mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 23:15:43 +01:00
Allow configuration of ConnectionID at compile-time
Introduces - MBEDTLS_SSL_CONF_CID_LEN and - MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID to control - the length of incoming CIDs - the behaviour in receipt of unexpected CIDs at compile-time. Impact on code-size: | | GCC 82.1 | ARMC5 5.06 | ARMC6 6.12 | | --- | --- | --- | --- | | `libmbedtls.a` before | 23223 | 23865 | 26775 | | `libmbedtls.a` after | 23147 | 23781 | 26703 | | gain in Bytes | 76 | 84 | 72 |
This commit is contained in:
Hanno Becker
parent
b0b2b67568
commit
e0200dad63
@ -80,6 +80,8 @@
|
||||
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
|
||||
/* Compile-time fixed parts of the SSL configuration */
|
||||
#define MBEDTLS_SSL_CONF_CID_LEN 0
|
||||
#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
|
||||
#define MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION \
|
||||
MBEDTLS_SSL_SECURE_RENEGOTIATION
|
||||
#define MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
|
||||
|
||||
@ -631,6 +631,13 @@
|
||||
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
|
||||
#endif
|
||||
|
||||
#if ( defined(MBEDTLS_SSL_CONF_CID_LEN) && \
|
||||
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) || \
|
||||
( !defined(MBEDTLS_SSL_CONF_CID_LEN) && \
|
||||
defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) )
|
||||
#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
|
||||
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
|
||||
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"
|
||||
|
||||
@ -3457,6 +3457,8 @@
|
||||
/* DTLS-specific settings */
|
||||
//#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
|
||||
//#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
|
||||
//#define MBEDTLS_SSL_CONF_CID_LEN 0
|
||||
//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
|
||||
|
||||
/* ExtendedMasterSecret extension
|
||||
* The following two options must be set/unset simultaneously. */
|
||||
|
||||
@ -957,7 +957,9 @@ struct mbedtls_ssl_config
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
|
||||
size_t cid_len; /*!< The length of CIDs for incoming DTLS records. */
|
||||
#endif /* !MBEDTLS_SSL_CONF_CID_LEN */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
@ -1100,9 +1102,11 @@ struct mbedtls_ssl_config
|
||||
Certificate Request messages? */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
|
||||
* record with unexpected CID
|
||||
* should lead to failure. */
|
||||
#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
};
|
||||
|
||||
@ -2312,9 +2316,11 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
|
||||
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
|
||||
const int *ciphersuites );
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
|
||||
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
|
||||
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
|
||||
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
/**
|
||||
* \brief Specify the length of Connection IDs for incoming
|
||||
* encrypted DTLS records, as well as the behaviour
|
||||
@ -2343,13 +2349,19 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
|
||||
* same SSL configuration; this allows simpler parsing of
|
||||
* record headers.
|
||||
*
|
||||
* \note On constrained systems, this configuration can also be
|
||||
* fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and
|
||||
* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID.
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
|
||||
* is too large.
|
||||
*/
|
||||
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
|
||||
int ignore_other_cids );
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
|
||||
!MBEDTLS_SSL_CONF_CID_LEN &&
|
||||
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
/**
|
||||
* \brief Set the list of allowed ciphersuites and the
|
||||
|
||||
@ -1085,6 +1085,38 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
||||
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
|
||||
static inline size_t mbedtls_ssl_conf_get_cid_len(
|
||||
mbedtls_ssl_config const *conf )
|
||||
{
|
||||
return( conf->cid_len );
|
||||
}
|
||||
#else /* !MBEDTLS_SSL_CONF_CID_LEN */
|
||||
static inline size_t mbedtls_ssl_conf_get_cid_len(
|
||||
mbedtls_ssl_config const *conf )
|
||||
{
|
||||
((void) conf);
|
||||
return( MBEDTLS_SSL_CONF_CID_LEN );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_CID_LEN */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
|
||||
mbedtls_ssl_config const *conf )
|
||||
{
|
||||
return( conf->ignore_unexpected_cid );
|
||||
}
|
||||
#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
|
||||
mbedtls_ssl_config const *conf )
|
||||
{
|
||||
((void) conf);
|
||||
return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||
static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
|
||||
mbedtls_ssl_config const *conf )
|
||||
|
||||
@ -117,6 +117,9 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
/* Top-level Connection ID API */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
|
||||
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
|
||||
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
|
||||
size_t len,
|
||||
int ignore_other_cid )
|
||||
@ -134,6 +137,21 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
|
||||
conf->cid_len = len;
|
||||
return( 0 );
|
||||
}
|
||||
#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
|
||||
!MBEDTLS_SSL_CONF_CID_LEN &&
|
||||
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
#if MBEDTLS_SSL_CONF_CID_LEN > MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_CID_LEN"
|
||||
#endif
|
||||
#if MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE && \
|
||||
MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID != MBEDTLS_SSL_UNEXPECTED_CID_FAIL
|
||||
#error "Invalid hardcoded value for MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID"
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
|
||||
!MBEDTLS_SSL_CONF_CID_LEN &&
|
||||
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
|
||||
int enable,
|
||||
@ -152,11 +170,11 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
|
||||
|
||||
if( own_cid_len != ssl->conf->cid_len )
|
||||
if( own_cid_len != mbedtls_ssl_conf_get_cid_len( ssl->conf ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
|
||||
(unsigned) own_cid_len,
|
||||
(unsigned) ssl->conf->cid_len ) );
|
||||
(unsigned) mbedtls_ssl_conf_get_cid_len( ssl->conf ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
@ -4617,7 +4635,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
|
||||
ssl->in_msgtype == MBEDTLS_SSL_MSG_CID &&
|
||||
ssl->conf->cid_len != 0 )
|
||||
mbedtls_ssl_conf_get_cid_len( ssl->conf ) != 0 )
|
||||
{
|
||||
/* Shift pointers to account for record header including CID
|
||||
* struct {
|
||||
@ -4634,7 +4652,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
||||
|
||||
/* So far, we only support static CID lengths
|
||||
* fixed in the configuration. */
|
||||
ssl->in_len = ssl->in_cid + ssl->conf->cid_len;
|
||||
ssl->in_len = ssl->in_cid + mbedtls_ssl_conf_get_cid_len( ssl->conf );
|
||||
ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
|
||||
}
|
||||
else
|
||||
@ -4863,8 +4881,8 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
|
||||
ssl->conf->ignore_unexpected_cid
|
||||
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
|
||||
mbedtls_ssl_conf_get_ignore_unexpected_cid( ssl->conf )
|
||||
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
|
||||
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
|
||||
|
||||
@ -2610,6 +2610,22 @@ int query_config( const char *config )
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_BADMAC_LIMIT */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CONF_CID_LEN)
|
||||
if( strcmp( "MBEDTLS_SSL_CONF_CID_LEN", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CID_LEN );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_CID_LEN */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
if( strcmp( "MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
|
||||
{
|
||||
|
||||
@ -1672,7 +1672,9 @@ int main( int argc, char *argv[] )
|
||||
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
|
||||
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
|
||||
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
|
||||
{
|
||||
if( opt.cid_enabled == 1 &&
|
||||
@ -1697,7 +1699,9 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
|
||||
!MBEDTLS_SSL_CONF_CID_LEN &&
|
||||
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
if( opt.auth_mode != DFL_AUTH_MODE )
|
||||
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
|
||||
|
||||
@ -2489,7 +2489,9 @@ int main( int argc, char *argv[] )
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
|
||||
!defined(MBEDTLS_SSL_CONF_CID_LEN) && \
|
||||
!defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
|
||||
if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 )
|
||||
{
|
||||
if( opt.cid_enabled == 1 &&
|
||||
@ -2514,7 +2516,9 @@ int main( int argc, char *argv[] )
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
|
||||
!MBEDTLS_SSL_CONF_CID_LEN &&
|
||||
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
|
||||
|
||||
Loading…
Reference in New Issue
Block a user