From 8031d06cb2d9544d601f01a3657e77cfddb272b7 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 3 Jan 2018 15:32:31 +0000
Subject: [PATCH] Remove code from `ssl_derive_keys` if relevant modes are not enabled
This commit guards code specific to AEAD, CBC and stream cipher modes in `ssl_derive_keys` by the respective configuration flags, analogous to the guards that are already in place in the record decryption and encryption functions `ssl_decrypt_buf` resp. `ssl_decrypt_buf`.
---
 library/ssl_tls.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a2350803a..d863f7d02 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -997,6 +997,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 keylen = cipher_info->key_bitlen / 8;
+#if defined(MBEDTLS_GCM_C) || \
+ defined(MBEDTLS_CCM_C) || \
+ defined(MBEDTLS_CHACHAPOLY_C)
 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
 cipher_info->mode == MBEDTLS_MODE_CCM ||
 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
@@ -1023,6 +1026,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 transform->minlen = explicit_ivlen + transform->taglen;
 }
 else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+ if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
+ cipher_info->mode == MBEDTLS_MODE_CBC )
 {
 /* Initialize HMAC contexts */
 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
@@ -1103,6 +1110,12 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
 }
 }
 }
+ else
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
 (unsigned) keylen,
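Review bot: The AEAD branch's trailing `else` now sits inside the guard opened at `#if defined(MBEDTLS_GCM_C) || ...`, so the if/else chain in mbedtls_ssl_derive_keys is stitched together from separate preprocessor regions and its shape depends on the build configuration. That is easy to break in a later edit, and nothing at this point tells the reader why it is written this way. I would add a comment above the new `#if`, for example `/* Each mode-specific branch ends in a dangling 'else' inside its guard; a mode that is compiled out falls through to the final error branch. */`. The function body starts before and continues after this hunk, so the rest of the chain is not visible here.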
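Review bot: The branch that used to be a catch-all `else` now runs only for `MBEDTLS_MODE_STREAM` and `MBEDTLS_MODE_CBC`, and only when `MBEDTLS_SSL_SOME_MODES_USE_MAC` is defined; that macro's definition is not part of this diff. If some configuration can still negotiate a stream or CBC suite without the macro being set, key derivation would fail late with an internal error instead of the suite being refused up front, so the macro's condition should be checked against the ciphersuite enablement rules. A short comment at the new `#if` would record the dependency: `/* MAC-based modes (stream, CBC); MBEDTLS_SSL_SOME_MODES_USE_MAC must cover every build that can select them. */`. The block opened here closes outside this hunk.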
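Review bot: The new fallback branch logs only `"should never happen"`, which gives whoever hits it (a build with a mode compiled out, or an unexpected `cipher_info->mode`) no indication of the cause. Failing closed with `MBEDTLS_ERR_SSL_INTERNAL_ERROR` is the right outcome; the message could name the mode, e.g. `MBEDTLS_SSL_DEBUG_MSG( 1, ( "unsupported cipher mode %d", (int) cipher_info->mode ) );`. The early `return` also skips the remainder of mbedtls_ssl_derive_keys, which continues beyond this hunk, so it is worth confirming that nothing set up earlier in the function needs releasing on this path.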