From a82290b7271a3cd489e62a0f98d24622dbbf4bbe Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:41:12 +0200 Subject: [PATCH] Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions Both functions are calling mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions. These functions are guarded with MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C flags - make it consistent. As a result ssl_server2 won't build now with MBEDTLS_SSL_SESSION_TICKETS enabled (mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions not available). Mark MBEDTLS_SSL_SESSION_TICKETS as dependent on MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C and disable MBEDTLS_SSL_SESSION_TICKETS in stream cipher only build. Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 3 +++ library/ssl_ticket.c | 7 ++++++- tests/scripts/all.sh | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 10387061ab..1874e51cbd 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -962,6 +962,9 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && !( defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) ) +#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" +#endif /* Reject attempts to enable options that have been removed and that could diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 359686afa3..5398c3970c 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -114,6 +114,7 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx, /* * Rotate/generate keys if necessary */ +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) { @@ -150,6 +151,7 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) #endif /* MBEDTLS_HAVE_TIME */ return( 0 ); } +#endif /* * Rotate active session ticket encryption key @@ -293,7 +295,7 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, * The key_name, iv, and length of encrypted_state are the additional * authenticated data. */ - +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) int mbedtls_ssl_ticket_write( void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, @@ -390,7 +392,9 @@ cleanup: return( ret ); } +#endif +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) /* * Select key based on name */ @@ -517,6 +521,7 @@ cleanup: return( ret ); } +#endif /* * Free context diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 862b8822be..64290544f2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1296,6 +1296,7 @@ component_test_crypto_default_stream_cipher_only () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS # Enable stream(null) cipher only scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER