Add TLS 1.3 specific key to SSL transform conversion function

This commit adds the TLS 1.3 specific internal function ``` mbedtls_ssl_tls13_populate_transform() ``` which creates an instance of the SSL transform structure `mbedtls_ssl_transform` representing a TLS 1.3 record protection mechanism. It is analogous to the existing internal helper function ``` ssl_tls12_populate_transform() ``` which creates transform structures representing record protection mechanisms in TLS 1.2 and earlier. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2025-12-24 17:41:01 +03:00 · 2021-03-22 07:50:44 +00:00
parent bd25755d2a
commit c94060c641
2 changed files with 141 additions and 0 deletions
--- a/library/ssl_tls13_keys.h
+++ b/library/ssl_tls13_keys.h
@@ -498,4 +498,37 @@ int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl,
                               unsigned char const *transcript,
                               unsigned char *result );

+/**
+ * \bref Setup an SSL transform structure representing the
+ *       record protection mechanism used by TLS 1.3
+ *
+ * \param transform    The SSL transform structure to be created. This must have
+ *                     been initialized through mbedtls_ssl_transform_init() and
+ *                     not used in any other way prior to calling this function.
+ *                     In particular, this function does not clean up the
+ *                     transform structure prior to installing the new keys.
+ * \param endpoint     Indicates whether the transform is for the client
+ *                     (value #MBEDTLS_SSL_IS_CLIENT) or the server
+ *                     (value #MBEDTLS_SSL_IS_SERVER).
+ * \param ciphersuite  The numerical identifier for the ciphersuite to use.
+ *                     This must be one of the identifiers listed in
+ *                     ssl_ciphersuites.h.
+ * \param traffic_keys The key material to use. No reference is stored in
+ *                     the SSL transform being generated, and the caller
+ *                     should destroy the key material afterwards.
+ * \param ssl          (Debug-only) The SSL context to use for debug output
+ *                     in case of failure. This parameter is only needed if
+ *                     #MBEDTLS_DEBUG_C is set, and is ignored otherwise.
+ *
+ * \return             \c 0 on success. In this case, \p transform is ready to
+ *                     be used with mbedtls_ssl_transform_decrypt() and
+ *                     mbedtls_ssl_transform_encrypt().
+ * \return             A negative error code on failure.
+ */
+int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
+                                          int endpoint,
+                                          int ciphersuite,
+                                          mbedtls_ssl_key_set const *traffic_keys,
+                                          mbedtls_ssl_context *ssl );
+
 #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */