Setup PSA-based cipher context in mbedtls_ssl_derive_keys()
This commit changes the code path in mbedtls_ssl_derive_keys() responsible for setting up record protection cipher contexts to attempt to use the new API mbedtls_cipher_setup_psa() in case MBEDTLS_USE_PSA_CRYPTO is set. For that, the AEAD tag length must be provided, which is already computed earlier in mbedtls_ssl_derive_keys() and only needs to be stored at function scope to be available for mbedtls_cipher_setup_psa(). If mbedtls_cipher_setup_psa() fails cleanly, indicating that the requested cipher is not supported in PSA, we fall through to the default setup using mbedtls_cipher_setup(). However, we print a debug message in this case, to allow catching the fallthrough in tests where we know we're using a cipher which should be supported by PSA.
This commit is contained in:
parent
7909c4c875
commit
f704befee8
|
@ -618,6 +618,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
unsigned char *mac_dec;
|
unsigned char *mac_dec;
|
||||||
size_t mac_key_len;
|
size_t mac_key_len;
|
||||||
size_t iv_copy_len;
|
size_t iv_copy_len;
|
||||||
|
size_t taglen = 0;
|
||||||
const mbedtls_cipher_info_t *cipher_info;
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
const mbedtls_md_info_t *md_info;
|
const mbedtls_md_info_t *md_info;
|
||||||
|
|
||||||
|
@ -810,7 +811,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
cipher_info->mode == MBEDTLS_MODE_CCM ||
|
cipher_info->mode == MBEDTLS_MODE_CCM ||
|
||||||
cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
|
cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
|
||||||
{
|
{
|
||||||
size_t taglen, explicit_ivlen;
|
size_t explicit_ivlen;
|
||||||
|
|
||||||
transform->maclen = 0;
|
transform->maclen = 0;
|
||||||
mac_key_len = 0;
|
mac_key_len = 0;
|
||||||
|
@ -1030,6 +1031,22 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
|
||||||
|
cipher_info, taglen );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based encryption cipher context" ) );
|
||||||
|
else
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
|
||||||
|
|
||||||
|
if( ret != 0 )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
|
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
|
||||||
cipher_info ) ) != 0 )
|
cipher_info ) ) != 0 )
|
||||||
{
|
{
|
||||||
|
@ -1037,6 +1054,23 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
|
||||||
|
cipher_info, taglen );
|
||||||
|
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Successfully setup PSA-based decryption cipher context" ) );
|
||||||
|
else
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
|
||||||
|
|
||||||
|
if( ret != 0 )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
|
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
|
||||||
cipher_info ) ) != 0 )
|
cipher_info ) ) != 0 )
|
||||||
{
|
{
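Review bot: In the encryption hunk (and identically in the decryption hunk that follows it), the `if( ret != 0 )` placed inside `#if defined(MBEDTLS_USE_PSA_CRYPTO)` has its controlled statement — the `if( ( ret = mbedtls_cipher_setup( ... ) ) != 0 )` — on the far side of the `#endif`, so "fall back only when PSA setup was unavailable" depends on nothing ever being inserted between those two lines, and a later edit that adds a statement there would silently run mbedtls_cipher_setup() over a context PSA has already initialised. Making the coupling visible is cheap: a comment before the `#endif` such as `/* The if( ret != 0 ) above guards the mbedtls_cipher_setup() call below the #endif: fall back only when PSA setup was unavailable. */`, or better a local flag that both the PSA and default paths test, so the control flow is not split across the preprocessor boundary. Separately, the two "Successfully setup PSA-based ... cipher context" messages are logged at level 1, which this function otherwise uses for error returns via `MBEDTLS_SSL_DEBUG_RET( 1, ... )` and which, as far as I recall, is the error level in mbedtls' debug threshold scheme; level 2 or 3 would match the rest of the function unless the level-1 choice for catching fallthrough in tests (per the commit message) is meant to stay. Since `taglen` now lives at function scope and stays 0 for non-AEAD ciphers, a comment at its declaration in the first hunk noting that 0 means "no AEAD tag" — assuming that is what mbedtls_cipher_setup_psa() expects — would help the next reader. mbedtls_ssl_derive_keys() begins and ends outside all four hunks.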
|
||||||
|
|