diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index bca249d31..0dbf60ec7 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -501,7 +501,9 @@ struct mbedtls_ssl_handshake_params const unsigned char *, size_t, unsigned char *, size_t); +#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE) mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; +#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */ size_t pmslen; /*!< premaster length */ @@ -556,6 +558,21 @@ static inline int mbedtls_ssl_hs_get_extended_ms( } #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ +#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE) +static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_handshake_get_ciphersuite( + mbedtls_ssl_handshake_params const *handshake ) +{ + return( handshake->ciphersuite_info ); +} +#else /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */ +static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_handshake_get_ciphersuite( + mbedtls_ssl_handshake_params const *handshake ) +{ + ((void) handshake); + return( MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE ); +} +#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */ + typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; /* diff --git a/library/ssl_cli.c b/library/ssl_cli.c index bf5ec11cf..498bb79d8 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1452,7 +1452,8 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, int ret; if( mbedtls_ssl_suite_get_key_exchange( - ssl->handshake->ciphersuite_info ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) + != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); return( 0 ); @@ -2595,7 +2596,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) { int ret; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); unsigned char *p = NULL, *end = NULL; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); @@ -2981,7 +2982,7 @@ exit: static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) { mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); @@ -3003,7 +3004,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) size_t n = 0; size_t cert_type_len = 0, dn_len = 0; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); @@ -3204,7 +3205,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) int ret; size_t i, n; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); @@ -3507,7 +3508,7 @@ ecdh_calc_secret: static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) { mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); int ret; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) ); @@ -3533,7 +3534,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); size_t n = 0, offset = 0; unsigned char hash[48]; unsigned char *hash_start = hash; @@ -3638,7 +3639,8 @@ sign: * Reason: Otherwise we should have running hashes for SHA512 and SHA224 * in order to satisfy 'weird' needs from the server side. */ - if( mbedtls_ssl_suite_get_mac( ssl->handshake->ciphersuite_info ) + if( mbedtls_ssl_suite_get_mac( + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) == MBEDTLS_MD_SHA384 ) { md_alg = MBEDTLS_MD_SHA384; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 43664feb8..1963672ea 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1291,7 +1291,9 @@ have_ciphersuite_v2: ssl->session_negotiate->ciphersuite = mbedtls_ssl_suite_get_id( ciphersuite_info ); +#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE) ssl->handshake->ciphersuite_info = ciphersuite_info; +#endif MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", mbedtls_ssl_get_ciphersuite_name( @@ -2212,7 +2214,9 @@ have_ciphersuite: ssl->session_negotiate->ciphersuite = mbedtls_ssl_suite_get_id( ciphersuite_info ); +#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE) ssl->handshake->ciphersuite_info = ciphersuite_info; +#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", mbedtls_ssl_get_ciphersuite_name( @@ -2542,9 +2546,12 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, *olen = 0; /* Skip costly computation if not needed */ - if( mbedtls_ssl_suite_get_key_exchange( ssl->handshake->ciphersuite_info ) != + if( mbedtls_ssl_suite_get_key_exchange( + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { return; + } MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) ); @@ -2936,7 +2943,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); @@ -2955,7 +2962,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); size_t dn_size, total_dn_size; /* excluding length bytes */ size_t ct_len, sa_len; /* including length bytes */ unsigned char *buf, *p; @@ -3186,7 +3193,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, size_t *signature_len ) { mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) @@ -3549,7 +3556,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) size_t signature_len = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); @@ -3992,11 +3999,10 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) { int ret; - mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); unsigned char *p, *end; - ciphersuite_info = ssl->handshake->ciphersuite_info; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) ); #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ @@ -4287,7 +4293,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) { mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); @@ -4314,7 +4320,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) #endif mbedtls_md_type_t md_alg; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); mbedtls_pk_context *peer_pk = NULL; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c245145b7..6792273d5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1340,8 +1340,8 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { int ret; - mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info = + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); @@ -6072,7 +6072,8 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) /* No certificate support -> dummy functions */ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) { - mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); @@ -6089,7 +6090,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { - mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); @@ -6112,7 +6114,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; size_t i, n; const mbedtls_x509_crt *crt; - mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); @@ -6477,7 +6480,7 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, int authmode ) { mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) return( SSL_CERTIFICATE_SKIP ); @@ -6512,6 +6515,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, { int verify_ret; mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = + mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ); mbedtls_x509_crt *ca_chain; mbedtls_x509_crl *ca_crl;