From e5f3072aedf263ea36865c9e732e9bc5f0dc1dbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 22 Oct 2015 17:01:15 +0200 Subject: [PATCH] Fix #ifdef inconsistency fixes #310 Actually all key exchanges that use a certificate use signatures too, and there is no key exchange that uses signatures but no cert, so merge those two flags. --- ChangeLog | 4 +++- include/mbedtls/ssl.h | 6 +++--- include/mbedtls/ssl_ciphersuites.h | 9 +++------ include/mbedtls/ssl_internal.h | 2 +- library/ssl_cli.c | 4 ++-- library/ssl_tls.c | 12 ++++++------ 6 files changed, 18 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index ef9b0aa94..0ea0b5553 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,10 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS 2.1.2 released 2015-10-06 += mbed TLS 2.2.0 released 2015-10-xx Bugfix * Fix build error with configurations where ECDHE-PSK is the only key exchange. Found and fix provided by Chris Hammond. #270 + * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or + ECHD-ECDSA if the only key exchange. Multiple reports. #310 = mbed TLS 2.1.2 released 2015-10-06 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 13e5b0c8c..f53c8008c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -529,7 +529,7 @@ struct mbedtls_ssl_config mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) const int *sig_hashes; /*!< allowed signature hashes */ #endif @@ -1548,7 +1548,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /** * \brief Set the allowed hashes for signatures during the handshake. * (Default: all available hashes.) @@ -1569,7 +1569,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, */ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, const int *hashes ); -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index b322f4253..55fae0b26 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -246,6 +246,7 @@ typedef enum { MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, } mbedtls_key_exchange_type_t; +/* Key exchanges using a certificate */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ @@ -256,6 +257,7 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED #endif +/* Key exchanges using a PSK */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ @@ -263,18 +265,13 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED #endif +/* Key exchanges using a ECDHE */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) #define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED #endif -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED -#endif - typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t; #define MBEDTLS_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */ diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 78c748cfa..712053ed6 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -377,7 +377,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ); int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, mbedtls_md_type_t md ); #endif diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 32eae0f2a..7463a48ee 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1923,7 +1923,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, unsigned char **p, unsigned char *end, @@ -1979,7 +1979,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9142be856..1e3b36387 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5800,7 +5800,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* * Set allowed/preferred hashes for handshake signatures */ @@ -6981,7 +6981,7 @@ static int ssl_preset_suiteb_ciphersuites[] = { 0 }; -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) static int ssl_preset_suiteb_hashes[] = { MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA384, @@ -7097,7 +7097,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) conf->sig_hashes = ssl_preset_suiteb_hashes; #endif @@ -7130,7 +7130,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_default; #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) conf->sig_hashes = mbedtls_md_list(); #endif @@ -7294,7 +7294,7 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i } #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* * Check if a hash proposed by the peer is in our list. * Return 0 if we're willing to use it, -1 otherwise. @@ -7313,7 +7313,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, return( -1 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,