mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-26 03:35:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config option to a runtime option

Browse Source 
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz 2021-06-02 14:34:47 +02:00
parent 21f84643f8
commit 8476f2f30a
5 changed files with 69 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog.d/issue4398.txt Normal file
View File

@ -0,0 +1,9 @@
API changes
* Remove the MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE option from config.h.
Replace it with SSL runtime option which can be enabled or disabled using
new added API function mbedtls_ssl_conf_respect_client_preference(). Add
a new field respect_cli_pref in the mbedtls_ssl_config structure and two
defines used as a parameter: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED
and MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED. Adapt the code used for
searching for a matching ciphersuite to use the new field instead of the
removed config.h option. Fixes #3498.

10
include/mbedtls/config.h
View File

@ -1471,16 +1471,6 @@
*/
#define MBEDTLS_SSL_RENEGOTIATION
/**
* \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
*
* Pick the ciphersuite according to the client's preferences rather than ours
* in the SSL Server module (MBEDTLS_SSL_SRV_C).
*
* Uncomment this macro to respect client's ciphersuite order
*/
//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
/**
* \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
*

21
include/mbedtls/ssl.h
View File

@ -200,6 +200,9 @@
#define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0
#define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1
#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED 1
#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED 0
/*
* Default range for DTLS retransmission timer value, in milliseconds.
* RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
@ -1185,6 +1188,9 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_SSL_SRV_C)
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
unsigned int respect_cli_pref : 1; /*!< pick the ciphersuite according to
the client's preferences rather
than ours */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
@ -2494,7 +2500,7 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
*
* Note: The server uses its own preferences
* over the preference of the client unless
* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
* conf->respect_cli_pref is enabled!
*
* \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
@ -3292,6 +3298,19 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Pick the ciphersuite according to the client's preferences
* rather than ours in the SSL Server module (MBEDTLS_SSL_SRV_C).
* (Default: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
*
* \param conf SSL configuration
* \param enable Enable or disable (MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED
* or MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
*/
void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable );
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/**
* \brief Activate negotiation of truncated HMAC

56
library/ssl_srv.c
View File

@ -1872,27 +1872,43 @@ read_record_header:
got_common_suite = 0;
ciphersuites = ssl->conf->ciphersuite_list;
ciphersuite_info = NULL;
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
for( i = 0; ciphersuites[i] != 0; i++ )
#else
for( i = 0; ciphersuites[i] != 0; i++ )
if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED)
{
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
#endif
{
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
continue;
for( i = 0; ciphersuites[i] != 0; i++ )
{
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
continue;
got_common_suite = 1;
got_common_suite = 1;
if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
&ciphersuite_info ) ) != 0 )
return( ret );
if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
&ciphersuite_info ) ) != 0 )
return( ret );
if( ciphersuite_info != NULL )
goto have_ciphersuite;
}
if( ciphersuite_info != NULL )
goto have_ciphersuite;
}
} else {
for( i = 0; ciphersuites[i] != 0; i++ )
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
{
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
continue;
got_common_suite = 1;
if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
&ciphersuite_info ) ) != 0 )
return( ret );
if( ciphersuite_info != NULL )
goto have_ciphersuite;
}
}
if( got_common_suite )
{
@ -4416,4 +4432,10 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
return( ret );
}
void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable )
{
conf->respect_cli_pref = enable;
}
#endif /* MBEDTLS_SSL_SRV_C */

1
library/ssl_tls.c
View File

@ -6189,6 +6189,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_SSL_SRV_C)
conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
conf->respect_cli_pref = MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED;
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)