Remove ciphersuite from SSL config if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, it overwrites
the runtime configuration of supported ciphersuites, which
includes both the configuration API and the fields which are
used to store the configuration. Both are therefore no longer
needed and should be removed for the benefit of code-size,
memory usage, and API clarity (no accidental hiccup of runtime
vs. compile-time configuration possible).
The configuration API mbedtls_ssl_conf_ciphersuites() has
already been removed in case MBEDTLS_SSL_SINGLE_CIPHERSUITE,
and this commit removes the field
mbedtls_ssl_config::ciphersuite_list
which it updates.
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 4312629..88c92b3 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2662,14 +2662,17 @@
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
#if defined(MBEDTLS_ARC4_C)
if( opt.arc4 != DFL_ARC4 )
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
#endif
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
if( opt.version_suites != NULL )
{
mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0],
@@ -2685,6 +2688,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3 );
}
+#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
if( opt.allow_legacy != DFL_ALLOW_LEGACY )