mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-25 00:02:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ECJPAKE: always use MD light

Browse Source 
This enables access to all available hashes, instead of the previous
situation where you had to choose by including MD_C or not.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2023-03-14 23:59:24 +01:00
parent ffcda5679a
commit 41bc8b6b1e
5 changed files with 32 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/mbedtls/build_info.h
View File

@ -89,7 +89,8 @@
/* Auto-enable MBEDTLS_MD_LIGHT if some module needs it. /* Auto-enable MBEDTLS_MD_LIGHT if some module needs it.
*/ */
#if defined(MBEDTLS_PEM_PARSE_C) || \ #if defined(MBEDTLS_ECJPAKE_C) || \
defined(MBEDTLS_PEM_PARSE_C) || \
defined(MBEDTLS_RSA_C) defined(MBEDTLS_RSA_C)
#define MBEDTLS_MD_LIGHT #define MBEDTLS_MD_LIGHT
#endif #endif

8
include/mbedtls/check_config.h
View File

@ -374,12 +374,10 @@
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif #endif
/* Use of EC J-PAKE in TLS requires SHA-256. /* Use of EC J-PAKE in TLS requires SHA-256. */
* This will be taken from MD if it is present, or from PSA if MD is absent.
* Note: MBEDTLS_ECJPAKE_C depends on MBEDTLS_MD_C || MBEDTLS_PSA_CRYPTO_C. */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
!( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) && \ !(defined(MBEDTLS_SHA256_C) || \
!( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) ) (defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256)))
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites" #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif #endif

15
include/mbedtls/mbedtls_config.h
View File

@ -993,9 +993,13 @@
* might still happen. For this reason, this is disabled by default. * might still happen. For this reason, this is disabled by default.
* *
* Requires: MBEDTLS_ECJPAKE_C * Requires: MBEDTLS_ECJPAKE_C
* SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C) * SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
* MBEDTLS_ECP_DP_SECP256R1_ENABLED * MBEDTLS_ECP_DP_SECP256R1_ENABLED
* *
* \warning If SHA-256 is provided only by a PSA driver, you must call
* psa_crypto_init() before the first hanshake (even if
* MBEDTLS_USE_PSA_CRYPTO is disabled).
*
* This enables the following ciphersuites (if other requisites are * This enables the following ciphersuites (if other requisites are
* enabled as well): * enabled as well):
* MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
@ -2504,13 +2508,8 @@
* *
* Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
* *
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * \warning If using a hash that is only provided by PSA drivers, you must
* before doing any EC J-PAKE operations. * call psa_crypto_init() before doing any EC J-PAKE operations.
*
* \warning When building with MBEDTLS_MD_C, all hashes used with this
* need to be available as built-ins (that is, for SHA-256, MBEDTLS_SHA256_C,
* etc.) as opposed to just PSA drivers. So far, PSA drivers are only used by
* this module in builds where MBEDTLS_MD_C is disabled.
*/ */
#define MBEDTLS_ECJPAKE_C #define MBEDTLS_ECJPAKE_C

29
library/ecjpake.c
View File

@ -30,18 +30,6 @@
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
/* We use MD first if it's available (for compatibility reasons)
* and "fall back" to PSA otherwise (which needs psa_crypto_init()). */
#if !defined(MBEDTLS_MD_C)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#if !defined(MBEDTLS_ECJPAKE_ALT)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
#endif /* !MBEDTLS_ECJPAKE_ALT */
#endif /* !MBEDTLS_MD_C */
#include "hash_info.h" #include "hash_info.h"
#include <string.h> #include <string.h>
@ -66,19 +54,8 @@ static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type,
const unsigned char *input, size_t ilen, const unsigned char *input, size_t ilen,
unsigned char *output) unsigned char *output)
{ {
#if defined(MBEDTLS_MD_C)
return mbedtls_md(mbedtls_md_info_from_type(md_type), return mbedtls_md(mbedtls_md_info_from_type(md_type),
input, ilen, output); input, ilen, output);
#else
psa_algorithm_t alg = mbedtls_psa_translate_md(md_type);
psa_status_t status;
size_t out_size = PSA_HASH_LENGTH(alg);
size_t out_len;
status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len);
return PSA_TO_MBEDTLS_ERR(status);
#endif /* !MBEDTLS_MD_C */
} }
/* /*
@ -142,15 +119,9 @@ int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
ctx->role = role; ctx->role = role;
#if defined(MBEDTLS_MD_C)
if ((mbedtls_md_info_from_type(hash)) == NULL) { if ((mbedtls_md_info_from_type(hash)) == NULL) {
return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
} }
#else
if (mbedtls_psa_translate_md(hash) == MBEDTLS_MD_NONE) {
return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
}
#endif
ctx->md_type = hash; ctx->md_type = hash;

21
tests/suites/test_suite_ecjpake.function
View File

@ -109,6 +109,8 @@ void ecjpake_invalid_param()
mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256; mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1; mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1;
MD_PSA_INIT();
mbedtls_ecjpake_init(&ctx); mbedtls_ecjpake_init(&ctx);
TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA, TEST_EQUAL(MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
@ -118,14 +120,19 @@ void ecjpake_invalid_param()
valid_group, valid_group,
buf, len)); buf, len));
exit: exit:
return; MD_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void ecjpake_selftest() void ecjpake_selftest()
{ {
MD_PSA_INIT();
TEST_ASSERT(mbedtls_ecjpake_self_test(1) == 0); TEST_ASSERT(mbedtls_ecjpake_self_test(1) == 0);
exit:
MD_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */
@ -137,6 +144,8 @@ void read_bad_md(data_t *msg)
const size_t pw_len = 0; const size_t pw_len = 0;
int any_role = MBEDTLS_ECJPAKE_CLIENT; int any_role = MBEDTLS_ECJPAKE_CLIENT;
MD_PSA_INIT();
mbedtls_ecjpake_init(&corrupt_ctx); mbedtls_ecjpake_init(&corrupt_ctx);
TEST_ASSERT(mbedtls_ecjpake_setup(&corrupt_ctx, any_role, TEST_ASSERT(mbedtls_ecjpake_setup(&corrupt_ctx, any_role,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw,
@ -148,6 +157,7 @@ void read_bad_md(data_t *msg)
exit: exit:
mbedtls_ecjpake_free(&corrupt_ctx); mbedtls_ecjpake_free(&corrupt_ctx);
MD_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */
@ -158,6 +168,8 @@ void read_round_one(int role, data_t *msg, int ref_ret)
const unsigned char *pw = NULL; const unsigned char *pw = NULL;
const size_t pw_len = 0; const size_t pw_len = 0;
MD_PSA_INIT();
mbedtls_ecjpake_init(&ctx); mbedtls_ecjpake_init(&ctx);
TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, role, TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, role,
@ -168,6 +180,7 @@ void read_round_one(int role, data_t *msg, int ref_ret)
exit: exit:
mbedtls_ecjpake_free(&ctx); mbedtls_ecjpake_free(&ctx);
MD_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */
@ -178,6 +191,8 @@ void read_round_two_cli(data_t *msg, int ref_ret)
const unsigned char *pw = NULL; const unsigned char *pw = NULL;
const size_t pw_len = 0; const size_t pw_len = 0;
MD_PSA_INIT();
mbedtls_ecjpake_init(&ctx); mbedtls_ecjpake_init(&ctx);
TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_CLIENT, TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_CLIENT,
@ -194,6 +209,7 @@ void read_round_two_cli(data_t *msg, int ref_ret)
exit: exit:
mbedtls_ecjpake_free(&ctx); mbedtls_ecjpake_free(&ctx);
MD_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */
@ -204,6 +220,8 @@ void read_round_two_srv(data_t *msg, int ref_ret)
const unsigned char *pw = NULL; const unsigned char *pw = NULL;
const size_t pw_len = 0; const size_t pw_len = 0;
MD_PSA_INIT();
mbedtls_ecjpake_init(&ctx); mbedtls_ecjpake_init(&ctx);
TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_SERVER, TEST_ASSERT(mbedtls_ecjpake_setup(&ctx, MBEDTLS_ECJPAKE_SERVER,
@ -220,5 +238,6 @@ void read_round_two_srv(data_t *msg, int ref_ret)
exit: exit:
mbedtls_ecjpake_free(&ctx); mbedtls_ecjpake_free(&ctx);
MD_PSA_DONE();
} }
/* END_CASE */ /* END_CASE */