mbedtls: Fix setting allowed cipher suites

[project/ustream-ssl.git] / ustream-mbedtls.c

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 7fbfba5dbd1b1bf28297e1369ed869bd9601d2dc..9b22ad281174666f498045c187aa57f07e2dd3a7 100644 (file)
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -87,21 +87,17 @@ static int _urandom(void *ctx, unsigned char *out, size_t len)
 }
 
 #define TLS_DEFAULT_CIPHERS                    \
-    TLS_CIPHER(AES_256_CBC_SHA256)             \
-    TLS_CIPHER(AES_256_GCM_SHA384)             \
-    TLS_CIPHER(AES_256_CBC_SHA)                        \
-    TLS_CIPHER(CAMELLIA_256_CBC_SHA256)                \
-    TLS_CIPHER(CAMELLIA_256_CBC_SHA)           \
-    TLS_CIPHER(AES_128_CBC_SHA256)             \
     TLS_CIPHER(AES_128_GCM_SHA256)             \
+    TLS_CIPHER(AES_256_GCM_SHA384)             \
     TLS_CIPHER(AES_128_CBC_SHA)                        \
-    TLS_CIPHER(CAMELLIA_128_CBC_SHA256)                \
-    TLS_CIPHER(CAMELLIA_128_CBC_SHA)           \
+    TLS_CIPHER(AES_256_CBC_SHA)                        \
     TLS_CIPHER(3DES_EDE_CBC_SHA)
 
 static const int default_ciphersuites_nodhe[] =
 {
 #define TLS_CIPHER(v)                          \
+       MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v,       \
+       MBEDTLS_TLS_ECDHE_RSA_WITH_##v,         \
        MBEDTLS_TLS_RSA_WITH_##v,
        TLS_DEFAULT_CIPHERS
 #undef TLS_CIPHER
@@ -111,6 +107,8 @@ static const int default_ciphersuites_nodhe[] =
 static const int default_ciphersuites[] =
 {
 #define TLS_CIPHER(v)                          \
+       MBEDTLS_TLS_ECDHE_ECDSA_WITH_##v,       \
+       MBEDTLS_TLS_ECDHE_RSA_WITH_##v,         \
        MBEDTLS_TLS_DHE_RSA_WITH_##v,           \
        MBEDTLS_TLS_RSA_WITH_##v,
        TLS_DEFAULT_CIPHERS
@@ -138,22 +136,32 @@ __ustream_ssl_context_new(bool server)
        mbedtls_x509_crt_init(&ctx->cert);
        mbedtls_x509_crt_init(&ctx->ca_cert);
 
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_init(&ctx->cache);
+       mbedtls_ssl_cache_set_timeout(&ctx->cache, 30 * 60);
+       mbedtls_ssl_cache_set_max_entries(&ctx->cache, 5);
+#endif
+
        conf = &ctx->conf;
        mbedtls_ssl_config_init(conf);
 
-       if (server) {
-               mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
-               ep = MBEDTLS_SSL_IS_SERVER;
-       } else {
-               mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
-               ep = MBEDTLS_SSL_IS_CLIENT;
-       }
+       ep = server ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT;
 
        mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
                                    MBEDTLS_SSL_PRESET_DEFAULT);
        mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
        mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
+       if (server)
+               mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_nodhe);
+       else
+               mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites);
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_conf_session_cache(conf, &ctx->cache,
+                                      mbedtls_ssl_cache_get,
+                                      mbedtls_ssl_cache_set);
+#endif
        return ctx;
 }
 
@@ -214,6 +222,9 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
 
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
+#if defined(MBEDTLS_SSL_CACHE_C)
+       mbedtls_ssl_cache_free(&ctx->cache);
+#endif
        mbedtls_pk_free(&ctx->key);
        mbedtls_x509_crt_free(&ctx->ca_cert);
        mbedtls_x509_crt_free(&ctx->cert);
@@ -316,6 +327,9 @@ __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len)
                if (ssl_do_wait(ret))
                        return U_SSL_PENDING;
 
+               if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
+                       return 0;
+
                ustream_ssl_error(us, ret);
                return U_SSL_ERROR;
        }