mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Rm dead !USE_PSA code: SSL hooks
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl_{ticket,cookie}.[ch] Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
@ -22,7 +22,6 @@
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#include "mbedtls/psa_util.h"
|
||||
/* Define a local translating function to save code size by not using too many
|
||||
* arguments in each translating place. */
|
||||
@ -33,7 +32,6 @@ static int local_err_translation(psa_status_t status)
|
||||
psa_generic_status_to_mbedtls);
|
||||
}
|
||||
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
|
||||
#endif
|
||||
|
||||
/*
|
||||
* If DTLS is in use, then at least one of SHA-256 or SHA-384 is
|
||||
@ -59,21 +57,12 @@ static int local_err_translation(psa_status_t status)
|
||||
|
||||
void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
ctx->psa_hmac_key = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
#else
|
||||
mbedtls_md_init(&ctx->hmac_ctx);
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
#if !defined(MBEDTLS_HAVE_TIME)
|
||||
ctx->serial = 0;
|
||||
#endif
|
||||
ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
|
||||
|
||||
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_init(&ctx->mutex);
|
||||
#endif
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
|
||||
void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
|
||||
@ -87,15 +76,7 @@ void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
|
||||
return;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_destroy_key(ctx->psa_hmac_key);
|
||||
#else
|
||||
mbedtls_md_free(&ctx->hmac_ctx);
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_free(&ctx->mutex);
|
||||
#endif
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
|
||||
}
|
||||
@ -104,7 +85,6 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_algorithm_t alg;
|
||||
@ -130,57 +110,10 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
|
||||
&ctx->psa_hmac_key)) != PSA_SUCCESS) {
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
#else
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char key[COOKIE_MD_OUTLEN];
|
||||
|
||||
if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize(key, sizeof(key));
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/*
|
||||
* Generate the HMAC part of a cookie
|
||||
*/
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
|
||||
const unsigned char time[4],
|
||||
unsigned char **p, unsigned char *end,
|
||||
const unsigned char *cli_id, size_t cli_id_len)
|
||||
{
|
||||
unsigned char hmac_out[COOKIE_MD_OUTLEN];
|
||||
|
||||
MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
|
||||
|
||||
if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
|
||||
mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
|
||||
mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
|
||||
mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
|
||||
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
|
||||
*p += COOKIE_HMAC_LEN;
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
/*
|
||||
* Generate cookie for DTLS ClientHello verification
|
||||
@ -189,11 +122,9 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
|
||||
unsigned char **p, unsigned char *end,
|
||||
const unsigned char *cli_id, size_t cli_id_len)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
size_t sign_mac_length = 0;
|
||||
#endif
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
|
||||
unsigned long t;
|
||||
@ -213,7 +144,6 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
|
||||
MBEDTLS_PUT_UINT32_BE(t, *p, 0);
|
||||
*p += 4;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key,
|
||||
ctx->psa_hmac_alg);
|
||||
if (status != PSA_SUCCESS) {
|
||||
@ -243,31 +173,12 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
|
||||
*p += COOKIE_HMAC_LEN;
|
||||
|
||||
ret = 0;
|
||||
#else
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
|
||||
}
|
||||
#endif
|
||||
|
||||
ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
|
||||
p, end, cli_id, cli_id_len);
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
|
||||
MBEDTLS_ERR_THREADING_MUTEX_ERROR);
|
||||
}
|
||||
#endif
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
exit:
|
||||
status = psa_mac_abort(&operation);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -278,13 +189,8 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
|
||||
const unsigned char *cookie, size_t cookie_len,
|
||||
const unsigned char *cli_id, size_t cli_id_len)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
#else
|
||||
unsigned char ref_hmac[COOKIE_HMAC_LEN];
|
||||
unsigned char *p = ref_hmac;
|
||||
#endif
|
||||
int ret = 0;
|
||||
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
|
||||
unsigned long cur_time, cookie_time;
|
||||
@ -297,7 +203,6 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
|
||||
return -1;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key,
|
||||
ctx->psa_hmac_alg);
|
||||
if (status != PSA_SUCCESS) {
|
||||
@ -326,35 +231,6 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
#else
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
|
||||
&p, p + sizeof(ref_hmac),
|
||||
cli_id, cli_id_len) != 0) {
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
|
||||
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
|
||||
MBEDTLS_ERR_THREADING_MUTEX_ERROR);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
|
||||
ret = -1;
|
||||
goto exit;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
cur_time = (unsigned long) mbedtls_time(NULL);
|
||||
@ -370,14 +246,10 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
|
||||
}
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
status = psa_mac_abort(&operation);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
#else
|
||||
mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_COOKIE_C */
|
||||
|
@ -17,7 +17,6 @@
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
/* Define a local translating function to save code size by not using too many
|
||||
* arguments in each translating place. */
|
||||
static int local_err_translation(psa_status_t status)
|
||||
@ -27,7 +26,6 @@ static int local_err_translation(psa_status_t status)
|
||||
psa_generic_status_to_mbedtls);
|
||||
}
|
||||
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Initialize context
|
||||
@ -67,9 +65,7 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
|
||||
unsigned char buf[MAX_KEY_BYTES] = { 0 };
|
||||
mbedtls_ssl_ticket_key *key = ctx->keys + index;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
key->generation_time = mbedtls_time(NULL);
|
||||
@ -87,7 +83,6 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_set_key_usage_flags(&attributes,
|
||||
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
|
||||
psa_set_key_algorithm(&attributes, key->alg);
|
||||
@ -98,12 +93,6 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
|
||||
psa_import_key(&attributes, buf,
|
||||
PSA_BITS_TO_BYTES(key->key_bits),
|
||||
&key->key));
|
||||
#else
|
||||
/* With GCM and CCM, same context can encrypt & decrypt */
|
||||
ret = mbedtls_cipher_setkey(&key->ctx, buf,
|
||||
mbedtls_cipher_get_key_bitlen(&key->ctx),
|
||||
MBEDTLS_ENCRYPT);
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
mbedtls_platform_zeroize(buf, sizeof(buf));
|
||||
|
||||
@ -124,9 +113,7 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
|
||||
mbedtls_time_t current_time = mbedtls_time(NULL);
|
||||
mbedtls_time_t key_time = key->generation_time;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
#endif
|
||||
|
||||
if (current_time >= key_time &&
|
||||
(uint64_t) (current_time - key_time) < key->lifetime) {
|
||||
@ -135,11 +122,9 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
|
||||
|
||||
ctx->active = 1 - ctx->active;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) {
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
return ssl_ticket_gen_key(ctx, ctx->active);
|
||||
} else
|
||||
@ -159,19 +144,14 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
|
||||
mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
const size_t bitlen = key->key_bits;
|
||||
#else
|
||||
const int bitlen = mbedtls_cipher_get_key_bitlen(&key->ctx);
|
||||
#endif
|
||||
|
||||
if (nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t) bitlen) {
|
||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
return ret;
|
||||
@ -189,12 +169,6 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
return ret;
|
||||
}
|
||||
#else
|
||||
ret = mbedtls_cipher_setkey(&key->ctx, k, bitlen, MBEDTLS_ENCRYPT);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
ctx->active = idx;
|
||||
ctx->ticket_lifetime = lifetime;
|
||||
@ -218,14 +192,9 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t key_bits;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_algorithm_t alg;
|
||||
psa_key_type_t key_type;
|
||||
#else
|
||||
const mbedtls_cipher_info_t *cipher_info;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
|
||||
&alg, &key_type, &key_bits) != PSA_SUCCESS) {
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
@ -234,17 +203,6 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
|
||||
if (PSA_ALG_IS_AEAD(alg) == 0) {
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
}
|
||||
#else
|
||||
cipher_info = mbedtls_cipher_info_from_type(cipher);
|
||||
|
||||
if (mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_GCM &&
|
||||
mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CCM &&
|
||||
mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CHACHAPOLY) {
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
key_bits = mbedtls_cipher_info_get_key_bitlen(cipher_info);
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
if (key_bits > 8 * MAX_KEY_BYTES) {
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
@ -255,7 +213,6 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
|
||||
|
||||
ctx->ticket_lifetime = lifetime;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
ctx->keys[0].alg = alg;
|
||||
ctx->keys[0].key_type = key_type;
|
||||
ctx->keys[0].key_bits = key_bits;
|
||||
@ -263,15 +220,6 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
|
||||
ctx->keys[1].alg = alg;
|
||||
ctx->keys[1].key_type = key_type;
|
||||
ctx->keys[1].key_bits = key_bits;
|
||||
#else
|
||||
if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 ||
|
||||
(ret = ssl_ticket_gen_key(ctx, 1)) != 0) {
|
||||
@ -311,9 +259,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
|
||||
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
|
||||
size_t clear_len, ciph_len;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
#endif
|
||||
|
||||
*tlen = 0;
|
||||
|
||||
@ -355,7 +301,6 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
|
||||
MBEDTLS_PUT_UINT16_BE(clear_len, state_len_bytes, 0);
|
||||
|
||||
/* Encrypt and authenticate */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if ((status = psa_aead_encrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
|
||||
key_name, TICKET_ADD_DATA_LEN,
|
||||
state, clear_len,
|
||||
@ -364,17 +309,6 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
goto cleanup;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx,
|
||||
iv, TICKET_IV_BYTES,
|
||||
/* Additional data: key name, IV and length */
|
||||
key_name, TICKET_ADD_DATA_LEN,
|
||||
state, clear_len,
|
||||
state, (size_t) (end - state), &ciph_len,
|
||||
TICKET_AUTH_TAG_BYTES)) != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) {
|
||||
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
@ -428,9 +362,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
|
||||
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
|
||||
size_t enc_len, clear_len;
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
#endif
|
||||
|
||||
if (ctx == NULL || ctx->f_rng == NULL) {
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
@ -466,7 +398,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
|
||||
}
|
||||
|
||||
/* Decrypt and authenticate */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if ((status = psa_aead_decrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
|
||||
key_name, TICKET_ADD_DATA_LEN,
|
||||
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
|
||||
@ -474,21 +405,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
goto cleanup;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx,
|
||||
iv, TICKET_IV_BYTES,
|
||||
/* Additional data: key name, IV and length */
|
||||
key_name, TICKET_ADD_DATA_LEN,
|
||||
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
|
||||
ticket, enc_len, &clear_len,
|
||||
TICKET_AUTH_TAG_BYTES)) != 0) {
|
||||
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
|
||||
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
|
||||
}
|
||||
|
||||
goto cleanup;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
if (clear_len != enc_len) {
|
||||
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
@ -537,13 +453,8 @@ void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx)
|
||||
return;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_destroy_key(ctx->keys[0].key);
|
||||
psa_destroy_key(ctx->keys[1].key);
|
||||
#else
|
||||
mbedtls_cipher_free(&ctx->keys[0].ctx);
|
||||
mbedtls_cipher_free(&ctx->keys[1].ctx);
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_free(&ctx->mutex);
|
||||
|
Reference in New Issue
Block a user