mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED config option
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
This commit is contained in:
Gabor Mezei
@ -116,7 +116,6 @@ Support description
|
||||
| | |
|
||||
| MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) |
|
||||
| MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a |
|
||||
|
||||
@ -396,7 +396,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||
#define MBEDTLS_SSL_ALPN
|
||||
//#define MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
|
||||
@ -87,12 +87,6 @@
|
||||
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
|
||||
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
|
||||
!defined(MBEDTLS_PKCS1_V15) )
|
||||
#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
|
||||
( !defined(PSA_WANT_ALG_JPAKE) || \
|
||||
!defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
|
||||
@ -155,8 +149,7 @@
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
!(defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||
|
||||
@ -61,7 +61,6 @@
|
||||
#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
|
||||
#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
|
||||
#undef MBEDTLS_SSL_RENEGOTIATION
|
||||
#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
|
||||
@ -360,31 +360,6 @@
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
*
|
||||
* Enable the RSA-only based ciphersuite modes in SSL / TLS.
|
||||
*
|
||||
* Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
|
||||
* MBEDTLS_X509_CRT_PARSE_C
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||
*
|
||||
|
||||
@ -650,9 +650,6 @@
|
||||
/* Dummy type used only for its size */
|
||||
union mbedtls_ssl_premaster_secret {
|
||||
unsigned char dummy; /* Make the union non-empty even with SSL disabled */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
unsigned char _pms_rsa[48]; /* RFC 5246 8.1.1 */
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
|
||||
@ -201,8 +201,7 @@ typedef enum {
|
||||
} mbedtls_key_exchange_type_t;
|
||||
|
||||
/* Key exchanges using a certificate */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
@ -260,8 +259,7 @@ typedef enum {
|
||||
#endif
|
||||
|
||||
/* Key exchanges that don't involve ephemeral keys */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED
|
||||
#endif
|
||||
|
||||
@ -490,116 +490,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
#if defined(PSA_WANT_KEY_TYPE_AES)
|
||||
#if defined(PSA_WANT_ALG_SHA_384) && \
|
||||
defined(PSA_WANT_ALG_GCM)
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
|
||||
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ALG_GCM */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
#if defined(PSA_WANT_ALG_GCM)
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
|
||||
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_GCM */
|
||||
|
||||
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
|
||||
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
|
||||
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
|
||||
#endif /* PSA_WANT_ALG_SHA_1 */
|
||||
#if defined(PSA_WANT_ALG_CCM)
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
|
||||
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
|
||||
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
|
||||
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
|
||||
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_CCM */
|
||||
#endif /* PSA_WANT_KEY_TYPE_AES */
|
||||
|
||||
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
|
||||
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
|
||||
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
|
||||
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
|
||||
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
|
||||
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_1 */
|
||||
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
|
||||
|
||||
#if defined(PSA_WANT_ALG_GCM)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
|
||||
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
|
||||
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#endif /* PSA_WANT_ALG_GCM */
|
||||
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
|
||||
#if defined(PSA_WANT_KEY_TYPE_AES)
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
@ -947,29 +837,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
#if defined(PSA_WANT_ALG_MD5)
|
||||
{ MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
|
||||
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
MBEDTLS_CIPHERSUITE_WEAK,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
|
||||
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
MBEDTLS_CIPHERSUITE_WEAK,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
|
||||
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
MBEDTLS_CIPHERSUITE_WEAK,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
{ MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
|
||||
@ -1019,41 +886,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
|
||||
#if defined(PSA_WANT_KEY_TYPE_ARIA)
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
|
||||
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
|
||||
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
|
||||
"TLS-RSA-WITH-ARIA-256-GCM-SHA384",
|
||||
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
|
||||
defined(PSA_WANT_ALG_SHA_384))
|
||||
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
|
||||
"TLS-RSA-WITH-ARIA-256-CBC-SHA384",
|
||||
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
|
||||
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
|
||||
"TLS-RSA-WITH-ARIA-128-GCM-SHA256",
|
||||
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
|
||||
defined(PSA_WANT_ALG_SHA_256))
|
||||
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
|
||||
"TLS-RSA-WITH-ARIA-128-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
|
||||
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
|
||||
|
||||
@ -1732,83 +1732,6 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
/*
|
||||
* Generate a pre-master secret and encrypt it with the server's RSA key
|
||||
*/
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
|
||||
size_t offset, size_t *olen,
|
||||
size_t pms_offset)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t len_bytes = 2;
|
||||
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
||||
mbedtls_pk_context *peer_pk;
|
||||
|
||||
if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
|
||||
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Generate (part of) the pre-master as
|
||||
* struct {
|
||||
* ProtocolVersion client_version;
|
||||
* opaque random[46];
|
||||
* } PreMasterSecret;
|
||||
*/
|
||||
mbedtls_ssl_write_version(p, ssl->conf->transport,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2);
|
||||
|
||||
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ssl->handshake->pmslen = 48;
|
||||
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
peer_pk = &ssl->handshake->peer_pubkey;
|
||||
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
if (ssl->session_negotiate->peer_cert == NULL) {
|
||||
/* Should never happen */
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
|
||||
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
}
|
||||
peer_pk = &ssl->session_negotiate->peer_cert->pk;
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
/*
|
||||
* Now write it out, encrypted
|
||||
*/
|
||||
if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
|
||||
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_pk_encrypt(peer_pk,
|
||||
p, ssl->handshake->pmslen,
|
||||
ssl->out_msg + offset + len_bytes, olen,
|
||||
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (len_bytes == 2) {
|
||||
MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
|
||||
*olen += 2;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/* We don't need the peer's public key anymore. Free it. */
|
||||
mbedtls_pk_free(peer_pk);
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -1902,16 +1825,6 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
|
||||
ssl->state++;
|
||||
return 0;
|
||||
}
|
||||
((void) p);
|
||||
((void) end);
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
@ -2742,15 +2655,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
|
||||
header_len = 4;
|
||||
if ((ret = ssl_write_encrypted_pms(ssl, header_len,
|
||||
&content_len, 0)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
|
||||
header_len = 4;
|
||||
@ -2768,7 +2672,7 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
return ret;
|
||||
}
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
{
|
||||
((void) ciphersuite_info);
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
|
||||
|
||||
@ -3181,194 +3181,6 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
|
||||
unsigned char *peer_pms,
|
||||
size_t *peer_pmslen,
|
||||
size_t peer_pmssize)
|
||||
{
|
||||
int ret = ssl->conf->f_async_resume(ssl,
|
||||
peer_pms, peer_pmslen, peer_pmssize);
|
||||
if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
|
||||
ssl->handshake->async_in_progress = 0;
|
||||
mbedtls_ssl_set_async_operation_data(ssl, NULL);
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *p,
|
||||
const unsigned char *end,
|
||||
unsigned char *peer_pms,
|
||||
size_t *peer_pmslen,
|
||||
size_t peer_pmssize)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
|
||||
if (own_cert == NULL) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
|
||||
return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
|
||||
}
|
||||
mbedtls_pk_context *public_key = &own_cert->pk;
|
||||
mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
|
||||
size_t len = mbedtls_pk_get_len(public_key);
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
/* If we have already started decoding the message and there is an ongoing
|
||||
* decryption operation, resume signing. */
|
||||
if (ssl->handshake->async_in_progress != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
|
||||
return ssl_resume_decrypt_pms(ssl,
|
||||
peer_pms, peer_pmslen, peer_pmssize);
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
|
||||
/*
|
||||
* Prepare to decrypt the premaster using own private RSA key
|
||||
*/
|
||||
if (p + 2 > end) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
|
||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
if (*p++ != MBEDTLS_BYTE_1(len) ||
|
||||
*p++ != MBEDTLS_BYTE_0(len)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
|
||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
|
||||
if (p + len != end) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
|
||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* Decrypt the premaster secret
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
if (ssl->conf->f_async_decrypt_start != NULL) {
|
||||
ret = ssl->conf->f_async_decrypt_start(ssl,
|
||||
mbedtls_ssl_own_cert(ssl),
|
||||
p, len);
|
||||
switch (ret) {
|
||||
case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
|
||||
/* act as if f_async_decrypt_start was null */
|
||||
break;
|
||||
case 0:
|
||||
ssl->handshake->async_in_progress = 1;
|
||||
return ssl_resume_decrypt_pms(ssl,
|
||||
peer_pms,
|
||||
peer_pmslen,
|
||||
peer_pmssize);
|
||||
case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
|
||||
ssl->handshake->async_in_progress = 1;
|
||||
return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
|
||||
default:
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
|
||||
if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
|
||||
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
|
||||
}
|
||||
|
||||
ret = mbedtls_pk_decrypt(private_key, p, len,
|
||||
peer_pms, peer_pmslen, peer_pmssize,
|
||||
ssl->conf->f_rng, ssl->conf->p_rng);
|
||||
return ret;
|
||||
}
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *p,
|
||||
const unsigned char *end,
|
||||
size_t pms_offset)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char *pms = ssl->handshake->premaster + pms_offset;
|
||||
unsigned char ver[2];
|
||||
unsigned char fake_pms[48], peer_pms[48];
|
||||
size_t peer_pmslen;
|
||||
mbedtls_ct_condition_t diff;
|
||||
|
||||
/* In case of a failure in decryption, the decryption may write less than
|
||||
* 2 bytes of output, but we always read the first two bytes. It doesn't
|
||||
* matter in the end because diff will be nonzero in that case due to
|
||||
* ret being nonzero, and we only care whether diff is 0.
|
||||
* But do initialize peer_pms and peer_pmslen for robustness anyway. This
|
||||
* also makes memory analyzers happy (don't access uninitialized memory,
|
||||
* even if it's an unsigned char). */
|
||||
peer_pms[0] = peer_pms[1] = ~0;
|
||||
peer_pmslen = 0;
|
||||
|
||||
ret = ssl_decrypt_encrypted_pms(ssl, p, end,
|
||||
peer_pms,
|
||||
&peer_pmslen,
|
||||
sizeof(peer_pms));
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
|
||||
mbedtls_ssl_write_version(ver, ssl->conf->transport,
|
||||
ssl->session_negotiate->tls_version);
|
||||
|
||||
/* Avoid data-dependent branches while checking for invalid
|
||||
* padding, to protect against timing-based Bleichenbacher-type
|
||||
* attacks. */
|
||||
diff = mbedtls_ct_bool(ret);
|
||||
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
|
||||
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
|
||||
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
|
||||
|
||||
/*
|
||||
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
|
||||
* must not cause the connection to end immediately; instead, send a
|
||||
* bad_record_mac later in the handshake.
|
||||
* To protect against timing-based variants of the attack, we must
|
||||
* not have any branch that depends on whether the decryption was
|
||||
* successful. In particular, always generate the fake premaster secret,
|
||||
* regardless of whether it will ultimately influence the output or not.
|
||||
*/
|
||||
ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
|
||||
if (ret != 0) {
|
||||
/* It's ok to abort on an RNG failure, since this does not reveal
|
||||
* anything about the RSA decryption. */
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_DEBUG_ALL)
|
||||
if (diff != MBEDTLS_CT_FALSE) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
|
||||
}
|
||||
#endif
|
||||
|
||||
if (sizeof(ssl->handshake->premaster) < pms_offset ||
|
||||
sizeof(ssl->handshake->premaster) - pms_offset < 48) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
|
||||
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
}
|
||||
ssl->handshake->pmslen = 48;
|
||||
|
||||
/* Set pms to either the true or the fake PMS, without
|
||||
* data-dependent branches. */
|
||||
mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
|
||||
@ -3435,16 +3247,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
|
||||
(ssl->handshake->async_in_progress != 0)) {
|
||||
/* We've already read a record and there is an asynchronous
|
||||
* operation in progress to decrypt it. So skip reading the
|
||||
* record. */
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
|
||||
} else
|
||||
#endif
|
||||
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
|
||||
return ret;
|
||||
@ -3635,14 +3437,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
|
||||
if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
|
||||
return ret;
|
||||
}
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
|
||||
if ((ret = mbedtls_psa_ecjpake_read_round(
|
||||
|
||||
@ -66,8 +66,7 @@
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
||||
#define MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
#endif
|
||||
|
||||
|
||||
@ -1165,7 +1165,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
# Also disable key exchanges that depend on RSA
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
|
||||
@ -1525,7 +1524,6 @@ component_test_new_psa_want_key_pair_symbol () {
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_RSA_C
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
|
||||
|
||||
@ -315,7 +315,6 @@ REVERSE_DEPENDENCIES = {
|
||||
'PSA_WANT_ALG_RSA_OAEP',
|
||||
'PSA_WANT_ALG_RSA_PSS'],
|
||||
'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED',
|
||||
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
|
||||
'PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],
|
||||
'MBEDTLS_RSA_C': ['MBEDTLS_PKCS1_V15',
|
||||
|
||||
@ -311,8 +311,7 @@ requires_any_configs_disabled() {
|
||||
SKIP_NEXT="YES"
|
||||
}
|
||||
|
||||
TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
||||
TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
|
||||
@ -320,9 +319,8 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
|
||||
TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
|
||||
|
||||
TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
|
||||
TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
|
||||
|
||||
requires_certificate_authentication () {
|
||||
if is_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||
|
||||
Reference in New Issue
Block a user