From 3946f79cabc20e2dfa7fa45ae60d1ca8895b4af7 Mon Sep 17 00:00:00 2001
From: TRodziewicz <tomasz.rodziewicz@mobica.com>
Date: Mon, 14 Jun 2021 12:11:18 +0200
Subject: [PATCH] Correction according to code review (function and param.
 names change and docs rewording)

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
---
 ChangeLog.d/issue4398.txt                     | 10 ++------
 ...NT_PREFERENCE_config_opt_to_runtime_opt.md | 17 +++++++------
 include/mbedtls/ssl.h                         | 25 +++++++++++--------
 library/ssl_srv.c                             |  6 ++---
 library/ssl_tls.c                             |  2 +-
 5 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/ChangeLog.d/issue4398.txt b/ChangeLog.d/issue4398.txt
index 67acbf5a2..b7f241391 100644
--- a/ChangeLog.d/issue4398.txt
+++ b/ChangeLog.d/issue4398.txt
@@ -1,9 +1,3 @@
 API changes
-    * Remove the MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE option from config.h.
-      Replace it with SSL runtime option which can be enabled or disabled using
-      new added API function mbedtls_ssl_conf_respect_client_preference(). Add
-      a new field respect_cli_pref in the mbedtls_ssl_config structure and two
-      defines used as a parameter: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED
-      and MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED. Adapt the code used for
-      searching for a matching ciphersuite to use the new field instead of the
-      removed config.h option. Fixes #3498.
+    * Replace MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE by a runtime
+      configuration function mbedtls_ssl_conf_preference_order(). Fixes #4398.
diff --git a/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md b/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md
index 6b1db9e62..6a6554dfb 100644
--- a/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md
+++ b/docs/3.0-migration-guide.d/turn_SSL_SRV_RESPECT_CLIENT_PREFERENCE_config_opt_to_runtime_opt.md
@@ -1,13 +1,14 @@
 Turn MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE configuration option into a runtime option
 --
 
-This change affects users who see the change of the SSL server vs. client
-preferred set of ciphersuites in runtime useful.
+This change affects users who were enabling MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+option in the `config.h`
 
-The `MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE` `config.h` option has been
-removed and a new function with similar functionality has been introduced into the
-SSL API.
+This option has been removed and a new function with similar functionality has
+been introduced into the SSL API.
 
-This new function `mbedtls_ssl_conf_respect_client_preference()` can be used to
-change the preferred set of ciphersuites on the server to those used on the client.
-The default state is to use the server set of suites.
+This new function `mbedtls_ssl_conf_preference_order()` can be used to
+change the preferred order of ciphersuites on the server to those used on the client,
+e.g.: `mbedtls_ssl_conf_preference_order(ssl_config, MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)`
+has the same effect as enabling the removed option. The default state is to use
+the server order of suites.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 364239a84..f0ae778b5 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -200,8 +200,8 @@
 #define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED    0
 #define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED      1
 
-#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED    1
-#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED   0
+#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT  1
+#define MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER  0
 
 /*
  * Default range for DTLS retransmission timer value, in milliseconds.
@@ -2498,9 +2498,12 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
  *                      The ciphersuites array is not copied, and must remain
  *                      valid for the lifetime of the ssl_config.
  *
- *                      Note: The server uses its own preferences
- *                      over the preference of the client unless
- *                      conf->respect_cli_pref is enabled!
+ *                      Note: By default, the server chooses its preferred
+ *                      ciphersuite among those that the client supports. If
+ *                      mbedtls_ssl_conf_preference_order() is called to prefer
+ *                      the client's preferences, the server instead chooses
+ *                      the client's preferred ciphersuite among those that
+ *                      the server supports.
  *
  * \param conf          SSL configuration
  * \param ciphersuites  0-terminated list of allowed ciphersuites
@@ -3300,15 +3303,15 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c
 
 #if defined(MBEDTLS_SSL_SRV_C)
 /**
- * \brief          Pick the ciphersuite according to the client's preferences
- *                 rather than ours in the SSL Server module (MBEDTLS_SSL_SRV_C).
- *                 (Default: MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
+ * \brief          Pick the ciphersuites order according to the second parameter
+ *                 in the SSL Server module (MBEDTLS_SSL_SRV_C).
+ *                 (Default, if never called: MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER)
  *
  * \param conf     SSL configuration
- * \param enable   Enable or disable (MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED
- *                                 or MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED)
+ * \param order    Server or client (MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER
+ *                                or MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
  */
-void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable );
+void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
 #endif /* MBEDTLS_SSL_SRV_C */
 
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c7ec4fe2a..c70c21f85 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1873,7 +1873,7 @@ read_record_header:
     ciphersuites = ssl->conf->ciphersuite_list;
     ciphersuite_info = NULL;
 
-    if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_ENABLED)
+    if (ssl->conf->respect_cli_pref == MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_CLIENT)
     {
         for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
             for( i = 0; ciphersuites[i] != 0; i++ )
@@ -4433,9 +4433,9 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
     return( ret );
 }
 
-void mbedtls_ssl_conf_respect_client_preference( mbedtls_ssl_config *conf, int enable )
+void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order )
 {
-    conf->respect_cli_pref = enable;
+    conf->respect_cli_pref = order;
 }
 
 #endif /* MBEDTLS_SSL_SRV_C */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ab11391ba..8ef98af20 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6189,7 +6189,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 
 #if defined(MBEDTLS_SSL_SRV_C)
     conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
-    conf->respect_cli_pref = MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREF_DISABLED;
+    conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)