Replace x509_CRT_PARSE_C with KEY_EXCHANGE_WITH_CERT_ENABLED

SSL programs use certificates in an exchange, so it's more natural to have such dependency instead of just certificate parsing. Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2025-07-29 11:41:15 +03:00 · 2022-10-12 10:17:25 -04:00
parent 2d637c4cbb
commit 6ee1e20d7f
2 changed files with 43 additions and 62 deletions
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -175,7 +175,7 @@ int main( void )
 */
 #define DFL_IO_BUF_LEN      200

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #if defined(MBEDTLS_FS_IO)
 #define USAGE_IO \
    "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
@ -206,8 +206,8 @@ int main( void )
 #endif /* MBEDTLS_FS_IO */
 #else
 #define USAGE_IO ""
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 #define USAGE_KEY_OPAQUE \
    "    key_opaque=%%d       Handle your private keys as if they were opaque\n" \
    "                        default: 0 (disabled)\n"
@ -1444,10 +1444,6 @@ int main( int argc, char *argv[] )
    mbedtls_ssl_cookie_ctx cookie_ctx;
 #endif

-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
-    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
-#endif
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
 #if defined(MBEDTLS_TIMING_C)
@ -1456,13 +1452,14 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
    unsigned char renego_period[8] = { 0 };
 #endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    uint32_t flags;
    mbedtls_x509_crt cacert;
    mbedtls_x509_crt srvcert;
    mbedtls_pk_context pkey;
    mbedtls_x509_crt srvcert2;
    mbedtls_pk_context pkey2;
+    mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
    mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
    mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
@ -1471,7 +1468,7 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
    ssl_async_key_context_t ssl_async_keys;
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
    mbedtls_dhm_context dhm;
 #endif
@ -1553,7 +1550,7 @@ int main( int argc, char *argv[] )
    mbedtls_ssl_init( &ssl );
    mbedtls_ssl_config_init( &conf );
    rng_init( &rng );
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    mbedtls_x509_crt_init( &cacert );
    mbedtls_x509_crt_init( &srvcert );
    mbedtls_pk_init( &pkey );
@ -1782,7 +1779,7 @@ int main( int argc, char *argv[] )
            opt.key_file = q;
        else if( strcmp( p, "key_pwd" ) == 0 )
            opt.key_pwd = q;
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
        else if( strcmp( p, "key_opaque" ) == 0 )
            opt.key_opaque = atoi( q );
 #endif
@ -2586,7 +2583,7 @@ int main( int argc, char *argv[] )
        goto exit;
    mbedtls_printf( " ok\n" );

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /*
     * 1.1. Load the trusted CA
     */
@ -2794,7 +2791,7 @@ int main( int argc, char *argv[] )
    mbedtls_printf( " ok (key types: %s, %s)\n",
                    key_cert_init ? mbedtls_pk_get_name( &pkey ) : "none",
                    key_cert_init2 ? mbedtls_pk_get_name( &pkey2 ) : "none" );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
    if( opt.dhm_file != NULL )
@ -2844,7 +2841,6 @@ int main( int argc, char *argv[] )
        goto exit;
    }

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /* The default algorithms profile disables SHA-1, but our tests still
       rely on it heavily. Hence we allow it here. A real-world server
@ -2856,7 +2852,6 @@ int main( int argc, char *argv[] )
        mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test );
    }
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */

    if( opt.auth_mode != DFL_AUTH_MODE )
        mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
@ -2864,15 +2859,13 @@ int main( int argc, char *argv[] )
    if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
        mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /* exercise setting DN hints for server certificate request
     * (Intended for use where the client cert expected has been signed by
     *  a specific CA which is an intermediate in a CA chain, not the root) */
    if( opt.cert_req_dn_hint == 2 && key_cert_init2 )
        mbedtls_ssl_conf_dn_hints( &conf, &srvcert2 );
 #endif
-#endif

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
@ -3109,7 +3102,7 @@ int main( int argc, char *argv[] )
    }
 #endif

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    if( strcmp( opt.ca_path, "none" ) != 0 &&
        strcmp( opt.ca_file, "none" ) != 0 )
    {
@ -3198,7 +3191,7 @@ int main( int argc, char *argv[] )
                                           &ssl_async_keys );
    }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

 #if defined(SNI_OPTION)
    if( opt.sni != NULL )
@ -3492,9 +3485,8 @@ reset:
    }
 #endif

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /* exercise setting DN hints for server certificate request
     * (Intended for use where the client cert expected has been signed by
     *  a specific CA which is an intermediate in a CA chain, not the root)
@ -3503,7 +3495,6 @@ reset:
    if( opt.cert_req_dn_hint == 3 && key_cert_init2 )
        mbedtls_ssl_set_hs_dn_hints( &ssl, &srvcert2 );
 #endif
-#endif
 #endif

    mbedtls_printf( " ok\n" );
@ -3552,7 +3543,7 @@ handshake:
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
        if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
        {
            char vrfy_buf[512];
@ -3607,7 +3598,7 @@ handshake:
    }
 #endif

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    /*
     * 5. Verify the client certificate
     */
@ -3636,7 +3627,7 @@ handshake:
        mbedtls_printf( "%s\n", crt_buf );
    }
 #endif /* MBEDTLS_X509_REMOVE_INFO */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

    if( opt.eap_tls != 0 )
    {
@ -4330,7 +4321,7 @@ exit:
        mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret );
 #endif

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    mbedtls_x509_crt_free( &cacert );
    mbedtls_x509_crt_free( &srvcert );
    mbedtls_pk_free( &pkey );