diff --git a/features/nanostack/coap-service/source/coap_security_handler.c b/features/nanostack/coap-service/source/coap_security_handler.c
index 1fbe3ffc86..bf6d8bb4b1 100644
--- a/features/nanostack/coap-service/source/coap_security_handler.c
+++ b/features/nanostack/coap-service/source/coap_security_handler.c
@@ -68,6 +68,7 @@ struct coap_security_s {
 };
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 const int ECJPAKE_SUITES[] = {
     MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
@@ -75,12 +76,15 @@ const int ECJPAKE_SUITES[] = {
 };
 #endif
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 static const int PSK_SUITES[] = {
     MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
     MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
     0
 };
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) */
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 #define TRACE_GROUP "CsSh"
@@ -332,7 +336,9 @@ static int coap_security_handler_configure_keys(coap_security_t *sec, coap_secur
             if (0 != mbedtls_ssl_conf_psk(&sec->_conf, keys._priv_key, keys._priv_key_len, keys._cert, keys._cert_len)) {
                 break;
             }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             mbedtls_ssl_conf_ciphersuites(&sec->_conf, PSK_SUITES);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
             ret = 0;
 #endif
             break;
@@ -342,7 +348,9 @@ static int coap_security_handler_configure_keys(coap_security_t *sec, coap_secur
             if (mbedtls_ssl_set_hs_ecjpake_password(&sec->_ssl, keys._key, keys._key_len) != 0) {
                 return -1;
             }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             mbedtls_ssl_conf_ciphersuites(&sec->_conf, ECJPAKE_SUITES);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
             //NOTE: If thread starts supporting PSK in other modes, then this will be needed!
             mbedtls_ssl_conf_export_keys_cb(&sec->_conf,
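Review bot: The new `MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED` guard around `PSK_SUITES` has to agree with the guard around its only visible use in coap_security_handler_configure_keys (the `#endif` after `ret = 0;` in the hunk at line 332, whose opening `#if` lies outside the hunk); if that opening `#if` tests a different macro, a build with PSK key exchange disabled loses the array while the reference stays. A one-line comment on this `#if` naming the use site, e.g. `/* must match the guard around the PSK branch in coap_security_handler_configure_keys */`, or moving the array next to that branch, would keep the two from drifting apart.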
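Review bot: When `MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE` is defined, the `mbedtls_ssl_conf_ciphersuites(&sec->_conf, PSK_SUITES)` call is compiled out, so the suite actually negotiated is whatever the build configured, and nothing here checks that it is one of the PSK suites this branch expects — a mismatched build fails at handshake time instead of at compile time. The same applies to the ECJPAKE branch in the next hunk (`ECJPAKE_SUITES`) and to `sec_suites` in tls_sec_prot_lib.c. If the define expands to a plain ciphersuite ID, a preprocessor check next to the `#if` catches it at build time, e.g. `#if MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE != MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 && MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE != MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8 && MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE != MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256` / `#error "single ciphersuite must be a PSK suite"`; otherwise at least a comment stating the requirement belongs here. The enclosing switch and function continue outside the hunk.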
@@ -394,11 +402,23 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
         return -1;
     }
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
     mbedtls_ssl_set_bio(&sec->_ssl, sec, f_send, f_recv, NULL);
+#else
+    mbedtls_ssl_set_bio_ctx(&sec->_ssl, sec);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
+    // Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(&sec->_ssl, sec, set_timer, get_timer);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     //TODO: Figure out better way!!!
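Review bot: The timer part of this hunk has no `#else` counterpart: when `MBEDTLS_SSL_CONF_SET_TIMER`/`MBEDTLS_SSL_CONF_GET_TIMER` are defined, `sec` is never registered as the timer context, whereas the bio part registers it with `mbedtls_ssl_set_bio_ctx`; if the library offers a context-only timer setter in that configuration it should be called here, otherwise the build-time timer functions have no way to reach this `sec`. The added comment also states the constraint (one global function set, one ssl context), yet the same pattern with a different context type is added in tls_sec_prot_lib.c (`tls_security_t *`), TLSSocketWrapper.cpp (`TLSSocketWrapper *`) and DTLSSocketWrapper.cpp, so an image that enables any two of them under these defines hands one global callback pointers of different types. An `#error` under those defines in all but one of the components, or at least a comment in each naming the others, would make the constraint enforceable rather than advisory. The function continues outside the hunk.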
@@ -420,8 +440,13 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
                                &sec->_cookie);
 #endif
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     mbedtls_ssl_conf_min_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     mbedtls_ssl_conf_max_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) */
     sec->_is_started = true;
diff --git a/features/nanostack/sal-stack-nanostack/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c b/features/nanostack/sal-stack-nanostack/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
index 6f236bcf1f..d7ee8951ee 100644
--- a/features/nanostack/sal-stack-nanostack/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
+++ b/features/nanostack/sal-stack-nanostack/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
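Review bot: Compiling out `mbedtls_ssl_conf_min_version`/`mbedtls_ssl_conf_max_version` when the `MBEDTLS_SSL_CONF_MIN_*`/`MAX_*` defines are set moves the TLS 1.2 pin from this code into the build configuration, and nothing checks that the configured floor is still TLS 1.2; the same applies to the hunk in tls_sec_prot_lib.c at line 367. A preprocessor check next to the new `#endif` would keep the pin, e.g. `#if defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) && MBEDTLS_SSL_CONF_MIN_MINOR_VER < MBEDTLS_SSL_MINOR_VERSION_3` / `#error "TLS 1.2 is the minimum supported version"` (assuming the define expands to a plain integer, as the library's version macros do). Separately, the retained calls pass `MBEDTLS_SSL_MAJOR_VERSION_3` as the minor argument; that only works because both macros expand to 3, so `MBEDTLS_SSL_MINOR_VERSION_3` is the intended spelling. The function continues outside the hunk.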
@@ -340,9 +340,22 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
         return -1;
     }
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
     // Set calbacks
     mbedtls_ssl_set_bio(&sec->ssl, sec, tls_sec_prot_lib_ssl_send, tls_sec_prot_lib_ssl_recv, NULL);
+#else
+    mbedtls_ssl_set_bio_ctx(&sec->ssl, sec);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
+
+// Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+// callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+// these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(&sec->ssl, sec, tls_sec_prot_lib_ssl_set_timer, tls_sec_prot_lib_ssl_get_timer);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
     // Configure certificates, keys and certificate revocation list
     if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) {
@@ -350,6 +363,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
         return -1;
     }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
     // Configure ciphersuites
     static const int sec_suites[] = {
         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
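Review bot: The second comment block in this hunk (`// Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER ...`) sits at column 0 inside `tls_sec_prot_lib_connect`, while the matching block above `mbedtls_ssl_set_bio` is indented with the code; indent it the same way. The same three-line explanation is now pasted into four files, with the DTLSSocketWrapper.cpp copy already missing its final period; a one-liner in each, e.g. `// MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT select one global callback set and allow only one ssl context`, pointing to a single full explanation, would keep the copies from drifting. The function continues outside the hunk.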
@@ -358,6 +372,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
         0
     };
     mbedtls_ssl_conf_ciphersuites(&sec->conf, sec_suites);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
     mbedtls_ssl_conf_dbg(&sec->conf, tls_sec_prot_lib_debug, sec);
@@ -367,8 +382,13 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
     // Export keys callback
     mbedtls_ssl_conf_export_keys_ext_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec);
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     mbedtls_ssl_conf_max_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) */
     // Set certificate verify callback
     mbedtls_ssl_set_verify(&sec->ssl, tls_sec_prot_lib_x509_crt_verify, sec);
diff --git a/features/netsocket/DTLSSocketWrapper.cpp b/features/netsocket/DTLSSocketWrapper.cpp
index f567e31bbd..2251fd1d24 100644
--- a/features/netsocket/DTLSSocketWrapper.cpp
+++ b/features/netsocket/DTLSSocketWrapper.cpp
@@ -30,7 +30,13 @@ DTLSSocketWrapper::DTLSSocketWrapper(Socket *transport, const char *hostname, co
     _timer_expired(false)
 {
     mbedtls_ssl_conf_transport(get_ssl_config(), MBEDTLS_SSL_TRANSPORT_DATAGRAM);
+
+    // Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(get_ssl_context(), this, timing_set_delay, timing_get_delay);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
 }
 void DTLSSocketWrapper::timing_set_delay(void *ctx, uint32_t int_ms, uint32_t fin_ms)
diff --git a/features/netsocket/TLSSocketWrapper.cpp b/features/netsocket/TLSSocketWrapper.cpp
index 68d24127b2..c8b46adf2d 100644
--- a/features/netsocket/TLSSocketWrapper.cpp
+++ b/features/netsocket/TLSSocketWrapper.cpp
@@ -85,7 +85,7 @@ TLSSocketWrapper::~TLSSocketWrapper()
 void TLSSocketWrapper::set_hostname(const char *hostname)
 {
-#ifdef MBEDTLS_X509_CRT_PARSE_C
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
     mbedtls_ssl_set_hostname(&_ssl, hostname);
 #endif
 }
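Review bot: With `MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION` defined, `set_hostname` now compiles to an empty function, so the certificate is no longer bound to the hostname the caller passed and `hostname` becomes an unused parameter. Add an `#else` branch that makes both explicit, `#else` / `(void)hostname; // hostname verification removed by MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION` before the `#endif`, so the silent no-op is visibly deliberate and the unused-parameter warning is avoided.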
@@ -207,7 +207,15 @@ nsapi_error_t TLSSocketWrapper::start_handshake(bool first_call)
     _transport->set_blocking(false);
     _transport->sigio(mbed::callback(this, &TLSSocketWrapper::event));
-    mbedtls_ssl_set_bio(&_ssl, this, ssl_send, ssl_recv, NULL);
+
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
+    mbedtls_ssl_set_bio(&_ssl, this, ssl_send, ssl_recv, nullptr);
+#else
+    mbedtls_ssl_set_bio_ctx(&_ssl, this);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
     _tls_initialized = true;
diff --git a/features/netsocket/TLSSocketWrapper.h b/features/netsocket/TLSSocketWrapper.h
index 2a3e03e567..9b21b7c692 100644
--- a/features/netsocket/TLSSocketWrapper.h
+++ b/features/netsocket/TLSSocketWrapper.h
@@ -66,6 +66,9 @@ public:
     virtual ~TLSSocketWrapper();
     /** Set hostname.
+     *
+     * @note Implementation is inside following defines:
+     * #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
      *
      * TLSSocket requires hostname used to verify the certificate.
      * If hostname is not given in constructor, this function must be used before
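Review bot: The added `@note` names the preprocessor condition that guards the implementation but not what happens otherwise: under `MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION` (or without `MBEDTLS_X509_CRT_PARSE_C`) the call is a no-op and the hostname is not checked against the certificate, which contradicts the next sentence saying the hostname is used to verify it. Word it as a consequence the caller can act on, e.g. ` * @note Only effective when MBEDTLS_X509_CRT_PARSE_C is enabled and MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION is not; otherwise this call does nothing and the hostname is not verified against the certificate.`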