yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-30 16:51:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add SSL presets.

Browse source 
No need to use a separate profile as in X.509, everything we need is already
in ssl_config. Just load appropriate values.
This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-17 13:53:47 +02:00
parent 7bfc122703
commit b31c5f68b1
14 changed files with 132 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
include/mbedtls/ssl.h
View file

@ -196,6 +196,9 @@
#define MBEDTLS_SSL_ARC4_ENABLED 0 #define MBEDTLS_SSL_ARC4_ENABLED 0
#define MBEDTLS_SSL_ARC4_DISABLED 1 #define MBEDTLS_SSL_ARC4_DISABLED 1
#define MBEDTLS_SSL_PRESET_DEFAULT 0
#define MBEDTLS_SSL_PRESET_SUITEB 2
/* /*
* Default range for DTLS retransmission timer value, in milliseconds. * Default range for DTLS retransmission timer value, in milliseconds.
* RFC 6347 4.2.4.1 says from 1 second to 60 seconds. * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
@ -2165,6 +2168,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
* \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
* \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
* MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS * MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
* \param preset a MBEDTLS_SSL_PRESET_XXX value
* (currently unused).
* *
* \note See \c mbedtls_ssl_conf_transport() for notes on DTLS. * \note See \c mbedtls_ssl_conf_transport() for notes on DTLS.
* *
@ -2172,7 +2177,7 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
* MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error. * MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
*/ */
int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
int endpoint, int transport ); int endpoint, int transport, int preset );
/** /**
* \brief Free an SSL configuration context * \brief Free an SSL configuration context

145
library/ssl_tls.c
View file

@ -6612,11 +6612,33 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
memset( conf, 0, sizeof( mbedtls_ssl_config ) ); memset( conf, 0, sizeof( mbedtls_ssl_config ) );
} }
static int ssl_preset_suiteb_ciphersuites[] = {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
0
};
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
static int ssl_preset_suiteb_hashes[] = {
MBEDTLS_MD_SHA256,
MBEDTLS_MD_SHA384,
MBEDTLS_MD_NONE
};
#endif
#if defined(MBEDTLS_ECP_C)
static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
MBEDTLS_ECP_DP_SECP256R1,
MBEDTLS_ECP_DP_SECP384R1,
MBEDTLS_ECP_DP_NONE
};
#endif
/* /*
* Load default in mbetls_ssl_config * Load default in mbetls_ssl_config
*/ */
int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
int endpoint, int transport ) int endpoint, int transport, int preset )
{ {
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
int ret; int ret;
@ -6627,19 +6649,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
mbedtls_ssl_conf_endpoint( conf, endpoint ); mbedtls_ssl_conf_endpoint( conf, endpoint );
mbedtls_ssl_conf_transport( conf, transport ); mbedtls_ssl_conf_transport( conf, transport );
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; /*
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ * Things that are common to all presets
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; */
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
/* DTLS starts with TLS 1.1 */
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
}
#endif
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if( endpoint == MBEDTLS_SSL_IS_CLIENT ) if( endpoint == MBEDTLS_SSL_IS_CLIENT )
{ {
@ -6650,16 +6662,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
} }
#endif #endif
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
mbedtls_ssl_list_ciphersuites();
#if defined(MBEDTLS_X509_CRT_PARSE_C)
conf->cert_profile = &mbedtls_x509_crt_profile_default;
#endif
#if defined(MBEDTLS_ARC4_C) #if defined(MBEDTLS_ARC4_C)
conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
#endif #endif
@ -6676,14 +6678,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
conf->sig_hashes = mbedtls_md_list();
#endif
#if defined(MBEDTLS_ECP_C)
conf->curve_list = mbedtls_ecp_grp_id_list();
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
conf->f_cookie_write = ssl_cookie_write_dummy; conf->f_cookie_write = ssl_cookie_write_dummy;
conf->f_cookie_check = ssl_cookie_check_dummy; conf->f_cookie_check = ssl_cookie_check_dummy;
@ -6704,22 +6698,87 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->renego_period[7] = 0x00; conf->renego_period[7] = 0x00;
#endif #endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
conf->dhm_min_bitlen = 1024; if( endpoint == MBEDTLS_SSL_IS_SERVER )
{
if( ( ret = mbedtls_ssl_conf_dh_param( conf,
MBEDTLS_DHM_RFC5114_MODP_2048_P,
MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
{
return( ret );
}
}
#endif #endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) /*
if( endpoint == MBEDTLS_SSL_IS_SERVER ) * Preset-specific defaults
*/
switch( preset )
{ {
if( ( ret = mbedtls_ssl_conf_dh_param( conf, /*
MBEDTLS_DHM_RFC5114_MODP_2048_P, * NSA Suite B
MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) */
{ case MBEDTLS_SSL_PRESET_SUITEB:
return( ret ); conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
} conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
} conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
ssl_preset_suiteb_ciphersuites;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
conf->sig_hashes = ssl_preset_suiteb_hashes;
#endif
#if defined(MBEDTLS_ECP_C)
conf->curve_list = ssl_preset_suiteb_curves;
#endif
/*
* Default
*/
default:
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
#endif
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
mbedtls_ssl_list_ciphersuites();
#if defined(MBEDTLS_X509_CRT_PARSE_C)
conf->cert_profile = &mbedtls_x509_crt_profile_default;
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
conf->sig_hashes = mbedtls_md_list();
#endif
#if defined(MBEDTLS_ECP_C)
conf->curve_list = mbedtls_ecp_grp_id_list();
#endif
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
conf->dhm_min_bitlen = 1024;
#endif
}
return( 0 ); return( 0 );
} }

3
programs/ssl/dtls_client.c
View file

@ -163,7 +163,8 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
programs/ssl/dtls_server.c
View file

@ -199,7 +199,8 @@ int main( void )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
programs/ssl/mini_client.c
View file

@ -191,7 +191,8 @@ int main( void )
if( mbedtls_ssl_config_defaults( &conf, if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
{ {
ret = ssl_config_defaults_failed; ret = ssl_config_defaults_failed;
goto exit; goto exit;

3
programs/ssl/ssl_client1.c
View file

@ -153,7 +153,8 @@ int main( void )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
programs/ssl/ssl_client2.c
View file

@ -1059,7 +1059,8 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
opt.transport ) ) != 0 ) opt.transport,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
goto exit; goto exit;

3
programs/ssl/ssl_fork_server.c
View file

@ -177,7 +177,8 @@ int main( void )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
programs/ssl/ssl_mail_client.c
View file

@ -587,7 +587,8 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
programs/ssl/ssl_pthread_server.c
View file

@ -412,7 +412,8 @@ int main( void )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed: mbedtls_ssl_config_defaults returned -0x%04x\n", mbedtls_printf( " failed: mbedtls_ssl_config_defaults returned -0x%04x\n",
-ret ); -ret );

3
programs/ssl/ssl_server.c
View file

@ -193,7 +193,8 @@ int main( void )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
programs/ssl/ssl_server2.c
View file

@ -1533,7 +1533,8 @@ int main( int argc, char *argv[] )
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_IS_SERVER,
opt.transport ) ) != 0 ) opt.transport,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
goto exit; goto exit;

3
programs/x509/cert_app.c
View file

@ -399,7 +399,8 @@ int main( int argc, char *argv[] )
*/ */
if( ( ret = mbedtls_ssl_config_defaults( &conf, if( ( ret = mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
goto exit; goto exit;

3
tests/suites/test_suite_ssl.function
View file

@ -20,7 +20,8 @@ void ssl_dtls_replay( char *prevs, char *new, int ret )
TEST_ASSERT( mbedtls_ssl_config_defaults( &conf, TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 ); MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) == 0 );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
/* Read previous record numbers */ /* Read previous record numbers */