From 419d5ae419ea2dde1ed871b2c4db354d9373f24d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 19:32:36 +0200 Subject: [PATCH] Make endpoint+transport args of config_defaults() --- include/mbedtls/ssl.h | 3 +- library/ssl_tls.c | 123 +++++++++++++-------------- programs/ssl/dtls_client.c | 7 +- programs/ssl/dtls_server.c | 6 +- programs/ssl/mini_client.c | 6 +- programs/ssl/ssl_client1.c | 5 +- programs/ssl/ssl_client2.c | 11 +-- programs/ssl/ssl_fork_server.c | 5 +- programs/ssl/ssl_mail_client.c | 5 +- programs/ssl/ssl_pthread_server.c | 5 +- programs/ssl/ssl_server.c | 5 +- programs/ssl/ssl_server2.c | 10 +-- programs/x509/cert_app.c | 5 +- tests/suites/test_suite_ssl.function | 5 +- 14 files changed, 98 insertions(+), 103 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 3b11309e1..d515eb194 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2267,7 +2267,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ); * \return 0 if successful, or * MBEDTLS_ERR_XXX_ALLOC_FAILED on memorr allocation error. */ -int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf ); +int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, + int endpoint, int transport ); /** * \brief Free an SSL configuration context diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1b3691302..dd477c756 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4976,6 +4976,37 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, memset( ssl-> in_buf, 0, len ); memset( ssl->out_buf, 0, len ); +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + ssl->out_hdr = ssl->out_buf; + ssl->out_ctr = ssl->out_buf + 3; + ssl->out_len = ssl->out_buf + 11; + ssl->out_iv = ssl->out_buf + 13; + ssl->out_msg = ssl->out_buf + 13; + + ssl->in_hdr = ssl->in_buf; + ssl->in_ctr = ssl->in_buf + 3; + ssl->in_len = ssl->in_buf + 11; + ssl->in_iv = ssl->in_buf + 13; + ssl->in_msg = ssl->in_buf + 13; + } + else +#endif + { + ssl->out_ctr = ssl->out_buf; + ssl->out_hdr = ssl->out_buf + 8; + ssl->out_len = ssl->out_buf + 11; + ssl->out_iv = ssl->out_buf + 13; + ssl->out_msg = ssl->out_buf + 13; + + ssl->in_ctr = ssl->in_buf; + ssl->in_hdr = ssl->in_buf + 8; + ssl->in_len = ssl->in_buf + 11; + ssl->in_iv = ssl->in_buf + 13; + ssl->in_msg = ssl->in_buf + 13; + } + if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) return( ret ); @@ -5140,72 +5171,13 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ) { ssl->conf->endpoint = endpoint; - -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - defined(MBEDTLS_SSL_CLI_C) - if( endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - ssl->conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; - ssl->conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; - } -#endif - -#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - if( endpoint == MBEDTLS_SSL_IS_SERVER ) - ssl->conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; -#endif } int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) { -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - { - ssl->conf->transport = transport; + ssl->conf->transport = transport; - ssl->out_hdr = ssl->out_buf; - ssl->out_ctr = ssl->out_buf + 3; - ssl->out_len = ssl->out_buf + 11; - ssl->out_iv = ssl->out_buf + 13; - ssl->out_msg = ssl->out_buf + 13; - - ssl->in_hdr = ssl->in_buf; - ssl->in_ctr = ssl->in_buf + 3; - ssl->in_len = ssl->in_buf + 11; - ssl->in_iv = ssl->in_buf + 13; - ssl->in_msg = ssl->in_buf + 13; - - /* DTLS starts with TLS1.1 */ - if( ssl->conf->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; - - if( ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; - - return( 0 ); - } -#endif - - if( transport == MBEDTLS_SSL_TRANSPORT_STREAM ) - { - ssl->conf->transport = transport; - - ssl->out_ctr = ssl->out_buf; - ssl->out_hdr = ssl->out_buf + 8; - ssl->out_len = ssl->out_buf + 11; - ssl->out_iv = ssl->out_buf + 13; - ssl->out_msg = ssl->out_buf + 13; - - ssl->in_ctr = ssl->in_buf; - ssl->in_hdr = ssl->in_buf + 8; - ssl->in_len = ssl->in_buf + 11; - ssl->in_iv = ssl->in_buf + 13; - ssl->in_msg = ssl->in_buf + 13; - - return( 0 ); - } - - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + return( 0 ); } #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) @@ -6641,17 +6613,42 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf ) /* * Load default in mbetls_ssl_config */ -int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf ) +int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, + int endpoint, int transport ) { int ret; - conf->transport = MBEDTLS_SSL_TRANSPORT_STREAM; + conf->endpoint = endpoint; + conf->transport = transport; conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + /* DTLS starts with TLS 1.1 */ + conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + } +#endif + +#if defined(MBEDTLS_SSL_CLI_C) + if( endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; +#endif + } +#endif + +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC) + if( endpoint == MBEDTLS_SSL_IS_SERVER ) + conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; +#endif + conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index cacfe0f21..09cea3b92 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -162,7 +162,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the DTLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -176,9 +178,6 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); - mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ); - /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 869d919ad..451294347 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -192,7 +192,9 @@ int main( void ) printf( " . Setting up the DTLS data..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -204,8 +206,6 @@ int main( void ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); - mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index cd2884545..694bf4031 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -188,7 +188,9 @@ int main( void ) goto exit; } - if( mbedtls_ssl_config_defaults( &conf ) != 0 ) + if( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM) != 0 ) { ret = ssl_config_defaults_failed; goto exit; @@ -200,8 +202,6 @@ int main( void ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); - mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index d136cd633..480423530 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -150,7 +150,9 @@ int main( void ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -164,7 +166,6 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 309a68af1..1454067bc 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1049,7 +1049,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + opt.transport ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); goto exit; @@ -1066,17 +1068,10 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); #endif - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 ) - { - mbedtls_printf( " failed\n ! selected transport is not available\n" ); - goto exit; - } - if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index a26f85f60..383746642 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -249,7 +249,9 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -263,7 +265,6 @@ int main( void ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index bf4bff919..26972f8cc 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -584,7 +584,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -598,7 +600,6 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok\n" ); - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_OPTIONAL ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 7303c5dcb..6896e97f3 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -160,7 +160,9 @@ static void *handle_ssl_connection( void *data ) */ mbedtls_printf( " [ #%d ] Setting up the SSL data....\n", thread_id ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " [ #%d ] failed: mbedtls_ssl_config_defaults returned -0x%04x\n", thread_id, -ret ); @@ -174,7 +176,6 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index a2b9a5811..5c2a7d29a 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -191,7 +191,9 @@ int main( void ) mbedtls_printf( " . Setting up the SSL data...." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -203,7 +205,6 @@ int main( void ) goto exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_SERVER ); mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_NONE ); mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 013d3393d..8955acfa6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1520,7 +1520,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + opt.transport ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret ); goto exit; @@ -1537,12 +1539,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_set_authmode( &ssl, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ( ret = mbedtls_ssl_set_transport( &ssl, opt.transport ) ) != 0 ) - { - mbedtls_printf( " failed\n ! selected transport is not available\n" ); - goto exit; - } - if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) mbedtls_ssl_set_handshake_timeout( &ssl, opt.hs_to_min, opt.hs_to_max ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 971dae1b9..a8bc64a57 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -396,7 +396,9 @@ int main( int argc, char *argv[] ) /* * 3. Setup stuff */ - if( ( ret = mbedtls_ssl_config_defaults( &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ); goto exit; @@ -408,7 +410,6 @@ int main( int argc, char *argv[] ) goto ssl_exit; } - mbedtls_ssl_set_endpoint( &ssl, MBEDTLS_SSL_IS_CLIENT ); if( verify ) { mbedtls_ssl_set_authmode( &ssl, MBEDTLS_SSL_VERIFY_REQUIRED ); diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ce1cd913e..c8acfeaec 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -17,9 +17,10 @@ void ssl_dtls_replay( char *prevs, char *new, int ret ) mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); - TEST_ASSERT( mbedtls_ssl_config_defaults( &conf ) == 0 ); + TEST_ASSERT( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 ); TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 ); - TEST_ASSERT( mbedtls_ssl_set_transport( &ssl, MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 ); /* Read previous record numbers */ for( ; end_prevs - prevs >= 13; prevs += 13 )