TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a82290b7271a3cd489e62a0f98d24622dbbf4bbe^! / .
commita82290b7271a3cd489e62a0f98d24622dbbf4bbe[log] [tgz]
authorPrzemek Stekiel <przemyslaw.stekiel@mobica.com>Tue Sep 27 13:41:12 2022 +0200
committerPrzemek Stekiel <przemyslaw.stekiel@mobica.com>Tue Sep 27 15:04:14 2022 +0200
tree6c59244ec1ef32b1e791b595c5516dbf0d02a417
parent89ad62352dae7fede94bcfec3717e9c17c40be6b [diff]
Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions

Both functions are calling mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions. These functions are guarded with MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C flags - make it consistent.
As a result ssl_server2 won't build now with MBEDTLS_SSL_SESSION_TICKETS enabled (mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions not available).
Mark MBEDTLS_SSL_SESSION_TICKETS as dependent on MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C and disable MBEDTLS_SSL_SESSION_TICKETS in stream cipher only build.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 1038706..1874e51 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h

@@ -962,6 +962,9 @@
 #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && !( defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) )
+#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites"
+#endif
 
 
 /* Reject attempts to enable options that have been removed and that could

diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 359686a..5398c39 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c

@@ -114,6 +114,7 @@
 /*
  * Rotate/generate keys if necessary
  */
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
 {
@@ -150,6 +151,7 @@
 #endif /* MBEDTLS_HAVE_TIME */
         return( 0 );
 }
+#endif
 
 /*
  * Rotate active session ticket encryption key
@@ -293,7 +295,7 @@
  * The key_name, iv, and length of encrypted_state are the additional
  * authenticated data.
  */
-
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
 int mbedtls_ssl_ticket_write( void *p_ticket,
                               const mbedtls_ssl_session *session,
                               unsigned char *start,
@@ -390,7 +392,9 @@
 
     return( ret );
 }
+#endif
 
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
 /*
  * Select key based on name
  */
@@ -517,6 +521,7 @@
 
     return( ret );
 }
+#endif
 
 /*
  * Free context

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 862b882..6429054 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh

@@ -1296,6 +1296,7 @@
     scripts/config.py unset MBEDTLS_CTR_DRBG_C
     scripts/config.py unset MBEDTLS_CMAC_C
     scripts/config.py unset MBEDTLS_NIST_KW_C
+    scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS
 
     # Enable stream(null) cipher only
     scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER