commit e02758c9c88d1200bc20f7d9514de3fc18ec8aa6
author Hanno Becker <hanno.becker@arm.com> Wed Jun 26 15:31:31 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Mon Jul 08 11:23:24 2019 +0100
tree d0a558e7145478bc6d1e2f80b2d06e425395108b
parent 6ace4657b6d4d9e7a74ffdb8a21fb0c1b9ed747b

Remove ciphersuite from SSL session if single suite hardcoded

If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type

  mbedtls_ssl_ciphersuite_handle_t

is logically a boolean (concretely realized as `unsigned char`),
containing the invalid handle and the unique valid handle, which
represents the single enabled ciphersuite.

The SSL session structure mbedtls_ssl_session contains an instance
of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid,
and which is hence redundant in any two-valued implementation of
mbedtls_ssl_ciphersuite_handle_t.

This commit replaces read-uses of

  mbedtls_ssl_session::ciphersuite_info

by a getter functions which, and defines this getter function
either by just reading the field from the session structure
(in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by
returning the single valid ciphersuite handle (in case
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the
field from mbedtls_ssl_session in this case.

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f9b9502..daa9d74 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -923,7 +923,9 @@
 #if defined(MBEDTLS_HAVE_TIME)
     mbedtls_time_t start;       /*!< starting time      */
 #endif
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     int ciphersuite;            /*!< chosen ciphersuite */
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
     int compression;            /*!< chosen compression */
     size_t id_len;              /*!< session id length  */
     unsigned char id[32];       /*!< session identifier */