TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e02758c9c88d1200bc20f7d9514de3fc18ec8aa6^! / . / library / ssl_srv.c
commite02758c9c88d1200bc20f7d9514de3fc18ec8aa6[log] [tgz]
authorHanno Becker <hanno.becker@arm.com>Wed Jun 26 15:31:31 2019 +0100
committerHanno Becker <hanno.becker@arm.com>Mon Jul 08 11:23:24 2019 +0100
treed0a558e7145478bc6d1e2f80b2d06e425395108b
parent6ace4657b6d4d9e7a74ffdb8a21fb0c1b9ed747b [diff] [blame]
Remove ciphersuite from SSL session if single suite hardcoded

If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type

  mbedtls_ssl_ciphersuite_handle_t

is logically a boolean (concretely realized as `unsigned char`),
containing the invalid handle and the unique valid handle, which
represents the single enabled ciphersuite.

The SSL session structure mbedtls_ssl_session contains an instance
of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid,
and which is hence redundant in any two-valued implementation of
mbedtls_ssl_ciphersuite_handle_t.

This commit replaces read-uses of

  mbedtls_ssl_session::ciphersuite_info

by a getter functions which, and defines this getter function
either by just reading the field from the session structure
(in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by
returning the single valid ciphersuite handle (in case
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the
field from mbedtls_ssl_session in this case.

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1963672..a97bc3a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -1037,7 +1037,9 @@
     size_t n;
     unsigned int ciph_len, sess_len, chal_len;
     unsigned char *buf, *p;
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
+#endif
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
 
@@ -1256,7 +1258,9 @@
 
             if( ssl_ciphersuite_is_match( ssl, cur_info, NULL ) )
             {
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
                 ciphersuite_info = cur_info;
+#endif
                 goto have_ciphersuite_v2;
             }
 
@@ -1289,9 +1293,9 @@
 
 have_ciphersuite_v2:
 
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->session_negotiate->ciphersuite =
         mbedtls_ssl_suite_get_id( ciphersuite_info );
-#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->handshake->ciphersuite_info = ciphersuite_info;
 #endif
 
@@ -1341,7 +1345,10 @@
     int extended_ms_seen = 0;
 #endif
     int handshake_failure = 0;
+
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
+#endif
     int major, minor;
 
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
@@ -2175,7 +2182,9 @@
             if( ssl_ciphersuite_is_match( ssl, cur_info,
                                           acceptable_ec_grp_ids) )
             {
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
                 ciphersuite_info = cur_info;
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
                 goto have_ciphersuite;
             }
 
@@ -2212,9 +2221,9 @@
 
 have_ciphersuite:
 
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->session_negotiate->ciphersuite =
         mbedtls_ssl_suite_get_id( ciphersuite_info );
-#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->handshake->ciphersuite_info = ciphersuite_info;
 #endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 
@@ -2354,7 +2363,7 @@
      * encrypt-then-MAC response extension back to the client."
      */
     suite = mbedtls_ssl_ciphersuite_from_id(
-        ssl->session_negotiate->ciphersuite );
+        mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) );
     if( suite == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
     {
         *olen = 0;
@@ -2695,6 +2704,7 @@
     mbedtls_time_t t;
 #endif
     int ret;
+    int ciphersuite;
     size_t olen, ext_len = 0, n;
     unsigned char *buf, *p;
 
@@ -2844,12 +2854,13 @@
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
             mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
 
-    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
-    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
+    ciphersuite = mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate );
+    *p++ = (unsigned char)( ciphersuite >> 8 );
+    *p++ = (unsigned char)( ciphersuite      );
     *p++ = (unsigned char)( ssl->session_negotiate->compression      );
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
-           mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
+           mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
                    ssl->session_negotiate->compression ) );
 
@@ -2898,7 +2909,8 @@
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
     defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     if ( mbedtls_ssl_ciphersuite_uses_ec(
-         mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
+           mbedtls_ssl_ciphersuite_from_id(
+             mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) )
     {
         ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
         ext_len += olen;