tls: use already existing symbols to size the buffer for XXDḦ peer key
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti
parent
aa7cbd619c
commit
da403b749e
2 changed files with 4 additions and 26 deletions
|
|
@ -757,24 +757,12 @@ struct mbedtls_ssl_handshake_params {
|
|||
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
|
||||
MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) && defined(PSA_WANT_ALG_FFDH)
|
||||
#if (MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH >= MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH)
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
|
||||
#else
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
|
||||
#endif
|
||||
#elif defined(PSA_WANT_ALG_ECDH)
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
|
||||
#else
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_ANY_PSA_ENABLED)
|
||||
psa_key_type_t xxdh_psa_type;
|
||||
size_t xxdh_bits;
|
||||
mbedtls_svc_key_id_t xxdh_psa_privkey;
|
||||
uint8_t xxdh_psa_privkey_is_external;
|
||||
unsigned char xxdh_psa_peerkey[SSL_XXDH_PSA_PEERKEY_SIZE];
|
||||
unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
|
||||
size_t xxdh_psa_peerkey_len;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_ANY_PSA_ENABLED */
|
||||
|
||||
|
|
|
|||
|
|
@ -1774,19 +1774,9 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
|
|||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
|
||||
/* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
|
||||
the sizes of the FFDH keys which are at least 2048 bits.
|
||||
The size of the array is thus greater than 256 bytes which is greater than any
|
||||
possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
|
||||
#if !defined(PSA_WANT_ALG_FFDH)
|
||||
if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
|
||||
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
||||
}
|
||||
#else
|
||||
MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
|
||||
"peer key buffer too small");
|
||||
#endif
|
||||
|
||||
/* xxdh_psa_peerkey is sized after maximum supported FFDH public key.
|
||||
* PSA_VENDOR_FFDH_MAX_KEY_BITS is always larger than EC public key, so
|
||||
* we can skip the buffer size check before the memcpy-ing data into it. */
|
||||
memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
|
||||
handshake->xxdh_psa_peerkey_len = ecpoint_len;
|
||||
*p += ecpoint_len;
|
||||
|
|
|
|||
Loading…
Reference in a new issue