mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 02:54:14 +01:00
Merge pull request #592 from ARMmbed/static_config_extended_ms
[Baremetal] Exemplify hardcoding of SSL configuration at compile-time in the example of ExtendedMasterSecret
This commit is contained in:
commit
4e24c449e2
@ -79,6 +79,12 @@
|
||||
#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
|
||||
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
|
||||
/* Compile-time fixed parts of the SSL configuration */
|
||||
#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
||||
#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED
|
||||
|
||||
/* X.509 CRT parsing */
|
||||
#define MBEDTLS_X509_USE_C
|
||||
#define MBEDTLS_X509_CRT_PARSE_C
|
||||
|
@ -650,6 +650,13 @@
|
||||
#error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
|
||||
#endif
|
||||
|
||||
#if ( defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) ) || \
|
||||
( !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) )
|
||||
#define "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET and MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET must be defined together."
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
|
||||
#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
|
||||
#endif
|
||||
|
@ -3438,6 +3438,25 @@
|
||||
|
||||
/* \} name SECTION: Customisation configuration options */
|
||||
|
||||
/**
|
||||
* \name SECTION: Compile-time SSL configuration
|
||||
*
|
||||
* This section allows to fix parts of the SSL configuration
|
||||
* at compile-time. If a field is fixed at compile-time, the
|
||||
* corresponding SSL configuration API `mbedtls_ssl_conf_xxx()`
|
||||
* is removed.
|
||||
*
|
||||
* This can be used on constrained systems to reduce code-size.
|
||||
* \{
|
||||
*/
|
||||
|
||||
/* ExtendedMasterSecret extension
|
||||
* The following two options must be set/unset simultaneously. */
|
||||
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
||||
//#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
||||
|
||||
/* \} SECTION: Compile-time SSL configuration */
|
||||
|
||||
/* Target and application specific configurations
|
||||
*
|
||||
* Allow user to override any previous default.
|
||||
|
@ -1060,10 +1060,14 @@ struct mbedtls_ssl_config
|
||||
unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac? */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
unsigned int extended_ms : 1; /*!< negotiate extended master secret? */
|
||||
#endif /* !MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
unsigned int enforce_extended_master_secret : 1; /*!< enforce the usage
|
||||
* of extended master
|
||||
* secret */
|
||||
#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
||||
unsigned int anti_replay : 1; /*!< detect and prevent replay? */
|
||||
@ -1094,7 +1098,6 @@ struct mbedtls_ssl_config
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
};
|
||||
|
||||
|
||||
struct mbedtls_ssl_context
|
||||
{
|
||||
const mbedtls_ssl_config *conf; /*!< configuration information */
|
||||
@ -2842,6 +2845,7 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
|
||||
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
/**
|
||||
* \brief Enable or disable Extended Master Secret negotiation.
|
||||
* (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
|
||||
@ -2850,11 +2854,20 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
|
||||
* protocol, and should not cause any interoperability issue
|
||||
* (used only if the peer supports it too).
|
||||
*
|
||||
* \note On constrained systems, this option can also be
|
||||
* fixed at compile-time by defining the constant
|
||||
* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET
|
||||
* as MBEDTLS_SSL_EXTENDED_MS_ENABLED or
|
||||
* MBEDTLS_SSL_EXTENDED_MS_DISABLED.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
|
||||
* \param ems MBEDTLS_SSL_EXTENDED_MS_ENABLED or
|
||||
* MBEDTLS_SSL_EXTENDED_MS_DISABLED
|
||||
*/
|
||||
void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
|
||||
#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
/**
|
||||
* \brief Enable or disable Extended Master Secret enforcing.
|
||||
* (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED)
|
||||
@ -2871,9 +2884,17 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
|
||||
* \param conf Currently used SSL configuration struct.
|
||||
* \param ems_enf MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
|
||||
* MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
||||
|
||||
* \note On constrained systems, this option can also be
|
||||
* fixed at compile-time by defining the constant
|
||||
* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET
|
||||
* as MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
|
||||
* MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED.
|
||||
*
|
||||
*/
|
||||
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
||||
char ems_enf );
|
||||
#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
|
@ -321,6 +321,18 @@
|
||||
#define MBEDTLS_SSL_TRANSPORT_ELSE /* empty: no other branch */
|
||||
#endif /* TLS and/or DTLS */
|
||||
|
||||
/* Check if the use of the ExtendedMasterSecret extension
|
||||
* is enforced at compile-time. If so, we don't need to
|
||||
* track its status in the handshake parameters. */
|
||||
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) && \
|
||||
MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET == \
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED && \
|
||||
MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET == \
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED
|
||||
#define MBEDTLS_SSL_EXTENDED_MS_ENFORCED
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
@ -505,7 +517,8 @@ struct mbedtls_ssl_handshake_params
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
int new_session_ticket; /*!< use NewSessionTicket? */
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
|
||||
int extended_ms; /*!< use Extended Master Secret? */
|
||||
#endif
|
||||
|
||||
@ -523,6 +536,24 @@ struct mbedtls_ssl_handshake_params
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
};
|
||||
|
||||
/*
|
||||
* Getter functions for fields in mbedtls_ssl_handshake_params which
|
||||
* may be statically implied by the configuration and hence be omitted
|
||||
* from the structure.
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
static inline int mbedtls_ssl_hs_get_extended_ms(
|
||||
mbedtls_ssl_handshake_params const *params )
|
||||
{
|
||||
#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
|
||||
return( params->extended_ms );
|
||||
#else
|
||||
((void) params);
|
||||
return( MBEDTLS_SSL_EXTENDED_MS_ENABLED );
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
|
||||
|
||||
/*
|
||||
@ -1048,4 +1079,34 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
||||
mbedtls_ssl_transform *transform,
|
||||
mbedtls_record *rec );
|
||||
|
||||
|
||||
/*
|
||||
* Getter functions for fields in mbedtls_ssl_config which may
|
||||
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
static inline unsigned int mbedtls_ssl_conf_get_ems(
|
||||
mbedtls_ssl_config const *conf )
|
||||
{
|
||||
#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
return( conf->extended_ms );
|
||||
#else
|
||||
((void) conf);
|
||||
return( MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET );
|
||||
#endif /* MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
|
||||
}
|
||||
|
||||
static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(
|
||||
mbedtls_ssl_config const *conf )
|
||||
{
|
||||
#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
return( conf->enforce_extended_master_secret );
|
||||
#else
|
||||
((void) conf);
|
||||
return( MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET );
|
||||
#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#endif /* ssl_internal.h */
|
||||
|
@ -590,7 +590,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||
|
||||
*olen = 0;
|
||||
|
||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||
{
|
||||
return;
|
||||
@ -1328,7 +1329,8 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t len )
|
||||
{
|
||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
||||
len != 0 )
|
||||
{
|
||||
@ -1339,9 +1341,6 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||
}
|
||||
|
||||
((void) buf);
|
||||
|
||||
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
@ -1601,6 +1600,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
int renegotiation_info_seen = 0;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
int extended_ms_seen = 0;
|
||||
#endif
|
||||
int handshake_failure = 0;
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info;
|
||||
@ -1982,6 +1984,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
extended_ms_seen = 1;
|
||||
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
@ -2089,15 +2092,23 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
* Check if extended master secret is being enforced
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||
ssl->conf->enforce_extended_master_secret ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED )
|
||||
{
|
||||
if( extended_ms_seen )
|
||||
{
|
||||
#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
|
||||
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||
#endif /* !MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
|
||||
}
|
||||
else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||
"secret, while it is enforced") );
|
||||
handshake_failure = 1;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
if( handshake_failure == 1 )
|
||||
|
@ -567,12 +567,6 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||
|
||||
((void) buf);
|
||||
|
||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||
ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||
{
|
||||
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
@ -1265,6 +1259,9 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
||||
unsigned char *buf, *p, *ext;
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
int renegotiation_info_seen = 0;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
int extended_ms_seen = 0;
|
||||
#endif
|
||||
int handshake_failure = 0;
|
||||
const int *ciphersuites;
|
||||
@ -1893,6 +1890,7 @@ read_record_header:
|
||||
ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
extended_ms_seen = 1;
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
@ -2039,15 +2037,23 @@ read_record_header:
|
||||
* Check if extended master secret is being enforced
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
||||
ssl->conf->enforce_extended_master_secret ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
|
||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED )
|
||||
{
|
||||
if( extended_ms_seen )
|
||||
{
|
||||
#if !defined(MBEDTLS_SSL_EXTENDED_MS_ENFORCED)
|
||||
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||
#endif /* !MBEDTLS_SSL_EXTENDED_MS_ENFORCED */
|
||||
}
|
||||
else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||
"secret, while it is enforced") );
|
||||
handshake_failure = 1;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
if( handshake_failure == 1 )
|
||||
@ -2266,7 +2272,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
|
||||
if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||
if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
|
||||
== MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||
{
|
||||
*olen = 0;
|
||||
|
@ -1273,7 +1273,8 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
|
||||
handshake->pmslen );
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
|
||||
if( mbedtls_ssl_hs_get_extended_ms( handshake )
|
||||
== MBEDTLS_SSL_EXTENDED_MS_ENABLED )
|
||||
{
|
||||
unsigned char session_hash[48];
|
||||
size_t hash_len;
|
||||
@ -8609,17 +8610,20 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
|
||||
{
|
||||
conf->extended_ms = ems;
|
||||
}
|
||||
|
||||
#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
|
||||
#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
|
||||
char ems_enf )
|
||||
{
|
||||
conf->enforce_extended_master_secret = ems_enf;
|
||||
}
|
||||
#endif
|
||||
#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
#endif /* !MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
|
||||
@ -10716,9 +10720,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||
#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
|
||||
#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
conf->enforce_extended_master_secret =
|
||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
|
||||
#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
|
||||
|
@ -2578,6 +2578,22 @@ int query_config( const char *config )
|
||||
}
|
||||
#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
if( strcmp( "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
|
||||
/* If the symbol is not found, return an error */
|
||||
return( 1 );
|
||||
}
|
||||
|
@ -245,7 +245,9 @@ int main( void )
|
||||
#define USAGE_FALLBACK ""
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
#define USAGE_EMS \
|
||||
" extended_ms=0/1 default: (library default: on)\n" \
|
||||
" enforce_extended_master_secret=0/1 default: (library default: off)\n"
|
||||
@ -1706,7 +1708,9 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
if( opt.extended_ms != DFL_EXTENDED_MS )
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
||||
if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
|
||||
|
@ -344,7 +344,9 @@ int main( void )
|
||||
#define USAGE_DTLS ""
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
#define USAGE_EMS \
|
||||
" extended_ms=0/1 default: (library default: on)\n" \
|
||||
" enforce_extended_master_secret=0/1 default: (library default: off)\n"
|
||||
@ -2491,7 +2493,9 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
|
||||
!defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
|
||||
if( opt.extended_ms != DFL_EXTENDED_MS )
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
||||
if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
|
||||
|
@ -503,6 +503,49 @@ detect_dtls() {
|
||||
fi
|
||||
}
|
||||
|
||||
# Strip off a particular parameter from the command line
|
||||
# and return its value.
|
||||
# Parameter 1: Command line parameter to strip off
|
||||
# ENV I/O: CMD command line to search and modify
|
||||
extract_cmdline_argument() {
|
||||
__ARG=$(echo "$CMD" | sed -n "s/^.* $1=\([^ ]*\).*$/\1/p")
|
||||
CMD=$(echo "$CMD" | sed "s/$1=\([^ ]*\)//")
|
||||
}
|
||||
|
||||
# Check compatibility of the ssl_client2/ssl_server2 command-line
|
||||
# with a particular compile-time configurable option.
|
||||
# Parameter 1: Command-line argument (e.g. extended_ms)
|
||||
# Parameter 2: Corresponding compile-time configuration
|
||||
# (e.g. MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
# ENV I/O: CMD command line to search and modify
|
||||
# SKIP_NEXT set to "YES" on a mismatch
|
||||
check_cmdline_param_compat() {
|
||||
__VAL="$( get_config_value_or_default "$2" )"
|
||||
if [ ! -z "$__VAL" ]; then
|
||||
extract_cmdline_argument "$1"
|
||||
if [ ! -z "$__ARG" ] && [ "$__ARG" != "$__VAL" ]; then
|
||||
SKIP_NEXT="YES"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Go through all options that can be hardcoded at compile-time and
|
||||
# detect whether the command line configures them in a conflicting
|
||||
# way. If so, skip the test. Otherwise, remove the corresponding
|
||||
# entry.
|
||||
# Parameter 1: Command line to inspect
|
||||
# Output: Modified command line
|
||||
# ENV I/O: SKIP_TEST set to 1 on mismatch.
|
||||
check_cmdline_compat() {
|
||||
CMD="$1"
|
||||
|
||||
# ExtendedMasterSecret configuration
|
||||
check_cmdline_param_compat "extended_ms" \
|
||||
"MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET"
|
||||
check_cmdline_param_compat "enforce_extended_master_secret" \
|
||||
"MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET"
|
||||
}
|
||||
|
||||
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
|
||||
# Options: -s pattern pattern that must be present in server output
|
||||
# -c pattern pattern that must be present in client output
|
||||
@ -531,14 +574,6 @@ run_test() {
|
||||
SKIP_NEXT="YES"
|
||||
fi
|
||||
|
||||
# should we skip?
|
||||
if [ "X$SKIP_NEXT" = "XYES" ]; then
|
||||
SKIP_NEXT="NO"
|
||||
echo "SKIP"
|
||||
SKIPS=$(( $SKIPS + 1 ))
|
||||
return
|
||||
fi
|
||||
|
||||
# does this test use a proxy?
|
||||
if [ "X$1" = "X-p" ]; then
|
||||
PXY_CMD="$2"
|
||||
@ -553,6 +588,12 @@ run_test() {
|
||||
CLI_EXPECT="$3"
|
||||
shift 3
|
||||
|
||||
check_cmdline_compat "$SRV_CMD"
|
||||
SRV_CMD="$CMD"
|
||||
|
||||
check_cmdline_compat "$CLI_CMD"
|
||||
CLI_CMD="$CMD"
|
||||
|
||||
# Check if test uses files
|
||||
TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" )
|
||||
if [ ! -z "$TEST_USES_FILES" ]; then
|
||||
@ -1836,8 +1877,8 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \
|
||||
# Tests for Extended Master Secret extension
|
||||
|
||||
run_test "Extended Master Secret: default (not enforcing)" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0 " \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
@ -1847,8 +1888,8 @@ run_test "Extended Master Secret: default (not enforcing)" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: both enabled, both enforcing" \
|
||||
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
@ -1858,8 +1899,8 @@ run_test "Extended Master Secret: both enabled, both enforcing" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: both enabled, client enforcing" \
|
||||
"$P_SRV debug_level=3 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
@ -1869,8 +1910,8 @@ run_test "Extended Master Secret: both enabled, client enforcing" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: both enabled, server enforcing" \
|
||||
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 enforce_extended_master_secret=0" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
@ -1880,7 +1921,7 @@ run_test "Extended Master Secret: both enabled, server enforcing" \
|
||||
-s "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: client enabled, server disabled, client enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=0" \
|
||||
"$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
1 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
@ -1891,7 +1932,7 @@ run_test "Extended Master Secret: client enabled, server disabled, client enf
|
||||
|
||||
run_test "Extended Master Secret enforced: client disabled, server enabled, server enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
|
||||
1 \
|
||||
-C "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
@ -1900,8 +1941,8 @@ run_test "Extended Master Secret enforced: client disabled, server enabled, s
|
||||
-s "Peer not offering extended master secret, while it is enforced"
|
||||
|
||||
run_test "Extended Master Secret: client enabled, server disabled, not enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=1" \
|
||||
"$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-s "found extended master secret extension" \
|
||||
@ -1911,8 +1952,8 @@ run_test "Extended Master Secret: client enabled, server disabled, not enforc
|
||||
-S "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: client disabled, server enabled, not enforcing" \
|
||||
"$P_SRV debug_level=3 extended_ms=1" \
|
||||
"$P_CLI debug_level=3 extended_ms=0" \
|
||||
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-C "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
@ -1922,8 +1963,8 @@ run_test "Extended Master Secret: client disabled, server enabled, not enforc
|
||||
-S "session hash for extended master secret"
|
||||
|
||||
run_test "Extended Master Secret: client disabled, server disabled" \
|
||||
"$P_SRV debug_level=3 extended_ms=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=0" \
|
||||
"$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-C "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
@ -1934,8 +1975,8 @@ run_test "Extended Master Secret: client disabled, server disabled" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||
run_test "Extended Master Secret: client SSLv3, server enabled" \
|
||||
"$P_SRV debug_level=3 min_version=ssl3" \
|
||||
"$P_CLI debug_level=3 force_version=ssl3" \
|
||||
"$P_SRV debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-C "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
@ -1946,8 +1987,8 @@ run_test "Extended Master Secret: client SSLv3, server enabled" \
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
|
||||
run_test "Extended Master Secret: client enabled, server SSLv3" \
|
||||
"$P_SRV debug_level=3 force_version=ssl3" \
|
||||
"$P_CLI debug_level=3 min_version=ssl3" \
|
||||
"$P_SRV debug_level=3 force_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
"$P_CLI debug_level=3 min_version=ssl3 extended_ms=1 enforce_extended_master_secret=0" \
|
||||
0 \
|
||||
-c "client hello, adding extended_master_secret extension" \
|
||||
-S "found extended master secret extension" \
|
||||
|
Loading…
Reference in New Issue
Block a user