From 801abb69a531307c1ae2613c5320af803a8c3a9a Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 4 May 2022 17:38:10 +0200 Subject: [PATCH 1/9] Provide a PSA definition of mbedtls_ssl_ciphersuite_get_cipher_key_bitlen() when MBEDTLS_USE_PSA_CRYPTO is defined Signed-off-by: Neil Armstrong --- library/ssl_ciphersuites.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index ee8a60eb1..402463f9d 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -1876,7 +1876,21 @@ int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name ) size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( const mbedtls_ssl_ciphersuite_t *info ) { -#if defined(MBEDTLS_CIPHER_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_type_t key_type; + psa_algorithm_t alg; + size_t key_bits; + + status = mbedtls_ssl_cipher_to_psa( info->cipher, + info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16, + &alg, &key_type, &key_bits ); + + if( status != PSA_SUCCESS ) + return 0; + + return key_bits; +#elif defined(MBEDTLS_CIPHER_C) const mbedtls_cipher_info_t * const cipher_info = mbedtls_cipher_info_from_type( info->cipher ); From a8093f5c48a15dfe5acfb72ab8e2898284f88ad0 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 4 May 2022 17:44:05 +0200 Subject: [PATCH 2/9] In mbedtls_ssl_tls13_populate_transform() make sure mbedtls_cipher_info_from_type() is only called when USE_PSA is disabled Signed-off-by: Neil Armstrong --- library/ssl_tls13_keys.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 072c8693a..c79d4c92a 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -993,8 +993,8 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, { #if !defined(MBEDTLS_USE_PSA_CRYPTO) int ret; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_cipher_info_t const *cipher_info; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ const mbedtls_ssl_ciphersuite_t *ciphersuite_info; unsigned char const *key_enc; unsigned char const *iv_enc; @@ -1022,6 +1022,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } +#if !defined(MBEDTLS_USE_PSA_CRYPTO) cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); if( cipher_info == NULL ) { @@ -1030,7 +1031,6 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } -#if !defined(MBEDTLS_USE_PSA_CRYPTO) /* * Setup cipher contexts in target transform */ @@ -1120,7 +1120,7 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, /* * Setup psa keys and alg */ - if( ( status = mbedtls_ssl_cipher_to_psa( cipher_info->type, + if( ( status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, transform->taglen, &alg, &key_type, From 4f4f271850b03dd4f9932a29c4bb7aba8ed76e5e Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 5 May 2022 15:34:39 +0200 Subject: [PATCH 3/9] In mbedtls_ssl_tls13_generate_handshake_keys() and mbedtls_ssl_tls13_generate_application_keys(), avoid calling mbedtls_cipher_info_from_type() Signed-off-by: Neil Armstrong --- library/ssl_tls13_keys.c | 62 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index c79d4c92a..714c21ac4 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1203,7 +1203,15 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_type_t key_type; + psa_algorithm_t alg; + size_t key_bits; + size_t taglen; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; +#else mbedtls_cipher_info_t const *cipher_info; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t key_len, iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1212,9 +1220,32 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) + taglen = 8; + else + taglen = 16; + + status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, + &alg, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + { + ret = psa_ssl_status_to_mbedtls( status ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret ); + return ret; + } + + key_len = PSA_BITS_TO_BYTES(key_bits); + + if( PSA_ALG_IS_AEAD( alg ) ) + iv_len = 12; + else + iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); +#else cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); key_len = cipher_info->key_bitlen >> 3; iv_len = cipher_info->iv_size; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ md_type = ciphersuite_info->mac; @@ -1408,17 +1439,48 @@ int mbedtls_ssl_tls13_generate_application_keys( size_t hash_len; /* Variables relating to the cipher for the chosen ciphersuite. */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_type_t key_type; + psa_algorithm_t alg; + size_t key_bits; + size_t taglen; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; +#else mbedtls_cipher_info_t const *cipher_info; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t key_len, iv_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) ); /* Extract basic information about hash and ciphersuite */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( handshake->ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) + taglen = 8; + else + taglen = 16; + + status = mbedtls_ssl_cipher_to_psa( handshake->ciphersuite_info->cipher, + taglen, &alg, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + { + ret = psa_ssl_status_to_mbedtls( status ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret ); + goto cleanup; + } + + key_len = PSA_BITS_TO_BYTES(key_bits); + + if( PSA_ALG_IS_AEAD( alg ) ) + iv_len = 12; + else + iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); +#else cipher_info = mbedtls_cipher_info_from_type( handshake->ciphersuite_info->cipher ); key_len = cipher_info->key_bitlen / 8; iv_len = cipher_info->iv_size; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ md_type = handshake->ciphersuite_info->mac; From 689557ca128a5e753bd82cf6c23935b1ce2ebe9f Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 12 May 2022 08:30:59 +0200 Subject: [PATCH 4/9] Make CIPHER_C guard code as alternate of USE_PSA_CRYPTO in mbedtls_ssl_ciphersuite_get_cipher_key_bitlen() Signed-off-by: Neil Armstrong --- library/ssl_ciphersuites.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 402463f9d..7deb57a1d 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -1890,15 +1890,12 @@ size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen( const mbedtls_ssl_ciphersu return 0; return key_bits; -#elif defined(MBEDTLS_CIPHER_C) +#else const mbedtls_cipher_info_t * const cipher_info = mbedtls_cipher_info_from_type( info->cipher ); return( mbedtls_cipher_info_get_key_bitlen( cipher_info ) ); -#else - (void)info; - return( 0 ); -#endif +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_PK_C) From 93617245c3bfe31e4144709fb4cdca8371be6642 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 12 May 2022 08:32:03 +0200 Subject: [PATCH 5/9] Code style fixes Signed-off-by: Neil Armstrong --- library/ssl_tls13_keys.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 714c21ac4..46ff3afd5 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1235,7 +1235,7 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, return ret; } - key_len = PSA_BITS_TO_BYTES(key_bits); + key_len = PSA_BITS_TO_BYTES( key_bits ); if( PSA_ALG_IS_AEAD( alg ) ) iv_len = 12; @@ -1469,7 +1469,7 @@ int mbedtls_ssl_tls13_generate_application_keys( goto cleanup; } - key_len = PSA_BITS_TO_BYTES(key_bits); + key_len = PSA_BITS_TO_BYTES( key_bits ); if( PSA_ALG_IS_AEAD( alg ) ) iv_len = 12; From e3b0b8ab6758ceed36a48aca3de691a72700b3d1 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 17 May 2022 09:11:45 +0200 Subject: [PATCH 6/9] Remove non-PSA code in mbedtls_ssl_tls13_generate_handshake_keys/mbedtls_ssl_tls13_generate_application_keys Signed-off-by: Neil Armstrong --- library/ssl_tls13_keys.c | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 46ff3afd5..8360cbba2 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1203,15 +1203,11 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_type_t key_type; psa_algorithm_t alg; size_t key_bits; size_t taglen; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#else - mbedtls_cipher_info_t const *cipher_info; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t key_len, iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1220,7 +1216,6 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) taglen = 8; else @@ -1241,11 +1236,6 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, iv_len = 12; else iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); -#else - cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); - key_len = cipher_info->key_bitlen >> 3; - iv_len = cipher_info->iv_size; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ md_type = ciphersuite_info->mac; @@ -1439,22 +1429,17 @@ int mbedtls_ssl_tls13_generate_application_keys( size_t hash_len; /* Variables relating to the cipher for the chosen ciphersuite. */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_type_t key_type; psa_algorithm_t alg; size_t key_bits; size_t taglen; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#else - mbedtls_cipher_info_t const *cipher_info; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t key_len, iv_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) ); /* Extract basic information about hash and ciphersuite */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) if( handshake->ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) taglen = 8; else @@ -1475,12 +1460,6 @@ int mbedtls_ssl_tls13_generate_application_keys( iv_len = 12; else iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); -#else - cipher_info = mbedtls_cipher_info_from_type( - handshake->ciphersuite_info->cipher ); - key_len = cipher_info->key_bitlen / 8; - iv_len = cipher_info->iv_size; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ md_type = handshake->ciphersuite_info->mac; From b818e16b2903bf0e56f10e89ae2afac40aa4675e Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 17 May 2022 09:24:52 +0200 Subject: [PATCH 7/9] Move out common PSA code from mbedtls_ssl_tls13_generate_handshake_keys/mbedtls_ssl_tls13_generate_application_keys Signed-off-by: Neil Armstrong --- library/ssl_tls13_keys.c | 82 +++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 44 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 8360cbba2..15bf94700 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1188,6 +1188,36 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) return( 0 ); } +static int mbedtls_ssl_tls13_get_cipher_key_info( + const mbedtls_ssl_ciphersuite_t *ciphersuite_info, + size_t *key_len, size_t *iv_len ) +{ + psa_key_type_t key_type; + psa_algorithm_t alg; + size_t taglen; + size_t key_bits; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) + taglen = 8; + else + taglen = 16; + + status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, + &alg, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + return psa_ssl_status_to_mbedtls( status ); + + *key_len = PSA_BITS_TO_BYTES( key_bits ); + + if( PSA_ALG_IS_AEAD( alg ) ) + *iv_len = 12; + else + *iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); + + return 0; +} + /* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, @@ -1203,11 +1233,6 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - psa_key_type_t key_type; - psa_algorithm_t alg; - size_t key_bits; - size_t taglen; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t key_len, iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -1216,27 +1241,14 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) - taglen = 8; - else - taglen = 16; - - status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, - &alg, &key_type, &key_bits ); - if( status != PSA_SUCCESS ) + ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info, + &key_len, &iv_len ); + if( ret != 0 ) { - ret = psa_ssl_status_to_mbedtls( status ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); return ret; } - key_len = PSA_BITS_TO_BYTES( key_bits ); - - if( PSA_ALG_IS_AEAD( alg ) ) - iv_len = 12; - else - iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); - md_type = ciphersuite_info->mac; hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); @@ -1429,38 +1441,20 @@ int mbedtls_ssl_tls13_generate_application_keys( size_t hash_len; /* Variables relating to the cipher for the chosen ciphersuite. */ - psa_key_type_t key_type; - psa_algorithm_t alg; - size_t key_bits; - size_t taglen; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; size_t key_len, iv_len; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) ); /* Extract basic information about hash and ciphersuite */ - if( handshake->ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) - taglen = 8; - else - taglen = 16; - - status = mbedtls_ssl_cipher_to_psa( handshake->ciphersuite_info->cipher, - taglen, &alg, &key_type, &key_bits ); - if( status != PSA_SUCCESS ) + ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, + &key_len, &iv_len ); + if( ret != 0 ) { - ret = psa_ssl_status_to_mbedtls( status ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); goto cleanup; } - key_len = PSA_BITS_TO_BYTES( key_bits ); - - if( PSA_ALG_IS_AEAD( alg ) ) - iv_len = 12; - else - iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); - md_type = handshake->ciphersuite_info->mac; hash_alg = mbedtls_psa_translate_md( handshake->ciphersuite_info->mac ); From 0fa8ce3498667c3a363b75fc89bf6176fd44477c Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 17 May 2022 14:42:57 +0200 Subject: [PATCH 8/9] TLS 1.3 only have AEAD ciphers, drop the PSA_ALG_IS_AEAD() check in mbedtls_ssl_tls13_get_cipher_key_info() Signed-off-by: Neil Armstrong --- library/ssl_tls13_keys.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 15bf94700..f3437a320 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1210,10 +1210,8 @@ static int mbedtls_ssl_tls13_get_cipher_key_info( *key_len = PSA_BITS_TO_BYTES( key_bits ); - if( PSA_ALG_IS_AEAD( alg ) ) - *iv_len = 12; - else - *iv_len = PSA_CIPHER_IV_LENGTH( key_type, alg ); + /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */ + *iv_len = 12; return 0; } From 8395d7a37d9b4366d98a04d5033e3e886c16257b Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 18 May 2022 11:44:56 +0200 Subject: [PATCH 9/9] Change guard of mbedtls_ssl_cipher_to_psa() with USE_PSA_CRYPTO || SSL_PROTO_TLS1_3 Signed-off-by: Neil Armstrong --- library/ssl_misc.h | 4 +--- library/ssl_tls.c | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6f9100bd9..9fcb2b296 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2137,7 +2137,7 @@ static inline int mbedtls_ssl_sig_alg_is_supported( } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is * guaranteed to not be a valid PSA algorithm identifier. @@ -2167,9 +2167,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_typ psa_algorithm_t *alg, psa_key_type_t *key_type, size_t *key_size ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) /** * \brief Convert given PSA status to mbedtls error code. * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8d6d379b5..53318650c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1838,7 +1838,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) ); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type, size_t taglen, psa_algorithm_t *alg, @@ -1983,7 +1983,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_typ return PSA_SUCCESS; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,