Remove ciphersuite from handshake params if single suite hardcoded If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type mbedtls_ssl_ciphersuite_handle_t is logically a boolean (concretely realized as `unsigned char`), containing the invalid handle and the unique valid handle, which represents the single enabled ciphersuite. The SSL handshake structure mbedtls_ssl_handshake_params contains an instance of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid, and which is hence redundant in any two-valued implementation of mbedtls_ssl_ciphersuite_handle_t. This commit replaces read-uses of mbedtls_ssl_handshake_params::ciphersuite_info by a getter functions which, and defines this getter function either by just reading the field from the handshake structure (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by returning the single valid ciphersuite handle (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the field from mbedtls_ssl_handshake_params in this case.

commit: df6459673354a0e57e7c0588c8a8b4aa59a10cdf [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Wed Jun 26 13:02:22 2019 +0100
committer: Hanno Becker <hanno.becker@arm.com> Mon Jul 08 11:23:24 2019 +0100
tree: 7eb52a5bb2e2a7ab709b715366e63aad0016b045
parent: 2d46b4f2a1270c5d252816683e7e2c5f3e849514 [diff]
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index bf5ec11..498bb79 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -1452,7 +1452,8 @@
     int ret;
 
     if( mbedtls_ssl_suite_get_key_exchange(
-            ssl->handshake->ciphersuite_info ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+            mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
+        != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
         return( 0 );
@@ -2595,7 +2596,7 @@
 {
     int ret;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     unsigned char *p = NULL, *end = NULL;
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
@@ -2981,7 +2982,7 @@
 static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
 
@@ -3003,7 +3004,7 @@
     size_t n = 0;
     size_t cert_type_len = 0, dn_len = 0;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
 
@@ -3204,7 +3205,7 @@
     int ret;
     size_t i, n;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
 
@@ -3507,7 +3508,7 @@
 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     int ret;
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
@@ -3533,7 +3534,7 @@
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     size_t n = 0, offset = 0;
     unsigned char hash[48];
     unsigned char *hash_start = hash;
@@ -3638,7 +3639,8 @@
          * Reason: Otherwise we should have running hashes for SHA512 and SHA224
          *         in order to satisfy 'weird' needs from the server side.
          */
-        if( mbedtls_ssl_suite_get_mac( ssl->handshake->ciphersuite_info )
+        if( mbedtls_ssl_suite_get_mac(
+                mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
             == MBEDTLS_MD_SHA384 )
         {
             md_alg = MBEDTLS_MD_SHA384;

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 43664fe..1963672 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -1291,7 +1291,9 @@
 
     ssl->session_negotiate->ciphersuite =
         mbedtls_ssl_suite_get_id( ciphersuite_info );
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->handshake->ciphersuite_info = ciphersuite_info;
+#endif
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
         mbedtls_ssl_get_ciphersuite_name(
@@ -2212,7 +2214,9 @@
 
     ssl->session_negotiate->ciphersuite =
         mbedtls_ssl_suite_get_id( ciphersuite_info );
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->handshake->ciphersuite_info = ciphersuite_info;
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
         mbedtls_ssl_get_ciphersuite_name(
@@ -2542,9 +2546,12 @@
     *olen = 0;
 
     /* Skip costly computation if not needed */
-    if( mbedtls_ssl_suite_get_key_exchange( ssl->handshake->ciphersuite_info ) !=
+    if( mbedtls_ssl_suite_get_key_exchange(
+            mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) !=
         MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
         return;
+    }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
 
@@ -2936,7 +2943,7 @@
 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
 
@@ -2955,7 +2962,7 @@
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     size_t dn_size, total_dn_size; /* excluding length bytes */
     size_t ct_len, sa_len; /* including length bytes */
     unsigned char *buf, *p;
@@ -3186,7 +3193,7 @@
                                             size_t *signature_len )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
@@ -3549,7 +3556,7 @@
     size_t signature_len = 0;
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-                            ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
@@ -3992,11 +3999,10 @@
 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 {
     int ret;
-    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
+    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     unsigned char *p, *end;
 
-    ciphersuite_info = ssl->handshake->ciphersuite_info;
-
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
 
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
@@ -4287,7 +4293,7 @@
 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
 
@@ -4314,7 +4320,7 @@
 #endif
     mbedtls_md_type_t md_alg;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     mbedtls_pk_context *peer_pk = NULL;
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c245145..6792273 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -1340,8 +1340,8 @@
 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 {
     int ret;
-    mbedtls_ssl_ciphersuite_handle_t  const ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+    mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
 
@@ -6072,7 +6072,8 @@
 /* No certificate support -> dummy functions */
 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 {
-    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
+    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
 
@@ -6089,7 +6090,8 @@
 
 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 {
-    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
+    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
 
@@ -6112,7 +6114,8 @@
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
     size_t i, n;
     const mbedtls_x509_crt *crt;
-    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
+    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
 
@@ -6477,7 +6480,7 @@
                                              int authmode )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
         return( SSL_CERTIFICATE_SKIP );
@@ -6512,6 +6515,7 @@
 {
     int verify_ret;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     mbedtls_x509_crt *ca_chain;
     mbedtls_x509_crl *ca_crl;
commit	df6459673354a0e57e7c0588c8a8b4aa59a10cdf	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Wed Jun 26 13:02:22 2019 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Mon Jul 08 11:23:24 2019 +0100
tree	7eb52a5bb2e2a7ab709b715366e63aad0016b045
parent	2d46b4f2a1270c5d252816683e7e2c5f3e849514 [diff]