Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED

Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED to guard TLS code (both TLS 1.2 and 1.3) specific to handshakes involving certificates. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-07-30 22:43:08 +03:00 · 2022-10-05 12:46:29 +02:00
parent 41a443a68d
commit e68ab4f55e
8 changed files with 133 additions and 128 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -843,7 +843,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_ECP_C */

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
    /* Heap allocate and translate sig_hashes from internal hash identifiers to
@ -909,7 +909,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
        ssl->handshake->sig_algs_heap_allocated = 0;
    }
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
    return( 0 );
 }

@ -2395,7 +2395,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 }
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
 /*
 * Set allowed/preferred hashes for handshake signatures
@ -2416,7 +2416,7 @@ void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
    conf->sig_algs = sig_algs;
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_ECP_C)
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
@ -3587,7 +3587,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_ECP_C */

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
    if ( ssl->handshake->sig_algs_heap_allocated )
        mbedtls_free( (void*) handshake->sig_algs );
@ -3599,7 +3599,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
        mbedtls_free( (void*) handshake->certificate_request_context );
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
    if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
@ -4465,7 +4465,7 @@ static int ssl_preset_suiteb_ciphersuites[] = {
    0
 };

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)

 /* NOTICE:
 *   For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
@ -4610,7 +4610,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
 };
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */

-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 static uint16_t ssl_preset_suiteb_groups[] = {
 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
@ -4622,7 +4622,7 @@ static uint16_t ssl_preset_suiteb_groups[] = {
    MBEDTLS_SSL_IANA_TLS_GROUP_NONE
 };

-#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
 * to make sure there are no duplicated signature algorithm entries. */
 MBEDTLS_CHECK_RETURN_CRITICAL
@ -4646,7 +4646,7 @@ static int ssl_check_no_sig_alg_duplication( uint16_t * sig_algs )
    return( ret );
 }

-#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 /*
 * Load default in mbedtls_ssl_config
@ -4658,7 +4658,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 #endif

-#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
    if( ssl_check_no_sig_alg_duplication( ssl_preset_suiteb_sig_algs ) )
    {
        mbedtls_printf( "ssl_preset_suiteb_sig_algs has duplicated entries\n" );
@ -4684,7 +4684,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
        return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
    }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-#endif /* MBEDTLS_DEBUG_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

    /* Use the functions here so that they are covered in tests,
     * but otherwise access member directly for efficiency */
@ -4815,14 +4815,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
            conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
 #endif

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( mbedtls_ssl_conf_is_tls12_only( conf ) )
                conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
            else
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
                conf->sig_algs = ssl_preset_suiteb_sig_algs;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
            conf->curve_list = NULL;
@ -4841,14 +4841,14 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
            conf->cert_profile = &mbedtls_x509_crt_profile_default;
 #endif

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
            if( mbedtls_ssl_conf_is_tls12_only( conf ) )
                conf->sig_algs = ssl_tls12_preset_default_sig_algs;
            else
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
                conf->sig_algs = ssl_preset_default_sig_algs;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
            conf->curve_list = NULL;
@ -5274,7 +5274,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,

 #endif /* !MBEDTLS_USE_PSA_CRYPTO */

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 /* mbedtls_ssl_parse_sig_alg_ext()
 *
 * The `extension_data` field of signature algorithm contains  a `SignatureSchemeList`
@ -5382,7 +5382,7 @@ int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
    return( 0 );
 }

-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)

@ -8588,7 +8588,7 @@ int mbedtls_ssl_validate_ciphersuite(
    return( 0 );
 }

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 /*
 * Function for writing a signature algorithm extension.
 *
@ -8691,7 +8691,7 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
    return( 0 );
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 /*