TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d2f068e071bc4cb9b672dbf0a64ed816cd0560d4^! / . / include / polarssl / ssl.h
commitd2f068e071bc4cb9b672dbf0a64ed816cd0560d4[log] [tgz]
authorPaul Bakker <p.j.bakker@polarssl.org>Tue Aug 27 21:19:20 2013 +0200
committerPaul Bakker <p.j.bakker@polarssl.org>Tue Aug 27 21:19:20 2013 +0200
treeb84fb68025a5dbf4d954cd7ce10c8f8ad3f0f26a
parentfb08fd2e23536bf60ab92fd87717b52edc86d1fc [diff] [blame]
Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 individually

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 8383b7f..1576fcb 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h

@@ -31,14 +31,28 @@
 #include "net.h"
 #include "bignum.h"
 
-#include "md5.h"
-#include "sha1.h"
-#include "sha256.h"
-#include "sha512.h"
-#include "aes.h"
-
 #include "ssl_ciphersuites.h"
 
+#if defined(POLARSSL_MD5_C)
+#include "md5.h"
+#endif
+
+#if defined(POLARSSL_SHA1_C)
+#include "sha1.h"
+#endif
+
+#if defined(POLARSSL_SHA256_C)
+#include "sha256.h"
+#endif
+
+#if defined(POLARSSL_SHA512_C)
+#include "sha512.h"
+#endif
+
+#if defined(POLARSSL_AES_C)
+#include "aes.h"
+#endif
+
 #if defined(POLARSSL_X509_PARSE_C)
 #include "x509.h"
 #endif
@@ -121,6 +135,44 @@
 #define SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
 #define SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
 
+/* Determine minimum supported version */
+#define SSL_MIN_MAJOR_VERSION           SSL_MAJOR_VERSION_3
+
+#if defined(POLARSSL_SSL_PROTO_SSL3)
+#define SSL_MIN_MINOR_VERSION           SSL_MINOR_VERSION_0
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1)
+#define SSL_MIN_MINOR_VERSION           SSL_MINOR_VERSION_1
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1_1)
+#define SSL_MIN_MINOR_VERSION           SSL_MINOR_VERSION_2
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#define SSL_MIN_MINOR_VERSION           SSL_MINOR_VERSION_3
+#endif
+#endif
+#endif
+#endif
+
+/* Determine maximum supported version */
+#define SSL_MAX_MAJOR_VERSION           SSL_MAJOR_VERSION_3
+
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#define SSL_MAX_MINOR_VERSION           SSL_MINOR_VERSION_3
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1_1)
+#define SSL_MAX_MINOR_VERSION           SSL_MINOR_VERSION_2
+#else
+#if defined(POLARSSL_SSL_PROTO_TLS1)
+#define SSL_MAX_MINOR_VERSION           SSL_MINOR_VERSION_1
+#else
+#if defined(POLARSSL_SSL_PROTO_SSL3)
+#define SSL_MAX_MINOR_VERSION           SSL_MINOR_VERSION_0
+#endif
+#endif
+#endif
+#endif
+
 /* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
  * NONE must be zero so that memset()ing structure to zero works */
 #define SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */
@@ -392,9 +444,11 @@
     unsigned char iv_enc[16];           /*!<  IV (encryption)         */
     unsigned char iv_dec[16];           /*!<  IV (decryption)         */
 
+#if defined(POLARSSL_SSL_PROTO_SSL3)
     /* Needed only for SSL v3.0 secret */
     unsigned char mac_enc[32];          /*!<  SSL v3.0 secret (enc)   */
     unsigned char mac_dec[32];          /*!<  SSL v3.0 secret (dec)   */
+#endif /* POLARSSL_SSL_PROTO_SSL3 */
 
     md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
     md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
@@ -436,12 +490,19 @@
     /*
      * Checksum contexts
      */
+#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
+    defined(POLARSSL_SSL_PROTO_TLS1_1)
        md5_context fin_md5;
       sha1_context fin_sha1;
+#endif
+#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#if defined(POLARSSL_SHA256_C)
     sha256_context fin_sha256;
+#endif
 #if defined(POLARSSL_SHA512_C)
     sha512_context fin_sha512;
 #endif
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
 
     void (*update_checksum)(ssl_context *, const unsigned char *, size_t);
     void (*calc_verify)(ssl_context *, unsigned char *);
@@ -1010,11 +1071,12 @@
 /**
  * \brief          Set the maximum supported version sent from the client side
  *                 and/or accepted at the server side
- *                 (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3)
+ *                 (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION)
  *
- *                 Note: This prevents ciphersuites from 'higher' versions to
- *                 be ignored.
- * 
+ *                 Note: This ignores ciphersuites from 'higher' versions.
+ *                 Note: Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                       SSL_MIN_XXXXX_VERSION range is ignored.
+ *
  * \param ssl      SSL context
  * \param major    Major version number (only SSL_MAJOR_VERSION_3 supported)
  * \param minor    Minor version number (SSL_MINOR_VERSION_0,
@@ -1026,7 +1088,10 @@
 
 /**
  * \brief          Set the minimum accepted SSL/TLS protocol version
- *                 (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)
+ *                 (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
+ *
+ *                 Note: Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                       SSL_MIN_XXXXX_VERSION range is ignored.
  *
  * \param ssl      SSL context
  * \param major    Major version number (only SSL_MAJOR_VERSION_3 supported)