diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index bd2c1a3b8..c9b58dd53 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -41,7 +41,6 @@
 /* mbed TLS feature support */
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS
 
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h
index 349ea8e57..013bc0300 100644
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@@ -40,7 +40,6 @@
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_1
-#define MBEDTLS_SSL_PROTO_TLS
 
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index e6fad1c0e..18e2c4036 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -47,7 +47,6 @@
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS
 
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index 3166aa970..4fa0b8d19 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -49,6 +49,7 @@
 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #define MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_PROTO_NO_TLS
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
 #define MBEDTLS_SSL_EXPORT_KEYS
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index b3677b528..34f1a3bee 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -566,7 +566,7 @@
 #endif
 
 #if defined(MBEDTLS_SSL_TLS_C) && \
- ( !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
+ ( defined(MBEDTLS_SSL_PROTO_NO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
 #endif
 
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e0b5ba41c..1653f8950 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1508,7 +1508,7 @@
 * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2,
 * and/or this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0.
 *
- * \see MBEDTLS_SSL_PROTO_TLS
+ * \see MBEDTLS_SSL_PROTO_NO_TLS
 *
 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
 * or MBEDTLS_SSL_PROTO_TLS1_2
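Review bot: The rewritten condition rejects a build with TLS opted out and DTLS absent, but nothing rejects a configuration that still defines the pre-rename `MBEDTLS_SSL_PROTO_TLS` alongside `MBEDTLS_SSL_PROTO_NO_TLS`; since the ssl_internal.h change in this commit only derives `MBEDTLS_SSL_PROTO_TLS` when it is not already defined, such a legacy define would presumably keep the TLS code compiled in despite the user's opt-out. `MBEDTLS_SSL_PROTO_TLS` is now an internal symbol, so a check belongs next to this one: `#if defined(MBEDTLS_SSL_PROTO_TLS) && defined(MBEDTLS_SSL_PROTO_NO_TLS)` / `#error "MBEDTLS_SSL_PROTO_TLS is derived internally; use MBEDTLS_SSL_PROTO_NO_TLS instead"` / `#endif`. While this block is being touched, the existing message "neither TLS or DTLS" should read "neither TLS nor DTLS".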
@@ -1518,25 +1518,22 @@
 #define MBEDTLS_SSL_PROTO_DTLS
 
 /**
- * \def MBEDTLS_SSL_PROTO_TLS
+ * \def MBEDTLS_SSL_PROTO_NO_TLS
 *
- * Enable support for SSL/TLS (all available versions).
+ * Disable support for SSL/TLS (all available versions) - this doesn't affect
+ * support for DTLS which is controlled by #MBEDTLS_SSL_PROTO_DTLS.
 *
- * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
- * enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
- * enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
- * and/or this and MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0 (deprecated).
+ * Disable this and enable MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
+ * disable this and enable MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0.
 *
- * \see MBEDTLS_SSL_PROTO_DTLS
+ * Requirements: if this macro is disabled, at least one of the above
+ * TLS versions needs to be enabled.
 *
- * Requires: MBEDTLS_SSL_PROTO_TLS1_2
- * or MBEDTLS_SSL_PROTO_TLS1_1
- * or MBEDTLS_SSL_PROTO_TLS1
- * or MBEDTLS_SSL_PROTO_SSL3 (deprecated)
- *
- * Comment this macro to disable support for TLS
+ * Uncomment this macro to disable support for TLS.
 */
-#define MBEDTLS_SSL_PROTO_TLS
+//#define MBEDTLS_SSL_PROTO_NO_TLS
 
 /**
 * \def MBEDTLS_SSL_ALPN
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 653f857cc..1a4eaf663 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1337,8 +1337,8 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
 
 /**
 * \brief Set the transport type (TLS or DTLS).
- Default: TLS if #MBEDTLS_SSL_PROTO_TLS is defined, else
- DTLS.
+ Default: TLS unless #MBEDTLS_SSL_PROTO_NO_TLS is defined,
+ else DTLS.
 *
 * \note For DTLS, you must either provide a recv callback that
 * doesn't block, or one that handles timeouts, see
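Review bot: The new documentation for `MBEDTLS_SSL_PROTO_NO_TLS` drops the "(deprecated)" marker that both removed mentions of SSL 3.0 carried, so the line `disable this and enable MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0.` should keep `SSL 3.0 (deprecated).`. The "Requirements:" sentence also departs from the "Requires:" convention used by the neighbouring DTLS option, and "if this macro is disabled" is ambiguous for a macro that is commented out rather than switched off; prefer `* Requires: if this macro is not defined, at least one of MBEDTLS_SSL_PROTO_TLS1_2,` / `*           MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_PROTO_TLS1 or` / `*           MBEDTLS_SSL_PROTO_SSL3 (deprecated) must be defined.`. Whether check_config.h actually enforces that requirement is not visible in this diff; the only check shown covers the case where both TLS and DTLS are off.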
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 1c8709f3f..e6c829d3a 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -58,6 +58,12 @@
 #define inline __inline
 #endif
 
+/* The public option is negative for backwards compatibility,
+ * but internally a poisitive option is more convenient. */
+#if !defined(MBEDTLS_SSL_PROTO_NO_TLS)
+#define MBEDTLS_SSL_PROTO_TLS
+#endif
+
 /* Determine minimum supported version */
 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
 
diff --git a/library/version_features.c b/library/version_features.c
index fc0b1f8f0..b1458a4ed 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -486,9 +486,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 "MBEDTLS_SSL_PROTO_DTLS",
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_PROTO_TLS)
- "MBEDTLS_SSL_PROTO_TLS",
-#endif /* MBEDTLS_SSL_PROTO_TLS */
+#if defined(MBEDTLS_SSL_PROTO_NO_TLS)
+ "MBEDTLS_SSL_PROTO_NO_TLS",
+#endif /* MBEDTLS_SSL_PROTO_NO_TLS */
 #if defined(MBEDTLS_SSL_ALPN)
 "MBEDTLS_SSL_ALPN",
 #endif /* MBEDTLS_SSL_ALPN */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index be35a76ce..d04f5123f 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1338,13 +1338,13 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
-#if defined(MBEDTLS_SSL_PROTO_TLS)
- if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
+#if defined(MBEDTLS_SSL_PROTO_NO_TLS)
+ if( strcmp( "MBEDTLS_SSL_PROTO_NO_TLS", config ) == 0 )
 {
- MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_NO_TLS );
 return( 0 );
 }
-#endif /* MBEDTLS_SSL_PROTO_TLS */
+#endif /* MBEDTLS_SSL_PROTO_NO_TLS */
 
 #if defined(MBEDTLS_SSL_ALPN)
 if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index fc601ecd6..5d6758302 100644
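Review bot: The comment introduced above the new `#if` block has a typo, `poisitive` should be `positive`. Because `MBEDTLS_SSL_PROTO_TLS` is from now on derived here instead of being set in config.h, the comment should also tell configuration authors not to define it themselves, for example `/* MBEDTLS_SSL_PROTO_TLS is derived here; do not define it in config.h - use MBEDTLS_SSL_PROTO_NO_TLS to opt out of TLS. */`. Any translation unit that tests `MBEDTLS_SSL_PROTO_TLS` without including ssl_internal.h would now silently see it undefined; whether such files remain is not visible in this diff and is worth a grep.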
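Review bot: Replacing the `"MBEDTLS_SSL_PROTO_TLS"` entry in `features[]` with `"MBEDTLS_SSL_PROTO_NO_TLS"` removes the positive report of a TLS-capable build, so an existing caller of `mbedtls_version_check_feature( "MBEDTLS_SSL_PROTO_TLS" )` would presumably now be told the feature is unsupported even when TLS is compiled in; the `query_config()` change in programs/ssl/query_config.c has the same effect for that tool. This table looks like a one-to-one mirror of config.h options and may be script-generated, in which case the fix belongs in the generator, but either way consider keeping a `"MBEDTLS_SSL_PROTO_TLS"` entry under `#if !defined(MBEDTLS_SSL_PROTO_NO_TLS)` for compatibility with callers of the old name.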
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -44,14 +44,14 @@
 !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
 !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
 !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
- !defined(MBEDTLS_SSL_PROTO_TLS)
+ defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
 "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or"
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 62b4c4098..bbe61fd2a 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -44,7 +44,7 @@
 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_TIMING_C) || \
 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) || \
- !defined(MBEDTLS_SSL_PROTO_TLS)
+ defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( int argc, char *argv[] )
 {
 ((void) argc);
@@ -54,8 +54,8 @@ int main( int argc, char *argv[] )
 "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
- "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+ "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #elif defined(_WIN32)
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 55c90c645..bc3fc8bcd 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
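Review bot: The new fragment `"not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n"` is concatenated onto the preceding context line `"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or"`, which has no trailing space, so the printed message reads `and/ornot defined`. Every other program touched in this commit ends the preceding fragment with a space; do the same here, `"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "`, or start the new fragment with one. The old text had the same missing space, so this is a pre-existing typo that the rewrite is the right moment to fix.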
@@ -48,14 +48,14 @@
 !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
 !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
 !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_SSL_PROTO_TLS)
+ !defined(MBEDTLS_FS_IO) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
 "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
- "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
+ "not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index b00f47617..17f4584f0 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -45,7 +45,7 @@
 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
 !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) || \
- !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
+ !defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
@@ -53,8 +53,8 @@ int main( void )
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
 "MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD "
- "and/or MBEDTLS_PEM_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+ "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 05d58fa74..97918562a 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -44,15 +44,15 @@
 !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
- !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
+ !defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
 "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
- "and/or MBEDTLS_PEM_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+ "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/scripts/config.pl b/scripts/config.pl
index 86af55394..ed9aa02a6 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -31,6 +31,7 @@
 # MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 # MBEDTLS_REMOVE_3DES_CIPHERSUITES
 # MBEDTLS_SSL_HW_RECORD_ACCEL
+# MBEDTLS_SSL_PROTO_NO_DTLS
 # MBEDTLS_RSA_NO_CRT
 # MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 # MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
@@ -92,6 +93,7 @@ MBEDTLS_RSA_NO_CRT
 MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 MBEDTLS_REMOVE_3DES_CIPHERSUITES
 MBEDTLS_SSL_HW_RECORD_ACCEL
+MBEDTLS_SSL_PROTO_NO_TLS
 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_ZLIB_SUPPORT
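Review bot: The comment added in the first config.pl hunk names `MBEDTLS_SSL_PROTO_NO_DTLS`, but the symbol actually appended to the exclusion list in the second hunk, and introduced everywhere else in this commit, is `MBEDTLS_SSL_PROTO_NO_TLS`; no `MBEDTLS_SSL_PROTO_NO_DTLS` exists, so the documented list would not match the list the script enforces. Change the comment line to `# MBEDTLS_SSL_PROTO_NO_TLS`. It would also read better placed after `# MBEDTLS_RSA_NO_CRT`, matching the order of the list below where `MBEDTLS_RSA_NO_CRT` precedes the `MBEDTLS_SSL_*` entries.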