Unify PSA to Mbed TLS error translation

Move all error translation utilities to psa_util.c.
Introduce macros and functions to avoid having
a local copy of the error translating function in
each place.
Identify overlapping errors and introduce a
generic function.
Provide a single macro for all error translations
(unless one file needs a couple of different ones).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
Andrzej Kurek 2022-12-23 11:00:06 -05:00
parent 05b80a4eee
commit 8a045ce5e6
29 changed files with 459 additions and 147 deletions

View file

@ -344,6 +344,41 @@ extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
#endif /* MBEDTLS_PSA_CRYPTO_C */ /* PSA errors use int32_t, while Mbed TLS ones use int16_t. psa_status_t
* is enough to store either of them. */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C)
extern psa_status_t psa_to_md_errors[8];
#endif
#if defined(MBEDTLS_LMS_C)
extern psa_status_t psa_to_lms_errors[6];
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
extern psa_status_t psa_to_ssl_errors[14];
#endif
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
extern psa_status_t psa_to_pk_rsa_errors[16];
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
extern psa_status_t psa_to_pk_ecdsa_errors[14];
#endif
int psa_generic_status_to_mbedtls(psa_status_t status);
int psa_status_to_mbedtls(psa_status_t status,
psa_status_t *local_translations,
size_t local_errors_num,
int (*fallback_f)(psa_status_t));
int psa_pk_status_to_mbedtls(psa_status_t status);
#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \
psa_status_to_mbedtls(status, error_list, sizeof(error_list), fallback_f)
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_PSA_UTIL_H */ #endif /* MBEDTLS_PSA_UTIL_H */

View file

@ -77,6 +77,7 @@ set(src_crypto
psa_crypto_slot_management.c psa_crypto_slot_management.c
psa_crypto_storage.c psa_crypto_storage.c
psa_its_file.c psa_its_file.c
psa_util.c
ripemd160.c ripemd160.c
rsa.c rsa.c
rsa_alt_helpers.c rsa_alt_helpers.c

View file

@ -142,6 +142,7 @@ OBJS_CRYPTO= \
psa_crypto_slot_management.o \ psa_crypto_slot_management.o \
psa_crypto_storage.o \ psa_crypto_storage.o \
psa_its_file.o \ psa_its_file.o \
psa_util.o \
ripemd160.o \ ripemd160.o \
rsa.o \ rsa.o \
rsa_alt_helpers.o \ rsa_alt_helpers.o \

View file

@ -46,6 +46,11 @@
#endif #endif
#include <string.h> #include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
/* /*
* Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to * Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to
@ -620,7 +625,7 @@ cleanup:
psa_hash_abort(&operation); psa_hash_abort(&operation);
psa_hash_abort(&aux_operation); psa_hash_abort(&aux_operation);
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
#undef MAX_HASH_BLOCK_LENGTH #undef MAX_HASH_BLOCK_LENGTH

View file

@ -35,6 +35,11 @@
#if !defined(MBEDTLS_MD_C) #if !defined(MBEDTLS_MD_C)
#include "psa/crypto.h" #include "psa/crypto.h"
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#if !defined(MBEDTLS_ECJPAKE_ALT)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
#endif /* !MBEDTLS_ECJPAKE_ALT */
#endif /* !MBEDTLS_MD_C */ #endif /* !MBEDTLS_MD_C */
#include "hash_info.h" #include "hash_info.h"
@ -72,7 +77,7 @@ static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,
status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len); status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
#endif /* !MBEDTLS_MD_C */ #endif /* !MBEDTLS_MD_C */
} }

View file

@ -104,6 +104,7 @@ mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg)
return entry->md_type; return entry->md_type;
} }
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_md_error_from_psa(psa_status_t status) int mbedtls_md_error_from_psa(psa_status_t status)
{ {
switch (status) { switch (status) {
@ -119,3 +120,4 @@ int mbedtls_md_error_from_psa(psa_status_t status)
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
} }
} }
#endif /* !MBEDTLS_DEPRECATED_REMOVED */

View file

@ -34,6 +34,7 @@
#include "mbedtls/md.h" #include "mbedtls/md.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#include "mbedtls/platform_util.h"
/** \def MBEDTLS_HASH_MAX_SIZE /** \def MBEDTLS_HASH_MAX_SIZE
* *
@ -88,12 +89,13 @@ psa_algorithm_t mbedtls_hash_info_psa_from_md(mbedtls_md_type_t md_type);
*/ */
mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg); mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg);
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** Convert PSA status to MD error code. /** Convert PSA status to MD error code.
* *
* \param status PSA status. * \param status PSA status.
* *
* \return The corresponding MD error code, * \return The corresponding MD error code,
*/ */
int mbedtls_md_error_from_psa(psa_status_t status); int MBEDTLS_DEPRECATED mbedtls_md_error_from_psa(psa_status_t status);
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_HASH_INFO_H */ #endif /* MBEDTLS_HASH_INFO_H */

View file

@ -41,9 +41,14 @@
#include "mbedtls/lms.h" #include "mbedtls/lms.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/psa_util.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_lms_errors, \
psa_generic_status_to_mbedtls)
#define PUBLIC_KEY_TYPE_OFFSET (0) #define PUBLIC_KEY_TYPE_OFFSET (0)
#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \ #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \
MBEDTLS_LMOTS_TYPE_LEN) MBEDTLS_LMOTS_TYPE_LEN)
@ -198,7 +203,7 @@ static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *pa
exit: exit:
psa_hash_abort(&op); psa_hash_abort(&op);
return mbedtls_lms_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
/* Hash each element of the string of digits (+ checksum), producing a hash /* Hash each element of the string of digits (+ checksum), producing a hash
@ -321,7 +326,7 @@ exit:
psa_hash_abort(&op); psa_hash_abort(&op);
mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash)); mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash));
return mbedtls_lms_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
/* Combine the hashes of the digit array into a public key. This is used in /* Combine the hashes of the digit array into a public key. This is used in
@ -386,9 +391,10 @@ exit:
psa_hash_abort(&op); psa_hash_abort(&op);
} }
return mbedtls_lms_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_lms_error_from_psa(psa_status_t status) int mbedtls_lms_error_from_psa(psa_status_t status)
{ {
switch (status) { switch (status) {
@ -406,6 +412,7 @@ int mbedtls_lms_error_from_psa(psa_status_t status)
return MBEDTLS_ERR_ERROR_GENERIC_ERROR; return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
} }
} }
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx) void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
{ {
@ -682,7 +689,7 @@ int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx,
exit: exit:
psa_hash_abort(&op); psa_hash_abort(&op);
return mbedtls_lms_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx, int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx,

View file

@ -79,6 +79,7 @@ void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len,
unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len, unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
const unsigned char *bytes); const unsigned char *bytes);
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** /**
* \brief This function converts a \ref psa_status_t to a * \brief This function converts a \ref psa_status_t to a
* low-level LMS error code. * low-level LMS error code.
@ -87,8 +88,8 @@ unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len,
* *
* \return The corresponding LMS error code. * \return The corresponding LMS error code.
*/ */
int mbedtls_lms_error_from_psa(psa_status_t status); int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status);
#endif
/** /**
* \brief This function initializes a public LMOTS context * \brief This function initializes a public LMOTS context

View file

@ -39,13 +39,17 @@
#include "lmots.h" #include "lmots.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "mbedtls/lms.h" #include "mbedtls/lms.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_lms_errors, \
psa_generic_status_to_mbedtls)
#define SIG_Q_LEAF_ID_OFFSET (0) #define SIG_Q_LEAF_ID_OFFSET (0)
#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \ #define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \
MBEDTLS_LMOTS_Q_LEAF_ID_LEN) MBEDTLS_LMOTS_Q_LEAF_ID_LEN)
@ -140,7 +144,7 @@ static int create_merkle_leaf_value(const mbedtls_lms_parameters_t *params,
exit: exit:
psa_hash_abort(&op); psa_hash_abort(&op);
return mbedtls_lms_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
/* Calculate the value of an internal node of the Merkle tree (which is a hash /* Calculate the value of an internal node of the Merkle tree (which is a hash
@ -220,7 +224,7 @@ static int create_merkle_internal_value(const mbedtls_lms_parameters_t *params,
exit: exit:
psa_hash_abort(&op); psa_hash_abort(&op);
return mbedtls_lms_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx) void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx)

View file

@ -39,6 +39,13 @@
#include "psa/crypto.h" #include "psa/crypto.h"
#endif #endif
#if !defined(MBEDTLS_MD5_C)
#include "mbedtls/psa_util.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
#endif
#include "mbedtls/legacy_or_psa.h" #include "mbedtls/legacy_or_psa.h"
#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
@ -236,7 +243,7 @@ static int pem_pbkdf1(unsigned char *key, size_t keylen,
exit: exit:
mbedtls_platform_zeroize(md5sum, 16); mbedtls_platform_zeroize(md5sum, 16);
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
} }
#endif /* MBEDTLS_MD5_C */ #endif /* MBEDTLS_MD5_C */

View file

@ -41,6 +41,13 @@
#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(MBEDTLS_PSA_CRYPTO_C)
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_rsa_errors, \
psa_pk_status_to_mbedtls)
#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_ecdsa_errors, \
psa_pk_status_to_mbedtls)
#endif #endif
#include <limits.h> #include <limits.h>
@ -540,7 +547,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
psa_destroy_key(key_id); psa_destroy_key(key_id);
return mbedtls_pk_error_from_psa(status); return PSA_PK_TO_MBEDTLS_ERR(status);
} }
/* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
@ -562,7 +569,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
status = destruction_status; status = destruction_status;
} }
return mbedtls_pk_error_from_psa_rsa(status); return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
} else } else
#endif #endif
{ {
@ -700,7 +707,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
status = psa_sign_hash(*key, PSA_ALG_RSA_PSS(psa_md_alg), status = psa_sign_hash(*key, PSA_ALG_RSA_PSS(psa_md_alg),
hash, hash_len, hash, hash_len,
sig, sig_size, sig_len); sig, sig_size, sig_len);
return mbedtls_pk_error_from_psa_rsa(status); return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
} }
return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg), return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
@ -896,7 +903,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
/* import private key into PSA */ /* import private key into PSA */
status = psa_import_key(&attributes, d, d_len, key); status = psa_import_key(&attributes, d, d_len, key);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return mbedtls_pk_error_from_psa(status); return PSA_PK_TO_MBEDTLS_ERR(status);
} }
/* make PK context wrap the key slot */ /* make PK context wrap the key slot */
@ -936,7 +943,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
mbedtls_platform_zeroize(buf, sizeof(buf)); mbedtls_platform_zeroize(buf, sizeof(buf));
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return mbedtls_pk_error_from_psa(status); return PSA_PK_TO_MBEDTLS_ERR(status);
} }
/* make PK context wrap the key slot */ /* make PK context wrap the key slot */

View file

@ -40,9 +40,19 @@
#include "pkwrite.h" #include "pkwrite.h"
#endif #endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "mbedtls/psa_util.h"
#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_rsa_errors, \
psa_pk_status_to_mbedtls)
#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_ecdsa_errors, \
psa_pk_status_to_mbedtls)
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h" #include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "hash_info.h" #include "hash_info.h"
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
@ -57,6 +67,7 @@
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(MBEDTLS_PSA_CRYPTO_C)
int mbedtls_pk_error_from_psa(psa_status_t status) int mbedtls_pk_error_from_psa(psa_status_t status)
{ {
@ -113,11 +124,9 @@ int mbedtls_pk_error_from_psa_rsa(psa_status_t status)
} }
} }
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
#endif /* MBEDTLS_PSA_CRYPTO_C */ #endif /* MBEDTLS_PSA_CRYPTO_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status) int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)
{ {
@ -138,8 +147,8 @@ int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)
} }
} }
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
static int rsa_can_do(mbedtls_pk_type_t type) static int rsa_can_do(mbedtls_pk_type_t type)
@ -196,14 +205,14 @@ static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
buf + sizeof(buf) - key_len, key_len, buf + sizeof(buf) - key_len, key_len,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len, status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len,
sig, sig_len); sig, sig_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa_rsa(status); ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
ret = 0; ret = 0;
@ -211,7 +220,7 @@ static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg,
cleanup: cleanup:
status = psa_destroy_key(key_id); status = psa_destroy_key(key_id);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
} }
return ret; return ret;
@ -289,13 +298,13 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
buf + sizeof(buf) - key_len, key_len, buf + sizeof(buf) - key_len, key_len,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
status = psa_sign_hash(key_id, alg, hash, hash_len, status = psa_sign_hash(key_id, alg, hash, hash_len,
sig, sig_size, sig_len); sig, sig_size, sig_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa_rsa(status); ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -304,7 +313,7 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
cleanup: cleanup:
status = psa_destroy_key(key_id); status = psa_destroy_key(key_id);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
} }
return ret; return ret;
} }
@ -398,7 +407,7 @@ static int rsa_decrypt_wrap(void *ctx,
buf + sizeof(buf) - key_len, key_len, buf + sizeof(buf) - key_len, key_len,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -407,7 +416,7 @@ static int rsa_decrypt_wrap(void *ctx,
NULL, 0, NULL, 0,
output, osize, olen); output, osize, olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa_rsa(status); ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -417,7 +426,7 @@ cleanup:
mbedtls_platform_zeroize(buf, sizeof(buf)); mbedtls_platform_zeroize(buf, sizeof(buf));
status = psa_destroy_key(key_id); status = psa_destroy_key(key_id);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
} }
return ret; return ret;
@ -484,7 +493,7 @@ static int rsa_encrypt_wrap(void *ctx,
buf + sizeof(buf) - key_len, key_len, buf + sizeof(buf) - key_len, key_len,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -493,7 +502,7 @@ static int rsa_encrypt_wrap(void *ctx,
NULL, 0, NULL, 0,
output, osize, olen); output, osize, olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa_rsa(status); ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -502,7 +511,7 @@ static int rsa_encrypt_wrap(void *ctx,
cleanup: cleanup:
status = psa_destroy_key(key_id); status = psa_destroy_key(key_id);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
} }
return ret; return ret;
@ -716,7 +725,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
buf, key_len, buf, key_len,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -737,7 +746,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
hash, hash_len, hash, hash_len,
buf, 2 * signature_part_size); buf, 2 * signature_part_size);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa_ecdsa(status); ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -750,7 +759,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
cleanup: cleanup:
status = psa_destroy_key(key_id); status = psa_destroy_key(key_id);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
} }
return ret; return ret;
@ -908,14 +917,14 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
buf, key_len, buf, key_len,
&key_id); &key_id);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len, status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len,
sig, sig_size, sig_len); sig, sig_size, sig_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa_ecdsa(status); ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -925,7 +934,7 @@ cleanup:
mbedtls_platform_zeroize(buf, sizeof(buf)); mbedtls_platform_zeroize(buf, sizeof(buf));
status = psa_destroy_key(key_id); status = psa_destroy_key(key_id);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = mbedtls_pk_error_from_psa(status); ret = PSA_PK_TO_MBEDTLS_ERR(status);
} }
return ret; return ret;
@ -1448,7 +1457,7 @@ static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
status = psa_get_key_attributes(*key, &attributes); status = psa_get_key_attributes(*key, &attributes);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return mbedtls_pk_error_from_psa(status); return PSA_PK_TO_MBEDTLS_ERR(status);
} }
type = psa_get_key_type(&attributes); type = psa_get_key_type(&attributes);
@ -1472,15 +1481,15 @@ static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
return mbedtls_pk_error_from_psa_ecdsa(status); return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
} else } else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
if (PSA_KEY_TYPE_IS_RSA(type)) { if (PSA_KEY_TYPE_IS_RSA(type)) {
return mbedtls_pk_error_from_psa_rsa(status); return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
} else } else
#endif /* MBEDTLS_RSA_C */ #endif /* MBEDTLS_RSA_C */
return mbedtls_pk_error_from_psa(status); return PSA_PK_TO_MBEDTLS_ERR(status);
} }
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
@ -1535,7 +1544,7 @@ static int pk_opaque_rsa_decrypt(void *ctx,
NULL, 0, NULL, 0,
output, osize, olen); output, osize, olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return mbedtls_pk_error_from_psa_rsa(status); return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
} }
return 0; return 0;

View file

@ -137,26 +137,30 @@ extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
extern const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info; extern const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info;
extern const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info; extern const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info;
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status); int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_ecdsa(psa_status_t status);
#endif
#endif #endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(MBEDTLS_PSA_CRYPTO_C)
int mbedtls_pk_error_from_psa(psa_status_t status); #if !defined(MBEDTLS_DEPRECATED_REMOVED)
int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa(psa_status_t status);
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \ #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
int mbedtls_pk_error_from_psa_rsa(psa_status_t status); int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_rsa(psa_status_t status);
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_RSA_C)
int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md, int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
mbedtls_rsa_context *rsa_ctx, mbedtls_rsa_context *rsa_ctx,
const unsigned char *hash, size_t hash_len, const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t sig_size, unsigned char *sig, size_t sig_size,
size_t *sig_len); size_t *sig_len);
#endif /* MBEDTLS_RSA_C */ #endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PSA_CRYPTO_C */ #endif /* MBEDTLS_PSA_CRYPTO_C */

View file

@ -35,6 +35,13 @@
#include <string.h> #include <string.h>
#if !defined(MBEDTLS_MD_C)
#include "mbedtls/psa_util.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_DES_C) #if defined(MBEDTLS_DES_C)
#include "mbedtls/des.h" #include "mbedtls/des.h"
#endif #endif
@ -328,7 +335,7 @@ exit:
if (status == PSA_SUCCESS) { if (status == PSA_SUCCESS) {
status = status_abort; status = status_abort;
} }
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
#endif /* !MBEDTLS_MD_C */ #endif /* !MBEDTLS_MD_C */
} }

View file

@ -47,6 +47,12 @@
#include "hash_info.h" #include "hash_info.h"
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#if !defined(MBEDTLS_MD_C)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_ASN1_PARSE_C) #if defined(MBEDTLS_ASN1_PARSE_C)
static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params, static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
mbedtls_asn1_buf *salt, int *iterations, mbedtls_asn1_buf *salt, int *iterations,
@ -452,7 +458,7 @@ cleanup:
status = status_destruction; status = status_destruction;
} }
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
#endif /* !MBEDTLS_MD_C */ #endif /* !MBEDTLS_MD_C */
} }

150
library/psa_util.c Normal file
View file

@ -0,0 +1,150 @@
/*
* PSA hashing layer on top of Mbed TLS software crypto
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "common.h"
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include <psa/crypto.h>
#include "psa_crypto_core.h"
#include <mbedtls/psa_util.h>
#include <mbedtls/error.h>
#include <mbedtls/lms.h>
#include <mbedtls/ssl.h>
#include <mbedtls/rsa.h>
/* PSA_SUCCESS is kept at the top of each error table since
* it's the most common status when everything functions properly. */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C)
psa_status_t psa_to_md_errors[] =
{
PSA_SUCCESS, 0,
PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE,
PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_MD_BAD_INPUT_DATA,
PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_MD_ALLOC_FAILED
};
#endif
#if defined(MBEDTLS_LMS_C)
psa_status_t psa_to_lms_errors[] =
{
PSA_SUCCESS, 0,
PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL,
PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA
};
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
psa_status_t psa_to_ssl_errors[] =
{
PSA_SUCCESS, 0,
PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED,
PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE,
PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC,
PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA,
PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR,
PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
};
#endif
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
psa_status_t psa_to_pk_rsa_errors[] =
{
PSA_SUCCESS, 0,
PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_RSA_BAD_INPUT_DATA,
PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_RSA_RNG_FAILED,
PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_RSA_VERIFY_FAILED,
PSA_ERROR_INVALID_PADDING, MBEDTLS_ERR_RSA_INVALID_PADDING
};
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
psa_status_t psa_to_pk_ecdsa_errors[] =
{
PSA_SUCCESS, 0,
PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE,
PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL,
PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_ECP_RANDOM_FAILED,
PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_ECP_VERIFY_FAILED
};
#endif
int psa_generic_status_to_mbedtls(psa_status_t status)
{
switch (status) {
case PSA_SUCCESS:
return 0;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
case PSA_ERROR_CORRUPTION_DETECTED:
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
case PSA_ERROR_COMMUNICATION_FAILURE:
case PSA_ERROR_HARDWARE_FAILURE:
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
case PSA_ERROR_NOT_PERMITTED:
default:
return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
}
}
int psa_status_to_mbedtls(psa_status_t status,
psa_status_t *local_translations,
size_t local_errors_size,
int (*fallback_f)(psa_status_t))
{
size_t local_errors_num = (size_t) local_errors_size / 2;
for (size_t i = 0; i < local_errors_num; i++) {
if (status == local_translations[2 * i]) {
return local_translations[2 * i + 1];
}
}
return fallback_f(status);
}
int psa_pk_status_to_mbedtls(psa_status_t status)
{
switch (status) {
case PSA_ERROR_INVALID_HANDLE:
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
case PSA_ERROR_BUFFER_TOO_SMALL:
return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
case PSA_ERROR_INVALID_ARGUMENT:
return MBEDTLS_ERR_PK_INVALID_ALG;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_PK_ALLOC_FAILED;
case PSA_ERROR_BAD_STATE:
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
case PSA_ERROR_DATA_CORRUPT:
case PSA_ERROR_DATA_INVALID:
case PSA_ERROR_STORAGE_FAILURE:
return MBEDTLS_ERR_PK_FILE_IO_ERROR;
default:
return psa_generic_status_to_mbedtls(status);
}
}
#endif /* MBEDTLS_PSA_CRYPTO_C */

View file

@ -60,7 +60,10 @@
#if !defined(MBEDTLS_MD_C) #if !defined(MBEDTLS_MD_C)
#include "psa/crypto.h" #include "psa/crypto.h"
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#endif /* MBEDTLS_MD_C */ #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
#endif /* !MBEDTLS_MD_C */
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
@ -1156,7 +1159,7 @@ exit:
#else #else
psa_hash_abort(&op); psa_hash_abort(&op);
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
#endif #endif
} }
@ -1236,7 +1239,7 @@ exit:
exit: exit:
psa_hash_abort(&op); psa_hash_abort(&op);
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
#endif /* !MBEDTLS_MD_C */ #endif /* !MBEDTLS_MD_C */
} }
@ -1269,7 +1272,7 @@ static int compute_hash(mbedtls_md_type_t md_alg,
status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len); status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
return mbedtls_md_error_from_psa(status); return PSA_TO_MBEDTLS_ERR(status);
#endif /* !MBEDTLS_MD_C */ #endif /* !MBEDTLS_MD_C */
} }
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */

View file

@ -37,6 +37,12 @@
#include <string.h> #include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
/* /*
* If DTLS is in use, then at least one of SHA-256 or SHA-384 is * If DTLS is in use, then at least one of SHA-256 or SHA-384 is
* available. Try SHA-256 first as 384 wastes resources * available. Try SHA-256 first as 384 wastes resources
@ -126,7 +132,7 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
if ((status = psa_generate_key(&attributes, if ((status = psa_generate_key(&attributes,
&ctx->psa_hmac_key)) != PSA_SUCCESS) { &ctx->psa_hmac_key)) != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
#else #else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -215,26 +221,26 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key, status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg); ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_update(&operation, *p - 4, 4); status = psa_mac_update(&operation, *p - 4, 4);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_update(&operation, cli_id, cli_id_len); status = psa_mac_update(&operation, cli_id, cli_id_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_sign_finish(&operation, *p, COOKIE_MD_OUTLEN, status = psa_mac_sign_finish(&operation, *p, COOKIE_MD_OUTLEN,
&sign_mac_length); &sign_mac_length);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
@ -263,7 +269,7 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
exit: exit:
status = psa_mac_abort(&operation); status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret; return ret;
@ -299,27 +305,27 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key, status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg); ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_update(&operation, cookie, 4); status = psa_mac_update(&operation, cookie, 4);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_update(&operation, cli_id, status = psa_mac_update(&operation, cli_id,
cli_id_len); cli_id_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_verify_finish(&operation, cookie + 4, status = psa_mac_verify_finish(&operation, cookie + 4,
COOKIE_HMAC_LEN); COOKIE_HMAC_LEN);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
@ -374,7 +380,7 @@ exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_abort(&operation); status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
#else #else
mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac)); mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));

View file

@ -2514,6 +2514,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type
psa_key_type_t *key_type, psa_key_type_t *key_type,
size_t *key_size); size_t *key_size);
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** /**
* \brief Convert given PSA status to mbedtls error code. * \brief Convert given PSA status to mbedtls error code.
* *
@ -2521,7 +2522,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type
* *
* \return corresponding mbedtls error code * \return corresponding mbedtls error code
*/ */
static inline int psa_ssl_status_to_mbedtls(psa_status_t status) static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
{ {
switch (status) { switch (status) {
case PSA_SUCCESS: case PSA_SUCCESS:
@ -2542,6 +2543,7 @@ static inline int psa_ssl_status_to_mbedtls(psa_status_t status)
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
} }
} }
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \

View file

@ -48,6 +48,12 @@
#include "mbedtls/oid.h" #include "mbedtls/oid.h"
#endif #endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl); static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);
/* /*
@ -879,10 +885,10 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
hmac_failed_etm_disabled: hmac_failed_etm_disabled:
mbedtls_platform_zeroize(mac, transform->maclen); mbedtls_platform_zeroize(mac, transform->maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation); status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) { if (ret != 0) {
@ -979,7 +985,7 @@ hmac_failed_etm_disabled:
&rec->data_len); &rec->data_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret);
return ret; return ret;
} }
@ -1089,7 +1095,7 @@ hmac_failed_etm_disabled:
transform->psa_key_enc, transform->psa_alg); transform->psa_key_enc, transform->psa_alg);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_encrypt_setup", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_encrypt_setup", ret);
return ret; return ret;
} }
@ -1097,7 +1103,7 @@ hmac_failed_etm_disabled:
status = psa_cipher_set_iv(&cipher_op, transform->iv_enc, transform->ivlen); status = psa_cipher_set_iv(&cipher_op, transform->iv_enc, transform->ivlen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
return ret; return ret;
@ -1108,7 +1114,7 @@ hmac_failed_etm_disabled:
data, rec->data_len, &olen); data, rec->data_len, &olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
return ret; return ret;
@ -1119,7 +1125,7 @@ hmac_failed_etm_disabled:
&part_len); &part_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
return ret; return ret;
@ -1222,10 +1228,10 @@ hmac_failed_etm_disabled:
hmac_failed_etm_enabled: hmac_failed_etm_enabled:
mbedtls_platform_zeroize(mac, transform->maclen); mbedtls_platform_zeroize(mac, transform->maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation); status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) { if (ret != 0) {
@ -1399,7 +1405,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
&olen); &olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret);
return ret; return ret;
} }
@ -1571,10 +1577,10 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
hmac_failed_etm_enabled: hmac_failed_etm_enabled:
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation); status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) { if (ret == 0 && status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
#else #else
mbedtls_platform_zeroize(mac_expect, transform->maclen); mbedtls_platform_zeroize(mac_expect, transform->maclen);
@ -1621,7 +1627,7 @@ hmac_failed_etm_enabled:
transform->psa_key_dec, transform->psa_alg); transform->psa_key_dec, transform->psa_alg);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_decrypt_setup", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_decrypt_setup", ret);
return ret; return ret;
} }
@ -1629,7 +1635,7 @@ hmac_failed_etm_enabled:
status = psa_cipher_set_iv(&cipher_op, transform->iv_dec, transform->ivlen); status = psa_cipher_set_iv(&cipher_op, transform->iv_dec, transform->ivlen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
return ret; return ret;
} }
@ -1639,7 +1645,7 @@ hmac_failed_etm_enabled:
data, rec->data_len, &olen); data, rec->data_len, &olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
return ret; return ret;
} }
@ -1649,7 +1655,7 @@ hmac_failed_etm_enabled:
&part_len); &part_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
return ret; return ret;
} }

View file

@ -30,6 +30,12 @@
#include <string.h> #include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
/* /*
* Initialize context * Initialize context
*/ */
@ -91,7 +97,7 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
psa_set_key_type(&attributes, key->key_type); psa_set_key_type(&attributes, key->key_type);
psa_set_key_bits(&attributes, key->key_bits); psa_set_key_bits(&attributes, key->key_bits);
ret = psa_ssl_status_to_mbedtls( ret = PSA_TO_MBEDTLS_ERR(
psa_import_key(&attributes, buf, psa_import_key(&attributes, buf,
PSA_BITS_TO_BYTES(key->key_bits), PSA_BITS_TO_BYTES(key->key_bits),
&key->key)); &key->key));
@ -133,7 +139,7 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) { if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
@ -169,7 +175,7 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) { if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
return ret; return ret;
} }
@ -182,7 +188,7 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
if ((status = psa_import_key(&attributes, k, if ((status = psa_import_key(&attributes, k,
PSA_BITS_TO_BYTES(key->key_bits), PSA_BITS_TO_BYTES(key->key_bits),
&key->key)) != PSA_SUCCESS) { &key->key)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
return ret; return ret;
} }
#else #else
@ -355,7 +361,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
state, clear_len, state, clear_len,
state, end - state, state, end - state,
&ciph_len)) != PSA_SUCCESS) { &ciph_len)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
#else #else
@ -465,7 +471,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
key_name, TICKET_ADD_DATA_LEN, key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len + TICKET_AUTH_TAG_BYTES, ticket, enc_len + TICKET_AUTH_TAG_BYTES,
ticket, enc_len, &clear_len)) != PSA_SUCCESS) { ticket, enc_len, &clear_len)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
#else #else

View file

@ -52,6 +52,12 @@
#include "mbedtls/oid.h" #include "mbedtls/oid.h"
#endif #endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_TEST_HOOKS) #if defined(MBEDTLS_TEST_HOOKS)
static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
@ -5759,7 +5765,7 @@ exit:
!defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
(void) ssl; (void) ssl;
#endif #endif
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
#else /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_USE_PSA_CRYPTO */
@ -8230,7 +8236,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
&alg, &alg,
&key_type, &key_type,
&key_bits)) != PSA_SUCCESS) { &key_bits)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
goto end; goto end;
} }
@ -8478,7 +8484,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
PSA_BITS_TO_BYTES(key_bits), PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_enc)) != PSA_SUCCESS) { &transform->psa_key_enc)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
goto end; goto end;
} }
@ -8489,7 +8495,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
key2, key2,
PSA_BITS_TO_BYTES(key_bits), PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_dec)) != PSA_SUCCESS) { &transform->psa_key_dec)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
goto end; goto end;
} }
@ -8552,7 +8558,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
if ((status = psa_import_key(&attributes, if ((status = psa_import_key(&attributes,
mac_enc, mac_key_len, mac_enc, mac_key_len,
&transform->psa_mac_enc)) != PSA_SUCCESS) { &transform->psa_mac_enc)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
goto end; goto end;
} }
@ -8573,7 +8579,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
if ((status = psa_import_key(&attributes, if ((status = psa_import_key(&attributes,
mac_dec, mac_key_len, mac_dec, mac_key_len,
&transform->psa_mac_dec)) != PSA_SUCCESS) { &transform->psa_mac_dec)) != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
goto end; goto end;
} }
@ -8628,7 +8634,7 @@ int mbedtls_psa_ecjpake_read_round(
status = psa_pake_input(pake_ctx, step, status = psa_pake_input(pake_ctx, step,
buf + input_offset, length); buf + input_offset, length);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
input_offset += length; input_offset += length;
@ -8670,7 +8676,7 @@ int mbedtls_psa_ecjpake_write_round(
len - output_offset - 1, len - output_offset - 1,
&output_len); &output_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
*(buf + output_offset) = (uint8_t) output_len; *(buf + output_offset) = (uint8_t) output_len;

View file

@ -33,6 +33,9 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h" #include "mbedtls/psa_util.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h> #include <string.h>
@ -2951,7 +2954,7 @@ ecdh_calc_secret:
status = psa_generate_key(&key_attributes, status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey); &handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
/* Export the public part of the ECDH private key from PSA. /* Export the public part of the ECDH private key from PSA.
@ -2968,7 +2971,7 @@ ecdh_calc_secret:
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
psa_destroy_key(handshake->ecdh_psa_privkey); psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
*p = (unsigned char) own_pubkey_len; *p = (unsigned char) own_pubkey_len;
@ -3000,9 +3003,9 @@ ecdh_calc_secret:
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} else if (destruction_status != PSA_SUCCESS) { } else if (destruction_status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(destruction_status); return PSA_TO_MBEDTLS_ERR(destruction_status);
} }
/* Write the ECDH computation length before the ECDH computation */ /* Write the ECDH computation length before the ECDH computation */

View file

@ -34,6 +34,12 @@
#include <string.h> #include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
#include "mbedtls/ecp.h" #include "mbedtls/ecp.h"
#endif #endif
@ -2588,7 +2594,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
&key_attributes); &key_attributes);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes); ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes);
@ -2635,7 +2641,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
status = psa_import_key(&key_attributes, buf, key_len, status = psa_import_key(&key_attributes, buf, key_len,
&ssl->handshake->ecdh_psa_privkey); &ssl->handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -2956,7 +2962,7 @@ curve_matching_done:
status = psa_generate_key(&key_attributes, status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey); &handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
return ret; return ret;
} }
@ -2980,7 +2986,7 @@ curve_matching_done:
own_pubkey, own_pubkey_max_len, own_pubkey, own_pubkey_max_len,
&len); &len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
(void) psa_destroy_key(handshake->ecdh_psa_privkey); (void) psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
@ -3688,7 +3694,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
handshake->premaster, sizeof(handshake->premaster), handshake->premaster, sizeof(handshake->premaster),
&handshake->pmslen); &handshake->pmslen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
if (handshake->ecdh_psa_privkey_is_external == 0) { if (handshake->ecdh_psa_privkey_is_external == 0) {
(void) psa_destroy_key(handshake->ecdh_psa_privkey); (void) psa_destroy_key(handshake->ecdh_psa_privkey);
@ -3701,7 +3707,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
status = psa_destroy_key(handshake->ecdh_psa_privkey); status = psa_destroy_key(handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
return ret; return ret;
} }
@ -3894,9 +3900,9 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} else if (destruction_status != PSA_SUCCESS) { } else if (destruction_status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(destruction_status); return PSA_TO_MBEDTLS_ERR(destruction_status);
} }
/* Write the ECDH computation length before the ECDH computation */ /* Write the ECDH computation length before the ECDH computation */

View file

@ -34,6 +34,10 @@
#include "ssl_tls13_keys.h" #include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h" #include "ssl_debug_helpers.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
/* Write extensions */ /* Write extensions */
/* /*
@ -188,7 +192,7 @@ static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
/* Destroy generated private key. */ /* Destroy generated private key. */
status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey); status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
return ret; return ret;
} }

View file

@ -36,6 +36,13 @@
#include "ssl_tls13_keys.h" #include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h" #include "ssl_debug_helpers.h"
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN] = MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
{ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
@ -1016,7 +1023,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
verify_hash, sizeof(verify_hash), verify_hash, sizeof(verify_hash),
&verify_hash_len); &verify_hash_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
@ -1482,7 +1489,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
status = psa_generate_key(&key_attributes, status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey); &handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
return ret; return ret;
@ -1493,7 +1500,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
buf, (size_t) (end - buf), buf, (size_t) (end - buf),
&own_pubkey_len); &own_pubkey_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
return ret; return ret;

View file

@ -35,6 +35,10 @@
#include "psa/crypto.h" #include "psa/crypto.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
.name = string, .name = string,
@ -215,7 +219,7 @@ cleanup:
abort_status = psa_key_derivation_abort(&operation); abort_status = psa_key_derivation_abort(&operation);
status = (status == PSA_SUCCESS ? abort_status : status); status = (status == PSA_SUCCESS ? abort_status : status);
mbedtls_platform_zeroize(hkdf_label, hkdf_label_len); mbedtls_platform_zeroize(hkdf_label, hkdf_label_len);
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
@ -309,7 +313,7 @@ int mbedtls_ssl_tls13_derive_secret(
status = psa_hash_compute(hash_alg, ctx, ctx_len, hashed_context, status = psa_hash_compute(hash_alg, ctx, ctx_len, hashed_context,
PSA_HASH_LENGTH(hash_alg), &ctx_len); PSA_HASH_LENGTH(hash_alg), &ctx_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
return ret; return ret;
} }
} else { } else {
@ -416,7 +420,7 @@ int mbedtls_ssl_tls13_evolve_secret(
cleanup: cleanup:
abort_status = psa_key_derivation_abort(&operation); abort_status = psa_key_derivation_abort(&operation);
status = (status == PSA_SUCCESS ? abort_status : status); status = (status == PSA_SUCCESS ? abort_status : status);
ret = (ret == 0 ? psa_ssl_status_to_mbedtls(status) : ret); ret = (ret == 0 ? PSA_TO_MBEDTLS_ERR(status) : ret);
mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret)); mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret));
return ret; return ret;
} }
@ -740,19 +744,19 @@ static int ssl_tls13_calc_finished_core(psa_algorithm_t hash_alg,
status = psa_import_key(&attributes, finished_key, hash_len, &key); status = psa_import_key(&attributes, finished_key, hash_len, &key);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto exit; goto exit;
} }
status = psa_mac_compute(key, alg, transcript, hash_len, status = psa_mac_compute(key, alg, transcript, hash_len,
dst, hash_len, dst_len); dst, hash_len, dst_len);
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
exit: exit:
status = psa_destroy_key(key); status = psa_destroy_key(key);
if (ret == 0) { if (ret == 0) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
mbedtls_platform_zeroize(finished_key, sizeof(finished_key)); mbedtls_platform_zeroize(finished_key, sizeof(finished_key));
@ -1040,8 +1044,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
&alg, &alg,
&key_type, &key_type,
&key_bits)) != PSA_SUCCESS) { &key_bits)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", psa_ssl_status_to_mbedtls(status)); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status));
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
transform->psa_alg = alg; transform->psa_alg = alg;
@ -1055,8 +1059,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
key_enc, key_enc,
PSA_BITS_TO_BYTES(key_bits), PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_enc)) != PSA_SUCCESS) { &transform->psa_key_enc)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", psa_ssl_status_to_mbedtls(status)); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
@ -1065,8 +1069,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
key_dec, key_dec,
PSA_BITS_TO_BYTES(key_bits), PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_dec)) != PSA_SUCCESS) { &transform->psa_key_dec)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", psa_ssl_status_to_mbedtls(status)); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
@ -1094,7 +1098,7 @@ static int ssl_tls13_get_cipher_key_info(
status = mbedtls_ssl_cipher_to_psa(ciphersuite_info->cipher, taglen, status = mbedtls_ssl_cipher_to_psa(ciphersuite_info->cipher, taglen,
&alg, &key_type, &key_bits); &alg, &key_type, &key_bits);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
*key_len = PSA_BITS_TO_BYTES(key_bits); *key_len = PSA_BITS_TO_BYTES(key_bits);
@ -1467,7 +1471,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
status = psa_get_key_attributes(handshake->ecdh_psa_privkey, status = psa_get_key_attributes(handshake->ecdh_psa_privkey,
&key_attributes); &key_attributes);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
} }
shared_secret_len = PSA_BITS_TO_BYTES( shared_secret_len = PSA_BITS_TO_BYTES(
@ -1482,14 +1486,14 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
shared_secret, shared_secret_len, &shared_secret_len); shared_secret, shared_secret_len, &shared_secret_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
goto cleanup; goto cleanup;
} }
status = psa_destroy_key(handshake->ecdh_psa_privkey); status = psa_destroy_key(handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
goto cleanup; goto cleanup;
} }
@ -1826,7 +1830,7 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes); status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
*psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits(&key_attributes)); *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits(&key_attributes));
@ -1840,7 +1844,7 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
mbedtls_free((void *) *psk); mbedtls_free((void *) *psk);
*psk = NULL; *psk = NULL;
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
return 0; return 0;
#else #else

View file

@ -18,6 +18,12 @@
#include <constant_time_internal.h> #include <constant_time_internal.h>
#include <test/constant_flow.h> #include <test/constant_flow.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
@ -1299,27 +1305,27 @@ static int psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
transform->psa_key_enc, transform->psa_alg); transform->psa_key_enc, transform->psa_alg);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
status = psa_cipher_set_iv(&cipher_op, iv, iv_len); status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
status = psa_cipher_update(&cipher_op, status = psa_cipher_update(&cipher_op,
input, ilen, output, ilen, olen); input, ilen, output, ilen, olen);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
status = psa_cipher_finish(&cipher_op, status = psa_cipher_finish(&cipher_op,
output + *olen, ilen - *olen, &part_len); output + *olen, ilen - *olen, &part_len);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
return psa_ssl_status_to_mbedtls(status); return PSA_TO_MBEDTLS_ERR(status);
} }
*olen += part_len; *olen += part_len;
@ -1614,7 +1620,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in,
&key_bits); &key_bits);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -1633,7 +1639,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in,
&t_in->psa_key_enc); &t_in->psa_key_enc);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -1643,7 +1649,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in,
&t_out->psa_key_enc); &t_out->psa_key_enc);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -1655,7 +1661,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in,
&t_in->psa_key_dec); &t_in->psa_key_dec);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
@ -1665,7 +1671,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in,
&t_out->psa_key_dec); &t_out->psa_key_dec);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; goto cleanup;
} }
} }
@ -1735,7 +1741,7 @@ static int ssl_tls12_populate_session(mbedtls_ssl_session *session,
session->peer_cert_digest, session->peer_cert_digest,
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN,
&hash_size); &hash_size);
ret = psa_ssl_status_to_mbedtls(status); ret = PSA_TO_MBEDTLS_ERR(status);
#else #else
ret = mbedtls_md(mbedtls_md_info_from_type( ret = mbedtls_md(mbedtls_md_info_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),