yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

ssl_tls13: use PSA_WANT_ALG_ECDH as symbol for marking ECDH capability

Browse source 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2023-03-20 15:22:47 +01:00
parent 8427b56d71
commit 080a22ba75
7 changed files with 31 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
include/mbedtls/pk.h
View file

@ -193,12 +193,6 @@ typedef struct mbedtls_pk_rsassa_pss_options {
#endif /* PSA_WANT_ALG_ECDSA */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Symbol for ECDH capabilities, no matter how it is provided */
#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_HAVE_FULL_ECDH)) || \
(!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
#define MBEDTLS_PK_CAN_ECDH
#endif
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
#define MBEDTLS_PK_CAN_ECDSA_SOME
#endif

12
library/ssl_misc.h
View file

@ -2089,7 +2089,7 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
mbedtls_ssl_context *ssl,
@ -2097,7 +2097,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
unsigned char *buf,
unsigned char *end,
size_t *out_len);
#endif /* MBEDTLS_ECDH_C */
#endif /* PSA_WANT_ALG_ECDH */
#if defined(MBEDTLS_SSL_EARLY_DATA)
int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
@ -2215,7 +2215,7 @@ static inline int mbedtls_ssl_named_group_is_offered(
static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
{
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
MBEDTLS_ECP_DP_NONE) {
@ -2224,7 +2224,7 @@ static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
}
#else
((void) named_group);
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
return 0;
}
@ -2617,14 +2617,14 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
const mbedtls_ssl_ciphersuite_t *suite);
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t buf_len);
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
mbedtls_ssl_context *ssl, int cipher_suite)

4
library/ssl_tls.c
View file

@ -4219,12 +4219,12 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
mbedtls_ssl_buffering_free(ssl);
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_PK_CAN_ECDH) && \
#if defined(PSA_WANT_ALG_ECDH) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
if (handshake->ecdh_psa_privkey_is_external == 0) {
psa_destroy_key(handshake->ecdh_psa_privkey);
}
#endif /* MBEDTLS_PK_CAN_ECDH && MBEDTLS_USE_PSA_CRYPTO */
#endif /* PSA_WANT_ALG_ECDH && (MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_transform_free(handshake->transform_handshake);

18
library/ssl_tls13_client.c
View file

@ -184,7 +184,7 @@ static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@ -200,7 +200,7 @@ static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return 0;
} else
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
if (0 /* other KEMs? */) {
/* Do something */
}
@ -219,7 +219,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
/* Pick first available ECDHE group compatible with TLS 1.3 */
if (group_list == NULL) {
@ -237,7 +237,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
#else
((void) ssl);
((void) group_id);
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
/*
* Add DHE named groups here.
@ -301,7 +301,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
* only one key share entry is allowed.
*/
client_shares = p;
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id)) {
/* Pointer to group */
unsigned char *group = p;
@ -326,7 +326,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
/* Write key_exchange_length */
MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
} else
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
if (0 /* other KEMs? */) {
/* Do something */
} else {
@ -375,7 +375,7 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end)
{
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
const unsigned char *p = buf;
int selected_group;
int found = 0;
@ -480,7 +480,7 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) {
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(group, NULL, NULL)
== PSA_ERROR_NOT_SUPPORTED) {
@ -496,7 +496,7 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
return ret;
}
} else
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
if (0 /* other KEMs? */) {
/* Do something */
} else {

4
library/ssl_tls13_generic.c
View file

@ -1428,7 +1428,7 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
return ret;
}
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
const unsigned char *buf,
@ -1510,7 +1510,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
return 0;
}
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
/* RFC 8446 section 4.2
*

4
library/ssl_tls13_keys.c
View file

@ -1463,7 +1463,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
*/
if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id)) {
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
/* Compute ECDH shared secret. */
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -1499,7 +1499,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
}
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
} else {
MBEDTLS_SSL_DEBUG_MSG(1, ("Group not supported."));
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;

20
library/ssl_tls13_server.c
View file

@ -762,7 +762,7 @@ static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
return 0;
}
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
/*
*
* From RFC 8446:
@ -818,11 +818,11 @@ static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
return 0;
}
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
/*
* ssl_tls13_parse_key_shares_ext() verifies whether the information in the
* extension is correct and stores the first acceptable key share and its associated group.
@ -923,7 +923,7 @@ static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
}
return 0;
}
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
@ -1462,7 +1462,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
break;
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
@ -1481,9 +1481,9 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
break;
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
@ -1508,7 +1508,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
break;
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
MBEDTLS_SSL_DEBUG_MSG(3, ("found supported versions extension"));
@ -1826,7 +1826,7 @@ static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
*out_len = 0;
#if defined(MBEDTLS_PK_CAN_ECDH)
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
ssl, named_group, buf, end, out_len);
@ -1837,7 +1837,7 @@ static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
return ret;
}
} else
#endif /* MBEDTLS_PK_CAN_ECDH */
#endif /* PSA_WANT_ALG_ECDH */
if (0 /* Other kinds of KEMs */) {
} else {
((void) ssl);