TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e0200dad634d4ce61d2c835fa620ddb55b821101^! / . / include / mbedtls
commite0200dad634d4ce61d2c835fa620ddb55b821101[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Thu Jun 13 09:23:43 2019 +0100
committerHanno Becker <hanno.becker@arm.com>Tue Jul 02 16:41:35 2019 +0100
treea77ffee45dcae2e5169a75a08404a88c8dec76de
parentb0b2b675681d94d70d0afe2ebb030df74be92c90 [diff]
Allow configuration of ConnectionID at compile-time

Introduces
- MBEDTLS_SSL_CONF_CID_LEN and
- MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID
to control
- the length of incoming CIDs
- the behaviour in receipt of unexpected CIDs
at compile-time.

Impact on code-size:

|  | GCC 82.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23223 | 23865 | 26775 |
| `libmbedtls.a` after  | 23147 | 23781 | 26703 |
| gain in Bytes | 76 | 84 | 72 |

diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 88f4701..a038121 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h

@@ -631,6 +631,13 @@
 #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
 #endif
 
+#if (  defined(MBEDTLS_SSL_CONF_CID_LEN) &&                     \
+      !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) ) ||     \
+    ( !defined(MBEDTLS_SSL_CONF_CID_LEN) &&                     \
+       defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID) )
+#error "MBEDTLS_SSL_CONF_CID_LEN and MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID must be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
     ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index d45d887..5af2e79 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h

@@ -3457,6 +3457,8 @@
 /* DTLS-specific settings */
 //#define MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED
 //#define MBEDTLS_SSL_CONF_BADMAC_LIMIT 0
+//#define MBEDTLS_SSL_CONF_CID_LEN 0
+//#define MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
 
 /* ExtendedMasterSecret extension
  * The following two options must be set/unset simultaneously. */

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d783d07..e68eb1c 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h

@@ -957,7 +957,9 @@
 #endif
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
     size_t cid_len; /*!< The length of CIDs for incoming DTLS records.      */
+#endif /* !MBEDTLS_SSL_CONF_CID_LEN */
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -1100,9 +1102,11 @@
                                           Certificate Request messages?     */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
     unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
                                              *   record with unexpected CID
                                              *   should lead to failure.    */
+#endif /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 };
 
@@ -2312,9 +2316,11 @@
 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
                                    const int *ciphersuites );
 
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 #define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
 #define MBEDTLS_SSL_UNEXPECTED_CID_FAIL   1
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
+    !defined(MBEDTLS_SSL_CONF_CID_LEN) &&      \
+    !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
 /**
  * \brief               Specify the length of Connection IDs for incoming
  *                      encrypted DTLS records, as well as the behaviour
@@ -2343,13 +2349,19 @@
  *                      same SSL configuration; this allows simpler parsing of
  *                      record headers.
  *
+ * \note                On constrained systems, this configuration can also be
+ *                      fixed at compile-time via MBEDTLS_SSL_CONF_CID_LEN and
+ *                      MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID.
+ *
  * \return              \c 0 on success.
  * \return              #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
  *                      is too large.
  */
 int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
                           int ignore_other_cids );
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID &&
+          !MBEDTLS_SSL_CONF_CID_LEN &&
+          !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
 
 /**
  * \brief               Set the list of allowed ciphersuites and the

diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 20d2006..57fe486 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h

@@ -1085,6 +1085,38 @@
  * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
  */
 
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#if !defined(MBEDTLS_SSL_CONF_CID_LEN)
+static inline size_t mbedtls_ssl_conf_get_cid_len(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->cid_len );
+}
+#else /* !MBEDTLS_SSL_CONF_CID_LEN */
+static inline size_t mbedtls_ssl_conf_get_cid_len(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_CID_LEN );
+}
+#endif /* MBEDTLS_SSL_CONF_CID_LEN */
+
+#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
+static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->ignore_unexpected_cid );
+}
+#else /* !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+static inline unsigned int mbedtls_ssl_conf_get_ignore_unexpected_cid(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID );
+}
+#endif /* MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
 #if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
 static inline unsigned int mbedtls_ssl_conf_get_allow_legacy_renegotiation(
     mbedtls_ssl_config  const *conf )