diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 416f5a51b1..18e4dfb167 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -116,7 +116,7 @@ int main( void ) #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST_END "\r\n\r\n" -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_CONTEXT_CRT_CB \ " context_crt_cb=%%d This determines whether the CRT verification callback is bound\n" \ " to the SSL configuration of the SSL context.\n" \ @@ -125,8 +125,8 @@ int main( void ) " - 1: Use CRT callback bound to SSL context\n" #else #define USAGE_CONTEXT_CRT_CB "" -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_FS_IO) #define USAGE_IO \ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \ @@ -144,10 +144,10 @@ int main( void ) #define USAGE_IO \ " No file operations available (MBEDTLS_FS_IO not defined)\n" #endif /* MBEDTLS_FS_IO */ -#else /* MBEDTLS_X509_CRT_PARSE_C */ +#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #define USAGE_IO "" -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -689,9 +689,6 @@ int main( int argc, char *argv[] ) psa_status_t status; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#endif rng_context_t rng; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; @@ -701,17 +698,16 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_TIMING_C) mbedtls_timing_delay_context timer; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint32_t flags; -#endif mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; mbedtls_pk_context pkey; + mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_id_t key_slot = 0; /* invalid key slot */ #endif -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ char *p, *q; const int *list; #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) @@ -754,7 +750,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_config_init( &conf ); memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) ); rng_init( &rng ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crt_init( &clicert ); mbedtls_pk_init( &pkey ); @@ -948,7 +944,7 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); #endif @@ -1544,7 +1540,7 @@ int main( int argc, char *argv[] ) goto exit; mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 1.1. Load the trusted CA */ @@ -1673,7 +1669,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf( " ok (key type: %s)\n", mbedtls_pk_get_name( &pkey ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * 2. Start the connection @@ -1725,7 +1721,7 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* The default algorithms profile disables SHA-1, but our tests still rely on it heavily. */ if( opt.allow_sha1 > 0 ) @@ -1739,7 +1735,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) @@ -1910,7 +1906,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { @@ -1931,7 +1927,7 @@ int main( int argc, char *argv[] ) goto exit; } } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) if( opt.curves != NULL && @@ -2001,7 +1997,7 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", @@ -2024,11 +2020,10 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.context_crt_cb == 1 ) mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ io_ctx.ssl = &ssl; io_ctx.net = &server_fd; @@ -2328,8 +2323,7 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 5. Verify the server certificate */ @@ -2351,7 +2345,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_printf( "%s\n", peer_crt_info ); -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ret = report_cid_usage( &ssl, "initial handshake" ); @@ -2679,10 +2673,9 @@ send_request: mbedtls_printf( " . Restarting connection from same port..." ); fflush( stdout ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -2916,10 +2909,9 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -3013,14 +3005,14 @@ exit: mbedtls_free( context_buf ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_free( &clicert ); mbedtls_x509_crt_free( &cacert ); mbedtls_pk_free( &pkey ); #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key( key_slot ); #endif -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 4fbf036ff2..9a3d1066b6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -168,7 +168,7 @@ int main( void ) */ #define DFL_IO_BUF_LEN 200 -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_FS_IO) #define USAGE_IO \ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \ @@ -199,8 +199,8 @@ int main( void ) #endif /* MBEDTLS_FS_IO */ #else #define USAGE_IO "" -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -1300,11 +1300,6 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_COOKIE_C) mbedtls_ssl_cookie_ctx cookie_ctx; #endif - -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#endif rng_context_t rng; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; @@ -1314,13 +1309,14 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_RENEGOTIATION) unsigned char renego_period[8] = { 0 }; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint32_t flags; mbedtls_x509_crt cacert; mbedtls_x509_crt srvcert; mbedtls_pk_context pkey; mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; + mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_id_t key_slot = 0; /* invalid key slot */ psa_key_id_t key_slot2 = 0; /* invalid key slot */ @@ -1329,7 +1325,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) ssl_async_key_context_t ssl_async_keys; #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) mbedtls_dhm_context dhm; #endif @@ -1408,7 +1404,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); rng_init( &rng ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crt_init( &srvcert ); mbedtls_pk_init( &pkey ); @@ -1627,7 +1623,7 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); #endif @@ -2347,7 +2343,7 @@ int main( int argc, char *argv[] ) goto exit; mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 1.1. Load the trusted CA */ @@ -2543,7 +2539,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_CERTS_C */ mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) @@ -2612,7 +2608,7 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* The default algorithms profile disables SHA-1, but our tests still rely on it heavily. Hence we allow it here. A real-world server should use the default profile unless there is a good reason not to. */ @@ -2622,7 +2618,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test ); mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); @@ -2876,7 +2872,7 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { @@ -2965,7 +2961,7 @@ int main( int argc, char *argv[] ) &ssl_async_keys ); } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(SNI_OPTION) if( opt.sni != NULL ) @@ -3215,8 +3211,6 @@ reset: } #endif - mbedtls_printf( " ok\n" ); - /* * 4. Handshake */ @@ -3261,7 +3255,7 @@ handshake: { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; @@ -3307,7 +3301,7 @@ handshake: } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 5. Verify the client certificate */ @@ -3335,7 +3329,7 @@ handshake: mbedtls_ssl_get_peer_cert( &ssl ) ); mbedtls_printf( "%s\n", crt_buf ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) if( opt.eap_tls != 0 ) @@ -4031,7 +4025,7 @@ exit: mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_free( &cacert ); mbedtls_x509_crt_free( &srvcert ); mbedtls_pk_free( &pkey );