From f122944b7dbfd6ea617cf99f9c3c98b23723bd68 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 3 Jan 2018 15:32:31 +0000 Subject: [PATCH] Remove code from `ssl_derive_keys` if relevant modes are not enabled This commit guards code specific to AEAD, CBC and stream cipher modes in `ssl_derive_keys` by the respective configuration flags, analogous to the guards that are already in place in the record decryption and encryption functions `ssl_decrypt_buf` resp. `ssl_decrypt_buf`. --- library/ssl_tls.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 585acc869..29e947fc9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -813,6 +813,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) keylen = cipher_info->key_bitlen / 8; +#if defined(MBEDTLS_GCM_C) || \ + defined(MBEDTLS_CCM_C) || \ + defined(MBEDTLS_CHACHAPOLY_C) if( cipher_info->mode == MBEDTLS_MODE_GCM || cipher_info->mode == MBEDTLS_MODE_CCM || cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) @@ -839,6 +842,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) transform->minlen = explicit_ivlen + transform->taglen; } else +#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ +#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) + if( cipher_info->mode == MBEDTLS_MODE_STREAM || + cipher_info->mode == MBEDTLS_MODE_CBC ) { /* Initialize HMAC contexts */ if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || @@ -919,6 +926,12 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } } } + else +#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u", (unsigned) keylen,