diff --git a/configs/baremetal.h b/configs/baremetal.h index 60b7f0aeb..7ff7b07c9 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -82,6 +82,17 @@ #define MBEDTLS_SSL_DTLS_CONNECTION_ID /* Compile-time fixed parts of the SSL configuration */ +#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED +#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0 +#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN 1000 +#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX 16000 +#define MBEDTLS_SSL_CONF_CID_LEN 2 +#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE +#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \ + MBEDTLS_SSL_SECURE_RENEGOTIATION +#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED +#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0 +#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED #define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \ MBEDTLS_SSL_EXTENDED_MS_ENABLED #define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 86f11ed3b..61ca0b1c2 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -631,6 +631,20 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif +#if ( defined(MBEDTLS_SSL_CONF_CID_LEN) && \ + !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) || \ + ( !defined(MBEDTLS_SSL_CONF_CID_LEN) && \ + defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) +#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously" +#endif + +#if ( defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) && \ + !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) ) || \ + ( !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) && \ + defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) ) +#error "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN and MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX must be defined simultaneously" +#endif + #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) ) #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index a1c6fde7b..96a877b2c 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3551,6 +3551,26 @@ * \{ */ +//#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION + +//#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED + +/* Timeout */ +//#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0 + +/* Endpoint (Client/Server) */ +//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT + +//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED + +/* DTLS-specific settings */ +//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN +//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX +//#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED +//#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0 +//#define MBEDTLS_SSL_CONF_CID_LEN 0 +//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE + /* ExtendedMasterSecret extension * The following two options must be set/unset simultaneously. */ //#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 517eb4e77..e7db3ffe0 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -959,7 +959,9 @@ struct mbedtls_ssl_config #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#if !defined(MBEDTLS_SSL_CONF_CID_LEN) size_t cid_len; /*!< The length of CIDs for incoming DTLS records. */ +#endif /* !MBEDTLS_SSL_CONF_CID_LEN */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1015,14 +1017,20 @@ struct mbedtls_ssl_config * Numerical settings (int then char) */ +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read (ms) */ +#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */ #if defined(MBEDTLS_SSL_PROTO_DTLS) +#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) uint32_t hs_timeout_min; /*!< initial value of the handshake retransmission timeout (ms) */ +#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */ +#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) uint32_t hs_timeout_max; /*!< maximum value of the handshake retransmission timeout (ms) */ -#endif +#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */ +#endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_RENEGOTIATION) int renego_max_records; /*!< grace period for renegotiation */ @@ -1031,7 +1039,9 @@ struct mbedtls_ssl_config #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) +#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) unsigned int badmac_limit; /*!< limit of records with a bad MAC */ +#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */ #endif #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) @@ -1047,11 +1057,17 @@ struct mbedtls_ssl_config * Flags (bitfields) */ +#if !defined(MBEDTLS_SSL_CONF_ENDPOINT) unsigned int endpoint : 1; /*!< 0: client, 1: server */ +#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */ unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */ +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ +#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */ +#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ #if defined(MBEDTLS_ARC4_C) unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */ #endif @@ -1072,8 +1088,10 @@ struct mbedtls_ssl_config #endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */ #endif #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) unsigned int anti_replay : 1; /*!< detect and prevent replay? */ -#endif +#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */ +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */ #endif @@ -1090,13 +1108,17 @@ struct mbedtls_ssl_config unsigned int fallback : 1; /*!< is this a fallback? */ #endif #if defined(MBEDTLS_SSL_SRV_C) +#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in Certificate Request messages? */ +#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */ #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS * record with unexpected CID * should lead to failure. */ +#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ }; @@ -1365,13 +1387,18 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, */ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ); +#if !defined(MBEDTLS_SSL_CONF_ENDPOINT) /** * \brief Set the current endpoint type * + * \note On constrained systems, this can also be configured + * at compile-time via MBEDTLS_SSL_CONF_ENDPOINT. + * * \param conf SSL configuration * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER */ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ); +#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */ /** * \brief Set the transport type (TLS or DTLS). @@ -1682,6 +1709,7 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl, void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) /** * \brief Set the timeout period for mbedtls_ssl_read() * (Default: no timeout.) @@ -1695,10 +1723,14 @@ void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu ); * With non-blocking I/O, this will only work if timer * callbacks were set with \c mbedtls_ssl_set_timer_cb(). * + * \note On constrained systems, this option can also be configured + * at compile-time via MBEDTLS_SSL_CONF_READ_TIMEOUT. + * * \note With non-blocking I/O, you may also skip this function * altogether and handle timeouts at the application layer. */ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); +#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */ /** * \brief Set the timer callbacks (Mandatory for DTLS.) @@ -2018,14 +2050,16 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \ + !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) /** * \brief Enable or disable anti-replay protection for DTLS. * (DTLS only, no effect on TLS.) * Default: enabled. * * \param conf SSL configuration - * \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED. + * \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or + * MBEDTLS_SSL_ANTI_REPLAY_DISABLED. * * \warning Disabling this is a security risk unless the application * protocol handles duplicated packets in a safe way. You @@ -2033,11 +2067,16 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, * However, if your application already detects duplicated * packets and needs information about them to adjust its * transmission strategy, then you'll want to disable this. + * + * \note On constrained systems, this option can also be + * fixed at compile-time by defining the constant + * MBEDTLS_SSL_CONF_ANTI_REPLAY. */ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); -#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */ -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) +#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ + !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) /** * \brief Set a limit on the number of records with a bad MAC * before terminating the connection. @@ -2060,9 +2099,13 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); * connection. On the other hand, a high limit or no limit * might make us waste resources checking authentication on * many bogus packets. + * + * \note On constrained systems, this option can also be + * fixed at compile-time by defining the constant + * MBEDTLS_SSL_CONF_BADMAC_LIMIT. */ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ); -#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ +#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -2295,9 +2338,11 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1 +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_CONF_CID_LEN) && \ + !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) /** * \brief Specify the length of Connection IDs for incoming * encrypted DTLS records, as well as the behaviour @@ -2326,13 +2371,19 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, * same SSL configuration; this allows simpler parsing of * record headers. * + * \note On constrained systems, this configuration can also be + * fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and + * MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID. + * * \return \c 0 on success. * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len * is too large. */ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, int ignore_other_cids ); -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID && + !MBEDTLS_SSL_CONF_CID_LEN && + !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ /** * \brief Set the list of allowed ciphersuites and the @@ -2918,19 +2969,22 @@ void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ); #endif /* MBEDTLS_ARC4_C */ -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) /** * \brief Whether to send a list of acceptable CAs in * CertificateRequest messages. * (Default: do send) * + * \note On constrained systems, this options can also be configured + * at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST. + * * \param conf SSL configuration * \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or * MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED */ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, char cert_req_ca_list ); -#endif /* MBEDTLS_SSL_SRV_C */ +#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** @@ -3032,6 +3086,7 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) /** * \brief Prevent or allow legacy renegotiation. * (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) @@ -3058,8 +3113,14 @@ void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION, * SSL_ALLOW_LEGACY_RENEGOTIATION or * MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) + * + * + * \note On constrained systems, this option can also be + * fixed at compile-time by defining the constant + * MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION. */ void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ); +#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) /** diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 8803e8322..74c9f1a94 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1114,6 +1114,181 @@ static inline int mbedtls_ssl_get_renego_status( * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX. */ +#if defined(MBEDTLS_SSL_SRV_C) +#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) +static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list( + mbedtls_ssl_config const *conf ) +{ + return( conf->cert_req_ca_list ); +} +#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */ +static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST ); +} +#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */ +#endif /* MBEDTLS_SSL_SRV_C */ + +#if !defined(MBEDTLS_SSL_CONF_ENDPOINT) +static inline unsigned int mbedtls_ssl_conf_get_endpoint( + mbedtls_ssl_config const *conf ) +{ + return( conf->endpoint ); +} +#else /* !MBEDTLS_SSL_CONF_ENDPOINT */ +static inline unsigned int mbedtls_ssl_conf_get_endpoint( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_ENDPOINT ); +} +#endif /* MBEDTLS_SSL_CONF_ENDPOINT */ + +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) +static inline uint32_t mbedtls_ssl_conf_get_read_timeout( + mbedtls_ssl_config const *conf ) +{ + return( conf->read_timeout ); +} +#else /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */ +static inline uint32_t mbedtls_ssl_conf_get_read_timeout( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_READ_TIMEOUT ); +} +#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */ + +#if defined(MBEDTLS_SSL_PROTO_DTLS) +#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) +static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_min( + mbedtls_ssl_config const *conf ) +{ + return( conf->hs_timeout_min ); +} +#else /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */ +static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_min( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN ); +} +#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */ + +#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) +static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_max( + mbedtls_ssl_config const *conf ) +{ + return( conf->hs_timeout_max ); +} +#else /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */ +static inline uint32_t mbedtls_ssl_conf_get_hs_timeout_max( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX ); +} +#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */ +#endif /* MBEDTLS_SSL_PROTO_DTLS */ + +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#if !defined(MBEDTLS_SSL_CONF_CID_LEN) +static inline size_t mbedtls_ssl_conf_get_cid_len( + mbedtls_ssl_config const *conf ) +{ + return( conf->cid_len ); +} +#else /* !MBEDTLS_SSL_CONF_CID_LEN */ +static inline size_t mbedtls_ssl_conf_get_cid_len( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_CID_LEN ); +} +#endif /* MBEDTLS_SSL_CONF_CID_LEN */ + +#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) +static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid( + mbedtls_ssl_config const *conf ) +{ + return( conf->ignore_unexpected_cid ); +} +#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ +static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID ); +} +#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) +static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation( + mbedtls_ssl_config const *conf ) +{ + return( conf->allow_legacy_renegotiation ); +} +#else /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ +static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION ); +} +#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ + +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) +static inline int mbedtls_ssl_conf_get_authmode( + mbedtls_ssl_config const *conf ) +{ + return( conf->authmode ); +} +#else /* !MBEDTLS_SSL_CONF_AUTHMODE */ +static inline int mbedtls_ssl_conf_get_authmode( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_AUTHMODE ); +} +#endif /* MBEDTLS_SSL_CONF_AUTHMODE */ + +#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) +#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) +static inline unsigned int mbedtls_ssl_conf_get_badmac_limit( + mbedtls_ssl_config const *conf ) +{ + return( conf->badmac_limit ); +} +#else /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */ +static inline unsigned int mbedtls_ssl_conf_get_badmac_limit( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_BADMAC_LIMIT ); +} +#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */ +#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ + +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) +static inline unsigned int mbedtls_ssl_conf_get_anti_replay( + mbedtls_ssl_config const *conf ) +{ + return( conf->anti_replay ); +} +#else /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */ +static inline unsigned int mbedtls_ssl_conf_get_anti_replay( + mbedtls_ssl_config const *conf ) +{ + ((void) conf); + return( MBEDTLS_SSL_CONF_ANTI_REPLAY ); +} +#endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */ +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ + #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) static inline unsigned int mbedtls_ssl_conf_get_ems( mbedtls_ssl_config const *conf ) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 80a6da27c..274938979 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2073,7 +2073,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) * Renegotiation security checks */ if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) == + MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; @@ -2088,7 +2089,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) + mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) == + MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); handshake_failure = 1; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index a69e8b46f..038b77ef6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -55,7 +55,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, const unsigned char *info, size_t ilen ) { - if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_SERVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); mbedtls_free( ssl->cli_id ); @@ -1281,7 +1281,8 @@ have_ciphersuite_v2: * SSLv2 Client Hello relevant renegotiation security checks */ if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) == + MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, @@ -2048,7 +2049,8 @@ read_record_header: * Renegotiation security checks */ if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) == + MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; @@ -2063,7 +2065,8 @@ read_record_header: } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) + mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) + == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); handshake_failure = 1; @@ -2894,7 +2897,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) authmode = ssl->handshake->sni_authmode; else #endif - authmode = ssl->conf->authmode; + authmode = mbedtls_ssl_conf_get_authmode( ssl->conf ); if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || authmode == MBEDTLS_SSL_VERIFY_NONE ) @@ -2990,7 +2993,8 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) total_dn_size = 0; - if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) + if( mbedtls_ssl_conf_get_cert_req_ca_list( ssl->conf ) + == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) { #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ssl->handshake->sni_ca_chain != NULL ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 79204a77f..2a96043bc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -117,6 +117,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl ); #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) /* Top-level Connection ID API */ +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_CONF_CID_LEN) && \ + !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, int ignore_other_cid ) @@ -134,6 +137,21 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, conf->cid_len = len; return( 0 ); } +#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID && + !MBEDTLS_SSL_CONF_CID_LEN && + !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ + +#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX +#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN" +#endif +#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \ + MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL +#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID" +#endif + +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID && + !MBEDTLS_SSL_CONF_CID_LEN && + !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl, int enable, @@ -152,11 +170,11 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) ); MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len ); - if( own_cid_len != ssl->conf->cid_len ) + if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config", (unsigned) own_cid_len, - (unsigned) ssl->conf->cid_len ) ); + (unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -300,8 +318,11 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) { uint32_t new_timeout; - if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) + if( ssl->handshake->retransmit_timeout >= + mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) ) + { return( -1 ); + } /* Implement the final paragraph of RFC 6347 section 4.1.1.1 * in the following way: after the initial transmission and a first @@ -309,7 +330,8 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) * This value is guaranteed to be deliverable (if not guaranteed to be * delivered) of any compliant IPv4 (and IPv6) network, and should work * on most non-IP stacks too. */ - if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min ) + if( ssl->handshake->retransmit_timeout != + mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ) ) { ssl->handshake->mtu = 508; MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) ); @@ -319,9 +341,9 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) /* Avoid arithmetic overflow and range overflow */ if( new_timeout < ssl->handshake->retransmit_timeout || - new_timeout > ssl->conf->hs_timeout_max ) + new_timeout > mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) ) { - new_timeout = ssl->conf->hs_timeout_max; + new_timeout = mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ); } ssl->handshake->retransmit_timeout = new_timeout; @@ -333,7 +355,7 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) { - ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; + ssl->handshake->retransmit_timeout = mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", ssl->handshake->retransmit_timeout ) ); } @@ -1368,7 +1390,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) ssl->handshake->tls_prf, ssl->handshake->randbytes, ssl->minor_ver, - ssl->conf->endpoint, + mbedtls_ssl_conf_get_endpoint( ssl->conf ), ssl ); if( ret != 0 ) { @@ -2995,7 +3017,9 @@ static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) * timeout if we were using the usual handshake doubling scheme */ if( ssl->conf->renego_max_records < 0 ) { - uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; + uint32_t ratio = + mbedtls_ssl_conf_get_hs_timeout_max( ssl->conf ) / + mbedtls_ssl_conf_get_hs_timeout_min( ssl->conf ) + 1; unsigned char doublings = 1; while( ratio != 0 ) @@ -3136,7 +3160,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) timeout = ssl->handshake->retransmit_timeout; else - timeout = ssl->conf->read_timeout; + timeout = mbedtls_ssl_conf_get_read_timeout( ssl->conf ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); @@ -3174,7 +3198,8 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) return( MBEDTLS_ERR_SSL_WANT_READ ); } #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) - else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + else if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) @@ -3211,8 +3236,8 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_recv_timeout != NULL ) { ret = ssl->f_recv_timeout( ssl->p_bio, - ssl->in_hdr + ssl->in_left, len, - ssl->conf->read_timeout ); + ssl->in_hdr + ssl->in_left, len, + mbedtls_ssl_conf_get_read_timeout( ssl->conf ) ); } else { @@ -3700,7 +3725,8 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT && - ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ) + mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT ) ) #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); @@ -4324,8 +4350,11 @@ int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); uint64_t bit; - if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) == + MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + { return( 0 ); + } if( rec_seqnum > ssl->in_window_top ) return( 0 ); @@ -4348,8 +4377,11 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) { uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); - if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + if( mbedtls_ssl_conf_get_anti_replay( ssl->conf ) == + MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + { return; + } if( rec_seqnum > ssl->in_window_top ) { @@ -4613,7 +4645,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->in_msgtype == MBEDTLS_SSL_MSG_CID && - ssl->conf->cid_len != 0 ) + mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 ) { /* Shift pointers to account for record header including CID * struct { @@ -4630,7 +4662,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) /* So far, we only support static CID lengths * fixed in the configuration. */ - ssl->in_len = ssl->in_cid + ssl->conf->cid_len; + ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf ); ssl->in_iv = ssl->in_msg = ssl->in_len + 2; } else @@ -4726,7 +4758,8 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) * have an active transform (possibly iv_len != 0), so use the * fact that the record header len is 13 instead. */ - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER && ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && rec_epoch == 0 && ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && @@ -4859,8 +4892,8 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID && - ssl->conf->ignore_unexpected_cid - == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) + mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf ) + == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) ); ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; @@ -5776,8 +5809,8 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - if( ssl->conf->badmac_limit != 0 && - ++ssl->badmac_seen >= ssl->conf->badmac_limit ) + if( mbedtls_ssl_conf_get_badmac_limit( ssl->conf ) != 0 && + ++ssl->badmac_seen >= mbedtls_ssl_conf_get_badmac_limit( ssl->conf ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); return( MBEDTLS_ERR_SSL_INVALID_MAC ); @@ -5909,7 +5942,8 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && - ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER && ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) { @@ -6076,7 +6110,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT ) { if( ssl->client_auth == 0 ) { @@ -6105,7 +6140,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) { if( mbedtls_ssl_own_cert( ssl ) == NULL ) { @@ -6309,7 +6344,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl, /* Check if we're handling the first CRT in the chain. */ #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) if( crt_cnt++ == 0 && - ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && + mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) { /* During client-side renegotiation, check that the server's @@ -6375,7 +6411,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SRV_C) static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) { - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT ) return( -1 ); #if defined(MBEDTLS_SSL_PROTO_SSL3) @@ -6433,7 +6469,7 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, return( SSL_CERTIFICATE_SKIP ); #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) { if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) return( SSL_CERTIFICATE_SKIP ); @@ -6532,11 +6568,11 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_ECP_C */ - ret = mbedtls_ssl_check_cert_usage( chain, - ciphersuite_info, - ! ssl->conf->endpoint, - &ssl->session_negotiate->verify_result ); - if( ret != 0 ) + if( mbedtls_ssl_check_cert_usage( chain, + ciphersuite_info, + ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT ), + &ssl->session_negotiate->verify_result ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); if( verify_ret == 0 ) @@ -6672,9 +6708,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ? ssl->handshake->sni_authmode - : ssl->conf->authmode; + : mbedtls_ssl_conf_get_authmode( ssl->conf ); #else - const int authmode = ssl->conf->authmode; + const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf ); #endif void *rs_ctx = NULL; mbedtls_x509_crt *chain = NULL; @@ -7355,7 +7391,8 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) ssl_update_out_pointers( ssl, ssl->transform_negotiate ); - ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); + ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, + mbedtls_ssl_conf_get_endpoint( ssl->conf ) ); /* * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites @@ -7382,12 +7419,18 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT ) + { ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; + } #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER ) + { ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; + } #endif } else @@ -7485,7 +7528,8 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); - ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); + ssl->handshake->calc_finished( ssl, buf, + mbedtls_ssl_conf_get_endpoint( ssl->conf ) ^ 1 ); if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) { @@ -7536,11 +7580,11 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT ) ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; #endif } @@ -7690,7 +7734,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) { ssl->handshake->alt_transform_out = ssl->transform_out; - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; else ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; @@ -8062,29 +8106,34 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ) /* * SSL set accessors */ +#if !defined(MBEDTLS_SSL_CONF_ENDPOINT) void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) { conf->endpoint = endpoint; } +#endif /* MBEDTLS_SSL_CONF_ENDPOINT */ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) { conf->transport = transport; } -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \ + !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) { - conf->anti_replay = mode; + conf->anti_replay = mode; } -#endif +#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY && !MBEDTLS_SSL_CONF_ANTI_REPLAY */ -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) -void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) +#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ + !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) +void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, + unsigned limit ) { conf->badmac_limit = limit; } -#endif +#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT && !MBEDTLS_SSL_CONF_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -8094,17 +8143,36 @@ void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl, ssl->disable_datagram_packing = !allow_packing; } +#if !( defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) && \ + defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) ) void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) { conf->hs_timeout_min = min; conf->hs_timeout_max = max; } -#endif +#else /* !( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN && + MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX ) */ +void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, + uint32_t min, uint32_t max ) +{ + ((void) conf); + ((void) min); + ((void) max); +} +#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN && + MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */ + +#endif /* MBEDTLS_SSL_PROTO_DTLS */ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) { - conf->authmode = authmode; +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) + conf->authmode = authmode; +#else + ((void) conf); + ((void) authmode); +#endif /* MBEDTLS_SSL_CONF_AUTHMODE */ } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -8152,10 +8220,12 @@ void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu ) } #endif +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) { conf->read_timeout = timeout; } +#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl, void *p_timer, @@ -8190,7 +8260,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session if( ssl == NULL || session == NULL || ssl->session_negotiate == NULL || - ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) + mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -8318,7 +8388,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, if( ssl->handshake == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) role = MBEDTLS_ECJPAKE_SERVER; else role = MBEDTLS_ECJPAKE_CLIENT; @@ -8612,7 +8682,7 @@ void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) } #endif -#if defined(MBEDTLS_SSL_SRV_C) +#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, char cert_req_ca_list ) { @@ -8679,10 +8749,12 @@ void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split } #endif +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) { conf->allow_legacy_renegotiation = allow_legacy; } +#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) @@ -8986,7 +9058,7 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl ) { /* Return unlimited mtu for client hello messages to avoid fragmentation. */ - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT && ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO || ssl->state == MBEDTLS_SSL_SERVER_HELLO ) ) return ( 0 ); @@ -9068,7 +9140,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, if( ssl == NULL || dst == NULL || ssl->session == NULL || - ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) + mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -9652,11 +9724,11 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT ) ret = mbedtls_ssl_handshake_client_step( ssl ); #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) ret = mbedtls_ssl_handshake_server_step( ssl ); #endif @@ -9739,10 +9811,15 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER ) + { ssl->handshake->out_msg_seq = 1; + } else + { ssl->handshake->in_msg_seq = 1; + } } #endif @@ -9773,7 +9850,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) /* On server, just send the request */ - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) { if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -9916,7 +9993,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) if( ssl->f_get_timer != NULL && ssl->f_get_timer( ssl->p_timer ) == -1 ) { - ssl_set_timer( ssl, ssl->conf->read_timeout ); + ssl_set_timer( ssl, + mbedtls_ssl_conf_get_read_timeout( ssl->conf ) ); } if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) @@ -9955,7 +10033,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) */ #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT && ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) { @@ -9978,7 +10057,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); @@ -10003,7 +10083,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* Determine whether renegotiation attempt should be accepted */ if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == + mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) { /* @@ -10013,7 +10093,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* DTLS clients need to know renego is server-initiated */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && - ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_CLIENT ) { ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; } @@ -10126,7 +10207,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * Do it now, after setting in_offt, to avoid taking this branch * again if ssl_write_hello_request() returns WANT_WRITE */ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == + MBEDTLS_SSL_IS_SERVER && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) @@ -10722,7 +10804,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_CLI_C) if( endpoint == MBEDTLS_SSL_IS_CLIENT ) { +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; +#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; #endif @@ -10756,18 +10840,25 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->f_cookie_check = ssl_cookie_check_dummy; #endif -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \ + !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; #endif #if defined(MBEDTLS_SSL_SRV_C) +#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; -#endif +#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */ +#endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_PROTO_DTLS) +#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; +#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */ +#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; -#endif +#endif /* !MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */ +#endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_RENEGOTIATION) conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 8e6ef23ee..7154364c8 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -2610,6 +2610,94 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */ +#if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) + if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ + +#if defined(MBEDTLS_SSL_CONF_AUTHMODE) + if( strcmp( "MBEDTLS_SSL_CONF_AUTHMODE", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_AUTHMODE ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_AUTHMODE */ + +#if defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) + if( strcmp( "MBEDTLS_SSL_CONF_READ_TIMEOUT", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_READ_TIMEOUT ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */ + +#if defined(MBEDTLS_SSL_CONF_ENDPOINT) + if( strcmp( "MBEDTLS_SSL_CONF_ENDPOINT", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ENDPOINT ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_ENDPOINT */ + +#if defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) + if( strcmp( "MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */ + +#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) + if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN */ + +#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX) + if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX */ + +#if defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) + if( strcmp( "MBEDTLS_SSL_CONF_ANTI_REPLAY", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ANTI_REPLAY ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_ANTI_REPLAY */ + +#if defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) + if( strcmp( "MBEDTLS_SSL_CONF_BADMAC_LIMIT", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_BADMAC_LIMIT ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */ + +#if defined(MBEDTLS_SSL_CONF_CID_LEN) + if( strcmp( "MBEDTLS_SSL_CONF_CID_LEN", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CID_LEN ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_CID_LEN */ + +#if defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) + if( strcmp( "MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID ); + return( 0 ); + } +#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ + #if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index dd194f316..a5d3eb1a7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -293,6 +293,27 @@ int main( void ) #define USAGE_SERIALIZATION "" #endif +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) +#define USAGE_AUTH_MODE \ + " auth_mode=%%s default: (library default: none)\n" \ + " options: none, optional, required\n" +#else +#define USAGE_AUTH_MODE "" +#endif + +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) +#define USAGE_ALLOW_LEGACY_RENEGO " allow_legacy=%%d default: (library default: no)\n" +#else +#define USAGE_ALLOW_LEGACY_RENEGO "" +#endif + +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) +#define USAGE_READ_TIMEOUT \ + " read_timeout=%%d default: 0 ms (no timeout)\n" +#else +#define USAGE_READ_TIMEOUT "" +#endif + #define USAGE \ "\n usage: ssl_client2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -311,21 +332,20 @@ int main( void ) " options: 1 (non-blocking), 2 (added delays)\n" \ " event=%%d default: 0 (loop)\n" \ " options: 1 (level-triggered, implies nbio=1),\n" \ - " read_timeout=%%d default: 0 ms (no timeout)\n" \ + USAGE_READ_TIMEOUT \ " max_resend=%%d default: 0 (no resend on timeout)\n" \ "\n" \ USAGE_DTLS \ USAGE_CID \ "\n" \ - " auth_mode=%%s default: (library default: none)\n" \ - " options: none, optional, required\n" \ + USAGE_AUTH_MODE \ USAGE_IO \ "\n" \ USAGE_PSK \ USAGE_ECJPAKE \ USAGE_ECRESTART \ "\n" \ - " allow_legacy=%%d default: (library default: no)\n" \ + USAGE_ALLOW_LEGACY_RENEGO \ USAGE_RENEGO \ " exchanges=%%d default: 1\n" \ " reconnect=%%d number of reconnections using session resumption\n" \ @@ -908,8 +928,10 @@ int main( int argc, char *argv[] ) if( opt.event < 0 || opt.event > 2 ) goto usage; } +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) else if( strcmp( p, "read_timeout" ) == 0 ) opt.read_timeout = atoi( q ); +#endif else if( strcmp( p, "max_resend" ) == 0 ) { opt.max_resend = atoi( q ); @@ -980,6 +1002,7 @@ int main( int argc, char *argv[] ) MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED; } +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) else if( strcmp( p, "allow_legacy" ) == 0 ) { switch( atoi( q ) ) @@ -996,6 +1019,7 @@ int main( int argc, char *argv[] ) default: goto usage; } } +#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ else if( strcmp( p, "renegotiate" ) == 0 ) { opt.renegotiate = atoi( q ); @@ -1175,6 +1199,7 @@ int main( int argc, char *argv[] ) else goto usage; } +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) else if( strcmp( p, "auth_mode" ) == 0 ) { if( strcmp( q, "none" ) == 0 ) @@ -1186,6 +1211,7 @@ int main( int argc, char *argv[] ) else goto usage; } +#endif else if( strcmp( p, "max_frag_len" ) == 0 ) { if( strcmp( q, "512" ) == 0 ) @@ -1655,7 +1681,9 @@ int main( int argc, char *argv[] ) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_CONF_CID_LEN) && \ + !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) { if( opt.cid_enabled == 1 && @@ -1680,7 +1708,9 @@ int main( int argc, char *argv[] ) goto exit; } } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID && + !MBEDTLS_SSL_CONF_CID_LEN && + !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); @@ -1748,7 +1778,9 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); +#endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ); @@ -1762,8 +1794,10 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); #endif +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) if( opt.allow_legacy != DFL_ALLOW_LEGACY ) mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); +#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cd2fa93e7..72b51891e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -317,14 +317,16 @@ int main( void ) #define USAGE_COOKIES "" #endif -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \ + !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) #define USAGE_ANTI_REPLAY \ " anti_replay=0/1 default: (library default: enabled)\n" #else #define USAGE_ANTI_REPLAY "" #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) +#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ + !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) #define USAGE_BADMAC_LIMIT \ " badmac_limit=%%d default: (library default: disabled)\n" #else @@ -398,6 +400,36 @@ int main( void ) #define USAGE_SERIALIZATION "" #endif +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) +#define USAGE_AUTH_MODE \ + " auth_mode=%%s default: (library default: none)\n" \ + " options: none, optional, required\n" +#else +#define USAGE_AUTH_MODE "" +#endif + +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) +#define USAGE_ALLOW_LEGACY_RENEGO \ + " allow_legacy=%%d default: (library default: no)\n" +#else +#define USAGE_ALLOW_LEGACY_RENEGO "" +#endif + +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) +#define USAGE_READ_TIMEOUT \ + " read_timeout=%%d default: 0 ms (no timeout)\n" +#else +#define USAGE_READ_TIMEOUT "" +#endif + +#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) +#define USAGE_CERT_REQ_CA_LIST \ + " cert_req_ca_list=%%d default: 1 (send ca list)\n" \ + " options: 1 (send ca list), 0 (don't send)\n" +#else +#define USAGE_CERT_REQ_CA_LIST "" +#endif + #define USAGE \ "\n usage: ssl_server2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -413,17 +445,15 @@ int main( void ) " options: 1 (non-blocking), 2 (added delays)\n" \ " event=%%d default: 0 (loop)\n" \ " options: 1 (level-triggered, implies nbio=1),\n" \ - " read_timeout=%%d default: 0 ms (no timeout)\n" \ + USAGE_READ_TIMEOUT \ "\n" \ USAGE_DTLS \ USAGE_COOKIES \ USAGE_ANTI_REPLAY \ USAGE_BADMAC_LIMIT \ "\n" \ - " auth_mode=%%s default: (library default: none)\n" \ - " options: none, optional, required\n" \ - " cert_req_ca_list=%%d default: 1 (send ca list)\n" \ - " options: 1 (send ca list), 0 (don't send)\n" \ + USAGE_AUTH_MODE \ + USAGE_CERT_REQ_CA_LIST \ USAGE_IO \ USAGE_SSL_ASYNC \ USAGE_SNI \ @@ -431,7 +461,7 @@ int main( void ) USAGE_PSK \ USAGE_ECJPAKE \ "\n" \ - " allow_legacy=%%d default: (library default: no)\n" \ + USAGE_ALLOW_LEGACY_RENEGO \ USAGE_RENEGO \ " exchanges=%%d default: 1\n" \ "\n" \ @@ -617,6 +647,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) return( ret ); } +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) /* * Return authmode from string, or -1 on error */ @@ -631,6 +662,7 @@ static int get_auth_mode( const char *s ) return( -1 ); } +#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ /* * Used by sni_parse and psk_parse to handle coma-separated lists @@ -1572,8 +1604,10 @@ int main( int argc, char *argv[] ) if( opt.event < 0 || opt.event > 2 ) goto usage; } +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) else if( strcmp( p, "read_timeout" ) == 0 ) opt.read_timeout = atoi( q ); +#endif else if( strcmp( p, "buffer_size" ) == 0 ) { opt.buffer_size = atoi( q ); @@ -1672,6 +1706,7 @@ int main( int argc, char *argv[] ) MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED; } +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) else if( strcmp( p, "allow_legacy" ) == 0 ) { switch( atoi( q ) ) @@ -1688,6 +1723,7 @@ int main( int argc, char *argv[] ) default: goto usage; } } +#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ else if( strcmp( p, "renegotiate" ) == 0 ) { opt.renegotiate = atoi( q ); @@ -1800,11 +1836,13 @@ int main( int argc, char *argv[] ) else goto usage; } +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) else if( strcmp( p, "auth_mode" ) == 0 ) { if( ( opt.auth_mode = get_auth_mode( q ) ) < 0 ) goto usage; } +#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ else if( strcmp( p, "cert_req_ca_list" ) == 0 ) { opt.cert_req_ca_list = atoi( q ); @@ -1904,18 +1942,22 @@ int main( int argc, char *argv[] ) if( opt.cookies < -1 || opt.cookies > 1) goto usage; } +#if !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) else if( strcmp( p, "anti_replay" ) == 0 ) { opt.anti_replay = atoi( q ); if( opt.anti_replay < 0 || opt.anti_replay > 1) goto usage; } +#endif /* !MBEDTLS_SSL_CONF_ANTI_REPLAY */ +#if !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) else if( strcmp( p, "badmac_limit" ) == 0 ) { opt.badmac_limit = atoi( q ); if( opt.badmac_limit < 0 ) goto usage; } +#endif /* !MBEDTLS_SSL_CONF_BADMAC_LIMIT */ else if( strcmp( p, "hs_timeout" ) == 0 ) { if( ( p = strchr( q, '-' ) ) == NULL ) @@ -2454,11 +2496,15 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); +#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ +#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST ) mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list ); +#endif #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) @@ -2476,7 +2522,9 @@ int main( int argc, char *argv[] ) }; #endif -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ + !defined(MBEDTLS_SSL_CONF_CID_LEN) && \ + !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) { if( opt.cid_enabled == 1 && @@ -2501,7 +2549,9 @@ int main( int argc, char *argv[] ) goto exit; } } -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID && + !MBEDTLS_SSL_CONF_CID_LEN && + !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) @@ -2597,12 +2647,14 @@ int main( int argc, char *argv[] ) ; /* Nothing to do */ } -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \ + !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) if( opt.anti_replay != DFL_ANTI_REPLAY ) mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay ); #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) +#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ + !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) if( opt.badmac_limit != DFL_BADMAC_LIMIT ) mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit ); #endif @@ -2633,8 +2685,10 @@ int main( int argc, char *argv[] ) MBEDTLS_SSL_MINOR_VERSION_3 ); } +#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) if( opt.allow_legacy != DFL_ALLOW_LEGACY ) mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); +#endif #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); @@ -2908,7 +2962,9 @@ reset: goto exit; } +#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); +#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */ #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) diff --git a/scripts/baremetal.sh b/scripts/baremetal.sh index be5fd0488..7cd1e7005 100755 --- a/scripts/baremetal.sh +++ b/scripts/baremetal.sh @@ -213,7 +213,8 @@ baremetal_ram_heap() { : ${CLI:=./programs/ssl/ssl_client2} : ${CLI_PARAMS:="dtls=1 cid=1 cid_val=beef"} : ${SRV:=./programs/ssl/ssl_server2} - : ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required cid=1 cid_val=dead"} + : ${SRV_PARAMS:="dtls=1 cid=1 cid_val=dead"} # renegotiation=1 auth_mode=required implicit + # compile-time hardcoding of configuration : ${VALGRIND:=valgrind} : ${VALGRIND_MASSIF_PARAMS="--time-unit=B --threshold=0.01 --detailed-freq=1"} @@ -271,7 +272,8 @@ baremetal_ram_stack() { : ${CLI:=./programs/ssl/ssl_client2} : ${CLI_PARAMS:="dtls=1"} : ${SRV:=./programs/ssl/ssl_server2} - : ${SRV_PARAMS:="dtls=1 renegotiation=1 auth_mode=required"} + : ${SRV_PARAMS:="dtls=1"} # renegotiation=1 auth_mode=required implicit + # compile-time hardcoding of configuration : ${VALGRIND:=valgrind} : ${VALGRIND_CALLGRIND_PARAMS:="--separate-callers=100"} diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d35b9bfc7..e76b3edfe 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -529,6 +529,34 @@ check_cmdline_param_compat() { fi } +check_cmdline_authmode_compat() { + __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_AUTHMODE" )" + if [ ! -z "$__VAL" ]; then + extract_cmdline_argument "auth_mode" + if [ "$__ARG" = "none" ] && [ "$__VAL" != "0" ]; then + SKIP_NEXT="YES"; + elif [ "$__ARG" = "optional" ] && [ "$__VAL" != "1" ]; then + SKIP_NEXT="YES" + elif [ "$__ARG" = "required" ] && [ "$__VAL" != "2" ]; then + SKIP_NEXT="YES" + fi + fi +} + +check_cmdline_legacy_renego_compat() { + __VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )" + if [ ! -z "$__VAL" ]; then + extract_cmdline_argument "allow_legacy" + if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then + SKIP_NEXT="YES"; + elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then + SKIP_NEXT="YES" + elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then + SKIP_NEXT="YES" + fi + fi +} + # Go through all options that can be hardcoded at compile-time and # detect whether the command line configures them in a conflicting # way. If so, skip the test. Otherwise, remove the corresponding @@ -544,6 +572,20 @@ check_cmdline_compat() { "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET" check_cmdline_param_compat "enforce_extended_master_secret" \ "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET" + + # DTLS anti replay protection configuration + check_cmdline_param_compat "anti_replay" \ + "MBEDTLS_SSL_CONF_ANTI_REPLAY" + + # DTLS bad MAC limit + check_cmdline_param_compat "badmac_limit" \ + "MBEDTLS_SSL_CONF_BADMAC_LIMIT" + + # Authentication mode + check_cmdline_authmode_compat + + # Legacy renegotiation + check_cmdline_legacy_renego_compat } # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] @@ -7740,7 +7782,7 @@ run_test "DTLS proxy: reference" \ not_with_valgrind # spurious resend due to timeout run_test "DTLS proxy: duplicate every packet" \ -p "$P_PXY duplicate=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ + "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=1" \ "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ 0 \ -c "replayed record" \