Use negated option for controlling TLS support.

A positive option looks better, but comes with the following compatibility issue: people using a custom config.h that is not based on the default config.h and need TLS support would need to manually change their config in order to still get TLS. Work around that by making the public option negative. Internally the positive option is used, though. In the future (when preparing the next major version), we might want to switch back to a positive option as this would be more consistent with other options we have.
2024-11-22 11:15:43 +01:00 · 2019-06-17 15:21:07 +02:00 · 2019-06-17 15:21:07 +02:00 · ba8b1eb5d9
commit ba8b1eb5d9
parent ec1c222947
16 changed files with 45 additions and 42 deletions
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@ -41,7 +41,6 @@
 /* mbed TLS feature support */
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS

 /* mbed TLS modules */
 #define MBEDTLS_AES_C
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@ -40,7 +40,6 @@
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_1
-#define MBEDTLS_SSL_PROTO_TLS

 /* mbed TLS modules */
 #define MBEDTLS_AES_C
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@ -47,7 +47,6 @@
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS

 /* mbed TLS modules */
 #define MBEDTLS_AES_C
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@ -49,6 +49,7 @@
 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #define MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_PROTO_NO_TLS
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
 #define MBEDTLS_SSL_EXPORT_KEYS
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -566,7 +566,7 @@
 #endif

 #if defined(MBEDTLS_SSL_TLS_C) && \
-    ( !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
+    ( defined(MBEDTLS_SSL_PROTO_NO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
 #endif

--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1508,7 +1508,7 @@
 * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2,
 * and/or this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0.
 *
- * \see MBEDTLS_SSL_PROTO_TLS
+ * \see MBEDTLS_SSL_PROTO_NO_TLS
 *
 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
 *        or MBEDTLS_SSL_PROTO_TLS1_2
@ -1518,25 +1518,22 @@
 #define MBEDTLS_SSL_PROTO_DTLS

 /**
- * \def MBEDTLS_SSL_PROTO_TLS
+ * \def MBEDTLS_SSL_PROTO_NO_TLS
 *
- * Enable support for SSL/TLS (all available versions).
+ * Disable support for SSL/TLS (all available versions) - this doesn't affect
+ * support for DTLS which is controlled by #MBEDTLS_SSL_PROTO_DTLS.
 *
- * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
- * enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
- * enable this and MBEDTLS_SSL_PROTO_TLS1   to enable TLS 1.0;
- * and/or this and MBEDTLS_SSL_PROTO_SSL3   to enable SSL 3.0 (deprecated).
+ * Disable this and enable MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1   to enable TLS 1.0;
+ * disable this and enable MBEDTLS_SSL_PROTO_SSL3   to enable SSL 3.0.
 *
- * \see MBEDTLS_SSL_PROTO_DTLS
+ * Requirements: if this macro is disabled, at least one of the above
+ * TLS versions needs to be enabled.
 *
- * Requires: MBEDTLS_SSL_PROTO_TLS1_2
- *        or MBEDTLS_SSL_PROTO_TLS1_1
- *        or MBEDTLS_SSL_PROTO_TLS1
- *        or MBEDTLS_SSL_PROTO_SSL3 (deprecated)
- *
- * Comment this macro to disable support for TLS
+ * Uncomment this macro to disable support for TLS.
 */
-#define MBEDTLS_SSL_PROTO_TLS
+//#define MBEDTLS_SSL_PROTO_NO_TLS

 /**
 * \def MBEDTLS_SSL_ALPN
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1337,8 +1337,8 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );

 /**
 * \brief           Set the transport type (TLS or DTLS).
- *                  Default: TLS if #MBEDTLS_SSL_PROTO_TLS is defined, else
- *                  DTLS.
+ *                  Default: TLS unless #MBEDTLS_SSL_PROTO_NO_TLS is defined,
+ *                  else DTLS.
 *
 * \note            For DTLS, you must either provide a recv callback that
 *                  doesn't block, or one that handles timeouts, see
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -58,6 +58,12 @@
 #define inline __inline
 #endif

+/* The public option is negative for backwards compatibility,
+ * but internally a poisitive option is more convenient. */
+#if !defined(MBEDTLS_SSL_PROTO_NO_TLS)
+#define MBEDTLS_SSL_PROTO_TLS
+#endif
+
 /* Determine minimum supported version */
 #define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3

--- a/library/version_features.c
+++ b/library/version_features.c
@ -486,9 +486,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    "MBEDTLS_SSL_PROTO_DTLS",
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_PROTO_TLS)
-    "MBEDTLS_SSL_PROTO_TLS",
-#endif /* MBEDTLS_SSL_PROTO_TLS */
+#if defined(MBEDTLS_SSL_PROTO_NO_TLS)
+    "MBEDTLS_SSL_PROTO_NO_TLS",
+#endif /* MBEDTLS_SSL_PROTO_NO_TLS */
 #if defined(MBEDTLS_SSL_ALPN)
    "MBEDTLS_SSL_ALPN",
 #endif /* MBEDTLS_SSL_ALPN */
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@ -1338,13 +1338,13 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */

-#if defined(MBEDTLS_SSL_PROTO_TLS)
-    if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
+#if defined(MBEDTLS_SSL_PROTO_NO_TLS)
+    if( strcmp( "MBEDTLS_SSL_PROTO_NO_TLS", config ) == 0 )
    {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_NO_TLS );
        return( 0 );
    }
-#endif /* MBEDTLS_SSL_PROTO_TLS */
+#endif /* MBEDTLS_SSL_PROTO_NO_TLS */

 #if defined(MBEDTLS_SSL_ALPN)
    if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@ -44,14 +44,14 @@
    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||         \
    !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
    !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
-    !defined(MBEDTLS_SSL_PROTO_TLS)
+    defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
           "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or"
-           "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+           "not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
    return( 0 );
 }
 #else
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@ -44,7 +44,7 @@
    !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) ||    \
    !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_TIMING_C) || \
    !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) || \
-    !defined(MBEDTLS_SSL_PROTO_TLS)
+    defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( int argc, char *argv[] )
 {
    ((void) argc);
@ -54,8 +54,8 @@ int main( int argc, char *argv[] )
           "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
-           "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C and/or "
-           "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+           "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+           "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
    return( 0 );
 }
 #elif defined(_WIN32)
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -48,14 +48,14 @@
    !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||         \
    !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
-    !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_SSL_PROTO_TLS)
+    !defined(MBEDTLS_FS_IO) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
           "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
-           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
-           "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
+           "not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
    return( 0 );
 }
 #else
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@ -45,7 +45,7 @@
    !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) ||            \
    !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) ||      \
    !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) || \
-    !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
+    !defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
@ -53,8 +53,8 @@ int main( void )
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
           "MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD "
-           "and/or MBEDTLS_PEM_PARSE_C and/or "
-           "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+           "and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+           "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
    return( 0 );
 }
 #else
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@ -44,15 +44,15 @@
    !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) ||     \
    !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) ||    \
    !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
-    !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
+    !defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
           "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
           "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
-           "and/or MBEDTLS_PEM_PARSE_C and/or "
-           "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+           "and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+           "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
    return( 0 );
 }
 #else
--- a/scripts/config.pl
+++ b/scripts/config.pl
@ -31,6 +31,7 @@
 #   MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 #   MBEDTLS_REMOVE_3DES_CIPHERSUITES
 #   MBEDTLS_SSL_HW_RECORD_ACCEL
+#   MBEDTLS_SSL_PROTO_NO_DTLS
 #   MBEDTLS_RSA_NO_CRT
 #   MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 #   MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
@ -92,6 +93,7 @@ MBEDTLS_RSA_NO_CRT
 MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 MBEDTLS_REMOVE_3DES_CIPHERSUITES
 MBEDTLS_SSL_HW_RECORD_ACCEL
+MBEDTLS_SSL_PROTO_NO_TLS
 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_ZLIB_SUPPORT