From fa6473d79bb275caef4f86ef40bcf1a14e3840f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 30 Apr 2015 18:03:08 +0200 Subject: [PATCH 01/45] Create structure ssl_config --- include/mbedtls/ssl.h | 147 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 146 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 5f4e46e5e..b0bd8962b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -786,6 +786,152 @@ struct mbedtls_ssl_flight_item }; #endif /* MBEDTLS_SSL_PROTO_DTLS */ +/** + * SSL/TLS configuration to be shared between ssl_context structures. + */ +typedef struct +{ + /* Group items by size (largest first) to minimize padding overhead */ + + /* + * Pointers + */ + + const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ + + /** Callback for printing debug output */ + void (*f_dbg)(void *, int, const char *); + void *p_dbg; /*!< context for the debug function */ + + /** Callback to retrieve a session from the cache */ + int (*f_get_cache)(void *, mbedtls_ssl_session *); + void *p_get_cache; /*!< context for cache retrieval */ + /** Callback to store a session into the cache */ + int (*f_set_cache)(void *, const mbedtls_ssl_session *); + void *p_set_cache; /*!< context for cache store */ + +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + /** Callback for setting cert according to SNI extension */ + int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); + void *p_sni; /*!< context for SNI callback */ +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + /** Callback to customize X.509 certificate chain verification */ + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *); + void *p_vrfy; /*!< context for X.509 verify calllback */ +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + /** Callback to retrieve PSK key from identity */ + int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); + void *p_psk; /*!< context for PSK callback */ +#endif + +#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) + /** Callback to create & write a cookie for ClientHello veirifcation */ + int (*f_cookie_write)( void *, unsigned char **, unsigned char *, + const unsigned char *, size_t ); + /** Callback to verify validity of a ClientHello cookie */ + int (*f_cookie_check)( void *, const unsigned char *, size_t, + const unsigned char *, size_t ); + void *p_cookie; /*!< context for the cookie callbacks */ +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ + mbedtls_x509_crt *ca_chain; /*!< trusted CAs */ + mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ +#endif /* MBEDTLS_X509_CRT_PARSE_C */ + +#if defined(MBEDTLS_SSL_SET_CURVES) + const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ +#endif + +#if defined(MBEDTLS_DHM_C) + mbedtls_mpi dhm_P; /*!< prime modulus for DHM */ + mbedtls_mpi dhm_G; /*!< generator for DHM */ +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + unsigned char *psk; /*!< pre-shared key */ + size_t psk_len; /*!< length of the pre-shared key */ + unsigned char *psk_identity; /*!< identity for PSK negotiation */ + size_t psk_identity_len;/*!< length of identity */ +#endif + +#if defined(MBEDTLS_SSL_ALPN) + const char **alpn_list; /*!< ordered list of protocols */ +#endif + + /* + * Numerical settings (int then char) + */ + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + uint32_t hs_timeout_min; /*!< initial value of the handshake + retransmission timeout */ + uint32_t hs_timeout_max; /*!< maximum value of the handshake + retransmission timeout */ +#endif + +#if defined(MBEDTLS_SSL_RENEGOTIATION) + int renego_max_records; /*!< grace period for renegotiation */ + unsigned char renego_period[8]; /*!< value of the record counters + that triggers renegotiation */ +#endif + +#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) + unsigned int badmac_limit; /*!< limit of records with a bad MAC */ +#endif + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + int ticket_lifetime; /*!< session ticket lifetime (seconds) */ +#endif + + unsigned char max_major_ver; /*!< max. major version used */ + unsigned char max_minor_ver; /*!< max. minor version used */ + unsigned char min_major_ver; /*!< min. major version used */ + unsigned char min_minor_ver; /*!< min. minor version used */ + +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + unsigned char mfl_code; /*!< desired fragment length */ +#endif + + /* + * Flags (bitfields) + */ + + unsigned int endpoint : 1; /*!< 0: client, 1: server */ + unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */ + unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */ + unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ + /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ + unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */ +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac? */ +#endif +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + unsigned int extended_ms : 1; /*!< negotiate extended master secret? */ +#endif +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) + unsigned int anti_replay : 1; /*!< detect and prevent replay? */ +#endif +#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) + unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */ +#endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) + unsigned int disable_renegotiation : 1; /*!< disable renegotiation? */ +#endif +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) + unsigned int trunc_hmac : 1; /*!< negotiate truncated hmac? */ +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + unsigned int session_tickets : 1; /*!< use session tickets? */ +#endif +} +mbedtls_ssl_config; + struct mbedtls_ssl_context { /* @@ -842,7 +988,6 @@ struct mbedtls_ssl_context void *p_bio; /*!< context for I/O operations */ void *p_get_cache; /*!< context for cache retrieval */ void *p_set_cache; /*!< context for cache store */ - void *p_hw_data; /*!< context for HW acceleration */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); From 6df3196e7ccff26c42a31069282004fe1e5196b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 10:55:47 +0200 Subject: [PATCH 02/45] Fix typo in test name --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a28f4a060..ae324dbc8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1044,7 +1044,7 @@ run_test "Session resume using cache: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" -run_test "Session resume using cache: timemout > delay" \ +run_test "Session resume using cache: timeout > delay" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ 0 \ From 7ca4e4dc79a005e37ceb94c1f53c50b1aba0564b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 10:55:58 +0200 Subject: [PATCH 03/45] Move things to conf substructure A simple series of sed invocations. This is the first step, purely internal changes. The conf substructure is not ready to be shared between contexts yet. --- include/mbedtls/ssl.h | 118 ++---------- library/debug.c | 32 ++-- library/ssl_cli.c | 126 ++++++------- library/ssl_srv.c | 150 ++++++++-------- library/ssl_tls.c | 406 +++++++++++++++++++++--------------------- 5 files changed, 374 insertions(+), 458 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b0bd8962b..f94aae84d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -868,11 +868,13 @@ typedef struct * Numerical settings (int then char) */ + uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read (ms) */ + #if defined(MBEDTLS_SSL_PROTO_DTLS) uint32_t hs_timeout_min; /*!< initial value of the handshake - retransmission timeout */ + retransmission timeout (ms) */ uint32_t hs_timeout_max; /*!< maximum value of the handshake - retransmission timeout */ + retransmission timeout (ms) */ #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) @@ -934,11 +936,12 @@ mbedtls_ssl_config; struct mbedtls_ssl_context { + mbedtls_ssl_config *conf; /*!< configuration information */ + /* * Miscellaneous */ int state; /*!< SSL handshake: current state */ - int transport; /*!< Transport: stream or datagram */ #if defined(MBEDTLS_SSL_RENEGOTIATION) int renego_status; /*!< Initial, in progress, pending? */ int renego_records_seen; /*!< Records since renego request, or with DTLS, @@ -949,60 +952,24 @@ struct mbedtls_ssl_context int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */ int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */ - int max_major_ver; /*!< max. major version used */ - int max_minor_ver; /*!< max. minor version used */ - int min_major_ver; /*!< min. major version used */ - int min_minor_ver; /*!< min. minor version used */ - - uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read in milliseconds */ - #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - unsigned badmac_limit; /*!< limit of records with a bad MAC */ unsigned badmac_seen; /*!< records with a bad MAC received */ #endif #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) char fallback; /*!< flag for fallback connections */ #endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - char encrypt_then_mac; /*!< flag for encrypt-then-mac */ -#endif -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - char extended_ms; /*!< flag for extended master secret */ -#endif - char arc4_disabled; /*!< flag for disabling RC4 */ /* - * Callbacks (RNG, debug, I/O, verification) + * Callbacks */ int (*f_rng)(void *, unsigned char *, size_t); - void (*f_dbg)(void *, int, const char *); + void *p_rng; /*!< context for the RNG function */ + int (*f_send)(void *, const unsigned char *, size_t); int (*f_recv)(void *, unsigned char *, size_t); int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t); - int (*f_get_cache)(void *, mbedtls_ssl_session *); - int (*f_set_cache)(void *, const mbedtls_ssl_session *); - - void *p_rng; /*!< context for the RNG function */ - void *p_dbg; /*!< context for the debug function */ void *p_bio; /*!< context for I/O operations */ - void *p_get_cache; /*!< context for cache retrieval */ - void *p_set_cache; /*!< context for cache store */ - -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); - void *p_sni; /*!< context for SNI extension */ -#endif - -#if defined(MBEDTLS_X509_CRT_PARSE_C) - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *); - void *p_vrfy; /*!< context for verification */ -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); - void *p_psk; /*!< context for PSK retrieval */ -#endif /* * Session layer @@ -1029,10 +996,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_PROTO_DTLS) struct mbedtls_timing_hr_time time_info; /*!< timer context */ unsigned long time_limit; /*!< limit for the running timer */ - uint32_t hs_timeout_min; /*!< initial value of the handshake - retransmission timeout */ - uint32_t hs_timeout_max; /*!< maximum value of the handshake - retransmission timeout */ #endif /* @@ -1059,7 +1022,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) uint64_t in_window_top; /*!< last validated record seq_num */ uint64_t in_window; /*!< bitmask for replay detection */ - char anti_replay; /*!< is anti-replay on? */ #endif size_t in_hslen; /*!< current handshake message length, @@ -1084,9 +1046,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_ZLIB_SUPPORT) unsigned char *compress_buf; /*!< zlib data buffer */ #endif -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */ -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) signed char split_done; /*!< flag for record splitting: -1 disabled, 0 todo, 1 done */ @@ -1096,10 +1055,6 @@ struct mbedtls_ssl_context * PKI layer */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_ssl_key_cert *key_cert; /*!< own certificate(s)/key(s) */ - - mbedtls_x509_crt *ca_chain; /*!< own trusted CA chain */ - mbedtls_x509_crl *ca_crl; /*!< trusted CA CRLs */ const char *peer_cn; /*!< expected peer CN */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1110,48 +1065,12 @@ struct mbedtls_ssl_context mbedtls_ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */ + int client_auth; /*!< flag for client auth. */ + int verify_result; /*!< verification result */ + /* * User settings */ - int endpoint; /*!< 0: client, 1: server */ - int authmode; /*!< verification mode */ - int client_auth; /*!< flag for client auth. */ - int verify_result; /*!< verification result */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - int disable_renegotiation; /*!< enable/disable renegotiation */ - int renego_max_records; /*!< grace period for renegotiation */ - unsigned char renego_period[8]; /*!< value of the record counters - that triggers renegotiation */ -#endif - /* needed for option break handshake with insecure peers */ - int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ - const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ -#if defined(MBEDTLS_SSL_SET_CURVES) - const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ -#endif -#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - int trunc_hmac; /*!< negotiate truncated hmac? */ -#endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - int session_tickets; /*!< use session tickets? */ - int ticket_lifetime; /*!< session ticket lifetime */ -#endif - -#if defined(MBEDTLS_DHM_C) - mbedtls_mpi dhm_P; /*!< prime modulus for DHM */ - mbedtls_mpi dhm_G; /*!< generator for DHM */ -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - /* - * PSK values - */ - unsigned char *psk; - size_t psk_len; - unsigned char *psk_identity; - size_t psk_identity_len; -#endif - #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /* * SNI extension @@ -1161,10 +1080,6 @@ struct mbedtls_ssl_context #endif #if defined(MBEDTLS_SSL_ALPN) - /* - * ALPN extension - */ - const char **alpn_list; /*!< ordered list of supported protocols */ const char *alpn_chosen; /*!< negotiated protocol */ #endif @@ -1174,11 +1089,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) unsigned char *cli_id; /*!< transport-level ID of the client */ size_t cli_id_len; /*!< length of cli_id */ - int (*f_cookie_write)( void *, unsigned char **, unsigned char *, - const unsigned char *, size_t ); - int (*f_cookie_check)( void *, const unsigned char *, size_t, - const unsigned char *, size_t ); - void *p_cookie; /*!< context for the cookie callbacks */ #endif /* @@ -2446,7 +2356,7 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( 13 ); #else ((void) ssl); @@ -2457,7 +2367,7 @@ static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl ) static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( 12 ); #else ((void) ssl); diff --git a/library/debug.c b/library/debug.c index 8dae2ed0a..3164ad76b 100644 --- a/library/debug.c +++ b/library/debug.c @@ -83,18 +83,18 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, char str[512]; int maxlen = sizeof( str ) - 1; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_RAW ) { - ssl->f_dbg( ssl->p_dbg, level, text ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, text ); return; } mbedtls_snprintf( str, maxlen, "%s(%04d): %s\n", file, line, text ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, @@ -105,7 +105,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, int maxlen = sizeof( str ) - 1; size_t idx = 0; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL ) @@ -115,7 +115,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, text, ret, -ret ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, @@ -126,7 +126,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, char txt[17]; size_t i, maxlen = sizeof( str ) - 1, idx = 0; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL ) @@ -136,7 +136,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, text, (unsigned int) len ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -150,7 +150,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, if( i > 0 ) { mbedtls_snprintf( str + idx, maxlen - idx, " %s\n", txt ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -175,7 +175,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, idx += mbedtls_snprintf( str + idx, maxlen - idx, " " ); mbedtls_snprintf( str + idx, maxlen - idx, " %s\n", txt ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } } @@ -187,7 +187,7 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level, char str[512]; int maxlen = sizeof( str ) - 1; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; mbedtls_snprintf( str, maxlen, "%s(X)", text ); @@ -209,7 +209,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, int j, k, maxlen = sizeof( str ) - 1, zeros = 1; size_t i, n, idx = 0; - if( ssl->f_dbg == NULL || X == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || X == NULL || level > debug_threshold ) return; for( n = X->n - 1; n > 0; n-- ) @@ -227,7 +227,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; for( i = n + 1, j = 0; i > 0; i-- ) @@ -247,7 +247,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, if( j > 0 ) { mbedtls_snprintf( str + idx, maxlen - idx, "\n" ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; } @@ -274,7 +274,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, } mbedtls_snprintf( str + idx, maxlen - idx, "\n" ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } #endif /* MBEDTLS_BIGNUM_C */ @@ -322,7 +322,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, char str[1024], prefix[64]; int i = 0, maxlen = sizeof( prefix ) - 1, idx = 0; - if( ssl->f_dbg == NULL || crt == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || crt == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL ) @@ -347,7 +347,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, text, ++i, buf ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); debug_print_pk( ssl, level, file, line, "crt->", &crt->pk ); diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 9f04b2bb4..354cc5a2b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -158,7 +158,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, *olen = 0; - if( ssl->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) + if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) return; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); @@ -262,7 +262,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); #if defined(MBEDTLS_SSL_SET_CURVES) - for( grp_id = ssl->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) + for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) { info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); #else @@ -320,7 +320,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { *olen = 0; return; } @@ -333,7 +333,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, *p++ = 0x00; *p++ = 1; - *p++ = ssl->mfl_code; + *p++ = ssl->conf->mfl_code; *olen = 5; } @@ -345,7 +345,7 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) + if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) { *olen = 0; return; @@ -369,8 +369,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || - ssl->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) + if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || + ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; return; @@ -395,8 +395,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || - ssl->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) + if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; return; @@ -422,7 +422,7 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, unsigned char *p = buf; size_t tlen = ssl->session_negotiate->ticket_len; - if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) + if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) { *olen = 0; return; @@ -459,7 +459,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, unsigned char *p = buf; const char **cur; - if( ssl->alpn_list == NULL ) + if( ssl->conf->alpn_list == NULL ) { *olen = 0; return; @@ -481,7 +481,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, /* Skip writing extension and list length for now */ p += 4; - for( cur = ssl->alpn_list; *cur != NULL; cur++ ) + for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) { *p = (unsigned char)( strlen( *cur ) & 0xFF ); memcpy( p + 1, *cur, *p ); @@ -515,7 +515,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl ) * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake->verify_cookie != NULL ) { return( 0 ); @@ -565,14 +565,14 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) #endif { - ssl->major_ver = ssl->min_major_ver; - ssl->minor_ver = ssl->min_minor_ver; + ssl->major_ver = ssl->conf->min_major_ver; + ssl->minor_ver = ssl->conf->min_minor_ver; } - if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 ) + if( ssl->conf->max_major_ver == 0 && ssl->conf->max_minor_ver == 0 ) { - ssl->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; - ssl->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; + ssl->conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; + ssl->conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; } /* @@ -585,8 +585,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) buf = ssl->out_msg; p = buf + 4; - mbedtls_ssl_write_version( ssl->max_major_ver, ssl->max_minor_ver, - ssl->transport, p ); + mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, + ssl->conf->transport, p ); p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", @@ -659,7 +659,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * DTLS cookie */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { if( ssl->handshake->verify_cookie == NULL ) { @@ -683,7 +683,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) /* * Ciphersuite list */ - ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; /* Skip writing ciphersuite length for now */ n = 0; @@ -697,17 +697,17 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) if( ciphersuite_info == NULL ) continue; - if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver || - ciphersuite_info->max_minor_ver < ssl->min_minor_ver ) + if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || + ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) continue; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) continue; #endif - if( ssl->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && + if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) continue; @@ -760,7 +760,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * an actual need for it. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) offer_compress = 0; #endif @@ -860,7 +860,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -928,9 +928,9 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, * server should use the extension only if we did, * and if so the server's value should match ours (and len is always 1) */ - if( ssl->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || len != 1 || - buf[0] != ssl->mfl_code ) + buf[0] != ssl->conf->mfl_code ) { return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } @@ -944,7 +944,7 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || + if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || len != 0 ) { return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); @@ -963,7 +963,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || + if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || len != 0 ) { @@ -983,7 +983,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || len != 0 ) { @@ -1003,7 +1003,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || + if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || len != 0 ) { return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); @@ -1060,7 +1060,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, const char **p; /* If we didn't send it, the server shouldn't send it */ - if( ssl->alpn_list == NULL ) + if( ssl->conf->alpn_list == NULL ) return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); /* @@ -1086,7 +1086,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); /* Check that the server chosen protocol was in our list and save it */ - for( p = ssl->alpn_list; *p != NULL; p++ ) + for( p = ssl->conf->alpn_list; *p != NULL; p++ ) { if( name_len == strlen( *p ) && memcmp( buf + 3, *p, name_len ) == 0 ) @@ -1119,7 +1119,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) * } HelloVerifyRequest; */ MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); - mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->transport, p ); + mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); p += 2; /* @@ -1128,8 +1128,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) */ if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || - major_ver > ssl->max_major_ver || - minor_ver > ssl->max_minor_ver ) + major_ver > ssl->conf->max_major_ver || + minor_ver > ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); @@ -1199,8 +1199,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) { ssl->renego_records_seen++; - if( ssl->renego_max_records >= 0 && - ssl->renego_records_seen > ssl->renego_max_records ) + if( ssl->conf->renego_max_records >= 0 && + ssl->renego_records_seen > ssl->conf->renego_max_records ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " "but not honored by server" ) ); @@ -1217,7 +1217,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) { @@ -1257,18 +1257,18 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->transport, buf + 0 ); + ssl->conf->transport, buf + 0 ); - if( ssl->major_ver < ssl->min_major_ver || - ssl->minor_ver < ssl->min_minor_ver || - ssl->major_ver > ssl->max_major_ver || - ssl->minor_ver > ssl->max_minor_ver ) + if( ssl->major_ver < ssl->conf->min_major_ver || + ssl->minor_ver < ssl->conf->min_minor_ver || + ssl->major_ver > ssl->conf->max_major_ver || + ssl->minor_ver > ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " " min: [%d:%d], server: [%d:%d], max: [%d:%d]", - ssl->min_major_ver, ssl->min_minor_ver, + ssl->conf->min_major_ver, ssl->conf->min_minor_ver, ssl->major_ver, ssl->minor_ver, - ssl->max_major_ver, ssl->max_minor_ver ) ); + ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); @@ -1334,7 +1334,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) /* See comments in ssl_write_client_hello() */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) accept_comp = 0; #endif @@ -1402,7 +1402,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); if( suite_info == NULL || - ( ssl->arc4_disabled && + ( ssl->conf->arc4_disabled && suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); @@ -1413,13 +1413,13 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) i = 0; while( 1 ) { - if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 ) + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - if( ssl->ciphersuite_list[ssl->minor_ver][i++] == + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == ssl->session_negotiate->ciphersuite ) { break; @@ -1575,7 +1575,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) * Renegotiation security checks */ if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; @@ -1590,7 +1590,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); handshake_failure = 1; @@ -1779,8 +1779,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, * opaque random[46]; * } PreMasterSecret; */ - mbedtls_ssl_write_version( ssl->max_major_ver, ssl->max_minor_ver, - ssl->transport, p ); + mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, + ssl->conf->transport, p ); if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 ) { @@ -2426,7 +2426,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -2535,16 +2535,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) /* * opaque psk_identity<0..2^16-1>; */ - if( ssl->psk == NULL || ssl->psk_identity == NULL ) + if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); i = 4; - n = ssl->psk_identity_len; + n = ssl->conf->psk_identity_len; ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n ); - memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len ); - i += ssl->psk_identity_len; + memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); + i += ssl->conf->psk_identity_len; #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) @@ -2944,7 +2944,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 3a6a3fec8..bb5e7e0c2 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -333,7 +333,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_HAVE_TIME) /* Check if still valid */ - if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime ) + if( (int) ( time( NULL) - session.start ) > ssl->conf->ticket_lifetime ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "session ticket expired" ) ); mbedtls_ssl_session_free( &session ); @@ -363,7 +363,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, const unsigned char *info, size_t ilen ) { - if( ssl->endpoint != MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); mbedtls_free( ssl->cli_id ); @@ -382,9 +382,9 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl, mbedtls_ssl_cookie_check_t *f_cookie_check, void *p_cookie ) { - ssl->f_cookie_write = f_cookie_write; - ssl->f_cookie_check = f_cookie_check; - ssl->p_cookie = p_cookie; + ssl->conf->f_cookie_write = f_cookie_write; + ssl->conf->f_cookie_check = f_cookie_check; + ssl->conf->p_cookie = p_cookie; } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ @@ -397,13 +397,13 @@ static int ssl_sni_wrapper( mbedtls_ssl_context *ssl, const unsigned char* name, size_t len ) { int ret; - mbedtls_ssl_key_cert *key_cert_ori = ssl->key_cert; + mbedtls_ssl_key_cert *key_cert_ori = ssl->conf->key_cert; - ssl->key_cert = NULL; - ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); - ssl->handshake->sni_key_cert = ssl->key_cert; + ssl->conf->key_cert = NULL; + ret = ssl->conf->f_sni( ssl->conf->p_sni, ssl, name, len ); + ssl->handshake->sni_key_cert = ssl->conf->key_cert; - ssl->key_cert = key_cert_ori; + ssl->conf->key_cert = key_cert_ori; return( ret ); } @@ -670,7 +670,7 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, ((void) buf); - if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) + if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; return( 0 ); @@ -690,7 +690,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, ((void) buf); - if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && + if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) { ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; @@ -713,7 +713,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, ((void) buf); - if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && + if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) { ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; @@ -730,7 +730,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, { int ret; - if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) + if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) return( 0 ); /* Remember the client asked us to send a new ticket */ @@ -778,7 +778,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, const char **ours; /* If ALPN not configured, just ignore the extension */ - if( ssl->alpn_list == NULL ) + if( ssl->conf->alpn_list == NULL ) return( 0 ); /* @@ -802,7 +802,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, */ start = buf + 2; end = buf + len; - for( ours = ssl->alpn_list; *ours != NULL; ours++ ) + for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) { ours_len = strlen( *ours ); for( theirs = start; theirs != end; theirs += cur_len ) @@ -982,12 +982,12 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) return( 0 ); #endif - if( ssl->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && + if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); @@ -1009,9 +1009,9 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, /* If the ciphersuite requires a pre-shared key and we don't * have one, skip it now rather than failing later */ if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && - ssl->f_psk == NULL && - ( ssl->psk == NULL || ssl->psk_identity == NULL || - ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) + ssl->conf->f_psk == NULL && + ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); return( 0 ); @@ -1100,15 +1100,15 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) } ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver ) - ? buf[4] : ssl->max_minor_ver; + ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) + ? buf[4] : ssl->conf->max_minor_ver; - if( ssl->minor_ver < ssl->min_minor_ver ) + if( ssl->minor_ver < ssl->conf->min_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver, - ssl->min_major_ver, ssl->min_minor_ver ) ); + ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); @@ -1224,7 +1224,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); - if( ssl->minor_ver < ssl->max_minor_ver ) + if( ssl->minor_ver < ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); @@ -1240,7 +1240,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ got_common_suite = 0; - ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; ciphersuite_info = NULL; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) @@ -1291,7 +1291,7 @@ have_ciphersuite_v2: * SSLv2 Client Hello relevant renegotiation security checks */ if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); @@ -1353,7 +1353,7 @@ read_record_header: #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) #endif if( ( buf[0] & 0x80 ) != 0 ) return ssl_parse_client_hello_v2( ssl ); @@ -1385,7 +1385,7 @@ read_record_header: MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", buf[1], buf[2] ) ); - mbedtls_ssl_read_version( &major, &minor, ssl->transport, buf + 1 ); + mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); /* According to RFC 5246 Appendix E.1, the version here is typically * "{03,00}, the lowest version number supported by the client, [or] the @@ -1400,7 +1400,7 @@ read_record_header: /* For DTLS if this is the initial handshake, remember the client sequence * number to use it in our next message (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM #if defined(MBEDTLS_SSL_RENEGOTIATION) && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE #endif @@ -1455,7 +1455,7 @@ read_record_header: /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); else #endif @@ -1502,7 +1502,7 @@ read_record_header: } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* * Copy the client's handshake message_seq on initial handshakes, @@ -1583,18 +1583,18 @@ read_record_header: MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->transport, buf ); + ssl->conf->transport, buf ); ssl->handshake->max_major_ver = ssl->major_ver; ssl->handshake->max_minor_ver = ssl->minor_ver; - if( ssl->major_ver < ssl->min_major_ver || - ssl->minor_ver < ssl->min_minor_ver ) + if( ssl->major_ver < ssl->conf->min_major_ver || + ssl->minor_ver < ssl->conf->min_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver, - ssl->min_major_ver, ssl->min_minor_ver ) ); + ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); @@ -1602,13 +1602,13 @@ read_record_header: return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); } - if( ssl->major_ver > ssl->max_major_ver ) + if( ssl->major_ver > ssl->conf->max_major_ver ) { - ssl->major_ver = ssl->max_major_ver; - ssl->minor_ver = ssl->max_minor_ver; + ssl->major_ver = ssl->conf->max_major_ver; + ssl->minor_ver = ssl->conf->max_minor_ver; } - else if( ssl->minor_ver > ssl->max_minor_ver ) - ssl->minor_ver = ssl->max_minor_ver; + else if( ssl->minor_ver > ssl->conf->max_minor_ver ) + ssl->minor_ver = ssl->conf->max_minor_ver; /* * Save client random (inc. Unix time) @@ -1641,7 +1641,7 @@ read_record_header: * Check the cookie length and content */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { cookie_offset = 35 + sess_len; cookie_len = buf[cookie_offset]; @@ -1656,13 +1656,13 @@ read_record_header: buf + cookie_offset + 1, cookie_len ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if( ssl->f_cookie_check != NULL + if( ssl->conf->f_cookie_check != NULL #if defined(MBEDTLS_SSL_RENEGOTIATION) && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE #endif ) { - if( ssl->f_cookie_check( ssl->p_cookie, + if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, buf + cookie_offset + 1, cookie_len, ssl->cli_id, ssl->cli_id_len ) != 0 ) { @@ -1743,7 +1743,7 @@ read_record_header: /* See comments in ssl_write_client_hello() */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; #endif @@ -1793,7 +1793,7 @@ read_record_header: #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) case MBEDTLS_TLS_EXT_SERVERNAME: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); - if( ssl->f_sni == NULL ) + if( ssl->conf->f_sni == NULL ) break; ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); @@ -1931,7 +1931,7 @@ read_record_header: { MBEDTLS_SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) ); - if( ssl->minor_ver < ssl->max_minor_ver ) + if( ssl->minor_ver < ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) ); @@ -1974,7 +1974,7 @@ read_record_header: * Renegotiation security checks */ if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; @@ -1989,7 +1989,7 @@ read_record_header: } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); handshake_failure = 1; @@ -2017,7 +2017,7 @@ read_record_header: * and certificate from the SNI callback triggered by the SNI extension.) */ got_common_suite = 0; - ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; ciphersuite_info = NULL; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) @@ -2068,7 +2068,7 @@ have_ciphersuite: ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -2351,12 +2351,12 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) /* The RFC is not clear on this point, but sending the actual negotiated * version looks like the most interoperable thing to do. */ mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, p ); + ssl->conf->transport, p ); MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); p += 2; /* If we get here, f_cookie_check is not null */ - if( ssl->f_cookie_write == NULL ) + if( ssl->conf->f_cookie_write == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -2365,7 +2365,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) /* Skip length byte until we know the length */ cookie_len_byte = p++; - if( ( ret = ssl->f_cookie_write( ssl->p_cookie, + if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, ssl->cli_id, ssl->cli_id_len ) ) != 0 ) { @@ -2407,7 +2407,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake->verify_cookie_len != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); @@ -2434,7 +2434,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) p = buf + 4; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, p ); + ssl->conf->transport, p ); p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", @@ -2474,8 +2474,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && #endif ssl->session_negotiate->length != 0 && - ssl->f_get_cache != NULL && - ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) + ssl->conf->f_get_cache != NULL && + ssl->conf->f_get_cache( ssl->conf->p_get_cache, ssl->session_negotiate ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); ssl->handshake->resume = 1; @@ -2651,7 +2651,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ssl->authmode == MBEDTLS_SSL_VERIFY_NONE ) + ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); return( 0 ); @@ -2743,7 +2743,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) * opaque DistinguishedName<1..2^16-1>; */ p += 2; - crt = ssl->ca_chain; + crt = ssl->conf->ca_chain; total_dn_size = 0; while( crt != NULL && crt->version != 0 ) @@ -2880,8 +2880,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) * opaque dh_Ys<1..2^16-1>; * } ServerDHParams; */ - if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 || - ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || + ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); return( ret ); @@ -2927,7 +2927,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) const mbedtls_ecp_group_id *gid; /* Match our preference list against the offered curves */ - for( gid = ssl->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) if( (*curve)->grp_id == *gid ) goto curve_matching_done; @@ -3167,7 +3167,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -3268,7 +3268,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, mbedtls_ssl_write_version( ssl->handshake->max_major_ver, ssl->handshake->max_minor_ver, - ssl->transport, ver ); + ssl->conf->transport, ver ); /* * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding * must not cause the connection to end immediately; instead, send a @@ -3320,9 +3320,9 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha int ret = 0; size_t n; - if( ssl->f_psk == NULL && - ( ssl->psk == NULL || ssl->psk_identity == NULL || - ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) + if( ssl->conf->f_psk == NULL && + ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); @@ -3346,17 +3346,17 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); } - if( ssl->f_psk != NULL ) + if( ssl->conf->f_psk != NULL ) { - if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 ) + if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } else { /* Identity is not a big secret since clients send it in the clear, * but treat it carefully anyway, just in case */ - if( n != ssl->psk_identity_len || - mbedtls_ssl_safer_memcmp( ssl->psk_identity, *p, n ) != 0 ) + if( n != ssl->conf->psk_identity_len || + mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) { ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } @@ -3796,7 +3796,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) { int ret; size_t tlen; - uint32_t lifetime = (uint32_t) ssl->ticket_lifetime; + uint32_t lifetime = (uint32_t) ssl->conf->ticket_lifetime; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); @@ -3864,7 +3864,7 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9fb2c9719..17c64957a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -68,7 +68,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( 2 ); #else ((void) ssl); @@ -111,16 +111,16 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) { uint32_t new_timeout; - if( ssl->handshake->retransmit_timeout >= ssl->hs_timeout_max ) + if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) return( -1 ); new_timeout = 2 * ssl->handshake->retransmit_timeout; /* Avoid arithmetic overflow and range overflow */ if( new_timeout < ssl->handshake->retransmit_timeout || - new_timeout > ssl->hs_timeout_max ) + new_timeout > ssl->conf->hs_timeout_max ) { - new_timeout = ssl->hs_timeout_max; + new_timeout = ssl->conf->hs_timeout_max; } ssl->handshake->retransmit_timeout = new_timeout; @@ -132,7 +132,7 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) { - ssl->handshake->retransmit_timeout = ssl->hs_timeout_min; + ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", ssl->handshake->retransmit_timeout ) ); } @@ -772,7 +772,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * Finally setup the cipher contexts, IVs and MAC secrets. */ #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { key1 = keyblk + transform->maclen * 2; key2 = keyblk + transform->maclen * 2 + transform->keylen; @@ -792,7 +792,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { key1 = keyblk + transform->maclen * 2 + transform->keylen; key2 = keyblk + transform->maclen * 2; @@ -1077,12 +1077,12 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) { - if( end - p < 2 + (int) ssl->psk_len ) + if( end - p < 2 + (int) ssl->conf->psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - *(p++) = (unsigned char)( ssl->psk_len >> 8 ); - *(p++) = (unsigned char)( ssl->psk_len ); - p += ssl->psk_len; + *(p++) = (unsigned char)( ssl->conf->psk_len >> 8 ); + *(p++) = (unsigned char)( ssl->conf->psk_len ); + p += ssl->conf->psk_len; } else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ @@ -1149,13 +1149,13 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } /* opaque psk<0..2^16-1>; */ - if( end - p < 2 + (int) ssl->psk_len ) + if( end - p < 2 + (int) ssl->conf->psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - *(p++) = (unsigned char)( ssl->psk_len >> 8 ); - *(p++) = (unsigned char)( ssl->psk_len ); - memcpy( p, ssl->psk, ssl->psk_len ); - p += ssl->psk_len; + *(p++) = (unsigned char)( ssl->conf->psk_len >> 8 ); + *(p++) = (unsigned char)( ssl->conf->psk_len ); + memcpy( p, ssl->conf->psk, ssl->conf->psk_len ); + p += ssl->conf->psk_len; ssl->handshake->pmslen = p - ssl->handshake->premaster; @@ -1327,7 +1327,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) memcpy( add_data, ssl->out_ctr, 8 ); add_data[8] = ssl->out_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, add_data + 9 ); + ssl->conf->transport, add_data + 9 ); add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; add_data[12] = ssl->out_msglen & 0xFF; @@ -1622,7 +1622,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) memcpy( add_data, ssl->in_ctr, 8 ); add_data[8] = ssl->in_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, add_data + 9 ); + ssl->conf->transport, add_data + 9 ); add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; add_data[12] = ssl->in_msglen & 0xFF; @@ -2005,7 +2005,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) ssl->nb_zero = 0; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { ; /* in_ctr read from peer, not maintained internally */ } @@ -2138,9 +2138,9 @@ static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) { /* If renegotiation is not enforced, retransmit until we would reach max * timeout if we were using the usual handshake doubling scheme */ - if( ssl->renego_max_records < 0 ) + if( ssl->conf->renego_max_records < 0 ) { - uint32_t ratio = ssl->hs_timeout_max / ssl->hs_timeout_min + 1; + uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; unsigned char doublings = 1; while( ratio != 0 ) @@ -2197,7 +2197,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { uint32_t timeout; @@ -2272,7 +2272,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) timeout = ssl->handshake->retransmit_timeout; else - timeout = ssl->read_timeout; + timeout = ssl->conf->read_timeout; MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); @@ -2310,7 +2310,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) return( MBEDTLS_ERR_NET_WANT_READ ); } #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) - else if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) @@ -2655,7 +2655,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { @@ -2677,7 +2677,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) * uint24 fragment_length; */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Make room for the additional DTLS fields */ memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); @@ -2709,7 +2709,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) /* Save handshake and CCS messages for resending */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || @@ -2757,7 +2757,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) { ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, ssl->out_hdr + 1 ); + ssl->conf->transport, ssl->out_hdr + 1 ); ssl->out_len[0] = (unsigned char)( len >> 8 ); ssl->out_len[1] = (unsigned char)( len ); @@ -3036,7 +3036,7 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { int ret; unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; @@ -3104,7 +3104,7 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) /* Handshake message is complete, increment counter */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL ) { ssl->handshake->in_msg_seq++; @@ -3149,7 +3149,7 @@ int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); uint64_t bit; - if( ssl->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) return( 0 ); if( rec_seqnum > ssl->in_window_top ) @@ -3173,7 +3173,7 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) { uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); - if( ssl->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) return; if( rec_seqnum > ssl->in_window_top ) @@ -3218,7 +3218,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) ssl->in_msgtype = ssl->in_hdr[0]; ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; - mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->transport, ssl->in_hdr + 1 ); + mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " "version = [%d:%d], msglen = %d", @@ -3244,7 +3244,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Drop unexpected ChangeCipherSpec messages */ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && @@ -3278,7 +3278,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } - if( minor_ver > ssl->max_minor_ver ) + if( minor_ver > ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); @@ -3286,7 +3286,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) /* Check epoch (and sequence number) with DTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; @@ -3421,7 +3421,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_ZLIB_SUPPORT */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { mbedtls_ssl_dtls_replay_update( ssl ); } @@ -3480,7 +3480,7 @@ read_record_header: if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Ignore bad record and get next one; drop the whole datagram * since current header cannot be trusted to find the next record @@ -3507,7 +3507,7 @@ read_record_header: /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); else #endif @@ -3516,15 +3516,15 @@ read_record_header: if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Silently discard invalid records */ if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || ret == MBEDTLS_ERR_SSL_INVALID_MAC ) { #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - if( ssl->badmac_limit != 0 && - ++ssl->badmac_seen >= ssl->badmac_limit ) + if( ssl->conf->badmac_limit != 0 && + ++ssl->badmac_seen >= ssl->conf->badmac_limit ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); return( MBEDTLS_ERR_SSL_INVALID_MAC ); @@ -3569,7 +3569,7 @@ read_record_header: * being mistaken for an ancient message in the current handshake. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { @@ -3735,7 +3735,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { if( ssl->client_auth == 0 ) { @@ -3764,7 +3764,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { if( mbedtls_ssl_own_cert( ssl ) == NULL ) { @@ -3849,8 +3849,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && - ( ssl->authmode == MBEDTLS_SSL_VERIFY_NONE || + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ) { ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; @@ -3873,7 +3873,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) /* * Check if the client sent an empty certificate */ - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { if( ssl->in_msglen == 2 && @@ -3884,7 +3884,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if( ssl->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) return( 0 ); else return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); @@ -3894,7 +3894,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) { if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && @@ -3905,7 +3905,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if( ssl->authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) + if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); else return( 0 ); @@ -3997,7 +3997,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * avoid "triple handshake" attack: https://secure-resumption.com/ */ #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) { if( ssl->session->peer_cert == NULL ) @@ -4018,9 +4018,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ - if( ssl->authmode != MBEDTLS_SSL_VERIFY_NONE ) + if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) { - if( ssl->ca_chain == NULL ) + if( ssl->conf->ca_chain == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED ); @@ -4030,9 +4030,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * Main check: verify certificate */ ret = mbedtls_x509_crt_verify( ssl->session_negotiate->peer_cert, - ssl->ca_chain, ssl->ca_crl, ssl->peer_cn, + ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->peer_cn, &ssl->session_negotiate->verify_result, - ssl->f_vrfy, ssl->p_vrfy ); + ssl->conf->f_vrfy, ssl->conf->p_vrfy ); if( ret != 0 ) { @@ -4060,7 +4060,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, ciphersuite_info, - ! ssl->endpoint, + ! ssl->conf->endpoint, &ssl->session_negotiate->verify_result ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); @@ -4068,7 +4068,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; } - if( ssl->authmode != MBEDTLS_SSL_VERIFY_REQUIRED ) + if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_REQUIRED ) ret = 0; } @@ -4140,7 +4140,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) ssl->session_in = ssl->session_negotiate; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) ssl_dtls_replay_reset( ssl ); @@ -4571,16 +4571,16 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) /* * Add cache entry */ - if( ssl->f_set_cache != NULL && + if( ssl->conf->f_set_cache != NULL && ssl->session->length != 0 && resume == 0 ) { - if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 ) + if( ssl->conf->f_set_cache( ssl->conf->p_set_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake->flight != NULL ) { /* Cancel handshake timer */ @@ -4616,7 +4616,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) else ssl->out_msg = ssl->out_iv; - ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint ); + ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63) hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; @@ -4637,11 +4637,11 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; #endif } @@ -4655,7 +4655,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { unsigned char i; @@ -4697,7 +4697,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -4726,7 +4726,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); - ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 ); + ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) { @@ -4770,11 +4770,11 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; #endif } @@ -4782,7 +4782,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -4893,7 +4893,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl_handshake_params_init( ssl->handshake ); #if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl->handshake->key_cert = ssl->key_cert; + ssl->handshake->key_cert = ssl->conf->key_cert; #endif /* @@ -4904,7 +4904,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl->handshake->alt_transform_out = ssl->transform_out; // TODO: not the right place, we may not know endpoint yet - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; else ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; @@ -4958,28 +4958,34 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) int ret; int len = MBEDTLS_SSL_BUFFER_LEN; + ssl->conf = mbedtls_malloc( sizeof( mbedtls_ssl_config ) ); + if( ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); + + memset( ssl->conf, 0, sizeof( mbedtls_ssl_config ) ); + /* * Sane defaults */ - ssl->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - ssl->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ - ssl->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; - ssl->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; + ssl->conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; + ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ + ssl->conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; + ssl->conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; mbedtls_ssl_set_ciphersuites( ssl, mbedtls_ssl_list_ciphersuites() ); mbedtls_ssl_set_arc4_support( ssl, MBEDTLS_SSL_ARC4_DISABLED ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; - memset( ssl->renego_period, 0xFF, 7 ); - ssl->renego_period[7] = 0x00; + ssl->conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; + memset( ssl->conf->renego_period, 0xFF, 7 ); + ssl->conf->renego_period[7] = 0x00; #endif #if defined(MBEDTLS_DHM_C) - if( ( ret = mbedtls_mpi_read_string( &ssl->dhm_P, 16, + if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_P, 16, MBEDTLS_DHM_RFC5114_MODP_1024_P) ) != 0 || - ( ret = mbedtls_mpi_read_string( &ssl->dhm_G, 16, + ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_G, 16, MBEDTLS_DHM_RFC5114_MODP_1024_G) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); @@ -5006,33 +5012,33 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) (void) mbedtls_ssl_set_transport( ssl, MBEDTLS_SSL_TRANSPORT_STREAM ); #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - ssl->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; + ssl->conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - ssl->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; + ssl->conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - ssl->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; + ssl->conf->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; #endif #if defined(MBEDTLS_SSL_SET_CURVES) - ssl->curve_list = mbedtls_ecp_grp_id_list( ); + ssl->conf->curve_list = mbedtls_ecp_grp_id_list( ); #endif #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - ssl->f_cookie_write = ssl_cookie_write_dummy; - ssl->f_cookie_check = ssl_cookie_check_dummy; + ssl->conf->f_cookie_write = ssl_cookie_write_dummy; + ssl->conf->f_cookie_check = ssl_cookie_check_dummy; #endif #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - ssl->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; + ssl->conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; - ssl->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; + ssl->conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; + ssl->conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; #endif if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) @@ -5198,20 +5204,20 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) */ void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ) { - ssl->endpoint = endpoint; + ssl->conf->endpoint = endpoint; #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_CLI_C) if( endpoint == MBEDTLS_SSL_IS_CLIENT ) { - ssl->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; - ssl->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; + ssl->conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; + ssl->conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; } #endif #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( endpoint == MBEDTLS_SSL_IS_SERVER ) - ssl->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; + ssl->conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; #endif } @@ -5220,7 +5226,7 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) #if defined(MBEDTLS_SSL_PROTO_DTLS) if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - ssl->transport = transport; + ssl->conf->transport = transport; ssl->out_hdr = ssl->out_buf; ssl->out_ctr = ssl->out_buf + 3; @@ -5235,11 +5241,11 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) ssl->in_msg = ssl->in_buf + 13; /* DTLS starts with TLS1.1 */ - if( ssl->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + if( ssl->conf->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) + ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; - if( ssl->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + if( ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) + ssl->conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; return( 0 ); } @@ -5247,7 +5253,7 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) if( transport == MBEDTLS_SSL_TRANSPORT_STREAM ) { - ssl->transport = transport; + ssl->conf->transport = transport; ssl->out_ctr = ssl->out_buf; ssl->out_hdr = ssl->out_buf + 8; @@ -5270,28 +5276,28 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode ) { - ssl->anti_replay = mode; + ssl->conf->anti_replay = mode; } #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit ) { - ssl->badmac_limit = limit; + ssl->conf->badmac_limit = limit; } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_context *ssl, uint32_t min, uint32_t max ) { - ssl->hs_timeout_min = min; - ssl->hs_timeout_max = max; + ssl->conf->hs_timeout_min = min; + ssl->conf->hs_timeout_max = max; } #endif void mbedtls_ssl_set_authmode( mbedtls_ssl_context *ssl, int authmode ) { - ssl->authmode = authmode; + ssl->conf->authmode = authmode; } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -5299,8 +5305,8 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), void *p_vrfy ) { - ssl->f_vrfy = f_vrfy; - ssl->p_vrfy = p_vrfy; + ssl->conf->f_vrfy = f_vrfy; + ssl->conf->p_vrfy = p_vrfy; } #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -5316,8 +5322,8 @@ void mbedtls_ssl_set_dbg( mbedtls_ssl_context *ssl, void (*f_dbg)(void *, int, const char *), void *p_dbg ) { - ssl->f_dbg = f_dbg; - ssl->p_dbg = p_dbg; + ssl->conf->f_dbg = f_dbg; + ssl->conf->p_dbg = p_dbg; } #if ! defined(MBEDTLS_DEPRECATED_REMOVED) @@ -5350,7 +5356,7 @@ void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, ssl->f_send = f_send; ssl->f_recv = f_recv; ssl->f_recv_timeout = f_recv_timeout; - ssl->read_timeout = timeout; + ssl->conf->read_timeout = timeout; } #if defined(MBEDTLS_SSL_SRV_C) @@ -5358,10 +5364,10 @@ void mbedtls_ssl_set_session_cache( mbedtls_ssl_context *ssl, int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache, int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache ) { - ssl->f_get_cache = f_get_cache; - ssl->p_get_cache = p_get_cache; - ssl->f_set_cache = f_set_cache; - ssl->p_set_cache = p_set_cache; + ssl->conf->f_get_cache = f_get_cache; + ssl->conf->p_get_cache = p_get_cache; + ssl->conf->f_set_cache = f_set_cache; + ssl->conf->p_set_cache = p_set_cache; } #endif /* MBEDTLS_SSL_SRV_C */ @@ -5373,7 +5379,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session if( ssl == NULL || session == NULL || ssl->session_negotiate == NULL || - ssl->endpoint != MBEDTLS_SSL_IS_CLIENT ) + ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -5389,10 +5395,10 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_context *ssl, const int *ciphersuites ) { - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; } void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, @@ -5405,7 +5411,7 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) return; - ssl->ciphersuite_list[minor] = ciphersuites; + ssl->conf->ciphersuite_list[minor] = ciphersuites; } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -5421,15 +5427,15 @@ static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) memset( key_cert, 0, sizeof( mbedtls_ssl_key_cert ) ); /* Append the new key_cert to the (possibly empty) current list */ - if( ssl->key_cert == NULL ) + if( ssl->conf->key_cert == NULL ) { - ssl->key_cert = key_cert; + ssl->conf->key_cert = key_cert; if( ssl->handshake != NULL ) ssl->handshake->key_cert = key_cert; } else { - last = ssl->key_cert; + last = ssl->conf->key_cert; while( last->next != NULL ) last = last->next; last->next = key_cert; @@ -5441,8 +5447,8 @@ static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) void mbedtls_ssl_set_ca_chain( mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl, const char *peer_cn ) { - ssl->ca_chain = ca_chain; - ssl->ca_crl = ca_crl; + ssl->conf->ca_chain = ca_chain; + ssl->conf->ca_crl = ca_crl; ssl->peer_cn = peer_cn; } @@ -5471,25 +5477,25 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, siz if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( ssl->psk != NULL || ssl->psk_identity != NULL ) + if( ssl->conf->psk != NULL || ssl->conf->psk_identity != NULL ) { - mbedtls_free( ssl->psk ); - mbedtls_free( ssl->psk_identity ); + mbedtls_free( ssl->conf->psk ); + mbedtls_free( ssl->conf->psk_identity ); } - if( ( ssl->psk = mbedtls_malloc( psk_len ) ) == NULL || - ( ssl->psk_identity = mbedtls_malloc( psk_identity_len ) ) == NULL ) + if( ( ssl->conf->psk = mbedtls_malloc( psk_len ) ) == NULL || + ( ssl->conf->psk_identity = mbedtls_malloc( psk_identity_len ) ) == NULL ) { - mbedtls_free( ssl->psk ); - ssl->psk = NULL; + mbedtls_free( ssl->conf->psk ); + ssl->conf->psk = NULL; return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); } - ssl->psk_len = psk_len; - ssl->psk_identity_len = psk_identity_len; + ssl->conf->psk_len = psk_len; + ssl->conf->psk_identity_len = psk_identity_len; - memcpy( ssl->psk, psk, ssl->psk_len ); - memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len ); + memcpy( ssl->conf->psk, psk, ssl->conf->psk_len ); + memcpy( ssl->conf->psk_identity, psk_identity, ssl->conf->psk_identity_len ); return( 0 ); } @@ -5499,8 +5505,8 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_context *ssl, size_t), void *p_psk ) { - ssl->f_psk = f_psk; - ssl->p_psk = p_psk; + ssl->conf->f_psk = f_psk; + ssl->conf->p_psk = p_psk; } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ @@ -5509,13 +5515,13 @@ int mbedtls_ssl_set_dh_param( mbedtls_ssl_context *ssl, const char *dhm_P, const { int ret; - if( ( ret = mbedtls_mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_P, 16, dhm_P ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); return( ret ); } - if( ( ret = mbedtls_mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_G, 16, dhm_G ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); return( ret ); @@ -5528,13 +5534,13 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context { int ret; - if( ( ret = mbedtls_mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &ssl->conf->dhm_P, &dhm_ctx->P ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); return( ret ); } - if( ( ret = mbedtls_mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &ssl->conf->dhm_G, &dhm_ctx->G ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); return( ret ); @@ -5550,7 +5556,7 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context */ void mbedtls_ssl_set_curves( mbedtls_ssl_context *ssl, const mbedtls_ecp_group_id *curve_list ) { - ssl->curve_list = curve_list; + ssl->conf->curve_list = curve_list; } #endif @@ -5583,8 +5589,8 @@ void mbedtls_ssl_set_sni( mbedtls_ssl_context *ssl, const unsigned char *, size_t), void *p_sni ) { - ssl->f_sni = f_sni; - ssl->p_sni = p_sni; + ssl->conf->f_sni = f_sni; + ssl->conf->p_sni = p_sni; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ @@ -5608,7 +5614,7 @@ int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_context *ssl, const char **proto return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ssl->alpn_list = protos; + ssl->conf->alpn_list = protos; return( 0 ); } @@ -5628,7 +5634,7 @@ static int ssl_check_version( const mbedtls_ssl_context *ssl, int major, int min } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && minor < MBEDTLS_SSL_MINOR_VERSION_2 ) { return( -1 ); @@ -5645,8 +5651,8 @@ int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor if( ssl_check_version( ssl, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->max_major_ver = major; - ssl->max_minor_ver = minor; + ssl->conf->max_major_ver = major; + ssl->conf->max_minor_ver = minor; return( 0 ); } @@ -5656,8 +5662,8 @@ int mbedtls_ssl_set_min_version( mbedtls_ssl_context *ssl, int major, int minor if( ssl_check_version( ssl, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->min_major_ver = major; - ssl->min_minor_ver = minor; + ssl->conf->min_major_ver = major; + ssl->conf->min_minor_ver = minor; return( 0 ); } @@ -5672,20 +5678,20 @@ void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback ) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_context *ssl, char etm ) { - ssl->encrypt_then_mac = etm; + ssl->conf->encrypt_then_mac = etm; } #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_context *ssl, char ems ) { - ssl->extended_ms = ems; + ssl->conf->extended_ms = ems; } #endif void mbedtls_ssl_set_arc4_support( mbedtls_ssl_context *ssl, char arc4 ) { - ssl->arc4_disabled = arc4; + ssl->conf->arc4_disabled = arc4; } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) @@ -5697,7 +5703,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ssl->mfl_code = mfl_code; + ssl->conf->mfl_code = mfl_code; return( 0 ); } @@ -5706,7 +5712,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_context *ssl, int truncate ) { - ssl->trunc_hmac = truncate; + ssl->conf->trunc_hmac = truncate; return( 0 ); } @@ -5721,34 +5727,34 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_context *ssl, char split void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_context *ssl, int allow_legacy ) { - ssl->allow_legacy_renegotiation = allow_legacy; + ssl->conf->allow_legacy_renegotiation = allow_legacy; } #if defined(MBEDTLS_SSL_RENEGOTIATION) void mbedtls_ssl_set_renegotiation( mbedtls_ssl_context *ssl, int renegotiation ) { - ssl->disable_renegotiation = renegotiation; + ssl->conf->disable_renegotiation = renegotiation; } void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_context *ssl, int max_records ) { - ssl->renego_max_records = max_records; + ssl->conf->renego_max_records = max_records; } void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_context *ssl, const unsigned char period[8] ) { - memcpy( ssl->renego_period, period, 8 ); + memcpy( ssl->conf->renego_period, period, 8 ); } #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) { - ssl->session_tickets = use_tickets; + ssl->conf->session_tickets = use_tickets; #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) return( 0 ); #endif @@ -5763,7 +5769,7 @@ int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_context *ssl, int lifetime ) { - ssl->ticket_lifetime = lifetime; + ssl->conf->ticket_lifetime = lifetime; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -5797,7 +5803,7 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { switch( ssl->minor_ver ) { @@ -5882,7 +5888,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session if( ssl == NULL || dst == NULL || ssl->session == NULL || - ssl->endpoint != MBEDTLS_SSL_IS_CLIENT ) + ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -5899,11 +5905,11 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ret = mbedtls_ssl_handshake_client_step( ssl ); #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ret = mbedtls_ssl_handshake_server_step( ssl ); #endif @@ -5980,10 +5986,10 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and * the ServerHello will have message_seq = 1" */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ssl->handshake->out_msg_seq = 1; else ssl->handshake->in_msg_seq = 1; @@ -6014,7 +6020,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) /* On server, just send the request */ - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -6065,14 +6071,14 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) { if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || - ssl->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) + ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) { return( 0 ); } // TODO: adapt for DTLS - if( memcmp( ssl->in_ctr, ssl->renego_period, 8 ) <= 0 && - memcmp( ssl->out_ctr, ssl->renego_period, 8 ) <= 0 ) + if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 && + memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 ) { return( 0 ); } @@ -6093,7 +6099,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) return( ret ); @@ -6134,7 +6140,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) #if defined(MBEDTLS_SSL_PROTO_DTLS) /* Start timer if not already running */ if( ssl->time_limit == 0 ) - ssl_set_timer( ssl, ssl->read_timeout ); + ssl_set_timer( ssl, ssl->conf->read_timeout ); #endif if( ! record_read ) @@ -6171,7 +6177,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) { @@ -6179,29 +6185,29 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( MBEDTLS_ERR_NET_WANT_READ ); #endif return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( MBEDTLS_ERR_NET_WANT_READ ); #endif return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } #endif - if( ssl->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || + if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); @@ -6240,8 +6246,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) { /* DTLS clients need to know renego is server-initiated */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; } @@ -6266,9 +6272,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { - if( ssl->renego_max_records >= 0 ) + if( ssl->conf->renego_max_records >= 0 ) { - if( ++ssl->renego_records_seen > ssl->renego_max_records ) + if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " "but not honored by client" ) ); @@ -6303,7 +6309,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * Do it now, after setting in_offt, to avoid taking this branch * again if ssl_write_hello_request() returns WANT_WRITE */ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) @@ -6350,7 +6356,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, /* * Assume mfl_code is correct since it was checked when set */ - max_len = mfl_code_to_length[ssl->mfl_code]; + max_len = mfl_code_to_length[ssl->conf->mfl_code]; /* * Check if a smaller max length was negotiated @@ -6364,7 +6370,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, if( len > max_len ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " "maximum fragment length: %d > %d", @@ -6632,8 +6638,8 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_DHM_C) - mbedtls_mpi_free( &ssl->dhm_P ); - mbedtls_mpi_free( &ssl->dhm_G ); + mbedtls_mpi_free( &ssl->conf->dhm_P ); + mbedtls_mpi_free( &ssl->conf->dhm_G ); #endif if( ssl->transform ) @@ -6677,19 +6683,19 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ssl->psk != NULL ) + if( ssl->conf->psk != NULL ) { - mbedtls_zeroize( ssl->psk, ssl->psk_len ); - mbedtls_zeroize( ssl->psk_identity, ssl->psk_identity_len ); - mbedtls_free( ssl->psk ); - mbedtls_free( ssl->psk_identity ); - ssl->psk_len = 0; - ssl->psk_identity_len = 0; + mbedtls_zeroize( ssl->conf->psk, ssl->conf->psk_len ); + mbedtls_zeroize( ssl->conf->psk_identity, ssl->conf->psk_identity_len ); + mbedtls_free( ssl->conf->psk ); + mbedtls_free( ssl->conf->psk_identity ); + ssl->conf->psk_len = 0; + ssl->conf->psk_identity_len = 0; } #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl_key_cert_free( ssl->key_cert ); + ssl_key_cert_free( ssl->conf->key_cert ); #endif #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) @@ -6786,7 +6792,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp { const mbedtls_ecp_group_id *gid; - for( gid = ssl->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) if( *gid == grp_id ) return( 1 ); From d5a9e4129685ec3666b1dbdf34d58f5b6bb45feb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 11:11:42 +0200 Subject: [PATCH 04/45] Adapt test_suite_debug to recent changes --- tests/suites/test_suite_debug.function | 32 +++++++++++++++++++++----- 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 492e32d7c..c423545f1 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -36,10 +36,12 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line, mbedtls_ssl_context ssl; struct buffer_data buffer; - memset( &ssl, 0, sizeof( mbedtls_ssl_context ) ); + mbedtls_ssl_init( &ssl ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + mbedtls_debug_set_log_mode( MBEDTLS_DEBUG_LOG_FULL ); mbedtls_debug_set_threshold( threshold ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); @@ -48,6 +50,9 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line, mbedtls_debug_fmt("Text message, 2 == %d", 2 ) ); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); + +exit: + mbedtls_ssl_free( &ssl ); } /* END_CASE */ @@ -58,16 +63,21 @@ void mbedtls_debug_print_ret( int mode, char *file, int line, char *text, int va mbedtls_ssl_context ssl; struct buffer_data buffer; - memset( &ssl, 0, sizeof( mbedtls_ssl_context ) ); + mbedtls_ssl_init( &ssl ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + mbedtls_debug_set_log_mode( mode ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); mbedtls_debug_print_ret( &ssl, 0, file, line, text, value); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); + +exit: + mbedtls_ssl_free( &ssl ); } /* END_CASE */ @@ -80,19 +90,24 @@ void mbedtls_debug_print_buf( int mode, char *file, int line, char *text, struct buffer_data buffer; size_t data_len; + mbedtls_ssl_init( &ssl ); memset( &data, 0, sizeof( data ) ); - memset( &ssl, 0, sizeof( mbedtls_ssl_context ) ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; data_len = unhexify( data, data_string ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + mbedtls_debug_set_log_mode( mode ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); mbedtls_debug_print_buf( &ssl, 0, file, line, text, data, data_len ); TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 ); + +exit: + mbedtls_ssl_free( &ssl ); } /* END_CASE */ @@ -104,11 +119,13 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line, mbedtls_ssl_context ssl; struct buffer_data buffer; + mbedtls_ssl_init( &ssl ); mbedtls_x509_crt_init( &crt ); - memset( &ssl, 0, sizeof( mbedtls_ssl_context ) ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + mbedtls_debug_set_log_mode( mode ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); @@ -119,6 +136,7 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line, exit: mbedtls_x509_crt_free( &crt ); + mbedtls_ssl_free( &ssl ); } /* END_CASE */ @@ -130,12 +148,13 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int struct buffer_data buffer; mbedtls_mpi val; + mbedtls_ssl_init( &ssl ); mbedtls_mpi_init( &val ); - - memset( &ssl, 0, sizeof( mbedtls_ssl_context ) ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; + TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 ); mbedtls_debug_set_log_mode( mode ); @@ -147,5 +166,6 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int exit: mbedtls_mpi_free( &val ); + mbedtls_ssl_free( &ssl ); } /* END_CASE */ From cd523e2a5e02c75a695a10b59663ba8207bc295b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 13:35:39 +0200 Subject: [PATCH 05/45] Introduce mbedtls_ssl_config_{init,defaults,free}() --- include/mbedtls/ssl.h | 30 ++++++ library/ssl_tls.c | 211 ++++++++++++++++++++++++------------------ 2 files changed, 153 insertions(+), 88 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index f94aae84d..cb5998dea 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2244,6 +2244,36 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ); */ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ); +/** + * \brief Initialize an SSL configuration context + * Just makes the context ready for + * mbedtls_ssl_config_defaults() or mbedtls_ssl_free() + * + * \note You need to call mbedtls_ssl_config_defaults() unless you + * manually set all of the relevent fields yourself. + * + * \param conf SSL configuration context + */ +void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ); + +/** + * \brief Load reasonnable default SSL configuration values. + * (You need to call mbedtls_ssl_config_init() first.) + * + * \param conf SSL configuration context + * + * \return 0 if successful, or + * MBEDTLS_ERR_XXX_ALLOC_FAILED on memorr allocation error. + */ +int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf ); + +/** + * \brief Free an SSL configuration context + * + * \param conf SSL configuration context + */ +void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ); + /** * \brief Initialize SSL session structure * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 17c64957a..48787e64e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4956,47 +4956,22 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) { int ret; - int len = MBEDTLS_SSL_BUFFER_LEN; + const size_t len = MBEDTLS_SSL_BUFFER_LEN; + /* + * Temporary, WIP + */ ssl->conf = mbedtls_malloc( sizeof( mbedtls_ssl_config ) ); if( ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); - memset( ssl->conf, 0, sizeof( mbedtls_ssl_config ) ); - - /* - * Sane defaults - */ - ssl->conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ - ssl->conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; - ssl->conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; - - mbedtls_ssl_set_ciphersuites( ssl, mbedtls_ssl_list_ciphersuites() ); - - mbedtls_ssl_set_arc4_support( ssl, MBEDTLS_SSL_ARC4_DISABLED ); - -#if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; - memset( ssl->conf->renego_period, 0xFF, 7 ); - ssl->conf->renego_period[7] = 0x00; -#endif - -#if defined(MBEDTLS_DHM_C) - if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_P, 16, - MBEDTLS_DHM_RFC5114_MODP_1024_P) ) != 0 || - ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_G, 16, - MBEDTLS_DHM_RFC5114_MODP_1024_G) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); - return( ret ); - } -#endif + mbedtls_ssl_config_init( ssl->conf ); + mbedtls_ssl_config_defaults( ssl->conf ); /* * Prepare base structures */ - if( ( ssl->in_buf = mbedtls_malloc( len ) ) == NULL || + if( ( ssl-> in_buf = mbedtls_malloc( len ) ) == NULL || ( ssl->out_buf = mbedtls_malloc( len ) ) == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) ); @@ -5005,41 +4980,8 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); } - memset( ssl-> in_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); - memset( ssl->out_buf, 0, MBEDTLS_SSL_BUFFER_LEN ); - - /* No error is possible, MBEDTLS_SSL_TRANSPORT_STREAM always valid */ - (void) mbedtls_ssl_set_transport( ssl, MBEDTLS_SSL_TRANSPORT_STREAM ); - -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - ssl->conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; -#endif - -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - ssl->conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; -#endif - -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - ssl->conf->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; -#endif - -#if defined(MBEDTLS_SSL_SET_CURVES) - ssl->conf->curve_list = mbedtls_ecp_grp_id_list( ); -#endif - -#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - ssl->conf->f_cookie_write = ssl_cookie_write_dummy; - ssl->conf->f_cookie_check = ssl_cookie_check_dummy; -#endif - -#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - ssl->conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; -#endif - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; - ssl->conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; -#endif + memset( ssl-> in_buf, 0, len ); + memset( ssl->out_buf, 0, len ); if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) return( ret ); @@ -6637,11 +6579,6 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) } #endif -#if defined(MBEDTLS_DHM_C) - mbedtls_mpi_free( &ssl->conf->dhm_P ); - mbedtls_mpi_free( &ssl->conf->dhm_G ); -#endif - if( ssl->transform ) { mbedtls_ssl_transform_free( ssl->transform ); @@ -6682,22 +6619,6 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) } #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ssl->conf->psk != NULL ) - { - mbedtls_zeroize( ssl->conf->psk, ssl->conf->psk_len ); - mbedtls_zeroize( ssl->conf->psk_identity, ssl->conf->psk_identity_len ); - mbedtls_free( ssl->conf->psk ); - mbedtls_free( ssl->conf->psk_identity ); - ssl->conf->psk_len = 0; - ssl->conf->psk_identity_len = 0; - } -#endif - -#if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl_key_cert_free( ssl->conf->key_cert ); -#endif - #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) if( mbedtls_ssl_hw_record_finish != NULL ) { @@ -6710,12 +6631,126 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) mbedtls_free( ssl->cli_id ); #endif + /* Temporary, WIP */ + mbedtls_ssl_config_free( ssl->conf ); + mbedtls_free( ssl->conf ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); /* Actually clear after last debug message */ mbedtls_zeroize( ssl, sizeof( mbedtls_ssl_context ) ); } +/* + * Initialze mbedtls_ssl_config + */ +void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) +{ + memset( conf, 0, sizeof( mbedtls_ssl_config ) ); +} + +/* + * Load default in mbetls_ssl_config + */ +int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf ) +{ + int ret; + + conf->transport = MBEDTLS_SSL_TRANSPORT_STREAM; + + conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; + conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ + conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; + conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; + + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = + mbedtls_ssl_list_ciphersuites(); + + conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED; + +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; +#endif + +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; +#endif + +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + conf->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; +#endif + +#if defined(MBEDTLS_SSL_SET_CURVES) + conf->curve_list = mbedtls_ecp_grp_id_list( ); +#endif + +#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) + conf->f_cookie_write = ssl_cookie_write_dummy; + conf->f_cookie_check = ssl_cookie_check_dummy; +#endif + +#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) + conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; +#endif + +#if defined(MBEDTLS_SSL_PROTO_DTLS) + conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; + conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; +#endif + +#if defined(MBEDTLS_SSL_RENEGOTIATION) + conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; + memset( conf->renego_period, 0xFF, 7 ); + conf->renego_period[7] = 0x00; +#endif + +#if defined(MBEDTLS_DHM_C) + if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, + MBEDTLS_DHM_RFC5114_MODP_1024_P) ) != 0 || + ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, + MBEDTLS_DHM_RFC5114_MODP_1024_G) ) != 0 ) + { + mbedtls_mpi_free( &conf->dhm_P ); + mbedtls_mpi_free( &conf->dhm_G ); + return( ret ); + } +#endif + + return( 0 ); +} + +/* + * Free mbedtls_ssl_config + */ +void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) +{ +#if defined(MBEDTLS_DHM_C) + mbedtls_mpi_free( &conf->dhm_P ); + mbedtls_mpi_free( &conf->dhm_G ); +#endif + +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + if( conf->psk != NULL ) + { + mbedtls_zeroize( conf->psk, conf->psk_len ); + mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len ); + mbedtls_free( conf->psk ); + mbedtls_free( conf->psk_identity ); + conf->psk_len = 0; + conf->psk_identity_len = 0; + } +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + ssl_key_cert_free( conf->key_cert ); +#endif + + mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) ); +} + #if defined(MBEDTLS_PK_C) /* * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX From def0bbe3ab22e687416046122c5fb8ca7eff0e36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 14:56:36 +0200 Subject: [PATCH 06/45] Allocate ssl_config out of ssl_setup() --- include/mbedtls/ssl.h | 4 +++- library/ssl_tls.c | 17 +++------------ programs/ssl/dtls_client.c | 13 ++++++++++-- programs/ssl/dtls_server.c | 11 +++++++++- programs/ssl/mini_client.c | 12 ++++++++++- programs/ssl/ssl_client1.c | 11 +++++++++- programs/ssl/ssl_client2.c | 11 +++++++++- programs/ssl/ssl_fork_server.c | 14 ++++++++++--- programs/ssl/ssl_mail_client.c | 11 +++++++++- programs/ssl/ssl_pthread_server.c | 12 ++++++++++- programs/ssl/ssl_server.c | 11 +++++++++- programs/ssl/ssl_server2.c | 11 +++++++++- programs/x509/cert_app.c | 29 +++++++++++++++++--------- tests/suites/test_suite_debug.function | 25 +++++++++++++++++----- tests/suites/test_suite_ssl.function | 6 +++++- 15 files changed, 154 insertions(+), 44 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index cb5998dea..3b11309e1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1164,11 +1164,13 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ); * \brief Set up an SSL context for use * * \param ssl SSL context + * \param conf SSL configuration to use * * \return 0 if successful, or MBEDTLS_ERR_SSL_MALLOC_FAILED if * memory allocation failed */ -int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ); +int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, + mbedtls_ssl_config *conf ); /** * \brief Reset an already initialized SSL context for re-use diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 48787e64e..1b3691302 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4953,20 +4953,13 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) /* * Setup an SSL context */ -int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) +int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, + mbedtls_ssl_config *conf ) { int ret; const size_t len = MBEDTLS_SSL_BUFFER_LEN; - /* - * Temporary, WIP - */ - ssl->conf = mbedtls_malloc( sizeof( mbedtls_ssl_config ) ); - if( ssl->conf == NULL ) - return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); - - mbedtls_ssl_config_init( ssl->conf ); - mbedtls_ssl_config_defaults( ssl->conf ); + ssl->conf = conf; /* * Prepare base structures @@ -6631,10 +6624,6 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) mbedtls_free( ssl->cli_id ); #endif - /* Temporary, WIP */ - mbedtls_ssl_config_free( ssl->conf ); - mbedtls_free( ssl->conf ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) ); /* Actually clear after last debug message */ diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 4f8228357..cacfe0f21 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -92,6 +92,7 @@ int main( int argc, char *argv[] ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt cacert; ((void) argc); @@ -105,6 +106,7 @@ int main( int argc, char *argv[] ) * 0. Initialize the RNG and the session data */ mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_x509_crt_init( &cacert ); mbedtls_ctr_drbg_init( &ctr_drbg ); @@ -123,7 +125,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); /* - * 0. Initialize certificates + * 0. Load certificates */ mbedtls_printf( " . Loading the CA root certificate ..." ); fflush( stdout ); @@ -160,7 +162,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the DTLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; @@ -322,6 +330,7 @@ exit: mbedtls_x509_crt_free( &cacert ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index a4b86f76e..869d919ad 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -97,6 +97,7 @@ int main( void ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt srvcert; mbedtls_pk_context pkey; #if defined(MBEDTLS_SSL_CACHE_C) @@ -104,6 +105,7 @@ int main( void ) #endif mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_ssl_cookie_init( &cookie_ctx ); #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_init( &cache ); @@ -190,7 +192,13 @@ int main( void ) printf( " . Setting up the DTLS data..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; @@ -391,6 +399,7 @@ exit: mbedtls_x509_crt_free( &srvcert ); mbedtls_pk_free( &pkey ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ssl_cookie_free( &cookie_ctx ); #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( &cache ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index cab6e8d4c..cd2884545 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -147,6 +147,7 @@ enum exit_codes { exit_ok = 0, ctr_drbg_seed_failed, + ssl_config_default_failed, ssl_setup_failed, socket_failed, connect_failed, @@ -167,12 +168,14 @@ int main( void ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_ctr_drbg_init( &ctr_drbg ); /* * 0. Initialize and setup stuff */ mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_init( &ca ); #endif @@ -185,7 +188,13 @@ int main( void ) goto exit; } - if( mbedtls_ssl_setup( &ssl ) != 0 ) + if( mbedtls_ssl_config_defaults( &conf ) != 0 ) + { + ret = ssl_config_defaults_failed; + goto exit; + } + + if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) { ret = ssl_setup_failed; goto exit; @@ -260,6 +269,7 @@ exit: mbedtls_net_close( server_fd ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_X509_CRT_PARSE_C) diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 37c24a22c..d136cd633 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -83,6 +83,7 @@ int main( void ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt cacert; #if defined(MBEDTLS_DEBUG_C) @@ -93,6 +94,7 @@ int main( void ) * 0. Initialize the RNG and the session data */ mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_x509_crt_init( &cacert ); mbedtls_ctr_drbg_init( &ctr_drbg ); @@ -148,7 +150,13 @@ int main( void ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; @@ -275,6 +283,7 @@ exit: mbedtls_x509_crt_free( &cacert ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index de6ff655b..309a68af1 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -401,6 +401,7 @@ int main( int argc, char *argv[] ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_ssl_session saved_session; #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt cacert; @@ -415,6 +416,7 @@ int main( int argc, char *argv[] ) */ server_fd = 0; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) ); mbedtls_ctr_drbg_init( &ctr_drbg ); #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1047,7 +1049,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); goto exit; @@ -1581,6 +1589,7 @@ exit: #endif mbedtls_ssl_session_free( &saved_session ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index a0880e863..a26f85f60 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -103,11 +103,12 @@ int main( void ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt srvcert; mbedtls_pk_context pkey; - memset( &ssl, 0, sizeof(mbedtls_ssl_context) ); - + mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_entropy_init( &entropy ); mbedtls_pk_init( &pkey ); mbedtls_x509_crt_init( &srvcert ); @@ -248,7 +249,13 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; @@ -373,6 +380,7 @@ exit: mbedtls_x509_crt_free( &srvcert ); mbedtls_pk_free( &pkey ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 8abe7406c..bf4bff919 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -355,6 +355,7 @@ int main( int argc, char *argv[] ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; mbedtls_pk_context pkey; @@ -368,6 +369,7 @@ int main( int argc, char *argv[] ) */ server_fd = 0; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); memset( &buf, 0, sizeof( buf ) ); mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crt_init( &clicert ); @@ -582,7 +584,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; @@ -821,6 +829,7 @@ exit: mbedtls_x509_crt_free( &cacert ); mbedtls_pk_free( &pkey ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 3432e5e79..7303c5dcb 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -130,10 +130,12 @@ static void *handle_ssl_connection( void *data ) unsigned char buf[1024]; char pers[50]; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_ctr_drbg_context ctr_drbg; /* Make sure memory references are valid */ mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_snprintf( pers, sizeof(pers), "SSL Pthread Thread %d", thread_id ); @@ -158,7 +160,14 @@ static void *handle_ssl_connection( void *data ) */ mbedtls_printf( " [ #%d ] Setting up the SSL data....\n", thread_id ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_config_defaults returned -0x%04x\n", + thread_id, -ret ); + goto thread_exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_setup returned -0x%04x\n", thread_id, -ret ); @@ -314,6 +323,7 @@ thread_exit: mbedtls_net_close( client_fd ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); thread_info->thread_complete = 1; diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index bd68d3dda..a2b9a5811 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -97,6 +97,7 @@ int main( void ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt srvcert; mbedtls_pk_context pkey; #if defined(MBEDTLS_SSL_CACHE_C) @@ -104,6 +105,7 @@ int main( void ) #endif mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_init( &cache ); #endif @@ -189,7 +191,13 @@ int main( void ) mbedtls_printf( " . Setting up the SSL data...." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; @@ -369,6 +377,7 @@ exit: mbedtls_x509_crt_free( &srvcert ); mbedtls_pk_free( &pkey ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( &cache ); #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index be0d70ccb..013d3393d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -722,6 +722,7 @@ int main( int argc, char *argv[] ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; #if defined(MBEDTLS_SSL_RENEGOTIATION) unsigned char renego_period[8] = { 0 }; #endif @@ -762,6 +763,7 @@ int main( int argc, char *argv[] ) */ listen_fd = 0; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_ctr_drbg_init( &ctr_drbg ); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_init( &cacert ); @@ -1518,7 +1520,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); goto exit; @@ -2205,6 +2213,7 @@ exit: #endif mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index a13f9bc5f..971dae1b9 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -146,6 +146,7 @@ int main( int argc, char *argv[] ) mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; mbedtls_x509_crl cacrl; @@ -161,6 +162,7 @@ int main( int argc, char *argv[] ) server_fd = 0; mbedtls_ctr_drbg_init( &ctr_drbg ); mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crt_init( &clicert ); #if defined(MBEDTLS_X509_CRL_PARSE_C) @@ -372,7 +374,7 @@ int main( int argc, char *argv[] ) strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); - goto exit; + goto ssl_exit; } mbedtls_printf( " ok\n" ); @@ -388,16 +390,22 @@ int main( int argc, char *argv[] ) opt.server_port, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_net_connect returned %d\n\n", ret ); - goto exit; + goto ssl_exit; } /* * 3. Setup stuff */ - if( ( ret = mbedtls_ssl_setup( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto exit; + goto ssl_exit; } mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); @@ -417,14 +425,14 @@ int main( int argc, char *argv[] ) if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); - goto exit; + goto ssl_exit; } #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); - goto exit; + goto ssl_exit; } #endif @@ -436,8 +444,7 @@ int main( int argc, char *argv[] ) if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret ); - mbedtls_ssl_free( &ssl ); - goto exit; + goto ssl_exit; } } @@ -452,14 +459,16 @@ int main( int argc, char *argv[] ) if( ret == -1 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crt_info returned %d\n\n", ret ); - mbedtls_ssl_free( &ssl ); - goto exit; + goto ssl_exit; } mbedtls_printf( "%s\n", buf ); mbedtls_ssl_close_notify( &ssl ); + +ssl_exit: mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } else goto usage; diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index c423545f1..f170332c4 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -34,13 +34,15 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line, char *result_str ) { mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; struct buffer_data buffer; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( MBEDTLS_DEBUG_LOG_FULL ); mbedtls_debug_set_threshold( threshold ); @@ -53,6 +55,7 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line, exit: mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } /* END_CASE */ @@ -61,13 +64,15 @@ void mbedtls_debug_print_ret( int mode, char *file, int line, char *text, int va char *result_str ) { mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; struct buffer_data buffer; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); @@ -78,6 +83,7 @@ void mbedtls_debug_print_ret( int mode, char *file, int line, char *text, int va exit: mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } /* END_CASE */ @@ -87,17 +93,19 @@ void mbedtls_debug_print_buf( int mode, char *file, int line, char *text, { unsigned char data[10000]; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; struct buffer_data buffer; size_t data_len; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); memset( &data, 0, sizeof( data ) ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; data_len = unhexify( data, data_string ); - TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); @@ -108,6 +116,7 @@ void mbedtls_debug_print_buf( int mode, char *file, int line, char *text, exit: mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } /* END_CASE */ @@ -117,14 +126,16 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line, { mbedtls_x509_crt crt; mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; struct buffer_data buffer; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_x509_crt_init( &crt ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); @@ -137,6 +148,7 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line, exit: mbedtls_x509_crt_free( &crt ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } /* END_CASE */ @@ -145,15 +157,17 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int char *prefix, char *result_str ) { mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; struct buffer_data buffer; mbedtls_mpi val; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); mbedtls_mpi_init( &val ); memset( buffer.buf, 0, 2000 ); buffer.ptr = buffer.buf; - TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 ); @@ -167,5 +181,6 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int exit: mbedtls_mpi_free( &val ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } /* END_CASE */ diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 6d9a4c081..ce1cd913e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -11,11 +11,14 @@ void ssl_dtls_replay( char *prevs, char *new, int ret ) { mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; char *end_prevs = prevs + strlen( prevs ) + 1; mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); - TEST_ASSERT( mbedtls_ssl_setup( &ssl ) == 0 ); + TEST_ASSERT( mbedtls_ssl_config_defaults( &conf ) == 0 ); + TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); TEST_ASSERT( mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 ); /* Read previous record numbers */ @@ -31,5 +34,6 @@ void ssl_dtls_replay( char *prevs, char *new, int ret ) TEST_ASSERT( mbedtls_ssl_dtls_replay_check( &ssl ) == ret ); mbedtls_ssl_free( &ssl ); + mbedtls_ssl_config_free( &conf ); } /* END_CASE */ From 419d5ae419ea2dde1ed871b2c4db354d9373f24d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 19:32:36 +0200 Subject: [PATCH 07/45] Make endpoint+transport args of config_defaults() --- include/mbedtls/ssl.h | 3 +- library/ssl_tls.c | 123 +++++++++++++-------------- programs/ssl/dtls_client.c | 7 +- programs/ssl/dtls_server.c | 6 +- programs/ssl/mini_client.c | 6 +- programs/ssl/ssl_client1.c | 5 +- programs/ssl/ssl_client2.c | 11 +-- programs/ssl/ssl_fork_server.c | 5 +- programs/ssl/ssl_mail_client.c | 5 +- programs/ssl/ssl_pthread_server.c | 5 +- programs/ssl/ssl_server.c | 5 +- programs/ssl/ssl_server2.c | 10 +-- programs/x509/cert_app.c | 5 +- tests/suites/test_suite_ssl.function | 5 +- 14 files changed, 98 insertions(+), 103 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3b11309e1..d515eb194 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2267,7 +2267,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ); * \return 0 if successful, or * MBEDTLS_ERR_XXX_ALLOC_FAILED on memorr allocation error. */ -int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf ); +int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, + int endpoint, int transport ); /** * \brief Free an SSL configuration context diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1b3691302..dd477c756 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4976,6 +4976,37 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, memset( ssl-> in_buf, 0, len ); memset( ssl->out_buf, 0, len ); +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->out_hdr = ssl->out_buf; + ssl->out_ctr = ssl->out_buf + 3; + ssl->out_len = ssl->out_buf + 11; + ssl->out_iv = ssl->out_buf + 13; + ssl->out_msg = ssl->out_buf + 13; + + ssl->in_hdr = ssl->in_buf; + ssl->in_ctr = ssl->in_buf + 3; + ssl->in_len = ssl->in_buf + 11; + ssl->in_iv = ssl->in_buf + 13; + ssl->in_msg = ssl->in_buf + 13; + } + else +#endif + { + ssl->out_ctr = ssl->out_buf; + ssl->out_hdr = ssl->out_buf + 8; + ssl->out_len = ssl->out_buf + 11; + ssl->out_iv = ssl->out_buf + 13; + ssl->out_msg = ssl->out_buf + 13; + + ssl->in_ctr = ssl->in_buf; + ssl->in_hdr = ssl->in_buf + 8; + ssl->in_len = ssl->in_buf + 11; + ssl->in_iv = ssl->in_buf + 13; + ssl->in_msg = ssl->in_buf + 13; + } + if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) return( ret ); @@ -5140,72 +5171,13 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ) { ssl->conf->endpoint = endpoint; - -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - defined(MBEDTLS_SSL_CLI_C) - if( endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - ssl->conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; - ssl->conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; - } -#endif - -#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - if( endpoint == MBEDTLS_SSL_IS_SERVER ) - ssl->conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; -#endif } int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) { -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - { - ssl->conf->transport = transport; + ssl->conf->transport = transport; - ssl->out_hdr = ssl->out_buf; - ssl->out_ctr = ssl->out_buf + 3; - ssl->out_len = ssl->out_buf + 11; - ssl->out_iv = ssl->out_buf + 13; - ssl->out_msg = ssl->out_buf + 13; - - ssl->in_hdr = ssl->in_buf; - ssl->in_ctr = ssl->in_buf + 3; - ssl->in_len = ssl->in_buf + 11; - ssl->in_iv = ssl->in_buf + 13; - ssl->in_msg = ssl->in_buf + 13; - - /* DTLS starts with TLS1.1 */ - if( ssl->conf->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; - - if( ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; - - return( 0 ); - } -#endif - - if( transport == MBEDTLS_SSL_TRANSPORT_STREAM ) - { - ssl->conf->transport = transport; - - ssl->out_ctr = ssl->out_buf; - ssl->out_hdr = ssl->out_buf + 8; - ssl->out_len = ssl->out_buf + 11; - ssl->out_iv = ssl->out_buf + 13; - ssl->out_msg = ssl->out_buf + 13; - - ssl->in_ctr = ssl->in_buf; - ssl->in_hdr = ssl->in_buf + 8; - ssl->in_len = ssl->in_buf + 11; - ssl->in_iv = ssl->in_buf + 13; - ssl->in_msg = ssl->in_buf + 13; - - return( 0 ); - } - - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + return( 0 ); } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) @@ -6641,17 +6613,42 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) /* * Load default in mbetls_ssl_config */ -int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf ) +int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, + int endpoint, int transport ) { int ret; - conf->transport = MBEDTLS_SSL_TRANSPORT_STREAM; + conf->endpoint = endpoint; + conf->transport = transport; conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* DTLS starts with TLS 1.1 */ + conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + } +#endif + +#if defined(MBEDTLS_SSL_CLI_C) + if( endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; +#endif + } +#endif + +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC) + if( endpoint == MBEDTLS_SSL_IS_SERVER ) + conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; +#endif + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index cacfe0f21..09cea3b92 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -162,7 +162,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the DTLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -176,9 +178,6 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); - mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ); - /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 869d919ad..451294347 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -192,7 +192,9 @@ int main( void ) printf( " . Setting up the DTLS data..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -204,8 +206,6 @@ int main( void ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); - mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index cd2884545..694bf4031 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -188,7 +188,9 @@ int main( void ) goto exit; } - if( mbedtls_ssl_config_defaults( &conf ) != 0 ) + if( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM) != 0 ) { ret = ssl_config_defaults_failed; goto exit; @@ -200,8 +202,6 @@ int main( void ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index d136cd633..480423530 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -150,7 +150,9 @@ int main( void ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -164,7 +166,6 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 309a68af1..1454067bc 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1049,7 +1049,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + opt.transport ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); goto exit; @@ -1066,17 +1068,10 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); #endif - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 ) - { - mbedtls_printf( " failed\n ! selected transport is not available\n" ); - goto exit; - } - if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index a26f85f60..383746642 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -249,7 +249,9 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -263,7 +265,6 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index bf4bff919..26972f8cc 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -584,7 +584,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -598,7 +600,6 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 7303c5dcb..6896e97f3 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -160,7 +160,9 @@ static void *handle_ssl_connection( void *data ) */ mbedtls_printf( " [ #%d ] Setting up the SSL data....\n", thread_id ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_config_defaults returned -0x%04x\n", thread_id, -ret ); @@ -174,7 +176,6 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index a2b9a5811..5c2a7d29a 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -191,7 +191,9 @@ int main( void ) mbedtls_printf( " . Setting up the SSL data...." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -203,7 +205,6 @@ int main( void ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 013d3393d..8955acfa6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1520,7 +1520,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + opt.transport ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); goto exit; @@ -1537,12 +1539,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 ) - { - mbedtls_printf( " failed\n ! selected transport is not available\n" ); - goto exit; - } - if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 971dae1b9..a8bc64a57 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -396,7 +396,9 @@ int main( int argc, char *argv[] ) /* * 3. Setup stuff */ - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -408,7 +410,6 @@ int main( int argc, char *argv[] ) goto ssl_exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); if( verify ) { mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED ); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ce1cd913e..c8acfeaec 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -17,9 +17,10 @@ void ssl_dtls_replay( char *prevs, char *new, int ret ) mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); - TEST_ASSERT( mbedtls_ssl_config_defaults( &conf ) == 0 ); + TEST_ASSERT( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 ); TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); - TEST_ASSERT( mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 ); /* Read previous record numbers */ for( ; end_prevs - prevs >= 13; prevs += 13 ) From d36e33fc07271bf506034ad326060e8845b44b74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 5 May 2015 10:45:39 +0200 Subject: [PATCH 08/45] Move easy ssl_set_xxx() functions to work on conf mbedtls_ssl_set_alpn_protocols mbedtls_ssl_set_arc4_support mbedtls_ssl_set_authmode mbedtls_ssl_set_ciphersuites mbedtls_ssl_set_ciphersuites_for_version mbedtls_ssl_set_curves mbedtls_ssl_set_dbg mbedtls_ssl_set_dh_param mbedtls_ssl_set_dh_param_ctx mbedtls_ssl_set_dtls_anti_replay mbedtls_ssl_set_dtls_badmac_limit mbedtls_ssl_set_dtls_cookies mbedtls_ssl_set_encrypt_then_mac mbedtls_ssl_set_endpoint mbedtls_ssl_set_extended_master_secret mbedtls_ssl_set_handshake_timeout mbedtls_ssl_legacy_renegotiation mbedtls_ssl_set_max_version mbedtls_ssl_set_min_version mbedtls_ssl_set_psk_cb mbedtls_ssl_set_renegotiation mbedtls_ssl_set_renegotiation_enforced mbedtls_ssl_set_renegotiation_period mbedtls_ssl_set_session_cache mbedtls_ssl_set_session_ticket_lifetime mbedtls_ssl_set_sni mbedtls_ssl_set_transport mbedtls_ssl_set_truncated_hmac mbedtls_ssl_set_verify --- include/mbedtls/ssl.h | 118 ++++++++--------- library/ssl_srv.c | 8 +- library/ssl_tls.c | 171 ++++++++++++------------- programs/ssl/dtls_client.c | 4 +- programs/ssl/dtls_server.c | 11 +- programs/ssl/mini_client.c | 2 +- programs/ssl/ssl_client1.c | 4 +- programs/ssl/ssl_client2.c | 28 ++-- programs/ssl/ssl_fork_server.c | 4 +- programs/ssl/ssl_mail_client.c | 6 +- programs/ssl/ssl_pthread_server.c | 9 +- programs/ssl/ssl_server.c | 9 +- programs/ssl/ssl_server2.c | 64 ++++----- programs/x509/cert_app.c | 8 +- tests/suites/test_suite_debug.function | 10 +- 15 files changed, 223 insertions(+), 233 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d515eb194..4f826e403 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1187,19 +1187,19 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ); /** * \brief Set the current endpoint type * - * \param ssl SSL context + * \param conf SSL configuration * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER * * \note This function should be called right after mbedtls_ssl_init() since * some other ssl_set_foo() functions depend on it. */ -void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ); +void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ); /** * \brief Set the transport type (TLS or DTLS). * Default: TLS * - * \param ssl SSL context + * \param conf SSL configuration * \param transport transport type: * MBEDTLS_SSL_TRANSPORT_STREAM for TLS, * MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS. @@ -1212,12 +1212,13 @@ void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ); * doesn't block, or one that handles timeouts, see * mbedtls_ssl_set_bio_timeout() */ -int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ); +int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ); /** * \brief Set the certificate verification mode + * Default: NONE on server, REQUIRED on client * - * \param ssl SSL context + * \param conf SSL configuration * \param authmode can be: * * MBEDTLS_SSL_VERIFY_NONE: peer certificate is not checked @@ -1238,7 +1239,7 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ); * the verification as soon as possible. For example, REQUIRED was protecting * against the "triple handshake" attack even before it was found. */ -void mbedtls_ssl_set_authmode( mbedtls_ssl_context *ssl, int authmode ); +void mbedtls_ssl_set_authmode( mbedtls_ssl_config *conf, int authmode ); #if defined(MBEDTLS_X509_CRT_PARSE_C) /** @@ -1248,11 +1249,11 @@ void mbedtls_ssl_set_authmode( mbedtls_ssl_context *ssl, int authmode ); * certificate in the chain. For implementation * information, please see \c x509parse_verify() * - * \param ssl SSL context + * \param conf SSL configuration * \param f_vrfy verification function * \param p_vrfy verification parameter */ -void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), void *p_vrfy ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1271,11 +1272,11 @@ void mbedtls_ssl_set_rng( mbedtls_ssl_context *ssl, /** * \brief Set the debug callback * - * \param ssl SSL context + * \param conf SSL configuration * \param f_dbg debug function * \param p_dbg debug parameter */ -void mbedtls_ssl_set_dbg( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, void (*f_dbg)(void *, int, const char *), void *p_dbg ); @@ -1404,12 +1405,12 @@ typedef int mbedtls_ssl_cookie_check_t( void *ctx, * Only disable if you known this can't happen in your * particular environment. * - * \param ssl SSL context + * \param conf SSL configuration * \param f_cookie_write Cookie write callback * \param f_cookie_check Cookie check callback * \param p_cookie Context for both callbacks */ -void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, mbedtls_ssl_cookie_write_t *f_cookie_write, mbedtls_ssl_cookie_check_t *f_cookie_check, void *p_cookie ); @@ -1421,7 +1422,7 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl, * (DTLS only, no effect on TLS.) * Default: enabled. * - * \param ssl SSL context + * \param conf SSL configuration * \param mode MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED. * * \warning Disabling this is a security risk unless the application @@ -1431,7 +1432,7 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl, * packets and needs information about them to adjust its * transmission strategy, then you'll want to disable this. */ -void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode ); +void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) @@ -1441,7 +1442,7 @@ void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode ); * (DTLS only, no effect on TLS.) * Default: 0 (disabled). * - * \param ssl SSL context + * \param conf SSL configuration * \param limit Limit, or 0 to disable. * * \note If the limit is N, then the connection is terminated when @@ -1458,7 +1459,7 @@ void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode ); * might make us waste resources checking authentication on * many bogus packets. */ -void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit ); +void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ); #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -1466,7 +1467,7 @@ void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit * \brief Set retransmit timeout values for the DTLS handshale. * (DTLS only, no effect on TLS.) * - * \param ssl SSL context + * \param conf SSL configuration * \param min Initial timeout value in milliseconds. * Default: 1000 (1 second). * \param max Maximum timeout value in milliseconds. @@ -1478,7 +1479,7 @@ void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit * handshake latency. Lower values may increase the risk of * network congestion by causing more retransmissions. */ -void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_context *ssl, uint32_t min, uint32_t max ); +void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ /** @@ -1513,13 +1514,13 @@ void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_context *ssl, uint32_t min, * an entry is still valid in the future. Return 0 if * successfully cached, return 1 otherwise. * - * \param ssl SSL context + * \param conf SSL configuration * \param f_get_cache session get callback * \param p_get_cache session get parameter * \param f_set_cache session set callback * \param p_set_cache session set parameter */ -void mbedtls_ssl_set_session_cache( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf, int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache, int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache ); #endif /* MBEDTLS_SSL_SRV_C */ @@ -1551,17 +1552,18 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session * over the preference of the client unless * MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined! * - * \param ssl SSL context + * \param conf SSL configuration * \param ciphersuites 0-terminated list of allowed ciphersuites */ -void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_context *ssl, const int *ciphersuites ); +void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf, + const int *ciphersuites ); /** * \brief Set the list of allowed ciphersuites and the * preference order for a specific version of the protocol. * (Only useful on the server side) * - * \param ssl SSL context + * \param conf SSL configuration * \param ciphersuites 0-terminated list of allowed ciphersuites * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 * supported) @@ -1572,7 +1574,7 @@ void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_context *ssl, const int *ciphersu * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 * and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor ); @@ -1642,11 +1644,11 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, siz * identity and return 0. * Any other return value will result in a denied PSK identity. * - * \param ssl SSL context + * \param conf SSL configuration * \param f_psk PSK identity function * \param p_psk PSK identity parameter */ -void mbedtls_ssl_set_psk_cb( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_psk ); @@ -1658,24 +1660,24 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_context *ssl, * read as hexadecimal strings (server-side only) * (Default: MBEDTLS_DHM_RFC5114_MODP_1024_[PG]) * - * \param ssl SSL context + * \param conf SSL configuration * \param dhm_P Diffie-Hellman-Merkle modulus * \param dhm_G Diffie-Hellman-Merkle generator * * \return 0 if successful */ -int mbedtls_ssl_set_dh_param( mbedtls_ssl_context *ssl, const char *dhm_P, const char *dhm_G ); +int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ); /** * \brief Set the Diffie-Hellman public P and G values, * read from existing context (server-side only) * - * \param ssl SSL context + * \param conf SSL configuration * \param dhm_ctx Diffie-Hellman-Merkle context * * \return 0 if successful */ -int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context *dhm_ctx ); +int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ); #endif /* MBEDTLS_DHM_C */ #if defined(MBEDTLS_SSL_SET_CURVES) @@ -1693,11 +1695,11 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context * Both sides: limits the set of curves used by peer to the * listed curves for any use (ECDH(E), certificates). * - * \param ssl SSL context + * \param conf SSL configuration * \param curves Ordered list of allowed curves, * terminated by MBEDTLS_ECP_DP_NONE. */ -void mbedtls_ssl_set_curves( mbedtls_ssl_context *ssl, const mbedtls_ecp_group_id *curves ); +void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_SSL_SET_CURVES */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) @@ -1728,11 +1730,11 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); * callback should return -1 to abort the handshake at this * point. * - * \param ssl SSL context + * \param conf SSL configuration * \param f_sni verification function * \param p_sni verification parameter */ -void mbedtls_ssl_set_sni( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_sni ); @@ -1742,13 +1744,13 @@ void mbedtls_ssl_set_sni( mbedtls_ssl_context *ssl, /** * \brief Set the supported Application Layer Protocols. * - * \param ssl SSL context + * \param conf SSL configuration * \param protos NULL-terminated list of supported protocols, * in decreasing preference order. * * \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA. */ -int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_context *ssl, const char **protos ); +int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ); /** * \brief Get the name of the negotiated Application Layer Protocol. @@ -1769,7 +1771,7 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ); * * Note: This ignores ciphersuites from 'higher' versions. * - * \param ssl SSL context + * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0, * MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, @@ -1779,7 +1781,7 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ); * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor ); +int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor ); /** * \brief Set the minimum accepted SSL/TLS protocol version @@ -1790,7 +1792,7 @@ int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor * * \note MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided. * - * \param ssl SSL context + * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0, * MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, @@ -1800,7 +1802,7 @@ int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -int mbedtls_ssl_set_min_version( mbedtls_ssl_context *ssl, int major, int minor ); +int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor ); #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) /** @@ -1834,10 +1836,10 @@ void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback ); * improvement, and should not cause any interoperability * issue (used only if the peer supports it too). * - * \param ssl SSL context + * \param conf SSL configuration * \param etm MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED */ -void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_context *ssl, char etm ); +void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ); #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) @@ -1849,10 +1851,10 @@ void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_context *ssl, char etm ); * protocol, and should not cause any interoperability issue * (used only if the peer supports it too). * - * \param ssl SSL context + * \param conf SSL configuration * \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED */ -void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_context *ssl, char ems ); +void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_config *conf, char ems ); #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ /** @@ -1865,10 +1867,10 @@ void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_context *ssl, char ems * \note This function will likely be removed in future versions as * RC4 will then be disabled by default at compile time. * - * \param ssl SSL context + * \param conf SSL configuration * \param arc4 MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED */ -void mbedtls_ssl_set_arc4_support( mbedtls_ssl_context *ssl, char arc4 ); +void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ); #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** @@ -1895,13 +1897,13 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client, * MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.) * - * \param ssl SSL context + * \param conf SSL configuration * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or * MBEDTLS_SSL_TRUNC_HMAC_DISABLED) * * \return Always 0. */ -int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_context *ssl, int truncate ); +int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) @@ -1942,10 +1944,10 @@ int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) * \brief Set session ticket lifetime (server only) * (Default: MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME (86400 secs / 1 day)) * - * \param ssl SSL context + * \param conf SSL configuration * \param lifetime session ticket lifetime */ -void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_context *ssl, int lifetime ); +void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ); #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_RENEGOTIATION) @@ -1958,11 +1960,11 @@ void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_context *ssl, int life * resource DoS by a malicious client. You should enable this on * a client to enable server-initiated renegotiation. * - * \param ssl SSL context + * \param conf SSL configuration * \param renegotiation Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or * MBEDTLS_SSL_RENEGOTIATION_DISABLED) */ -void mbedtls_ssl_set_renegotiation( mbedtls_ssl_context *ssl, int renegotiation ); +void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ /** @@ -1987,12 +1989,12 @@ void mbedtls_ssl_set_renegotiation( mbedtls_ssl_context *ssl, int renegotiation * that do not support renegotiation altogether. * (Most secure option, interoperability issues) * - * \param ssl SSL context + * \param conf SSL configuration * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION, * SSL_ALLOW_LEGACY_RENEGOTIATION or * MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) */ -void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_context *ssl, int allow_legacy ); +void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) /** @@ -2027,12 +2029,12 @@ void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_context *ssl, int allow_legac * if we receive application data from the server, we need a * place to write it, which only happens during mbedtls_ssl_read(). * - * \param ssl SSL context + * \param conf SSL configuration * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to * enforce renegotiation, or a non-negative value to enforce * it but allow for a grace period of max_records records. */ -void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_context *ssl, int max_records ); +void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ); /** * \brief Set record counter threshold for periodic renegotiation. @@ -2047,11 +2049,11 @@ void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_context *ssl, int max_r * Lower values can be used to enforce policies such as "keys * must be refreshed every N packets with cipher X". * - * \param ssl SSL context + * \param conf SSL configuration * \param period The threshold value: a big-endian 64-bit number. * Set to 2^64 - 1 to disable periodic renegotiation */ -void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf, const unsigned char period[8] ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ diff --git a/library/ssl_srv.c b/library/ssl_srv.c index bb5e7e0c2..e91d13c39 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -377,14 +377,14 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, return( 0 ); } -void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, mbedtls_ssl_cookie_write_t *f_cookie_write, mbedtls_ssl_cookie_check_t *f_cookie_check, void *p_cookie ) { - ssl->conf->f_cookie_write = f_cookie_write; - ssl->conf->f_cookie_check = f_cookie_check; - ssl->conf->p_cookie = p_cookie; + conf->f_cookie_write = f_cookie_write; + conf->f_cookie_check = f_cookie_check; + conf->p_cookie = p_cookie; } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index dd477c756..6702c8bb6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5168,52 +5168,52 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) /* * SSL set accessors */ -void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ) +void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ) { - ssl->conf->endpoint = endpoint; + conf->endpoint = endpoint; } -int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) +int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ) { - ssl->conf->transport = transport; + conf->transport = transport; return( 0 ); } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) -void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode ) +void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) { - ssl->conf->anti_replay = mode; + conf->anti_replay = mode; } #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) -void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit ) +void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) { - ssl->conf->badmac_limit = limit; + conf->badmac_limit = limit; } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) -void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_context *ssl, uint32_t min, uint32_t max ) +void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) { - ssl->conf->hs_timeout_min = min; - ssl->conf->hs_timeout_max = max; + conf->hs_timeout_min = min; + conf->hs_timeout_max = max; } #endif -void mbedtls_ssl_set_authmode( mbedtls_ssl_context *ssl, int authmode ) +void mbedtls_ssl_set_authmode( mbedtls_ssl_config *conf, int authmode ) { - ssl->conf->authmode = authmode; + conf->authmode = authmode; } #if defined(MBEDTLS_X509_CRT_PARSE_C) -void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), void *p_vrfy ) { - ssl->conf->f_vrfy = f_vrfy; - ssl->conf->p_vrfy = p_vrfy; + conf->f_vrfy = f_vrfy; + conf->p_vrfy = p_vrfy; } #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -5225,12 +5225,12 @@ void mbedtls_ssl_set_rng( mbedtls_ssl_context *ssl, ssl->p_rng = p_rng; } -void mbedtls_ssl_set_dbg( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, void (*f_dbg)(void *, int, const char *), void *p_dbg ) { - ssl->conf->f_dbg = f_dbg; - ssl->conf->p_dbg = p_dbg; + conf->f_dbg = f_dbg; + conf->p_dbg = p_dbg; } #if ! defined(MBEDTLS_DEPRECATED_REMOVED) @@ -5267,14 +5267,14 @@ void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_SRV_C) -void mbedtls_ssl_set_session_cache( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf, int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache, int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache ) { - ssl->conf->f_get_cache = f_get_cache; - ssl->conf->p_get_cache = p_get_cache; - ssl->conf->f_set_cache = f_set_cache; - ssl->conf->p_set_cache = p_set_cache; + conf->f_get_cache = f_get_cache; + conf->p_get_cache = p_get_cache; + conf->f_set_cache = f_set_cache; + conf->p_set_cache = p_set_cache; } #endif /* MBEDTLS_SSL_SRV_C */ @@ -5300,15 +5300,16 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session } #endif /* MBEDTLS_SSL_CLI_C */ -void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_context *ssl, const int *ciphersuites ) +void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf, + const int *ciphersuites ) { - ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; - ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; - ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; - ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; } -void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor ) { @@ -5318,7 +5319,7 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) return; - ssl->conf->ciphersuite_list[minor] = ciphersuites; + conf->ciphersuite_list[minor] = ciphersuites; } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -5407,51 +5408,39 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, siz return( 0 ); } -void mbedtls_ssl_set_psk_cb( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_psk ) { - ssl->conf->f_psk = f_psk; - ssl->conf->p_psk = p_psk; + conf->f_psk = f_psk; + conf->p_psk = p_psk; } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) -int mbedtls_ssl_set_dh_param( mbedtls_ssl_context *ssl, const char *dhm_P, const char *dhm_G ) +int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) { int ret; - if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_P, 16, dhm_P ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); + if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ) return( ret ); - } - if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_G, 16, dhm_G ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); + if( ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 ) return( ret ); - } return( 0 ); } -int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context *dhm_ctx ) +int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) { int ret; - if( ( ret = mbedtls_mpi_copy( &ssl->conf->dhm_P, &dhm_ctx->P ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); + if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ) return( ret ); - } - if( ( ret = mbedtls_mpi_copy( &ssl->conf->dhm_G, &dhm_ctx->G ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); + if( ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 ) return( ret ); - } return( 0 ); } @@ -5461,9 +5450,10 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context /* * Set the allowed elliptic curves */ -void mbedtls_ssl_set_curves( mbedtls_ssl_context *ssl, const mbedtls_ecp_group_id *curve_list ) +void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, + const mbedtls_ecp_group_id *curve_list ) { - ssl->conf->curve_list = curve_list; + conf->curve_list = curve_list; } #endif @@ -5491,18 +5481,18 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) return( 0 ); } -void mbedtls_ssl_set_sni( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_sni ) { - ssl->conf->f_sni = f_sni; - ssl->conf->p_sni = p_sni; + conf->f_sni = f_sni; + conf->p_sni = p_sni; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_SSL_ALPN) -int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_context *ssl, const char **protos ) +int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) { size_t cur_len, tot_len; const char **p; @@ -5521,7 +5511,7 @@ int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_context *ssl, const char **proto return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ssl->conf->alpn_list = protos; + conf->alpn_list = protos; return( 0 ); } @@ -5532,16 +5522,19 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_ALPN */ -static int ssl_check_version( const mbedtls_ssl_context *ssl, int major, int minor ) +static int ssl_check_version( const mbedtls_ssl_config *conf, + int major, int minor ) { - if( major < MBEDTLS_SSL_MIN_MAJOR_VERSION || major > MBEDTLS_SSL_MAX_MAJOR_VERSION || - minor < MBEDTLS_SSL_MIN_MINOR_VERSION || minor > MBEDTLS_SSL_MAX_MINOR_VERSION ) + if( major < MBEDTLS_SSL_MIN_MAJOR_VERSION || + major > MBEDTLS_SSL_MAX_MAJOR_VERSION || + minor < MBEDTLS_SSL_MIN_MINOR_VERSION || + minor > MBEDTLS_SSL_MAX_MINOR_VERSION ) { return( -1 ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && minor < MBEDTLS_SSL_MINOR_VERSION_2 ) { return( -1 ); @@ -5553,24 +5546,24 @@ static int ssl_check_version( const mbedtls_ssl_context *ssl, int major, int min return( 0 ); } -int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor ) +int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor ) { - if( ssl_check_version( ssl, major, minor ) != 0 ) + if( ssl_check_version( conf, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->conf->max_major_ver = major; - ssl->conf->max_minor_ver = minor; + conf->max_major_ver = major; + conf->max_minor_ver = minor; return( 0 ); } -int mbedtls_ssl_set_min_version( mbedtls_ssl_context *ssl, int major, int minor ) +int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor ) { - if( ssl_check_version( ssl, major, minor ) != 0 ) + if( ssl_check_version( conf, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->conf->min_major_ver = major; - ssl->conf->min_minor_ver = minor; + conf->min_major_ver = major; + conf->min_minor_ver = minor; return( 0 ); } @@ -5583,22 +5576,22 @@ void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback ) #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) -void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_context *ssl, char etm ) +void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) { - ssl->conf->encrypt_then_mac = etm; + conf->encrypt_then_mac = etm; } #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) -void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_context *ssl, char ems ) +void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_config *conf, char ems ) { - ssl->conf->extended_ms = ems; + conf->extended_ms = ems; } #endif -void mbedtls_ssl_set_arc4_support( mbedtls_ssl_context *ssl, char arc4 ) +void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ) { - ssl->conf->arc4_disabled = arc4; + conf->arc4_disabled = arc4; } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) @@ -5617,9 +5610,9 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) -int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_context *ssl, int truncate ) +int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) { - ssl->conf->trunc_hmac = truncate; + conf->trunc_hmac = truncate; return( 0 ); } @@ -5632,26 +5625,26 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_context *ssl, char split } #endif -void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_context *ssl, int allow_legacy ) +void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) { - ssl->conf->allow_legacy_renegotiation = allow_legacy; + conf->allow_legacy_renegotiation = allow_legacy; } #if defined(MBEDTLS_SSL_RENEGOTIATION) -void mbedtls_ssl_set_renegotiation( mbedtls_ssl_context *ssl, int renegotiation ) +void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) { - ssl->conf->disable_renegotiation = renegotiation; + conf->disable_renegotiation = renegotiation; } -void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_context *ssl, int max_records ) +void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) { - ssl->conf->renego_max_records = max_records; + conf->renego_max_records = max_records; } -void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf, const unsigned char period[8] ) { - memcpy( ssl->conf->renego_period, period, 8 ); + memcpy( conf->renego_period, period, 8 ); } #endif /* MBEDTLS_SSL_RENEGOTIATION */ @@ -5674,9 +5667,9 @@ int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) return( ssl_ticket_keys_init( ssl ) ); } -void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_context *ssl, int lifetime ) +void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ) { - ssl->conf->ticket_lifetime = lifetime; + conf->ticket_lifetime = lifetime; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 09cea3b92..eb27f3cbe 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -181,11 +181,11 @@ int main( int argc, char *argv[] ) /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout, diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 451294347..96cb1368d 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -206,14 +206,13 @@ int main( void ) goto exit; } - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, &cache, - mbedtls_ssl_cache_set, &cache ); + mbedtls_ssl_set_session_cache( &conf, + mbedtls_ssl_cache_get, &cache, + mbedtls_ssl_cache_set, &cache ); #endif mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); @@ -230,7 +229,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_dtls_cookies( &ssl, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, + mbedtls_ssl_set_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); printf( " ok\n" ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 694bf4031..5d140b911 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -217,7 +217,7 @@ int main( void ) } mbedtls_ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME ); - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED ); + mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); #endif /* diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 480423530..38a510c35 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -168,11 +168,11 @@ int main( void ) /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); /* diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 1454067bc..0f2313c1e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1065,15 +1065,15 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_X509_CRT_PARSE_C) if( opt.debug_level > 0 ) - mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); + mbedtls_ssl_set_verify( &conf, my_verify, NULL ); #endif if( opt.auth_mode != DFL_AUTH_MODE ) - mbedtls_ssl_set_authmode( &ssl, opt.auth_mode ); + mbedtls_ssl_set_authmode( &conf, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) - mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max ); + mbedtls_ssl_set_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) @@ -1086,17 +1086,17 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) - mbedtls_ssl_set_truncated_hmac( &ssl, opt.trunc_hmac ); + mbedtls_ssl_set_truncated_hmac( &conf, opt.trunc_hmac ); #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) if( opt.extended_ms != DFL_EXTENDED_MS ) - mbedtls_ssl_set_extended_master_secret( &ssl, opt.extended_ms ); + mbedtls_ssl_set_extended_master_secret( &conf, opt.extended_ms ); #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( opt.etm != DFL_ETM ) - mbedtls_ssl_set_encrypt_then_mac( &ssl, opt.etm ); + mbedtls_ssl_set_encrypt_then_mac( &conf, opt.etm ); #endif #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) @@ -1108,7 +1108,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) - if( ( ret = mbedtls_ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_alpn_protocols( &conf, alpn_list ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_alpn_protocols returned %d\n\n", ret ); goto exit; @@ -1116,7 +1116,7 @@ int main( int argc, char *argv[] ) #endif mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); if( opt.nbio == 2 ) mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, my_send, my_recv, NULL, @@ -1139,15 +1139,15 @@ int main( int argc, char *argv[] ) #endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); + mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); if( opt.arc4 != DFL_ARC4 ) - mbedtls_ssl_set_arc4_support( &ssl, opt.arc4 ); + mbedtls_ssl_set_arc4_support( &conf, opt.arc4 ); if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); + mbedtls_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_set_renegotiation( &ssl, opt.renegotiation ); + mbedtls_ssl_set_renegotiation( &conf, opt.renegotiation ); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1187,7 +1187,7 @@ int main( int argc, char *argv[] ) if( opt.min_version != DFL_MIN_VERSION ) { - ret = mbedtls_ssl_set_min_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); + ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected min_version is not available\n" ); @@ -1197,7 +1197,7 @@ int main( int argc, char *argv[] ) if( opt.max_version != DFL_MAX_VERSION ) { - ret = mbedtls_ssl_set_max_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); + ret = mbedtls_ssl_set_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected max_version is not available\n" ); diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 383746642..877f9581c 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -265,10 +265,8 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 26972f8cc..000ed09f6 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -602,14 +602,14 @@ int main( int argc, char *argv[] ) /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); + mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 6896e97f3..e951b3ad7 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -176,17 +176,16 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_mutexed_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_mutexed_debug, stdout ); /* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if * MBEDTLS_THREADING_C is set. */ #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, thread_info->cache, - mbedtls_ssl_cache_set, thread_info->cache ); + mbedtls_ssl_set_session_cache( &conf, + mbedtls_ssl_cache_get, thread_info->cache, + mbedtls_ssl_cache_set, thread_info->cache ); #endif mbedtls_ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 5c2a7d29a..2302f06f6 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -205,14 +205,13 @@ int main( void ) goto exit; } - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, &cache, - mbedtls_ssl_cache_set, &cache ); + mbedtls_ssl_set_session_cache( &conf, + mbedtls_ssl_cache_get, &cache, + mbedtls_ssl_cache_set, &cache ); #endif mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 8955acfa6..e4f8163e6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1534,13 +1534,12 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); if( opt.auth_mode != DFL_AUTH_MODE ) - mbedtls_ssl_set_authmode( &ssl, opt.auth_mode ); + mbedtls_ssl_set_authmode( &conf, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) - mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max ); + mbedtls_ssl_set_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) @@ -1553,22 +1552,22 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) - mbedtls_ssl_set_truncated_hmac( &ssl, opt.trunc_hmac ); + mbedtls_ssl_set_truncated_hmac( &conf, opt.trunc_hmac ); #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) if( opt.extended_ms != DFL_EXTENDED_MS ) - mbedtls_ssl_set_extended_master_secret( &ssl, opt.extended_ms ); + mbedtls_ssl_set_extended_master_secret( &conf, opt.extended_ms ); #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( opt.etm != DFL_ETM ) - mbedtls_ssl_set_encrypt_then_mac( &ssl, opt.etm ); + mbedtls_ssl_set_encrypt_then_mac( &conf, opt.etm ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) - if( ( ret = mbedtls_ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_alpn_protocols( &conf, alpn_list ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_alpn_protocols returned %d\n\n", ret ); goto exit; @@ -1576,7 +1575,7 @@ int main( int argc, char *argv[] ) #endif mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) if( opt.cache_max != -1 ) @@ -1585,8 +1584,9 @@ int main( int argc, char *argv[] ) if( opt.cache_timeout != -1 ) mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); - mbedtls_ssl_set_session_cache( &ssl, mbedtls_ssl_cache_get, &cache, - mbedtls_ssl_cache_set, &cache ); + mbedtls_ssl_set_session_cache( &conf, + mbedtls_ssl_cache_get, &cache, + mbedtls_ssl_cache_set, &cache ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) @@ -1597,7 +1597,7 @@ int main( int argc, char *argv[] ) } if( opt.ticket_timeout != -1 ) - mbedtls_ssl_set_session_ticket_lifetime( &ssl, opt.ticket_timeout ); + mbedtls_ssl_set_session_ticket_lifetime( &conf, opt.ticket_timeout ); #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -1613,7 +1613,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_set_dtls_cookies( &ssl, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, + mbedtls_ssl_set_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); } else @@ -1621,7 +1621,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.cookies == 0 ) { - mbedtls_ssl_set_dtls_cookies( &ssl, NULL, NULL, NULL ); + mbedtls_ssl_set_dtls_cookies( &conf, NULL, NULL, NULL ); } else #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ @@ -1631,50 +1631,50 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( opt.anti_replay != DFL_ANTI_REPLAY ) - mbedtls_ssl_set_dtls_anti_replay( &ssl, opt.anti_replay ); + mbedtls_ssl_set_dtls_anti_replay( &conf, opt.anti_replay ); #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) if( opt.badmac_limit != DFL_BADMAC_LIMIT ) - mbedtls_ssl_set_dtls_badmac_limit( &ssl, opt.badmac_limit ); + mbedtls_ssl_set_dtls_badmac_limit( &conf, opt.badmac_limit ); #endif } #endif /* MBEDTLS_SSL_PROTO_DTLS */ if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); + mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); if( opt.arc4 != DFL_ARC4 ) - mbedtls_ssl_set_arc4_support( &ssl, opt.arc4 ); + mbedtls_ssl_set_arc4_support( &conf, opt.arc4 ); if( opt.version_suites != NULL ) { - mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[0], + mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[0], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0 ); - mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[1], + mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[1], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1 ); - mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[2], + mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[2], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2 ); - mbedtls_ssl_set_ciphersuites_for_version( &ssl, version_suites[3], + mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[3], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3 ); } if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); + mbedtls_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_set_renegotiation( &ssl, opt.renegotiation ); + mbedtls_ssl_set_renegotiation( &conf, opt.renegotiation ); if( opt.renego_delay != DFL_RENEGO_DELAY ) - mbedtls_ssl_set_renegotiation_enforced( &ssl, opt.renego_delay ); + mbedtls_ssl_set_renegotiation_enforced( &conf, opt.renego_delay ); if( opt.renego_period != DFL_RENEGO_PERIOD ) { renego_period[7] = opt.renego_period; - mbedtls_ssl_set_renegotiation_period( &ssl, renego_period ); + mbedtls_ssl_set_renegotiation_period( &conf, renego_period ); } #endif @@ -1700,7 +1700,7 @@ int main( int argc, char *argv[] ) #if defined(SNI_OPTION) if( opt.sni != NULL ) - mbedtls_ssl_set_sni( &ssl, sni_callback, sni_info ); + mbedtls_ssl_set_sni( &conf, sni_callback, sni_info ); #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -1717,7 +1717,7 @@ int main( int argc, char *argv[] ) } if( opt.psk_list != NULL ) - mbedtls_ssl_set_psk_cb( &ssl, psk_callback, psk_info ); + mbedtls_ssl_set_psk_cb( &conf, psk_callback, psk_info ); #endif #if defined(MBEDTLS_DHM_C) @@ -1726,11 +1726,11 @@ int main( int argc, char *argv[] ) */ #if defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) - ret = mbedtls_ssl_set_dh_param_ctx( &ssl, &dhm ); + ret = mbedtls_ssl_set_dh_param_ctx( &conf, &dhm ); else #endif - ret = mbedtls_ssl_set_dh_param( &ssl, MBEDTLS_DHM_RFC5114_MODP_2048_P, - MBEDTLS_DHM_RFC5114_MODP_2048_G ); + ret = mbedtls_ssl_set_dh_param( &conf, MBEDTLS_DHM_RFC5114_MODP_2048_P, + MBEDTLS_DHM_RFC5114_MODP_2048_G ); if( ret != 0 ) { @@ -1741,7 +1741,7 @@ int main( int argc, char *argv[] ) if( opt.min_version != DFL_MIN_VERSION ) { - ret = mbedtls_ssl_set_min_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); + ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected min_version is not available\n" ); @@ -1751,7 +1751,7 @@ int main( int argc, char *argv[] ) if( opt.max_version != DFL_MIN_VERSION ) { - ret = mbedtls_ssl_set_max_version( &ssl, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); + ret = mbedtls_ssl_set_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected max_version is not available\n" ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index a8bc64a57..9f6356d34 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -412,15 +412,15 @@ int main( int argc, char *argv[] ) if( verify ) { - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED ); + mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); - mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); + mbedtls_ssl_set_verify( &conf, my_verify, NULL ); } else - mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); + mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &ssl, my_debug, stdout ); + mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index f170332c4..5fd5d3486 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -46,7 +46,7 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line, mbedtls_debug_set_log_mode( MBEDTLS_DEBUG_LOG_FULL ); mbedtls_debug_set_threshold( threshold ); - mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); + mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_msg( &ssl, level, file, line, mbedtls_debug_fmt("Text message, 2 == %d", 2 ) ); @@ -75,7 +75,7 @@ void mbedtls_debug_print_ret( int mode, char *file, int line, char *text, int va TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); + mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_ret( &ssl, 0, file, line, text, value); @@ -108,7 +108,7 @@ void mbedtls_debug_print_buf( int mode, char *file, int line, char *text, TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); + mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_buf( &ssl, 0, file, line, text, data, data_len ); @@ -138,7 +138,7 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line, TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); + mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt); @@ -172,7 +172,7 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg(&ssl, string_debug, &buffer); + mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val); From 17eab2b65c02413d6b49d8dbc1ae7f77be35e6f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 5 May 2015 16:34:53 +0100 Subject: [PATCH 09/45] Move set_cbc_record_splitting() to conf --- include/mbedtls/ssl.h | 11 +++++------ library/ssl_tls.c | 11 ++++++++--- programs/ssl/ssl_client2.c | 2 +- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 4f826e403..3fa6ea793 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -258,8 +258,8 @@ #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1 -#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED -1 -#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED 0 +#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED 0 +#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED 1 #define MBEDTLS_SSL_ARC4_ENABLED 0 #define MBEDTLS_SSL_ARC4_DISABLED 1 @@ -1047,8 +1047,7 @@ struct mbedtls_ssl_context unsigned char *compress_buf; /*!< zlib data buffer */ #endif #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - signed char split_done; /*!< flag for record splitting: - -1 disabled, 0 todo, 1 done */ + signed char split_done; /*!< current record already splitted? */ #endif /* @@ -1914,11 +1913,11 @@ int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); * \note Only affects SSLv3 and TLS 1.0, not higher versions. * Does not affect non-CBC ciphersuites in any version. * - * \param ssl SSL context + * \param conf SSL configuration * \param split MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or * MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED */ -void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_context *ssl, char split ); +void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split ); #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6702c8bb6..7ac419b50 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5619,9 +5619,9 @@ int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_context *ssl, char split ) +void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) { - ssl->split_done = split; + conf->cbc_record_splitting = split; } #endif @@ -6320,7 +6320,8 @@ static int ssl_write_split( mbedtls_ssl_context *ssl, { int ret; - if( ssl->split_done == MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || + if( ssl->conf->cbc_record_splitting == + MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || len <= 1 || ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) @@ -6658,6 +6659,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; #endif +#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) + conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; +#endif + #if defined(MBEDTLS_SSL_SESSION_TICKETS) conf->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; #endif diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 0f2313c1e..47e4bd5d9 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1101,7 +1101,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) if( opt.recsplit != DFL_RECSPLIT ) - mbedtls_ssl_set_cbc_record_splitting( &ssl, opt.recsplit + mbedtls_ssl_set_cbc_record_splitting( &conf, opt.recsplit ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ); #endif From 6bf89d6ad99a9eb8813bfbfa4c788b5a2aff8808 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 5 May 2015 17:01:57 +0100 Subject: [PATCH 10/45] Move ssl_set_max_fragment_len to work on conf --- include/mbedtls/ssl.h | 4 ++-- library/ssl_tls.c | 4 ++-- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3fa6ea793..c57cb1cd6 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1880,14 +1880,14 @@ void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ); * (Client: set maximum fragment length to emit *and* * negotiate with the server during handshake) * - * \param ssl SSL context + * \param conf SSL configuration * \param mfl_code Code for maximum fragment length (allowed values: * MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024, * MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096) * * \return O if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA */ -int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_code ); +int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ); #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7ac419b50..e93182c75 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5595,7 +5595,7 @@ void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ) } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_code ) +int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) { if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) @@ -5603,7 +5603,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ssl->conf->mfl_code = mfl_code; + conf->mfl_code = mfl_code; return( 0 ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 47e4bd5d9..c6d1ff472 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1077,7 +1077,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if( ( ret = mbedtls_ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_max_frag_len returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e4f8163e6..5f5033a15 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1543,7 +1543,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if( ( ret = mbedtls_ssl_set_max_frag_len( &ssl, opt.mfl_code ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_max_frag_len returned %d\n\n", ret ); goto exit; From 684b0592cb8bc41df13a3a7f01a3fabf58fdbd1b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 09:27:31 +0100 Subject: [PATCH 11/45] Move ssl_set_fallback() to work on conf Initially thought it would be per-connection, but since max_version is in conf too, and you need to lower that for a fallback connection, the fallback flag should be in the same place --- include/mbedtls/ssl.h | 11 +++++------ library/ssl_cli.c | 2 +- library/ssl_tls.c | 4 ++-- programs/ssl/ssl_client2.c | 2 +- 4 files changed, 9 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c57cb1cd6..a73ffe554 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -931,6 +931,9 @@ typedef struct #if defined(MBEDTLS_SSL_SESSION_TICKETS) unsigned int session_tickets : 1; /*!< use session tickets? */ #endif +#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) + unsigned int fallback : 1; /*!< is this a fallback? */ +#endif } mbedtls_ssl_config; @@ -956,10 +959,6 @@ struct mbedtls_ssl_context unsigned badmac_seen; /*!< records with a bad MAC received */ #endif -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) - char fallback; /*!< flag for fallback connections */ -#endif - /* * Callbacks */ @@ -1820,10 +1819,10 @@ int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor * while, then cause failures when the server is upgraded to * support a newer TLS version. * - * \param ssl SSL context + * \param conf SSL configuration * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK */ -void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback ); +void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback ); #endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 354cc5a2b..bbc88381a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -733,7 +733,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) /* Some versions of OpenSSL don't handle it correctly if not at end */ #if defined(MBEDTLS_SSL_FALLBACK_SCSV) - if( ssl->fallback == MBEDTLS_SSL_IS_FALLBACK ) + if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e93182c75..f72a2c443 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5569,9 +5569,9 @@ int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor } #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) -void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback ) +void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback ) { - ssl->fallback = fallback; + conf->fallback = fallback; } #endif diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index c6d1ff472..afaafc467 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1207,7 +1207,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_FALLBACK_SCSV) if( opt.fallback != DFL_FALLBACK ) - mbedtls_ssl_set_fallback( &ssl, opt.fallback ); + mbedtls_ssl_set_fallback( &conf, opt.fallback ); #endif mbedtls_printf( " ok\n" ); From e51bba05cf09aa1f29a82d7727c33474ff79e690 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 09:33:13 +0100 Subject: [PATCH 12/45] Make mfl_code a bitfield member --- include/mbedtls/ssl.h | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index a73ffe554..750e89d3f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -896,10 +896,6 @@ typedef struct unsigned char min_major_ver; /*!< min. major version used */ unsigned char min_minor_ver; /*!< min. minor version used */ -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned char mfl_code; /*!< desired fragment length */ -#endif - /* * Flags (bitfields) */ @@ -910,6 +906,9 @@ typedef struct unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */ +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + unsigned int mfl_code : 3; /*!< desired fragment length */ +#endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac? */ #endif From 2b49445876e867fe3e25a356e6d11ea68774f275 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 10:05:11 +0100 Subject: [PATCH 13/45] Move session ticket keys to conf This is temporary, they will soon be replaced by callbacks. !!! In this intermediate step security is removed !!! --- include/mbedtls/ssl.h | 15 +++++-------- library/ssl_srv.c | 16 ++++++------- library/ssl_tls.c | 46 +++++++++++++++----------------------- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 5 files changed, 34 insertions(+), 47 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 750e89d3f..20d9c74f2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -864,6 +864,10 @@ typedef struct const char **alpn_list; /*!< ordered list of protocols */ #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + /* * Numerical settings (int then char) */ @@ -1055,13 +1059,6 @@ struct mbedtls_ssl_context const char *peer_cn; /*!< expected peer CN */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ - /* - * Support for generating and checking session tickets - */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - int client_auth; /*!< flag for client auth. */ int verify_result; /*!< verification result */ @@ -1928,14 +1925,14 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split * to allow generating the ticket encryption and * authentication keys. * - * \param ssl SSL context + * \param conf SSL configuration * \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or * MBEDTLS_SSL_SESSION_TICKETS_DISABLED) * * \return O if successful, * or a specific error code (server only). */ -int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ); +int mbedtls_ssl_set_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); /** * \brief Set session ticket lifetime (server only) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e91d13c39..59fce958b 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -189,11 +189,11 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen ) *tlen = 0; - if( ssl->ticket_keys == NULL ) + if( ssl->conf->ticket_keys == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); /* Write key name */ - memcpy( p, ssl->ticket_keys->key_name, 16 ); + memcpy( p, ssl->conf->ticket_keys->key_name, 16 ); p += 16; /* Generate and write IV (with a copy for aes_crypt) */ @@ -224,7 +224,7 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen ) state[i] = (unsigned char) pad_len; /* Encrypt */ - if( ( ret = mbedtls_aes_crypt_cbc( &ssl->ticket_keys->enc, MBEDTLS_AES_ENCRYPT, + if( ( ret = mbedtls_aes_crypt_cbc( &ssl->conf->ticket_keys->enc, MBEDTLS_AES_ENCRYPT, enc_len, iv, state, state ) ) != 0 ) { return( ret ); @@ -237,7 +237,7 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen ) /* Compute and write MAC( key_name + iv + enc_state_len + enc_state ) */ if( ( ret = mbedtls_md_hmac( mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), - ssl->ticket_keys->mac_key, 16, + ssl->conf->ticket_keys->mac_key, 16, start, p - start, p ) ) != 0 ) { return( ret ); @@ -271,7 +271,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 3, "session ticket structure", buf, len ); - if( len < 34 || ssl->ticket_keys == NULL ) + if( len < 34 || ssl->conf->ticket_keys == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; @@ -283,12 +283,12 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl, /* Check name, in constant time though it's not a big secret */ diff = 0; for( i = 0; i < 16; i++ ) - diff |= key_name[i] ^ ssl->ticket_keys->key_name[i]; + diff |= key_name[i] ^ ssl->conf->ticket_keys->key_name[i]; /* don't return yet, check the MAC anyway */ /* Check mac, with constant-time buffer comparison */ if( ( ret = mbedtls_md_hmac( mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), - ssl->ticket_keys->mac_key, 16, + ssl->conf->ticket_keys->mac_key, 16, buf, len - 32, computed_mac ) ) != 0 ) { return( ret ); @@ -303,7 +303,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INVALID_MAC ); /* Decrypt */ - if( ( ret = mbedtls_aes_crypt_cbc( &ssl->ticket_keys->dec, MBEDTLS_AES_DECRYPT, + if( ( ret = mbedtls_aes_crypt_cbc( &ssl->conf->ticket_keys->dec, MBEDTLS_AES_DECRYPT, enc_len, iv, ticket, ticket ) ) != 0 ) { return( ret ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f72a2c443..276a0dafc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5120,13 +5120,13 @@ static void ssl_ticket_keys_free( mbedtls_ssl_ticket_keys *tkeys ) /* * Allocate and initialize ticket keys */ -static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) +static int ssl_ticket_keys_init( mbedtls_ssl_config *conf ) { int ret; mbedtls_ssl_ticket_keys *tkeys; unsigned char buf[16]; - if( ssl->ticket_keys != NULL ) + if( conf->ticket_keys != NULL ) return( 0 ); tkeys = mbedtls_malloc( sizeof(mbedtls_ssl_ticket_keys) ); @@ -5136,15 +5136,15 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) mbedtls_aes_init( &tkeys->enc ); mbedtls_aes_init( &tkeys->dec ); - if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->key_name, 16 ) ) != 0 ) - { - ssl_ticket_keys_free( tkeys ); - mbedtls_free( tkeys ); - return( ret ); - } + /* Temporary WIP! Using hardcoded keys. This is to remove the dependency + * on the RNG and allow puttint the keys in conf. Key generation will soon + * be move outside the main SSL module anyway. */ - if( ( ret = ssl->f_rng( ssl->p_rng, buf, 16 ) ) != 0 || - ( ret = mbedtls_aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 || + memset( tkeys->key_name, 'x', 16 ); + memset( tkeys->mac_key, 0x2a, 16 ); + memset( buf, 0x2a, 16 ); + + if( ( ret = mbedtls_aes_setkey_enc( &tkeys->enc, buf, 128 ) ) != 0 || ( ret = mbedtls_aes_setkey_dec( &tkeys->dec, buf, 128 ) ) != 0 ) { ssl_ticket_keys_free( tkeys ); @@ -5152,14 +5152,7 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) return( ret ); } - if( ( ret = ssl->f_rng( ssl->p_rng, tkeys->mac_key, 16 ) ) != 0 ) - { - ssl_ticket_keys_free( tkeys ); - mbedtls_free( tkeys ); - return( ret ); - } - - ssl->ticket_keys = tkeys; + conf->ticket_keys = tkeys; return( 0 ); } @@ -5649,22 +5642,19 @@ void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) -int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) +int mbedtls_ssl_set_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) { - ssl->conf->session_tickets = use_tickets; + conf->session_tickets = use_tickets; #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) return( 0 ); #endif if( use_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) return( 0 ); - if( ssl->f_rng == NULL ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - - return( ssl_ticket_keys_init( ssl ) ); + return( ssl_ticket_keys_init( conf ) ); } void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ) @@ -6562,10 +6552,10 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ssl->ticket_keys ) + if( ssl->conf->ticket_keys ) { - ssl_ticket_keys_free( ssl->ticket_keys ); - mbedtls_free( ssl->ticket_keys ); + ssl_ticket_keys_free( ssl->conf->ticket_keys ); + mbedtls_free( ssl->conf->ticket_keys ); } #endif diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index afaafc467..03ac1b35d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1131,7 +1131,7 @@ int main( int argc, char *argv[] ) opt.read_timeout ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ( ret = mbedtls_ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_session_tickets( &conf, opt.tickets ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_session_tickets returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5f5033a15..e5fcfdf31 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1590,7 +1590,7 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ( ret = mbedtls_ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_session_tickets( &conf, opt.tickets ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_session_tickets returned %d\n\n", ret ); goto exit; From ba26c24769939ce821bb9cc906564a72fcdb9a62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 10:47:06 +0100 Subject: [PATCH 14/45] Change how hostname is stored internally --- include/mbedtls/ssl.h | 3 +-- library/ssl_cli.c | 19 +++++++++++-------- library/ssl_tls.c | 16 ++++++++-------- 3 files changed, 20 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 20d9c74f2..6dfa9f47a 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1069,8 +1069,7 @@ struct mbedtls_ssl_context /* * SNI extension */ - unsigned char *hostname; - size_t hostname_len; + char *hostname; #endif #if defined(MBEDTLS_SSL_ALPN) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index bbc88381a..a6e020217 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -65,6 +65,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, size_t *olen ) { unsigned char *p = buf; + size_t hostname_len; *olen = 0; @@ -74,6 +75,8 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s", ssl->hostname ) ); + hostname_len = strlen( ssl->hostname ); + /* * struct { * NameType name_type; @@ -95,19 +98,19 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF ); - *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( (ssl->hostname_len + 5) ) & 0xFF ); + *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF ); - *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( (ssl->hostname_len + 3) ) & 0xFF ); + *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF ); - *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF ); - *p++ = (unsigned char)( ( ssl->hostname_len ) & 0xFF ); + *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF ); + *p++ = (unsigned char)( ( hostname_len ) & 0xFF ); - memcpy( p, ssl->hostname, ssl->hostname_len ); + memcpy( p, ssl->hostname, hostname_len ); - *olen = ssl->hostname_len + 9; + *olen = hostname_len + 9; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 276a0dafc..d417065d8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5453,23 +5453,24 @@ void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) { + size_t hostname_len; + if( hostname == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->hostname_len = strlen( hostname ); + hostname_len = strlen( hostname ); - if( ssl->hostname_len + 1 == 0 ) + if( hostname_len + 1 == 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->hostname = mbedtls_malloc( ssl->hostname_len + 1 ); + ssl->hostname = mbedtls_malloc( hostname_len + 1 ); if( ssl->hostname == NULL ) return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); - memcpy( ssl->hostname, (const unsigned char *) hostname, - ssl->hostname_len ); + memcpy( ssl->hostname, hostname, hostname_len ); - ssl->hostname[ssl->hostname_len] = '\0'; + ssl->hostname[hostname_len] = '\0'; return( 0 ); } @@ -6562,9 +6563,8 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ssl->hostname != NULL ) { - mbedtls_zeroize( ssl->hostname, ssl->hostname_len ); + mbedtls_zeroize( ssl->hostname, strlen( ssl->hostname ) ); mbedtls_free( ssl->hostname ); - ssl->hostname_len = 0; } #endif From bc2b771af4b67c900813e58e7c8c77d7907291c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 11:14:19 +0100 Subject: [PATCH 15/45] Move ssl_set_ca_chain() to work on config --- ChangeLog | 2 ++ include/mbedtls/ssl.h | 24 ++++++++++-------------- library/ssl_tls.c | 16 +++++++++------- programs/ssl/dtls_client.c | 11 ++++++++--- programs/ssl/dtls_server.c | 2 +- programs/ssl/mini_client.c | 8 +++++++- programs/ssl/ssl_client1.c | 7 ++++++- programs/ssl/ssl_client2.c | 15 ++++++--------- programs/ssl/ssl_fork_server.c | 2 +- programs/ssl/ssl_mail_client.c | 7 ++++++- programs/ssl/ssl_pthread_server.c | 2 +- programs/ssl/ssl_server.c | 2 +- programs/ssl/ssl_server2.c | 2 +- programs/x509/cert_app.c | 4 +--- 14 files changed, 60 insertions(+), 44 deletions(-) diff --git a/ChangeLog b/ChangeLog index d81050445..cf834d3fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,8 @@ API Changes mbedtls_gcm_init() -> mbedtls_gcm_setkey() mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_init(_buf)() mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_init(_buf)() + * mbedtls_ssl_set_ca_chain() lost its last argument (peer_cn), now set + using mbedtls_ssl_set_hostname(). * Renamed mbedtls_pkcs11_priv_key_init() to ..._bind() and mbedtls_pkcs11_x509_cert_init() as well (handled by rename.pl and compat-1.3.h) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6dfa9f47a..7d660bc67 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1055,21 +1055,15 @@ struct mbedtls_ssl_context /* * PKI layer */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) - const char *peer_cn; /*!< expected peer CN */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ - int client_auth; /*!< flag for client auth. */ int verify_result; /*!< verification result */ /* * User settings */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - /* - * SNI extension - */ - char *hostname; +#if defined(MBEDTLS_X509_CRT_PARSE_C) + char *hostname; /*!< expected peer CN for verification + (and SNI if available) */ #endif #if defined(MBEDTLS_SSL_ALPN) @@ -1575,13 +1569,13 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, /** * \brief Set the data required to verify peer certificate * - * \param ssl SSL context + * \param conf SSL configuration * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs) * \param ca_crl trusted CA CRLs - * \param peer_cn expected peer CommonName (or NULL) */ -void mbedtls_ssl_set_ca_chain( mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, - mbedtls_x509_crl *ca_crl, const char *peer_cn ); +void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl ); /** * \brief Set own certificate chain and private key @@ -1695,7 +1689,7 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_SSL_SET_CURVES */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Set hostname for ServerName TLS extension * (client-side only) @@ -1707,7 +1701,9 @@ void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_i * \return 0 if successful or MBEDTLS_ERR_SSL_MALLOC_FAILED */ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); +#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** * \brief Set server side ServerName TLS extension callback * (optional, server-side only). diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d417065d8..ad95a1f46 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4030,7 +4030,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * Main check: verify certificate */ ret = mbedtls_x509_crt_verify( ssl->session_negotiate->peer_cert, - ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->peer_cn, + ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->hostname, &ssl->session_negotiate->verify_result, ssl->conf->f_vrfy, ssl->conf->p_vrfy ); @@ -5345,12 +5345,12 @@ static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) return( key_cert ); } -void mbedtls_ssl_set_ca_chain( mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, - mbedtls_x509_crl *ca_crl, const char *peer_cn ) +void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl ) { - ssl->conf->ca_chain = ca_chain; - ssl->conf->ca_crl = ca_crl; - ssl->peer_cn = peer_cn; + conf->ca_chain = ca_chain; + conf->ca_crl = ca_crl; } int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, @@ -5450,7 +5450,7 @@ void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, } #endif -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) { size_t hostname_len; @@ -5474,7 +5474,9 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) return( 0 ); } +#endif +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index eb27f3cbe..9f8fcbfa3 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -176,13 +176,16 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( " ok\n" ); - /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); @@ -191,6 +194,8 @@ int main( int argc, char *argv[] ) mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout, READ_TIMEOUT_MS ); + mbedtls_printf( " ok\n" ); + /* * 4. Handshake */ diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 96cb1368d..9a925ec27 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -215,7 +215,7 @@ int main( void ) mbedtls_ssl_cache_set, &cache ); #endif - mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) { printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 5d140b911..d6ee5702f 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -149,6 +149,7 @@ enum exit_codes ctr_drbg_seed_failed, ssl_config_default_failed, ssl_setup_failed, + hostname_failed, socket_failed, connect_failed, x509_crt_parse_failed, @@ -216,7 +217,12 @@ int main( void ) goto exit; } - mbedtls_ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME ); + mbedtls_ssl_set_ca_chain( &conf, &ca, NULL ); + if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) + { + ret = hostname_failed; + goto exit; + } mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); #endif diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 38a510c35..d7cb14199 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -169,7 +169,12 @@ int main( void ) /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 03ac1b35d..aaf22db33 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1154,7 +1154,7 @@ int main( int argc, char *argv[] ) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); } if( strcmp( opt.crt_file, "none" ) != 0 && strcmp( opt.key_file, "none" ) != 0 ) @@ -1165,6 +1165,11 @@ int main( int argc, char *argv[] ) goto exit; } } + if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -1177,14 +1182,6 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); - goto exit; - } -#endif - if( opt.min_version != DFL_MIN_VERSION ) { ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 877f9581c..50de5ef54 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -269,7 +269,7 @@ int main( void ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); - mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 000ed09f6..ab849a95c 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -611,7 +611,12 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index e951b3ad7..1fc326263 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -188,7 +188,7 @@ static void *handle_ssl_connection( void *data ) mbedtls_ssl_cache_set, thread_info->cache ); #endif - mbedtls_ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, thread_info->ca_chain, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 2302f06f6..61b9dc95e 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -214,7 +214,7 @@ int main( void ) mbedtls_ssl_cache_set, &cache ); #endif - mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e5fcfdf31..954ae430d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1682,7 +1682,7 @@ int main( int argc, char *argv[] ) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); } if( key_cert_init ) if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 9f6356d34..2bac2ae7a 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -413,7 +413,7 @@ int main( int argc, char *argv[] ) if( verify ) { mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); mbedtls_ssl_set_verify( &conf, my_verify, NULL ); } else @@ -429,13 +429,11 @@ int main( int argc, char *argv[] ) goto ssl_exit; } -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto ssl_exit; } -#endif /* * 4. Handshake From 8620f73cdc5e8febf6a9cae5c460d37c699190c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 14:42:06 +0100 Subject: [PATCH 16/45] Documentation tune-ups --- include/mbedtls/ssl.h | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7d660bc67..803f6160c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1176,9 +1176,6 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ); * * \param conf SSL configuration * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER - * - * \note This function should be called right after mbedtls_ssl_init() since - * some other ssl_set_foo() functions depend on it. */ void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ); @@ -1192,9 +1189,6 @@ void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ); * MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS. * \return 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA * - * \note If DTLS is selected and max and/or min version are less - * than TLS 1.1 (DTLS 1.0) they are upped to that value. - * * \note For DTLS, you must either provide a recv callback that * doesn't block, or one that handles timeouts, see * mbedtls_ssl_set_bio_timeout() @@ -2255,6 +2249,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ); * * \param conf SSL configuration context * + * \note See \c mbedtls_ssl_set_transport() for notes on DTLS. + * * \return 0 if successful, or * MBEDTLS_ERR_XXX_ALLOC_FAILED on memorr allocation error. */ From cc3195e81f40401ee68db63adfc6a39d0683fc92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 14:53:09 +0100 Subject: [PATCH 17/45] Fix misplaced #ifdef --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 803f6160c..16a6a13bd 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1288,7 +1288,6 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, #undef MBEDTLS_DEPRECATED #endif /* MBEDTLS_DEPRECATED_REMOVED */ -#if defined(MBEDTLS_SSL_SRV_C) /** * \brief Set the underlying BIO callbacks for write, read and * read-with-timeout. @@ -1463,6 +1462,7 @@ void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ +#if defined(MBEDTLS_SSL_SRV_C) /** * \brief Set the session cache callbacks (server-side only) * If not set, no session resuming is done (except if session From 97fd52c529e293f98674f313fb2da9a9f8b85fbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 15:38:52 +0100 Subject: [PATCH 18/45] Split ssl_set_read_timeout() out of bio_timeout() --- include/mbedtls/ssl.h | 17 ++++++++++++++--- library/ssl_tls.c | 9 ++++++--- programs/ssl/dtls_client.c | 3 +-- programs/ssl/dtls_server.c | 3 +-- programs/ssl/mini_client.c | 2 +- programs/ssl/ssl_client1.c | 2 +- programs/ssl/ssl_client2.c | 10 +++++----- programs/ssl/ssl_fork_server.c | 2 +- programs/ssl/ssl_mail_client.c | 2 +- programs/ssl/ssl_pthread_server.c | 2 +- programs/ssl/ssl_server.c | 2 +- programs/ssl/ssl_server2.c | 9 +++++---- programs/x509/cert_app.c | 2 +- 13 files changed, 39 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 16a6a13bd..aa8f1e39b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1298,7 +1298,6 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * \param f_recv read callback * \param f_recv_timeout read callback with timeout. * The last argument of the callback is the timeout in seconds - * \param timeout value of the mbedtls_ssl_read() timeout in milliseconds * * \note f_recv_timeout is required for DTLS, unless f_recv performs * non-blocking reads. @@ -1309,8 +1308,20 @@ void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, void *p_bio, int (*f_send)(void *, const unsigned char *, size_t), int (*f_recv)(void *, unsigned char *, size_t), - int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t), - uint32_t timeout ); + int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t) ); + +/** + * \brief Set the timeout period for mbedtls_ssl_read() + * (Default: no timeout.) + * + * \param conf SSL configuration context + * \param timeout Timeout value in milliseconds. + * Use 0 for no timeout (default). + * + * \note With blocking I/O, this will only work if a non-NULL + * \c f_recv_timeout was set with \c mbedtls_ssl_set_bio_timeout(). + */ +void mbedtls_ssl_set_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ad95a1f46..f7ee5f232 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5249,14 +5249,17 @@ void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, void *p_bio, int (*f_send)(void *, const unsigned char *, size_t), int (*f_recv)(void *, unsigned char *, size_t), - int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t), - uint32_t timeout ) + int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t) ) { ssl->p_bio = p_bio; ssl->f_send = f_send; ssl->f_recv = f_recv; ssl->f_recv_timeout = f_recv_timeout; - ssl->conf->read_timeout = timeout; +} + +void mbedtls_ssl_set_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) +{ + conf->read_timeout = timeout; } #if defined(MBEDTLS_SSL_SRV_C) diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 9f8fcbfa3..f8ecf077d 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -191,8 +191,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, - mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout, - READ_TIMEOUT_MS ); + mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 9a925ec27..2b53fbead 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -280,8 +280,7 @@ reset: } mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, - mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout, - READ_TIMEOUT_MS ); + mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); printf( " ok\n" ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index d6ee5702f..dc41b398b 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -250,7 +250,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( mbedtls_ssl_handshake( &ssl ) != 0 ) { diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index d7cb14199..14f089e2d 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -178,7 +178,7 @@ int main( void ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); /* * 4. Handshake diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index aaf22db33..5d21450d5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1119,16 +1119,16 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); if( opt.nbio == 2 ) - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, my_send, my_recv, NULL, - opt.read_timeout ); + mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, my_send, my_recv, NULL ); else mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, #if defined(MBEDTLS_HAVE_TIME) - opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL, + opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL #else - NULL, + NULL #endif - opt.read_timeout ); + ); + mbedtls_ssl_set_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) if( ( ret = mbedtls_ssl_set_session_tickets( &conf, opt.tickets ) ) != 0 ) diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 50de5ef54..91f0060c5 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -267,7 +267,7 @@ int main( void ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index ab849a95c..84ae22e62 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -606,7 +606,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 1fc326263..7e576d4e1 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -197,7 +197,7 @@ static void *handle_ssl_connection( void *data ) mbedtls_printf( " [ #%d ] ok\n", thread_id ); - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_printf( " [ #%d ] ok\n", thread_id ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 61b9dc95e..eb5a039b3 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -252,7 +252,7 @@ reset: goto exit; } - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 954ae430d..87b4a2e36 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1819,15 +1819,16 @@ reset: } if( opt.nbio == 2 ) - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, my_send, my_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, my_send, my_recv, NULL ); else mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, #if defined(MBEDTLS_HAVE_TIME) - opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL, + opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL #else - NULL, + NULL #endif - opt.read_timeout ); + ); + mbedtls_ssl_set_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 2bac2ae7a..9459b2d60 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -421,7 +421,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); + mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) { From 1b511f93c6353db39da0ae7534fb8c7a884f9f47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 15:54:23 +0100 Subject: [PATCH 19/45] Rename ssl_set_bio_timeout() to set_bio() Initially thought it was best to keep the old function around and add a new one, but this so many ssl_set_xxx() functions are changing anyway... --- ChangeLog | 8 ++++++-- include/mbedtls/compat-1.3.h | 2 +- include/mbedtls/ssl.h | 33 +++---------------------------- library/ssl_tls.c | 23 ++------------------- programs/ssl/dtls_client.c | 2 +- programs/ssl/dtls_server.c | 2 +- programs/ssl/mini_client.c | 2 +- programs/ssl/ssl_client1.c | 2 +- programs/ssl/ssl_client2.c | 4 ++-- programs/ssl/ssl_fork_server.c | 2 +- programs/ssl/ssl_mail_client.c | 2 +- programs/ssl/ssl_pthread_server.c | 2 +- programs/ssl/ssl_server.c | 2 +- programs/ssl/ssl_server2.c | 4 ++-- programs/x509/cert_app.c | 2 +- 15 files changed, 25 insertions(+), 67 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf834d3fa..861693454 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,7 +41,8 @@ API Changes (support for renegotiation now needs explicit enabling in config.h). * net_connect() and net_bind() have a new 'proto' argument to choose between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP. - * ssl_set_bio() now requires that p_send == p_recv. + * ssl_set_bio() changed signature (contexts merged, order switched, one + additional callback for read-with-timeout). * Some constness fixes Removals @@ -62,7 +63,6 @@ Removals New deprecations * md_init_ctx() is deprecated in favour of md_setup(), that adds a third argument (allowing memory savings if HMAC is not used) - * ssl_set_bio() is deprecated in favour of ssl_set_bio_timeout(). Semi-API changes (technically public, morally private) * Changed md_info_t into an opaque structure (use md_get_xxx() accessors). @@ -88,6 +88,10 @@ Reauirement changes * The NET layer now unconditionnaly relies on getaddrinfo(). * Compiler is required to support C99 types such as long long and uint32_t. +Changes from the 1.4 preview branch + * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with + new prototype, and mbedtls_ssl_set_read_timeout(). + = mbed TLS 1.3 branch Security diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h index 10953dbe5..21c507ef3 100644 --- a/include/mbedtls/compat-1.3.h +++ b/include/mbedtls/compat-1.3.h @@ -2475,7 +2475,7 @@ #define ssl_set_arc4_support mbedtls_ssl_set_arc4_support #define ssl_set_authmode mbedtls_ssl_set_authmode #define ssl_set_bio mbedtls_ssl_set_bio -#define ssl_set_bio_timeout mbedtls_ssl_set_bio_timeout +#define ssl_set_bio mbedtls_ssl_set_bio_timeout #define ssl_set_ca_chain mbedtls_ssl_set_ca_chain #define ssl_set_cbc_record_splitting mbedtls_ssl_set_cbc_record_splitting #define ssl_set_ciphersuites mbedtls_ssl_set_ciphersuites diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index aa8f1e39b..0a517de0b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1191,7 +1191,7 @@ void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ); * * \note For DTLS, you must either provide a recv callback that * doesn't block, or one that handles timeouts, see - * mbedtls_ssl_set_bio_timeout() + * mbedtls_ssl_set_bio() */ int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ); @@ -1261,33 +1261,6 @@ void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, void (*f_dbg)(void *, int, const char *), void *p_dbg ); -#if ! defined(MBEDTLS_DEPRECATED_REMOVED) -#if defined(MBEDTLS_DEPRECATED_WARNING) -#define MBEDTLS_DEPRECATED __attribute__((deprecated)) -#else -#define MBEDTLS_DEPRECATED -#endif -/** - * \brief Set the underlying BIO read and write callbacks - * - * \param ssl SSL context - * \param f_recv read callback - * \param p_recv read parameter (must be equal to write parameter) - * \param f_send write callback - * \param p_send write parameter (must be equal to read parameter) - * - * \warning It is required that p_recv == p_send. Otherwise, the first - * attempt at sending or receiving will result in a - * MBEDTLS_ERR_SSL_BAD_INPUT_DATA error. - * - * \deprecated Superseded by mbedtls_ssl_set_bio_timeout() in 2.0.0 - */ -void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, - int (*f_recv)(void *, unsigned char *, size_t), void *p_recv, - int (*f_send)(void *, const unsigned char *, size_t), void *p_send ) MBEDTLS_DEPRECATED; -#undef MBEDTLS_DEPRECATED -#endif /* MBEDTLS_DEPRECATED_REMOVED */ - /** * \brief Set the underlying BIO callbacks for write, read and * read-with-timeout. @@ -1304,7 +1277,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * * \note TODO: timeout not supported with TLS yet */ -void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, void *p_bio, int (*f_send)(void *, const unsigned char *, size_t), int (*f_recv)(void *, unsigned char *, size_t), @@ -1319,7 +1292,7 @@ void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, * Use 0 for no timeout (default). * * \note With blocking I/O, this will only work if a non-NULL - * \c f_recv_timeout was set with \c mbedtls_ssl_set_bio_timeout(). + * \c f_recv_timeout was set with \c mbedtls_ssl_set_bio(). */ void mbedtls_ssl_set_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f7ee5f232..1e176b449 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2186,7 +2186,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio_timeout()" ) ); + "or mbedtls_ssl_set_bio()" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -2372,7 +2372,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ssl->f_send == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio_timeout()" ) ); + "or mbedtls_ssl_set_bio()" ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -5226,26 +5226,7 @@ void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, conf->p_dbg = p_dbg; } -#if ! defined(MBEDTLS_DEPRECATED_REMOVED) void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, - int (*f_recv)(void *, unsigned char *, size_t), void *p_recv, - int (*f_send)(void *, const unsigned char *, size_t), void *p_send ) -{ - if( p_recv != p_send ) - { - ssl->f_recv = NULL; - ssl->f_send = NULL; - ssl->p_bio = NULL; - return; - } - - ssl->f_recv = f_recv; - ssl->f_send = f_send; - ssl->p_bio = p_send; -} -#endif /* MBEDTLS_DEPRECATED_REMOVED */ - -void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, void *p_bio, int (*f_send)(void *, const unsigned char *, size_t), int (*f_recv)(void *, unsigned char *, size_t), diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index f8ecf077d..35b746828 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -190,7 +190,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 2b53fbead..f41233516 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -279,7 +279,7 @@ reset: goto exit; } - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); printf( " ok\n" ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index dc41b398b..f7b11578b 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -250,7 +250,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( mbedtls_ssl_handshake( &ssl ) != 0 ) { diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 14f089e2d..788127270 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -178,7 +178,7 @@ int main( void ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); /* * 4. Handshake diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 5d21450d5..6503d8b73 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1119,9 +1119,9 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); if( opt.nbio == 2 ) - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, my_send, my_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL ); else - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, #if defined(MBEDTLS_HAVE_TIME) opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL #else diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 91f0060c5..e743e3efc 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -267,7 +267,7 @@ int main( void ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 84ae22e62..db513992f 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -606,7 +606,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 7e576d4e1..cbe6b4ddf 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -197,7 +197,7 @@ static void *handle_ssl_connection( void *data ) mbedtls_printf( " [ #%d ] ok\n", thread_id ); - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_printf( " [ #%d ] ok\n", thread_id ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index eb5a039b3..583cfdd71 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -252,7 +252,7 @@ reset: goto exit; } - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 87b4a2e36..7b85ce857 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1819,9 +1819,9 @@ reset: } if( opt.nbio == 2 ) - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, my_send, my_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &client_fd, my_send, my_recv, NULL ); else - mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, #if defined(MBEDTLS_HAVE_TIME) opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL #else diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 9459b2d60..6c0659a7b 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -421,7 +421,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio_timeout( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) { From 8836994f6b9527f5565d38d758709a3ac8797550 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 16:19:31 +0100 Subject: [PATCH 20/45] Move WANT_READ/WANT_WRITE codes to SSL --- ChangeLog | 2 ++ include/mbedtls/compat-1.3.h | 6 ++--- include/mbedtls/error.h | 4 +-- include/mbedtls/net.h | 23 ++++++++-------- include/mbedtls/ssl.h | 16 ++++++----- library/error.c | 12 ++++----- library/net.c | 16 +++++------ library/ssl_tls.c | 24 ++++++++--------- programs/ssl/dtls_client.c | 16 +++++------ programs/ssl/dtls_server.c | 16 +++++------ programs/ssl/ssl_client1.c | 6 ++--- programs/ssl/ssl_client2.c | 38 +++++++++++++-------------- programs/ssl/ssl_fork_server.c | 6 ++--- programs/ssl/ssl_mail_client.c | 8 +++--- programs/ssl/ssl_pthread_server.c | 10 +++---- programs/ssl/ssl_server.c | 10 +++---- programs/ssl/ssl_server2.c | 34 ++++++++++++------------ programs/x509/cert_app.c | 2 +- scripts/data_files/rename-1.3-2.0.txt | 6 ++--- 19 files changed, 130 insertions(+), 125 deletions(-) diff --git a/ChangeLog b/ChangeLog index 861693454..28093ae01 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ API Changes Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are provided. * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). + * Error codes NET_WANT_READ and NET_WANT_WRITE have been moved to the SSL + module and renamed accordingly (handled by rename.pl and compat-1.3.h) * The following _init() functions that could return errors have been split into an _init() that returns void and another function: mbedtls_ssl_init() -> mbedtls_ssl_setup() diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h index 21c507ef3..8b85656f0 100644 --- a/include/mbedtls/compat-1.3.h +++ b/include/mbedtls/compat-1.3.h @@ -1161,10 +1161,10 @@ #define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED #define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED #define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED -#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_NET_TIMEOUT +#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT #define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST -#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_NET_WANT_READ -#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_NET_WANT_WRITE +#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ +#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE #define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL #define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND #define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 099fa426b..c3b0b1573 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -62,7 +62,7 @@ * DES 1 0x0032-0x0032 * CTR_DBRG 4 0x0034-0x003A * ENTROPY 3 0x003C-0x0040 - * NET 12 0x0042-0x0056 0x0011-0x0011 + * NET 9 0x0042-0x0052 * ENTROPY 1 0x0058-0x0058 * ASN1 7 0x0060-0x006C * MD2 1 0x0070-0x0070 @@ -88,7 +88,7 @@ * ECP 4 8 (Started from top) * MD 5 4 * CIPHER 6 6 - * SSL 6 13 (Started from top) + * SSL 6 16 (Started from top) * SSL 7 31 * * Module dependent error code (5 bits 0x.00.-0x.F8.) diff --git a/include/mbedtls/net.h b/include/mbedtls/net.h index 85fa3e74a..077fa3d5d 100644 --- a/include/mbedtls/net.h +++ b/include/mbedtls/net.h @@ -30,6 +30,8 @@ #include MBEDTLS_CONFIG_FILE #endif +#include "ssl.h" + #include #include @@ -41,10 +43,7 @@ #define MBEDTLS_ERR_NET_RECV_FAILED -0x004C /**< Reading information from the socket failed. */ #define MBEDTLS_ERR_NET_SEND_FAILED -0x004E /**< Sending information through the socket failed. */ #define MBEDTLS_ERR_NET_CONN_RESET -0x0050 /**< Connection was reset by peer. */ -#define MBEDTLS_ERR_NET_WANT_READ -0x0052 /**< Connection requires a read call. */ -#define MBEDTLS_ERR_NET_WANT_WRITE -0x0054 /**< Connection requires a write call. */ -#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0056 /**< Failed to get an IP address for the given hostname. */ -#define MBEDTLS_ERR_NET_TIMEOUT -0x0011 /**< The operation timed out. */ +#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /**< Failed to get an IP address for the given hostname. */ #define MBEDTLS_NET_LISTEN_BACKLOG 10 /**< The backlog that listen() should use. */ @@ -100,7 +99,7 @@ int mbedtls_net_bind( int *fd, const char *bind_ip, int port, int proto ); * Must be at least 4 bytes, or 16 if IPv6 is supported * * \return 0 if successful, MBEDTLS_ERR_NET_ACCEPT_FAILED, or - * MBEDTLS_ERR_NET_WANT_READ is bind_fd was set to + * MBEDTLS_ERR_SSL_WANT_READ is bind_fd was set to * non-blocking and accept() is blocking. * * \note With UDP, connects the bind_fd to the client and just copy @@ -148,8 +147,9 @@ void mbedtls_net_usleep( unsigned long usec ); * \param len Maximum length of the buffer * * \return This function returns the number of bytes received, - * or a non-zero error code; MBEDTLS_ERR_NET_WANT_READ - * indicates read() is blocking. + * or a non-zero error code; with a non-blocking socket, + * MBEDTLS_ERR_SSL_WANT_READ indicates read() would be + * blocking. */ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len ); @@ -162,8 +162,9 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len ); * \param len The length of the buffer * * \return This function returns the number of bytes sent, - * or a non-zero error code; MBEDTLS_ERR_NET_WANT_WRITE - * indicates write() is blocking. + * or a non-zero error code; with a non-blocking socket, + * MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would be + * blocking. */ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ); @@ -180,8 +181,8 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ); * * \return This function returns the number of bytes received, * or a non-zero error code: - * MBEDTLS_ERR_NET_TIMEOUT if the operation timed out, - * MBEDTLS_ERR_NET_WANT_READ if interrupted by a signal. + * MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out, + * MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal. * * \note This function will block (until data becomes available or * timeout is reached) even if the socket is set to diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 0a517de0b..92420b533 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -30,7 +30,6 @@ #include MBEDTLS_CONFIG_FILE #endif -#include "net.h" #include "bignum.h" #include "ecp.h" @@ -151,6 +150,9 @@ #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80 /**< DTLS client must retry for hello verification */ #define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00 /**< A buffer is too small to receive or write a message */ #define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE -0x6980 /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */ +#define MBEDTLS_ERR_SSL_WANT_READ -0x6900 /**< Connection requires a read call. */ +#define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880 /**< Connection requires a write call. */ +#define MBEDTLS_ERR_SSL_TIMEOUT -0x6800 /**< The operation timed out. */ /* * Various constants @@ -1269,7 +1271,7 @@ void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, * \param p_bio parameter (context) shared by BIO callbacks * \param f_send write callback * \param f_recv read callback - * \param f_recv_timeout read callback with timeout. + * \param f_recv_timeout blocking read callback with timeout. * The last argument of the callback is the timeout in seconds * * \note f_recv_timeout is required for DTLS, unless f_recv performs @@ -2119,8 +2121,8 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session * * \param ssl SSL context * - * \return 0 if successful, MBEDTLS_ERR_NET_WANT_READ, - * MBEDTLS_ERR_NET_WANT_WRITE, or a specific SSL error code. + * \return 0 if successful, MBEDTLS_ERR_SSL_WANT_READ, + * MBEDTLS_ERR_SSL_WANT_WRITE, or a specific SSL error code. */ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); @@ -2133,8 +2135,8 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ); * * \param ssl SSL context * - * \return 0 if successful, MBEDTLS_ERR_NET_WANT_READ, - * MBEDTLS_ERR_NET_WANT_WRITE, or a specific SSL error code. + * \return 0 if successful, MBEDTLS_ERR_SSL_WANT_READ, + * MBEDTLS_ERR_SSL_WANT_WRITE, or a specific SSL error code. */ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ); @@ -2174,7 +2176,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * \return This function returns the number of bytes written, * or a negative error code. * - * \note When this function returns MBEDTLS_ERR_NET_WANT_WRITE, + * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE, * it must be called later with the *same* arguments, * until it returns a positive value. * diff --git a/library/error.c b/library/error.c index 4281e89a7..1a82cc934 100644 --- a/library/error.c +++ b/library/error.c @@ -457,6 +457,12 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" ); if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) ) mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" ); + if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) ) + mbedtls_snprintf( buf, buflen, "SSL - Connection requires a read call" ); + if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) ) + mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" ); + if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) ) + mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" ); #endif /* MBEDTLS_SSL_TLS_C */ #if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C) @@ -675,14 +681,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" ); if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) ) mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" ); - if( use_ret == -(MBEDTLS_ERR_NET_WANT_READ) ) - mbedtls_snprintf( buf, buflen, "NET - Connection requires a read call" ); - if( use_ret == -(MBEDTLS_ERR_NET_WANT_WRITE) ) - mbedtls_snprintf( buf, buflen, "NET - Connection requires a write call" ); if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) ) mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" ); - if( use_ret == -(MBEDTLS_ERR_NET_TIMEOUT) ) - mbedtls_snprintf( buf, buflen, "NET - The operation timed out" ); #endif /* MBEDTLS_NET_C */ #if defined(MBEDTLS_OID_C) diff --git a/library/net.c b/library/net.c index 0db883420..a37213446 100644 --- a/library/net.c +++ b/library/net.c @@ -338,7 +338,7 @@ int mbedtls_net_accept( int bind_fd, int *client_fd, void *client_ip ) if( ret < 0 ) { if( net_would_block( bind_fd ) != 0 ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); return( MBEDTLS_ERR_NET_ACCEPT_FAILED ); } @@ -425,7 +425,7 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len ) if( ret < 0 ) { if( net_would_block( fd ) != 0 ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); #if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \ !defined(EFI32) @@ -436,7 +436,7 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len ) return( MBEDTLS_ERR_NET_CONN_RESET ); if( errno == EINTR ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); #endif return( MBEDTLS_ERR_NET_RECV_FAILED ); @@ -467,17 +467,17 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len, /* Zero fds ready means we timed out */ if( ret == 0 ) - return( MBEDTLS_ERR_NET_TIMEOUT ); + return( MBEDTLS_ERR_SSL_TIMEOUT ); if( ret < 0 ) { #if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \ !defined(EFI32) if( WSAGetLastError() == WSAEINTR ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); #else if( errno == EINTR ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); #endif return( MBEDTLS_ERR_NET_RECV_FAILED ); @@ -499,7 +499,7 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ) if( ret < 0 ) { if( net_would_block( fd ) != 0 ) - return( MBEDTLS_ERR_NET_WANT_WRITE ); + return( MBEDTLS_ERR_SSL_WANT_WRITE ); #if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \ !defined(EFI32) @@ -510,7 +510,7 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ) return( MBEDTLS_ERR_NET_CONN_RESET ); if( errno == EINTR ) - return( MBEDTLS_ERR_NET_WANT_WRITE ); + return( MBEDTLS_ERR_SSL_WANT_WRITE ); #endif return( MBEDTLS_ERR_NET_SEND_FAILED ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1e176b449..229536dd3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2264,7 +2264,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) * that will end up being dropped. */ if( ssl_check_timer( ssl ) != 0 ) - ret = MBEDTLS_ERR_NET_TIMEOUT; + ret = MBEDTLS_ERR_SSL_TIMEOUT; else { len = MBEDTLS_SSL_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf ); @@ -2288,7 +2288,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) return( MBEDTLS_ERR_SSL_CONN_EOF ); } - if( ret == MBEDTLS_ERR_NET_TIMEOUT ) + if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); ssl_set_timer( ssl, 0 ); @@ -2298,7 +2298,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl_double_retransmit_timeout( ssl ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); - return( MBEDTLS_ERR_NET_TIMEOUT ); + return( MBEDTLS_ERR_SSL_TIMEOUT ); } if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) @@ -2307,7 +2307,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) return( ret ); } - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && @@ -2319,7 +2319,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) return( ret ); } - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ } @@ -2964,7 +2964,7 @@ static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context *ssl ) if( ssl_bitmask_check( bitmask, msg_len ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) ); - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) ); @@ -3070,7 +3070,7 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) ssl->handshake->in_msg_seq ) ); } - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } /* Wait until message completion to increment in_msg_seq */ @@ -3584,7 +3584,7 @@ read_record_header: return( ret ); } - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } else { @@ -6063,7 +6063,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); #endif return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } @@ -6076,7 +6076,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); #endif return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } @@ -6144,7 +6144,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* If a non-handshake record was read during renego, fallthrough, * else tell the user they should call mbedtls_ssl_read() again */ if( ! record_read ) - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { @@ -6165,7 +6165,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 35b746828..58068bcad 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -202,8 +202,8 @@ int main( int argc, char *argv[] ) fflush( stdout ); do ret = mbedtls_ssl_handshake( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret != 0 ) { @@ -252,8 +252,8 @@ send_request: len = sizeof( MESSAGE ) - 1; do ret = mbedtls_ssl_write( &ssl, (unsigned char *) MESSAGE, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret < 0 ) { @@ -274,14 +274,14 @@ send_request: memset( buf, 0, sizeof( buf ) ); do ret = mbedtls_ssl_read( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret <= 0 ) { switch( ret ) { - case MBEDTLS_ERR_NET_TIMEOUT: + case MBEDTLS_ERR_SSL_TIMEOUT: mbedtls_printf( " timeout\n\n" ); if( retry_left-- > 0 ) goto send_request; @@ -309,7 +309,7 @@ close_notify: /* No error checking, the connection might be closed already */ do ret = mbedtls_ssl_close_notify( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_WRITE ); ret = 0; mbedtls_printf( " done\n" ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index f41233516..ef899e482 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -291,8 +291,8 @@ reset: fflush( stdout ); do ret = mbedtls_ssl_handshake( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) { @@ -318,14 +318,14 @@ reset: memset( buf, 0, sizeof( buf ) ); do ret = mbedtls_ssl_read( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret <= 0 ) { switch( ret ) { - case MBEDTLS_ERR_NET_TIMEOUT: + case MBEDTLS_ERR_SSL_TIMEOUT: printf( " timeout\n\n" ); goto reset; @@ -350,8 +350,8 @@ reset: fflush( stdout ); do ret = mbedtls_ssl_write( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret < 0 ) { @@ -370,7 +370,7 @@ close_notify: /* No error checking, the connection might be closed already */ do ret = mbedtls_ssl_close_notify( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_WRITE ); ret = 0; printf( " done\n" ); diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 788127270..cac0a1ba2 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -188,7 +188,7 @@ int main( void ) while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret ); goto exit; @@ -226,7 +226,7 @@ int main( void ) while( ( ret = mbedtls_ssl_write( &ssl, buf, len ) ) <= 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); goto exit; @@ -248,7 +248,7 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 6503d8b73..27d87cb0d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -334,11 +334,11 @@ static int my_recv( void *ctx, unsigned char *buf, size_t len ) if( first_try ) { first_try = 0; - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } ret = mbedtls_net_recv( ctx, buf, len ); - if( ret != MBEDTLS_ERR_NET_WANT_READ ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ ) first_try = 1; /* Next call will be a new operation */ return( ret ); } @@ -351,11 +351,11 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) if( first_try ) { first_try = 0; - return( MBEDTLS_ERR_NET_WANT_WRITE ); + return( MBEDTLS_ERR_SSL_WANT_WRITE ); } ret = mbedtls_net_send( ctx, buf, len ); - if( ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_WRITE ) first_try = 1; /* Next call will be a new operation */ return( ret ); } @@ -1217,7 +1217,7 @@ int main( int argc, char *argv[] ) while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n", -ret ); if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) @@ -1303,8 +1303,8 @@ int main( int argc, char *argv[] ) fflush( stdout ); while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret ); goto exit; @@ -1355,8 +1355,8 @@ send_request: while( ( ret = mbedtls_ssl_write( &ssl, buf + written, len - written ) ) <= 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned -0x%x\n\n", -ret ); goto exit; @@ -1367,8 +1367,8 @@ send_request: else /* Not stream, so datagram */ { do ret = mbedtls_ssl_write( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret < 0 ) { @@ -1400,8 +1400,8 @@ send_request: memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret <= 0 ) @@ -1445,14 +1445,14 @@ send_request: memset( buf, 0, sizeof( buf ) ); do ret = mbedtls_ssl_read( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret <= 0 ) { switch( ret ) { - case MBEDTLS_ERR_NET_TIMEOUT: + case MBEDTLS_ERR_SSL_TIMEOUT: mbedtls_printf( " timeout\n" ); if( retry_left-- > 0 ) goto send_request; @@ -1489,7 +1489,7 @@ close_notify: /* No error checking, the connection might be closed already */ do ret = mbedtls_ssl_close_notify( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_WRITE ); ret = 0; mbedtls_printf( " done\n" ); @@ -1545,8 +1545,8 @@ reconnect: while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret ); goto exit; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index e743e3efc..61a59c62f 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -284,7 +284,7 @@ int main( void ) while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret ); goto exit; @@ -305,7 +305,7 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret <= 0 ) @@ -355,7 +355,7 @@ int main( void ) goto exit; } - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index db513992f..139c1ad12 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -177,7 +177,7 @@ static int do_handshake( mbedtls_ssl_context *ssl ) while( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { #if defined(MBEDTLS_ERROR_C) mbedtls_strerror( ret, (char *) buf, 1024 ); @@ -224,7 +224,7 @@ static int write_ssl_data( mbedtls_ssl_context *ssl, unsigned char *buf, size_t mbedtls_printf("\n%s", buf); while( len && ( ret = mbedtls_ssl_write( ssl, buf, len ) ) <= 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); return -1; @@ -244,7 +244,7 @@ static int write_ssl_and_get_response( mbedtls_ssl_context *ssl, unsigned char * mbedtls_printf("\n%s", buf); while( len && ( ret = mbedtls_ssl_write( ssl, buf, len ) ) <= 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); return -1; @@ -257,7 +257,7 @@ static int write_ssl_and_get_response( mbedtls_ssl_context *ssl, unsigned char * memset( data, 0, sizeof( data ) ); ret = mbedtls_ssl_read( ssl, data, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ) diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index cbe6b4ddf..162d5ca36 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -208,7 +208,7 @@ static void *handle_ssl_connection( void *data ) while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_handshake returned -0x%04x\n", thread_id, -ret ); @@ -229,7 +229,7 @@ static void *handle_ssl_connection( void *data ) memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret <= 0 ) @@ -279,7 +279,7 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_write returned -0x%04x\n", thread_id, ret ); @@ -295,8 +295,8 @@ static void *handle_ssl_connection( void *data ) while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_close_notify returned -0x%04x\n", thread_id, ret ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 583cfdd71..c11fbd5da 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -264,7 +264,7 @@ reset: while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret ); goto reset; @@ -285,7 +285,7 @@ reset: memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret <= 0 ) @@ -333,7 +333,7 @@ reset: goto reset; } - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); goto exit; @@ -347,8 +347,8 @@ reset: while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_close_notify returned %d\n\n", ret ); goto reset; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 7b85ce857..6f6836d9c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -409,11 +409,11 @@ static int my_recv( void *ctx, unsigned char *buf, size_t len ) if( first_try ) { first_try = 0; - return( MBEDTLS_ERR_NET_WANT_READ ); + return( MBEDTLS_ERR_SSL_WANT_READ ); } ret = mbedtls_net_recv( ctx, buf, len ); - if( ret != MBEDTLS_ERR_NET_WANT_READ ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ ) first_try = 1; /* Next call will be a new operation */ return( ret ); } @@ -426,11 +426,11 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) if( first_try ) { first_try = 0; - return( MBEDTLS_ERR_NET_WANT_WRITE ); + return( MBEDTLS_ERR_SSL_WANT_WRITE ); } ret = mbedtls_net_send( ctx, buf, len ); - if( ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_WRITE ) first_try = 1; /* Next call will be a new operation */ return( ret ); } @@ -1874,8 +1874,8 @@ reset: fflush( stdout ); do ret = mbedtls_ssl_handshake( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) { @@ -1959,8 +1959,8 @@ data_exchange: memset( buf, 0, sizeof( buf ) ); ret = mbedtls_ssl_read( &ssl, buf, len ); - if( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ) continue; if( ret <= 0 ) @@ -2050,8 +2050,8 @@ data_exchange: memset( buf, 0, sizeof( buf ) ); do ret = mbedtls_ssl_read( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret <= 0 ) { @@ -2086,8 +2086,8 @@ data_exchange: while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n", ret ); goto reset; @@ -2120,8 +2120,8 @@ data_exchange: goto reset; } - if( ret != MBEDTLS_ERR_NET_WANT_READ && - ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_write returned %d\n\n", ret ); goto reset; @@ -2132,8 +2132,8 @@ data_exchange: else /* Not stream, so datagram */ { do ret = mbedtls_ssl_write( &ssl, buf, len ); - while( ret == MBEDTLS_ERR_NET_WANT_READ || - ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_READ || + ret == MBEDTLS_ERR_SSL_WANT_WRITE ); if( ret < 0 ) { @@ -2163,7 +2163,7 @@ close_notify: /* No error checking, the connection might be closed already */ do ret = mbedtls_ssl_close_notify( &ssl ); - while( ret == MBEDTLS_ERR_NET_WANT_WRITE ); + while( ret == MBEDTLS_ERR_SSL_WANT_WRITE ); ret = 0; mbedtls_printf( " done\n" ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 6c0659a7b..d0aea996e 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -440,7 +440,7 @@ int main( int argc, char *argv[] ) */ while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { - if( ret != MBEDTLS_ERR_NET_WANT_READ && ret != MBEDTLS_ERR_NET_WANT_WRITE ) + if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret ); goto ssl_exit; diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt index 06b56feb9..9ae06ae25 100644 --- a/scripts/data_files/rename-1.3-2.0.txt +++ b/scripts/data_files/rename-1.3-2.0.txt @@ -546,10 +546,10 @@ POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED -POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_NET_TIMEOUT +POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST -POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_NET_WANT_READ -POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_NET_WANT_WRITE +POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ +POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED From 1028b74cff9607cdbcd3635378bb90a7c7a6153e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 17:33:07 +0100 Subject: [PATCH 21/45] Upgrade default DHM params size --- ChangeLog | 1 + include/mbedtls/ssl.h | 4 ++-- library/ssl_srv.c | 6 ++++++ library/ssl_tls.c | 36 ++++++++++++++++++++---------------- programs/ssl/ssl_server2.c | 4 ---- 5 files changed, 29 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 28093ae01..2e5a54f89 100644 --- a/ChangeLog +++ b/ChangeLog @@ -84,6 +84,7 @@ Default behavior changes * Support for RSA_ALT contexts in the PK layer is now optional. Since is is enabled in the default configuration, this is only noticeable if using a custom config.h + * Default DHM parameters server-side upgraded from 1024 to 2048 bits. Reauirement changes * The minimum MSVC version required is now 2010 (better C99 support). diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 92420b533..4782cd539 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1621,11 +1621,11 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, void *p_psk ); #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ -#if defined(MBEDTLS_DHM_C) +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) /** * \brief Set the Diffie-Hellman public P and G values, * read as hexadecimal strings (server-side only) - * (Default: MBEDTLS_DHM_RFC5114_MODP_1024_[PG]) + * (Default: MBEDTLS_DHM_RFC5114_MODP_2048_[PG]) * * \param conf SSL configuration * \param dhm_P Diffie-Hellman-Merkle modulus diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 59fce958b..c537fe4b2 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2871,6 +2871,12 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) { + if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + /* * Ephemeral DH parameters: * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 229536dd3..114f5ae30 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5400,11 +5400,13 @@ int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const { int ret; - if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ) - return( ret ); - - if( ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 || + ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 ) + { + mbedtls_mpi_free( &conf->dhm_P ); + mbedtls_mpi_free( &conf->dhm_G ); return( ret ); + } return( 0 ); } @@ -5413,11 +5415,13 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context { int ret; - if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ) - return( ret ); - - if( ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 || + ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 ) + { + mbedtls_mpi_free( &conf->dhm_P ); + mbedtls_mpi_free( &conf->dhm_G ); return( ret ); + } return( 0 ); } @@ -6667,15 +6671,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->renego_period[7] = 0x00; #endif -#if defined(MBEDTLS_DHM_C) - if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, - MBEDTLS_DHM_RFC5114_MODP_1024_P) ) != 0 || - ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, - MBEDTLS_DHM_RFC5114_MODP_1024_G) ) != 0 ) +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + if( endpoint == MBEDTLS_SSL_IS_SERVER ) { - mbedtls_mpi_free( &conf->dhm_P ); - mbedtls_mpi_free( &conf->dhm_G ); - return( ret ); + if( ( ret = mbedtls_ssl_set_dh_param( conf, + MBEDTLS_DHM_RFC5114_MODP_2048_P, + MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) + { + return( ret ); + } } #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 6f6836d9c..17aa9ff9f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1727,11 +1727,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) ret = mbedtls_ssl_set_dh_param_ctx( &conf, &dhm ); - else #endif - ret = mbedtls_ssl_set_dh_param( &conf, MBEDTLS_DHM_RFC5114_MODP_2048_P, - MBEDTLS_DHM_RFC5114_MODP_2048_G ); - if( ret != 0 ) { mbedtls_printf( " failed\n mbedtls_ssl_set_dh_param returned -0x%04X\n\n", - ret ); From 662c6e8cdd36166693891ba39a22c4a960884db6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 17:39:23 +0100 Subject: [PATCH 22/45] Disable truncated HMAC by default --- ChangeLog | 1 + include/mbedtls/ssl.h | 3 +-- library/ssl_tls.c | 5 ----- tests/ssl-opt.sh | 4 ++-- 4 files changed, 4 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2e5a54f89..68d27472c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -85,6 +85,7 @@ Default behavior changes enabled in the default configuration, this is only noticeable if using a custom config.h * Default DHM parameters server-side upgraded from 1024 to 2048 bits. + * Negotiation of truncated HMAC is now disabled by default on server too. Reauirement changes * The minimum MSVC version required is now 2010 (better C99 support). diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 4782cd539..4c1f68529 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1863,8 +1863,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) /** * \brief Activate negotiation of truncated HMAC - * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client, - * MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.) + * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED) * * \param conf SSL configuration * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 114f5ae30..72bbbd7fb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6618,11 +6618,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, } #endif -#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC) - if( endpoint == MBEDTLS_SSL_IS_SERVER ) - conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; -#endif - conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ae324dbc8..510000a30 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -626,8 +626,8 @@ run_test "Truncated HMAC: client enabled, server default" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ trunc_hmac=1" \ 0 \ - -S "dumping 'computed mac' (20 bytes)" \ - -s "dumping 'computed mac' (10 bytes)" + -s "dumping 'computed mac' (20 bytes)" \ + -S "dumping 'computed mac' (10 bytes)" run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ From 6e088f9a0f26f3f78d5b9495a6ea4744de3e473e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 17:53:08 +0100 Subject: [PATCH 23/45] Group all renamings together in Changelog --- ChangeLog | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 68d27472c..8957110c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,11 +10,10 @@ Features API Changes * All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. + Some names have been further changed to make them more consistent. Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are - provided. + provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). - * Error codes NET_WANT_READ and NET_WANT_WRITE have been moved to the SSL - module and renamed accordingly (handled by rename.pl and compat-1.3.h) * The following _init() functions that could return errors have been split into an _init() that returns void and another function: mbedtls_ssl_init() -> mbedtls_ssl_setup() @@ -24,9 +23,6 @@ API Changes mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_init(_buf)() * mbedtls_ssl_set_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). - * Renamed mbedtls_pkcs11_priv_key_init() to ..._bind() and - mbedtls_pkcs11_x509_cert_init() as well (handled by rename.pl and - compat-1.3.h) * mbedtls_memory_bufer_alloc_init() now returns void * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now return void. From ae319149907137aaeb491b53c2f5fb1217433c25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 17:55:51 +0100 Subject: [PATCH 24/45] Rename ssl_legacy_renegotiation() to ssl_set_... --- include/mbedtls/compat-1.3.h | 2 +- include/mbedtls/ssl.h | 2 +- library/ssl_tls.c | 2 +- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- scripts/data_files/rename-1.3-2.0.txt | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h index 8b85656f0..26439c77f 100644 --- a/include/mbedtls/compat-1.3.h +++ b/include/mbedtls/compat-1.3.h @@ -2443,7 +2443,7 @@ #define ssl_hw_record_write mbedtls_ssl_hw_record_write #define ssl_init mbedtls_ssl_init #define ssl_key_cert mbedtls_ssl_key_cert -#define ssl_legacy_renegotiation mbedtls_ssl_legacy_renegotiation +#define ssl_legacy_renegotiation mbedtls_set_ssl_legacy_renegotiation #define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites #define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash #define ssl_optimize_checksum mbedtls_ssl_optimize_checksum diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 4c1f68529..6ab2dd2e9 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1962,7 +1962,7 @@ void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation * SSL_ALLOW_LEGACY_RENEGOTIATION or * MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) */ -void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ); +void mbedtls_set_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 72bbbd7fb..c0f52925d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5609,7 +5609,7 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split } #endif -void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) +void mbedtls_set_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) { conf->allow_legacy_renegotiation = allow_legacy; } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 27d87cb0d..897c17e76 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1145,7 +1145,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_arc4_support( &conf, opt.arc4 ); if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); + mbedtls_set_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_set_renegotiation( &conf, opt.renegotiation ); #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 17aa9ff9f..68fc81eb1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1664,7 +1664,7 @@ int main( int argc, char *argv[] ) } if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); + mbedtls_set_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_set_renegotiation( &conf, opt.renegotiation ); diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt index 9ae06ae25..431e1bea7 100644 --- a/scripts/data_files/rename-1.3-2.0.txt +++ b/scripts/data_files/rename-1.3-2.0.txt @@ -1969,7 +1969,7 @@ ssl_hw_record_reset mbedtls_ssl_hw_record_reset ssl_hw_record_write mbedtls_ssl_hw_record_write ssl_init mbedtls_ssl_init ssl_key_cert mbedtls_ssl_key_cert -ssl_legacy_renegotiation mbedtls_ssl_legacy_renegotiation +ssl_legacy_renegotiation mbedtls_set_ssl_legacy_renegotiation ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash ssl_optimize_checksum mbedtls_ssl_optimize_checksum From 5cb3308e5fa16a43c52e5230f8e38017933bbfad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 18:06:26 +0100 Subject: [PATCH 25/45] Merge contexts for session cache --- ChangeLog | 2 ++ include/mbedtls/ssl.h | 11 +++++------ library/ssl_srv.c | 2 +- library/ssl_tls.c | 10 +++++----- programs/ssl/dtls_server.c | 6 +++--- programs/ssl/ssl_server.c | 6 +++--- programs/ssl/ssl_server2.c | 6 +++--- 7 files changed, 22 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8957110c5..0b3735c42 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,8 @@ API Changes mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_init(_buf)() * mbedtls_ssl_set_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). + * mbedtls_ssl_set_session_cached() changed prototype (only one context + pointer, parameters reordered). * mbedtls_memory_bufer_alloc_init() now returns void * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now return void. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6ab2dd2e9..b72ba92e2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -807,10 +807,9 @@ typedef struct /** Callback to retrieve a session from the cache */ int (*f_get_cache)(void *, mbedtls_ssl_session *); - void *p_get_cache; /*!< context for cache retrieval */ /** Callback to store a session into the cache */ int (*f_set_cache)(void *, const mbedtls_ssl_session *); - void *p_set_cache; /*!< context for cache store */ + void *p_cache; /*!< context for cache callbacks */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** Callback for setting cert according to SNI extension */ @@ -1482,14 +1481,14 @@ void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, * successfully cached, return 1 otherwise. * * \param conf SSL configuration + * \param p_cache parmater (context) for both callbacks * \param f_get_cache session get callback - * \param p_get_cache session get parameter * \param f_set_cache session set callback - * \param p_set_cache session set parameter */ void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf, - int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache, - int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache ); + void *p_cache, + int (*f_get_cache)(void *, mbedtls_ssl_session *), + int (*f_set_cache)(void *, const mbedtls_ssl_session *) ); #endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_CLI_C) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index c537fe4b2..fd2ee9364 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2475,7 +2475,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif ssl->session_negotiate->length != 0 && ssl->conf->f_get_cache != NULL && - ssl->conf->f_get_cache( ssl->conf->p_get_cache, ssl->session_negotiate ) == 0 ) + ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); ssl->handshake->resume = 1; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c0f52925d..85aa27614 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4575,7 +4575,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) ssl->session->length != 0 && resume == 0 ) { - if( ssl->conf->f_set_cache( ssl->conf->p_set_cache, ssl->session ) != 0 ) + if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } @@ -5245,13 +5245,13 @@ void mbedtls_ssl_set_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) #if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf, - int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache, - int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache ) + void *p_cache, + int (*f_get_cache)(void *, mbedtls_ssl_session *), + int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) { + conf->p_cache = p_cache; conf->f_get_cache = f_get_cache; - conf->p_get_cache = p_get_cache; conf->f_set_cache = f_set_cache; - conf->p_set_cache = p_set_cache; } #endif /* MBEDTLS_SSL_SRV_C */ diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index ef899e482..6ad4e661b 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -210,9 +210,9 @@ int main( void ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &conf, - mbedtls_ssl_cache_get, &cache, - mbedtls_ssl_cache_set, &cache ); + mbedtls_ssl_set_session_cache( &conf, &cache, + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set ); #endif mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index c11fbd5da..9313a88e0 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -209,9 +209,9 @@ int main( void ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &conf, - mbedtls_ssl_cache_get, &cache, - mbedtls_ssl_cache_set, &cache ); + mbedtls_ssl_set_session_cache( &conf, &cache, + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set ); #endif mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 68fc81eb1..9a6d7f3ff 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1584,9 +1584,9 @@ int main( int argc, char *argv[] ) if( opt.cache_timeout != -1 ) mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); - mbedtls_ssl_set_session_cache( &conf, - mbedtls_ssl_cache_get, &cache, - mbedtls_ssl_cache_set, &cache ); + mbedtls_ssl_set_session_cache( &conf, &cache, + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) From 750e4d7769ba54a8241b49672795efa0e431c5f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 7 May 2015 12:35:38 +0100 Subject: [PATCH 26/45] Move ssl_set_rng() to act on config --- include/mbedtls/ssl.h | 17 +++++++++-------- library/ssl_cli.c | 26 +++++++++++++------------- library/ssl_srv.c | 24 ++++++++++++------------ library/ssl_tls.c | 14 +++++++------- programs/ssl/dtls_client.c | 2 +- programs/ssl/dtls_server.c | 2 +- programs/ssl/mini_client.c | 2 +- programs/ssl/ssl_client1.c | 2 +- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_fork_server.c | 2 +- programs/ssl/ssl_mail_client.c | 2 +- programs/ssl/ssl_pthread_server.c | 2 +- programs/ssl/ssl_server.c | 2 +- programs/ssl/ssl_server2.c | 2 +- programs/x509/cert_app.c | 2 +- 15 files changed, 52 insertions(+), 51 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b72ba92e2..a72914fb3 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -799,12 +799,16 @@ typedef struct * Pointers */ - const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ + const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version */ /** Callback for printing debug output */ void (*f_dbg)(void *, int, const char *); void *p_dbg; /*!< context for the debug function */ + /** Callback for getting (pseudo-)random numbers */ + int (*f_rng)(void *, unsigned char *, size_t); + void *p_rng; /*!< context for the RNG function */ + /** Callback to retrieve a session from the cache */ int (*f_get_cache)(void *, mbedtls_ssl_session *); /** Callback to store a session into the cache */ @@ -836,7 +840,7 @@ typedef struct /** Callback to verify validity of a ClientHello cookie */ int (*f_cookie_check)( void *, const unsigned char *, size_t, const unsigned char *, size_t ); - void *p_cookie; /*!< context for the cookie callbacks */ + void *p_cookie; /*!< context for the cookie callbacks */ #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -846,7 +850,7 @@ typedef struct #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_SET_CURVES) - const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ + const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ #endif #if defined(MBEDTLS_DHM_C) @@ -966,9 +970,6 @@ struct mbedtls_ssl_context /* * Callbacks */ - int (*f_rng)(void *, unsigned char *, size_t); - void *p_rng; /*!< context for the RNG function */ - int (*f_send)(void *, const unsigned char *, size_t); int (*f_recv)(void *, unsigned char *, size_t); int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t); @@ -1243,11 +1244,11 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, /** * \brief Set the random number generator callback * - * \param ssl SSL context + * \param conf SSL configuration * \param f_rng RNG function * \param p_rng RNG parameter */ -void mbedtls_ssl_set_rng( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_rng( mbedtls_ssl_config *conf, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); diff --git a/library/ssl_cli.c b/library/ssl_cli.c index a6e020217..0b9de03f3 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -534,13 +534,13 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) ); #else - if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) return( ret ); p += 4; #endif /* MBEDTLS_HAVE_TIME */ - if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) return( ret ); return( 0 ); @@ -558,7 +558,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); - if( ssl->f_rng == NULL ) + if( ssl->conf->f_rng == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); return( MBEDTLS_ERR_SSL_NO_RNG ); @@ -640,7 +640,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) if( ssl->session_negotiate->ticket != NULL && ssl->session_negotiate->ticket_len != 0 ) { - ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 ); + ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 ); if( ret != 0 ) return( ret ); @@ -1785,7 +1785,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, ssl->conf->transport, p ); - if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 ) + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret ); return( ret ); @@ -1807,7 +1807,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, p, ssl->handshake->pmslen, ssl->out_msg + offset + len_bytes, olen, MBEDTLS_SSL_MAX_CONTENT_LEN - offset - len_bytes, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret ); return( ret ); @@ -2461,7 +2461,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), &ssl->out_msg[i], n, - ssl->f_rng, ssl->p_rng ); + ssl->conf->f_rng, ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); @@ -2476,7 +2476,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, ssl->handshake->premaster, &ssl->handshake->pmslen, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); return( ret ); @@ -2503,7 +2503,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, &ssl->out_msg[i], 1000, - ssl->f_rng, ssl->p_rng ); + ssl->conf->f_rng, ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); @@ -2516,7 +2516,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) &ssl->handshake->pmslen, ssl->handshake->premaster, MBEDTLS_MPI_MAX_SIZE, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); return( ret ); @@ -2577,7 +2577,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), &ssl->out_msg[i], n, - ssl->f_rng, ssl->p_rng ); + ssl->conf->f_rng, ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); @@ -2594,7 +2594,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) */ ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, &ssl->out_msg[i], MBEDTLS_SSL_MAX_CONTENT_LEN - i, - ssl->f_rng, ssl->p_rng ); + ssl->conf->f_rng, ssl->conf->p_rng ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); @@ -2804,7 +2804,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash_start, hashlen, ssl->out_msg + 6 + offset, &n, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); return( ret ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index fd2ee9364..8ca3e58f8 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -197,7 +197,7 @@ static int ssl_write_ticket( mbedtls_ssl_context *ssl, size_t *tlen ) p += 16; /* Generate and write IV (with a copy for aes_crypt) */ - if( ( ret = ssl->f_rng( ssl->p_rng, p, 16 ) ) != 0 ) + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 16 ) ) != 0 ) return( ret ); memcpy( iv, p, 16 ); p += 16; @@ -2417,7 +2417,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ - if( ssl->f_rng == NULL ) + if( ssl->conf->f_rng == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") ); return( MBEDTLS_ERR_SSL_NO_RNG ); @@ -2449,13 +2449,13 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) ); #else - if( ( ret = ssl->f_rng( ssl->p_rng, p, 4 ) ) != 0 ) + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 ) return( ret ); p += 4; #endif /* MBEDTLS_HAVE_TIME */ - if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 ) + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 ) return( ret ); p += 28; @@ -2503,7 +2503,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_SESSION_TICKETS */ { ssl->session_negotiate->length = n = 32; - if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, + if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, n ) ) != 0 ) return( ret ); } @@ -2895,7 +2895,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) if( ( ret = mbedtls_dhm_make_params( &ssl->handshake->dhm_ctx, (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), - p, &len, ssl->f_rng, ssl->p_rng ) ) != 0 ) + p, &len, ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret ); return( ret ); @@ -2960,7 +2960,7 @@ curve_matching_done: if( ( ret = mbedtls_ecdh_make_params( &ssl->handshake->ecdh_ctx, &len, p, MBEDTLS_SSL_MAX_CONTENT_LEN - n, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret ); return( ret ); @@ -3124,7 +3124,7 @@ curve_matching_done: if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ), md_alg, hash, hashlen, p + 2 , &signature_len, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret ); return( ret ); @@ -3282,14 +3282,14 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, * Also, avoid data-dependant branches here to protect against * timing-based variants. */ - ret = ssl->f_rng( ssl->p_rng, fake_pms, sizeof( fake_pms ) ); + ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) ); if( ret != 0 ) return( ret ); ret = mbedtls_pk_decrypt( mbedtls_ssl_own_key( ssl ), p, len, peer_pms, &peer_pmslen, sizeof( peer_pms ), - ssl->f_rng, ssl->p_rng ); + ssl->conf->f_rng, ssl->conf->p_rng ); diff = (size_t) ret; diff |= peer_pmslen ^ 48; @@ -3438,7 +3438,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, ssl->handshake->premaster, &ssl->handshake->pmslen, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); @@ -3470,7 +3470,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) &ssl->handshake->pmslen, ssl->handshake->premaster, MBEDTLS_MPI_MAX_SIZE, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 85aa27614..c599761b0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1108,7 +1108,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch /* Write length only when we know the actual value */ if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, p + 2, &len, - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); return( ret ); @@ -1129,7 +1129,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen, p + 2, end - ( p + 2 ), - ssl->f_rng, ssl->p_rng ) ) != 0 ) + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); return( ret ); @@ -1338,7 +1338,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) * Generate IV */ #if defined(MBEDTLS_SSL_AEAD_RANDOM_IV) - ret = ssl->f_rng( ssl->p_rng, + ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen, ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen ); if( ret != 0 ) @@ -1434,7 +1434,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) /* * Generate IV */ - int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc, + int ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, ssl->transform_out->ivlen ); if( ret != 0 ) return( ret ); @@ -5210,12 +5210,12 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_ssl_set_rng( mbedtls_ssl_context *ssl, +void mbedtls_ssl_set_rng( mbedtls_ssl_config *conf, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - ssl->f_rng = f_rng; - ssl->p_rng = p_rng; + conf->f_rng = f_rng; + conf->p_rng = p_rng; } void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 58068bcad..658555a21 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -187,7 +187,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 6ad4e661b..e19ab80a1 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -206,7 +206,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index f7b11578b..0504c76fa 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -203,7 +203,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) mbedtls_ssl_set_psk( &ssl, psk, sizeof( psk ), diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index cac0a1ba2..f3b22fde3 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -176,7 +176,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 897c17e76..0181a2fe5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1115,7 +1115,7 @@ int main( int argc, char *argv[] ) } #endif - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); if( opt.nbio == 2 ) diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 61a59c62f..6051181f5 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -265,7 +265,7 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 139c1ad12..36bb92768 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -604,7 +604,7 @@ int main( int argc, char *argv[] ) * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 162d5ca36..3c69fbfbe 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -176,7 +176,7 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_mutexed_debug, stdout ); /* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 9313a88e0..a8025b37b 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -205,7 +205,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 9a6d7f3ff..e3e680ce5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1574,7 +1574,7 @@ int main( int argc, char *argv[] ) } #endif - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index d0aea996e..1e5ef377d 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -419,7 +419,7 @@ int main( int argc, char *argv[] ) else mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); From 0a4fb095342d07990b823e91ac39dd616bc86af2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 7 May 2015 12:50:31 +0100 Subject: [PATCH 27/45] Make xxx_drbg_random() thread-safe --- ChangeLog | 4 ++++ include/mbedtls/ctr_drbg.h | 8 ++++++++ include/mbedtls/hmac_drbg.h | 8 ++++++++ library/ctr_drbg.c | 30 +++++++++++++++++++++++++++++- library/hmac_drbg.c | 31 +++++++++++++++++++++++++++++-- 5 files changed, 78 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0b3735c42..4011512a0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -94,6 +94,10 @@ Changes from the 1.4 preview branch * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with new prototype, and mbedtls_ssl_set_read_timeout(). +Changes + * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now + thread-safe if MBEDTLS_THREADING_C is enabled. + = mbed TLS 1.3 branch Security diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 3ea4af2ec..cebf43b09 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -26,6 +26,10 @@ #include "aes.h" +#if defined(MBEDTLS_THREADING_C) +#include "mbedtls/threading.h" +#endif + #define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034 /**< The entropy source failed. */ #define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */ #define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */ @@ -99,6 +103,10 @@ typedef struct int (*f_entropy)(void *, unsigned char *, size_t); void *p_entropy; /*!< context for the entropy function */ + +#if defined(MBEDTLS_THREADING_C) + mbedtls_threading_mutex_t mutex; +#endif } mbedtls_ctr_drbg_context; diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h index fb2ee0eb1..eeac3e320 100644 --- a/include/mbedtls/hmac_drbg.h +++ b/include/mbedtls/hmac_drbg.h @@ -26,6 +26,10 @@ #include "md.h" +#if defined(MBEDTLS_THREADING_C) +#include "mbedtls/threading.h" +#endif + /* * Error codes */ @@ -87,6 +91,10 @@ typedef struct /* Callbacks */ int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */ void *p_entropy; /*!< context for the entropy function */ + +#if defined(MBEDTLS_THREADING_C) + mbedtls_threading_mutex_t mutex; +#endif } mbedtls_hmac_drbg_context; /** diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index ec7d9a773..54feb71c9 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -61,6 +61,10 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx ) { memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) ); + +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_init( &ctx->mutex ); +#endif } /* @@ -115,6 +119,9 @@ void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx ) if( ctx == NULL ) return; +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_free( &ctx->mutex ); +#endif mbedtls_aes_free( &ctx->aes_ctx ); mbedtls_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) ); } @@ -392,7 +399,22 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng, int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len ) { - return mbedtls_ctr_drbg_random_with_add( p_rng, output, output_len, NULL, 0 ); + int ret; + mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng; + +#if defined(MBEDTLS_THREADING_C) + if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) + return( ret ); +#endif + + ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 ); + +#if defined(MBEDTLS_THREADING_C) + if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) + return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); +#endif + + return( ret ); } #if defined(MBEDTLS_FS_IO) @@ -537,6 +559,8 @@ int mbedtls_ctr_drbg_self_test( int verbose ) CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) ); + mbedtls_ctr_drbg_free( &ctx ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -546,6 +570,8 @@ int mbedtls_ctr_drbg_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " CTR_DRBG (PR = FALSE): " ); + mbedtls_ctr_drbg_init( &ctx ); + test_offset = 0; CHK( mbedtls_ctr_drbg_seed_entropy_len( &ctx, ctr_drbg_self_test_entropy, (void *) entropy_source_nopr, nonce_pers_nopr, 16, 32 ) ); @@ -554,6 +580,8 @@ int mbedtls_ctr_drbg_self_test( int verbose ) CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) ); CHK( memcmp( buf, result_nopr, 16 ) ); + mbedtls_ctr_drbg_free( &ctx ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c index 710eb8420..02fcc7d00 100644 --- a/library/hmac_drbg.c +++ b/library/hmac_drbg.c @@ -62,6 +62,10 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx ) { memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) ); + +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_init( &ctx->mutex ); +#endif } /* @@ -313,7 +317,22 @@ int mbedtls_hmac_drbg_random_with_add( void *p_rng, */ int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len ) { - return( mbedtls_hmac_drbg_random_with_add( p_rng, output, out_len, NULL, 0 ) ); + int ret; + mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng; + +#if defined(MBEDTLS_THREADING_C) + if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) + return( ret ); +#endif + + ret = mbedtls_hmac_drbg_random_with_add( ctx, output, out_len, NULL, 0 ); + +#if defined(MBEDTLS_THREADING_C) + if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) + return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); +#endif + + return( ret ); } /* @@ -324,8 +343,10 @@ void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx ) if( ctx == NULL ) return; +#if defined(MBEDTLS_THREADING_C) + mbedtls_mutex_free( &ctx->mutex ); +#endif mbedtls_md_free( &ctx->md_ctx ); - mbedtls_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) ); } @@ -481,6 +502,8 @@ int mbedtls_hmac_drbg_self_test( int verbose ) CHK( memcmp( buf, result_pr, OUTPUT_LEN ) ); mbedtls_hmac_drbg_free( &ctx ); + mbedtls_hmac_drbg_free( &ctx ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -490,6 +513,8 @@ int mbedtls_hmac_drbg_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " HMAC_DRBG (PR = False) : " ); + mbedtls_hmac_drbg_init( &ctx ); + test_offset = 0; CHK( mbedtls_hmac_drbg_seed( &ctx, md_info, hmac_drbg_self_test_entropy, (void *) entropy_nopr, @@ -500,6 +525,8 @@ int mbedtls_hmac_drbg_self_test( int verbose ) CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) ); mbedtls_hmac_drbg_free( &ctx ); + mbedtls_hmac_drbg_free( &ctx ); + if( verbose != 0 ) mbedtls_printf( "passed\n" ); From 4b6829662648e441b9fbfa04337617bc5b87c755 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 7 May 2015 15:59:54 +0100 Subject: [PATCH 28/45] Use a specific function in the PSK callback --- include/mbedtls/ssl.h | 41 ++++++++++++++++++++---- library/ssl_tls.c | 65 +++++++++++++++++++++++++++++++------- programs/ssl/ssl_server2.c | 3 +- 3 files changed, 89 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index a72914fb3..e098bc9b5 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -672,6 +672,10 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + unsigned char *psk; /*!< PSK from the callback */ + size_t psk_len; /*!< Length of PSK from callback */ +#endif #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * Current key/cert or key/cert list. @@ -1581,8 +1585,10 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_ce #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) /** - * \brief Set the Pre Shared Key (PSK) and the identity name connected - * to it. + * \brief Set the Pre Shared Key (PSK) and the expected identity name + * + * \note This is mainly useful for clients. Servers will usually + * want to use \c mbedtls_ssl_set_psk_cb() instead. * * \param ssl SSL context * \param psk pointer to the pre-shared key @@ -1592,11 +1598,28 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_ce * * \return 0 if successful or MBEDTLS_ERR_SSL_MALLOC_FAILED */ -int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, size_t psk_len, - const unsigned char *psk_identity, size_t psk_identity_len ); +int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, + const unsigned char *psk, size_t psk_len, + const unsigned char *psk_identity, size_t psk_identity_len ); + /** - * \brief Set the PSK callback (server-side only) (Optional). + * \brief Set the Pre Shared Key (PSK) for the current handshake + * + * \note This should only be called inside the PSK callback, + * ie the function passed to \c mbedtls_ssl_set_psk_cb(). + * + * \param ssl SSL context + * \param psk pointer to the pre-shared key + * \param psk_len pre-shared key length + * + * \return 0 if successful or MBEDTLS_ERR_SSL_MALLOC_FAILED + */ +int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, + const unsigned char *psk, size_t psk_len ); + +/** + * \brief Set the PSK callback (server-side only). * * If set, the PSK callback is called for each * handshake where a PSK ciphersuite was negotiated. @@ -1607,10 +1630,14 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, siz * mbedtls_ssl_context *ssl, const unsigned char *psk_identity, * size_t identity_len) * If a valid PSK identity is found, the callback should use - * mbedtls_ssl_set_psk() on the ssl context to set the correct PSK and - * identity and return 0. + * \c mbedtls_ssl_set_hs_psk() on the ssl context to set the + * correct PSK and return 0. * Any other return value will result in a denied PSK identity. * + * \note If you set a PSK callback using this function, then you + * don't need to set a PSK key and identity using + * \c mbedtls_ssl_set_psk(). + * * \param conf SSL configuration * \param f_psk PSK identity function * \param p_psk PSK identity parameter diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c599761b0..d3ec5dcf5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1066,6 +1066,15 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch { unsigned char *p = ssl->handshake->premaster; unsigned char *end = p + sizeof( ssl->handshake->premaster ); + const unsigned char *psk = ssl->conf->psk; + size_t psk_len = ssl->conf->psk_len; + + /* If the psk callback was called, use its result */ + if( ssl->handshake->psk != NULL ) + { + psk = ssl->handshake->psk; + psk_len = ssl->handshake->psk_len; + } /* * PMS = struct { @@ -1077,12 +1086,12 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) { - if( end - p < 2 + (int) ssl->conf->psk_len ) + if( end - p < 2 + (int) psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - *(p++) = (unsigned char)( ssl->conf->psk_len >> 8 ); - *(p++) = (unsigned char)( ssl->conf->psk_len ); - p += ssl->conf->psk_len; + *(p++) = (unsigned char)( psk_len >> 8 ); + *(p++) = (unsigned char)( psk_len ); + p += psk_len; } else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ @@ -1149,13 +1158,13 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } /* opaque psk<0..2^16-1>; */ - if( end - p < 2 + (int) ssl->conf->psk_len ) + if( end - p < 2 + (int) psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - *(p++) = (unsigned char)( ssl->conf->psk_len >> 8 ); - *(p++) = (unsigned char)( ssl->conf->psk_len ); - memcpy( p, ssl->conf->psk, ssl->conf->psk_len ); - p += ssl->conf->psk_len; + *(p++) = (unsigned char)( psk_len >> 8 ); + *(p++) = (unsigned char)( psk_len ); + memcpy( p, psk, psk_len ); + p += psk_len; ssl->handshake->pmslen = p - ssl->handshake->premaster; @@ -5353,8 +5362,9 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_ce #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) -int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, size_t psk_len, - const unsigned char *psk_identity, size_t psk_identity_len ) +int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, + const unsigned char *psk, size_t psk_len, + const unsigned char *psk_identity, size_t psk_identity_len ) { if( psk == NULL || psk_identity == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -5385,6 +5395,31 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, siz return( 0 ); } +int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, + const unsigned char *psk, size_t psk_len ) +{ + if( psk == NULL || ssl->handshake == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( psk_len > MBEDTLS_PSK_MAX_LEN ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( ssl->handshake->psk != NULL ) + mbedtls_free( ssl->conf->psk ); + + if( ( ssl->handshake->psk = mbedtls_malloc( psk_len ) ) == NULL ) + { + mbedtls_free( ssl->handshake->psk ); + ssl->handshake->psk = NULL; + return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); + } + + ssl->handshake->psk_len = psk_len; + memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); + + return( 0 ); +} + void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), @@ -6441,6 +6476,14 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) mbedtls_free( (void *) handshake->curves ); #endif +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + if( handshake->psk != NULL ) + { + mbedtls_zeroize( handshake->psk, handshake->psk_len ); + mbedtls_free( handshake->psk ); + } +#endif + #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /* diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e3e680ce5..12614c128 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -678,8 +678,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl, if( name_len == strlen( cur->name ) && memcmp( name, cur->name, name_len ) == 0 ) { - return( mbedtls_ssl_set_psk( ssl, cur->key, cur->key_len, - name, name_len ) ); + return( mbedtls_ssl_set_hs_psk( ssl, cur->key, cur->key_len ) ); } cur = cur->next; From 120fdbdb3d3c76fb97b5fbd9e032654860cee3a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 7 May 2015 17:07:50 +0100 Subject: [PATCH 29/45] Change ssl_set_psk() to act on ssl_config --- include/mbedtls/ssl.h | 4 ++-- library/ssl_tls.c | 24 ++++++++++++------------ programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e098bc9b5..86b061da4 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1590,7 +1590,7 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_ce * \note This is mainly useful for clients. Servers will usually * want to use \c mbedtls_ssl_set_psk_cb() instead. * - * \param ssl SSL context + * \param conf SSL configuration * \param psk pointer to the pre-shared key * \param psk_len pre-shared key length * \param psk_identity pointer to the pre-shared key identity @@ -1598,7 +1598,7 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_ce * * \return 0 if successful or MBEDTLS_ERR_SSL_MALLOC_FAILED */ -int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, +int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d3ec5dcf5..1d2593b78 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5362,7 +5362,7 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_ce #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) -int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, +int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len ) { @@ -5372,25 +5372,25 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( ssl->conf->psk != NULL || ssl->conf->psk_identity != NULL ) + if( conf->psk != NULL || conf->psk_identity != NULL ) { - mbedtls_free( ssl->conf->psk ); - mbedtls_free( ssl->conf->psk_identity ); + mbedtls_free( conf->psk ); + mbedtls_free( conf->psk_identity ); } - if( ( ssl->conf->psk = mbedtls_malloc( psk_len ) ) == NULL || - ( ssl->conf->psk_identity = mbedtls_malloc( psk_identity_len ) ) == NULL ) + if( ( conf->psk = mbedtls_malloc( psk_len ) ) == NULL || + ( conf->psk_identity = mbedtls_malloc( psk_identity_len ) ) == NULL ) { - mbedtls_free( ssl->conf->psk ); - ssl->conf->psk = NULL; + mbedtls_free( conf->psk ); + conf->psk = NULL; return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); } - ssl->conf->psk_len = psk_len; - ssl->conf->psk_identity_len = psk_identity_len; + conf->psk_len = psk_len; + conf->psk_identity_len = psk_identity_len; - memcpy( ssl->conf->psk, psk, ssl->conf->psk_len ); - memcpy( ssl->conf->psk_identity, psk_identity, ssl->conf->psk_identity_len ); + memcpy( conf->psk, psk, conf->psk_len ); + memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len ); return( 0 ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 0181a2fe5..494fa72cd 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1173,7 +1173,7 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ( ret = mbedtls_ssl_set_psk( &ssl, psk, psk_len, + if( ( ret = mbedtls_ssl_set_psk( &conf, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ) ) != 0 ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 12614c128..f4c206ece 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1705,7 +1705,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 ) { - ret = mbedtls_ssl_set_psk( &ssl, psk, psk_len, + ret = mbedtls_ssl_set_psk( &conf, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ); if( ret != 0 ) From 8f618a8e657700cca3e5721c34fdf37ecd434b8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 10 May 2015 21:13:36 +0200 Subject: [PATCH 30/45] Rework ssl_set_own_cert() internals --- include/mbedtls/ssl.h | 35 +++++++++++++++---------- library/ssl_srv.c | 4 +-- library/ssl_tls.c | 61 ++++++++++++++++++------------------------- 3 files changed, 49 insertions(+), 51 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 86b061da4..695b23328 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -677,15 +677,9 @@ struct mbedtls_ssl_handshake_params size_t psk_len; /*!< Length of PSK from callback */ #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) - /** - * Current key/cert or key/cert list. - * On client: pointer to ssl->key_cert, only the first entry used. - * On server: starts as a pointer to ssl->key_cert, then becomes - * a pointer to the chosen key from this list or the SNI list. - */ - mbedtls_ssl_key_cert *key_cert; + mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ + mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ #endif #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -1579,8 +1573,9 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, * * \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED */ -int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, - mbedtls_pk_context *pk_key ); +int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -2355,14 +2350,26 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp #if defined(MBEDTLS_X509_CRT_PARSE_C) static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl ) { - return( ssl->handshake->key_cert == NULL ? NULL - : ssl->handshake->key_cert->key ); + mbedtls_ssl_key_cert *key_cert; + + if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL ) + key_cert = ssl->handshake->key_cert; + else + key_cert = ssl->conf->key_cert; + + return( key_cert == NULL ? NULL : key_cert->key ); } static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl ) { - return( ssl->handshake->key_cert == NULL ? NULL - : ssl->handshake->key_cert->cert ); + mbedtls_ssl_key_cert *key_cert; + + if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL ) + key_cert = ssl->handshake->key_cert; + else + key_cert = ssl->conf->key_cert; + + return( key_cert == NULL ? NULL : key_cert->cert ); } /* diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 8ca3e58f8..0ff3c18ca 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -875,7 +875,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, list = ssl->handshake->sni_key_cert; else #endif - list = ssl->handshake->key_cert; + list = ssl->conf->key_cert; if( pk_alg == MBEDTLS_PK_NONE ) return( 0 ); @@ -943,7 +943,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, cur = fallback; - /* Do not update ssl->handshake->key_cert unless the is a match */ + /* Do not update ssl->handshake->key_cert unless there is a match */ if( cur != NULL ) { ssl->handshake->key_cert = cur; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1d2593b78..1a75deffe 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4901,10 +4901,6 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl_transform_init( ssl->transform_negotiate ); ssl_handshake_params_init( ssl->handshake ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl->handshake->key_cert = ssl->conf->key_cert; -#endif - /* * We may not know yet if we're using DTLS, * so always initiliase DTLS-specific fields. @@ -5309,33 +5305,42 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, } #if defined(MBEDTLS_X509_CRT_PARSE_C) -/* Add a new (empty) key_cert entry an return a pointer to it */ -static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) +/* Append a new keycert entry to a (possibly empty) list */ +static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, + mbedtls_x509_crt *cert, + mbedtls_pk_context *key ) { - mbedtls_ssl_key_cert *key_cert, *last; + mbedtls_ssl_key_cert *new; - key_cert = mbedtls_malloc( sizeof(mbedtls_ssl_key_cert) ); - if( key_cert == NULL ) - return( NULL ); + new = mbedtls_malloc( sizeof( mbedtls_ssl_key_cert ) ); + if( new == NULL ) + return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); - memset( key_cert, 0, sizeof( mbedtls_ssl_key_cert ) ); + new->cert = cert; + new->key = key; + new->next = NULL; - /* Append the new key_cert to the (possibly empty) current list */ - if( ssl->conf->key_cert == NULL ) + /* Update head is the list was null, else add to the end */ + if( *head == NULL ) { - ssl->conf->key_cert = key_cert; - if( ssl->handshake != NULL ) - ssl->handshake->key_cert = key_cert; + *head = new; } else { - last = ssl->conf->key_cert; - while( last->next != NULL ) - last = last->next; - last->next = key_cert; + mbedtls_ssl_key_cert *cur = *head; + while( cur->next != NULL ) + cur = cur->next; + cur->next = new; } - return( key_cert ); + return( 0 ); +} + +int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key ) +{ + return( ssl_append_key_cert( &ssl->conf->key_cert, own_cert, pk_key ) ); } void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, @@ -5345,20 +5350,6 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, conf->ca_chain = ca_chain; conf->ca_crl = ca_crl; } - -int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, - mbedtls_pk_context *pk_key ) -{ - mbedtls_ssl_key_cert *key_cert = ssl_add_key_cert( ssl ); - - if( key_cert == NULL ) - return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); - - key_cert->cert = own_cert; - key_cert->key = pk_key; - - return( 0 ); -} #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) From 1af6c8500b75f65c65200ba67184a738282696da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 10 May 2015 23:10:37 +0200 Subject: [PATCH 31/45] Add ssl_set_hs_own_cert() --- include/mbedtls/ssl.h | 20 ++++++++++++++++++-- library/ssl_srv.c | 22 ++-------------------- library/ssl_tls.c | 10 ++++++++++ programs/ssl/ssl_server2.c | 2 +- 4 files changed, 31 insertions(+), 23 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 695b23328..069c60e38 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1706,6 +1706,22 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +/** + * \brief Set own certificate and key for the current handshake + * + * \note Same as \c mbedtls_ssl_set_own_cert() but for use within + * the SNI callback. + * + * \param ssl SSL context + * \param own_cert own public certificate chain + * \param pk_key own private key + * + * \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED + */ +int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key ); + /** * \brief Set server side ServerName TLS extension callback * (optional, server-side only). @@ -1716,8 +1732,8 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); * following parameters: (void *parameter, mbedtls_ssl_context *ssl, * const unsigned char *hostname, size_t len). If a suitable * certificate is found, the callback should set the - * certificate and key to use with mbedtls_ssl_set_own_cert() (and - * possibly adjust the CA chain as well) and return 0. The + * certificate and key to use with mbedtls_ssl_set_hs_own_cert() (and + * possibly adjust the CA chain as well TODO: broken) and return 0. The * callback should return -1 to abort the handshake at this * point. * diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 0ff3c18ca..ea015ae70 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -389,25 +389,6 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -/* - * Wrapper around f_sni, allowing use of mbedtls_ssl_set_own_cert() but - * making it act on ssl->handshake->sni_key_cert instead. - */ -static int ssl_sni_wrapper( mbedtls_ssl_context *ssl, - const unsigned char* name, size_t len ) -{ - int ret; - mbedtls_ssl_key_cert *key_cert_ori = ssl->conf->key_cert; - - ssl->conf->key_cert = NULL; - ret = ssl->conf->f_sni( ssl->conf->p_sni, ssl, name, len ); - ssl->handshake->sni_key_cert = ssl->conf->key_cert; - - ssl->conf->key_cert = key_cert_ori; - - return( ret ); -} - static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) @@ -437,7 +418,8 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl, if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) { - ret = ssl_sni_wrapper( ssl, p + 3, hostname_len ); + ret = ssl->conf->f_sni( ssl->conf->p_sni, + ssl, p + 3, hostname_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1a75deffe..6f6e74e29 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5352,6 +5352,16 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key ) +{ + return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, + own_cert, pk_key ) ); +} +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ + #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index f4c206ece..8cc3ac177 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -547,7 +547,7 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl, if( name_len == strlen( cur->name ) && memcmp( name, cur->name, name_len ) == 0 ) { - return( mbedtls_ssl_set_own_cert( ssl, cur->cert, cur->key ) ); + return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) ); } cur = cur->next; From 17a40cd255aad24743840561af30bdfc7a34f31c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 10 May 2015 23:17:17 +0200 Subject: [PATCH 32/45] Change ssl_own_cert to work on ssl_config --- include/mbedtls/ssl.h | 4 ++-- library/ssl_tls.c | 4 ++-- programs/ssl/dtls_server.c | 2 +- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_fork_server.c | 2 +- programs/ssl/ssl_mail_client.c | 2 +- programs/ssl/ssl_pthread_server.c | 2 +- programs/ssl/ssl_server.c | 2 +- programs/ssl/ssl_server2.c | 4 ++-- programs/x509/cert_app.c | 2 +- 10 files changed, 13 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 069c60e38..2df68fdbd 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1567,13 +1567,13 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, * using ECDSA). However, on client, currently only the first * certificate is used (subsequent calls have no effect). * - * \param ssl SSL context + * \param conf SSL configuration * \param own_cert own public certificate chain * \param pk_key own private key * * \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED */ -int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, +int mbedtls_ssl_set_own_cert( mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6f6e74e29..4406c1aaf 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5336,11 +5336,11 @@ static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, return( 0 ); } -int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, +int mbedtls_ssl_set_own_cert( mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key ) { - return( ssl_append_key_cert( &ssl->conf->key_cert, own_cert, pk_key ) ); + return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) ); } void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index e19ab80a1..5d1134ce0 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -216,7 +216,7 @@ int main( void ) #endif mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 494fa72cd..0f03a81b6 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1159,7 +1159,7 @@ int main( int argc, char *argv[] ) if( strcmp( opt.crt_file, "none" ) != 0 && strcmp( opt.key_file, "none" ) != 0 ) { - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 6051181f5..2d03c8ba5 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -270,7 +270,7 @@ int main( void ) mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 36bb92768..f4f6b3b56 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -617,7 +617,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 3c69fbfbe..7b7138af1 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -189,7 +189,7 @@ static void *handle_ssl_connection( void *data ) #endif mbedtls_ssl_set_ca_chain( &conf, thread_info->ca_chain, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, thread_info->server_cert, thread_info->server_key ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto thread_exit; diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index a8025b37b..c1ad8baed 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -215,7 +215,7 @@ int main( void ) #endif mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 8cc3ac177..0b690b055 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1684,13 +1684,13 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); } if( key_cert_init ) - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; } if( key_cert_init2 ) - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert2, &pkey2 ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto exit; diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 1e5ef377d..fb8128784 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -423,7 +423,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); goto ssl_exit; From 1897af9e9318ee674f37fac065b262e1c7565171 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 10 May 2015 23:27:38 +0200 Subject: [PATCH 33/45] Make conf const inside ssl_context (finally) --- include/mbedtls/ssl.h | 4 ++-- library/ssl_cli.c | 7 ++++--- library/ssl_tls.c | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2df68fdbd..6480e78c9 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -945,7 +945,7 @@ mbedtls_ssl_config; struct mbedtls_ssl_context { - mbedtls_ssl_config *conf; /*!< configuration information */ + const mbedtls_ssl_config *conf; /*!< configuration information */ /* * Miscellaneous @@ -1157,7 +1157,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ); * memory allocation failed */ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, - mbedtls_ssl_config *conf ); + const mbedtls_ssl_config *conf ); /** * \brief Reset an already initialized SSL context for re-use diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0b9de03f3..c16b6e786 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -572,10 +572,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->minor_ver = ssl->conf->min_minor_ver; } - if( ssl->conf->max_major_ver == 0 && ssl->conf->max_minor_ver == 0 ) + if( ssl->conf->max_major_ver == 0 ) { - ssl->conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; - ssl->conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, " + "consider using mbedtls_ssl_config_defaults()" ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4406c1aaf..5fb2b6221 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4959,7 +4959,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) * Setup an SSL context */ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, - mbedtls_ssl_config *conf ) + const mbedtls_ssl_config *conf ) { int ret; const size_t len = MBEDTLS_SSL_BUFFER_LEN; From 22bfa4bb53267a1a66d254791dd5487185636903 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 08:46:37 +0200 Subject: [PATCH 34/45] Add ssl_set_hs_ca_chain() --- include/mbedtls/ssl.h | 39 +++++++++++++++++++++++++++++++-------- library/ssl_srv.c | 4 +++- library/ssl_tls.c | 26 ++++++++++++++++++++++++-- 3 files changed, 58 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6480e78c9..da47f12ef 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -680,6 +680,8 @@ struct mbedtls_ssl_handshake_params mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ + mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ + mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ #endif #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -1562,10 +1564,15 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, * certificate chain. The top certificate (self-signed) * can be omitted. * - * \note This function may be called more than once if you want to - * support multiple certificates (eg, one using RSA and one - * using ECDSA). However, on client, currently only the first - * certificate is used (subsequent calls have no effect). + * \note On server, this function can be called multiple times to + * provision more than one cert/key pair (eg one ECDSA, one + * RSA with SHA-256, one RSA with SHA-1). An adequate + * certificate will be selected according to the client's + * advertised capabilities. In case mutliple certificates are + * adequate, preference is given to the one set by the first + * call to this function, then second, etc. + * + * \note On client, only the first call has any effect. * * \param conf SSL configuration * \param own_cert own public certificate chain @@ -1722,6 +1729,21 @@ int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key ); +/** + * \brief Set the data required to verify peer certificate for the + * current handshake + * + * \note Same as \c mbedtls_ssl_set_ca_chain() but for use within + * the SNI callback. + * + * \param ssl SSL context + * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs) + * \param ca_crl trusted CA CRLs + */ +void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl ); + /** * \brief Set server side ServerName TLS extension callback * (optional, server-side only). @@ -1732,10 +1754,11 @@ int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, * following parameters: (void *parameter, mbedtls_ssl_context *ssl, * const unsigned char *hostname, size_t len). If a suitable * certificate is found, the callback should set the - * certificate and key to use with mbedtls_ssl_set_hs_own_cert() (and - * possibly adjust the CA chain as well TODO: broken) and return 0. The - * callback should return -1 to abort the handshake at this - * point. + * certificate(s) and key(s) to use with \c + * mbedtls_ssl_set_hs_own_cert() (can be called repeatedly), + * and optionally adjust the CA with \c + * mbedtls_ssl_set_hs_ca_chain() and return 0. The callback + * should return -1 to abort the handshake at this point. * * \param conf SSL configuration * \param f_sni verification function diff --git a/library/ssl_srv.c b/library/ssl_srv.c index ea015ae70..e83466ec6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2725,7 +2725,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) * opaque DistinguishedName<1..2^16-1>; */ p += 2; - crt = ssl->conf->ca_chain; + crt = ssl->handshake->sni_ca_chain != NULL ? + ssl->handshake->sni_ca_chain : + ssl->conf->ca_chain; total_dn_size = 0; while( crt != NULL && crt->version != 0 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5fb2b6221..6618ebe54 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4029,7 +4029,21 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) { - if( ssl->conf->ca_chain == NULL ) + mbedtls_x509_crt *ca_chain; + mbedtls_x509_crl *ca_crl; + + if( ssl->handshake->sni_ca_chain != NULL ) + { + ca_chain = ssl->handshake->sni_ca_chain; + ca_crl = ssl->handshake->sni_ca_crl; + } + else + { + ca_chain = ssl->conf->ca_chain; + ca_crl = ssl->conf->ca_crl; + } + + if( ca_chain == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED ); @@ -4039,7 +4053,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * Main check: verify certificate */ ret = mbedtls_x509_crt_verify( ssl->session_negotiate->peer_cert, - ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->hostname, + ca_chain, ca_crl, ssl->hostname, &ssl->session_negotiate->verify_result, ssl->conf->f_vrfy, ssl->conf->p_vrfy ); @@ -5360,6 +5374,14 @@ int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, return( ssl_append_key_cert( &ssl->handshake->sni_key_cert, own_cert, pk_key ) ); } + +void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl ) +{ + ssl->handshake->sni_ca_chain = ca_chain; + ssl->handshake->sni_ca_crl = ca_crl; +} #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) From 6729e79482985b0d85b9fcd024d8d89a3c59e74e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 09:50:24 +0200 Subject: [PATCH 35/45] Rename ssl_set_xxx() to ssl_conf_xxx() --- include/mbedtls/compat-1.3.h | 74 ++++++++++---------- include/mbedtls/config.h | 10 +-- include/mbedtls/ssl.h | 94 +++++++++++++------------- library/ssl_srv.c | 2 +- library/ssl_tls.c | 78 ++++++++++----------- programs/ssl/dtls_client.c | 8 +-- programs/ssl/dtls_server.c | 16 ++--- programs/ssl/mini_client.c | 8 +-- programs/ssl/ssl_client1.c | 8 +-- programs/ssl/ssl_client2.c | 58 ++++++++-------- programs/ssl/ssl_fork_server.c | 10 +-- programs/ssl/ssl_mail_client.c | 14 ++-- programs/ssl/ssl_pthread_server.c | 12 ++-- programs/ssl/ssl_server.c | 12 ++-- programs/ssl/ssl_server2.c | 88 ++++++++++++------------ programs/x509/cert_app.c | 16 ++--- scripts/data_files/rename-1.3-2.0.txt | 74 ++++++++++---------- tests/suites/test_suite_debug.function | 10 +-- 18 files changed, 296 insertions(+), 296 deletions(-) diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h index 26439c77f..dd03b7129 100644 --- a/include/mbedtls/compat-1.3.h +++ b/include/mbedtls/compat-1.3.h @@ -2443,7 +2443,7 @@ #define ssl_hw_record_write mbedtls_ssl_hw_record_write #define ssl_init mbedtls_ssl_init #define ssl_key_cert mbedtls_ssl_key_cert -#define ssl_legacy_renegotiation mbedtls_set_ssl_legacy_renegotiation +#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation #define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites #define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash #define ssl_optimize_checksum mbedtls_ssl_optimize_checksum @@ -2471,49 +2471,49 @@ #define ssl_session_free mbedtls_ssl_session_free #define ssl_session_init mbedtls_ssl_session_init #define ssl_session_reset mbedtls_ssl_session_reset -#define ssl_set_alpn_protocols mbedtls_ssl_set_alpn_protocols -#define ssl_set_arc4_support mbedtls_ssl_set_arc4_support -#define ssl_set_authmode mbedtls_ssl_set_authmode +#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols +#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support +#define ssl_set_authmode mbedtls_ssl_conf_authmode #define ssl_set_bio mbedtls_ssl_set_bio #define ssl_set_bio mbedtls_ssl_set_bio_timeout -#define ssl_set_ca_chain mbedtls_ssl_set_ca_chain -#define ssl_set_cbc_record_splitting mbedtls_ssl_set_cbc_record_splitting -#define ssl_set_ciphersuites mbedtls_ssl_set_ciphersuites -#define ssl_set_ciphersuites_for_version mbedtls_ssl_set_ciphersuites_for_version +#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain +#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting +#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites +#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version #define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id -#define ssl_set_curves mbedtls_ssl_set_curves -#define ssl_set_dbg mbedtls_ssl_set_dbg -#define ssl_set_dh_param mbedtls_ssl_set_dh_param -#define ssl_set_dh_param_ctx mbedtls_ssl_set_dh_param_ctx -#define ssl_set_dtls_anti_replay mbedtls_ssl_set_dtls_anti_replay -#define ssl_set_dtls_badmac_limit mbedtls_ssl_set_dtls_badmac_limit -#define ssl_set_dtls_cookies mbedtls_ssl_set_dtls_cookies -#define ssl_set_encrypt_then_mac mbedtls_ssl_set_encrypt_then_mac -#define ssl_set_endpoint mbedtls_ssl_set_endpoint -#define ssl_set_extended_master_secret mbedtls_ssl_set_extended_master_secret -#define ssl_set_fallback mbedtls_ssl_set_fallback -#define ssl_set_handshake_timeout mbedtls_ssl_set_handshake_timeout +#define ssl_set_curves mbedtls_ssl_conf_curves +#define ssl_set_dbg mbedtls_ssl_conf_dbg +#define ssl_set_dh_param mbedtls_ssl_conf_dh_param +#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx +#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay +#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit +#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies +#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac +#define ssl_set_endpoint mbedtls_ssl_conf_endpoint +#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret +#define ssl_set_fallback mbedtls_ssl_conf_fallback +#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout #define ssl_set_hostname mbedtls_ssl_set_hostname -#define ssl_set_max_frag_len mbedtls_ssl_set_max_frag_len -#define ssl_set_max_version mbedtls_ssl_set_max_version -#define ssl_set_min_version mbedtls_ssl_set_min_version -#define ssl_set_own_cert mbedtls_ssl_set_own_cert +#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len +#define ssl_set_max_version mbedtls_ssl_conf_max_version +#define ssl_set_min_version mbedtls_ssl_conf_min_version +#define ssl_set_own_cert mbedtls_ssl_conf_own_cert #define ssl_set_own_cert_alt mbedtls_ssl_set_own_cert_alt #define ssl_set_own_cert_rsa mbedtls_ssl_set_own_cert_rsa -#define ssl_set_psk mbedtls_ssl_set_psk -#define ssl_set_psk_cb mbedtls_ssl_set_psk_cb -#define ssl_set_renegotiation mbedtls_ssl_set_renegotiation -#define ssl_set_renegotiation_enforced mbedtls_ssl_set_renegotiation_enforced -#define ssl_set_renegotiation_period mbedtls_ssl_set_renegotiation_period -#define ssl_set_rng mbedtls_ssl_set_rng +#define ssl_set_psk mbedtls_ssl_conf_psk +#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb +#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation +#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced +#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period +#define ssl_set_rng mbedtls_ssl_conf_rng #define ssl_set_session mbedtls_ssl_set_session -#define ssl_set_session_cache mbedtls_ssl_set_session_cache -#define ssl_set_session_ticket_lifetime mbedtls_ssl_set_session_ticket_lifetime -#define ssl_set_session_tickets mbedtls_ssl_set_session_tickets -#define ssl_set_sni mbedtls_ssl_set_sni -#define ssl_set_transport mbedtls_ssl_set_transport -#define ssl_set_truncated_hmac mbedtls_ssl_set_truncated_hmac -#define ssl_set_verify mbedtls_ssl_set_verify +#define ssl_set_session_cache mbedtls_ssl_conf_session_cache +#define ssl_set_session_ticket_lifetime mbedtls_ssl_conf_session_ticket_lifetime +#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets +#define ssl_set_sni mbedtls_ssl_conf_sni +#define ssl_set_transport mbedtls_ssl_conf_transport +#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac +#define ssl_set_verify mbedtls_ssl_conf_verify #define ssl_sig_from_pk mbedtls_ssl_sig_from_pk #define ssl_states mbedtls_ssl_states #define ssl_ticket_keys mbedtls_ssl_ticket_keys diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 46cc7aeb6..0c72da9ba 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -361,7 +361,7 @@ * Remove RC4 ciphersuites by default in SSL / TLS. * This flag removes the ciphersuites based on RC4 from the default list as * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to - * enable (some of) them with mbedtls_ssl_set_ciphersuites() by including them + * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them * explicitly. * * Uncomment this macro to remove RC4 ciphersuites by default. @@ -1064,7 +1064,7 @@ * MBEDTLS_SSL_PROTO_DTLS * * \warning Disabling this is often a security risk! - * See mbedtls_ssl_set_dtls_anti_replay() for details. + * See mbedtls_ssl_conf_dtls_anti_replay() for details. * * Comment this to disable anti-replay in DTLS. */ @@ -1094,7 +1094,7 @@ * * Enable support for a limit of records with bad MAC. * - * See mbedtls_ssl_set_dtls_badmac_limit(). + * See mbedtls_ssl_conf_dtls_badmac_limit(). * * Requires: MBEDTLS_SSL_PROTO_DTLS */ @@ -1136,14 +1136,14 @@ /** * \def MBEDTLS_SSL_SET_CURVES * - * Enable mbedtls_ssl_set_curves(). + * Enable mbedtls_ssl_conf_curves(). * * This is disabled by default since it breaks binary compatibility with the * 1.3.x line. If you choose to enable it, you will need to rebuild your * application against the new header files, relinking will not be enough. * It will be enabled by default, or no longer an option, in the 1.4 branch. * - * Uncomment to make mbedtls_ssl_set_curves() available. + * Uncomment to make mbedtls_ssl_conf_curves() available. */ //#define MBEDTLS_SSL_SET_CURVES diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index da47f12ef..742e9e440 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -789,7 +789,7 @@ struct mbedtls_ssl_flight_item #endif /* MBEDTLS_SSL_PROTO_DTLS */ /** - * SSL/TLS configuration to be shared between ssl_context structures. + * SSL/TLS configuration to be shared between mbedtls_ssl_context structures. */ typedef struct { @@ -1179,7 +1179,7 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ); * \param conf SSL configuration * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER */ -void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ); +void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ); /** * \brief Set the transport type (TLS or DTLS). @@ -1193,9 +1193,9 @@ void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ); * * \note For DTLS, you must either provide a recv callback that * doesn't block, or one that handles timeouts, see - * mbedtls_ssl_set_bio() + * mbedtls_ssl_conf_bio() */ -int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ); +int mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); /** * \brief Set the certificate verification mode @@ -1222,7 +1222,7 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ); * the verification as soon as possible. For example, REQUIRED was protecting * against the "triple handshake" attack even before it was found. */ -void mbedtls_ssl_set_authmode( mbedtls_ssl_config *conf, int authmode ); +void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); #if defined(MBEDTLS_X509_CRT_PARSE_C) /** @@ -1236,7 +1236,7 @@ void mbedtls_ssl_set_authmode( mbedtls_ssl_config *conf, int authmode ); * \param f_vrfy verification function * \param p_vrfy verification parameter */ -void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), void *p_vrfy ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1248,7 +1248,7 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, * \param f_rng RNG function * \param p_rng RNG parameter */ -void mbedtls_ssl_set_rng( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); @@ -1259,7 +1259,7 @@ void mbedtls_ssl_set_rng( mbedtls_ssl_config *conf, * \param f_dbg debug function * \param p_dbg debug parameter */ -void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, void (*f_dbg)(void *, int, const char *), void *p_dbg ); @@ -1296,7 +1296,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, * \note With blocking I/O, this will only work if a non-NULL * \c f_recv_timeout was set with \c mbedtls_ssl_set_bio(). */ -void mbedtls_ssl_set_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); +void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) /** @@ -1376,7 +1376,7 @@ typedef int mbedtls_ssl_cookie_check_t( void *ctx, * \param f_cookie_check Cookie check callback * \param p_cookie Context for both callbacks */ -void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, mbedtls_ssl_cookie_write_t *f_cookie_write, mbedtls_ssl_cookie_check_t *f_cookie_check, void *p_cookie ); @@ -1398,7 +1398,7 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, * packets and needs information about them to adjust its * transmission strategy, then you'll want to disable this. */ -void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); +void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) @@ -1425,7 +1425,7 @@ void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); * might make us waste resources checking authentication on * many bogus packets. */ -void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ); +void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ); #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -1445,7 +1445,7 @@ void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit * handshake latency. Lower values may increase the risk of * network congestion by causing more retransmissions. */ -void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); +void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_SRV_C) @@ -1486,7 +1486,7 @@ void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, * \param f_get_cache session get callback * \param f_set_cache session set callback */ -void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), int (*f_set_cache)(void *, const mbedtls_ssl_session *) ); @@ -1522,7 +1522,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session * \param conf SSL configuration * \param ciphersuites 0-terminated list of allowed ciphersuites */ -void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ); /** @@ -1541,7 +1541,7 @@ void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf, * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 * and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor ); @@ -1553,7 +1553,7 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs) * \param ca_crl trusted CA CRLs */ -void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl ); @@ -1580,7 +1580,7 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, * * \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED */ -int mbedtls_ssl_set_own_cert( mbedtls_ssl_config *conf, +int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1590,7 +1590,7 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_config *conf, * \brief Set the Pre Shared Key (PSK) and the expected identity name * * \note This is mainly useful for clients. Servers will usually - * want to use \c mbedtls_ssl_set_psk_cb() instead. + * want to use \c mbedtls_ssl_conf_psk_cb() instead. * * \param conf SSL configuration * \param psk pointer to the pre-shared key @@ -1600,7 +1600,7 @@ int mbedtls_ssl_set_own_cert( mbedtls_ssl_config *conf, * * \return 0 if successful or MBEDTLS_ERR_SSL_MALLOC_FAILED */ -int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, +int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len ); @@ -1609,7 +1609,7 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, * \brief Set the Pre Shared Key (PSK) for the current handshake * * \note This should only be called inside the PSK callback, - * ie the function passed to \c mbedtls_ssl_set_psk_cb(). + * ie the function passed to \c mbedtls_ssl_conf_psk_cb(). * * \param ssl SSL context * \param psk pointer to the pre-shared key @@ -1638,13 +1638,13 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, * * \note If you set a PSK callback using this function, then you * don't need to set a PSK key and identity using - * \c mbedtls_ssl_set_psk(). + * \c mbedtls_ssl_conf_psk(). * * \param conf SSL configuration * \param f_psk PSK identity function * \param p_psk PSK identity parameter */ -void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_psk ); @@ -1662,7 +1662,7 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, * * \return 0 if successful */ -int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ); +int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ); /** * \brief Set the Diffie-Hellman public P and G values, @@ -1673,7 +1673,7 @@ int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const * * \return 0 if successful */ -int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ); +int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ); #endif /* MBEDTLS_DHM_C */ #if defined(MBEDTLS_SSL_SET_CURVES) @@ -1695,7 +1695,7 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context * \param curves Ordered list of allowed curves, * terminated by MBEDTLS_ECP_DP_NONE. */ -void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); +void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_SSL_SET_CURVES */ #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -1716,7 +1716,7 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); /** * \brief Set own certificate and key for the current handshake * - * \note Same as \c mbedtls_ssl_set_own_cert() but for use within + * \note Same as \c mbedtls_ssl_conf_own_cert() but for use within * the SNI callback. * * \param ssl SSL context @@ -1733,7 +1733,7 @@ int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl, * \brief Set the data required to verify peer certificate for the * current handshake * - * \note Same as \c mbedtls_ssl_set_ca_chain() but for use within + * \note Same as \c mbedtls_ssl_conf_ca_chain() but for use within * the SNI callback. * * \param ssl SSL context @@ -1764,7 +1764,7 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, * \param f_sni verification function * \param p_sni verification parameter */ -void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_sni ); @@ -1780,7 +1780,7 @@ void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, * * \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA. */ -int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ); +int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ); /** * \brief Get the name of the negotiated Application Layer Protocol. @@ -1811,7 +1811,7 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ); * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor ); +int mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ); /** * \brief Set the minimum accepted SSL/TLS protocol version @@ -1832,7 +1832,7 @@ int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor ); +int mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ); #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) /** @@ -1854,7 +1854,7 @@ int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor * \param conf SSL configuration * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK */ -void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback ); +void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ); #endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) @@ -1869,7 +1869,7 @@ void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback ); * \param conf SSL configuration * \param etm MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED */ -void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ); +void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ); #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) @@ -1884,7 +1884,7 @@ void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ); * \param conf SSL configuration * \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED */ -void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_config *conf, char ems ); +void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ); #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ /** @@ -1900,7 +1900,7 @@ void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_config *conf, char ems * \param conf SSL configuration * \param arc4 MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED */ -void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ); +void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ); #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** @@ -1918,7 +1918,7 @@ void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ); * * \return O if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA */ -int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ); +int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ); #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) @@ -1932,7 +1932,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co * * \return Always 0. */ -int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); +int mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) @@ -1947,7 +1947,7 @@ int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); * \param split MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or * MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED */ -void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split ); +void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ); #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) @@ -1956,7 +1956,7 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split * (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED on client, * MBEDTLS_SSL_SESSION_TICKETS_DISABLED on server) * - * \note On server, mbedtls_ssl_set_rng() must be called before this function + * \note On server, mbedtls_ssl_conf_rng() must be called before this function * to allow generating the ticket encryption and * authentication keys. * @@ -1967,7 +1967,7 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split * \return O if successful, * or a specific error code (server only). */ -int mbedtls_ssl_set_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); +int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ); /** * \brief Set session ticket lifetime (server only) @@ -1976,7 +1976,7 @@ int mbedtls_ssl_set_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) * \param conf SSL configuration * \param lifetime session ticket lifetime */ -void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ); +void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ); #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_RENEGOTIATION) @@ -1993,7 +1993,7 @@ void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int life * \param renegotiation Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or * MBEDTLS_SSL_RENEGOTIATION_DISABLED) */ -void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation ); +void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ /** @@ -2023,7 +2023,7 @@ void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation * SSL_ALLOW_LEGACY_RENEGOTIATION or * MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) */ -void mbedtls_set_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ); +void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) /** @@ -2063,7 +2063,7 @@ void mbedtls_set_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_l * enforce renegotiation, or a non-negative value to enforce * it but allow for a grace period of max_records records. */ -void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ); +void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ); /** * \brief Set record counter threshold for periodic renegotiation. @@ -2082,7 +2082,7 @@ void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_config *conf, int max_r * \param period The threshold value: a big-endian 64-bit number. * Set to 2^64 - 1 to disable periodic renegotiation */ -void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, const unsigned char period[8] ); #endif /* MBEDTLS_SSL_RENEGOTIATION */ @@ -2295,7 +2295,7 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ); * * \param conf SSL configuration context * - * \note See \c mbedtls_ssl_set_transport() for notes on DTLS. + * \note See \c mbedtls_ssl_conf_transport() for notes on DTLS. * * \return 0 if successful, or * MBEDTLS_ERR_XXX_ALLOC_FAILED on memorr allocation error. diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e83466ec6..3e2b9017a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -377,7 +377,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, return( 0 ); } -void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf, mbedtls_ssl_cookie_write_t *f_cookie_write, mbedtls_ssl_cookie_check_t *f_cookie_check, void *p_cookie ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6618ebe54..b098e0dd3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1952,7 +1952,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) ssl->in_msglen ); mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, ssl->in_msg + ssl->in_msglen ); - /* Call md_process at least once due to cache attacks */ + /* Call mbedtls_md_process at least once due to cache attacks */ for( j = 0; j < extra_run + 1; j++ ) mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); @@ -5180,12 +5180,12 @@ static int ssl_ticket_keys_init( mbedtls_ssl_config *conf ) /* * SSL set accessors */ -void mbedtls_ssl_set_endpoint( mbedtls_ssl_config *conf, int endpoint ) +void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) { conf->endpoint = endpoint; } -int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ) +int mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) { conf->transport = transport; @@ -5193,34 +5193,34 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_config *conf, int transport ) } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) -void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) +void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) { conf->anti_replay = mode; } #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) -void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) +void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) { conf->badmac_limit = limit; } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) -void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) +void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max ) { conf->hs_timeout_min = min; conf->hs_timeout_max = max; } #endif -void mbedtls_ssl_set_authmode( mbedtls_ssl_config *conf, int authmode ) +void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) { conf->authmode = authmode; } #if defined(MBEDTLS_X509_CRT_PARSE_C) -void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), void *p_vrfy ) { @@ -5229,7 +5229,7 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_ssl_set_rng( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { @@ -5237,7 +5237,7 @@ void mbedtls_ssl_set_rng( mbedtls_ssl_config *conf, conf->p_rng = p_rng; } -void mbedtls_ssl_set_dbg( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, void (*f_dbg)(void *, int, const char *), void *p_dbg ) { @@ -5257,13 +5257,13 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl, ssl->f_recv_timeout = f_recv_timeout; } -void mbedtls_ssl_set_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) +void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ) { conf->read_timeout = timeout; } #if defined(MBEDTLS_SSL_SRV_C) -void mbedtls_ssl_set_session_cache( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void *p_cache, int (*f_get_cache)(void *, mbedtls_ssl_session *), int (*f_set_cache)(void *, const mbedtls_ssl_session *) ) @@ -5296,7 +5296,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session } #endif /* MBEDTLS_SSL_CLI_C */ -void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf, const int *ciphersuites ) { conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; @@ -5305,7 +5305,7 @@ void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_config *conf, conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; } -void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor ) { @@ -5350,14 +5350,14 @@ static int ssl_append_key_cert( mbedtls_ssl_key_cert **head, return( 0 ); } -int mbedtls_ssl_set_own_cert( mbedtls_ssl_config *conf, +int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key ) { return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) ); } -void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl ) { @@ -5385,7 +5385,7 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) -int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf, +int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, const unsigned char *psk_identity, size_t psk_identity_len ) { @@ -5443,7 +5443,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, return( 0 ); } -void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_psk ) @@ -5454,7 +5454,7 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_config *conf, #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) -int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) +int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) { int ret; @@ -5469,7 +5469,7 @@ int mbedtls_ssl_set_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const return( 0 ); } -int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) +int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) { int ret; @@ -5489,7 +5489,7 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context /* * Set the allowed elliptic curves */ -void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curve_list ) { conf->curve_list = curve_list; @@ -5523,7 +5523,7 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) #endif #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_sni ) @@ -5534,7 +5534,7 @@ void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #if defined(MBEDTLS_SSL_ALPN) -int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) +int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos ) { size_t cur_len, tot_len; const char **p; @@ -5588,7 +5588,7 @@ static int ssl_check_version( const mbedtls_ssl_config *conf, return( 0 ); } -int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor ) +int mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) { if( ssl_check_version( conf, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -5599,7 +5599,7 @@ int mbedtls_ssl_set_max_version( mbedtls_ssl_config *conf, int major, int minor return( 0 ); } -int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor ) +int mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) { if( ssl_check_version( conf, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -5611,33 +5611,33 @@ int mbedtls_ssl_set_min_version( mbedtls_ssl_config *conf, int major, int minor } #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) -void mbedtls_ssl_set_fallback( mbedtls_ssl_config *conf, char fallback ) +void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) { conf->fallback = fallback; } #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) -void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) +void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) { conf->encrypt_then_mac = etm; } #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) -void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_config *conf, char ems ) +void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) { conf->extended_ms = ems; } #endif -void mbedtls_ssl_set_arc4_support( mbedtls_ssl_config *conf, char arc4 ) +void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ) { conf->arc4_disabled = arc4; } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) -int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) +int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code ) { if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || mfl_code_to_length[mfl_code] > MBEDTLS_SSL_MAX_CONTENT_LEN ) @@ -5652,7 +5652,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) -int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) +int mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) { conf->trunc_hmac = truncate; @@ -5661,29 +5661,29 @@ int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) +void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) { conf->cbc_record_splitting = split; } #endif -void mbedtls_set_ssl_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) +void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) { conf->allow_legacy_renegotiation = allow_legacy; } #if defined(MBEDTLS_SSL_RENEGOTIATION) -void mbedtls_ssl_set_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) +void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation ) { conf->disable_renegotiation = renegotiation; } -void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) +void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records ) { conf->renego_max_records = max_records; } -void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf, +void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf, const unsigned char period[8] ) { memcpy( conf->renego_period, period, 8 ); @@ -5691,7 +5691,7 @@ void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) -int mbedtls_ssl_set_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) +int mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) { conf->session_tickets = use_tickets; @@ -5706,7 +5706,7 @@ int mbedtls_ssl_set_session_tickets( mbedtls_ssl_config *conf, int use_tickets ) return( ssl_ticket_keys_init( conf ) ); } -void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ) +void mbedtls_ssl_conf_session_ticket_lifetime( mbedtls_ssl_config *conf, int lifetime ) { conf->ticket_lifetime = lifetime; } @@ -6735,7 +6735,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) if( endpoint == MBEDTLS_SSL_IS_SERVER ) { - if( ( ret = mbedtls_ssl_set_dh_param( conf, + if( ( ret = mbedtls_ssl_conf_dh_param( conf, MBEDTLS_DHM_RFC5114_MODP_2048_P, MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 ) { diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 658555a21..fb95adf13 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -179,16 +179,16 @@ int main( int argc, char *argv[] ) /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ - mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 5d1134ce0..55b6b3e16 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -206,19 +206,19 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &conf, &cache, + mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); #endif - mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { - printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } @@ -229,7 +229,7 @@ int main( void ) goto exit; } - mbedtls_ssl_set_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, + mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); printf( " ok\n" ); @@ -275,7 +275,7 @@ reset: sizeof( client_ip ) ) ) != 0 ) { printf( " failed\n ! " - "ssl_set_client_tranport_id() returned -0x%x\n\n", -ret ); + "ssl_set_client_transport_id() returned -0x%x\n\n", -ret ); goto exit; } diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 0504c76fa..d770754f1 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -203,10 +203,10 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - mbedtls_ssl_set_psk( &ssl, psk, sizeof( psk ), + mbedtls_ssl_conf_psk( &ssl, psk, sizeof( psk ), (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); #endif @@ -217,13 +217,13 @@ int main( void ) goto exit; } - mbedtls_ssl_set_ca_chain( &conf, &ca, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, &ca, NULL ); if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) { ret = hostname_failed; goto exit; } - mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); #endif /* diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index f3b22fde3..cf5598b53 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -168,16 +168,16 @@ int main( void ) /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ - mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); /* diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 0f03a81b6..6620d4eab 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1065,58 +1065,58 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_X509_CRT_PARSE_C) if( opt.debug_level > 0 ) - mbedtls_ssl_set_verify( &conf, my_verify, NULL ); + mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); #endif if( opt.auth_mode != DFL_AUTH_MODE ) - mbedtls_ssl_set_authmode( &conf, opt.auth_mode ); + mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) - mbedtls_ssl_set_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); + mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if( ( ret = mbedtls_ssl_set_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_max_frag_len returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret ); goto exit; } #endif #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) - mbedtls_ssl_set_truncated_hmac( &conf, opt.trunc_hmac ); + mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac ); #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) if( opt.extended_ms != DFL_EXTENDED_MS ) - mbedtls_ssl_set_extended_master_secret( &conf, opt.extended_ms ); + mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms ); #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( opt.etm != DFL_ETM ) - mbedtls_ssl_set_encrypt_then_mac( &conf, opt.etm ); + mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm ); #endif #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) if( opt.recsplit != DFL_RECSPLIT ) - mbedtls_ssl_set_cbc_record_splitting( &conf, opt.recsplit + mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) - if( ( ret = mbedtls_ssl_set_alpn_protocols( &conf, alpn_list ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_alpn_protocols returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret ); goto exit; } #endif - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); if( opt.nbio == 2 ) mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL ); @@ -1128,40 +1128,40 @@ int main( int argc, char *argv[] ) NULL #endif ); - mbedtls_ssl_set_read_timeout( &conf, opt.read_timeout ); + mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ( ret = mbedtls_ssl_set_session_tickets( &conf, opt.tickets ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_session_tickets returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret ); goto exit; } #endif if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); + mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); if( opt.arc4 != DFL_ARC4 ) - mbedtls_ssl_set_arc4_support( &conf, opt.arc4 ); + mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_set_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); + mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_set_renegotiation( &conf, opt.renegotiation ); + mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); } if( strcmp( opt.crt_file, "none" ) != 0 && strcmp( opt.key_file, "none" ) != 0 ) { - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } } @@ -1173,18 +1173,18 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ( ret = mbedtls_ssl_set_psk( &conf, psk, psk_len, + if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_psk returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_psk returned %d\n\n", ret ); goto exit; } #endif if( opt.min_version != DFL_MIN_VERSION ) { - ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); + ret = mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected min_version is not available\n" ); @@ -1194,7 +1194,7 @@ int main( int argc, char *argv[] ) if( opt.max_version != DFL_MAX_VERSION ) { - ret = mbedtls_ssl_set_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); + ret = mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected max_version is not available\n" ); @@ -1204,7 +1204,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_FALLBACK_SCSV) if( opt.fallback != DFL_FALLBACK ) - mbedtls_ssl_set_fallback( &conf, opt.fallback ); + mbedtls_ssl_conf_fallback( &conf, opt.fallback ); #endif mbedtls_printf( " ok\n" ); @@ -1520,7 +1520,7 @@ reconnect: if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session returned %d\n\n", ret ); goto exit; } diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 2d03c8ba5..e064c5c81 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -265,14 +265,14 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); - mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index f4f6b3b56..d28b85159 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -602,24 +602,24 @@ int main( int argc, char *argv[] ) /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ - mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); + mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); - mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 7b7138af1..9150a8eb7 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -176,22 +176,22 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_mutexed_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_mutexed_debug, stdout ); /* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if * MBEDTLS_THREADING_C is set. */ #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &conf, + mbedtls_ssl_conf_session_cache( &conf, mbedtls_ssl_cache_get, thread_info->cache, mbedtls_ssl_cache_set, thread_info->cache ); #endif - mbedtls_ssl_set_ca_chain( &conf, thread_info->ca_chain, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &conf, thread_info->server_cert, thread_info->server_key ) ) != 0 ) + mbedtls_ssl_conf_ca_chain( &conf, thread_info->ca_chain, NULL ); + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, thread_info->server_cert, thread_info->server_key ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto thread_exit; } diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index c1ad8baed..150b6262a 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -205,19 +205,19 @@ int main( void ) goto exit; } - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_set_session_cache( &conf, &cache, + mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); #endif - mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 0b690b055..81b92a6d4 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1534,47 +1534,47 @@ int main( int argc, char *argv[] ) } if( opt.auth_mode != DFL_AUTH_MODE ) - mbedtls_ssl_set_authmode( &conf, opt.auth_mode ); + mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) - mbedtls_ssl_set_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); + mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if( ( ret = mbedtls_ssl_set_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_max_frag_len returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret ); goto exit; }; #endif #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) - mbedtls_ssl_set_truncated_hmac( &conf, opt.trunc_hmac ); + mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac ); #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) if( opt.extended_ms != DFL_EXTENDED_MS ) - mbedtls_ssl_set_extended_master_secret( &conf, opt.extended_ms ); + mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms ); #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( opt.etm != DFL_ETM ) - mbedtls_ssl_set_encrypt_then_mac( &conf, opt.etm ); + mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) - if( ( ret = mbedtls_ssl_set_alpn_protocols( &conf, alpn_list ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_alpn_protocols returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret ); goto exit; } #endif - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); #if defined(MBEDTLS_SSL_CACHE_C) if( opt.cache_max != -1 ) @@ -1583,20 +1583,20 @@ int main( int argc, char *argv[] ) if( opt.cache_timeout != -1 ) mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); - mbedtls_ssl_set_session_cache( &conf, &cache, + mbedtls_ssl_conf_session_cache( &conf, &cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if( ( ret = mbedtls_ssl_set_session_tickets( &conf, opt.tickets ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_session_tickets returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session_tickets returned %d\n\n", ret ); goto exit; } if( opt.ticket_timeout != -1 ) - mbedtls_ssl_set_session_ticket_lifetime( &conf, opt.ticket_timeout ); + mbedtls_ssl_conf_session_ticket_lifetime( &conf, opt.ticket_timeout ); #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -1612,7 +1612,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_set_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, + mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); } else @@ -1620,7 +1620,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.cookies == 0 ) { - mbedtls_ssl_set_dtls_cookies( &conf, NULL, NULL, NULL ); + mbedtls_ssl_conf_dtls_cookies( &conf, NULL, NULL, NULL ); } else #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ @@ -1630,50 +1630,50 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( opt.anti_replay != DFL_ANTI_REPLAY ) - mbedtls_ssl_set_dtls_anti_replay( &conf, opt.anti_replay ); + mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay ); #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) if( opt.badmac_limit != DFL_BADMAC_LIMIT ) - mbedtls_ssl_set_dtls_badmac_limit( &conf, opt.badmac_limit ); + mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit ); #endif } #endif /* MBEDTLS_SSL_PROTO_DTLS */ if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); + mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); if( opt.arc4 != DFL_ARC4 ) - mbedtls_ssl_set_arc4_support( &conf, opt.arc4 ); + mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); if( opt.version_suites != NULL ) { - mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[0], + mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0 ); - mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[1], + mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[1], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1 ); - mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[2], + mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[2], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2 ); - mbedtls_ssl_set_ciphersuites_for_version( &conf, version_suites[3], + mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[3], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3 ); } if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_set_ssl_legacy_renegotiation( &conf, opt.allow_legacy ); + mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_set_renegotiation( &conf, opt.renegotiation ); + mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); if( opt.renego_delay != DFL_RENEGO_DELAY ) - mbedtls_ssl_set_renegotiation_enforced( &conf, opt.renego_delay ); + mbedtls_ssl_conf_renegotiation_enforced( &conf, opt.renego_delay ); if( opt.renego_period != DFL_RENEGO_PERIOD ) { renego_period[7] = opt.renego_period; - mbedtls_ssl_set_renegotiation_period( &conf, renego_period ); + mbedtls_ssl_conf_renegotiation_period( &conf, renego_period ); } #endif @@ -1681,42 +1681,42 @@ int main( int argc, char *argv[] ) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); } if( key_cert_init ) - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } if( key_cert_init2 ) - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, &pkey2 ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; } #endif #if defined(SNI_OPTION) if( opt.sni != NULL ) - mbedtls_ssl_set_sni( &conf, sni_callback, sni_info ); + mbedtls_ssl_conf_sni( &conf, sni_callback, sni_info ); #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 ) { - ret = mbedtls_ssl_set_psk( &conf, psk, psk_len, + ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ); if( ret != 0 ) { - mbedtls_printf( " failed\n mbedtls_ssl_set_psk returned -0x%04X\n\n", - ret ); + mbedtls_printf( " failed\n mbedtls_ssl_conf_psk returned -0x%04X\n\n", - ret ); goto exit; } } if( opt.psk_list != NULL ) - mbedtls_ssl_set_psk_cb( &conf, psk_callback, psk_info ); + mbedtls_ssl_conf_psk_cb( &conf, psk_callback, psk_info ); #endif #if defined(MBEDTLS_DHM_C) @@ -1725,18 +1725,18 @@ int main( int argc, char *argv[] ) */ #if defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) - ret = mbedtls_ssl_set_dh_param_ctx( &conf, &dhm ); + ret = mbedtls_ssl_conf_dh_param_ctx( &conf, &dhm ); #endif if( ret != 0 ) { - mbedtls_printf( " failed\n mbedtls_ssl_set_dh_param returned -0x%04X\n\n", - ret ); + mbedtls_printf( " failed\n mbedtls_ssl_conf_dh_param returned -0x%04X\n\n", - ret ); goto exit; } #endif if( opt.min_version != DFL_MIN_VERSION ) { - ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); + ret = mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected min_version is not available\n" ); @@ -1746,7 +1746,7 @@ int main( int argc, char *argv[] ) if( opt.max_version != DFL_MIN_VERSION ) { - ret = mbedtls_ssl_set_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); + ret = mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); if( ret != 0 ) { mbedtls_printf( " failed\n ! selected max_version is not available\n" ); @@ -1823,7 +1823,7 @@ reset: NULL #endif ); - mbedtls_ssl_set_read_timeout( &conf, opt.read_timeout ); + mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) @@ -1832,7 +1832,7 @@ reset: sizeof( client_ip ) ) ) != 0 ) { mbedtls_printf( " failed\n ! " - "ssl_set_client_tranport_id() returned -0x%x\n\n", -ret ); + "ssl_set_client_transport_id() returned -0x%x\n\n", -ret ); goto exit; } } diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index fb8128784..79a652e1c 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -412,20 +412,20 @@ int main( int argc, char *argv[] ) if( verify ) { - mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); - mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); - mbedtls_ssl_set_verify( &conf, my_verify, NULL ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); } else - mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); - mbedtls_ssl_set_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); - if( ( ret = mbedtls_ssl_set_own_cert( &conf, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto ssl_exit; } diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt index 431e1bea7..f86341ebf 100644 --- a/scripts/data_files/rename-1.3-2.0.txt +++ b/scripts/data_files/rename-1.3-2.0.txt @@ -1969,7 +1969,7 @@ ssl_hw_record_reset mbedtls_ssl_hw_record_reset ssl_hw_record_write mbedtls_ssl_hw_record_write ssl_init mbedtls_ssl_init ssl_key_cert mbedtls_ssl_key_cert -ssl_legacy_renegotiation mbedtls_set_ssl_legacy_renegotiation +ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash ssl_optimize_checksum mbedtls_ssl_optimize_checksum @@ -1997,49 +1997,49 @@ ssl_session mbedtls_ssl_session ssl_session_free mbedtls_ssl_session_free ssl_session_init mbedtls_ssl_session_init ssl_session_reset mbedtls_ssl_session_reset -ssl_set_alpn_protocols mbedtls_ssl_set_alpn_protocols -ssl_set_arc4_support mbedtls_ssl_set_arc4_support -ssl_set_authmode mbedtls_ssl_set_authmode +ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols +ssl_set_arc4_support mbedtls_ssl_conf_arc4_support +ssl_set_authmode mbedtls_ssl_conf_authmode ssl_set_bio mbedtls_ssl_set_bio ssl_set_bio_timeout mbedtls_ssl_set_bio_timeout -ssl_set_ca_chain mbedtls_ssl_set_ca_chain -ssl_set_cbc_record_splitting mbedtls_ssl_set_cbc_record_splitting -ssl_set_ciphersuites mbedtls_ssl_set_ciphersuites -ssl_set_ciphersuites_for_version mbedtls_ssl_set_ciphersuites_for_version +ssl_set_ca_chain mbedtls_ssl_conf_ca_chain +ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting +ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites +ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id -ssl_set_curves mbedtls_ssl_set_curves -ssl_set_dbg mbedtls_ssl_set_dbg -ssl_set_dh_param mbedtls_ssl_set_dh_param -ssl_set_dh_param_ctx mbedtls_ssl_set_dh_param_ctx -ssl_set_dtls_anti_replay mbedtls_ssl_set_dtls_anti_replay -ssl_set_dtls_badmac_limit mbedtls_ssl_set_dtls_badmac_limit -ssl_set_dtls_cookies mbedtls_ssl_set_dtls_cookies -ssl_set_encrypt_then_mac mbedtls_ssl_set_encrypt_then_mac -ssl_set_endpoint mbedtls_ssl_set_endpoint -ssl_set_extended_master_secret mbedtls_ssl_set_extended_master_secret -ssl_set_fallback mbedtls_ssl_set_fallback -ssl_set_handshake_timeout mbedtls_ssl_set_handshake_timeout +ssl_set_curves mbedtls_ssl_conf_curves +ssl_set_dbg mbedtls_ssl_conf_dbg +ssl_set_dh_param mbedtls_ssl_conf_dh_param +ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx +ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay +ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit +ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies +ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac +ssl_set_endpoint mbedtls_ssl_conf_endpoint +ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret +ssl_set_fallback mbedtls_ssl_conf_fallback +ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout ssl_set_hostname mbedtls_ssl_set_hostname -ssl_set_max_frag_len mbedtls_ssl_set_max_frag_len -ssl_set_max_version mbedtls_ssl_set_max_version -ssl_set_min_version mbedtls_ssl_set_min_version -ssl_set_own_cert mbedtls_ssl_set_own_cert +ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len +ssl_set_max_version mbedtls_ssl_conf_max_version +ssl_set_min_version mbedtls_ssl_conf_min_version +ssl_set_own_cert mbedtls_ssl_conf_own_cert ssl_set_own_cert_alt mbedtls_ssl_set_own_cert_alt ssl_set_own_cert_rsa mbedtls_ssl_set_own_cert_rsa -ssl_set_psk mbedtls_ssl_set_psk -ssl_set_psk_cb mbedtls_ssl_set_psk_cb -ssl_set_renegotiation mbedtls_ssl_set_renegotiation -ssl_set_renegotiation_enforced mbedtls_ssl_set_renegotiation_enforced -ssl_set_renegotiation_period mbedtls_ssl_set_renegotiation_period -ssl_set_rng mbedtls_ssl_set_rng +ssl_set_psk mbedtls_ssl_conf_psk +ssl_set_psk_cb mbedtls_ssl_conf_psk_cb +ssl_set_renegotiation mbedtls_ssl_conf_renegotiation +ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced +ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period +ssl_set_rng mbedtls_ssl_conf_rng ssl_set_session mbedtls_ssl_set_session -ssl_set_session_cache mbedtls_ssl_set_session_cache -ssl_set_session_ticket_lifetime mbedtls_ssl_set_session_ticket_lifetime -ssl_set_session_tickets mbedtls_ssl_set_session_tickets -ssl_set_sni mbedtls_ssl_set_sni -ssl_set_transport mbedtls_ssl_set_transport -ssl_set_truncated_hmac mbedtls_ssl_set_truncated_hmac -ssl_set_verify mbedtls_ssl_set_verify +ssl_set_session_cache mbedtls_ssl_conf_session_cache +ssl_set_session_ticket_lifetime mbedtls_ssl_conf_session_ticket_lifetime +ssl_set_session_tickets mbedtls_ssl_conf_session_tickets +ssl_set_sni mbedtls_ssl_conf_sni +ssl_set_transport mbedtls_ssl_conf_transport +ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac +ssl_set_verify mbedtls_ssl_conf_verify ssl_sig_from_pk mbedtls_ssl_sig_from_pk ssl_states mbedtls_ssl_states ssl_ticket_keys mbedtls_ssl_ticket_keys diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 5fd5d3486..5c8993fb9 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -46,7 +46,7 @@ void debug_print_msg_threshold( int threshold, int level, char *file, int line, mbedtls_debug_set_log_mode( MBEDTLS_DEBUG_LOG_FULL ); mbedtls_debug_set_threshold( threshold ); - mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_msg( &ssl, level, file, line, mbedtls_debug_fmt("Text message, 2 == %d", 2 ) ); @@ -75,7 +75,7 @@ void mbedtls_debug_print_ret( int mode, char *file, int line, char *text, int va TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_ret( &ssl, 0, file, line, text, value); @@ -108,7 +108,7 @@ void mbedtls_debug_print_buf( int mode, char *file, int line, char *text, TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_buf( &ssl, 0, file, line, text, data, data_len ); @@ -138,7 +138,7 @@ void mbedtls_debug_print_crt( int mode, char *crt_file, char *file, int line, TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt); @@ -172,7 +172,7 @@ void mbedtls_debug_print_mpi( int mode, int radix, char *value, char *file, int TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 ); mbedtls_debug_set_log_mode( mode ); - mbedtls_ssl_set_dbg( &conf, string_debug, &buffer); + mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer); mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val); From 2f84e979296ced48e5ff4c505b8e00230be2caea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 09:52:24 +0200 Subject: [PATCH 36/45] Fix typos in the Changelog --- ChangeLog | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4011512a0..2fc2d0118 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,12 +15,13 @@ API Changes provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). * The following _init() functions that could return errors have - been split into an _init() that returns void and another function: + been split into an _init() that returns void and another function that + should generally called shortly after init and can return errors: mbedtls_ssl_init() -> mbedtls_ssl_setup() mbedtls_ccm_init() -> mbedtls_ccm_setkey() mbedtls_gcm_init() -> mbedtls_gcm_setkey() - mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_init(_buf)() - mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_init(_buf)() + mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() + mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() * mbedtls_ssl_set_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). * mbedtls_ssl_set_session_cached() changed prototype (only one context From caace657110e42744f914e405130b76b4abee067 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 09:57:11 +0200 Subject: [PATCH 37/45] Update Changelog for recent config split --- ChangeLog | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2fc2d0118..90654ab47 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,7 +22,12 @@ API Changes mbedtls_gcm_init() -> mbedtls_gcm_setkey() mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() - * mbedtls_ssl_set_ca_chain() lost its last argument (peer_cn), now set + * Most ssl_set_xxx() functions (all except ssl_set_hostname(), + ssl_set_session() and ssl_set_client_transport_id(), plus + ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() + (see rename.pl and compat-1.3.h above) and their first argument's type + changed from ssl_context to ssl_config. + * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). * mbedtls_ssl_set_session_cached() changed prototype (only one context pointer, parameters reordered). From 01e5e8c1f88d713514c78ae72153ffdaa2512549 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 10:11:56 +0200 Subject: [PATCH 38/45] Change a few ssl_conf return types to void --- ChangeLog | 11 ++++++--- include/mbedtls/ssl.h | 35 +++++++++++++---------------- library/ssl_tls.c | 46 ++++---------------------------------- programs/ssl/ssl_client2.c | 18 ++------------- programs/ssl/ssl_server2.c | 18 ++------------- 5 files changed, 31 insertions(+), 97 deletions(-) diff --git a/ChangeLog b/ChangeLog index 90654ab47..1fed051d3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,9 +29,10 @@ API Changes changed from ssl_context to ssl_config. * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). - * mbedtls_ssl_set_session_cached() changed prototype (only one context + * mbedtls_ssl_conf_session_cache() changed prototype (only one context pointer, parameters reordered). - * mbedtls_memory_bufer_alloc_init() now returns void + * mbedtls_ssl_conf_truncated_hmac() now returns void. + * mbedtls_memory_bufer_alloc_init() now returns void. * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now return void. * ecdsa_write_signature() gained an addtional md_alg argument and @@ -96,9 +97,13 @@ Reauirement changes * The NET layer now unconditionnaly relies on getaddrinfo(). * Compiler is required to support C99 types such as long long and uint32_t. -Changes from the 1.4 preview branch +API changes from the 1.4 preview branch * ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with new prototype, and mbedtls_ssl_set_read_timeout(). + * The following functions now return void: + mbedtls_ssl_conf_transport() + mbedtls_ssl_conf_max_version() + mbedtls_ssl_conf_min_version() Changes * mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 742e9e440..b5e6a8c8d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1185,17 +1185,16 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ); * \brief Set the transport type (TLS or DTLS). * Default: TLS * + * \note For DTLS, you must either provide a recv callback that + * doesn't block, or one that handles timeouts, see + * mbedtls_ssl_conf_bio() + * * \param conf SSL configuration * \param transport transport type: * MBEDTLS_SSL_TRANSPORT_STREAM for TLS, * MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS. - * \return 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA - * - * \note For DTLS, you must either provide a recv callback that - * doesn't block, or one that handles timeouts, see - * mbedtls_ssl_conf_bio() */ -int mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); +void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); /** * \brief Set the certificate verification mode @@ -1799,19 +1798,18 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ); * and/or accepted at the server side * (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION) * - * Note: This ignores ciphersuites from 'higher' versions. + * \note This ignores ciphersuites from higher versions. + * + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and + * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0, * MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, * MBEDTLS_SSL_MINOR_VERSION_3 supported) - * \return 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA - * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and - * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -int mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ); +void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ); /** * \brief Set the minimum accepted SSL/TLS protocol version @@ -1822,17 +1820,16 @@ int mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor * * \note MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided. * + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and + * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0, * MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2, * MBEDTLS_SSL_MINOR_VERSION_3 supported) - * \return 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA - * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and - * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ -int mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ); +void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ); #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) /** @@ -1929,10 +1926,8 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c * \param conf SSL configuration * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or * MBEDTLS_SSL_TRUNC_HMAC_DISABLED) - * - * \return Always 0. */ -int mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); +void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b098e0dd3..8263573b6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5185,11 +5185,9 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) conf->endpoint = endpoint; } -int mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) +void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) { conf->transport = transport; - - return( 0 ); } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) @@ -5564,50 +5562,16 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_ALPN */ -static int ssl_check_version( const mbedtls_ssl_config *conf, - int major, int minor ) +void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) { - if( major < MBEDTLS_SSL_MIN_MAJOR_VERSION || - major > MBEDTLS_SSL_MAX_MAJOR_VERSION || - minor < MBEDTLS_SSL_MIN_MINOR_VERSION || - minor > MBEDTLS_SSL_MAX_MINOR_VERSION ) - { - return( -1 ); - } - -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - minor < MBEDTLS_SSL_MINOR_VERSION_2 ) - { - return( -1 ); - } -#else - ((void) ssl); -#endif - - return( 0 ); -} - -int mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor ) -{ - if( ssl_check_version( conf, major, minor ) != 0 ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - conf->max_major_ver = major; conf->max_minor_ver = minor; - - return( 0 ); } -int mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) +void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ) { - if( ssl_check_version( conf, major, minor ) != 0 ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - conf->min_major_ver = major; conf->min_minor_ver = minor; - - return( 0 ); } #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) @@ -5652,11 +5616,9 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) -int mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) +void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) { conf->trunc_hmac = truncate; - - return( 0 ); } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 6620d4eab..8d04b9af3 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1183,24 +1183,10 @@ int main( int argc, char *argv[] ) #endif if( opt.min_version != DFL_MIN_VERSION ) - { - ret = mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); - if( ret != 0 ) - { - mbedtls_printf( " failed\n ! selected min_version is not available\n" ); - goto exit; - } - } + mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != DFL_MAX_VERSION ) - { - ret = mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); - if( ret != 0 ) - { - mbedtls_printf( " failed\n ! selected max_version is not available\n" ); - goto exit; - } - } + mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); #if defined(MBEDTLS_SSL_FALLBACK_SCSV) if( opt.fallback != DFL_FALLBACK ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 81b92a6d4..b9e2c09e7 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1735,24 +1735,10 @@ int main( int argc, char *argv[] ) #endif if( opt.min_version != DFL_MIN_VERSION ) - { - ret = mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); - if( ret != 0 ) - { - mbedtls_printf( " failed\n ! selected min_version is not available\n" ); - goto exit; - } - } + mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != DFL_MIN_VERSION ) - { - ret = mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); - if( ret != 0 ) - { - mbedtls_printf( " failed\n ! selected max_version is not available\n" ); - goto exit; - } - } + mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); mbedtls_printf( " ok\n" ); From 9a1a4d6903c9b5781cded71bee85c9ef103b966a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 10:35:53 +0200 Subject: [PATCH 39/45] Update Changelog with forgotten change --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 1fed051d3..d6ad721de 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,11 @@ API Changes ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() (see rename.pl and compat-1.3.h above) and their first argument's type changed from ssl_context to ssl_config. + * The following functions have been introduced and must be used in callback + implementations (SNI, PSK) instead of their *conf counterparts: + mbedtls_ssl_set_hs_own_cert() + mbedtls_ssl_set_hs_ca_chain() + mbedtls_ssl_set_hs_psk() * mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname(). * mbedtls_ssl_conf_session_cache() changed prototype (only one context From 06939cebef302804a22cccc1ba50e7461ccfd2bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 11:25:46 +0200 Subject: [PATCH 40/45] Fix order of ssl_conf vs ssl_setup in programs Except ssl_phtread_server that will be done later --- ChangeLog | 4 +++- include/mbedtls/ssl.h | 6 +++++ library/ssl_tls.c | 18 +++++++-------- programs/ssl/dtls_client.c | 16 ++++++------- programs/ssl/dtls_server.c | 12 +++++----- programs/ssl/mini_client.c | 17 +++++++------- programs/ssl/ssl_client1.c | 17 +++++++------- programs/ssl/ssl_client2.c | 41 +++++++++++++++++++++------------- programs/ssl/ssl_fork_server.c | 15 +++++++------ programs/ssl/ssl_mail_client.c | 21 ++++++++--------- programs/ssl/ssl_server.c | 12 +++++----- programs/ssl/ssl_server2.c | 33 ++++++++++++++------------- programs/x509/cert_app.c | 15 +++++++------ 13 files changed, 124 insertions(+), 103 deletions(-) diff --git a/ChangeLog b/ChangeLog index d6ad721de..2b8a43811 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,12 +16,14 @@ API Changes * Headers are now found in the 'mbedtls' directory (previously 'polarssl'). * The following _init() functions that could return errors have been split into an _init() that returns void and another function that - should generally called shortly after init and can return errors: + should generally be the first function called on this context after init: mbedtls_ssl_init() -> mbedtls_ssl_setup() mbedtls_ccm_init() -> mbedtls_ccm_setkey() mbedtls_gcm_init() -> mbedtls_gcm_setkey() mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)() mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed() + Note that for mbetls_ssl_setup(), you need to be done setting up the + ssl_config structure before calling it. * Most ssl_set_xxx() functions (all except ssl_set_hostname(), ssl_set_session() and ssl_set_client_transport_id(), plus ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b5e6a8c8d..1efb6a889 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1152,6 +1152,12 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ); /** * \brief Set up an SSL context for use * + * \note No copy of the configuration context is made, it can be + * shared by many ssl_context structures. + * + * \warning Modifying the conf structure after is has been used in this + * function is unsupported! + * * \param ssl SSL context * \param conf SSL configuration to use * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8263573b6..be7a25fcc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4915,18 +4915,16 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl_transform_init( ssl->transform_negotiate ); ssl_handshake_params_init( ssl->handshake ); - /* - * We may not know yet if we're using DTLS, - * so always initiliase DTLS-specific fields. - */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->handshake->alt_transform_out = ssl->transform_out; + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->handshake->alt_transform_out = ssl->transform_out; - // TODO: not the right place, we may not know endpoint yet - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; - else - ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; + else + ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; + } #endif return( 0 ); diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index fb95adf13..3886bbd30 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -170,26 +170,26 @@ int main( int argc, char *argv[] ) goto exit; } + /* OPTIONAL is usually a bad choice for security, but makes interop easier + * in this simplified example, in which the ca chain is hardcoded. + * Production code should set a proper ca chain and use REQUIRED. */ + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; } - /* OPTIONAL is usually a bad choice for security, but makes interop easier - * in this simplified example, in which the ca chain is hardcoded. - * Production code should set a proper ca chain and use REQUIRED. */ - mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 55b6b3e16..40416be96 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -200,12 +200,6 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto exit; - } - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); @@ -232,6 +226,12 @@ int main( void ) mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); + goto exit; + } + printf( " ok\n" ); reset: diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index d770754f1..1bb71a2f0 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -197,12 +197,6 @@ int main( void ) goto exit; } - if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) - { - ret = ssl_setup_failed; - goto exit; - } - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -218,13 +212,20 @@ int main( void ) } mbedtls_ssl_conf_ca_chain( &conf, &ca, NULL ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); +#endif + + if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) + { + ret = ssl_setup_failed; + goto exit; + } + if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) { ret = hostname_failed; goto exit; } - mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); -#endif /* * 1. Start the connection diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index cf5598b53..ec1edd89a 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -158,26 +158,27 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto exit; - } - mbedtls_printf( " ok\n" ); /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); + + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); + goto exit; + } + if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); /* diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 8d04b9af3..79cdb2894 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1057,12 +1057,6 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); - goto exit; - } - #if defined(MBEDTLS_X509_CRT_PARSE_C) if( opt.debug_level > 0 ) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); @@ -1118,16 +1112,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - if( opt.nbio == 2 ) - mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL ); - else - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, -#if defined(MBEDTLS_HAVE_TIME) - opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL -#else - NULL -#endif - ); mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_SESSION_TICKETS) @@ -1193,6 +1177,31 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_fallback( &conf, opt.fallback ); #endif + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); + goto exit; + } + +#if defined(MBEDTLS_X509_CRT_PARSE_C) + if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } +#endif + + if( opt.nbio == 2 ) + mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL ); + else + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, +#if defined(MBEDTLS_HAVE_TIME) + opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL +#else + NULL +#endif + ); + mbedtls_printf( " ok\n" ); /* diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index e064c5c81..77aa88d49 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -257,17 +257,10 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto exit; - } - mbedtls_printf( " ok\n" ); mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) @@ -276,6 +269,14 @@ int main( void ) goto exit; } + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); + goto exit; + } + + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + /* * 5. Handshake */ diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index d28b85159..a555d400e 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -592,21 +592,12 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); @@ -623,7 +614,13 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); + goto exit; + } + +#if defined(MBEDTLS_x509_CRT_PARSE_C) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); @@ -631,6 +628,10 @@ int main( int argc, char *argv[] ) } #endif + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + + mbedtls_printf( " ok\n" ); + if( opt.mode == MODE_SSL_TLS ) { if( do_handshake( &ssl ) != 0 ) diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 150b6262a..a919ad9d8 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -199,12 +199,6 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto exit; - } - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); @@ -221,6 +215,12 @@ int main( void ) goto exit; } + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); + goto exit; + } + mbedtls_printf( " ok\n" ); reset: diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b9e2c09e7..863cc534f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1527,12 +1527,6 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); - goto exit; - } - if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); @@ -1740,6 +1734,23 @@ int main( int argc, char *argv[] ) if( opt.max_version != DFL_MIN_VERSION ) mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); + goto exit; + } + + if( opt.nbio == 2 ) + mbedtls_ssl_set_bio( &ssl, &client_fd, my_send, my_recv, NULL ); + else + mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, +#if defined(MBEDTLS_HAVE_TIME) + opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL +#else + NULL +#endif + ); + mbedtls_printf( " ok\n" ); reset: @@ -1799,16 +1810,6 @@ reset: goto exit; } - if( opt.nbio == 2 ) - mbedtls_ssl_set_bio( &ssl, &client_fd, my_send, my_recv, NULL ); - else - mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, -#if defined(MBEDTLS_HAVE_TIME) - opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL -#else - NULL -#endif - ); mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 79a652e1c..41bbb4272 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -404,12 +404,6 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); - goto ssl_exit; - } - if( verify ) { mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); @@ -421,7 +415,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 ) { @@ -429,12 +422,20 @@ int main( int argc, char *argv[] ) goto ssl_exit; } + if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); + goto ssl_exit; + } + if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto ssl_exit; } + mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + /* * 4. Handshake */ From ccc302692ac2c659b560b4f40532c5d25c1705b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 12:04:55 +0200 Subject: [PATCH 41/45] Fix bug introduced when splitting init functions --- library/ccm.c | 4 ---- library/ctr_drbg.c | 1 - library/gcm.c | 4 ---- library/hmac_drbg.c | 8 -------- 4 files changed, 17 deletions(-) diff --git a/library/ccm.c b/library/ccm.c index 957fda9ea..109927e4c 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -74,10 +74,6 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, int ret; const mbedtls_cipher_info_t *cipher_info; - memset( ctx, 0, sizeof( mbedtls_ccm_context ) ); - - mbedtls_cipher_init( &ctx->cipher_ctx ); - cipher_info = mbedtls_cipher_info_from_values( cipher, keysize, MBEDTLS_MODE_ECB ); if( cipher_info == NULL ) return( MBEDTLS_ERR_CCM_BAD_INPUT ); diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 54feb71c9..00b50d26b 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -82,7 +82,6 @@ int mbedtls_ctr_drbg_seed_entropy_len( int ret; unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE]; - memset( ctx, 0, sizeof(mbedtls_ctr_drbg_context) ); memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE ); mbedtls_aes_init( &ctx->aes_ctx ); diff --git a/library/gcm.c b/library/gcm.c index 58cb4f283..39648b4c6 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -167,10 +167,6 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, int ret; const mbedtls_cipher_info_t *cipher_info; - memset( ctx, 0, sizeof(mbedtls_gcm_context) ); - - mbedtls_cipher_init( &ctx->cipher_ctx ); - cipher_info = mbedtls_cipher_info_from_values( cipher, keysize, MBEDTLS_MODE_ECB ); if( cipher_info == NULL ) return( MBEDTLS_ERR_GCM_BAD_INPUT ); diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c index 02fcc7d00..5c4ee6def 100644 --- a/library/hmac_drbg.c +++ b/library/hmac_drbg.c @@ -105,10 +105,6 @@ int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx, { int ret; - memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) ); - - mbedtls_md_init( &ctx->md_ctx ); - if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) return( ret ); @@ -179,10 +175,6 @@ int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx, int ret; size_t entropy_len, md_size; - memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) ); - - mbedtls_md_init( &ctx->md_ctx ); - if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 ) return( ret ); From 0af00e865b3795e4a5cc0d8ecddd58d5824f1e19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 11:32:43 +0200 Subject: [PATCH 42/45] Optimize config usage in concurrent server examples --- programs/ssl/ssl_fork_server.c | 48 +++++----- programs/ssl/ssl_pthread_server.c | 141 ++++++++++++++---------------- 2 files changed, 96 insertions(+), 93 deletions(-) diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 77aa88d49..1df814b1d 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -169,6 +169,32 @@ int main( void ) mbedtls_printf( " ok\n" ); + /* + * 1b. Prepare SSL configuration + */ + mbedtls_printf( " . Configuring SSL..." ); + fflush( stdout ); + + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); + goto exit; + } + + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); + + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + /* * 2. Setup the listening TCP socket */ @@ -249,26 +275,6 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_config_defaults( &conf, - MBEDTLS_SSL_IS_SERVER, - MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); - goto exit; - } - - mbedtls_printf( " ok\n" ); - - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - - mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); - if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); - goto exit; - } - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); @@ -277,6 +283,8 @@ int main( void ) mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_printf( " ok\n" ); + /* * 5. Handshake */ diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 9150a8eb7..1cc9811f3 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -103,13 +103,7 @@ static void my_mutexed_debug( void *ctx, int level, const char *str ) typedef struct { int client_fd; int thread_complete; - mbedtls_entropy_context *entropy; -#if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_cache_context *cache; -#endif - mbedtls_x509_crt *ca_chain; - mbedtls_x509_crt *server_cert; - mbedtls_pk_context *server_key; + const mbedtls_ssl_config *config; } thread_info_t; typedef struct { @@ -128,79 +122,25 @@ static void *handle_ssl_connection( void *data ) int client_fd = thread_info->client_fd; int thread_id = (int) pthread_self(); unsigned char buf[1024]; - char pers[50]; mbedtls_ssl_context ssl; - mbedtls_ssl_config conf; - mbedtls_ctr_drbg_context ctr_drbg; /* Make sure memory references are valid */ mbedtls_ssl_init( &ssl ); - mbedtls_ssl_config_init( &conf ); - mbedtls_ctr_drbg_init( &ctr_drbg ); - mbedtls_snprintf( pers, sizeof(pers), "SSL Pthread Thread %d", thread_id ); mbedtls_printf( " [ #%d ] Client FD %d\n", thread_id, client_fd ); - mbedtls_printf( " [ #%d ] Seeding the random number generator...\n", thread_id ); - - /* mbedtls_entropy_func() is thread-safe if MBEDTLS_THREADING_C is set - */ - if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, thread_info->entropy, - (const unsigned char *) pers, - strlen( pers ) ) ) != 0 ) - { - mbedtls_printf( " [ #%d ] failed: mbedtls_ctr_drbg_seed returned -0x%04x\n", - thread_id, -ret ); - goto thread_exit; - } - - mbedtls_printf( " [ #%d ] ok\n", thread_id ); /* - * 4. Setup stuff + * 4. Get the SSL context ready */ - mbedtls_printf( " [ #%d ] Setting up the SSL data....\n", thread_id ); - - if( ( ret = mbedtls_ssl_config_defaults( &conf, - MBEDTLS_SSL_IS_SERVER, - MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) - { - mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_config_defaults returned -0x%04x\n", - thread_id, -ret ); - goto thread_exit; - } - - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_setup( &ssl, thread_info->config ) ) != 0 ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_setup returned -0x%04x\n", thread_id, -ret ); goto thread_exit; } - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); - mbedtls_ssl_conf_dbg( &conf, my_mutexed_debug, stdout ); - - /* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if - * MBEDTLS_THREADING_C is set. - */ -#if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_conf_session_cache( &conf, - mbedtls_ssl_cache_get, thread_info->cache, - mbedtls_ssl_cache_set, thread_info->cache ); -#endif - - mbedtls_ssl_conf_ca_chain( &conf, thread_info->ca_chain, NULL ); - if( ( ret = mbedtls_ssl_conf_own_cert( &conf, thread_info->server_cert, thread_info->server_key ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); - goto thread_exit; - } - - mbedtls_printf( " [ #%d ] ok\n", thread_id ); - mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); - mbedtls_printf( " [ #%d ] ok\n", thread_id ); - /* * 5. Handshake */ @@ -321,9 +261,7 @@ thread_exit: #endif mbedtls_net_close( client_fd ); - mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_ssl_free( &ssl ); - mbedtls_ssl_config_free( &conf ); thread_info->thread_complete = 1; @@ -374,9 +312,13 @@ int main( void ) int ret; int listen_fd; int client_fd = -1; + const char pers[] = "ssl_pthread_server"; mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_ssl_config conf; mbedtls_x509_crt srvcert; + mbedtls_x509_crt cachain; mbedtls_pk_context pkey; #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) unsigned char alloc_buf[100000]; @@ -391,18 +333,23 @@ int main( void ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_init( &cache ); - base_info.cache = &cache; #endif + mbedtls_x509_crt_init( &srvcert ); + mbedtls_x509_crt_init( &cachain ); + + mbedtls_ssl_config_init( &conf ); + mbedtls_ctr_drbg_init( &ctr_drbg ); memset( threads, 0, sizeof(threads) ); mbedtls_mutex_init( &debug_mutex ); + base_info.config = &conf; + /* * We use only a single entropy source that is used in all the threads. */ mbedtls_entropy_init( &entropy ); - base_info.entropy = &entropy; /* * 1. Load the certificates and private RSA key @@ -410,8 +357,6 @@ int main( void ) mbedtls_printf( "\n . Loading the server cert. and key..." ); fflush( stdout ); - mbedtls_x509_crt_init( &srvcert ); - /* * This demonstration program uses embedded test certificates. * Instead, you may want to use mbedtls_x509_crt_parse_file() to read the @@ -425,7 +370,7 @@ int main( void ) goto exit; } - ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem, + ret = mbedtls_x509_crt_parse( &cachain, (const unsigned char *) mbedtls_test_cas_pem, mbedtls_test_cas_pem_len ); if( ret != 0 ) { @@ -442,12 +387,60 @@ int main( void ) goto exit; } - base_info.ca_chain = srvcert.next; - base_info.server_cert = &srvcert; - base_info.server_key = &pkey; + mbedtls_printf( " ok\n" ); + + /* + * 1b. Seed the random number generator + */ + mbedtls_printf( " . Seeding the random number generator..." ); + + if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *) pers, + strlen( pers ) ) ) != 0 ) + { + mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n", + -ret ); + goto exit; + } mbedtls_printf( " ok\n" ); + /* + * 1c. Prepare SSL configuration + */ + mbedtls_printf( " . Setting up the SSL data...." ); + + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) + { + mbedtls_printf( " failed: mbedtls_ssl_config_defaults returned -0x%04x\n", + -ret ); + goto exit; + } + + mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_dbg( &conf, my_mutexed_debug, stdout ); + + /* mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() are thread-safe if + * MBEDTLS_THREADING_C is set. + */ +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_conf_session_cache( &conf, &cache, + mbedtls_ssl_cache_get, + mbedtls_ssl_cache_set ); +#endif + + mbedtls_ssl_conf_ca_chain( &conf, &cachain, NULL ); + if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* * 2. Setup the listening TCP socket */ @@ -504,7 +497,9 @@ exit: #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( &cache ); #endif + mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); + mbedtls_ssl_config_free( &conf ); mbedtls_mutex_free( &debug_mutex ); From fd862b14c504fbb59c5692b043d9bf33ff51a9d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 12:40:45 +0200 Subject: [PATCH 43/45] Fix typos in mini_client.c --- programs/ssl/mini_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 1bb71a2f0..20ce2b7fe 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -147,7 +147,7 @@ enum exit_codes { exit_ok = 0, ctr_drbg_seed_failed, - ssl_config_default_failed, + ssl_config_defaults_failed, ssl_setup_failed, hostname_failed, socket_failed, @@ -200,7 +200,7 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - mbedtls_ssl_conf_psk( &ssl, psk, sizeof( psk ), + mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ), (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); #endif From 8b431fbbec8e7bcfa35e20ca38a8573898613a56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 12:54:52 +0200 Subject: [PATCH 44/45] Fix dependency issues --- library/ssl_srv.c | 9 ++++++--- library/ssl_tls.c | 4 ++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 3e2b9017a..b442e653e 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2725,9 +2725,12 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) * opaque DistinguishedName<1..2^16-1>; */ p += 2; - crt = ssl->handshake->sni_ca_chain != NULL ? - ssl->handshake->sni_ca_chain : - ssl->conf->ca_chain; +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_ca_chain != NULL ) + crt = ssl->handshake->sni_ca_chain; + else +#endif + crt = ssl->conf->ca_chain; total_dn_size = 0; while( crt != NULL && crt->version != 0 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index be7a25fcc..0a8119e25 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4032,12 +4032,14 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) mbedtls_x509_crt *ca_chain; mbedtls_x509_crl *ca_crl; +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ssl->handshake->sni_ca_chain != NULL ) { ca_chain = ssl->handshake->sni_ca_chain; ca_crl = ssl->handshake->sni_ca_crl; } else +#endif { ca_chain = ssl->conf->ca_chain; ca_crl = ssl->conf->ca_crl; @@ -6616,7 +6618,9 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, int endpoint, int transport ) { +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) int ret; +#endif conf->endpoint = endpoint; conf->transport = transport; From 30eceb766a45893f1dfd31afa2b87498d14c26b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 11 May 2015 14:42:56 +0200 Subject: [PATCH 45/45] Fix warning in ssl_pthread_server GCC 4.9 with ASan + UBSan on OS X complains that we were casting to int from a wider integer type. Anyway, this cast is totally non-portable (pthread_t could even be structure), switching to long gets rid of the warning... --- programs/ssl/ssl_pthread_server.c | 36 +++++++++++++++---------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 1cc9811f3..7d710bed9 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -120,21 +120,21 @@ static void *handle_ssl_connection( void *data ) int ret, len; thread_info_t *thread_info = (thread_info_t *) data; int client_fd = thread_info->client_fd; - int thread_id = (int) pthread_self(); + long int thread_id = (long int) pthread_self(); unsigned char buf[1024]; mbedtls_ssl_context ssl; /* Make sure memory references are valid */ mbedtls_ssl_init( &ssl ); - mbedtls_printf( " [ #%d ] Client FD %d\n", thread_id, client_fd ); + mbedtls_printf( " [ #%ld ] Client FD %d\n", thread_id, client_fd ); /* * 4. Get the SSL context ready */ if( ( ret = mbedtls_ssl_setup( &ssl, thread_info->config ) ) != 0 ) { - mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_setup returned -0x%04x\n", + mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_setup returned -0x%04x\n", thread_id, -ret ); goto thread_exit; } @@ -144,24 +144,24 @@ static void *handle_ssl_connection( void *data ) /* * 5. Handshake */ - mbedtls_printf( " [ #%d ] Performing the SSL/TLS handshake\n", thread_id ); + mbedtls_printf( " [ #%ld ] Performing the SSL/TLS handshake\n", thread_id ); while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { - mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_handshake returned -0x%04x\n", + mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_handshake returned -0x%04x\n", thread_id, -ret ); goto thread_exit; } } - mbedtls_printf( " [ #%d ] ok\n", thread_id ); + mbedtls_printf( " [ #%ld ] ok\n", thread_id ); /* * 6. Read the HTTP Request */ - mbedtls_printf( " [ #%d ] < Read from client\n", thread_id ); + mbedtls_printf( " [ #%ld ] < Read from client\n", thread_id ); do { @@ -177,24 +177,24 @@ static void *handle_ssl_connection( void *data ) switch( ret ) { case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY: - mbedtls_printf( " [ #%d ] connection was closed gracefully\n", + mbedtls_printf( " [ #%ld ] connection was closed gracefully\n", thread_id ); goto thread_exit; case MBEDTLS_ERR_NET_CONN_RESET: - mbedtls_printf( " [ #%d ] connection was reset by peer\n", + mbedtls_printf( " [ #%ld ] connection was reset by peer\n", thread_id ); goto thread_exit; default: - mbedtls_printf( " [ #%d ] mbedtls_ssl_read returned -0x%04x\n", + mbedtls_printf( " [ #%ld ] mbedtls_ssl_read returned -0x%04x\n", thread_id, -ret ); goto thread_exit; } } len = ret; - mbedtls_printf( " [ #%d ] %d bytes read\n=====\n%s\n=====\n", + mbedtls_printf( " [ #%ld ] %d bytes read\n=====\n%s\n=====\n", thread_id, len, (char *) buf ); if( ret > 0 ) @@ -205,7 +205,7 @@ static void *handle_ssl_connection( void *data ) /* * 7. Write the 200 Response */ - mbedtls_printf( " [ #%d ] > Write to client:\n", thread_id ); + mbedtls_printf( " [ #%ld ] > Write to client:\n", thread_id ); len = sprintf( (char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( &ssl ) ); @@ -214,31 +214,31 @@ static void *handle_ssl_connection( void *data ) { if( ret == MBEDTLS_ERR_NET_CONN_RESET ) { - mbedtls_printf( " [ #%d ] failed: peer closed the connection\n", + mbedtls_printf( " [ #%ld ] failed: peer closed the connection\n", thread_id ); goto thread_exit; } if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { - mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_write returned -0x%04x\n", + mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_write returned -0x%04x\n", thread_id, ret ); goto thread_exit; } } len = ret; - mbedtls_printf( " [ #%d ] %d bytes written\n=====\n%s\n=====\n", + mbedtls_printf( " [ #%ld ] %d bytes written\n=====\n%s\n=====\n", thread_id, len, (char *) buf ); - mbedtls_printf( " [ #%d ] . Closing the connection...", thread_id ); + mbedtls_printf( " [ #%ld ] . Closing the connection...", thread_id ); while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { - mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_close_notify returned -0x%04x\n", + mbedtls_printf( " [ #%ld ] failed: mbedtls_ssl_close_notify returned -0x%04x\n", thread_id, ret ); goto thread_exit; } @@ -255,7 +255,7 @@ thread_exit: { char error_buf[100]; mbedtls_strerror( ret, error_buf, 100 ); - mbedtls_printf(" [ #%d ] Last error was: -0x%04x - %s\n\n", + mbedtls_printf(" [ #%ld ] Last error was: -0x%04x - %s\n\n", thread_id, -ret, error_buf ); } #endif