lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED config option

Browse Source 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
Gabor Mezei
2025-02-26 18:06:05 +01:00
parent 4515d10163
commit e1e27300a2
14 changed files with 8 additions and 524 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/architecture/tls13-support.md
View File

@ -116,7 +116,6 @@ Support description
| | | | | |
| MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) | | MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) |
| MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a |

1
docs/proposed/config-split.md
View File

@ -396,7 +396,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED //#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_ALPN #define MBEDTLS_SSL_ALPN
//#define MBEDTLS_SSL_ASYNC_PRIVATE //#define MBEDTLS_SSL_ASYNC_PRIVATE

9
include/mbedtls/check_config.h
View File

@ -87,12 +87,6 @@
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites" #error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
( !defined(PSA_WANT_ALG_JPAKE) || \ ( !defined(PSA_WANT_ALG_JPAKE) || \
!defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \ !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
@ -155,8 +149,7 @@
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ !(defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \

1
include/mbedtls/config_adjust_ssl.h
View File

@ -61,7 +61,6 @@
#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC #undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET #undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#undef MBEDTLS_SSL_RENEGOTIATION #undef MBEDTLS_SSL_RENEGOTIATION
#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED #undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED

25
include/mbedtls/mbedtls_config.h
View File

@ -360,31 +360,6 @@
*/ */
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
/**
* \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
*
* Enable the RSA-only based ciphersuite modes in SSL / TLS.
*
* Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
* MBEDTLS_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
* MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
* MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
*/
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
/** /**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
* *

3
include/mbedtls/ssl.h
View File

@ -650,9 +650,6 @@
/* Dummy type used only for its size */ /* Dummy type used only for its size */
union mbedtls_ssl_premaster_secret { union mbedtls_ssl_premaster_secret {
unsigned char dummy; /* Make the union non-empty even with SSL disabled */ unsigned char dummy; /* Make the union non-empty even with SSL disabled */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
unsigned char _pms_rsa[48]; /* RFC 5246 8.1.1 */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \

6
include/mbedtls/ssl_ciphersuites.h
View File

@ -201,8 +201,7 @@ typedef enum {
} mbedtls_key_exchange_type_t; } mbedtls_key_exchange_type_t;
/* Key exchanges using a certificate */ /* Key exchanges using a certificate */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
@ -260,8 +259,7 @@ typedef enum {
#endif #endif
/* Key exchanges that don't involve ephemeral keys */ /* Key exchanges that don't involve ephemeral keys */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
#define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED #define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED
#endif #endif

168
library/ssl_ciphersuites.c
View File

@ -490,116 +490,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_384) && \
defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_1 */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES) #if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_1) #if defined(PSA_WANT_ALG_SHA_1)
@ -947,29 +837,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER) #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(PSA_WANT_ALG_MD5)
{ MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1) #if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA", { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
@ -1019,41 +886,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(PSA_WANT_KEY_TYPE_ARIA) #if defined(PSA_WANT_KEY_TYPE_ARIA)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-RSA-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384)) #if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))

98
library/ssl_tls12_client.c
View File

@ -1732,83 +1732,6 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
/*
* Generate a pre-master secret and encrypt it with the server's RSA key
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
size_t offset, size_t *olen,
size_t pms_offset)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len_bytes = 2;
unsigned char *p = ssl->handshake->premaster + pms_offset;
mbedtls_pk_context *peer_pk;
if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
}
/*
* Generate (part of) the pre-master as
* struct {
* ProtocolVersion client_version;
* opaque random[46];
* } PreMasterSecret;
*/
mbedtls_ssl_write_version(p, ssl->conf->transport,
MBEDTLS_SSL_VERSION_TLS1_2);
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
return ret;
}
ssl->handshake->pmslen = 48;
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert == NULL) {
/* Should never happen */
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/*
* Now write it out, encrypted
*/
if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
if ((ret = mbedtls_pk_encrypt(peer_pk,
p, ssl->handshake->pmslen,
ssl->out_msg + offset + len_bytes, olen,
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
return ret;
}
if (len_bytes == 2) {
MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
*olen += 2;
}
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it. */
mbedtls_pk_free(peer_pk);
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
@ -1902,16 +1825,6 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
ssl->state++;
return 0;
}
((void) p);
((void) end);
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
@ -2742,15 +2655,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
header_len = 4;
if ((ret = ssl_write_encrypted_pms(ssl, header_len,
&content_len, 0)) != 0) {
return ret;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
header_len = 4; header_len = 4;
@ -2768,7 +2672,7 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
return ret; return ret;
} }
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{ {
((void) ciphersuite_info); ((void) ciphersuite_info);
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));

206
library/ssl_tls12_server.c
View File

@ -3181,194 +3181,6 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
return 0; return 0;
} }
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
unsigned char *peer_pms,
size_t *peer_pmslen,
size_t peer_pmssize)
{
int ret = ssl->conf->f_async_resume(ssl,
peer_pms, peer_pmslen, peer_pmssize);
if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
ssl->handshake->async_in_progress = 0;
mbedtls_ssl_set_async_operation_data(ssl, NULL);
}
MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
return ret;
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
unsigned char *peer_pms,
size_t *peer_pmslen,
size_t peer_pmssize)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
if (own_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
}
mbedtls_pk_context *public_key = &own_cert->pk;
mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
size_t len = mbedtls_pk_get_len(public_key);
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/* If we have already started decoding the message and there is an ongoing
* decryption operation, resume signing. */
if (ssl->handshake->async_in_progress != 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
return ssl_resume_decrypt_pms(ssl,
peer_pms, peer_pmslen, peer_pmssize);
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
/*
* Prepare to decrypt the premaster using own private RSA key
*/
if (p + 2 > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (*p++ != MBEDTLS_BYTE_1(len) ||
*p++ != MBEDTLS_BYTE_0(len)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (p + len != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
/*
* Decrypt the premaster secret
*/
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ssl->conf->f_async_decrypt_start != NULL) {
ret = ssl->conf->f_async_decrypt_start(ssl,
mbedtls_ssl_own_cert(ssl),
p, len);
switch (ret) {
case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
/* act as if f_async_decrypt_start was null */
break;
case 0:
ssl->handshake->async_in_progress = 1;
return ssl_resume_decrypt_pms(ssl,
peer_pms,
peer_pmslen,
peer_pmssize);
case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
ssl->handshake->async_in_progress = 1;
return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
default:
MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
return ret;
}
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
ret = mbedtls_pk_decrypt(private_key, p, len,
peer_pms, peer_pmslen, peer_pmssize,
ssl->conf->f_rng, ssl->conf->p_rng);
return ret;
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
size_t pms_offset)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *pms = ssl->handshake->premaster + pms_offset;
unsigned char ver[2];
unsigned char fake_pms[48], peer_pms[48];
size_t peer_pmslen;
mbedtls_ct_condition_t diff;
/* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't
* matter in the end because diff will be nonzero in that case due to
* ret being nonzero, and we only care whether diff is 0.
* But do initialize peer_pms and peer_pmslen for robustness anyway. This
* also makes memory analyzers happy (don't access uninitialized memory,
* even if it's an unsigned char). */
peer_pms[0] = peer_pms[1] = ~0;
peer_pmslen = 0;
ret = ssl_decrypt_encrypted_pms(ssl, p, end,
peer_pms,
&peer_pmslen,
sizeof(peer_pms));
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
return ret;
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
mbedtls_ssl_write_version(ver, ssl->conf->transport,
ssl->session_negotiate->tls_version);
/* Avoid data-dependent branches while checking for invalid
* padding, to protect against timing-based Bleichenbacher-type
* attacks. */
diff = mbedtls_ct_bool(ret);
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
/*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
* must not cause the connection to end immediately; instead, send a
* bad_record_mac later in the handshake.
* To protect against timing-based variants of the attack, we must
* not have any branch that depends on whether the decryption was
* successful. In particular, always generate the fake premaster secret,
* regardless of whether it will ultimately influence the output or not.
*/
ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
if (ret != 0) {
/* It's ok to abort on an RNG failure, since this does not reveal
* anything about the RSA decryption. */
return ret;
}
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if (diff != MBEDTLS_CT_FALSE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
}
#endif
if (sizeof(ssl->handshake->premaster) < pms_offset ||
sizeof(ssl->handshake->premaster) - pms_offset < 48) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ssl->handshake->pmslen = 48;
/* Set pms to either the true or the fake PMS, without
* data-dependent branches. */
mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p, static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
@ -3435,16 +3247,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
(ssl->handshake->async_in_progress != 0)) {
/* We've already read a record and there is an asynchronous
* operation in progress to decrypt it. So skip reading the
* record. */
MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
} else
#endif
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
return ret; return ret;
@ -3635,14 +3437,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
return ret;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
if ((ret = mbedtls_psa_ecjpake_read_round( if ((ret = mbedtls_psa_ecjpake_read_round(

3
tests/include/test/ssl_helpers.h
View File

@ -66,8 +66,7 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#define MBEDTLS_CAN_HANDLE_RSA_TEST_KEY #define MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
#endif #endif

2
tests/scripts/components-configuration-crypto.sh
View File

@ -1165,7 +1165,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Also disable key exchanges that depend on RSA # Also disable key exchanges that depend on RSA
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@ -1525,7 +1524,6 @@ component_test_new_psa_want_key_pair_symbol () {
scripts/config.py unset MBEDTLS_PKCS1_V21 scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
scripts/config.py unset MBEDTLS_RSA_C scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT

1
tests/scripts/depends.py
View File

@ -315,7 +315,6 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_ALG_RSA_OAEP', 'PSA_WANT_ALG_RSA_OAEP',
'PSA_WANT_ALG_RSA_PSS'], 'PSA_WANT_ALG_RSA_PSS'],
'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED',
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT', 'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_ALG_RSA_PKCS1V15_SIGN'], 'PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],
'MBEDTLS_RSA_C': ['MBEDTLS_PKCS1_V15', 'MBEDTLS_RSA_C': ['MBEDTLS_PKCS1_V15',

8
tests/ssl-opt.sh
View File

@ -311,8 +311,7 @@ requires_any_configs_disabled() {
SKIP_NEXT="YES" SKIP_NEXT="YES"
} }
TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
@ -320,9 +319,8 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
requires_certificate_authentication () { requires_certificate_authentication () {
if is_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 if is_config_enabled MBEDTLS_SSL_PROTO_TLS1_3