mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-07 13:22:46 +00:00
Use PSA version of key agreement only for ECDHE keys
This should be cleaned when server-side static ECDH (1.2) support is added (#5320). Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
This commit is contained in:
Przemek Stekiel
parent
fd32e9609b
commit
130c4b5567
@ -3879,6 +3879,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
// Handle only ECDHE keys using PSA crypto.
|
||||||
|
if ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||||
|
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||||
|
{
|
||||||
size_t data_len = (size_t)( *p++ );
|
size_t data_len = (size_t)( *p++ );
|
||||||
size_t buf_len = (size_t)( end - p );
|
size_t buf_len = (size_t)( end - p );
|
||||||
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
|
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
|
||||||
@ -3927,7 +3931,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||||
#else
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
||||||
p, end - p) ) != 0 )
|
p, end - p) ) != 0 )
|
||||||
{
|
{
|
||||||
@ -3950,7 +3957,31 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
MBEDTLS_DEBUG_ECDH_Z );
|
MBEDTLS_DEBUG_ECDH_Z );
|
||||||
#endif
|
}
|
||||||
|
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
||||||
|
p, end - p) ) != 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
|
||||||
|
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_QP );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
|
||||||
|
&ssl->handshake->pmslen,
|
||||||
|
ssl->handshake->premaster,
|
||||||
|
MBEDTLS_MPI_MAX_SIZE,
|
||||||
|
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
|
||||||
|
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Z );
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user