From 7ca4e4dc79a005e37ceb94c1f53c50b1aba0564b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 4 May 2015 10:55:58 +0200 Subject: [PATCH] Move things to conf substructure A simple series of sed invocations. This is the first step, purely internal changes. The conf substructure is not ready to be shared between contexts yet. --- include/mbedtls/ssl.h | 118 ++---------- library/debug.c | 32 ++-- library/ssl_cli.c | 126 ++++++------- library/ssl_srv.c | 150 ++++++++-------- library/ssl_tls.c | 406 +++++++++++++++++++++--------------------- 5 files changed, 374 insertions(+), 458 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b0bd8962b..f94aae84d 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -868,11 +868,13 @@ typedef struct * Numerical settings (int then char) */ + uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read (ms) */ + #if defined(MBEDTLS_SSL_PROTO_DTLS) uint32_t hs_timeout_min; /*!< initial value of the handshake - retransmission timeout */ + retransmission timeout (ms) */ uint32_t hs_timeout_max; /*!< maximum value of the handshake - retransmission timeout */ + retransmission timeout (ms) */ #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) @@ -934,11 +936,12 @@ mbedtls_ssl_config; struct mbedtls_ssl_context { + mbedtls_ssl_config *conf; /*!< configuration information */ + /* * Miscellaneous */ int state; /*!< SSL handshake: current state */ - int transport; /*!< Transport: stream or datagram */ #if defined(MBEDTLS_SSL_RENEGOTIATION) int renego_status; /*!< Initial, in progress, pending? */ int renego_records_seen; /*!< Records since renego request, or with DTLS, @@ -949,60 +952,24 @@ struct mbedtls_ssl_context int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */ int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */ - int max_major_ver; /*!< max. major version used */ - int max_minor_ver; /*!< max. minor version used */ - int min_major_ver; /*!< min. major version used */ - int min_minor_ver; /*!< min. minor version used */ - - uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read in milliseconds */ - #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - unsigned badmac_limit; /*!< limit of records with a bad MAC */ unsigned badmac_seen; /*!< records with a bad MAC received */ #endif #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) char fallback; /*!< flag for fallback connections */ #endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - char encrypt_then_mac; /*!< flag for encrypt-then-mac */ -#endif -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - char extended_ms; /*!< flag for extended master secret */ -#endif - char arc4_disabled; /*!< flag for disabling RC4 */ /* - * Callbacks (RNG, debug, I/O, verification) + * Callbacks */ int (*f_rng)(void *, unsigned char *, size_t); - void (*f_dbg)(void *, int, const char *); + void *p_rng; /*!< context for the RNG function */ + int (*f_send)(void *, const unsigned char *, size_t); int (*f_recv)(void *, unsigned char *, size_t); int (*f_recv_timeout)(void *, unsigned char *, size_t, uint32_t); - int (*f_get_cache)(void *, mbedtls_ssl_session *); - int (*f_set_cache)(void *, const mbedtls_ssl_session *); - - void *p_rng; /*!< context for the RNG function */ - void *p_dbg; /*!< context for the debug function */ void *p_bio; /*!< context for I/O operations */ - void *p_get_cache; /*!< context for cache retrieval */ - void *p_set_cache; /*!< context for cache store */ - -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); - void *p_sni; /*!< context for SNI extension */ -#endif - -#if defined(MBEDTLS_X509_CRT_PARSE_C) - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *); - void *p_vrfy; /*!< context for verification */ -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); - void *p_psk; /*!< context for PSK retrieval */ -#endif /* * Session layer @@ -1029,10 +996,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_PROTO_DTLS) struct mbedtls_timing_hr_time time_info; /*!< timer context */ unsigned long time_limit; /*!< limit for the running timer */ - uint32_t hs_timeout_min; /*!< initial value of the handshake - retransmission timeout */ - uint32_t hs_timeout_max; /*!< maximum value of the handshake - retransmission timeout */ #endif /* @@ -1059,7 +1022,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) uint64_t in_window_top; /*!< last validated record seq_num */ uint64_t in_window; /*!< bitmask for replay detection */ - char anti_replay; /*!< is anti-replay on? */ #endif size_t in_hslen; /*!< current handshake message length, @@ -1084,9 +1046,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_ZLIB_SUPPORT) unsigned char *compress_buf; /*!< zlib data buffer */ #endif -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */ -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) signed char split_done; /*!< flag for record splitting: -1 disabled, 0 todo, 1 done */ @@ -1096,10 +1055,6 @@ struct mbedtls_ssl_context * PKI layer */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_ssl_key_cert *key_cert; /*!< own certificate(s)/key(s) */ - - mbedtls_x509_crt *ca_chain; /*!< own trusted CA chain */ - mbedtls_x509_crl *ca_crl; /*!< trusted CA CRLs */ const char *peer_cn; /*!< expected peer CN */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1110,48 +1065,12 @@ struct mbedtls_ssl_context mbedtls_ssl_ticket_keys *ticket_keys; /*!< keys for ticket encryption */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */ + int client_auth; /*!< flag for client auth. */ + int verify_result; /*!< verification result */ + /* * User settings */ - int endpoint; /*!< 0: client, 1: server */ - int authmode; /*!< verification mode */ - int client_auth; /*!< flag for client auth. */ - int verify_result; /*!< verification result */ -#if defined(MBEDTLS_SSL_RENEGOTIATION) - int disable_renegotiation; /*!< enable/disable renegotiation */ - int renego_max_records; /*!< grace period for renegotiation */ - unsigned char renego_period[8]; /*!< value of the record counters - that triggers renegotiation */ -#endif - /* needed for option break handshake with insecure peers */ - int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ - const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ -#if defined(MBEDTLS_SSL_SET_CURVES) - const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ -#endif -#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - int trunc_hmac; /*!< negotiate truncated hmac? */ -#endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - int session_tickets; /*!< use session tickets? */ - int ticket_lifetime; /*!< session ticket lifetime */ -#endif - -#if defined(MBEDTLS_DHM_C) - mbedtls_mpi dhm_P; /*!< prime modulus for DHM */ - mbedtls_mpi dhm_G; /*!< generator for DHM */ -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - /* - * PSK values - */ - unsigned char *psk; - size_t psk_len; - unsigned char *psk_identity; - size_t psk_identity_len; -#endif - #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /* * SNI extension @@ -1161,10 +1080,6 @@ struct mbedtls_ssl_context #endif #if defined(MBEDTLS_SSL_ALPN) - /* - * ALPN extension - */ - const char **alpn_list; /*!< ordered list of supported protocols */ const char *alpn_chosen; /*!< negotiated protocol */ #endif @@ -1174,11 +1089,6 @@ struct mbedtls_ssl_context #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) unsigned char *cli_id; /*!< transport-level ID of the client */ size_t cli_id_len; /*!< length of cli_id */ - int (*f_cookie_write)( void *, unsigned char **, unsigned char *, - const unsigned char *, size_t ); - int (*f_cookie_check)( void *, const unsigned char *, size_t, - const unsigned char *, size_t ); - void *p_cookie; /*!< context for the cookie callbacks */ #endif /* @@ -2446,7 +2356,7 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( 13 ); #else ((void) ssl); @@ -2457,7 +2367,7 @@ static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl ) static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( 12 ); #else ((void) ssl); diff --git a/library/debug.c b/library/debug.c index 8dae2ed0a..3164ad76b 100644 --- a/library/debug.c +++ b/library/debug.c @@ -83,18 +83,18 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, char str[512]; int maxlen = sizeof( str ) - 1; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_RAW ) { - ssl->f_dbg( ssl->p_dbg, level, text ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, text ); return; } mbedtls_snprintf( str, maxlen, "%s(%04d): %s\n", file, line, text ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, @@ -105,7 +105,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, int maxlen = sizeof( str ) - 1; size_t idx = 0; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL ) @@ -115,7 +115,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, text, ret, -ret ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, @@ -126,7 +126,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, char txt[17]; size_t i, maxlen = sizeof( str ) - 1, idx = 0; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL ) @@ -136,7 +136,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, text, (unsigned int) len ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -150,7 +150,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, if( i > 0 ) { mbedtls_snprintf( str + idx, maxlen - idx, " %s\n", txt ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -175,7 +175,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, idx += mbedtls_snprintf( str + idx, maxlen - idx, " " ); mbedtls_snprintf( str + idx, maxlen - idx, " %s\n", txt ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } } @@ -187,7 +187,7 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level, char str[512]; int maxlen = sizeof( str ) - 1; - if( ssl->f_dbg == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || level > debug_threshold ) return; mbedtls_snprintf( str, maxlen, "%s(X)", text ); @@ -209,7 +209,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, int j, k, maxlen = sizeof( str ) - 1, zeros = 1; size_t i, n, idx = 0; - if( ssl->f_dbg == NULL || X == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || X == NULL || level > debug_threshold ) return; for( n = X->n - 1; n > 0; n-- ) @@ -227,7 +227,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; for( i = n + 1, j = 0; i > 0; i-- ) @@ -247,7 +247,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, if( j > 0 ) { mbedtls_snprintf( str + idx, maxlen - idx, "\n" ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); idx = 0; } @@ -274,7 +274,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, } mbedtls_snprintf( str + idx, maxlen - idx, "\n" ); - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); } #endif /* MBEDTLS_BIGNUM_C */ @@ -322,7 +322,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, char str[1024], prefix[64]; int i = 0, maxlen = sizeof( prefix ) - 1, idx = 0; - if( ssl->f_dbg == NULL || crt == NULL || level > debug_threshold ) + if( ssl->conf->f_dbg == NULL || crt == NULL || level > debug_threshold ) return; if( debug_log_mode == MBEDTLS_DEBUG_LOG_FULL ) @@ -347,7 +347,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, text, ++i, buf ); str[maxlen] = '\0'; - ssl->f_dbg( ssl->p_dbg, level, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, str ); debug_print_pk( ssl, level, file, line, "crt->", &crt->pk ); diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 9f04b2bb4..354cc5a2b 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -158,7 +158,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, *olen = 0; - if( ssl->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) + if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) return; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) ); @@ -262,7 +262,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); #if defined(MBEDTLS_SSL_SET_CURVES) - for( grp_id = ssl->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) + for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) { info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); #else @@ -320,7 +320,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) { *olen = 0; return; } @@ -333,7 +333,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, *p++ = 0x00; *p++ = 1; - *p++ = ssl->mfl_code; + *p++ = ssl->conf->mfl_code; *olen = 5; } @@ -345,7 +345,7 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) + if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ) { *olen = 0; return; @@ -369,8 +369,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || - ssl->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) + if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || + ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; return; @@ -395,8 +395,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, { unsigned char *p = buf; - if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || - ssl->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) + if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; return; @@ -422,7 +422,7 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl, unsigned char *p = buf; size_t tlen = ssl->session_negotiate->ticket_len; - if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) + if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) { *olen = 0; return; @@ -459,7 +459,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, unsigned char *p = buf; const char **cur; - if( ssl->alpn_list == NULL ) + if( ssl->conf->alpn_list == NULL ) { *olen = 0; return; @@ -481,7 +481,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, /* Skip writing extension and list length for now */ p += 4; - for( cur = ssl->alpn_list; *cur != NULL; cur++ ) + for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) { *p = (unsigned char)( strlen( *cur ) & 0xFF ); memcpy( p + 1, *cur, *p ); @@ -515,7 +515,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl ) * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake->verify_cookie != NULL ) { return( 0 ); @@ -565,14 +565,14 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE ) #endif { - ssl->major_ver = ssl->min_major_ver; - ssl->minor_ver = ssl->min_minor_ver; + ssl->major_ver = ssl->conf->min_major_ver; + ssl->minor_ver = ssl->conf->min_minor_ver; } - if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 ) + if( ssl->conf->max_major_ver == 0 && ssl->conf->max_minor_ver == 0 ) { - ssl->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; - ssl->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; + ssl->conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; + ssl->conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; } /* @@ -585,8 +585,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) buf = ssl->out_msg; p = buf + 4; - mbedtls_ssl_write_version( ssl->max_major_ver, ssl->max_minor_ver, - ssl->transport, p ); + mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, + ssl->conf->transport, p ); p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]", @@ -659,7 +659,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * DTLS cookie */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { if( ssl->handshake->verify_cookie == NULL ) { @@ -683,7 +683,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) /* * Ciphersuite list */ - ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; /* Skip writing ciphersuite length for now */ n = 0; @@ -697,17 +697,17 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) if( ciphersuite_info == NULL ) continue; - if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver || - ciphersuite_info->max_minor_ver < ssl->min_minor_ver ) + if( ciphersuite_info->min_minor_ver > ssl->conf->max_minor_ver || + ciphersuite_info->max_minor_ver < ssl->conf->min_minor_ver ) continue; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) continue; #endif - if( ssl->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && + if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) continue; @@ -760,7 +760,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) * an actual need for it. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) offer_compress = 0; #endif @@ -860,7 +860,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -928,9 +928,9 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl, * server should use the extension only if we did, * and if so the server's value should match ours (and len is always 1) */ - if( ssl->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || + if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE || len != 1 || - buf[0] != ssl->mfl_code ) + buf[0] != ssl->conf->mfl_code ) { return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } @@ -944,7 +944,7 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || + if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED || len != 0 ) { return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); @@ -963,7 +963,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || + if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || len != 0 ) { @@ -983,7 +983,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 || len != 0 ) { @@ -1003,7 +1003,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || + if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED || len != 0 ) { return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); @@ -1060,7 +1060,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, const char **p; /* If we didn't send it, the server shouldn't send it */ - if( ssl->alpn_list == NULL ) + if( ssl->conf->alpn_list == NULL ) return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); /* @@ -1086,7 +1086,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); /* Check that the server chosen protocol was in our list and save it */ - for( p = ssl->alpn_list; *p != NULL; p++ ) + for( p = ssl->conf->alpn_list; *p != NULL; p++ ) { if( name_len == strlen( *p ) && memcmp( buf + 3, *p, name_len ) == 0 ) @@ -1119,7 +1119,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) * } HelloVerifyRequest; */ MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); - mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->transport, p ); + mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); p += 2; /* @@ -1128,8 +1128,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) */ if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || - major_ver > ssl->max_major_ver || - minor_ver > ssl->max_minor_ver ) + major_ver > ssl->conf->max_major_ver || + minor_ver > ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) ); @@ -1199,8 +1199,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) { ssl->renego_records_seen++; - if( ssl->renego_max_records >= 0 && - ssl->renego_records_seen > ssl->renego_max_records ) + if( ssl->conf->renego_max_records >= 0 && + ssl->renego_records_seen > ssl->conf->renego_max_records ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " "but not honored by server" ) ); @@ -1217,7 +1217,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) { @@ -1257,18 +1257,18 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->transport, buf + 0 ); + ssl->conf->transport, buf + 0 ); - if( ssl->major_ver < ssl->min_major_ver || - ssl->minor_ver < ssl->min_minor_ver || - ssl->major_ver > ssl->max_major_ver || - ssl->minor_ver > ssl->max_minor_ver ) + if( ssl->major_ver < ssl->conf->min_major_ver || + ssl->minor_ver < ssl->conf->min_minor_ver || + ssl->major_ver > ssl->conf->max_major_ver || + ssl->minor_ver > ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " " min: [%d:%d], server: [%d:%d], max: [%d:%d]", - ssl->min_major_ver, ssl->min_minor_ver, + ssl->conf->min_major_ver, ssl->conf->min_minor_ver, ssl->major_ver, ssl->minor_ver, - ssl->max_major_ver, ssl->max_minor_ver ) ); + ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); @@ -1334,7 +1334,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) /* See comments in ssl_write_client_hello() */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) accept_comp = 0; #endif @@ -1402,7 +1402,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); if( suite_info == NULL || - ( ssl->arc4_disabled && + ( ssl->conf->arc4_disabled && suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); @@ -1413,13 +1413,13 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) i = 0; while( 1 ) { - if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 ) + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - if( ssl->ciphersuite_list[ssl->minor_ver][i++] == + if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] == ssl->session_negotiate->ciphersuite ) { break; @@ -1575,7 +1575,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) * Renegotiation security checks */ if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; @@ -1590,7 +1590,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); handshake_failure = 1; @@ -1779,8 +1779,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, * opaque random[46]; * } PreMasterSecret; */ - mbedtls_ssl_write_version( ssl->max_major_ver, ssl->max_minor_ver, - ssl->transport, p ); + mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver, + ssl->conf->transport, p ); if( ( ret = ssl->f_rng( ssl->p_rng, p + 2, 46 ) ) != 0 ) { @@ -2426,7 +2426,7 @@ static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -2535,16 +2535,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) /* * opaque psk_identity<0..2^16-1>; */ - if( ssl->psk == NULL || ssl->psk_identity == NULL ) + if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); i = 4; - n = ssl->psk_identity_len; + n = ssl->conf->psk_identity_len; ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n ); - memcpy( ssl->out_msg + i, ssl->psk_identity, ssl->psk_identity_len ); - i += ssl->psk_identity_len; + memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); + i += ssl->conf->psk_identity_len; #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) @@ -2944,7 +2944,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 3a6a3fec8..bb5e7e0c2 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -333,7 +333,7 @@ static int ssl_parse_ticket( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_HAVE_TIME) /* Check if still valid */ - if( (int) ( time( NULL) - session.start ) > ssl->ticket_lifetime ) + if( (int) ( time( NULL) - session.start ) > ssl->conf->ticket_lifetime ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "session ticket expired" ) ); mbedtls_ssl_session_free( &session ); @@ -363,7 +363,7 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, const unsigned char *info, size_t ilen ) { - if( ssl->endpoint != MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); mbedtls_free( ssl->cli_id ); @@ -382,9 +382,9 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_context *ssl, mbedtls_ssl_cookie_check_t *f_cookie_check, void *p_cookie ) { - ssl->f_cookie_write = f_cookie_write; - ssl->f_cookie_check = f_cookie_check; - ssl->p_cookie = p_cookie; + ssl->conf->f_cookie_write = f_cookie_write; + ssl->conf->f_cookie_check = f_cookie_check; + ssl->conf->p_cookie = p_cookie; } #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ @@ -397,13 +397,13 @@ static int ssl_sni_wrapper( mbedtls_ssl_context *ssl, const unsigned char* name, size_t len ) { int ret; - mbedtls_ssl_key_cert *key_cert_ori = ssl->key_cert; + mbedtls_ssl_key_cert *key_cert_ori = ssl->conf->key_cert; - ssl->key_cert = NULL; - ret = ssl->f_sni( ssl->p_sni, ssl, name, len ); - ssl->handshake->sni_key_cert = ssl->key_cert; + ssl->conf->key_cert = NULL; + ret = ssl->conf->f_sni( ssl->conf->p_sni, ssl, name, len ); + ssl->handshake->sni_key_cert = ssl->conf->key_cert; - ssl->key_cert = key_cert_ori; + ssl->conf->key_cert = key_cert_ori; return( ret ); } @@ -670,7 +670,7 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl, ((void) buf); - if( ssl->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) + if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; return( 0 ); @@ -690,7 +690,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, ((void) buf); - if( ssl->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && + if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) { ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; @@ -713,7 +713,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl, ((void) buf); - if( ssl->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && + if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) { ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; @@ -730,7 +730,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl, { int ret; - if( ssl->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) + if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) return( 0 ); /* Remember the client asked us to send a new ticket */ @@ -778,7 +778,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, const char **ours; /* If ALPN not configured, just ignore the extension */ - if( ssl->alpn_list == NULL ) + if( ssl->conf->alpn_list == NULL ) return( 0 ); /* @@ -802,7 +802,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, */ start = buf + 2; end = buf + len; - for( ours = ssl->alpn_list; *ours != NULL; ours++ ) + for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) { ours_len = strlen( *ours ); for( theirs = start; theirs != end; theirs += cur_len ) @@ -982,12 +982,12 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) return( 0 ); #endif - if( ssl->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && + if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); @@ -1009,9 +1009,9 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, /* If the ciphersuite requires a pre-shared key and we don't * have one, skip it now rather than failing later */ if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && - ssl->f_psk == NULL && - ( ssl->psk == NULL || ssl->psk_identity == NULL || - ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) + ssl->conf->f_psk == NULL && + ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) ); return( 0 ); @@ -1100,15 +1100,15 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) } ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver ) - ? buf[4] : ssl->max_minor_ver; + ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver ) + ? buf[4] : ssl->conf->max_minor_ver; - if( ssl->minor_ver < ssl->min_minor_ver ) + if( ssl->minor_ver < ssl->conf->min_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver, - ssl->min_major_ver, ssl->min_minor_ver ) ); + ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); @@ -1224,7 +1224,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) ); - if( ssl->minor_ver < ssl->max_minor_ver ) + if( ssl->minor_ver < ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); @@ -1240,7 +1240,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_FALLBACK_SCSV */ got_common_suite = 0; - ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; ciphersuite_info = NULL; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) @@ -1291,7 +1291,7 @@ have_ciphersuite_v2: * SSLv2 Client Hello relevant renegotiation security checks */ if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); @@ -1353,7 +1353,7 @@ read_record_header: #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) #endif if( ( buf[0] & 0x80 ) != 0 ) return ssl_parse_client_hello_v2( ssl ); @@ -1385,7 +1385,7 @@ read_record_header: MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]", buf[1], buf[2] ) ); - mbedtls_ssl_read_version( &major, &minor, ssl->transport, buf + 1 ); + mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 ); /* According to RFC 5246 Appendix E.1, the version here is typically * "{03,00}, the lowest version number supported by the client, [or] the @@ -1400,7 +1400,7 @@ read_record_header: /* For DTLS if this is the initial handshake, remember the client sequence * number to use it in our next message (RFC 6347 4.2.1) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM #if defined(MBEDTLS_SSL_RENEGOTIATION) && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE #endif @@ -1455,7 +1455,7 @@ read_record_header: /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl ); else #endif @@ -1502,7 +1502,7 @@ read_record_header: } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* * Copy the client's handshake message_seq on initial handshakes, @@ -1583,18 +1583,18 @@ read_record_header: MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->transport, buf ); + ssl->conf->transport, buf ); ssl->handshake->max_major_ver = ssl->major_ver; ssl->handshake->max_minor_ver = ssl->minor_ver; - if( ssl->major_ver < ssl->min_major_ver || - ssl->minor_ver < ssl->min_minor_ver ) + if( ssl->major_ver < ssl->conf->min_major_ver || + ssl->minor_ver < ssl->conf->min_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver, - ssl->min_major_ver, ssl->min_minor_ver ) ); + ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); @@ -1602,13 +1602,13 @@ read_record_header: return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); } - if( ssl->major_ver > ssl->max_major_ver ) + if( ssl->major_ver > ssl->conf->max_major_ver ) { - ssl->major_ver = ssl->max_major_ver; - ssl->minor_ver = ssl->max_minor_ver; + ssl->major_ver = ssl->conf->max_major_ver; + ssl->minor_ver = ssl->conf->max_minor_ver; } - else if( ssl->minor_ver > ssl->max_minor_ver ) - ssl->minor_ver = ssl->max_minor_ver; + else if( ssl->minor_ver > ssl->conf->max_minor_ver ) + ssl->minor_ver = ssl->conf->max_minor_ver; /* * Save client random (inc. Unix time) @@ -1641,7 +1641,7 @@ read_record_header: * Check the cookie length and content */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { cookie_offset = 35 + sess_len; cookie_len = buf[cookie_offset]; @@ -1656,13 +1656,13 @@ read_record_header: buf + cookie_offset + 1, cookie_len ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if( ssl->f_cookie_check != NULL + if( ssl->conf->f_cookie_check != NULL #if defined(MBEDTLS_SSL_RENEGOTIATION) && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE #endif ) { - if( ssl->f_cookie_check( ssl->p_cookie, + if( ssl->conf->f_cookie_check( ssl->conf->p_cookie, buf + cookie_offset + 1, cookie_len, ssl->cli_id, ssl->cli_id_len ) != 0 ) { @@ -1743,7 +1743,7 @@ read_record_header: /* See comments in ssl_write_client_hello() */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; #endif @@ -1793,7 +1793,7 @@ read_record_header: #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) case MBEDTLS_TLS_EXT_SERVERNAME: MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); - if( ssl->f_sni == NULL ) + if( ssl->conf->f_sni == NULL ) break; ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); @@ -1931,7 +1931,7 @@ read_record_header: { MBEDTLS_SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) ); - if( ssl->minor_ver < ssl->max_minor_ver ) + if( ssl->minor_ver < ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) ); @@ -1974,7 +1974,7 @@ read_record_header: * Renegotiation security checks */ if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; @@ -1989,7 +1989,7 @@ read_record_header: } else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) ); handshake_failure = 1; @@ -2017,7 +2017,7 @@ read_record_header: * and certificate from the SNI callback triggered by the SNI extension.) */ got_common_suite = 0; - ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; + ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; ciphersuite_info = NULL; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) @@ -2068,7 +2068,7 @@ have_ciphersuite: ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -2351,12 +2351,12 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) /* The RFC is not clear on this point, but sending the actual negotiated * version looks like the most interoperable thing to do. */ mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, p ); + ssl->conf->transport, p ); MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 ); p += 2; /* If we get here, f_cookie_check is not null */ - if( ssl->f_cookie_write == NULL ) + if( ssl->conf->f_cookie_write == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -2365,7 +2365,7 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl ) /* Skip length byte until we know the length */ cookie_len_byte = p++; - if( ( ret = ssl->f_cookie_write( ssl->p_cookie, + if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie, &p, ssl->out_buf + MBEDTLS_SSL_BUFFER_LEN, ssl->cli_id, ssl->cli_id_len ) ) != 0 ) { @@ -2407,7 +2407,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake->verify_cookie_len != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); @@ -2434,7 +2434,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) p = buf + 4; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, p ); + ssl->conf->transport, p ); p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]", @@ -2474,8 +2474,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE && #endif ssl->session_negotiate->length != 0 && - ssl->f_get_cache != NULL && - ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) + ssl->conf->f_get_cache != NULL && + ssl->conf->f_get_cache( ssl->conf->p_get_cache, ssl->session_negotiate ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) ); ssl->handshake->resume = 1; @@ -2651,7 +2651,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ssl->authmode == MBEDTLS_SSL_VERIFY_NONE ) + ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) ); return( 0 ); @@ -2743,7 +2743,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) * opaque DistinguishedName<1..2^16-1>; */ p += 2; - crt = ssl->ca_chain; + crt = ssl->conf->ca_chain; total_dn_size = 0; while( crt != NULL && crt->version != 0 ) @@ -2880,8 +2880,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) * opaque dh_Ys<1..2^16-1>; * } ServerDHParams; */ - if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 || - ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || + ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); return( ret ); @@ -2927,7 +2927,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) const mbedtls_ecp_group_id *gid; /* Match our preference list against the offered curves */ - for( gid = ssl->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) if( (*curve)->grp_id == *gid ) goto curve_matching_done; @@ -3167,7 +3167,7 @@ static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -3268,7 +3268,7 @@ static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl, mbedtls_ssl_write_version( ssl->handshake->max_major_ver, ssl->handshake->max_minor_ver, - ssl->transport, ver ); + ssl->conf->transport, ver ); /* * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding * must not cause the connection to end immediately; instead, send a @@ -3320,9 +3320,9 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha int ret = 0; size_t n; - if( ssl->f_psk == NULL && - ( ssl->psk == NULL || ssl->psk_identity == NULL || - ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) ) + if( ssl->conf->f_psk == NULL && + ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || + ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); @@ -3346,17 +3346,17 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); } - if( ssl->f_psk != NULL ) + if( ssl->conf->f_psk != NULL ) { - if( ssl->f_psk( ssl->p_psk, ssl, *p, n ) != 0 ) + if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 ) ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } else { /* Identity is not a big secret since clients send it in the clear, * but treat it carefully anyway, just in case */ - if( n != ssl->psk_identity_len || - mbedtls_ssl_safer_memcmp( ssl->psk_identity, *p, n ) != 0 ) + if( n != ssl->conf->psk_identity_len || + mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 ) { ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; } @@ -3796,7 +3796,7 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl ) { int ret; size_t tlen; - uint32_t lifetime = (uint32_t) ssl->ticket_lifetime; + uint32_t lifetime = (uint32_t) ssl->conf->ticket_lifetime; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) ); @@ -3864,7 +3864,7 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl ) return( ret ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9fb2c9719..17c64957a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -68,7 +68,7 @@ static void mbedtls_zeroize( void *v, size_t n ) { static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( 2 ); #else ((void) ssl); @@ -111,16 +111,16 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) { uint32_t new_timeout; - if( ssl->handshake->retransmit_timeout >= ssl->hs_timeout_max ) + if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) return( -1 ); new_timeout = 2 * ssl->handshake->retransmit_timeout; /* Avoid arithmetic overflow and range overflow */ if( new_timeout < ssl->handshake->retransmit_timeout || - new_timeout > ssl->hs_timeout_max ) + new_timeout > ssl->conf->hs_timeout_max ) { - new_timeout = ssl->hs_timeout_max; + new_timeout = ssl->conf->hs_timeout_max; } ssl->handshake->retransmit_timeout = new_timeout; @@ -132,7 +132,7 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) { - ssl->handshake->retransmit_timeout = ssl->hs_timeout_min; + ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs", ssl->handshake->retransmit_timeout ) ); } @@ -772,7 +772,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * Finally setup the cipher contexts, IVs and MAC secrets. */ #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { key1 = keyblk + transform->maclen * 2; key2 = keyblk + transform->maclen * 2 + transform->keylen; @@ -792,7 +792,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { key1 = keyblk + transform->maclen * 2 + transform->keylen; key2 = keyblk + transform->maclen * 2; @@ -1077,12 +1077,12 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK ) { - if( end - p < 2 + (int) ssl->psk_len ) + if( end - p < 2 + (int) ssl->conf->psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - *(p++) = (unsigned char)( ssl->psk_len >> 8 ); - *(p++) = (unsigned char)( ssl->psk_len ); - p += ssl->psk_len; + *(p++) = (unsigned char)( ssl->conf->psk_len >> 8 ); + *(p++) = (unsigned char)( ssl->conf->psk_len ); + p += ssl->conf->psk_len; } else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ @@ -1149,13 +1149,13 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } /* opaque psk<0..2^16-1>; */ - if( end - p < 2 + (int) ssl->psk_len ) + if( end - p < 2 + (int) ssl->conf->psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - *(p++) = (unsigned char)( ssl->psk_len >> 8 ); - *(p++) = (unsigned char)( ssl->psk_len ); - memcpy( p, ssl->psk, ssl->psk_len ); - p += ssl->psk_len; + *(p++) = (unsigned char)( ssl->conf->psk_len >> 8 ); + *(p++) = (unsigned char)( ssl->conf->psk_len ); + memcpy( p, ssl->conf->psk, ssl->conf->psk_len ); + p += ssl->conf->psk_len; ssl->handshake->pmslen = p - ssl->handshake->premaster; @@ -1327,7 +1327,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) memcpy( add_data, ssl->out_ctr, 8 ); add_data[8] = ssl->out_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, add_data + 9 ); + ssl->conf->transport, add_data + 9 ); add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF; add_data[12] = ssl->out_msglen & 0xFF; @@ -1622,7 +1622,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) memcpy( add_data, ssl->in_ctr, 8 ); add_data[8] = ssl->in_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, add_data + 9 ); + ssl->conf->transport, add_data + 9 ); add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF; add_data[12] = ssl->in_msglen & 0xFF; @@ -2005,7 +2005,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) ssl->nb_zero = 0; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { ; /* in_ctr read from peer, not maintained internally */ } @@ -2138,9 +2138,9 @@ static int ssl_resend_hello_request( mbedtls_ssl_context *ssl ) { /* If renegotiation is not enforced, retransmit until we would reach max * timeout if we were using the usual handshake doubling scheme */ - if( ssl->renego_max_records < 0 ) + if( ssl->conf->renego_max_records < 0 ) { - uint32_t ratio = ssl->hs_timeout_max / ssl->hs_timeout_min + 1; + uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; unsigned char doublings = 1; while( ratio != 0 ) @@ -2197,7 +2197,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { uint32_t timeout; @@ -2272,7 +2272,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) timeout = ssl->handshake->retransmit_timeout; else - timeout = ssl->read_timeout; + timeout = ssl->conf->read_timeout; MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); @@ -2310,7 +2310,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) return( MBEDTLS_ERR_NET_WANT_READ ); } #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) - else if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) @@ -2655,7 +2655,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) { @@ -2677,7 +2677,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) * uint24 fragment_length; */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Make room for the additional DTLS fields */ memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); @@ -2709,7 +2709,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) /* Save handshake and CCS messages for resending */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING && ( ssl->out_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC || @@ -2757,7 +2757,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) { ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, - ssl->transport, ssl->out_hdr + 1 ); + ssl->conf->transport, ssl->out_hdr + 1 ); ssl->out_len[0] = (unsigned char)( len >> 8 ); ssl->out_len[1] = (unsigned char)( len ); @@ -3036,7 +3036,7 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { int ret; unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; @@ -3104,7 +3104,7 @@ static int ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) /* Handshake message is complete, increment counter */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL ) { ssl->handshake->in_msg_seq++; @@ -3149,7 +3149,7 @@ int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl ) uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); uint64_t bit; - if( ssl->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) return( 0 ); if( rec_seqnum > ssl->in_window_top ) @@ -3173,7 +3173,7 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) { uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); - if( ssl->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) + if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) return; if( rec_seqnum > ssl->in_window_top ) @@ -3218,7 +3218,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) ssl->in_msgtype = ssl->in_hdr[0]; ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1]; - mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->transport, ssl->in_hdr + 1 ); + mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, " "version = [%d:%d], msglen = %d", @@ -3244,7 +3244,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Drop unexpected ChangeCipherSpec messages */ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && @@ -3278,7 +3278,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INVALID_RECORD ); } - if( minor_ver > ssl->max_minor_ver ) + if( minor_ver > ssl->conf->max_minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); return( MBEDTLS_ERR_SSL_INVALID_RECORD ); @@ -3286,7 +3286,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl ) /* Check epoch (and sequence number) with DTLS */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; @@ -3421,7 +3421,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_ZLIB_SUPPORT */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { mbedtls_ssl_dtls_replay_update( ssl ); } @@ -3480,7 +3480,7 @@ read_record_header: if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Ignore bad record and get next one; drop the whole datagram * since current header cannot be trusted to find the next record @@ -3507,7 +3507,7 @@ read_record_header: /* Done reading this record, get ready for the next one */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl ); else #endif @@ -3516,15 +3516,15 @@ read_record_header: if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Silently discard invalid records */ if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD || ret == MBEDTLS_ERR_SSL_INVALID_MAC ) { #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - if( ssl->badmac_limit != 0 && - ++ssl->badmac_seen >= ssl->badmac_limit ) + if( ssl->conf->badmac_limit != 0 && + ++ssl->badmac_seen >= ssl->conf->badmac_limit ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); return( MBEDTLS_ERR_SSL_INVALID_MAC ); @@ -3569,7 +3569,7 @@ read_record_header: * being mistaken for an ancient message in the current handshake. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake != NULL && ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) { @@ -3735,7 +3735,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { if( ssl->client_auth == 0 ) { @@ -3764,7 +3764,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { if( mbedtls_ssl_own_cert( ssl ) == NULL ) { @@ -3849,8 +3849,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && - ( ssl->authmode == MBEDTLS_SSL_VERIFY_NONE || + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && + ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ) { ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; @@ -3873,7 +3873,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) /* * Check if the client sent an empty certificate */ - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { if( ssl->in_msglen == 2 && @@ -3884,7 +3884,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) ); ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if( ssl->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) + if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) return( 0 ); else return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); @@ -3894,7 +3894,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 ) { if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && @@ -3905,7 +3905,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) ); ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; - if( ssl->authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) + if( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); else return( 0 ); @@ -3997,7 +3997,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * avoid "triple handshake" attack: https://secure-resumption.com/ */ #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) { if( ssl->session->peer_cert == NULL ) @@ -4018,9 +4018,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ - if( ssl->authmode != MBEDTLS_SSL_VERIFY_NONE ) + if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE ) { - if( ssl->ca_chain == NULL ) + if( ssl->conf->ca_chain == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED ); @@ -4030,9 +4030,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * Main check: verify certificate */ ret = mbedtls_x509_crt_verify( ssl->session_negotiate->peer_cert, - ssl->ca_chain, ssl->ca_crl, ssl->peer_cn, + ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->peer_cn, &ssl->session_negotiate->verify_result, - ssl->f_vrfy, ssl->p_vrfy ); + ssl->conf->f_vrfy, ssl->conf->p_vrfy ); if( ret != 0 ) { @@ -4060,7 +4060,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, ciphersuite_info, - ! ssl->endpoint, + ! ssl->conf->endpoint, &ssl->session_negotiate->verify_result ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) ); @@ -4068,7 +4068,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; } - if( ssl->authmode != MBEDTLS_SSL_VERIFY_REQUIRED ) + if( ssl->conf->authmode != MBEDTLS_SSL_VERIFY_REQUIRED ) ret = 0; } @@ -4140,7 +4140,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) ssl->session_in = ssl->session_negotiate; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) ssl_dtls_replay_reset( ssl ); @@ -4571,16 +4571,16 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl ) /* * Add cache entry */ - if( ssl->f_set_cache != NULL && + if( ssl->conf->f_set_cache != NULL && ssl->session->length != 0 && resume == 0 ) { - if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 ) + if( ssl->conf->f_set_cache( ssl->conf->p_set_cache, ssl->session ) != 0 ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) ); } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->handshake->flight != NULL ) { /* Cancel handshake timer */ @@ -4616,7 +4616,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) else ssl->out_msg = ssl->out_iv; - ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint ); + ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint ); // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63) hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12; @@ -4637,11 +4637,11 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; #endif } @@ -4655,7 +4655,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { unsigned char i; @@ -4697,7 +4697,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_send_flight_completed( ssl ); #endif @@ -4726,7 +4726,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) ); - ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 ); + ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 ); if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 ) { @@ -4770,11 +4770,11 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) if( ssl->handshake->resume != 0 ) { #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; #endif } @@ -4782,7 +4782,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ) ssl->state++; #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) mbedtls_ssl_recv_flight_completed( ssl ); #endif @@ -4893,7 +4893,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl_handshake_params_init( ssl->handshake ); #if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl->handshake->key_cert = ssl->key_cert; + ssl->handshake->key_cert = ssl->conf->key_cert; #endif /* @@ -4904,7 +4904,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) ssl->handshake->alt_transform_out = ssl->transform_out; // TODO: not the right place, we may not know endpoint yet - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; else ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; @@ -4958,28 +4958,34 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) int ret; int len = MBEDTLS_SSL_BUFFER_LEN; + ssl->conf = mbedtls_malloc( sizeof( mbedtls_ssl_config ) ); + if( ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); + + memset( ssl->conf, 0, sizeof( mbedtls_ssl_config ) ); + /* * Sane defaults */ - ssl->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; - ssl->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ - ssl->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; - ssl->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; + ssl->conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; + ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */ + ssl->conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION; + ssl->conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION; mbedtls_ssl_set_ciphersuites( ssl, mbedtls_ssl_list_ciphersuites() ); mbedtls_ssl_set_arc4_support( ssl, MBEDTLS_SSL_ARC4_DISABLED ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - ssl->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; - memset( ssl->renego_period, 0xFF, 7 ); - ssl->renego_period[7] = 0x00; + ssl->conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; + memset( ssl->conf->renego_period, 0xFF, 7 ); + ssl->conf->renego_period[7] = 0x00; #endif #if defined(MBEDTLS_DHM_C) - if( ( ret = mbedtls_mpi_read_string( &ssl->dhm_P, 16, + if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_P, 16, MBEDTLS_DHM_RFC5114_MODP_1024_P) ) != 0 || - ( ret = mbedtls_mpi_read_string( &ssl->dhm_G, 16, + ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_G, 16, MBEDTLS_DHM_RFC5114_MODP_1024_G) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); @@ -5006,33 +5012,33 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl ) (void) mbedtls_ssl_set_transport( ssl, MBEDTLS_SSL_TRANSPORT_STREAM ); #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - ssl->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; + ssl->conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - ssl->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; + ssl->conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - ssl->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; + ssl->conf->ticket_lifetime = MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME; #endif #if defined(MBEDTLS_SSL_SET_CURVES) - ssl->curve_list = mbedtls_ecp_grp_id_list( ); + ssl->conf->curve_list = mbedtls_ecp_grp_id_list( ); #endif #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) - ssl->f_cookie_write = ssl_cookie_write_dummy; - ssl->f_cookie_check = ssl_cookie_check_dummy; + ssl->conf->f_cookie_write = ssl_cookie_write_dummy; + ssl->conf->f_cookie_check = ssl_cookie_check_dummy; #endif #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - ssl->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; + ssl->conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - ssl->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; - ssl->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; + ssl->conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; + ssl->conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; #endif if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) @@ -5198,20 +5204,20 @@ static int ssl_ticket_keys_init( mbedtls_ssl_context *ssl ) */ void mbedtls_ssl_set_endpoint( mbedtls_ssl_context *ssl, int endpoint ) { - ssl->endpoint = endpoint; + ssl->conf->endpoint = endpoint; #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ defined(MBEDTLS_SSL_CLI_C) if( endpoint == MBEDTLS_SSL_IS_CLIENT ) { - ssl->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; - ssl->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; + ssl->conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; + ssl->conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; } #endif #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( endpoint == MBEDTLS_SSL_IS_SERVER ) - ssl->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; + ssl->conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; #endif } @@ -5220,7 +5226,7 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) #if defined(MBEDTLS_SSL_PROTO_DTLS) if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - ssl->transport = transport; + ssl->conf->transport = transport; ssl->out_hdr = ssl->out_buf; ssl->out_ctr = ssl->out_buf + 3; @@ -5235,11 +5241,11 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) ssl->in_msg = ssl->in_buf + 13; /* DTLS starts with TLS1.1 */ - if( ssl->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + if( ssl->conf->min_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) + ssl->conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; - if( ssl->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - ssl->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + if( ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) + ssl->conf->max_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; return( 0 ); } @@ -5247,7 +5253,7 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) if( transport == MBEDTLS_SSL_TRANSPORT_STREAM ) { - ssl->transport = transport; + ssl->conf->transport = transport; ssl->out_ctr = ssl->out_buf; ssl->out_hdr = ssl->out_buf + 8; @@ -5270,28 +5276,28 @@ int mbedtls_ssl_set_transport( mbedtls_ssl_context *ssl, int transport ) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) void mbedtls_ssl_set_dtls_anti_replay( mbedtls_ssl_context *ssl, char mode ) { - ssl->anti_replay = mode; + ssl->conf->anti_replay = mode; } #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) void mbedtls_ssl_set_dtls_badmac_limit( mbedtls_ssl_context *ssl, unsigned limit ) { - ssl->badmac_limit = limit; + ssl->conf->badmac_limit = limit; } #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) void mbedtls_ssl_set_handshake_timeout( mbedtls_ssl_context *ssl, uint32_t min, uint32_t max ) { - ssl->hs_timeout_min = min; - ssl->hs_timeout_max = max; + ssl->conf->hs_timeout_min = min; + ssl->conf->hs_timeout_max = max; } #endif void mbedtls_ssl_set_authmode( mbedtls_ssl_context *ssl, int authmode ) { - ssl->authmode = authmode; + ssl->conf->authmode = authmode; } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -5299,8 +5305,8 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), void *p_vrfy ) { - ssl->f_vrfy = f_vrfy; - ssl->p_vrfy = p_vrfy; + ssl->conf->f_vrfy = f_vrfy; + ssl->conf->p_vrfy = p_vrfy; } #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -5316,8 +5322,8 @@ void mbedtls_ssl_set_dbg( mbedtls_ssl_context *ssl, void (*f_dbg)(void *, int, const char *), void *p_dbg ) { - ssl->f_dbg = f_dbg; - ssl->p_dbg = p_dbg; + ssl->conf->f_dbg = f_dbg; + ssl->conf->p_dbg = p_dbg; } #if ! defined(MBEDTLS_DEPRECATED_REMOVED) @@ -5350,7 +5356,7 @@ void mbedtls_ssl_set_bio_timeout( mbedtls_ssl_context *ssl, ssl->f_send = f_send; ssl->f_recv = f_recv; ssl->f_recv_timeout = f_recv_timeout; - ssl->read_timeout = timeout; + ssl->conf->read_timeout = timeout; } #if defined(MBEDTLS_SSL_SRV_C) @@ -5358,10 +5364,10 @@ void mbedtls_ssl_set_session_cache( mbedtls_ssl_context *ssl, int (*f_get_cache)(void *, mbedtls_ssl_session *), void *p_get_cache, int (*f_set_cache)(void *, const mbedtls_ssl_session *), void *p_set_cache ) { - ssl->f_get_cache = f_get_cache; - ssl->p_get_cache = p_get_cache; - ssl->f_set_cache = f_set_cache; - ssl->p_set_cache = p_set_cache; + ssl->conf->f_get_cache = f_get_cache; + ssl->conf->p_get_cache = p_get_cache; + ssl->conf->f_set_cache = f_set_cache; + ssl->conf->p_set_cache = p_set_cache; } #endif /* MBEDTLS_SSL_SRV_C */ @@ -5373,7 +5379,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session if( ssl == NULL || session == NULL || ssl->session_negotiate == NULL || - ssl->endpoint != MBEDTLS_SSL_IS_CLIENT ) + ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -5389,10 +5395,10 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session void mbedtls_ssl_set_ciphersuites( mbedtls_ssl_context *ssl, const int *ciphersuites ) { - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; - ssl->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites; + ssl->conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites; } void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, @@ -5405,7 +5411,7 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_context *ssl, if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) return; - ssl->ciphersuite_list[minor] = ciphersuites; + ssl->conf->ciphersuite_list[minor] = ciphersuites; } #if defined(MBEDTLS_X509_CRT_PARSE_C) @@ -5421,15 +5427,15 @@ static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) memset( key_cert, 0, sizeof( mbedtls_ssl_key_cert ) ); /* Append the new key_cert to the (possibly empty) current list */ - if( ssl->key_cert == NULL ) + if( ssl->conf->key_cert == NULL ) { - ssl->key_cert = key_cert; + ssl->conf->key_cert = key_cert; if( ssl->handshake != NULL ) ssl->handshake->key_cert = key_cert; } else { - last = ssl->key_cert; + last = ssl->conf->key_cert; while( last->next != NULL ) last = last->next; last->next = key_cert; @@ -5441,8 +5447,8 @@ static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) void mbedtls_ssl_set_ca_chain( mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl, const char *peer_cn ) { - ssl->ca_chain = ca_chain; - ssl->ca_crl = ca_crl; + ssl->conf->ca_chain = ca_chain; + ssl->conf->ca_crl = ca_crl; ssl->peer_cn = peer_cn; } @@ -5471,25 +5477,25 @@ int mbedtls_ssl_set_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, siz if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( ssl->psk != NULL || ssl->psk_identity != NULL ) + if( ssl->conf->psk != NULL || ssl->conf->psk_identity != NULL ) { - mbedtls_free( ssl->psk ); - mbedtls_free( ssl->psk_identity ); + mbedtls_free( ssl->conf->psk ); + mbedtls_free( ssl->conf->psk_identity ); } - if( ( ssl->psk = mbedtls_malloc( psk_len ) ) == NULL || - ( ssl->psk_identity = mbedtls_malloc( psk_identity_len ) ) == NULL ) + if( ( ssl->conf->psk = mbedtls_malloc( psk_len ) ) == NULL || + ( ssl->conf->psk_identity = mbedtls_malloc( psk_identity_len ) ) == NULL ) { - mbedtls_free( ssl->psk ); - ssl->psk = NULL; + mbedtls_free( ssl->conf->psk ); + ssl->conf->psk = NULL; return( MBEDTLS_ERR_SSL_MALLOC_FAILED ); } - ssl->psk_len = psk_len; - ssl->psk_identity_len = psk_identity_len; + ssl->conf->psk_len = psk_len; + ssl->conf->psk_identity_len = psk_identity_len; - memcpy( ssl->psk, psk, ssl->psk_len ); - memcpy( ssl->psk_identity, psk_identity, ssl->psk_identity_len ); + memcpy( ssl->conf->psk, psk, ssl->conf->psk_len ); + memcpy( ssl->conf->psk_identity, psk_identity, ssl->conf->psk_identity_len ); return( 0 ); } @@ -5499,8 +5505,8 @@ void mbedtls_ssl_set_psk_cb( mbedtls_ssl_context *ssl, size_t), void *p_psk ) { - ssl->f_psk = f_psk; - ssl->p_psk = p_psk; + ssl->conf->f_psk = f_psk; + ssl->conf->p_psk = p_psk; } #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ @@ -5509,13 +5515,13 @@ int mbedtls_ssl_set_dh_param( mbedtls_ssl_context *ssl, const char *dhm_P, const { int ret; - if( ( ret = mbedtls_mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_P, 16, dhm_P ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); return( ret ); } - if( ( ret = mbedtls_mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_string( &ssl->conf->dhm_G, 16, dhm_G ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_read_string", ret ); return( ret ); @@ -5528,13 +5534,13 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context { int ret; - if( ( ret = mbedtls_mpi_copy( &ssl->dhm_P, &dhm_ctx->P ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &ssl->conf->dhm_P, &dhm_ctx->P ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); return( ret ); } - if( ( ret = mbedtls_mpi_copy( &ssl->dhm_G, &dhm_ctx->G ) ) != 0 ) + if( ( ret = mbedtls_mpi_copy( &ssl->conf->dhm_G, &dhm_ctx->G ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); return( ret ); @@ -5550,7 +5556,7 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_context *ssl, mbedtls_dhm_context */ void mbedtls_ssl_set_curves( mbedtls_ssl_context *ssl, const mbedtls_ecp_group_id *curve_list ) { - ssl->curve_list = curve_list; + ssl->conf->curve_list = curve_list; } #endif @@ -5583,8 +5589,8 @@ void mbedtls_ssl_set_sni( mbedtls_ssl_context *ssl, const unsigned char *, size_t), void *p_sni ) { - ssl->f_sni = f_sni; - ssl->p_sni = p_sni; + ssl->conf->f_sni = f_sni; + ssl->conf->p_sni = p_sni; } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ @@ -5608,7 +5614,7 @@ int mbedtls_ssl_set_alpn_protocols( mbedtls_ssl_context *ssl, const char **proto return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ssl->alpn_list = protos; + ssl->conf->alpn_list = protos; return( 0 ); } @@ -5628,7 +5634,7 @@ static int ssl_check_version( const mbedtls_ssl_context *ssl, int major, int min } #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && minor < MBEDTLS_SSL_MINOR_VERSION_2 ) { return( -1 ); @@ -5645,8 +5651,8 @@ int mbedtls_ssl_set_max_version( mbedtls_ssl_context *ssl, int major, int minor if( ssl_check_version( ssl, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->max_major_ver = major; - ssl->max_minor_ver = minor; + ssl->conf->max_major_ver = major; + ssl->conf->max_minor_ver = minor; return( 0 ); } @@ -5656,8 +5662,8 @@ int mbedtls_ssl_set_min_version( mbedtls_ssl_context *ssl, int major, int minor if( ssl_check_version( ssl, major, minor ) != 0 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ssl->min_major_ver = major; - ssl->min_minor_ver = minor; + ssl->conf->min_major_ver = major; + ssl->conf->min_minor_ver = minor; return( 0 ); } @@ -5672,20 +5678,20 @@ void mbedtls_ssl_set_fallback( mbedtls_ssl_context *ssl, char fallback ) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) void mbedtls_ssl_set_encrypt_then_mac( mbedtls_ssl_context *ssl, char etm ) { - ssl->encrypt_then_mac = etm; + ssl->conf->encrypt_then_mac = etm; } #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) void mbedtls_ssl_set_extended_master_secret( mbedtls_ssl_context *ssl, char ems ) { - ssl->extended_ms = ems; + ssl->conf->extended_ms = ems; } #endif void mbedtls_ssl_set_arc4_support( mbedtls_ssl_context *ssl, char arc4 ) { - ssl->arc4_disabled = arc4; + ssl->conf->arc4_disabled = arc4; } #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) @@ -5697,7 +5703,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - ssl->mfl_code = mfl_code; + ssl->conf->mfl_code = mfl_code; return( 0 ); } @@ -5706,7 +5712,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_context *ssl, unsigned char mfl_co #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) int mbedtls_ssl_set_truncated_hmac( mbedtls_ssl_context *ssl, int truncate ) { - ssl->trunc_hmac = truncate; + ssl->conf->trunc_hmac = truncate; return( 0 ); } @@ -5721,34 +5727,34 @@ void mbedtls_ssl_set_cbc_record_splitting( mbedtls_ssl_context *ssl, char split void mbedtls_ssl_legacy_renegotiation( mbedtls_ssl_context *ssl, int allow_legacy ) { - ssl->allow_legacy_renegotiation = allow_legacy; + ssl->conf->allow_legacy_renegotiation = allow_legacy; } #if defined(MBEDTLS_SSL_RENEGOTIATION) void mbedtls_ssl_set_renegotiation( mbedtls_ssl_context *ssl, int renegotiation ) { - ssl->disable_renegotiation = renegotiation; + ssl->conf->disable_renegotiation = renegotiation; } void mbedtls_ssl_set_renegotiation_enforced( mbedtls_ssl_context *ssl, int max_records ) { - ssl->renego_max_records = max_records; + ssl->conf->renego_max_records = max_records; } void mbedtls_ssl_set_renegotiation_period( mbedtls_ssl_context *ssl, const unsigned char period[8] ) { - memcpy( ssl->renego_period, period, 8 ); + memcpy( ssl->conf->renego_period, period, 8 ); } #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) { - ssl->session_tickets = use_tickets; + ssl->conf->session_tickets = use_tickets; #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) return( 0 ); #endif @@ -5763,7 +5769,7 @@ int mbedtls_ssl_set_session_tickets( mbedtls_ssl_context *ssl, int use_tickets ) void mbedtls_ssl_set_session_ticket_lifetime( mbedtls_ssl_context *ssl, int lifetime ) { - ssl->ticket_lifetime = lifetime; + ssl->conf->ticket_lifetime = lifetime; } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -5797,7 +5803,7 @@ const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl ) const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { switch( ssl->minor_ver ) { @@ -5882,7 +5888,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session if( ssl == NULL || dst == NULL || ssl->session == NULL || - ssl->endpoint != MBEDTLS_SSL_IS_CLIENT ) + ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -5899,11 +5905,11 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ret = mbedtls_ssl_handshake_client_step( ssl ); #endif #if defined(MBEDTLS_SSL_SRV_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ret = mbedtls_ssl_handshake_server_step( ssl ); #endif @@ -5980,10 +5986,10 @@ static int ssl_start_renegotiation( mbedtls_ssl_context *ssl ) /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and * the ServerHello will have message_seq = 1" */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) ssl->handshake->out_msg_seq = 1; else ssl->handshake->in_msg_seq = 1; @@ -6014,7 +6020,7 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) /* On server, just send the request */ - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER ) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -6065,14 +6071,14 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) { if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || - ssl->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) + ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) { return( 0 ); } // TODO: adapt for DTLS - if( memcmp( ssl->in_ctr, ssl->renego_period, 8 ) <= 0 && - memcmp( ssl->out_ctr, ssl->renego_period, 8 ) <= 0 ) + if( memcmp( ssl->in_ctr, ssl->conf->renego_period, 8 ) <= 0 && + memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 ) { return( 0 ); } @@ -6093,7 +6099,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) return( ret ); @@ -6134,7 +6140,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) #if defined(MBEDTLS_SSL_PROTO_DTLS) /* Start timer if not already running */ if( ssl->time_limit == 0 ) - ssl_set_timer( ssl, ssl->read_timeout ); + ssl_set_timer( ssl, ssl->conf->read_timeout ); #endif if( ! record_read ) @@ -6171,7 +6177,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); #if defined(MBEDTLS_SSL_CLI_C) - if( ssl->endpoint == MBEDTLS_SSL_IS_CLIENT && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) { @@ -6179,29 +6185,29 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( MBEDTLS_ERR_NET_WANT_READ ); #endif return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); /* With DTLS, drop the packet (probably from last handshake) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) return( MBEDTLS_ERR_NET_WANT_READ ); #endif return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); } #endif - if( ssl->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || + if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->allow_legacy_renegotiation == + ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); @@ -6240,8 +6246,8 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) { /* DTLS clients need to know renego is server-initiated */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->endpoint == MBEDTLS_SSL_IS_CLIENT ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; } @@ -6266,9 +6272,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { - if( ssl->renego_max_records >= 0 ) + if( ssl->conf->renego_max_records >= 0 ) { - if( ++ssl->renego_records_seen > ssl->renego_max_records ) + if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " "but not honored by client" ) ); @@ -6303,7 +6309,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) * Do it now, after setting in_offt, to avoid taking this branch * again if ssl_write_hello_request() returns WANT_WRITE */ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->endpoint == MBEDTLS_SSL_IS_SERVER && + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 ) @@ -6350,7 +6356,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, /* * Assume mfl_code is correct since it was checked when set */ - max_len = mfl_code_to_length[ssl->mfl_code]; + max_len = mfl_code_to_length[ssl->conf->mfl_code]; /* * Check if a smaller max length was negotiated @@ -6364,7 +6370,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, if( len > max_len ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " "maximum fragment length: %d > %d", @@ -6632,8 +6638,8 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_DHM_C) - mbedtls_mpi_free( &ssl->dhm_P ); - mbedtls_mpi_free( &ssl->dhm_G ); + mbedtls_mpi_free( &ssl->conf->dhm_P ); + mbedtls_mpi_free( &ssl->conf->dhm_G ); #endif if( ssl->transform ) @@ -6677,19 +6683,19 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ssl->psk != NULL ) + if( ssl->conf->psk != NULL ) { - mbedtls_zeroize( ssl->psk, ssl->psk_len ); - mbedtls_zeroize( ssl->psk_identity, ssl->psk_identity_len ); - mbedtls_free( ssl->psk ); - mbedtls_free( ssl->psk_identity ); - ssl->psk_len = 0; - ssl->psk_identity_len = 0; + mbedtls_zeroize( ssl->conf->psk, ssl->conf->psk_len ); + mbedtls_zeroize( ssl->conf->psk_identity, ssl->conf->psk_identity_len ); + mbedtls_free( ssl->conf->psk ); + mbedtls_free( ssl->conf->psk_identity ); + ssl->conf->psk_len = 0; + ssl->conf->psk_identity_len = 0; } #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) - ssl_key_cert_free( ssl->key_cert ); + ssl_key_cert_free( ssl->conf->key_cert ); #endif #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) @@ -6786,7 +6792,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp { const mbedtls_ecp_group_id *gid; - for( gid = ssl->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) if( *gid == grp_id ) return( 1 );