From 2984bd254317b2a2b660227d7e09c68ccf6d8d73 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 26 Feb 2019 11:43:09 +0000 Subject: [PATCH] Add config sanity check for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE --- include/mbedtls/check_config.h | 8 ++++++++ include/mbedtls/ssl.h | 7 +++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 00fb9b367..76ab07a9f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -278,6 +278,14 @@ #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #endif +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ + ( !defined(MBEDTLS_SHA256_C) && \ + !defined(MBEDTLS_SHA512_C) && \ + !defined(MBEDTLS_SHA1_C) ) +#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C" +#endif + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) ) #error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites" diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 65c8d94d9..9a36009a7 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -812,7 +812,8 @@ typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl, typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) && \ + !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN 48 #if defined(MBEDTLS_SHA256_C) #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256 @@ -824,9 +825,11 @@ typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl ); #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1 #define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 20 #else +/* This is already checked in check_config.h, but be sure. */ #error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT." #endif -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED && + !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /* * This structure is used for storing current session data.