mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 19:25:42 +01:00
Allow compile-time configuration of legacy renegotiation
Introduces MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION allowing to configure enforcing secure renegotiation at compile-time. Impact on code-size: | | GCC | ARMC5 | ARMC6 | | --- | --- | --- | --- | | `libmbedtls.a` after | 23379 | 23929 | 27727 | | `libmbedtls.a` before | 23307 | 23865 | 27615 | | gain in Bytes | 72 | 64 | 112 |
This commit is contained in:
parent
acd4fc0ac9
commit
b0b2b67568
@ -80,6 +80,8 @@
|
|||||||
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
|
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||||
|
|
||||||
/* Compile-time fixed parts of the SSL configuration */
|
/* Compile-time fixed parts of the SSL configuration */
|
||||||
|
#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \
|
||||||
|
MBEDTLS_SSL_SECURE_RENEGOTIATION
|
||||||
#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
|
#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
|
||||||
#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
|
#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
|
||||||
#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
|
#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
|
||||||
|
@ -3450,6 +3450,8 @@
|
|||||||
* \{
|
* \{
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
//#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
|
||||||
|
|
||||||
//#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
|
//#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
|
||||||
|
|
||||||
/* DTLS-specific settings */
|
/* DTLS-specific settings */
|
||||||
|
@ -1052,8 +1052,10 @@ struct mbedtls_ssl_config
|
|||||||
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
||||||
unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */
|
unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */
|
||||||
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
|
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
/* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */
|
/* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */
|
||||||
unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */
|
unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
#if defined(MBEDTLS_ARC4_C)
|
#if defined(MBEDTLS_ARC4_C)
|
||||||
unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */
|
unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites? */
|
||||||
#endif
|
#endif
|
||||||
@ -3047,6 +3049,7 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets
|
|||||||
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
|
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
|
||||||
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
/**
|
/**
|
||||||
* \brief Prevent or allow legacy renegotiation.
|
* \brief Prevent or allow legacy renegotiation.
|
||||||
* (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
|
* (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
|
||||||
@ -3073,8 +3076,14 @@ void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation
|
|||||||
* \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
|
* \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
|
||||||
* SSL_ALLOW_LEGACY_RENEGOTIATION or
|
* SSL_ALLOW_LEGACY_RENEGOTIATION or
|
||||||
* MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
|
* MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* \note On constrained systems, this option can also be
|
||||||
|
* fixed at compile-time by defining the constant
|
||||||
|
* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION.
|
||||||
*/
|
*/
|
||||||
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
|
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
/**
|
/**
|
||||||
|
@ -1085,6 +1085,21 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
|
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
|
static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
|
||||||
|
mbedtls_ssl_config const *conf )
|
||||||
|
{
|
||||||
|
return( conf->allow_legacy_renegotiation );
|
||||||
|
}
|
||||||
|
#else /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
|
static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
|
||||||
|
mbedtls_ssl_config const *conf )
|
||||||
|
{
|
||||||
|
((void) conf);
|
||||||
|
return( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
|
|
||||||
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
||||||
static inline int mbedtls_ssl_conf_get_authmode(
|
static inline int mbedtls_ssl_conf_get_authmode(
|
||||||
mbedtls_ssl_config const *conf )
|
mbedtls_ssl_config const *conf )
|
||||||
|
@ -2059,7 +2059,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
* Renegotiation security checks
|
* Renegotiation security checks
|
||||||
*/
|
*/
|
||||||
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
||||||
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
||||||
handshake_failure = 1;
|
handshake_failure = 1;
|
||||||
@ -2074,7 +2075,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
||||||
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
||||||
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
|
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
|
||||||
handshake_failure = 1;
|
handshake_failure = 1;
|
||||||
|
@ -1227,7 +1227,8 @@ have_ciphersuite_v2:
|
|||||||
* SSLv2 Client Hello relevant renegotiation security checks
|
* SSLv2 Client Hello relevant renegotiation security checks
|
||||||
*/
|
*/
|
||||||
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
||||||
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
@ -2004,7 +2005,8 @@ read_record_header:
|
|||||||
* Renegotiation security checks
|
* Renegotiation security checks
|
||||||
*/
|
*/
|
||||||
if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
|
if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
|
||||||
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
|
||||||
handshake_failure = 1;
|
handshake_failure = 1;
|
||||||
@ -2019,7 +2021,8 @@ read_record_header:
|
|||||||
}
|
}
|
||||||
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
|
||||||
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
||||||
ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
|
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf )
|
||||||
|
== MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
|
||||||
handshake_failure = 1;
|
handshake_failure = 1;
|
||||||
|
@ -8675,10 +8675,12 @@ void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
|
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
|
||||||
{
|
{
|
||||||
conf->allow_legacy_renegotiation = allow_legacy;
|
conf->allow_legacy_renegotiation = allow_legacy;
|
||||||
}
|
}
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
|
void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
|
||||||
@ -9999,7 +10001,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
|
|||||||
/* Determine whether renegotiation attempt should be accepted */
|
/* Determine whether renegotiation attempt should be accepted */
|
||||||
if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
|
if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
|
||||||
( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
|
||||||
ssl->conf->allow_legacy_renegotiation ==
|
mbedtls_ssl_conf_get_allow_legacy_renegotiation( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
|
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
|
@ -2578,6 +2578,14 @@ int query_config( const char *config )
|
|||||||
}
|
}
|
||||||
#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
|
#endif /* MBEDTLS_PLATFORM_GMTIME_R_ALT */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
|
if( strcmp( "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION", config ) == 0 )
|
||||||
|
{
|
||||||
|
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION );
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
#if defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
||||||
if( strcmp( "MBEDTLS_SSL_CONF_AUTHMODE", config ) == 0 )
|
if( strcmp( "MBEDTLS_SSL_CONF_AUTHMODE", config ) == 0 )
|
||||||
{
|
{
|
||||||
|
@ -301,6 +301,12 @@ int main( void )
|
|||||||
#define USAGE_AUTH_MODE ""
|
#define USAGE_AUTH_MODE ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
|
#define USAGE_ALLOW_LEGACY_RENEGO " allow_legacy=%%d default: (library default: no)\n"
|
||||||
|
#else
|
||||||
|
#define USAGE_ALLOW_LEGACY_RENEGO ""
|
||||||
|
#endif
|
||||||
|
|
||||||
#define USAGE \
|
#define USAGE \
|
||||||
"\n usage: ssl_client2 param=<>...\n" \
|
"\n usage: ssl_client2 param=<>...\n" \
|
||||||
"\n acceptable parameters:\n" \
|
"\n acceptable parameters:\n" \
|
||||||
@ -332,7 +338,7 @@ int main( void )
|
|||||||
USAGE_ECJPAKE \
|
USAGE_ECJPAKE \
|
||||||
USAGE_ECRESTART \
|
USAGE_ECRESTART \
|
||||||
"\n" \
|
"\n" \
|
||||||
" allow_legacy=%%d default: (library default: no)\n" \
|
USAGE_ALLOW_LEGACY_RENEGO \
|
||||||
USAGE_RENEGO \
|
USAGE_RENEGO \
|
||||||
" exchanges=%%d default: 1\n" \
|
" exchanges=%%d default: 1\n" \
|
||||||
" reconnect=%%d number of reconnections using session resumption\n" \
|
" reconnect=%%d number of reconnections using session resumption\n" \
|
||||||
@ -987,6 +993,7 @@ int main( int argc, char *argv[] )
|
|||||||
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
|
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
|
||||||
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
|
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
|
||||||
}
|
}
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
else if( strcmp( p, "allow_legacy" ) == 0 )
|
else if( strcmp( p, "allow_legacy" ) == 0 )
|
||||||
{
|
{
|
||||||
switch( atoi( q ) )
|
switch( atoi( q ) )
|
||||||
@ -1003,6 +1010,7 @@ int main( int argc, char *argv[] )
|
|||||||
default: goto usage;
|
default: goto usage;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
else if( strcmp( p, "renegotiate" ) == 0 )
|
else if( strcmp( p, "renegotiate" ) == 0 )
|
||||||
{
|
{
|
||||||
opt.renegotiate = atoi( q );
|
opt.renegotiate = atoi( q );
|
||||||
@ -1771,8 +1779,10 @@ int main( int argc, char *argv[] )
|
|||||||
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
|
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
|
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
|
||||||
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
|
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
|
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
|
||||||
#endif
|
#endif
|
||||||
|
@ -408,6 +408,13 @@ int main( void )
|
|||||||
#define USAGE_AUTH_MODE ""
|
#define USAGE_AUTH_MODE ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
|
#define USAGE_ALLOW_LEGACY_RENEGO \
|
||||||
|
" allow_legacy=%%d default: (library default: no)\n"
|
||||||
|
#else
|
||||||
|
#define USAGE_ALLOW_LEGACY_RENEGO ""
|
||||||
|
#endif
|
||||||
|
|
||||||
#define USAGE \
|
#define USAGE \
|
||||||
"\n usage: ssl_server2 param=<>...\n" \
|
"\n usage: ssl_server2 param=<>...\n" \
|
||||||
"\n acceptable parameters:\n" \
|
"\n acceptable parameters:\n" \
|
||||||
@ -440,7 +447,7 @@ int main( void )
|
|||||||
USAGE_PSK \
|
USAGE_PSK \
|
||||||
USAGE_ECJPAKE \
|
USAGE_ECJPAKE \
|
||||||
"\n" \
|
"\n" \
|
||||||
" allow_legacy=%%d default: (library default: no)\n" \
|
USAGE_ALLOW_LEGACY_RENEGO \
|
||||||
USAGE_RENEGO \
|
USAGE_RENEGO \
|
||||||
" exchanges=%%d default: 1\n" \
|
" exchanges=%%d default: 1\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
@ -1668,6 +1675,7 @@ int main( int argc, char *argv[] )
|
|||||||
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
|
MBEDTLS_SSL_RENEGOTIATION_ENABLED :
|
||||||
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
|
MBEDTLS_SSL_RENEGOTIATION_DISABLED;
|
||||||
}
|
}
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
else if( strcmp( p, "allow_legacy" ) == 0 )
|
else if( strcmp( p, "allow_legacy" ) == 0 )
|
||||||
{
|
{
|
||||||
switch( atoi( q ) )
|
switch( atoi( q ) )
|
||||||
@ -1684,6 +1692,7 @@ int main( int argc, char *argv[] )
|
|||||||
default: goto usage;
|
default: goto usage;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */
|
||||||
else if( strcmp( p, "renegotiate" ) == 0 )
|
else if( strcmp( p, "renegotiate" ) == 0 )
|
||||||
{
|
{
|
||||||
opt.renegotiate = atoi( q );
|
opt.renegotiate = atoi( q );
|
||||||
@ -2637,8 +2646,10 @@ int main( int argc, char *argv[] )
|
|||||||
MBEDTLS_SSL_MINOR_VERSION_3 );
|
MBEDTLS_SSL_MINOR_VERSION_3 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||||
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
|
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
|
||||||
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
|
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
|
||||||
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
|
mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation );
|
||||||
|
|
||||||
|
@ -543,6 +543,20 @@ check_cmdline_authmode_compat() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_cmdline_legacy_renego_compat() {
|
||||||
|
__VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION" )"
|
||||||
|
if [ ! -z "$__VAL" ]; then
|
||||||
|
extract_cmdline_argument "allow_legacy"
|
||||||
|
if [ "$__ARG" = "-1" ] && [ "$__VAL" != "2" ]; then
|
||||||
|
SKIP_NEXT="YES";
|
||||||
|
elif [ "$__ARG" = "0" ] && [ "$__VAL" != "0" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif [ "$__ARG" = "1" ] && [ "$__VAL" != "1" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Go through all options that can be hardcoded at compile-time and
|
# Go through all options that can be hardcoded at compile-time and
|
||||||
# detect whether the command line configures them in a conflicting
|
# detect whether the command line configures them in a conflicting
|
||||||
# way. If so, skip the test. Otherwise, remove the corresponding
|
# way. If so, skip the test. Otherwise, remove the corresponding
|
||||||
@ -569,6 +583,9 @@ check_cmdline_compat() {
|
|||||||
|
|
||||||
# Authentication mode
|
# Authentication mode
|
||||||
check_cmdline_authmode_compat
|
check_cmdline_authmode_compat
|
||||||
|
|
||||||
|
# Legacy renegotiation
|
||||||
|
check_cmdline_legacy_renego_compat
|
||||||
}
|
}
|
||||||
|
|
||||||
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
|
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
|
||||||
|
Loading…
Reference in New Issue
Block a user