) of any compliant IPv4 (and IPv6) network, and should work
* on most non-IP stacks too. */
if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
if( ssl->handshake->retransmit_timeout !=
mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ) )
{
ssl->handshake->mtu = 508;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
@ -319,9 +341,9 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
/* Avoid arithmetic overflow and range overflow */
if( new_timeout < ssl->handshake->retransmit_timeout ||
new_timeout > ssl->conf->hs_timeout_max )
new_timeout > mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) )
{
new_timeout = ssl->conf->hs_timeout_max;
new_timeout = mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf );
}
ssl->handshake->retransmit_timeout = new_timeout;
@ -333,7 +355,7 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
{
ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
ssl->handshake->retransmit_timeout = mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
ssl->handshake->retransmit_timeout ) );
}
@ -1368,7 +1390,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
ssl->minor_ver,
ssl->conf->endpoint,
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
ssl );
if( ret != 0 )
{
@ -2995,7 +3017,9 @@ static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
* timeout if we were using the usual handshake doubling scheme */
if( ssl->conf->renego_max_records < 0 )
{
uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
uint32_t ratio =
mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) /
mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ) + 1;
unsigned char doublings = 1;
while( ratio != 0 )
@ -3136,7 +3160,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
timeout = ssl->handshake->retransmit_timeout;
else
timeout = ssl->conf->read_timeout;
timeout = mbedtls_ssl_conf_get_read_timeout( ssl->conf );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
@ -3174,7 +3198,8 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
return( MBEDTLS_ERR_SSL_WANT_READ );
}
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
else if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
@ -3211,8 +3236,8 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
if( ssl->f_recv_timeout != NULL )
{
ret = ssl->f_recv_timeout( ssl->p_bio,
ssl->in_hdr + ssl->in_left, len,
ssl->conf->read_timeout );
ssl->in_hdr + ssl->in_left, len,
mbedtls_ssl_conf_get_read_timeout( ssl->conf ) );
}
else
{
@ -3700,7 +3725,8 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ) )
#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@ -4324,8 +4350,11 @@ int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
uint64_t bit;
if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) ==
MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
{
return( 0 );
}
if( rec_seqnum > ssl->in_window_top )
return( 0 );
@ -4348,8 +4377,11 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
{
uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) ==
MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
{
return;
}
if( rec_seqnum > ssl->in_window_top )
{
@ -4613,7 +4645,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_CID &&
ssl->conf->cid_len != 0 )
mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 )
{
/* Shift pointers to account for record header including CID
* struct {
@ -4630,7 +4662,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
/* So far, we only support static CID lengths
* fixed in the configuration. */
ssl->in_len = ssl->in_cid + ssl->conf->cid_len;
ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf );
ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
}
else
@ -4726,7 +4758,8 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
* have an active transform (possibly iv_len != 0), so use the
* fact that the record header len is 13 instead.
*/
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
rec_epoch == 0 &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
@ -4859,8 +4892,8 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf )
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
@ -5776,8 +5809,8 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
}
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
if( ssl->conf->badmac_limit != 0 &&
++ssl->badmac_seen >= ssl->conf->badmac_limit )
if( mbedtls_ssl_conf_get_badmac_limit( ssl->conf ) != 0 &&
++ssl->badmac_seen >= mbedtls_ssl_conf_get_badmac_limit( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
@ -5909,7 +5942,8 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
{
@ -6076,7 +6110,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
}
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT )
{
if( ssl->client_auth == 0 )
{
@ -6105,7 +6140,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
}
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{
if( mbedtls_ssl_own_cert( ssl ) == NULL )
{
@ -6309,7 +6344,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
/* Check if we're handling the first CRT in the chain. */
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
if( crt_cnt++ == 0 &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
{
/* During client-side renegotiation, check that the server's
@ -6375,7 +6411,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_SRV_C)
static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
{
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
return( -1 );
#if defined(MBEDTLS_SSL_PROTO_SSL3)
@ -6433,7 +6469,7 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
return( SSL_CERTIFICATE_SKIP );
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
return( SSL_CERTIFICATE_SKIP );
@ -6532,11 +6568,11 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_ECP_C */
ret = mbedtls_ssl_check_cert_usage( chain,
ciphersuite_info,
! ssl->conf->endpoint,
&ssl->session_negotiate->verify_result );
if( ret != 0 )
if( mbedtls_ssl_check_cert_usage( chain,
ciphersuite_info,
( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ),
&ssl->session_negotiate->verify_result ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( verify_ret == 0 )
@ -6672,9 +6708,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
? ssl->handshake->sni_authmode
: ssl->conf->authmode;
: mbedtls_ssl_conf_get_authmode( ssl->conf );
#else
const int authmode = ssl->conf->authmode;
const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
#endif
void *rs_ctx = NULL;
mbedtls_x509_crt *chain = NULL;
@ -7355,7 +7391,8 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
ssl_update_out_pointers( ssl, ssl->transform_negotiate );
ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
ssl->handshake->calc_finished( ssl, ssl->out_msg + 4,
mbedtls_ssl_conf_get_endpoint( ssl->conf ) );
/*
* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
@ -7382,12 +7419,18 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
if( ssl->handshake->resume != 0 )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT )
{
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER )
{
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
}
#endif
}
else
@ -7485,7 +7528,8 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
ssl->handshake->calc_finished( ssl, buf,
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ^ 1 );
if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
{
@ -7536,11 +7580,11 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
if( ssl->handshake->resume != 0 )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
#endif
}
@ -7690,7 +7734,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
{
ssl->handshake->alt_transform_out = ssl->transform_out;
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
else
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
@ -8062,29 +8106,34 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
/*
* SSL set accessors
*/
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
{
conf->endpoint = endpoint;
}
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
{
conf->transport = transport;
}
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
!defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
{
conf->anti_replay = mode;
conf->anti_replay = mode;
}
#endif
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
!defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf,
unsigned limit )
{
conf->badmac_limit = limit;
}
#endif
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -8094,17 +8143,36 @@ void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
ssl->disable_datagram_packing = !allow_packing;
}
#if !( defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) && \
defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) )
void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
uint32_t min, uint32_t max )
{
conf->hs_timeout_min = min;
conf->hs_timeout_max = max;
}
#endif
#else /* !( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN &&
MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX ) */
void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
uint32_t min, uint32_t max )
{
((void) conf);
((void) min);
((void) max);
}
#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN &&
MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
{
conf->authmode = authmode;
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
conf->authmode = authmode;
#else
((void) conf);
((void) authmode);
#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -8152,10 +8220,12 @@ void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
}
#endif
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
{
conf->read_timeout = timeout;
}
#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
void *p_timer,
@ -8190,7 +8260,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
if( ssl == NULL ||
session == NULL ||
ssl->session_negotiate == NULL ||
ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@ -8318,7 +8388,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
if( ssl->handshake == NULL || ssl->conf == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
role = MBEDTLS_ECJPAKE_SERVER;
else
role = MBEDTLS_ECJPAKE_CLIENT;
@ -8612,7 +8682,7 @@ void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list )
{
@ -8679,10 +8749,12 @@ void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split
}
#endif
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
{
conf->allow_legacy_renegotiation = allow_legacy;
}
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
@ -8986,7 +9058,7 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
{
/* Return unlimited mtu for client hello messages to avoid fragmentation. */
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT &&
( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
return ( 0 );
@ -9068,7 +9140,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
if( ssl == NULL ||
dst == NULL ||
ssl->session == NULL ||
ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@ -9652,11 +9724,11 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ret = mbedtls_ssl_handshake_client_step( ssl );
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
ret = mbedtls_ssl_handshake_server_step( ssl );
#endif
@ -9739,10 +9811,15 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER )
{
ssl->handshake->out_msg_seq = 1;
}
else
{
ssl->handshake->in_msg_seq = 1;
}
}
#endif
@ -9773,7 +9850,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_SRV_C)
/* On server, just send the request */
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -9916,7 +9993,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
if( ssl->f_get_timer != NULL &&
ssl->f_get_timer( ssl->p_timer ) == -1 )
{
ssl_set_timer( ssl, ssl->conf->read_timeout );
ssl_set_timer( ssl,
mbedtls_ssl_conf_get_read_timeout( ssl->conf ) );
}
if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
@ -9955,7 +10033,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
*/
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT &&
( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
{
@ -9978,7 +10057,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
@ -10003,7 +10083,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
/* Determine whether renegotiation attempt should be accepted */
if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
ssl->conf->allow_legacy_renegotiation ==
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
{
/*
@ -10013,7 +10093,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
/* DTLS clients need to know renego is server-initiated */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT )
{
ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
}
@ -10126,7 +10207,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
* Do it now, after setting in_offt, to avoid taking this branch
* again if ssl_write_hello_request() returns WANT_WRITE */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{
if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
@ -10722,7 +10804,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_SSL_CLI_C)
if( endpoint == MBEDTLS_SSL_IS_CLIENT )
{
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
#endif
@ -10756,18 +10840,25 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->f_cookie_check = ssl_cookie_check_dummy;
#endif
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
!defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
#endif
#if defined(MBEDTLS_SSL_SRV_C)
#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
#endif
#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
#endif
#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;

88
programs/ssl/query_config.c
View file

@ -2610,6 +2610,94 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
#if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_CONF_AUTHMODE)
if( strcmp( "MBEDTLS_SSL_CONF_AUTHMODE", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_AUTHMODE );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
#if defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
if( strcmp( "MBEDTLS_SSL_CONF_READ_TIMEOUT", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_READ_TIMEOUT );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_CONF_ENDPOINT)
if( strcmp( "MBEDTLS_SSL_CONF_ENDPOINT", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ENDPOINT );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
#if defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
if( strcmp( "MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */
#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX)
if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */
#if defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
if( strcmp( "MBEDTLS_SSL_CONF_ANTI_REPLAY", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ANTI_REPLAY );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */
#if defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
if( strcmp( "MBEDTLS_SSL_CONF_BADMAC_LIMIT", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_BADMAC_LIMIT );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
#if defined(MBEDTLS_SSL_CONF_CID_LEN)
if( strcmp( "MBEDTLS_SSL_CONF_CID_LEN", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CID_LEN );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_CID_LEN */
#if defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( strcmp( "MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
{

46
programs/ssl/ssl_client2.c
View file

@ -293,6 +293,27 @@ int main( void )
#define USAGE_SERIALIZATION ""
#endif
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
#define USAGE_AUTH_MODE \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n"
#else
#define USAGE_AUTH_MODE ""
#endif
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
#define USAGE_ALLOW_LEGACY_RENEGO " allow_legacy=%%d default: (library default: no)\n"
#else
#define USAGE_ALLOW_LEGACY_RENEGO ""
#endif
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
#define USAGE_READ_TIMEOUT \
" read_timeout=%%d default: 0 ms (no timeout)\n"
#else
#define USAGE_READ_TIMEOUT ""
#endif
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@ -311,21 +332,20 @@ int main( void )
" options: 1 (non-blocking), 2 (added delays)\n" \
" event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \
" read_timeout=%%d default: 0 ms (no timeout)\n" \
USAGE_READ_TIMEOUT \
" max_resend=%%d default: 0 (no resend on timeout)\n" \
"\n" \
USAGE_DTLS \
USAGE_CID \
"\n" \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
USAGE_AUTH_MODE \
USAGE_IO \
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
USAGE_ECRESTART \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_ALLOW_LEGACY_RENEGO \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
" reconnect=%%d number of reconnections using session resumption\n" \
@ -908,8 +928,10 @@ int main( int argc, char *argv[] )
if( opt.event < 0 || opt.event > 2 )
goto usage;
}
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
else if( strcmp( p, "read_timeout" ) == 0 )
opt.read_timeout = atoi( q );
#endif
else if( strcmp( p, "max_resend" ) == 0 )
{
opt.max_resend = atoi( q );
@ -980,6 +1002,7 @@ int main( int argc, char *argv[] )
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
}
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
else if( strcmp( p, "allow_legacy" ) == 0 )
{
switch( atoi( q ) )
@ -996,6 +1019,7 @@ int main( int argc, char *argv[] )
default: goto usage;
}
}
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
@ -1175,6 +1199,7 @@ int main( int argc, char *argv[] )
else
goto usage;
}
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( strcmp( q, "none" ) == 0 )
@ -1186,6 +1211,7 @@ int main( int argc, char *argv[] )
else
goto usage;
}
#endif
else if( strcmp( p, "max_frag_len" ) == 0 )
{
if( strcmp( q, "512" ) == 0 )
@ -1655,7 +1681,9 @@ int main( int argc, char *argv[] )
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{
if( opt.cid_enabled == 1 &&
@ -1680,7 +1708,9 @@ int main( int argc, char *argv[] )
goto exit;
}
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
@ -1748,7 +1778,9 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_session_tickets( &conf, opt.tickets );
@ -1762,8 +1794,10 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
#endif
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
#endif

80
programs/ssl/ssl_server2.c
View file

@ -317,14 +317,16 @@ int main( void )
#define USAGE_COOKIES ""
#endif
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
!defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
#define USAGE_ANTI_REPLAY \
" anti_replay=0/1 default: (library default: enabled)\n"
#else
#define USAGE_ANTI_REPLAY ""
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
!defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
#define USAGE_BADMAC_LIMIT \
" badmac_limit=%%d default: (library default: disabled)\n"
#else
@ -398,6 +400,36 @@ int main( void )
#define USAGE_SERIALIZATION ""
#endif
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
#define USAGE_AUTH_MODE \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n"
#else
#define USAGE_AUTH_MODE ""
#endif
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
#define USAGE_ALLOW_LEGACY_RENEGO \
" allow_legacy=%%d default: (library default: no)\n"
#else
#define USAGE_ALLOW_LEGACY_RENEGO ""
#endif
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
#define USAGE_READ_TIMEOUT \
" read_timeout=%%d default: 0 ms (no timeout)\n"
#else
#define USAGE_READ_TIMEOUT ""
#endif
#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
#define USAGE_CERT_REQ_CA_LIST \
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
" options: 1 (send ca list), 0 (don't send)\n"
#else
#define USAGE_CERT_REQ_CA_LIST ""
#endif
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@ -413,17 +445,15 @@ int main( void )
" options: 1 (non-blocking), 2 (added delays)\n" \
" event=%%d default: 0 (loop)\n" \
" options: 1 (level-triggered, implies nbio=1),\n" \
" read_timeout=%%d default: 0 ms (no timeout)\n" \
USAGE_READ_TIMEOUT \
"\n" \
USAGE_DTLS \
USAGE_COOKIES \
USAGE_ANTI_REPLAY \
USAGE_BADMAC_LIMIT \
"\n" \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
" options: 1 (send ca list), 0 (don't send)\n" \
USAGE_AUTH_MODE \
USAGE_CERT_REQ_CA_LIST \
USAGE_IO \
USAGE_SSL_ASYNC \
USAGE_SNI \
@ -431,7 +461,7 @@ int main( void )
USAGE_PSK \
USAGE_ECJPAKE \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_ALLOW_LEGACY_RENEGO \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
"\n" \
@ -617,6 +647,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
return( ret );
}
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
/*
* Return authmode from string, or -1 on error
*/
@ -631,6 +662,7 @@ static int get_auth_mode( const char *s )
return( -1 );
}
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
/*
* Used by sni_parse and psk_parse to handle coma-separated lists
@ -1572,8 +1604,10 @@ int main( int argc, char *argv[] )
if( opt.event < 0 || opt.event > 2 )
goto usage;
}
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
else if( strcmp( p, "read_timeout" ) == 0 )
opt.read_timeout = atoi( q );
#endif
else if( strcmp( p, "buffer_size" ) == 0 )
{
opt.buffer_size = atoi( q );
@ -1672,6 +1706,7 @@ int main( int argc, char *argv[] )
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
}
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
else if( strcmp( p, "allow_legacy" ) == 0 )
{
switch( atoi( q ) )
@ -1688,6 +1723,7 @@ int main( int argc, char *argv[] )
default: goto usage;
}
}
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
else if( strcmp( p, "renegotiate" ) == 0 )
{
opt.renegotiate = atoi( q );
@ -1800,11 +1836,13 @@ int main( int argc, char *argv[] )
else
goto usage;
}
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
else if( strcmp( p, "auth_mode" ) == 0 )
{
if( ( opt.auth_mode = get_auth_mode( q ) ) < 0 )
goto usage;
}
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
else if( strcmp( p, "cert_req_ca_list" ) == 0 )
{
opt.cert_req_ca_list = atoi( q );
@ -1904,18 +1942,22 @@ int main( int argc, char *argv[] )
if( opt.cookies < -1 || opt.cookies > 1)
goto usage;
}
#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
else if( strcmp( p, "anti_replay" ) == 0 )
{
opt.anti_replay = atoi( q );
if( opt.anti_replay < 0 || opt.anti_replay > 1)
goto usage;
}
#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */
#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
else if( strcmp( p, "badmac_limit" ) == 0 )
{
opt.badmac_limit = atoi( q );
if( opt.badmac_limit < 0 )
goto usage;
}
#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */
else if( strcmp( p, "hs_timeout" ) == 0 )
{
if( ( p = strchr( q, '-' ) ) == NULL )
@ -2454,11 +2496,15 @@ int main( int argc, char *argv[] )
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
@ -2476,7 +2522,9 @@ int main( int argc, char *argv[] )
};
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
{
if( opt.cid_enabled == 1 &&
@ -2501,7 +2549,9 @@ int main( int argc, char *argv[] )
goto exit;
}
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
!MBEDTLS_SSL_CONF_CID_LEN &&
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
@ -2597,12 +2647,14 @@ int main( int argc, char *argv[] )
; /* Nothing to do */
}
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
!defined(MBEDTLS_SSL_CONF_ANTI_REPLAY)
if( opt.anti_replay != DFL_ANTI_REPLAY )
mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay );
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
!defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT)
if( opt.badmac_limit != DFL_BADMAC_LIMIT )
mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit );
#endif
@ -2633,8 +2685,10 @@ int main( int argc, char *argv[] )
MBEDTLS_SSL_MINOR_VERSION_3 );
}
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
@ -2908,7 +2962,9 @@ reset:
goto exit;
}
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout );
#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )

6
scripts/baremetal.sh
View file

@ -213,7 +213,8 @@ baremetal_ram_heap() {
: ${CLI:=./programs/ssl/ssl_client2}
: ${CLI_PARAMS:="dtls=1 cid=1 cid_val=beef"}
: ${SRV:=./programs/ssl/ssl_server2}
: ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required cid=1 cid_val=dead"}
: ${SRV_PARAMS:="dtls=1 cid=1 cid_val=dead"} # renegotiation=1 auth_mode=required implicit
# compile-time hardcoding of configuration
: ${VALGRIND:=valgrind}
: ${VALGRIND_MASSIF_PARAMS="--time-unit=B --threshold=0.01 --detailed-freq=1"}
@ -271,7 +272,8 @@ baremetal_ram_stack() {
: ${CLI:=./programs/ssl/ssl_client2}
: ${CLI_PARAMS:="dtls=1"}
: ${SRV:=./programs/ssl/ssl_server2}
: ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required"}
: ${SRV_PARAMS:="dtls=1"} # renegotiation=1 auth_mode=required implicit
# compile-time hardcoding of configuration
: ${VALGRIND:=valgrind}
: ${VALGRIND_CALLGRIND_PARAMS:="--separate-callers=100"}

44
tests/ssl-opt.sh
View file

@ -529,6 +529,34 @@ check_cmdline_param_compat() {
fi
}
check_cmdline_authmode_compat() {
__VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )"
if [ ! -z "$__VAL" ]; then
extract_cmdline_argument "auth_mode"
if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then
SKIP_NEXT="YES";
elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then
SKIP_NEXT="YES"
elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then
SKIP_NEXT="YES"
fi
fi
}
check_cmdline_legacy_renego_compat() {
__VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
if [ ! -z "$__VAL" ]; then
extract_cmdline_argument "allow_legacy"
if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
SKIP_NEXT="YES";
elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
SKIP_NEXT="YES"
elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
SKIP_NEXT="YES"
fi
fi
}
# Go through all options that can be hardcoded at compile-time and
# detect whether the command line configures them in a conflicting
# way. If so, skip the test. Otherwise, remove the corresponding
@ -544,6 +572,20 @@ check_cmdline_compat() {
"MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
check_cmdline_param_compat "enforce_extended_master_secret" \
"MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
# DTLS anti replay protection configuration
check_cmdline_param_compat "anti_replay" \
"MBEDTLS_SSL_CONF_ANTI_REPLAY"
# DTLS bad MAC limit
check_cmdline_param_compat "badmac_limit" \
"MBEDTLS_SSL_CONF_BADMAC_LIMIT"
# Authentication mode
check_cmdline_authmode_compat
# Legacy renegotiation
check_cmdline_legacy_renego_compat
}
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
@ -7740,7 +7782,7 @@ run_test "DTLS proxy: reference" \
not_with_valgrind # spurious resend due to timeout
run_test "DTLS proxy: duplicate every packet" \
-p "$P_PXY duplicate=1" \
"$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
"$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \
"$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
0 \
-c "replayed record" \