dtls: add build config option for ecc and psk

This makes it possible to build tinyDTLS without ECDHE_ECDHA or without
PSK support. Especially the ECDHE_ECDSA cipher needs some more code and
also extends the handshake struct by some 100 bytes. On constrained
devices one might just want tiynDTLS with PSK support or just with
ECDHE_ECDSA support.

Signed-off-by: Hauke Mehrtens <[email protected]>

Makefile.in

@@ -46,12 +46,18 @@ SOURCES:= dtls.c crypto.c ccm.c hmac.c netq.c peer.c dtls_time.c
 ifneq ("@NDEBUG@", "1")
 SOURCES += debug.c
 endif
-OBJECTS:= $(patsubst %.c, %.o, $(SOURCES)) aes/rijndael.o ecc/ecc.o @OPT_OBJS@
+OBJECTS:= $(patsubst %.c, %.o, $(SOURCES)) aes/rijndael.o @OPT_OBJS@
+ifeq ("@DTLS_ECC@", "1")
+OBJECTS += ecc/ecc.o
+endif
 HEADERS:=dtls.h hmac.h debug.h config.h uthash.h numeric.h crypto.h global.h ccm.h \
  netq.h t_list.h alert.h utlist.h prng.h peer.h state.h dtls_time.h
 CFLAGS:=-Wall -pedantic -std=c99 @CFLAGS@
 CPPFLAGS:=@CPPFLAGS@ -DDTLS_CHECK_CONTENTTYPE
-SUBDIRS:=tests doc sha2 aes ecc
+SUBDIRS:=tests doc sha2 aes
+ifeq ("@DTLS_ECC@", "1")
+SUBDIRS += ecc
+endif
 DISTDIR=$(top_builddir)/$(package)
 FILES:=Makefile.in configure configure.in config.h.in $(SOURCES) $(HEADERS)
 LIB:=libtinydtls.a

Makefile.tinydtls

@@ -21,5 +21,16 @@ CFLAGS += -DSHA2_USE_INTTYPES_H=1
 endif
 
 CFLAGS += -DDTLSv12 -DWITH_SHA256 
+tinydtls_src = dtls.c crypto.c hmac.c rijndael.c sha2.c ccm.c netq.c ecc.c dtls_time.c peer.c
+
+# This adds support for TLS_PSK_WITH_AES_128_CCM_8
+CFLAGS += -DDTLS_PSK
+
+# This adds support for TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+CFLAGS += -DDTLS_ECC
+tinydtls_src += ecc.c
+
+# This activates debugging support
+# CFLAGS += -DNDEBUG
+tinydtls_src += debug.c
 
-tinydtls_src = dtls.c crypto.c hmac.c rijndael.c sha2.c ccm.c netq.c debug.c ecc.c dtls_time.c peer.c

configure.in

@@ -58,11 +58,26 @@ AC_ARG_WITH(debug,
    NDEBUG=1], 
   [])
 
+
+AC_ARG_WITH(ecc,
+  [AS_HELP_STRING([--without-ecc],[disable support for TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8])],
+  [],
+  [CPPFLAGS="${CPPFLAGS} -DDTLS_ECC"
+   DTLS_ECC=1])
+
+AC_ARG_WITH(psk,
+  [AS_HELP_STRING([--without-psk],[disable support for TLS_PSK_WITH_AES_128_CCM_8])],
+  [],
+  [CPPFLAGS="${CPPFLAGS} -DDTLS_PSK"
+   DTLS_PSK=1])
+
 CPPFLAGS="${CPPFLAGS} -DDTLSv12 -DWITH_SHA256"
 OPT_OBJS="${OPT_OBJS} sha2/sha2.o"
 
 AC_SUBST(OPT_OBJS)
 AC_SUBST(NDEBUG)
+AC_SUBST(DTLS_ECC)
+AC_SUBST(DTLS_PSK)
 
 # Checks for header files.
 AC_CHECK_HEADERS([assert.h arpa/inet.h fcntl.h inttypes.h netdb.h netinet/in.h stddef.h stdint.h stdlib.h string.h strings.h sys/param.h sys/socket.h sys/time.h time.h unistd.h])

crypto.c

@@ -307,6 +307,7 @@ dtls_ccm_decrypt(aes128_ccm_t *ccm_ctx, const unsigned char *src,
   return len;
 }
 
+#ifdef DTLS_PSK
 int
 dtls_psk_pre_master_secret(unsigned char *key, size_t keylen,
 			   unsigned char *result, size_t result_len) {
@@ -329,7 +330,9 @@ dtls_psk_pre_master_secret(unsigned char *key, size_t keylen,
 
   return 2 * (sizeof(uint16) + keylen);
 }
+#endif /* DTLS_PSK */
 
+#ifdef DTLS_ECC
 static void dtls_ec_key_to_uint32(const unsigned char *key, size_t key_size,
 				  uint32_t *result) {
   int i;
@@ -509,6 +512,7 @@ dtls_ecdsa_verify_sig(const unsigned char *pub_key_x,
   return dtls_ecdsa_verify_sig_hash(pub_key_x, pub_key_y, key_size, sha256hash,
 				    sizeof(sha256hash), result_r, result_s);
 }
+#endif /* DTLS_ECC */
 
 int 
 dtls_encrypt(const unsigned char *src, size_t length,

crypto.h

@@ -121,8 +121,12 @@ typedef struct {
   dtls_cipher_t cipher;		/**< cipher type */
   unsigned int do_client_auth:1;
   union {
+#ifdef DTLS_ECC
     dtls_handshake_parameters_ecdsa_t ecdsa;
+#endif /* DTLS_ECC */
+#ifdef DTLS_PSK
     dtls_handshake_parameters_psk_t psk;
+#endif /* DTLS_PSK */
   } keyx;
 } dtls_handshake_parameters_t;
 

dtls-client.c

@@ -115,6 +115,7 @@ send_to_peer(struct dtls_context_t *ctx,
   return len;
 }
 
+#ifdef DTLS_PSK
 static int
 get_psk_key(struct dtls_context_t *ctx, 
 	    const session_t *session, 
@@ -131,7 +132,9 @@ get_psk_key(struct dtls_context_t *ctx,
   *result = &psk;
   return 0;
 }
+#endif /* DTLS_PSK */
 
+#ifdef DTLS_ECC
 static int
 get_ecdsa_key(struct dtls_context_t *ctx,
 	      const session_t *session,
@@ -155,6 +158,7 @@ verify_ecdsa_key(struct dtls_context_t *ctx,
 		 size_t key_size) {
   return 0;
 }
+#endif /* DTLS_ECC */
 
 PROCESS(udp_server_process, "UDP server process");
 AUTOSTART_PROCESSES(&udp_server_process);
@@ -216,9 +220,13 @@ init_dtls(session_t *dst) {
     .write = send_to_peer,
     .read  = read_from_peer,
     .event = NULL,
+#ifdef DTLS_PSK
     .get_psk_key = get_psk_key,
+#endif /* DTLS_PSK */
+#ifdef DTLS_ECC
     .get_ecdsa_key = get_ecdsa_key,
     .verify_ecdsa_key = verify_ecdsa_key
+#endif /* DTLS_ECC */
   };
   PRINTF("DTLS client started\n");
 

dtls-server.c

@@ -106,6 +106,7 @@ send_to_peer(struct dtls_context_t *ctx,
   return len;
 }
 
+#ifdef DTLS_PSK
 static int
 get_psk_key(struct dtls_context_t *ctx, 
 	    const session_t *session, 
@@ -122,7 +123,9 @@ get_psk_key(struct dtls_context_t *ctx,
   *result = &psk;
   return 0;
 }
+#endif /* DTLS_PSK */
 
+#ifdef DTLS_ECC
 static int
 get_ecdsa_key(struct dtls_context_t *ctx,
 	      const session_t *session,
@@ -146,6 +149,7 @@ verify_ecdsa_key(struct dtls_context_t *ctx,
 		 size_t key_size) {
   return 0;
 }
+#endif /* DTLS_ECC */
 
 PROCESS(udp_server_process, "UDP server process");
 AUTOSTART_PROCESSES(&udp_server_process);
@@ -208,9 +212,13 @@ init_dtls() {
     .write = send_to_peer,
     .read  = read_from_peer,
     .event = NULL,
+#ifdef DTLS_PSK
     .get_psk_key = get_psk_key,
+#endif /* DTLS_PSK */
+#ifdef DTLS_ECC
     .get_ecdsa_key = get_ecdsa_key,
     .verify_ecdsa_key = verify_ecdsa_key
+#endif /* DTLS_ECC */
   };
 #if UIP_CONF_ROUTER
   uip_ipaddr_t ipaddr;