Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED
Introduce and use
MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED to
guard TLS code (both TLS 1.2 and 1.3) specific
to handshakes involving certificates.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index f94f1b8..c8594ff 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -175,7 +175,7 @@
*/
#define DFL_IO_BUF_LEN 200
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_FS_IO)
#define USAGE_IO \
" ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
@@ -206,8 +206,8 @@
#endif /* MBEDTLS_FS_IO */
#else
#define USAGE_IO ""
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#define USAGE_KEY_OPAQUE \
" key_opaque=%%d Handle your private keys as if they were opaque\n" \
" default: 0 (disabled)\n"
@@ -435,7 +435,7 @@
#define USAGE_CURVES ""
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#define USAGE_SIG_ALGS \
" sig_algs=a,b,c,d default: \"default\" (library default)\n" \
" example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
@@ -1113,7 +1113,7 @@
unsigned remaining_delay;
} ssl_async_operation_context_t;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/* Note that ssl_async_operation_type_t and the array below need to be kept in sync!
* `ssl_async_operation_names[op]` is the name of op for each value `op`
@@ -1276,7 +1276,7 @@
mbedtls_printf( "Async cancel callback.\n" );
mbedtls_free( ctx );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1455,7 +1455,7 @@
#if defined(MBEDTLS_SSL_RENEGOTIATION)
unsigned char renego_period[8] = { 0 };
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
uint32_t flags;
mbedtls_x509_crt cacert;
mbedtls_x509_crt srvcert;
@@ -1468,7 +1468,7 @@
mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
#endif
int key_cert_init = 0, key_cert_init2 = 0;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
ssl_async_key_context_t ssl_async_keys;
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
@@ -1505,7 +1505,7 @@
size_t context_buf_len = 0;
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
#endif
@@ -1552,7 +1552,7 @@
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
rng_init( &rng );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_x509_crt_init( &cacert );
mbedtls_x509_crt_init( &srvcert );
mbedtls_pk_init( &pkey );
@@ -1781,7 +1781,7 @@
opt.key_file = q;
else if( strcmp( p, "key_pwd" ) == 0 )
opt.key_pwd = q;
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
else if( strcmp( p, "key_opaque" ) == 0 )
opt.key_opaque = atoi( q );
#endif
@@ -1865,7 +1865,7 @@
}
else if( strcmp( p, "curves" ) == 0 )
opt.curves = q;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
else if( strcmp( p, "sig_algs" ) == 0 )
opt.sig_algs = q;
#endif
@@ -2451,7 +2451,7 @@
}
#endif /* MBEDTLS_ECP_C */
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if( opt.sig_algs != NULL )
{
p = (char *) opt.sig_algs;
@@ -2583,7 +2583,7 @@
goto exit;
mbedtls_printf( " ok\n" );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/*
* 1.1. Load the trusted CA
*/
@@ -2791,7 +2791,7 @@
mbedtls_printf( " ok (key types: %s, %s)\n",
key_cert_init ? mbedtls_pk_get_name( &pkey ) : "none",
key_cert_init2 ? mbedtls_pk_get_name( &pkey2 ) : "none" );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
if( opt.dhm_file != NULL )
@@ -2841,7 +2841,7 @@
goto exit;
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/* The default algorithms profile disables SHA-1, but our tests still
rely on it heavily. Hence we allow it here. A real-world server
should use the default profile unless there is a good reason not to. */
@@ -2851,7 +2851,7 @@
mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test );
mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
if( opt.auth_mode != DFL_AUTH_MODE )
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
@@ -3102,7 +3102,7 @@
}
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
@@ -3191,7 +3191,7 @@
&ssl_async_keys );
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(SNI_OPTION)
if( opt.sni != NULL )
@@ -3228,7 +3228,7 @@
}
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if( opt.sig_algs != NULL )
mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list );
#endif
@@ -3542,7 +3542,7 @@
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
{
char vrfy_buf[512];
@@ -3597,7 +3597,7 @@
}
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
/*
* 5. Verify the client certificate
*/
@@ -3626,7 +3626,7 @@
mbedtls_printf( "%s\n", crt_buf );
}
#endif /* MBEDTLS_X509_REMOVE_INFO */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
if( opt.eap_tls != 0 )
{
@@ -4320,7 +4320,7 @@
mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret );
#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_x509_crt_free( &cacert );
mbedtls_x509_crt_free( &srvcert );
mbedtls_pk_free( &pkey );