Allow configuration of endpoint (cli/srv) at compile-time

Introduces MBEDTLS_SSL_CONF_ENDPOINT to allow to choose between
server- or client-builds at compile-time.

Impact on code-size:

|  | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` (client only) before  | 18355 | 18815 | 21485 |
| `libmbedtls.a` (client only) after | 18219 | 18683 | 21347 |
| gain in Bytes (client only) | 136 | 132 | 138 |
| `libmbedtls.a` (server only) before  | 18715 | 18987 | 21883 |
| `libmbedtls.a` (server only) after | 18595 | 18823 | 21717 |
| gain in Bytes (server only) | 120 | 164 | 166 |
This commit is contained in:
Hanno Becker 2019-06-13 12:07:05 +01:00
parent 1f835fa22b
commit 2d9623f7d5
6 changed files with 90 additions and 31 deletions

View File

@ -3457,6 +3457,9 @@
/* Timeout */ /* Timeout */
//#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0 //#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
/* Endpoint (Client/Server) */
//#define MBEDTLS_SSL_CONF_ENDPOINT MBED
/* DTLS-specific settings */ /* DTLS-specific settings */
//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN //#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX //#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX

View File

@ -1055,7 +1055,9 @@ struct mbedtls_ssl_config
* Flags (bitfields) * Flags (bitfields)
*/ */
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
unsigned int endpoint : 1; /*!< 0: client, 1: server */ unsigned int endpoint : 1; /*!< 0: client, 1: server */
#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */ unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) #if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */
@ -1381,13 +1383,18 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
*/ */
int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl ); int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
/** /**
* \brief Set the current endpoint type * \brief Set the current endpoint type
* *
* \note On constrained systems, this can also be configured
* at compile-time via MBEDTLS_SSL_CONF_ENDPOINT.
*
* \param conf SSL configuration * \param conf SSL configuration
* \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
*/ */
void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ); void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
#endif /* !MBEDTLS_SSL_CONF_ENDPOINT */
/** /**
* \brief Set the transport type (TLS or DTLS). * \brief Set the transport type (TLS or DTLS).

View File

@ -1085,6 +1085,21 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX. * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
*/ */
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
static inline unsigned int mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_config const *conf )
{
return( conf->endpoint );
}
#else /* !MBEDTLS_SSL_CONF_ENDPOINT */
static inline unsigned int mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_config const *conf )
{
((void) conf);
return( MBEDTLS_SSL_CONF_ENDPOINT );
}
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
#if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) #if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT)
static inline uint32_t mbedtls_ssl_conf_get_read_timeout( static inline uint32_t mbedtls_ssl_conf_get_read_timeout(
mbedtls_ssl_config const *conf ) mbedtls_ssl_config const *conf )

View File

@ -55,7 +55,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
const unsigned char *info, const unsigned char *info,
size_t ilen ) size_t ilen )
{ {
if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_SERVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
mbedtls_free( ssl->cli_id ); mbedtls_free( ssl->cli_id );

View File

@ -1388,7 +1388,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
ssl->handshake->tls_prf, ssl->handshake->tls_prf,
ssl->handshake->randbytes, ssl->handshake->randbytes,
ssl->minor_ver, ssl->minor_ver,
ssl->conf->endpoint, mbedtls_ssl_conf_get_endpoint( ssl->conf ),
ssl ); ssl );
if( ret != 0 ) if( ret != 0 )
{ {
@ -3196,7 +3196,8 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
return( MBEDTLS_ERR_SSL_WANT_READ ); return( MBEDTLS_ERR_SSL_WANT_READ );
} }
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && else if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{ {
if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
@ -3722,7 +3723,8 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT && ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ) mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ) )
#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
@ -4754,7 +4756,8 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
* have an active transform (possibly iv_len != 0), so use the * have an active transform (possibly iv_len != 0), so use the
* fact that the record header len is 13 instead. * fact that the record header len is 13 instead.
*/ */
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
rec_epoch == 0 && rec_epoch == 0 &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
@ -5937,7 +5940,8 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
{ {
@ -6104,7 +6108,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
} }
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT )
{ {
if( ssl->client_auth == 0 ) if( ssl->client_auth == 0 )
{ {
@ -6133,7 +6138,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
} }
#endif /* MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{ {
if( mbedtls_ssl_own_cert( ssl ) == NULL ) if( mbedtls_ssl_own_cert( ssl ) == NULL )
{ {
@ -6337,7 +6342,8 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
/* Check if we're handling the first CRT in the chain. */ /* Check if we're handling the first CRT in the chain. */
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
if( crt_cnt++ == 0 && if( crt_cnt++ == 0 &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
{ {
/* During client-side renegotiation, check that the server's /* During client-side renegotiation, check that the server's
@ -6403,7 +6409,7 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
{ {
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
return( -1 ); return( -1 );
#if defined(MBEDTLS_SSL_PROTO_SSL3) #if defined(MBEDTLS_SSL_PROTO_SSL3)
@ -6461,7 +6467,7 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
return( SSL_CERTIFICATE_SKIP ); return( SSL_CERTIFICATE_SKIP );
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{ {
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
return( SSL_CERTIFICATE_SKIP ); return( SSL_CERTIFICATE_SKIP );
@ -6551,7 +6557,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
if( mbedtls_ssl_check_cert_usage( chain, if( mbedtls_ssl_check_cert_usage( chain,
ciphersuite_info, ciphersuite_info,
! ssl->conf->endpoint, ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ),
&ssl->session_negotiate->verify_result ) != 0 ) &ssl->session_negotiate->verify_result ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
@ -7371,7 +7378,8 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
ssl_update_out_pointers( ssl, ssl->transform_negotiate ); ssl_update_out_pointers( ssl, ssl->transform_negotiate );
ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); ssl->handshake->calc_finished( ssl, ssl->out_msg + 4,
mbedtls_ssl_conf_get_endpoint( ssl->conf ) );
/* /*
* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
@ -7397,12 +7405,18 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
if( ssl->handshake->resume != 0 ) if( ssl->handshake->resume != 0 )
{ {
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT )
{
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
}
#endif #endif
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER )
{
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
}
#endif #endif
} }
else else
@ -7499,7 +7513,8 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); ssl->handshake->calc_finished( ssl, buf,
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ^ 1 );
if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
{ {
@ -7549,11 +7564,11 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
if( ssl->handshake->resume != 0 ) if( ssl->handshake->resume != 0 )
{ {
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
#endif #endif
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
#endif #endif
} }
@ -7702,7 +7717,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
{ {
ssl->handshake->alt_transform_out = ssl->transform_out; ssl->handshake->alt_transform_out = ssl->transform_out;
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
else else
ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
@ -8074,10 +8089,12 @@ int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
/* /*
* SSL set accessors * SSL set accessors
*/ */
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint ) void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
{ {
conf->endpoint = endpoint; conf->endpoint = endpoint;
} }
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ) void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
{ {
@ -8226,7 +8243,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
if( ssl == NULL || if( ssl == NULL ||
session == NULL || session == NULL ||
ssl->session_negotiate == NULL || ssl->session_negotiate == NULL ||
ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT )
{ {
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
} }
@ -8354,7 +8371,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
if( ssl->handshake == NULL || ssl->conf == NULL ) if( ssl->handshake == NULL || ssl->conf == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
role = MBEDTLS_ECJPAKE_SERVER; role = MBEDTLS_ECJPAKE_SERVER;
else else
role = MBEDTLS_ECJPAKE_CLIENT; role = MBEDTLS_ECJPAKE_CLIENT;
@ -9024,7 +9041,7 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl ) static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
{ {
/* Return unlimited mtu for client hello messages to avoid fragmentation. */ /* Return unlimited mtu for client hello messages to avoid fragmentation. */
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT &&
( ssl->state == MBEDTLS_SSL_CLIENT_HELLO || ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
ssl->state == MBEDTLS_SSL_SERVER_HELLO ) ) ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
return ( 0 ); return ( 0 );
@ -9106,7 +9123,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
if( ssl == NULL || if( ssl == NULL ||
dst == NULL || dst == NULL ||
ssl->session == NULL || ssl->session == NULL ||
ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) mbedtls_ssl_conf_get_endpoint( ssl->conf ) != MBEDTLS_SSL_IS_CLIENT )
{ {
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
} }
@ -9690,11 +9707,11 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
ret = mbedtls_ssl_handshake_client_step( ssl ); ret = mbedtls_ssl_handshake_client_step( ssl );
#endif #endif
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
ret = mbedtls_ssl_handshake_server_step( ssl ); ret = mbedtls_ssl_handshake_server_step( ssl );
#endif #endif
@ -9777,11 +9794,16 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{ {
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER )
{
ssl->handshake->out_msg_seq = 1; ssl->handshake->out_msg_seq = 1;
}
else else
{
ssl->handshake->in_msg_seq = 1; ssl->handshake->in_msg_seq = 1;
} }
}
#endif #endif
ssl->state = MBEDTLS_SSL_HELLO_REQUEST; ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
@ -9811,7 +9833,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
/* On server, just send the request */ /* On server, just send the request */
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
{ {
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -9994,7 +10016,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
*/ */
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT &&
( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
{ {
@ -10017,7 +10040,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
#endif /* MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
@ -10052,7 +10076,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
/* DTLS clients need to know renego is server-initiated */ /* DTLS clients need to know renego is server-initiated */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT )
{ {
ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
} }
@ -10165,7 +10190,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
* Do it now, after setting in_offt, to avoid taking this branch * Do it now, after setting in_offt, to avoid taking this branch
* again if ssl_write_hello_request() returns WANT_WRITE */ * again if ssl_write_hello_request() returns WANT_WRITE */
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
{ {
if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )

View File

@ -2602,6 +2602,14 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */ #endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */
#if defined(MBEDTLS_SSL_CONF_ENDPOINT)
if( strcmp( "MBEDTLS_SSL_CONF_ENDPOINT", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ENDPOINT );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN) #if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 ) if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 )
{ {