diff --git a/configs/baremetal.h b/configs/baremetal.h
index 99d54106a..ed5bdd951 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -60,7 +60,7 @@
 /* Key exchanges */
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
-//#define MBEDTLS_SSL_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+#define MBEDTLS_SSL_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
 /* Digests - just SHA-256 */
 #define MBEDTLS_MD_C
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index c72bbeb5a..f9b95023e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -972,7 +972,9 @@ struct mbedtls_ssl_config
 * Pointers
 */
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version */
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 /** Callback for printing debug output */
 void (*f_dbg)(void *, int, const char *, int, const char *);
@@ -2466,6 +2468,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
 */
 const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_context *ssl );
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 /**
 * \brief Set the list of allowed ciphersuites and the preference
 * order. First in the list has the highest preference.
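Review bot: The ciphersuite is now named twice in configs/baremetal.h, once through `MBEDTLS_SSL_CIPHERSUITES` and once through `MBEDTLS_SSL_SINGLE_CIPHERSUITE`, and no check that the two agree is visible in this diff. If one is edited without the other, which suite the build ends up with cannot be read from this file. I would put `/* Must name the same suite as MBEDTLS_SSL_CIPHERSUITES above. */` over the new define and, if the project's configuration sanity checks can express it, add a compile-time check there. Since the rest of this commit compiles out the run-time setters, the 8-byte CCM tag of this suite becomes a fixed property of every build using this config, which is worth saying in the same comment.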
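Review bot: The closing comment `#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */` around `ciphersuite_list` states the opposite of the condition it closes, `#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)`. Write it as `#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */`, the form the declaration guard later in this header already uses. The same mismatch is in library/ssl_tls.c (after mbedtls_ssl_conf_ciphersuites_for_version and on both guards in mbedtls_ssl_config_defaults) and in programs/ssl/ssl_client2.c. In files with this many nested feature guards the negation is what a reader relies on to pair them up.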
@@ -2478,11 +2481,43 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
 * over the preference of the client unless
 * MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
 *
+ * \note On constrained systems, support for a single ciphersuite
+ * (in all versions) can be fixed at compile-time through
+ * the configuration option MBEDTLS_SSL_SINGLE_CIPHERSUITE.
+ *
 * \param conf SSL configuration
 * \param ciphersuites 0-terminated list of allowed ciphersuites
 */
 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
- const int *ciphersuites );
+ const int *ciphersuites );
+
+/**
+ * \brief Set the list of allowed ciphersuites and the
+ * preference order for a specific version of the protocol.
+ * (Only useful on the server side)
+ *
+ * The ciphersuites array is not copied, and must remain
+ * valid for the lifetime of the ssl_config.
+ *
+ * \param conf SSL configuration
+ * \param ciphersuites 0-terminated list of allowed ciphersuites
+ * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
+ * supported)
+ * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ * MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ * MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ *
+ * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
+ * and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \note On constrained systems, support for a single ciphersuite
+ * (in all versions) can be fixed at compile-time through
+ * the configuration option MBEDTLS_SSL_SINGLE_CIPHERSUITE.
+ */
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+ const int *ciphersuites,
+ int major, int minor );
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
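Review bot: The `\note` added to both setters says a single ciphersuite can be fixed at compile time, but not that with MBEDTLS_SSL_SINGLE_CIPHERSUITE defined these two functions are no longer declared and `ciphersuite_list` is dropped from `mbedtls_ssl_config`. I would end each note with `In that case this function is not available.` and add a sentence next to the struct member saying that the layout of mbedtls_ssl_config depends on this option, so the library and every application including this header must be built from the same configuration. The doc comment of mbedtls_ssl_conf_ciphersuites begins before this hunk.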
@@ -2531,29 +2566,6 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
 !MBEDTLS_SSL_CONF_CID_LEN &&
 !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
-/**
- * \brief Set the list of allowed ciphersuites and the
- * preference order for a specific version of the protocol.
- * (Only useful on the server side)
- *
- * The ciphersuites array is not copied, and must remain
- * valid for the lifetime of the ssl_config.
- *
- * \param conf SSL configuration
- * \param ciphersuites 0-terminated list of allowed ciphersuites
- * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
- * supported)
- * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
- * MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
- * MBEDTLS_SSL_MINOR_VERSION_3 supported)
- *
- * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
- * and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
- */
-void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
- const int *ciphersuites,
- int major, int minor );
-
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**
 * \brief Set the X.509 security profile used for verification
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6792273d5..afe32be57 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8323,6 +8323,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
 }
 #endif /* MBEDTLS_SSL_CLI_C && !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
 const int *ciphersuites )
 {
@@ -8344,6 +8345,7 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
 conf->ciphersuite_list[minor] = ciphersuites;
 }
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
@@ -10803,11 +10805,13 @@ static int ssl_preset_default_hashes[] = {
 };
 #endif
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 static int ssl_preset_suiteb_ciphersuites[] = {
 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 0
 };
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
 static int ssl_preset_suiteb_hashes[] = {
@@ -10943,11 +10947,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
 ssl_preset_suiteb_ciphersuites;
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
@@ -10982,11 +10988,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
 #endif
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
 mbedtls_ssl_list_ciphersuites();
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 conf->cert_profile = &mbedtls_x509_crt_profile_default;
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 56641f54d..ac7810a43 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
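Review bot: With MBEDTLS_SSL_SINGLE_CIPHERSUITE defined, the branch of mbedtls_ssl_config_defaults that used to assign `ssl_preset_suiteb_ciphersuites` no longer restricts the ciphersuite at all, yet it still installs `mbedtls_x509_crt_profile_suiteb`. The suite in use is then whatever was compiled in, which for configs/baremetal.h in this same commit is an AES-128-CCM-8 suite that is not one of the two GCM suites in `ssl_preset_suiteb_ciphersuites`. A caller selecting this preset therefore gets a configuration that does not match what the preset promises, with no error or warning. I would either reject the preset in this build (an `#else` that returns a feature-unavailable error) or at least add `#else /* ciphersuite fixed at compile time; this preset cannot restrict it */` and say so in the function's documentation. The function begins and ends outside these hunks, so the preset selector itself is not visible here.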
@@ -1788,8 +1788,10 @@ int main( int argc, char *argv[] )
 mbedtls_ssl_conf_session_tickets( &conf, opt.tickets );
 #endif
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
 mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if defined(MBEDTLS_ARC4_C)
 if( opt.arc4 != DFL_ARC4 )
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 58804684e..3ceae8c74 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -621,8 +621,10 @@ int main( int argc, char *argv[] )
 mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
 mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
 mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
 if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 4312629c5..88c92b33a 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2662,14 +2662,17 @@ int main( int argc, char *argv[] )
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
 mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if defined(MBEDTLS_ARC4_C)
 if( opt.arc4 != DFL_ARC4 )
 mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
 #endif
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
 if( opt.version_suites != NULL )
 {
 mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0],
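Review bot: When MBEDTLS_SSL_SINGLE_CIPHERSUITE is defined, a user-supplied `opt.force_ciphersuite` is dropped without any message in ssl_client2.c, and the same happens in ssl_mail_client.c and in ssl_server2.c, where `opt.version_suites` is ignored as well. A test script that passes the option to pin the negotiated suite would then pass or fail against a suite it did not choose. I would add an `#else` branch that reports it, for example `if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_printf( "force_ciphersuite ignored: ciphersuite is fixed at compile time\n" );`, or reject the option where it is parsed. The option parsing is outside these hunks, so it is only presumed that the option is still accepted in such builds.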
@@ -2685,6 +2688,7 @@ int main( int argc, char *argv[] )
 MBEDTLS_SSL_MAJOR_VERSION_3,
 MBEDTLS_SSL_MINOR_VERSION_3 );
 }
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 #if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
 if( opt.allow_legacy != DFL_ALLOW_LEGACY )