From a6934776c90a834a321daf7eeb35f2ad7d402c50 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Fri, 4 Nov 2022 15:39:30 +0800
Subject: [PATCH 01/10] Add reco_debug_level to reduce debug output
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_server2.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 1b4a94ab0..69e6b81e4 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -490,6 +490,8 @@ int main( void )
 " debug_level=%%d default: 0 (disabled)\n" \
 " build_version=%%d default: none (disabled)\n" \
 " option: 1 (print build version only and stop)\n" \
+ " reco_debug_level=%%d default: 0 (disabled)\n" \
+ " debug_level for 2nd flight.\n" \
 " buffer_size=%%d default: 200 \n" \
 " (minimum: 1)\n" \
 " response_size=%%d default: about 152 (basic response)\n" \
@@ -592,6 +594,7 @@ struct options
 const char *server_addr; /* address on which the ssl service runs */
 const char *server_port; /* port on which the ssl service runs */
 int debug_level; /* level of debugging */
+ int reco_debug_level; /* level of 2nd flight debugging */
 int nbio; /* should I/O be blocking? */
 int event; /* loop or event-driven IO? level or edge triggered? */
 uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
@@ -1629,6 +1632,7 @@ int main( int argc, char *argv[] )
 opt.server_addr = DFL_SERVER_ADDR;
 opt.server_port = DFL_SERVER_PORT;
 opt.debug_level = DFL_DEBUG_LEVEL;
+ opt.reco_debug_level = DFL_DEBUG_LEVEL;
 opt.event = DFL_EVENT;
 opt.response_size = DFL_RESPONSE_SIZE;
 opt.nbio = DFL_NBIO;
@@ -1755,6 +1759,12 @@ int main( int argc, char *argv[] )
 goto exit;
 }
 }
+ else if( strcmp( p, "reco_debug_level" ) == 0 )
+ {
+ opt.reco_debug_level = atoi( q );
+ if( opt.reco_debug_level < 0 || opt.reco_debug_level > 65535 )
+ goto usage;
+ }
 else if( strcmp( p, "nbio" ) == 0 )
 {
 opt.nbio = atoi( q );
@@ -4284,6 +4294,11 @@ close_notify:
 mbedtls_printf( " done\n" );
+#if defined(MBEDTLS_DEBUG_C)
+ if( opt.reco_debug_level )
+ mbedtls_debug_set_threshold( opt.reco_debug_level );
+#endif
+
 goto reset;
 /*
From 16f6853b054d7551f8bacd5e5f00ebfa7ef8ab50 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Sat, 5 Nov 2022 10:50:06 +0800
Subject: [PATCH 02/10] Add max_early_data_size config option
Signed-off-by: Jerry Yu
---
 include/mbedtls/check_config.h | 10 ++++++++++
 include/mbedtls/mbedtls_config.h | 15 +++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 7f5558087..66407083d 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -32,6 +32,9 @@
 #error "mbed TLS requires a platform with 8-bit chars"
 #endif
+/* Need std integer definition for checking max_early_data_size */
+#include
+
 #if defined(_WIN32)
 #if !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_C is required on Windows"
@@ -849,6 +852,13 @@
 #error "MBEDTLS_SSL_EARLY_DATA defined, but not all prerequisites"
 #endif
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) && \
+ ( !defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) || \
+ ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE <= 0 ) || \
+ ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX ) )
+#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(1..UINT32_MAX)"
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS) && \
 !defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index c719073c2..f33ce60b7 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1664,6 +1664,8 @@
 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 *
+* Requires: MBEDTLS_SSL_MAX_EARLY_DATA_SIZE >= 0
+*
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
 * is not enabled, this option does not have any effect on the build.
 *
@@ -1673,6 +1675,19 @@
 */
 //#define MBEDTLS_SSL_EARLY_DATA
+/**
+ * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+ *
+ * The maximium amount of 0-RTT data(RFC8446 section 4.6.1).
+ * It only works when MBEDTLS_SSL_EARLY_DATA is enabled and MUST be in range
+ * 1...UINT32_MAX
+ *
+ * This feature is experimental, not completed and thus not ready for
+ * production.
+ *
+ */
+#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
+
 /**
 * \def MBEDTLS_SSL_PROTO_DTLS
 *
From cc4e007ff6de20825b8c2234bdf6a5a61e1f5a0e Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 22 Nov 2022 17:22:22 +0800
Subject: [PATCH 03/10] Add max_early_data_size to mbedtls_ssl_config
Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 30 ++++++++++++++++++++++++++++++
 library/ssl_tls.c | 13 +++++++++++++
 2 files changed, 43 insertions(+)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 3165cd56a..edc1a9898 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1524,9 +1524,17 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
 #if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
 int MBEDTLS_PRIVATE(early_data_enabled); /*!< Early data enablement:
 * - MBEDTLS_SSL_EARLY_DATA_DISABLED,
 * - MBEDTLS_SSL_EARLY_DATA_ENABLED */
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+ /* The maximium amount of 0-RTT data. RFC 8446 section 4.6.1 */
+ uint32_t MBEDTLS_PRIVATE(max_early_data_size);
+#endif /* MBEDTLS_SSL_SRV_C */
+
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 #if defined(MBEDTLS_SSL_ALPN)
@@ -1943,6 +1951,7 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
 /**
 * \brief Set the early data mode
 * Default: disabled on server and client
@@ -1964,6 +1973,27 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 */
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief Set the max_early_data_size parameter.
+ *
+ * \param[in] conf The SSL configuration to use.
+ * \param[in] max_early_data_size The maximum amount of 0-RTT data.
+ * - 0 Disable 0-RTT feature.
+ *
+ * \note max_early_data_size MUST be smaller than
+ * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE. Otherwise,
+ * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE will be used.
+ *
+ * \warning This interface is experimental and may change without notice.
+ *
+ */
+void mbedtls_ssl_tls13_conf_max_early_data_size(
+ mbedtls_ssl_config *conf, uint32_t max_early_data_size );
+#endif /* MBEDTLS_SSL_SRV_C */
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 83f2b3c3e..14ffef20b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1699,11 +1699,24 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
 }
 #if defined(MBEDTLS_SSL_EARLY_DATA)
+#if defined(MBEDTLS_SSL_CLI_C)
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled ) { conf->early_data_enabled = early_data_enabled; }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_tls13_conf_max_early_data_size(
+ mbedtls_ssl_config *conf, uint32_t max_early_data_size )
+{
+ conf->max_early_data_size =
+ max_early_data_size < MBEDTLS_SSL_MAX_EARLY_DATA_SIZE ?
+ max_early_data_size : MBEDTLS_SSL_MAX_EARLY_DATA_SIZE;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
From 7854a4e01947adb30c5d7613f63082e505dfcfad Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Sat, 5 Nov 2022 23:14:47 +0800
Subject: [PATCH 04/10] Add max_early_data_size option for ssl_sever2
- to set max_early_data_set
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_server2.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 69e6b81e4..dec50eee5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -129,6 +129,7 @@ int main( void )
 #define DFL_SNI NULL
 #define DFL_ALPN_STRING NULL
 #define DFL_CURVES NULL
+#define DFL_MAX_EARLY_DATA_SIZE 0
 #define DFL_SIG_ALGS NULL
 #define DFL_DHM_FILE NULL
 #define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
@@ -424,6 +425,16 @@ int main( void )
 #define USAGE_ECJPAKE ""
 #endif
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+#define USAGE_EARLY_DATA \
+ " max_early_data_size=%%d default: 0 (disabled)\n" \
+ " options: 0 (disabled), " \
+ " -1 (enabled, builtin max size), " \
+ " n > 0 (enabled, max amount data for 0-RTT )\n"
+#else
+#define USAGE_EARLY_DATA ""
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 #if defined(MBEDTLS_ECP_C)
 #define USAGE_CURVES \
 " curves=a,b,c,d default: \"default\" (library default)\n" \
@@ -680,6 +691,7 @@ struct options
 const char *cid_val_renego; /* the CID to use for incoming messages
 * after renegotiation */
 int reproducible; /* make communication reproducible */
+ uint32_t max_early_data_size; /* max amount early data */
 int query_config_mode; /* whether to read config */
 int use_srtp; /* Support SRTP */
 int force_srtp_profile; /* SRTP protection profile to use or all */
@@ -1695,6 +1707,7 @@ int main( int argc, char *argv[] )
 opt.sni = DFL_SNI;
 opt.alpn_string = DFL_ALPN_STRING;
 opt.curves = DFL_CURVES;
+ opt.max_early_data_size = DFL_MAX_EARLY_DATA_SIZE;
 opt.sig_algs = DFL_SIG_ALGS;
 opt.dhm_file = DFL_DHM_FILE;
 opt.transport = DFL_TRANSPORT;
@@ -1891,6 +1904,12 @@ int main( int argc, char *argv[] )
 else if( strcmp( p, "sig_algs" ) == 0 )
 opt.sig_algs = q;
 #endif
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ else if( strcmp( p, "max_early_data_size" ) == 0 )
+ {
+ opt.max_early_data_size = atoi( q );
+ }
+#endif /* MBEDTLS_SSL_EARLY_DATA */
 else if( strcmp( p, "renegotiation" ) == 0 )
 {
 opt.renegotiation = (atoi( q )) ?
@@ -2886,6 +2905,10 @@ int main( int argc, char *argv[] )
 if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
 mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_tls13_conf_max_early_data_size( &conf, opt.max_early_data_size );
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
 /* exercise setting DN hints for server certificate request
 * (Intended for use where the client cert expected has been signed by
From 54dfcb7794fa9db4a1139a2351a2c6ddb7cd2103 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Mon, 5 Dec 2022 15:43:09 +0800
Subject: [PATCH 05/10] fix comments and debug info issues
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_server2.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index dec50eee5..ef0b1a84d 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -430,7 +430,7 @@ int main( void )
 " max_early_data_size=%%d default: 0 (disabled)\n" \
 " options: 0 (disabled), " \
 " -1 (enabled, builtin max size), " \
- " n > 0 (enabled, max amount data for 0-RTT )\n"
+ " n > 0 (enabled, max amount of early data )\n"
 #else
 #define USAGE_EARLY_DATA ""
 #endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -502,7 +502,7 @@ int main( void )
 " build_version=%%d default: none (disabled)\n" \
 " option: 1 (print build version only and stop)\n" \
 " reco_debug_level=%%d default: 0 (disabled)\n" \
- " debug_level for 2nd flight.\n" \
+ " level of debugging for re-connection.\n" \
 " buffer_size=%%d default: 200 \n" \
 " (minimum: 1)\n" \
 " response_size=%%d default: about 152 (basic response)\n" \
@@ -605,7 +605,7 @@ struct options
 const char *server_addr; /* address on which the ssl service runs */
 const char *server_port; /* port on which the ssl service runs */
 int debug_level; /* level of debugging */
- int reco_debug_level; /* level of 2nd flight debugging */
+ int reco_debug_level; /* level of debugging for re-connection. */
 int nbio; /* should I/O be blocking? */
 int event; /* loop or event-driven IO? level or edge triggered? */
 uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
@@ -691,7 +691,7 @@ struct options
 const char *cid_val_renego; /* the CID to use for incoming messages
 * after renegotiation */
 int reproducible; /* make communication reproducible */
- uint32_t max_early_data_size; /* max amount early data */
+ uint32_t max_early_data_size; /* max amount of early data */
 int query_config_mode; /* whether to read config */
 int use_srtp; /* Support SRTP */
 int force_srtp_profile; /* SRTP protection profile to use or all */
From 12c46bd14f3179d48deed3d5393c2ef83bd121aa Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 6 Dec 2022 11:02:51 +0800
Subject: [PATCH 06/10] fix various issues
- disable reuse of max_early_data_size.
- make conf_early_data available for server.
- various comment issues
Signed-off-by: Jerry Yu
---
 include/mbedtls/check_config.h | 5 ++---
 include/mbedtls/mbedtls_config.h | 12 +++++++-----
 include/mbedtls/ssl.h | 27 ++++++++++++++++-----------
 library/ssl_tls.c | 2 --
 4 files changed, 25 insertions(+), 21 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 66407083d..e548a216f 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -32,7 +32,6 @@
 #error "mbed TLS requires a platform with 8-bit chars"
 #endif
-/* Need std integer definition for checking max_early_data_size */
 #include
 #if defined(_WIN32)
@@ -854,9 +853,9 @@
 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) && \
 ( !defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) || \
- ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE <= 0 ) || \
+ ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE < 0 ) || \
 ( MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX ) )
-#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(1..UINT32_MAX)"
+#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MUST be defined and in range(0..UINT32_MAX)"
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS) && \
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index f33ce60b7..2172072ba 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -1664,8 +1664,6 @@
 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
 * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 *
-* Requires: MBEDTLS_SSL_MAX_EARLY_DATA_SIZE >= 0
-*
 * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
 * is not enabled, this option does not have any effect on the build.
 *
@@ -1678,9 +1676,13 @@
 /**
 * \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
 *
- * The maximium amount of 0-RTT data(RFC8446 section 4.6.1).
- * It only works when MBEDTLS_SSL_EARLY_DATA is enabled and MUST be in range
- * 1...UINT32_MAX
+ * The default maximum amount of 0-RTT data. See the documentation of
+ * \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
+ *
+ * It must be positive and smaller than UINT32_MAX.
+ *
+ * If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
+ * have any impact on the build.
 *
 * This feature is experimental, not completed and thus not ready for
 * production.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index edc1a9898..7ed735e35 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1524,14 +1524,12 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
 int MBEDTLS_PRIVATE(early_data_enabled); /*!< Early data enablement:
 * - MBEDTLS_SSL_EARLY_DATA_DISABLED,
 * - MBEDTLS_SSL_EARLY_DATA_ENABLED */
-#endif /* MBEDTLS_SSL_CLI_C */
 #if defined(MBEDTLS_SSL_SRV_C)
- /* The maximium amount of 0-RTT data. RFC 8446 section 4.6.1 */
+ /* The maximum amount of 0-RTT data. RFC 8446 section 4.6.1 */
 uint32_t MBEDTLS_PRIVATE(max_early_data_size);
 #endif /* MBEDTLS_SSL_SRV_C */
@@ -1951,7 +1949,6 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
 /**
 * \brief Set the early data mode
 * Default: disabled on server and client
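Review bot: The new range sentence in the MBEDTLS_SSL_MAX_EARLY_DATA_SIZE doc, `It must be positive and smaller than UINT32_MAX.`, contradicts the check this same commit relaxes in check_config.h, which now rejects only `< 0` and `> UINT32_MAX` and whose error text says `range(0..UINT32_MAX)`. A reader of mbedtls_config.h would conclude that 0 and UINT32_MAX are invalid while the build accepts both. Suggest ` * It must be in the range 0..UINT32_MAX (inclusive), as enforced by check_config.h.` or, if 0 is really not meant to be allowed, keeping the `<= 0` bound in check_config.h instead, whichever is intended.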
@@ -1973,19 +1970,27 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
 */
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled );
-#endif /* MBEDTLS_SSL_CLI_C */
 #if defined(MBEDTLS_SSL_SRV_C)
 /**
- * \brief Set the max_early_data_size parameter.
+ * \brief Set the maximum amount of 0-RTT data in bytes
+ * Default: #MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
+ *
+ * This function sets the value of the max_early_data_size
+ * field of the early data indication extension included in
+ * the NewSessionTicket messages that the server may send.
+ *
+ * The value defines the maximum amount of 0-RTT data
+ * in bytes that a client will be allowed to send when using
+ * one of the tickets defined by the NewSessionTicket messages.
+ *
+ * \note When resuming a session using a ticket, if the server receives more
+ * early data than allowed for the ticket, it terminates the connection.
+ * The maximum amount of 0-RTT data should thus be large enough
+ * to allow a minimum of early data to be exchanged.
 *
 * \param[in] conf The SSL configuration to use.
 * \param[in] max_early_data_size The maximum amount of 0-RTT data.
- * - 0 Disable 0-RTT feature.
- *
- * \note max_early_data_size MUST be smaller than
- * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE. Otherwise,
- * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE will be used.
 *
 * \warning This interface is experimental and may change without notice.
 *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 14ffef20b..227f8841d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1699,13 +1699,11 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
 }
 #if defined(MBEDTLS_SSL_EARLY_DATA)
-#if defined(MBEDTLS_SSL_CLI_C)
 void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf, int early_data_enabled ) { conf->early_data_enabled = early_data_enabled; }
-#endif /* MBEDTLS_SSL_CLI_C */
 #if defined(MBEDTLS_SSL_SRV_C)
 void mbedtls_ssl_tls13_conf_max_early_data_size(
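Review bot: With the `- 0 Disable 0-RTT feature.` bullet removed, the `\param[in] max_early_data_size` entry of mbedtls_ssl_tls13_conf_max_early_data_size() no longer says what a value of 0 means, even though check_config.h in this same commit now accepts 0 as the build-time default; a caller cannot tell whether 0 advertises a zero limit, makes the server stop offering early data on its tickets, or is simply unsupported. The \brief gives the unit ("in bytes") but the parameter line does not. Suggest `\param[in] max_early_data_size The maximum amount of 0-RTT data in bytes.` followed by one sentence stating the behaviour for 0, or rejecting 0 in check_config.h if it is not meant to be supported. The prototype this comment documents lies outside the hunk.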
From 2c93fc15449545bfce5aad483af0b4b335717e48 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 6 Dec 2022 11:05:44 +0800
Subject: [PATCH 07/10] Revert "Add reco_debug_level to reduce debug output"
This reverts commit a6934776c90a834a321daf7eeb35f2ad7d402c50.
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_server2.c | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index ef0b1a84d..00f0c92c1 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -501,8 +501,6 @@ int main( void )
 " debug_level=%%d default: 0 (disabled)\n" \
 " build_version=%%d default: none (disabled)\n" \
 " option: 1 (print build version only and stop)\n" \
- " reco_debug_level=%%d default: 0 (disabled)\n" \
- " level of debugging for re-connection.\n" \
 " buffer_size=%%d default: 200 \n" \
 " (minimum: 1)\n" \
 " response_size=%%d default: about 152 (basic response)\n" \
@@ -605,7 +603,6 @@ struct options
 const char *server_addr; /* address on which the ssl service runs */
 const char *server_port; /* port on which the ssl service runs */
 int debug_level; /* level of debugging */
- int reco_debug_level; /* level of debugging for re-connection. */
 int nbio; /* should I/O be blocking? */
 int event; /* loop or event-driven IO? level or edge triggered? */
 uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
@@ -1644,7 +1641,6 @@ int main( int argc, char *argv[] )
 opt.server_addr = DFL_SERVER_ADDR;
 opt.server_port = DFL_SERVER_PORT;
 opt.debug_level = DFL_DEBUG_LEVEL;
- opt.reco_debug_level = DFL_DEBUG_LEVEL;
 opt.event = DFL_EVENT;
 opt.response_size = DFL_RESPONSE_SIZE;
 opt.nbio = DFL_NBIO;
@@ -1772,12 +1768,6 @@ int main( int argc, char *argv[] )
 goto exit;
 }
 }
- else if( strcmp( p, "reco_debug_level" ) == 0 )
- {
- opt.reco_debug_level = atoi( q );
- if( opt.reco_debug_level < 0 || opt.reco_debug_level > 65535 )
- goto usage;
- }
 else if( strcmp( p, "nbio" ) == 0 )
 {
 opt.nbio = atoi( q );
@@ -4317,11 +4307,6 @@ close_notify:
 mbedtls_printf( " done\n" );
-#if defined(MBEDTLS_DEBUG_C)
- if( opt.reco_debug_level )
- mbedtls_debug_set_threshold( opt.reco_debug_level );
-#endif
-
 goto reset;
 /*
From d146a37d564f2ff72499d42453f7a77a7f50d236 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 6 Dec 2022 12:33:48 +0800
Subject: [PATCH 08/10] Change the definition of max_early_data_size argument.
`conf_max_early_data_size` does not reuse as en/disable. When call it, we should call `conf_early_data()` also.
Signed-off-by: Jerry Yu
---
 programs/ssl/ssl_server2.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 00f0c92c1..29a140a9f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -427,10 +427,9 @@ int main( void )
 #if defined(MBEDTLS_SSL_EARLY_DATA)
 #define USAGE_EARLY_DATA \
- " max_early_data_size=%%d default: 0 (disabled)\n" \
- " options: 0 (disabled), " \
- " -1 (enabled, builtin max size), " \
- " n > 0 (enabled, max amount of early data )\n"
+ " max_early_data_size=%%d default: -1 (disabled)\n" \
+ " options: -1 (disabled), " \
+ " >= 0 (enabled, max amount of early data )\n"
 #else
 #define USAGE_EARLY_DATA ""
 #endif /* MBEDTLS_SSL_EARLY_DATA */
@@ -1547,6 +1546,9 @@ int main( int argc, char *argv[] )
 };
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED;
+#endif
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
 mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
 #if defined(MBEDTLS_MEMORY_DEBUG)
@@ -1897,7 +1899,14 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_EARLY_DATA)
 else if( strcmp( p, "max_early_data_size" ) == 0 )
 {
- opt.max_early_data_size = atoi( q );
+ long long value = atoll( q );
+ tls13_early_data_enabled =
+ value >= 0 ? MBEDTLS_SSL_EARLY_DATA_ENABLED :
+ MBEDTLS_SSL_EARLY_DATA_DISABLED;
+ if( tls13_early_data_enabled )
+ {
+ opt.max_early_data_size = atoi( q );
+ }
 }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 else if( strcmp( p, "renegotiation" ) == 0 )
@@ -2896,7 +2905,12 @@ int main( int argc, char *argv[] )
 mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
 #if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_tls13_conf_max_early_data_size( &conf, opt.max_early_data_size );
+ mbedtls_ssl_tls13_conf_early_data( &conf, tls13_early_data_enabled );
+ if( tls13_early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
+ {
+ mbedtls_ssl_tls13_conf_max_early_data_size(
+ &conf, opt.max_early_data_size );
+ }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
From 39da9857df4f261b9efc54b77c5cbc7e1aa5d059 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 6 Dec 2022 16:58:36 +0800
Subject: [PATCH 09/10] remove limitation of max_early_data_size
Signed-off-by: Jerry Yu
---
 library/ssl_tls.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 227f8841d..65af6b62a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1709,9 +1709,7 @@ void mbedtls_ssl_tls13_conf_early_data( mbedtls_ssl_config *conf,
 void mbedtls_ssl_tls13_conf_max_early_data_size(
 mbedtls_ssl_config *conf, uint32_t max_early_data_size )
 {
- conf->max_early_data_size =
- max_early_data_size < MBEDTLS_SSL_MAX_EARLY_DATA_SIZE ?
- max_early_data_size : MBEDTLS_SSL_MAX_EARLY_DATA_SIZE;
+ conf->max_early_data_size = max_early_data_size;
 }
 #endif /* MBEDTLS_SSL_SRV_C */
From 6ee56aa18f370be6f5bafe54c3c7af5b1b78926e Mon Sep 17 00:00:00 2001
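Review bot: In the `max_early_data_size` parsing, the value stored into `opt.max_early_data_size` still comes from `atoi( q )` even though `q` was just parsed into `long long value`; `atoi` cannot represent inputs above INT_MAX, so limits in the upper half of the uint32_t range are mangled before they reach the field, and neither parse rejects inputs above UINT32_MAX before the implicit narrowing. Reusing `value`, bounding it against UINT32_MAX with the existing `goto usage` path, and comparing the flag against MBEDTLS_SSL_EARLY_DATA_ENABLED explicitly (as the second hunk of this commit already does) keeps the option well-defined. Note also that `atoll` yields 0 for non-numeric input, so `max_early_data_size=abc` silently enables early data with a limit of 0; that matches how the other options on this program use `atoi`, so it may be accepted style here, but a `strtoll` end-pointer check would catch it. The option-parsing loop that contains this branch starts and ends outside the hunk.
```c
            long long value = atoll( q );
            if( value > UINT32_MAX )
                goto usage;
            /* … unchanged: tls13_early_data_enabled = value >= 0 ? … */
            if( tls13_early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED )
            {
                opt.max_early_data_size = (uint32_t) value;
            }
```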
From: Jerry Yu
Date: Tue, 6 Dec 2022 17:47:22 +0800
Subject: [PATCH 10/10] Add default values for conf->*early_data*
- early_data default to disable
- max_early_data_size default to built-in value
Signed-off-by: Jerry Yu
---
 library/ssl_tls.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 65af6b62a..332e42872 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5126,6 +5126,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
+#if defined(MBEDTLS_SSL_EARLY_DATA)
+ mbedtls_ssl_tls13_conf_early_data( conf, MBEDTLS_SSL_EARLY_DATA_DISABLED );
+#if defined(MBEDTLS_SSL_SRV_C)
+ mbedtls_ssl_tls13_conf_max_early_data_size(
+ conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE );
+#endif
+#endif /* MBEDTLS_SSL_EARLY_DATA */
+
 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
 mbedtls_ssl_conf_new_session_tickets( conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS );