Commit 91cbd73c authored by Greg Zaverucha's avatar Greg Zaverucha Committed by Kevin Kane

[IOT-1621] Add custom config.h file mbedtls build options

Adds a new version of the mbedtls config.h file specialized to IoTivity.
Library features that are not required by IoTivity are removed from the build.
The new file is extlibs/mbedtls/config-iotivity.h. Changes to config.h made by
ocf.patch are now made directly in config-iotivity.h. Update the scons file to
copy this to mbedtls/include/mbedtls/config.h. Update ssaladapter tests so that
they don't allow unsupported TLS versions.

TLS renegotiation was being disabled at runtime, now it is disabled at build.

To review the changes that IoTivity makes to config.h relative to the default,
diff extlibs/mbedtls/config-iotivity.h and
extlibs/mbedtls/mbedtls/include/mbedtls/config.h.

Change-Id: I9e6190e7c0e145443d5e164ccf47314a3bfcf53e
Signed-off-by: default avatarGreg Zaverucha <gregz@microsoft.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/15175Tested-by: default avatarjenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: default avatarKevin Kane <kkane@microsoft.com>
parent c0645c68
...@@ -23,6 +23,7 @@ Import('env') ...@@ -23,6 +23,7 @@ Import('env')
import os import os
import sys import sys
import subprocess import subprocess
from shutil import copyfile
target_os = env.get('TARGET_OS') target_os = env.get('TARGET_OS')
root_dir = env.get('SRC_DIR') root_dir = env.get('SRC_DIR')
...@@ -71,6 +72,19 @@ else: ...@@ -71,6 +72,19 @@ else:
print 'mbedtls: Assume ocf.patch (TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256) was applied in %s' % mbedtls_dir print 'mbedtls: Assume ocf.patch (TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256) was applied in %s' % mbedtls_dir
os.chdir(start_dir) os.chdir(start_dir)
# Copy IoTivity's version of the mbedtls build configuration file
# from extlibs/mbedtls/iotivity-config.h
# to extlibs/mbedtls/mbedtls/include/mbedtls/config.h
iotivity_config = os.path.join(root_dir, 'extlibs', 'mbedtls', 'config-iotivity.h')
mbedtls_config = os.path.join(root_dir, 'extlibs', 'mbedtls', 'mbedtls', 'include', 'mbedtls', 'config.h')
try:
copyfile(iotivity_config, mbedtls_config)
except:
print 'mbedtls SConscript: cannot copy ' + iotivity_config + ' to ' + mbedtls_config
Exit(1)
else:
print 'Copied IoTivity version of config.h to ' + mbedtls_config
mbedtls_env = env.Clone() mbedtls_env = env.Clone()
mbedtls_env.PrependUnique(CPPPATH = [mbedtls_dir]) mbedtls_env.PrependUnique(CPPPATH = [mbedtls_dir])
......
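Review bot: The bare `except:` around the new copyfile call catches everything, including SystemExit and KeyboardInterrupt, and discards the reason the copy failed; narrow it and report the error: `except (IOError, OSError) as e:` / `print 'mbedtls SConscript: cannot copy %s to %s: %s' % (iotivity_config, mbedtls_config, e)`. The comment above the copy names the source as `extlibs/mbedtls/iotivity-config.h` while the code joins `config-iotivity.h`; it should read `# from extlibs/mbedtls/config-iotivity.h`. The copy also runs on every invocation and, as far as this hunk shows, is not declared to SCons as a dependency of the mbedtls objects, so an edit to config-iotivity.h may not trigger a rebuild of already-compiled mbedtls sources — worth confirming against the rest of the SConscript.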
...@@ -44,49 +44,6 @@ index 27abbd9..fa4db26 100644 ...@@ -44,49 +44,6 @@ index 27abbd9..fa4db26 100644
#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA #define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 #define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6fc9c77..9798b39 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -648,6 +648,21 @@
#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED
+ *
+ * Enable the ECDHE-ANON based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C
+ *
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED
+
+
+/**
* \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
*
* Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
@@ -1233,7 +1248,7 @@
*
* Comment this macro to disable support for SSL session tickets
*/
-#define MBEDTLS_SSL_SESSION_TICKETS
+//#define MBEDTLS_SSL_SESSION_TICKETS
/**
* \def MBEDTLS_SSL_EXPORT_KEYS
@@ -1473,6 +1488,7 @@
* MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256
*
* PEM_PARSE uses AES for decrypting encrypted keys.
*/
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index ba499d2..8046e6e 100644 index ba499d2..8046e6e 100644
--- a/include/mbedtls/ssl.h --- a/include/mbedtls/ssl.h
......
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#include "mbedtls/pkcs12.h" #include "mbedtls/pkcs12.h"
#include "mbedtls/ssl_internal.h" #include "mbedtls/ssl_internal.h"
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#ifdef __WITH_DTLS__ #ifdef __WITH_DTLS__
#include "mbedtls/timing.h" #include "mbedtls/timing.h"
#include "mbedtls/ssl_cookie.h" #include "mbedtls/ssl_cookie.h"
...@@ -1269,13 +1269,18 @@ static int InitConfig(mbedtls_ssl_config * conf, int transport, int mode) ...@@ -1269,13 +1269,18 @@ static int InitConfig(mbedtls_ssl_config * conf, int transport, int mode)
return -1; return -1;
} }
/*
* Configure mbedTLS runtime options. Many options are configured at build
* time, see extlibs/mbedtls/config-iotivity.h
*/
mbedtls_ssl_conf_psk_cb(conf, GetPskCredentialsCallback, NULL); mbedtls_ssl_conf_psk_cb(conf, GetPskCredentialsCallback, NULL);
mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &g_caSslContext->rnd); mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(conf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(conf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(conf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_REQUIRED);
/* Set TLS 1.2 as the minimum allowed version. */
mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
#if !defined(NDEBUG) || defined(TB_LOG) #if !defined(NDEBUG) || defined(TB_LOG)
mbedtls_ssl_conf_dbg(conf, DebugSsl, NULL); mbedtls_ssl_conf_dbg(conf, DebugSsl, NULL);
mbedtls_debug_set_threshold(MBED_TLS_DEBUG_LEVEL); mbedtls_debug_set_threshold(MBED_TLS_DEBUG_LEVEL);
......
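Review bot: Dropping the runtime `mbedtls_ssl_conf_renegotiation(conf, MBEDTLS_SSL_RENEGOTIATION_DISABLED)` call makes the adapter depend on config-iotivity.h leaving MBEDTLS_SSL_RENEGOTIATION undefined, and that file is not visible in this view; a compile-time guard next to the new comment would make the assumption fail loudly if the option is ever re-enabled: `#if defined(MBEDTLS_SSL_RENEGOTIATION)` / `#error "IoTivity builds mbedtls without TLS renegotiation; see extlibs/mbedtls/config-iotivity.h"` / `#endif`. The same consideration applies to the test hunks below, which drop the same call. The relocated `mbedtls_ssl_conf_min_version` and its comment `/* Set TLS 1.2 as the minimum allowed version. */` are accurate for TLS; for the DTLS transport the same constants select DTLS 1.2, which the comment could mention. InitConfig starts and ends outside this hunk.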
...@@ -432,8 +432,8 @@ static int32_t GetDtlsPskCredentials( CADtlsPskCredType_t, ...@@ -432,8 +432,8 @@ static int32_t GetDtlsPskCredentials( CADtlsPskCredType_t,
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \ #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \ !defined(MBEDTLS_PEM_PARSE_C) ||!defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) !defined(MBEDTLS_X509_CRT_PARSE_C)
static int client( void ) static int client( void )
{ {
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
...@@ -445,13 +445,13 @@ static int client( void ) ...@@ -445,13 +445,13 @@ static int client( void )
} }
#else #else
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/certs.h"
#include <string.h> #include <string.h>
...@@ -704,7 +704,7 @@ exit: ...@@ -704,7 +704,7 @@ exit:
} }
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C && #endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
MBEDTLS_CERTS_C && MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C &&
MBEDTLS_X509_CRT_PARSE_C */ MBEDTLS_X509_CRT_PARSE_C */
/* ************************** /* **************************
...@@ -730,15 +730,15 @@ exit: ...@@ -730,15 +730,15 @@ exit:
#define mbedtls_printf printf #define mbedtls_printf printf
#endif #endif
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_CERTS_C) || \ #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PEM_PARSE_C)|| \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) || \ !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) || \
!defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \ !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO)
!defined(MBEDTLS_PEM_PARSE_C)
/* int */void * server( void ) /* int */void * server( void )
{ {
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C " mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C " "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
...@@ -752,10 +752,9 @@ exit: ...@@ -752,10 +752,9 @@ exit:
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h" #include "mbedtls/x509.h"
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/net.h" #include "mbedtls/net_sockets.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/debug.h" #include "mbedtls/debug.h"
...@@ -1090,7 +1089,7 @@ exit: ...@@ -1090,7 +1089,7 @@ exit:
return NULL; return NULL;
} }
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_CERTS_C && MBEDTLS_ENTROPY_C && #endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C && MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C
&& MBEDTLS_FS_IO && MBEDTLS_PEM_PARSE_C */ && MBEDTLS_FS_IO && MBEDTLS_PEM_PARSE_C */
...@@ -1192,8 +1191,7 @@ static int testCAsetSslAdapterCallbacks() ...@@ -1192,8 +1191,7 @@ static int testCAsetSslAdapterCallbacks()
&g_caSslContext->rnd); &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1); MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED);
CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
mbedtls_x509_crt_init(&g_caSslContext->ca); mbedtls_x509_crt_init(&g_caSslContext->ca);
...@@ -1315,8 +1313,7 @@ static void * test0CAinitiateSslHandshake(void * arg) ...@@ -1315,8 +1313,7 @@ static void * test0CAinitiateSslHandshake(void * arg)
&g_caSslContext->rnd); &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1); MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_x509_crt_init(&g_caSslContext->ca); mbedtls_x509_crt_init(&g_caSslContext->ca);
mbedtls_x509_crt_init(&g_caSslContext->crt); mbedtls_x509_crt_init(&g_caSslContext->crt);
...@@ -1477,8 +1474,7 @@ static void * testCAencryptSsl(void * arg) ...@@ -1477,8 +1474,7 @@ static void * testCAencryptSsl(void * arg)
&g_caSslContext->rnd); &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1); MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED);
CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
mbedtls_x509_crt_init(&g_caSslContext->ca); mbedtls_x509_crt_init(&g_caSslContext->ca);
...@@ -1723,8 +1719,7 @@ static void * testCAdecryptSsl(void * arg) ...@@ -1723,8 +1719,7 @@ static void * testCAdecryptSsl(void * arg)
&g_caSslContext->rnd); &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1); MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED);
CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
mbedtls_x509_crt_init(&g_caSslContext->ca); mbedtls_x509_crt_init(&g_caSslContext->ca);
...@@ -1867,8 +1862,7 @@ static int testCAdeinitSslAdapter() ...@@ -1867,8 +1862,7 @@ static int testCAdeinitSslAdapter()
&g_caSslContext->rnd); &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1); MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_x509_crt_init(&g_caSslContext->ca); mbedtls_x509_crt_init(&g_caSslContext->ca);
mbedtls_x509_crt_init(&g_caSslContext->crt); mbedtls_x509_crt_init(&g_caSslContext->crt);
...@@ -2225,8 +2219,7 @@ static void * testCAsslGenerateOwnerPsk(void * arg) ...@@ -2225,8 +2219,7 @@ static void * testCAsslGenerateOwnerPsk(void * arg)
&g_caSslContext->rnd); &g_caSslContext->rnd);
mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]); mbedtls_ssl_conf_curves(&g_caSslContext->clientTlsConf, curve[ADAPTER_CURVE_SECP256R1]);
mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ssl_conf_min_version(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_1); MBEDTLS_SSL_MINOR_VERSION_3);
mbedtls_ssl_conf_renegotiation(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&g_caSslContext->clientTlsConf, MBEDTLS_SSL_VERIFY_REQUIRED);
CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); CAsetTlsCipherSuite(MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
mbedtls_x509_crt_init(&g_caSslContext->ca); mbedtls_x509_crt_init(&g_caSslContext->ca);
......
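Review bot: The rewritten `#if` guards lose the space before `||` in two places — `!defined(MBEDTLS_PEM_PARSE_C) ||!defined(MBEDTLS_CTR_DRBG_C)` in the client guard and `!defined(MBEDTLS_PEM_PARSE_C)|| \` in the server guard — which should read `!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_CTR_DRBG_C) || \` to match the surrounding lines. The server's fallback `mbedtls_printf` message was updated to drop MBEDTLS_CERTS_C, but the client's message starting `"MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "` continues outside the hunk, so check that it no longer names MBEDTLS_CERTS_C either. The six test functions each repeat the same clientTlsConf setup (rng, curves, minimum version, authmode) and the version bump to MBEDTLS_SSL_MINOR_VERSION_3 had to be applied in all six; a small static helper for that setup would make the next such change a one-line edit. Each of those functions starts and ends outside its hunk.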