diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f0067f4b2d..8e63548a43 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6600,64 +6600,89 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) return 0; } +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl, + const psa_hash_operation_t *hs_op, + size_t buffer_size, + unsigned char *hash, + size_t *hlen) +{ + psa_status_t status; + psa_hash_operation_t copy = psa_hash_operation_init(); + +#if !defined(MBEDTLS_DEBUG_C) + (void) ssl; +#endif + MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify")); + status = psa_hash_clone(hs_op, ©); + if (status != PSA_SUCCESS) { + goto exit; + } + + status = psa_hash_finish(©, hash, buffer_size, hlen); + if (status != PSA_SUCCESS) { + goto exit; + } + + MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); + MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); + +exit: + psa_hash_abort(©); + return mbedtls_md_error_from_psa(status); +} +#else +static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl, + const mbedtls_md_context_t *hs_ctx, + unsigned char *hash, + size_t *hlen) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_md_context_t copy; + + mbedtls_md_init(©); + +#if !defined(MBEDTLS_DEBUG_C) + (void) ssl; +#endif + MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify")); + + ret = mbedtls_md_setup(©, mbedtls_md_info_from_ctx(hs_ctx), 0); + if (ret != 0) { + goto exit; + } + ret = mbedtls_md_clone(©, hs_ctx); + if (ret != 0) { + goto exit; + } + + ret = mbedtls_md_finish(©, hash); + if (ret != 0) { + goto exit; + } + + *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx)); + + MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); + MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); + +exit: + mbedtls_md_free(©); + return ret; +} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + #if defined(MBEDTLS_MD_CAN_SHA256) int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hlen) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t hash_size; - psa_status_t status; - psa_hash_operation_t sha256_psa = psa_hash_operation_init(); - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256")); - status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); - if (status != PSA_SUCCESS) { - goto exit; - } - - status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size); - if (status != PSA_SUCCESS) { - goto exit; - } - - *hlen = 32; - MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); - -exit: - psa_hash_abort(&sha256_psa); - return mbedtls_md_error_from_psa(status); + return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32, + hash, hlen); #else - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_context_t sha256; - - mbedtls_md_init(&sha256); - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256")); - - ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); - if (ret != 0) { - goto exit; - } - - ret = mbedtls_md_finish(&sha256, hash); - if (ret != 0) { - goto exit; - } - - *hlen = 32; - - MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); - -exit: - mbedtls_md_free(&sha256); - return ret; + return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256, + hash, hlen); #endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_MD_CAN_SHA256 */ @@ -6668,58 +6693,11 @@ int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, size_t *hlen) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t hash_size; - psa_status_t status; - psa_hash_operation_t sha384_psa = psa_hash_operation_init(); - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384")); - status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); - if (status != PSA_SUCCESS) { - goto exit; - } - - status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size); - if (status != PSA_SUCCESS) { - goto exit; - } - - *hlen = 48; - MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); - -exit: - psa_hash_abort(&sha384_psa); - return mbedtls_md_error_from_psa(status); + return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48, + hash, hlen); #else - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_context_t sha384; - - mbedtls_md_init(&sha384); - - MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384")); - - ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); - if (ret != 0) { - goto exit; - } - ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); - if (ret != 0) { - goto exit; - } - - ret = mbedtls_md_finish(&sha384, hash); - if (ret != 0) { - goto exit; - } - - *hlen = 48; - - MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); - MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); - -exit: - mbedtls_md_free(&sha384); - return ret; + return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384, + hash, hlen); #endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_MD_CAN_SHA384 */