Introduce new config.h flag for TLS

For now the option has no effect. Adapted existing example config files. The fact that I needed to do this highlights that this is a slightly incompatible change: existing users need to update their existing custom configs (if standalone as opposed to based on the default config) in order to still get the same behaviour. The alternative would be to have a negative config option (eg NO_TLS or DTLS_ONLY) but this doesn't fit as nicely with the existing options, so hopefully the minor incompatibility is acceptable. I don't think it's worth adding a new component to all.sh: - builds with both DTLS and TLS are done in the default (and full) config - TLS-only builds are done with eg config-suite-b.h in test-ref-configs - a DTLS-only build is done with config-thread.h in test-ref-configs - builds with none of them (and SSL_TLS_C enabled) are forbidden
2024-11-22 22:35:43 +01:00 · 2019-03-18 10:18:37 +01:00 · 2019-03-18 10:18:37 +01:00 · a771160799
commit a771160799
parent 21d1c32b2b
8 changed files with 44 additions and 5 deletions
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@ -41,6 +41,7 @@
 /* mbed TLS feature support */
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS

 /* mbed TLS modules */
 #define MBEDTLS_AES_C
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@ -40,6 +40,7 @@
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_1
+#define MBEDTLS_SSL_PROTO_TLS

 /* mbed TLS modules */
 #define MBEDTLS_AES_C
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@ -47,6 +47,7 @@
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS

 /* mbed TLS modules */
 #define MBEDTLS_AES_C
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@ -29,6 +29,7 @@
 * Distinguishing features:
 * - no RSA or classic DH, fully based on ECC
 * - no X.509
+ * - no TLS, only DTLS
 * - support for experimental EC J-PAKE key exchange
 *
 * See README.txt for usage instructions.
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -562,7 +562,12 @@
 #if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
    !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
    !defined(MBEDTLS_SSL_PROTO_TLS1_2))
-#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#error "MBEDTLS_SSL_TLS_C defined, but no protocol version is active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && \
+    (!defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS))
+#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
 #endif

 #if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1453,7 +1453,7 @@
 /**
 * \def MBEDTLS_SSL_PROTO_SSL3
 *
- * Enable support for SSL 3.0.
+ * Enable support for SSL 3.0 (if TLS is enabled).
 *
 * Requires: MBEDTLS_MD5_C
 *           MBEDTLS_SHA1_C
@ -1465,7 +1465,7 @@
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1
 *
- * Enable support for TLS 1.0.
+ * Enable support for TLS 1.0 (if TLS is enabled).
 *
 * Requires: MBEDTLS_MD5_C
 *           MBEDTLS_SHA1_C
@ -1477,7 +1477,8 @@
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_1
 *
- * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ * Enable support for TLS 1.1 (if TLS is enabled) and DTLS 1.0 (if DTLS is
+ * enabled).
 *
 * Requires: MBEDTLS_MD5_C
 *           MBEDTLS_SHA1_C
@ -1489,7 +1490,8 @@
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_2
 *
- * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ * Enable support for TLS 1.2 (if TLS is enabled) and DTLS 1.2 (if DTLS is
+ * enabled).
 *
 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
 *           (Depends on ciphersuites)
@ -1513,6 +1515,23 @@
 */
 #define MBEDTLS_SSL_PROTO_DTLS

+/**
+ * \def MBEDTLS_SSL_PROTO_TLS
+ *
+ * Enable support for TLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1   to enable TLS 1.0,
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ *        or MBEDTLS_SSL_PROTO_TLS1_1
+ *        or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for TLS
+ */
+#define MBEDTLS_SSL_PROTO_TLS
+
 /**
 * \def MBEDTLS_SSL_ALPN
 *
--- a/library/version_features.c
+++ b/library/version_features.c
@ -486,6 +486,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    "MBEDTLS_SSL_PROTO_DTLS",
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+    "MBEDTLS_SSL_PROTO_TLS",
+#endif /* MBEDTLS_SSL_PROTO_TLS */
 #if defined(MBEDTLS_SSL_ALPN)
    "MBEDTLS_SSL_ALPN",
 #endif /* MBEDTLS_SSL_ALPN */
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@ -1338,6 +1338,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */

+#if defined(MBEDTLS_SSL_PROTO_TLS)
+    if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS */
+
 #if defined(MBEDTLS_SSL_ALPN)
    if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
    {