Remove non-PSA MAC keys in mbedtls_ssl_transform when MBEDTLS_USE_PSA_CRYPTO is defined
Also remove last usage of non-PSA MAC keys in ssl_decrypt_non_etm_cbc() SSL test. Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This commit is contained in:
parent
4f091290bd
commit
cf8841a076
4 changed files with 29 additions and 6 deletions
|
@ -952,10 +952,10 @@ struct mbedtls_ssl_transform
|
|||
mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
|
||||
mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
|
||||
psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
|
||||
#endif
|
||||
|
||||
#else
|
||||
mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
|
||||
mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
int encrypt_then_mac; /*!< flag for EtM activation */
|
||||
|
|
|
@ -5755,9 +5755,10 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_destroy_key( transform->psa_mac_enc );
|
||||
psa_destroy_key( transform->psa_mac_dec );
|
||||
#endif
|
||||
#else
|
||||
mbedtls_md_free( &transform->md_ctx_enc );
|
||||
mbedtls_md_free( &transform->md_ctx_dec );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
#endif
|
||||
|
||||
mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
|
||||
|
|
|
@ -613,10 +613,11 @@ void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
#endif
|
||||
#else
|
||||
mbedtls_md_init( &transform->md_ctx_enc );
|
||||
mbedtls_md_init( &transform->md_ctx_dec );
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
|
||||
|
@ -7174,6 +7175,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
|
|||
if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ||
|
||||
mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
|
||||
{
|
||||
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/* Initialize HMAC contexts */
|
||||
if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
|
||||
( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
|
||||
|
@ -7181,6 +7183,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
|
|||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
|
||||
goto end;
|
||||
}
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
/* Get MAC length */
|
||||
mac_key_len = mbedtls_md_get_size( md_info );
|
||||
|
@ -7328,13 +7331,14 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
|
|||
MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_mac_key", ret );
|
||||
goto end;
|
||||
}
|
||||
#endif
|
||||
#else
|
||||
ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
|
||||
if( ret != 0 )
|
||||
goto end;
|
||||
ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
|
||||
if( ret != 0 )
|
||||
goto end;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
|
||||
|
||||
|
|
|
@ -1383,7 +1383,7 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
|||
CHK( psa_import_key( &attributes,
|
||||
md0, maclen,
|
||||
&t_out->psa_mac_dec ) == PSA_SUCCESS );
|
||||
#endif
|
||||
#else
|
||||
CHK( mbedtls_md_setup( &t_out->md_ctx_enc, md_info, 1 ) == 0 );
|
||||
CHK( mbedtls_md_setup( &t_out->md_ctx_dec, md_info, 1 ) == 0 );
|
||||
CHK( mbedtls_md_setup( &t_in->md_ctx_enc, md_info, 1 ) == 0 );
|
||||
|
@ -1397,6 +1397,7 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
|||
md1, maclen ) == 0 );
|
||||
CHK( mbedtls_md_hmac_starts( &t_out->md_ctx_dec,
|
||||
md0, maclen ) == 0 );
|
||||
#endif
|
||||
}
|
||||
#else
|
||||
((void) hash_id);
|
||||
|
@ -3724,6 +3725,10 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
|
|||
unsigned char padlen; /* excluding the padding_length byte */
|
||||
unsigned char add_data[13];
|
||||
unsigned char mac[MBEDTLS_MD_MAX_SIZE];
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
|
||||
size_t sign_mac_length = 0;
|
||||
#endif
|
||||
int exp_ret;
|
||||
int ret;
|
||||
const unsigned char pad_max_len = 255; /* Per the standard */
|
||||
|
@ -3807,11 +3812,24 @@ void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
|
|||
*/
|
||||
|
||||
/* MAC with additional data */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_setup( &operation,
|
||||
t0.psa_mac_enc,
|
||||
t0.psa_mac_alg ) );
|
||||
TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation, add_data, 13 ) );
|
||||
TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation,
|
||||
rec.buf + rec.data_offset,
|
||||
rec.data_len ) );
|
||||
TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_finish( &operation,
|
||||
mac, MBEDTLS_MD_MAX_SIZE,
|
||||
&sign_mac_length ) );
|
||||
#else
|
||||
TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
|
||||
TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc,
|
||||
rec.buf + rec.data_offset,
|
||||
rec.data_len ) );
|
||||
TEST_EQUAL( 0, mbedtls_md_hmac_finish( &t0.md_ctx_enc, mac ) );
|
||||
#endif
|
||||
|
||||
memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
|
||||
rec.data_len += t0.maclen;
|
||||
|
|
Loading…
Reference in a new issue