tls: use already existing symbols to size the buffer for XXDḦ peer key
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti
parent
aa7cbd619c
commit
da403b749e
2 changed files with 4 additions and 26 deletions
|
|
@ -757,24 +757,12 @@ struct mbedtls_ssl_handshake_params {
|
||||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
|
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
|
||||||
MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_ECDH) && defined(PSA_WANT_ALG_FFDH)
|
|
||||||
#if (MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH >= MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH)
|
|
||||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
|
|
||||||
#else
|
|
||||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
|
|
||||||
#endif
|
|
||||||
#elif defined(PSA_WANT_ALG_ECDH)
|
|
||||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
|
|
||||||
#else
|
|
||||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_ANY_PSA_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_ANY_PSA_ENABLED)
|
||||||
psa_key_type_t xxdh_psa_type;
|
psa_key_type_t xxdh_psa_type;
|
||||||
size_t xxdh_bits;
|
size_t xxdh_bits;
|
||||||
mbedtls_svc_key_id_t xxdh_psa_privkey;
|
mbedtls_svc_key_id_t xxdh_psa_privkey;
|
||||||
uint8_t xxdh_psa_privkey_is_external;
|
uint8_t xxdh_psa_privkey_is_external;
|
||||||
unsigned char xxdh_psa_peerkey[SSL_XXDH_PSA_PEERKEY_SIZE];
|
unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
|
||||||
size_t xxdh_psa_peerkey_len;
|
size_t xxdh_psa_peerkey_len;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_ANY_PSA_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_ANY_PSA_ENABLED */
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1774,19 +1774,9 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
|
||||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
|
/* xxdh_psa_peerkey is sized after maximum supported FFDH public key.
|
||||||
the sizes of the FFDH keys which are at least 2048 bits.
|
* PSA_VENDOR_FFDH_MAX_KEY_BITS is always larger than EC public key, so
|
||||||
The size of the array is thus greater than 256 bytes which is greater than any
|
* we can skip the buffer size check before the memcpy-ing data into it. */
|
||||||
possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
|
|
||||||
#if !defined(PSA_WANT_ALG_FFDH)
|
|
||||||
if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
|
|
||||||
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
|
|
||||||
"peer key buffer too small");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
|
memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
|
||||||
handshake->xxdh_psa_peerkey_len = ecpoint_len;
|
handshake->xxdh_psa_peerkey_len = ecpoint_len;
|
||||||
*p += ecpoint_len;
|
*p += ecpoint_len;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue