mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-24 16:15:32 +00:00
Introduce macros for max-{IV,block,key}-size for ciphers used in TLS
See the documentation in ssl_internal.h that this commit introduces for more information. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
This commit is contained in:
parent
815869ac9c
commit
1588983ef0
|
@ -227,17 +227,24 @@ enum {
|
|||
};
|
||||
|
||||
/** Maximum length of any IV, in Bytes. */
|
||||
/* This should ideally be derived automatically from list of ciphers. */
|
||||
/* This should ideally be derived automatically from list of ciphers.
|
||||
* This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
|
||||
* in ssl_internal.h. */
|
||||
#define MBEDTLS_MAX_IV_LENGTH 16
|
||||
|
||||
/** Maximum block size of any cipher, in Bytes. */
|
||||
/* This should ideally be derived automatically from list of ciphers. */
|
||||
/* This should ideally be derived automatically from list of ciphers.
|
||||
* This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
|
||||
* in ssl_internal.h. */
|
||||
#define MBEDTLS_MAX_BLOCK_LENGTH 16
|
||||
|
||||
/** Maximum key length, in Bytes. */
|
||||
/* This should ideally be derived automatically from list of ciphers.
|
||||
* For now, only check whether XTS is enabled which uses 64 Byte keys,
|
||||
* and use 32 Bytes as an upper bound for the maximum key length otherwise. */
|
||||
* and use 32 Bytes as an upper bound for the maximum key length otherwise.
|
||||
* This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
|
||||
* in ssl_internal.h, which however deliberately ignores the case of XTS
|
||||
* since the latter isn't used in SSL/TLS. */
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||
#define MBEDTLS_MAX_KEY_LENGTH 64
|
||||
#else
|
||||
|
|
|
@ -379,7 +379,29 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
|
|||
const unsigned char *random, size_t rlen,
|
||||
unsigned char *dstbuf, size_t dlen );
|
||||
|
||||
/* cipher.h exports the maximum IV, key and block length from all
|
||||
* all ciphers enabled in the config, regardless of whether those
|
||||
* ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
|
||||
* in the default configuration and uses 64 Byte keys, but it is
|
||||
* not used for record protection in SSL/TLS.
|
||||
*
|
||||
* In order to prevent unnecessary inflation of key structures,
|
||||
* we introduce SSL-specific variants of the max-{key,block,IV}
|
||||
* macros here which are meant to only take those ciphers into
|
||||
* account which can be negotiated in SSL/TLS.
|
||||
*
|
||||
* Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
|
||||
* in cipher.h are rough overapproximations of the real maxima, here
|
||||
* we content ourselves with defining replicating those overapproximations
|
||||
* for the maximum block and IV length, and excluding XTS from the
|
||||
* computation of the maximum key length. */
|
||||
#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
|
||||
#define MBEDTLS_SSL_MAX_IV_LENGTH 16
|
||||
#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
|
||||
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
|
||||
|
||||
/**
|
||||
* \brief The data structure holding the cryptographic material (key and IV)
|
||||
* used for record protection in TLS 1.3.
|
||||
|
@ -387,13 +409,13 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
|
|||
struct mbedtls_ssl_key_set
|
||||
{
|
||||
/*! The key for client->server records. */
|
||||
unsigned char client_write_key[ MBEDTLS_MAX_KEY_LENGTH ];
|
||||
unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
|
||||
/*! The key for server->client records. */
|
||||
unsigned char server_write_key[ MBEDTLS_MAX_KEY_LENGTH ];
|
||||
unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
|
||||
/*! The IV for client->server records. */
|
||||
unsigned char client_write_iv[ MBEDTLS_MAX_IV_LENGTH ];
|
||||
unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
|
||||
/*! The IV for server->client records. */
|
||||
unsigned char server_write_iv[ MBEDTLS_MAX_IV_LENGTH ];
|
||||
unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
|
||||
|
||||
size_t key_len; /*!< The length of client_write_key and
|
||||
* server_write_key, in Bytes. */
|
||||
|
|
Loading…
Reference in a new issue