Correction according to code review (function and param. names change

and docs rewording)

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
TRodziewicz 2021-06-14 12:11:18 +02:00
parent 8b223b6509
commit 3946f79cab
5 changed files with 29 additions and 31 deletions


@ -1,9 +1,3 @@
API changes
* Remove the MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE option from config.h.
Replace it with SSL runtime option which can be enabled or disabled using
new added API function mbedtls_ssl_conf_respect_client_preference(). Add
a new field respect_cli_pref in the mbedtls_ssl_config structure and two
defines used as a parameter: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED
and MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED. Adapt the code used for
searching for a matching ciphersuite to use the new field instead of the
removed config.h option. Fixes #3498.
* Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.


@ -1,13 +1,14 @@
Turn MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE configuration option into a runtime option
--
This change affects users who see the change of the SSL server vs. client
preferred set of ciphersuites in runtime useful.
This change affects users who were enabling MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
option in the `config.h`
The `MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE` `config.h` option has been
removed and a new function with similar functionality has been introduced into the
SSL API.
This option has been removed and a new function with similar functionality has
been introduced into the SSL API.
This new function `mbedtls_ssl_conf_respect_client_preference()` can be used to
change the preferred set of ciphersuites on the server to those used on the client.
The default state is to use the server set of suites.
This new function `mbedtls_ssl_conf_preference_order()` can be used to
change the preferred order of ciphersuites on the server to those used on the client,
e.g.: `mbedtls_ssl_conf_preference_order(ssl_config, MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)`
has the same effect as enabling the removed option. The default state is to use
the server order of suites.


@ -200,8 +200,8 @@
#define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0
#define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1
#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED 1
#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED 0
#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT 1
#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0
/*
* Default range for DTLS retransmission timer value, in milliseconds.
@ -2498,9 +2498,12 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
* The ciphersuites array is not copied, and must remain
* valid for the lifetime of the ssl_config.
*
* Note: The server uses its own preferences
* over the preference of the client unless
* conf->respect_cli_pref is enabled!
* Note: By default, the server chooses its preferred
* ciphersuite among those that the client supports. If
* mbedtls_ssl_conf_preference_order() is called to prefer
* the client's preferences, the server instead chooses
* the client's preferred ciphersuite among those that
* the server supports.
*
* \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
@ -3300,15 +3303,15 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c
#if defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Pick the ciphersuite according to the client's preferences
* rather than ours in the SSL Server module (MBEDTLS_SSL_SRV_C).
* (Default: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
* \brief Pick the ciphersuites order according to the second parameter
* in the SSL Server module (MBEDTLS_SSL_SRV_C).
* (Default, if never called: MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER)
*
* \param conf SSL configuration
* \param enable Enable or disable (MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED
* or MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
* \param order Server or client (MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER
* or MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
*/
void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable );
void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
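Review bot: The new doc comment for `mbedtls_ssl_conf_preference_order()` does not say what happens when `order` is neither of the two defined values, nor what choosing the client order means for the strength of the negotiated suite. Going by the server-side comparison shown elsewhere in this commit (`== MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT`), any other value appears to behave as server order, and the comment should say so. I would add a `\note` such as `With MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT the peer decides which of the allowed ciphersuites is used, so the list given to mbedtls_ssl_conf_ciphersuites() must contain only suites the server is willing to negotiate.` The `\brief` would also read more clearly as `Choose whether the server's or the client's ciphersuite order is used when the server selects a ciphersuite.`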


@ -1873,7 +1873,7 @@ read_record_header:
ciphersuites = ssl->conf->ciphersuite_list;
ciphersuite_info = NULL;
if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED)
if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
{
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
for( i = 0; ciphersuites[i] != 0; i++ )
@ -4433,9 +4433,9 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
return( ret );
}
void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable )
void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order )
{
conf->respect_cli_pref = enable;
conf->respect_cli_pref = order;
}
#endif /* MBEDTLS_SSL_SRV_C */
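Review bot: The setter at the end of this section stores `order` unchecked into a field that is still called `respect_cli_pref`, so after the rename the field name no longer matches the `MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_*` values it holds. Since the selection code tests `== MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT`, an out-of-range value silently yields server order; that is the conservative outcome, but a short comment in the setter, e.g. `/* any value other than ..._ORDER_CLIENT selects server order */`, would make it deliberate. The changed condition also departs from the spacing of the neighbouring `for( ... )` lines and would match them as `if( ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT )`. The ciphersuite-selection function itself begins and ends outside the first hunk, so the server-order branch is not visible here.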


@ -6189,7 +6189,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_SSL_SRV_C)
conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
conf->respect_cli_pref = MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED;
conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)