1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-28 00:21:48 +03:00

Merge pull request #4606 from TRodziewicz/turn__SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt

Turn _SSL_SRV_RESPECT_CLIENT_PREFERENCE config opt to a runtime opt
This commit is contained in:
Gilles Peskine
2021-06-14 19:03:28 +02:00
committed by GitHub
6 changed files with 82 additions and 30 deletions

View File

@ -201,6 +201,9 @@
#define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0
#define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1
#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT 1
#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER 0
/*
* Default range for DTLS retransmission timer value, in milliseconds.
* RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
@ -1186,6 +1189,9 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_SSL_SRV_C)
unsigned int MBEDTLS_PRIVATE(cert_req_ca_list) : 1; /*!< enable sending CA list in
Certificate Request messages? */
unsigned int respect_cli_pref : 1; /*!< pick the ciphersuite according to
the client's preferences rather
than ours */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
unsigned int MBEDTLS_PRIVATE(ignore_unexpected_cid) : 1; /*!< Determines whether DTLS
@ -2493,9 +2499,12 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
* The ciphersuites array is not copied, and must remain
* valid for the lifetime of the ssl_config.
*
* Note: The server uses its own preferences
* over the preference of the client unless
* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
* Note: By default, the server chooses its preferred
* ciphersuite among those that the client supports. If
* mbedtls_ssl_conf_preference_order() is called to prefer
* the client's preferences, the server instead chooses
* the client's preferred ciphersuite among those that
* the server supports.
*
* \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
@ -3293,6 +3302,19 @@ void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Pick the ciphersuites order according to the second parameter
* in the SSL Server module (MBEDTLS_SSL_SRV_C).
* (Default, if never called: MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER)
*
* \param conf SSL configuration
* \param order Server or client (MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER
* or MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
*/
void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/**
* \brief Activate negotiation of truncated HMAC