diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 259d08884..dda140ef7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1852,27 +1852,55 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -/* - * Set EC J-PAKE password for current handshake - */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) -int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, - const unsigned char *pw, - size_t pw_len ) -{ - psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_pake_role_t psa_role; - psa_status_t status; - if( ssl->handshake == NULL || ssl->conf == NULL ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( + mbedtls_ssl_context *ssl, + mbedtls_svc_key_id_t pwd ) +{ + psa_status_t status; + psa_pake_role_t psa_role; + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + + psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); + psa_pake_cs_set_primitive( &cipher_suite, + PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, + 256) ); + psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); + + status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); + if( status != PSA_SUCCESS ) + return status; if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) psa_role = PSA_PAKE_ROLE_SERVER; else psa_role = PSA_PAKE_ROLE_CLIENT; + status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); + if( status != PSA_SUCCESS ) + return status; + + status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, pwd ); + if( status != PSA_SUCCESS ) + return status; + + ssl->handshake->psa_pake_ctx_is_ok = 1; + + return ( PSA_SUCCESS ); +} + +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status; + + if( ssl->handshake == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Empty password is not valid */ if( ( pw == NULL) || ( pw_len == 0 ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -1886,21 +1914,8 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); - psa_pake_cs_set_primitive( &cipher_suite, - PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, - PSA_ECC_FAMILY_SECP_R1, - 256) ); - psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); - - status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } - - status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); + status = mbedtls_ssl_set_hs_ecjpake_password_common( ssl, + ssl->handshake->psa_pake_password ); if( status != PSA_SUCCESS ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -1908,25 +1923,12 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, - ssl->handshake->psa_pake_password ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } - - ssl->handshake->psa_pake_ctx_is_ok = 1; - return( 0 ); } int mbedtls_ssl_set_hs_ecjpake_password_opaque( mbedtls_ssl_context *ssl, mbedtls_svc_key_id_t pwd ) { - psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); - psa_pake_role_t psa_role; psa_status_t status; if( ssl->handshake == NULL || ssl->conf == NULL ) @@ -1935,37 +1937,14 @@ int mbedtls_ssl_set_hs_ecjpake_password_opaque( mbedtls_ssl_context *ssl, if( mbedtls_svc_key_id_is_null( pwd ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); - psa_pake_cs_set_primitive( &cipher_suite, - PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, - PSA_ECC_FAMILY_SECP_R1, - 256) ); - psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); - - status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); + status = mbedtls_ssl_set_hs_ecjpake_password_common( ssl, pwd ); if( status != PSA_SUCCESS ) + { + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - - if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) - psa_role = PSA_PAKE_ROLE_SERVER; - else - psa_role = PSA_PAKE_ROLE_CLIENT; - - status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); - if( status != PSA_SUCCESS ) - goto error; - - status = psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, pwd ); - if( status != PSA_SUCCESS ) - goto error; - - ssl->handshake->psa_pake_ctx_is_ok = 1; + } return( 0 ); - -error: - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } #else /* MBEDTLS_USE_PSA_CRYPTO */ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,