From eef142d7538e3b8211cafbdc1c1ab4aeac44dd21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 16 Sep 2015 10:05:04 +0200 Subject: [PATCH] Depend on ECJPAKE key exchange, not module This is more consistent, as it doesn't make any sense for a user to be able to set up an EC J-PAKE password with TLS if the corresponding key exchange is disabled. Arguably this is what we should de for other key exchanges as well instead of depending on ECDH_C etc, but this is an independent issue, so let's just do the right thing with the new key exchange and fix the other ones later. (This is a marginal issue anyway, since people who disable all ECDH key exchange are likely to also disable ECDH_C in order to minimize footprint.) --- include/mbedtls/ssl.h | 4 ++-- include/mbedtls/ssl_internal.h | 6 +++--- library/ssl_cli.c | 12 ++++++------ library/ssl_srv.c | 6 +++--- library/ssl_tls.c | 8 ++++---- 5 files changed, 18 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 04c309830..3d73da975 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1676,7 +1676,7 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, void *p_sni ); #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /** * \brief Set the EC J-PAKE password for current handshake. * @@ -1697,7 +1697,7 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ); -#endif /*MBEDTLS_ECJPAKE_C */ +#endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_ALPN) /** diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index dc2ddc192..d9e3e5c8f 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -41,7 +41,7 @@ #include "sha512.h" #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #include "ecjpake.h" #endif @@ -172,11 +172,11 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */ #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index e8cb0f143..2d32071e7 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -209,7 +209,7 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -278,9 +278,9 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -320,7 +320,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, *olen = kkpp_len + 4; } -#endif /* MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, @@ -821,7 +821,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; @@ -829,7 +829,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif diff --git a/library/ssl_srv.c b/library/ssl_srv.c index afac3e108..67dad5fff 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1977,7 +1977,7 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -2005,7 +2005,7 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl, *olen = 6; } -#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_ALPN ) static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, @@ -2292,7 +2292,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ - defined(MBEDTLS_ECJPAKE_C) + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2f5ca9fa8..84211bbc0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4932,7 +4932,7 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); #endif @@ -5451,7 +5451,7 @@ void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * Set EC J-PAKE password for current handshake */ @@ -5475,7 +5475,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); } -#endif /* MBEDTLS_ECJPAKE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, @@ -6619,7 +6619,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params *handshake ) #if defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif -#if defined(MBEDTLS_ECJPAKE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); #endif