From 136f8409df6fd508d03252b73b481f6a8d3dee9a Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 30 Mar 2022 10:58:01 +0200 Subject: [PATCH] Replace PSA/Cipher logic with mbedtls_get_mode_from_transform() Signed-off-by: Neil Armstrong --- library/ssl_msg.c | 78 ++++++++++------------------------------------- 1 file changed, 16 insertions(+), 62 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c55c60f825..0bfe4c9ada 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -523,9 +523,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_cipher_mode_t mode; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + mbedtls_ssl_mode_t ssl_mode; int auth_done = 0; unsigned char * data; unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; @@ -566,15 +564,13 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + ssl_mode = mbedtls_get_mode_from_transform( transform ); + data = rec->buf + rec->data_offset; post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", data, rec->data_len ); -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET @@ -654,17 +650,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Add MAC before if needed */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER || - ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING -#else - if( mode == MBEDTLS_MODE_STREAM || - ( mode == MBEDTLS_MODE_CBC -#endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED -#endif - ) ) + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM || + ssl_mode == MBEDTLS_SSL_MODE_CBC ) { if( post_avail < transform->maclen ) { @@ -748,11 +735,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Encrypt */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) -#else - if( mode == MBEDTLS_MODE_STREAM ) -#endif + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " "including %d bytes of padding", @@ -767,13 +750,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_GCM_C) || \ defined(MBEDTLS_CCM_C) || \ defined(MBEDTLS_CHACHAPOLY_C) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( PSA_ALG_IS_AEAD( transform->psa_alg ) ) -#else - if( mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM || - mode == MBEDTLS_MODE_CHACHAPOLY ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_AEAD ) { unsigned char iv[12]; unsigned char *dynamic_iv; @@ -891,11 +868,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) -#else - if( mode == MBEDTLS_MODE_CBC ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_CBC || + ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t padlen, i; @@ -1139,14 +1113,9 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_record *rec ) { size_t olen; -#if defined(MBEDTLS_USE_PSA_CRYPTO) + mbedtls_ssl_mode_t ssl_mode; int ret; -#else - mbedtls_cipher_mode_t mode; - int ret; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - int auth_done = 0; #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) size_t padlen = 0, correct = 1; @@ -1171,9 +1140,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, } data = rec->buf + rec->data_offset; -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + ssl_mode = mbedtls_get_mode_from_transform( transform ); #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) /* @@ -1187,11 +1154,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) -#else - if( mode == MBEDTLS_MODE_STREAM ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ) { /* The only supported stream cipher is "NULL", * so there's nothing to do here.*/ @@ -1201,13 +1164,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #if defined(MBEDTLS_GCM_C) || \ defined(MBEDTLS_CCM_C) || \ defined(MBEDTLS_CHACHAPOLY_C) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( PSA_ALG_IS_AEAD( transform->psa_alg ) ) -#else - if( mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM || - mode == MBEDTLS_MODE_CHACHAPOLY ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_AEAD ) { unsigned char iv[12]; unsigned char *dynamic_iv; @@ -1333,11 +1290,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) -#else - if( mode == MBEDTLS_MODE_CBC ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_CBC || + ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { size_t minlen = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1391,7 +1345,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * Authenticate before decrypt if enabled */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) + if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;