From ba8b1eb5d90bc866f12d78e5df36dbab3135affe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 17 Jun 2019 15:21:07 +0200
Subject: [PATCH] Use negated option for controlling TLS support.

A positive option looks better, but comes with the following compatibility issue: people using a custom config.h that is not based on the default config.h and need TLS support would need to manually change their config in order to still get TLS. Work around that by making the public option negative. Internally the positive option is used, though. In the future (when preparing the next major version), we might want to switch back to a positive option as this would be more consistent with other options we have.
---
 configs/config-ccm-psk-tls1_2.h | 1 -
 configs/config-mini-tls1_1.h | 1 -
 configs/config-suite-b.h | 1 -
 configs/config-thread.h | 1 +
 include/mbedtls/check_config.h | 2 +-
 include/mbedtls/config.h | 27 ++++++++++++---------------
 include/mbedtls/ssl.h | 4 ++--
 include/mbedtls/ssl_internal.h | 6 ++++++
 library/version_features.c | 6 +++---
 programs/ssl/query_config.c | 8 ++++----
 programs/ssl/ssl_client1.c | 4 ++--
 programs/ssl/ssl_fork_server.c | 6 +++---
 programs/ssl/ssl_mail_client.c | 6 +++---
 programs/ssl/ssl_pthread_server.c | 6 +++---
 programs/ssl/ssl_server.c | 6 +++---
 scripts/config.pl | 2 ++
 16 files changed, 45 insertions(+), 42 deletions(-)

diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index bd2c1a3b84..c9b58dd538 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -41,7 +41,6 @@
 /* mbed TLS feature support */
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS
 
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h
index 349ea8e577..013bc0300d 100644
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@@ -40,7 +40,6 @@
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_1
-#define MBEDTLS_SSL_PROTO_TLS
 
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index e6fad1c0ef..18e2c40369 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -47,7 +47,6 @@
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_PROTO_TLS
 
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index 3166aa9701..4fa0b8d198 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -49,6 +49,7 @@
 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #define MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_PROTO_NO_TLS
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
 #define MBEDTLS_SSL_EXPORT_KEYS
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index b3677b5287..34f1a3bee4 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -566,7 +566,7 @@
 #endif
 
 #if defined(MBEDTLS_SSL_TLS_C) && \
- ( !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
+ ( defined(MBEDTLS_SSL_PROTO_NO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
 #endif
 
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e0b5ba41cc..1653f89507 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1508,7 +1508,7 @@
 * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2,
 * and/or this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0.
- * \see MBEDTLS_SSL_PROTO_TLS
+ * \see MBEDTLS_SSL_PROTO_NO_TLS
 * Requires: MBEDTLS_SSL_PROTO_TLS1_1
 * or MBEDTLS_SSL_PROTO_TLS1_2
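Review bot: The rewritten check_config.h condition only catches the all-off case; nothing visible here rejects a config that defines both the public `MBEDTLS_SSL_PROTO_NO_TLS` and the old positive `MBEDTLS_SSL_PROTO_TLS`, which this commit turns into a derived internal macro, and a custom config.h written against the previous naming (the very case the commit message is worried about) could carry the positive spelling. With both defined, this check and the sample programs treat TLS as off while ssl_internal.h still defines the positive name, so the library side is built with TLS and the error text is misleading. A guard next to this check, `#if defined(MBEDTLS_SSL_PROTO_TLS) && defined(MBEDTLS_SSL_PROTO_NO_TLS)` / `#error "MBEDTLS_SSL_PROTO_TLS is internal, use MBEDTLS_SSL_PROTO_NO_TLS"` / `#endif`, would surface that at configuration time. The unchanged message `neither TLS or DTLS` would also read better as `neither TLS nor DTLS`.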
@@ -1518,25 +1518,22 @@
 #define MBEDTLS_SSL_PROTO_DTLS
 
 /**
- * \def MBEDTLS_SSL_PROTO_TLS
+ * \def MBEDTLS_SSL_PROTO_NO_TLS
- * Enable support for SSL/TLS (all available versions).
+ * Disable support for SSL/TLS (all available versions) - this doesn't affect
+ * support for DTLS which is controlled by #MBEDTLS_SSL_PROTO_DTLS.
- * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
- * enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
- * enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
- * and/or this and MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0 (deprecated).
+ * Disable this and enable MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1;
+ * disable this and enable MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0;
+ * disable this and enable MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0.
- * \see MBEDTLS_SSL_PROTO_DTLS
+ * Requirements: if this macro is disabled, at least one of the above
+ * TLS versions needs to be enabled.
- * Requires: MBEDTLS_SSL_PROTO_TLS1_2
- * or MBEDTLS_SSL_PROTO_TLS1_1
- * or MBEDTLS_SSL_PROTO_TLS1
- * or MBEDTLS_SSL_PROTO_SSL3 (deprecated)
- *
- * Comment this macro to disable support for TLS
+ * Uncomment this macro to disable support for TLS.
 */
-#define MBEDTLS_SSL_PROTO_TLS
+//#define MBEDTLS_SSL_PROTO_NO_TLS
 
 /**
 * \def MBEDTLS_SSL_ALPN
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 653f857cc7..1a4eaf6632 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1337,8 +1337,8 @@ void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
 
 /**
 * \brief Set the transport type (TLS or DTLS).
- * Default: TLS if #MBEDTLS_SSL_PROTO_TLS is defined, else
- * DTLS.
+ * Default: TLS unless #MBEDTLS_SSL_PROTO_NO_TLS is defined,
+ * else DTLS.
 *
 * \note For DTLS, you must either provide a recv callback that
 * doesn't block, or one that handles timeouts, see
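Review bot: The rewritten MBEDTLS_SSL_PROTO_NO_TLS block drops two things the old text carried: the `\see MBEDTLS_SSL_PROTO_DTLS` cross-reference (the DTLS entry in the preceding hunk still points here, so the link is now one-way) and the `(deprecated)` marker on SSL 3.0, which belongs next to any sentence explaining how to enable it. Suggest `* disable this and enable MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0 (deprecated).` and re-adding `* \see MBEDTLS_SSL_PROTO_DTLS` before the requirements paragraph. "if this macro is disabled" is also ambiguous for an option that takes effect by being uncommented; `if this macro is not defined` states what the preprocessor actually tests.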
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 1c8709f3f4..e6c829d3a6 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -58,6 +58,12 @@
 #define inline __inline
 #endif
 
+/* The public option is negative for backwards compatibility,
+ * but internally a poisitive option is more convenient. */
+#if !defined(MBEDTLS_SSL_PROTO_NO_TLS)
+#define MBEDTLS_SSL_PROTO_TLS
+#endif
+
 /* Determine minimum supported version */
 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
 
diff --git a/library/version_features.c b/library/version_features.c
index fc0b1f8f03..b1458a4ed7 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -486,9 +486,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 "MBEDTLS_SSL_PROTO_DTLS",
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_PROTO_TLS)
- "MBEDTLS_SSL_PROTO_TLS",
-#endif /* MBEDTLS_SSL_PROTO_TLS */
+#if defined(MBEDTLS_SSL_PROTO_NO_TLS)
+ "MBEDTLS_SSL_PROTO_NO_TLS",
+#endif /* MBEDTLS_SSL_PROTO_NO_TLS */
 #if defined(MBEDTLS_SSL_ALPN)
 "MBEDTLS_SSL_ALPN",
 #endif /* MBEDTLS_SSL_ALPN */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index be35a76ce5..d04f5123f2 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1338,13 +1338,13 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
-#if defined(MBEDTLS_SSL_PROTO_TLS)
- if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
+#if defined(MBEDTLS_SSL_PROTO_NO_TLS)
+ if( strcmp( "MBEDTLS_SSL_PROTO_NO_TLS", config ) == 0 )
 {
- MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_NO_TLS );
 return( 0 );
 }
-#endif /* MBEDTLS_SSL_PROTO_TLS */
+#endif /* MBEDTLS_SSL_PROTO_NO_TLS */
 
 #if defined(MBEDTLS_SSL_ALPN)
 if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
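Review bot: `poisitive` in the new ssl_internal.h comment should be `positive`. More substantively, the derived `MBEDTLS_SSL_PROTO_TLS` exists only in translation units that include ssl_internal.h, so any file still testing the positive name without that include would silently compile as if TLS were disabled instead of failing; the sample programs in this commit were switched to the negative name, but tests and other library files are not visible from here and are worth grepping for the old spelling. Stating that scope in the comment, e.g. `/* Only visible to files including ssl_internal.h; code outside the library must test MBEDTLS_SSL_PROTO_NO_TLS. */`, would make the contract explicit for the next maintainer.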
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index fc601ecd62..5d6758302f 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -44,14 +44,14 @@
 !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
 !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
 !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
- !defined(MBEDTLS_SSL_PROTO_TLS)
+ defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
 "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or"
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 62b4c40987..bbe61fd2a8 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -44,7 +44,7 @@
 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_TIMING_C) || \
 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_PEM_PARSE_C) || \
- !defined(MBEDTLS_SSL_PROTO_TLS)
+ defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( int argc, char *argv[] )
 {
 ((void) argc);
@@ -54,8 +54,8 @@ int main( int argc, char *argv[] )
 "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
- "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+ "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #elif defined(_WIN32)
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 55c90c645b..bc3fc8bcdb 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
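Review bot: The new ssl_client1.c message still prints `MBEDTLS_X509_CRT_PARSE_C and/ornot defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.` because the unchanged literal above the added line ends in `and/or` with no trailing space, so the added `"not defined, ..."` fragment is glued straight onto it; the old text had the same join problem, but this commit rewrites the sentence and is the place to fix it. The sibling hunks in ssl_mail_client.c, ssl_pthread_server.c and ssl_server.c handled this by ending the module list with `not defined, and/or`, so do the same here: change the context line to `"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "` and keep the added `"not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");`. The message also omits MBEDTLS_CERTS_C and MBEDTLS_PEM_PARSE_C, which the `#if` above does test, though that predates the commit.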
@@ -48,14 +48,14 @@
 !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
 !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
 !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
- !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_SSL_PROTO_TLS)
+ !defined(MBEDTLS_FS_IO) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
 "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
- "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
+ "not defined, and/or MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index b00f476175..17f4584f03 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -45,7 +45,7 @@
 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
 !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) || \
- !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
+ !defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
@@ -53,8 +53,8 @@ int main( void )
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
 "MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD "
- "and/or MBEDTLS_PEM_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+ "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 05d58fa74e..97918562ac 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -44,15 +44,15 @@
 !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
 !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
- !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_SSL_PROTO_TLS)
+ !defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_SSL_PROTO_NO_TLS)
 int main( void )
 {
 mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_CERTS_C and/or MBEDTLS_ENTROPY_C "
 "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
 "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
 "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
- "and/or MBEDTLS_PEM_PARSE_C and/or "
- "MBEDTLS_SSL_PROTO_TLS not defined.\n");
+ "and/or MBEDTLS_PEM_PARSE_C not defined, and/or "
+ "MBEDTLS_SSL_PROTO_NO_TLS defined.\n");
 return( 0 );
 }
 #else
diff --git a/scripts/config.pl b/scripts/config.pl
index 86af55394c..ed9aa02a67 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -31,6 +31,7 @@
 # MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 # MBEDTLS_REMOVE_3DES_CIPHERSUITES
 # MBEDTLS_SSL_HW_RECORD_ACCEL
+# MBEDTLS_SSL_PROTO_NO_DTLS
 # MBEDTLS_RSA_NO_CRT
 # MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 # MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
@@ -92,6 +93,7 @@ MBEDTLS_RSA_NO_CRT
 MBEDTLS_REMOVE_ARC4_CIPHERSUITES
 MBEDTLS_REMOVE_3DES_CIPHERSUITES
 MBEDTLS_SSL_HW_RECORD_ACCEL
+MBEDTLS_SSL_PROTO_NO_TLS
 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_ZLIB_SUPPORT
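Review bot: The name added to the config.pl comment list in the first hunk is `MBEDTLS_SSL_PROTO_NO_DTLS`, which no file in this commit defines; the second hunk adds the correct `MBEDTLS_SSL_PROTO_NO_TLS` to the exclusion list itself. Since that comment is the user-facing description of which options `full` leaves disabled, the line should read `# MBEDTLS_SSL_PROTO_NO_TLS`. Excluding the option from `full` is the right call, as enabling it there would turn off TLS for the full-config builds and tests.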