
Some projects using Mbed TLS have migrated their configuration file (config.h -> mbedtls_config.h, or MBEDTLS_CONFIG_FILE) from Mbed TLS 2.x, and kept including check_config.h. This is unnecessary since Mbed TLS 3.0, and increasingly in 3.x it may report spurious errors because the configuration adjustments have not been done yet. This has led some projects to include configuration adjustment headers manually, but only partially or in the wrong order, which can result in silent inconsistencies. Error out if this happens, with a message mentioning check_config.h since that's the likely root cause. ``` perl -i -pe '$name = $ARGV; $name =~ s!include/!!; $name =~ s!_adjust_.*!_adjust_*.h!; $_ .= "\n#if !defined(MBEDTLS_CONFIG_FILES_READ)\n#error \"Do not include $name manually! This can lead to problems, \" \\\n \"up to and including runtime errors such as buffer overflows. \" \\\n \"If you're trying to fix a complaint from check_config.h, just remove it \" \\\n \"from your configuration file: since Mbed TLS 3.0, it is included \" \\\n \"automatically at the right time.\"\n#endif /* !MBEDTLS_CONFIG_FILES_READ */\n" if /^#define .*_H$/' include/*/*adjust*.h ``` Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
/**
 * \file mbedtls/config_adjust_ssl.h
 *
 * \brief Adjust TLS configuration
 *
 * This is an internal header. Do not include it directly.
 *
 * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
 * configurations need to be explicitly enabled by the user: enabling
 * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
 * compilation error. However, we do automatically enable certain options
 * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
 * used to identify parts of a module that are used by other modules, and we
 * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
 * Another case is if A didn't depend on B in earlier versions, and we
 * want to use B in A but we need to preserve backward compatibility with
 * configurations that explicitly activate MBEDTLS_xxx_A but not
 * MBEDTLS_xxx_B.
 *
 * This header only removes options that cannot be used without their
 * prerequisites (with #undef) and defines one internal marker macro
 * (MBEDTLS_SSL_TLS1_2_SOME_ECC). It performs no other work.
 */
/*
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
 */

#ifndef MBEDTLS_CONFIG_ADJUST_SSL_H
#define MBEDTLS_CONFIG_ADJUST_SSL_H

/* Guard against manual inclusion. MBEDTLS_CONFIG_FILES_READ is expected to
 * be defined by the library's own configuration machinery, which pulls in
 * the config_adjust_*.h headers at the right time (since Mbed TLS 3.0, as
 * the message below states). If a project includes an adjustment header
 * itself, possibly only one of them or before the configuration file has
 * been fully read, the #undef/#define decisions below are made against an
 * incomplete option set, and different translation units may then disagree
 * about which options are active. The wording of the error names
 * check_config.h because a stale check_config.h include is the usual reason
 * projects start including these headers by hand. */
#if !defined(MBEDTLS_CONFIG_FILES_READ)
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
"up to and including runtime errors such as buffer overflows. " \
"If you're trying to fix a complaint from check_config.h, just remove " \
"it from your configuration file: since Mbed TLS 3.0, it is included " \
"automatically at the right time."
#endif /* !MBEDTLS_CONFIG_FILES_READ */

/* The following blocks make it easier to disable all of TLS,
 * or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all
 * key exchanges, options and extensions related to them.
 *
 * Order matters: the MBEDTLS_SSL_TLS_C block comes first because it
 * undefines the three MBEDTLS_SSL_PROTO_xxx macros, which the per-protocol
 * blocks further down then test. Disabling all of TLS therefore also
 * cascades into every protocol-specific #undef below. */

/* No TLS at all: drop both endpoints and every protocol version. */
#if !defined(MBEDTLS_SSL_TLS_C)
#undef MBEDTLS_SSL_CLI_C
#undef MBEDTLS_SSL_SRV_C
#undef MBEDTLS_SSL_PROTO_TLS1_3
#undef MBEDTLS_SSL_PROTO_TLS1_2
#undef MBEDTLS_SSL_PROTO_DTLS
#endif /* !MBEDTLS_SSL_TLS_C */

/* The ticket module is only meaningful on a server that has session tickets
 * enabled. Note this is evaluated after the block above, so it also fires
 * when MBEDTLS_SSL_SRV_C was just removed by disabling MBEDTLS_SSL_TLS_C. */
#if !(defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS))
#undef MBEDTLS_SSL_TICKET_C
#endif /* !(MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_SESSION_TICKETS) */

/* DTLS-only features: anti-replay window, connection ID (and its
 * compatibility variant), HelloVerifyRequest, SRTP keying, client port
 * reuse. None of these apply to stream-based TLS. */
#if !defined(MBEDTLS_SSL_PROTO_DTLS)
#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
#undef MBEDTLS_SSL_DTLS_SRTP
#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
#endif /* !MBEDTLS_SSL_PROTO_DTLS */

/* TLS 1.2-only features and the TLS 1.2 key exchange family
 * (MBEDTLS_KEY_EXCHANGE_xxx_ENABLED). The TLS 1.3 key exchange modes use a
 * separate MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_xxx namespace and are
 * handled in the next block. */
#if !defined(MBEDTLS_SSL_PROTO_TLS1_2)
#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#undef MBEDTLS_SSL_RENEGOTIATION
#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#endif /* !MBEDTLS_SSL_PROTO_TLS1_2 */

/* TLS 1.3-only features: the three key exchange modes, early data and the
 * record size limit extension. */
#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
#undef MBEDTLS_SSL_EARLY_DATA
#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT
#endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */

/* Internal marker: TLS 1.2 is enabled together with at least one ECC-based
 * component (ECDH, ECDSA or EC J-PAKE). This is the "internal option used
 * to identify parts of a module" case described in the file header; its
 * consumers live outside this file. Because MBEDTLS_SSL_PROTO_TLS1_2 and
 * MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED may have been #undef'd above, this
 * must stay after the blocks that adjust them. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
(defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
#define MBEDTLS_SSL_TLS1_2_SOME_ECC
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && some ECC component */

#endif /* MBEDTLS_CONFIG_ADJUST_SSL_H */