Reduce size of ssl_transform if no MAC ciphersuite is enabled

The hash contexts `ssl_transform->md_ctx_{enc/dec}` are not used if only AEAD ciphersuites are enabled. This commit removes them from the `ssl_transform` struct in this case, saving a few bytes.
2018-01-03 15:32:51 +00:00 · 2018-01-03 15:32:51 +00:00 · d56ed2491b
commit d56ed2491b
parent 8031d06cb2
2 changed files with 16 additions and 4 deletions
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -569,6 +569,8 @@ struct mbedtls_ssl_transform
    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
    unsigned char iv_dec[16];           /*!<  IV (decryption)         */

+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
+
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
    /* Needed only for SSL v3.0 secret */
    unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
@ -578,13 +580,14 @@ struct mbedtls_ssl_transform
    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */

-    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
-    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
-
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    int encrypt_then_mac;       /*!< flag for EtM activation                */
 #endif

+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
+
+    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
+    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
    int minor_ver;

    /*
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1171,10 +1171,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }

+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
 #if defined(MBEDTLS_SSL_PROTO_SSL3)
    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
    {
-        if( mac_key_len > sizeof transform->mac_enc )
+        if( mac_key_len > sizeof( transform->mac_enc ) )
        {
            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -1203,6 +1204,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
    }
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */

 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
    if( mbedtls_ssl_hw_record_init != NULL )
@ -1221,6 +1223,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
        }
    }
+#else
+    ((void) mac_dec);
+    ((void) mac_enc);
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */

 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
@ -7424,8 +7429,10 @@ static void ssl_transform_init( mbedtls_ssl_transform *transform )
    mbedtls_cipher_init( &transform->cipher_ctx_enc );
    mbedtls_cipher_init( &transform->cipher_ctx_dec );

+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
    mbedtls_md_init( &transform->md_ctx_enc );
    mbedtls_md_init( &transform->md_ctx_dec );
+#endif
 }

 void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
@ -9647,8 +9654,10 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
    mbedtls_cipher_free( &transform->cipher_ctx_enc );
    mbedtls_cipher_free( &transform->cipher_ctx_dec );

+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
    mbedtls_md_free( &transform->md_ctx_enc );
    mbedtls_md_free( &transform->md_ctx_dec );
+#endif

    mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
 }