Add SSL presets.

No need to use a separate profile as in X.509, everything we need is already in ssl_config. Just load appropriate values.
2015-06-17 13:53:47 +02:00 · 2015-06-17 13:53:47 +02:00 · b31c5f68b1
commit b31c5f68b1
parent 7bfc122703
14 changed files with 132 additions and 56 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -196,6 +196,9 @@
 #define MBEDTLS_SSL_ARC4_ENABLED                0
 #define MBEDTLS_SSL_ARC4_DISABLED               1

+#define MBEDTLS_SSL_PRESET_DEFAULT              0
+#define MBEDTLS_SSL_PRESET_SUITEB               2
+
 /*
 * Default range for DTLS retransmission timer value, in milliseconds.
 * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
@ -2165,6 +2168,8 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
 * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
 * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
 *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
+ * \param preset   a MBEDTLS_SSL_PRESET_XXX value
+ *                 (currently unused).
 *
 * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
 *
@ -2172,7 +2177,7 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
 *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
 */
 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
-                                 int endpoint, int transport );
+                                 int endpoint, int transport, int preset );

 /**
 * \brief          Free an SSL configuration context
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -6612,11 +6612,33 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
    memset( conf, 0, sizeof( mbedtls_ssl_config ) );
 }

+static int ssl_preset_suiteb_ciphersuites[] = {
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    0
+};
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+static int ssl_preset_suiteb_hashes[] = {
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA384,
+    MBEDTLS_MD_NONE
+};
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
+    MBEDTLS_ECP_DP_SECP256R1,
+    MBEDTLS_ECP_DP_SECP384R1,
+    MBEDTLS_ECP_DP_NONE
+};
+#endif
+
 /*
 * Load default in mbetls_ssl_config
 */
 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
-                                 int endpoint, int transport )
+                                 int endpoint, int transport, int preset )
 {
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
    int ret;
@ -6627,19 +6649,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
    mbedtls_ssl_conf_endpoint( conf, endpoint );
    mbedtls_ssl_conf_transport( conf, transport );

-    conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
-    conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
-    conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
-    conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
-    {
-        /* DTLS starts with TLS 1.1 */
-        conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
-    }
-#endif
-
+    /*
+     * Things that are common to all presets
+     */
 #if defined(MBEDTLS_SSL_CLI_C)
    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
    {
@ -6650,16 +6662,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
    }
 #endif

-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
-    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
-                           mbedtls_ssl_list_ciphersuites();
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-    conf->cert_profile = &mbedtls_x509_crt_profile_default;
-#endif
-
 #if defined(MBEDTLS_ARC4_C)
    conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
 #endif
@ -6676,14 +6678,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
    conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
 #endif

-#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
-    conf->sig_hashes = mbedtls_md_list();
-#endif
-
-#if defined(MBEDTLS_ECP_C)
-    conf->curve_list = mbedtls_ecp_grp_id_list();
-#endif
-
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
    conf->f_cookie_write = ssl_cookie_write_dummy;
    conf->f_cookie_check = ssl_cookie_check_dummy;
@ -6704,22 +6698,87 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
    conf->renego_period[7] = 0x00;
 #endif

-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
-    conf->dhm_min_bitlen = 1024;
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+            if( endpoint == MBEDTLS_SSL_IS_SERVER )
+            {
+                if( ( ret = mbedtls_ssl_conf_dh_param( conf,
+                                MBEDTLS_DHM_RFC5114_MODP_2048_P,
+                                MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+                {
+                    return( ret );
+                }
+            }
 #endif

-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-    if( endpoint == MBEDTLS_SSL_IS_SERVER )
+    /*
+     * Preset-specific defaults
+     */
+    switch( preset )
    {
-        if( ( ret = mbedtls_ssl_conf_dh_param( conf,
-                        MBEDTLS_DHM_RFC5114_MODP_2048_P,
-                        MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
-        {
-            return( ret );
-        }
-    }
+        /*
+         * NSA Suite B
+         */
+        case MBEDTLS_SSL_PRESET_SUITEB:
+            conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+            conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   ssl_preset_suiteb_ciphersuites;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
 #endif

+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+            conf->sig_hashes = ssl_preset_suiteb_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = ssl_preset_suiteb_curves;
+#endif
+
+        /*
+         * Default
+         */
+        default:
+            conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+            conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
+#endif
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   mbedtls_ssl_list_ciphersuites();
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_default;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED)
+            conf->sig_hashes = mbedtls_md_list();
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = mbedtls_ecp_grp_id_list();
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+            conf->dhm_min_bitlen = 1024;
+#endif
+    }
+
    return( 0 );
 }

--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@ -163,7 +163,8 @@ int main( int argc, char *argv[] )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                   MBEDTLS_SSL_IS_CLIENT,
-                   MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 )
+                   MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+                   MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@ -199,7 +199,8 @@ int main( void )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
-                    MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ) != 0 )
+                    MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
--- a/programs/ssl/mini_client.c
+++ b/programs/ssl/mini_client.c
@ -191,7 +191,8 @@ int main( void )

    if( mbedtls_ssl_config_defaults( &conf,
                MBEDTLS_SSL_IS_CLIENT,
-                MBEDTLS_SSL_TRANSPORT_STREAM) != 0 )
+                MBEDTLS_SSL_TRANSPORT_STREAM,
+                MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
    {
        ret = ssl_config_defaults_failed;
        goto exit;
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@ -153,7 +153,8 @@ int main( void )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
-                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
+                    MBEDTLS_SSL_TRANSPORT_STREAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1059,7 +1059,8 @@ int main( int argc, char *argv[] )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
-                    opt.transport ) ) != 0 )
+                    opt.transport,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
        goto exit;
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@ -177,7 +177,8 @@ int main( void )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
-                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
+                    MBEDTLS_SSL_TRANSPORT_STREAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -587,7 +587,8 @@ int main( int argc, char *argv[] )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_CLIENT,
-                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
+                    MBEDTLS_SSL_TRANSPORT_STREAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@ -412,7 +412,8 @@ int main( void )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
-                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
+                    MBEDTLS_SSL_TRANSPORT_STREAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed: mbedtls_ssl_config_defaults returned -0x%04x\n",
                -ret );
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@ -193,7 +193,8 @@ int main( void )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
-                    MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
+                    MBEDTLS_SSL_TRANSPORT_STREAM,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
        goto exit;
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -1533,7 +1533,8 @@ int main( int argc, char *argv[] )

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                    MBEDTLS_SSL_IS_SERVER,
-                    opt.transport ) ) != 0 )
+                    opt.transport,
+                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
        goto exit;
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@ -399,7 +399,8 @@ int main( int argc, char *argv[] )
         */
        if( ( ret = mbedtls_ssl_config_defaults( &conf,
                        MBEDTLS_SSL_IS_CLIENT,
-                        MBEDTLS_SSL_TRANSPORT_STREAM ) ) != 0 )
+                        MBEDTLS_SSL_TRANSPORT_STREAM,
+                        MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
        {
            mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
            goto exit;
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@ -20,7 +20,8 @@ void ssl_dtls_replay( char *prevs, char *new, int ret )

    TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
                 MBEDTLS_SSL_IS_CLIENT,
-                 MBEDTLS_SSL_TRANSPORT_DATAGRAM ) == 0 );
+                 MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+                 MBEDTLS_SSL_PRESET_DEFAULT ) == 0 );
    TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );

    /* Read previous record numbers */