commit df6459673354a0e57e7c0588c8a8b4aa59a10cdf
author Hanno Becker <hanno.becker@arm.com> Wed Jun 26 13:02:22 2019 +0100
committer Hanno Becker <hanno.becker@arm.com> Mon Jul 08 11:23:24 2019 +0100
tree 7eb52a5bb2e2a7ab709b715366e63aad0016b045
parent 2d46b4f2a1270c5d252816683e7e2c5f3e849514

Remove ciphersuite from handshake params if single suite hardcoded

If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type

  mbedtls_ssl_ciphersuite_handle_t

is logically a boolean (concretely realized as `unsigned char`),
containing the invalid handle and the unique valid handle, which
represents the single enabled ciphersuite.

The SSL handshake structure mbedtls_ssl_handshake_params contains
an instance of mbedtls_ssl_ciphersuite_handle_t which is guaranteed
to be valid, and which is hence redundant in any two-valued
implementation of mbedtls_ssl_ciphersuite_handle_t.

This commit replaces read-uses of

  mbedtls_ssl_handshake_params::ciphersuite_info

by a getter functions which, and defines this getter function
either by just reading the field from the handshake structure
(in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by
returning the single valid ciphersuite handle (in case
MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the
field from mbedtls_ssl_handshake_params in this case.

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 43664fe..1963672 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1291,7 +1291,9 @@
 
     ssl->session_negotiate->ciphersuite =
         mbedtls_ssl_suite_get_id( ciphersuite_info );
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->handshake->ciphersuite_info = ciphersuite_info;
+#endif
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
         mbedtls_ssl_get_ciphersuite_name(
@@ -2212,7 +2214,9 @@
 
     ssl->session_negotiate->ciphersuite =
         mbedtls_ssl_suite_get_id( ciphersuite_info );
+#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
     ssl->handshake->ciphersuite_info = ciphersuite_info;
+#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
         mbedtls_ssl_get_ciphersuite_name(
@@ -2542,9 +2546,12 @@
     *olen = 0;
 
     /* Skip costly computation if not needed */
-    if( mbedtls_ssl_suite_get_key_exchange( ssl->handshake->ciphersuite_info ) !=
+    if( mbedtls_ssl_suite_get_key_exchange(
+            mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) !=
         MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
         return;
+    }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
 
@@ -2936,7 +2943,7 @@
 static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
 
@@ -2955,7 +2962,7 @@
 {
     int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     size_t dn_size, total_dn_size; /* excluding length bytes */
     size_t ct_len, sa_len; /* including length bytes */
     unsigned char *buf, *p;
@@ -3186,7 +3193,7 @@
                                             size_t *signature_len )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
@@ -3549,7 +3556,7 @@
     size_t signature_len = 0;
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-                            ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
@@ -3992,11 +3999,10 @@
 static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 {
     int ret;
-    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
+    mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     unsigned char *p, *end;
 
-    ciphersuite_info = ssl->handshake->ciphersuite_info;
-
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
 
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
@@ -4287,7 +4293,7 @@
 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
 {
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
 
@@ -4314,7 +4320,7 @@
 #endif
     mbedtls_md_type_t md_alg;
     mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
-        ssl->handshake->ciphersuite_info;
+        mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
     mbedtls_pk_context *peer_pk = NULL;
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );