From d65ea42262a45606a8054dfa0470e6d05343c2b3 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Tue, 5 Sep 2023 21:07:32 +0200
Subject: [PATCH] Fix some TLS 1.3 settings that were required in mbedtls_config.h

Mbed TLS can be configured by writing a configuration file from scratch, without copying mbedtls_config.h. As a consequence, all the macro definitions in mbedtls_config.h must be optional. This was not the case for some MBEDTLS_SSL_TLS1_3_xxx macros with numerical values related to session tickets. Fix that.

Signed-off-by: Gilles Peskine
---
 ChangeLog.d/tls13-custom-config.txt | 3 +++
 include/mbedtls/mbedtls_config.h | 6 +++---
 include/mbedtls/ssl.h | 12 ++++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 ChangeLog.d/tls13-custom-config.txt

diff --git a/ChangeLog.d/tls13-custom-config.txt b/ChangeLog.d/tls13-custom-config.txt
new file mode 100644
index 000000000..da2e25d95
--- /dev/null
+++ b/ChangeLog.d/tls13-custom-config.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix undefined symbols in some builds using TLS 1.3 with a custom
+ configuration file.
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index f34c0913f..df53041f0 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -4055,7 +4055,7 @@
  * This is not used in TLS 1.2.
  *
  */
-#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
+//#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
 
 /**
  * \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
@@ -4064,7 +4064,7 @@
  *
  * This must be less than 256.
  */
-#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
+//#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
 
 /**
  * \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
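Review bot: Once the `#define` lines for MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE and MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH are commented out, the doc blocks above them (and the MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS block in the next hunk) are the only place a custom-configuration author learns what value the library falls back to, and the visible context lines state a range (`This must be less than 256.`) but no default. I'd add a sentence such as ` * Defaults to 32 if this option is not defined.` to each block, unless the part of the comment that starts outside the hunk already says so. The literals kept on the commented-out lines (6000, 32, 1) are now duplicated by the fallbacks in ssl.h, so a short note that the two must be kept in sync would also help the next editor.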
@@ -4074,7 +4074,7 @@
  * the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
  *
  */
-#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
+//#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
 
 /* X509 options */
 //#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 920efa98c..a3ecbfbf6 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -405,6 +405,18 @@
 #define MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 16
 #endif
 
+#if !defined(MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE)
+#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
+#endif
+
+#if !defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH)
+#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
+#endif
+
+#if !defined(MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS)
+#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
+#endif
+
 /** \} name SECTION: Module settings */
 
 /*
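Review bot: The fallback for MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH in the ssl.h hunk is introduced without the `less than 256` constraint that the option's documentation in mbedtls_config.h states, so a custom configuration file can now define an out-of-range value that this header accepts without complaint. Unless check_config.h already rejects it, a guard right after the new `#endif` would close that gap: `#if MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH >= 256` / `#error "MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH must be less than 256"` / `#endif`. The three new blocks also repeat the literal values from mbedtls_config.h with nothing pointing back to the documentation; a one-line comment above the first block, `/* Fallback values for the TLS 1.3 session-ticket options; keep in sync with mbedtls_config.h */`, would tell a reader where the authoritative description of each option lives.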