diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index f6070dcba8..b0ad310f86 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -344,6 +344,41 @@ extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state; #endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */ -#endif /* MBEDTLS_PSA_CRYPTO_C */ +/* PSA errors use int32_t, while Mbed TLS ones use int16_t. psa_status_t + * is enough to store either of them. */ +#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C) +extern psa_status_t psa_to_md_errors[8]; +#endif +#if defined(MBEDTLS_LMS_C) +extern psa_status_t psa_to_lms_errors[6]; +#endif + +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +extern psa_status_t psa_to_ssl_errors[14]; +#endif + +#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \ + defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) +extern psa_status_t psa_to_pk_rsa_errors[16]; +#endif + +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +extern psa_status_t psa_to_pk_ecdsa_errors[14]; +#endif + +int psa_generic_status_to_mbedtls(psa_status_t status); + +int psa_status_to_mbedtls(psa_status_t status, + psa_status_t *local_translations, + size_t local_errors_num, + int (*fallback_f)(psa_status_t)); + +int psa_pk_status_to_mbedtls(psa_status_t status); + +#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \ + psa_status_to_mbedtls(status, error_list, sizeof(error_list), fallback_f) + +#endif /* MBEDTLS_PSA_CRYPTO_C */ #endif /* MBEDTLS_PSA_UTIL_H */ diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index bef2e1c4bd..06b0131db5 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -77,6 +77,7 @@ set(src_crypto psa_crypto_slot_management.c psa_crypto_storage.c psa_its_file.c + psa_util.c ripemd160.c rsa.c rsa_alt_helpers.c diff --git a/library/Makefile b/library/Makefile index ed5e1e1729..ceb9c0d16b 100644 --- a/library/Makefile +++ b/library/Makefile @@ -142,6 +142,7 @@ OBJS_CRYPTO= \ psa_crypto_slot_management.o \ psa_crypto_storage.o \ psa_its_file.o \ + psa_util.o \ ripemd160.o \ rsa.o \ rsa_alt_helpers.o \ diff --git a/library/constant_time.c b/library/constant_time.c index b3bf8744d3..552a918f43 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -46,6 +46,11 @@ #endif #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif /* * Define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS where assembly is present to @@ -620,7 +625,7 @@ cleanup: psa_hash_abort(&operation); psa_hash_abort(&aux_operation); - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } #undef MAX_HASH_BLOCK_LENGTH diff --git a/library/ecjpake.c b/library/ecjpake.c index 1a683d5698..36c1327bd5 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -35,6 +35,11 @@ #if !defined(MBEDTLS_MD_C) #include "psa/crypto.h" #include "mbedtls/psa_util.h" +#if !defined(MBEDTLS_ECJPAKE_ALT) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_md_errors, \ + psa_generic_status_to_mbedtls) +#endif /* !MBEDTLS_ECJPAKE_ALT */ #endif /* !MBEDTLS_MD_C */ #include "hash_info.h" @@ -72,7 +77,7 @@ static int mbedtls_ecjpake_compute_hash(mbedtls_md_type_t md_type, status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len); - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); #endif /* !MBEDTLS_MD_C */ } diff --git a/library/hash_info.c b/library/hash_info.c index f8b41a5cbf..0e445b6cf8 100644 --- a/library/hash_info.c +++ b/library/hash_info.c @@ -104,6 +104,7 @@ mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg) return entry->md_type; } +#if !defined(MBEDTLS_DEPRECATED_REMOVED) int mbedtls_md_error_from_psa(psa_status_t status) { switch (status) { @@ -119,3 +120,4 @@ int mbedtls_md_error_from_psa(psa_status_t status) return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; } } +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ diff --git a/library/hash_info.h b/library/hash_info.h index 47da934dee..f984c82427 100644 --- a/library/hash_info.h +++ b/library/hash_info.h @@ -34,6 +34,7 @@ #include "mbedtls/md.h" #include "psa/crypto.h" +#include "mbedtls/platform_util.h" /** \def MBEDTLS_HASH_MAX_SIZE * @@ -88,12 +89,13 @@ psa_algorithm_t mbedtls_hash_info_psa_from_md(mbedtls_md_type_t md_type); */ mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** Convert PSA status to MD error code. * * \param status PSA status. * * \return The corresponding MD error code, */ -int mbedtls_md_error_from_psa(psa_status_t status); - +int MBEDTLS_DEPRECATED mbedtls_md_error_from_psa(psa_status_t status); +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_HASH_INFO_H */ diff --git a/library/lmots.c b/library/lmots.c index c6b45ed592..4061edde04 100644 --- a/library/lmots.c +++ b/library/lmots.c @@ -41,9 +41,14 @@ #include "mbedtls/lms.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "mbedtls/psa_util.h" #include "psa/crypto.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_lms_errors, \ + psa_generic_status_to_mbedtls) + #define PUBLIC_KEY_TYPE_OFFSET (0) #define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \ MBEDTLS_LMOTS_TYPE_LEN) @@ -198,7 +203,7 @@ static int create_digit_array_with_checksum(const mbedtls_lmots_parameters_t *pa exit: psa_hash_abort(&op); - return mbedtls_lms_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } /* Hash each element of the string of digits (+ checksum), producing a hash @@ -321,7 +326,7 @@ exit: psa_hash_abort(&op); mbedtls_platform_zeroize(tmp_hash, sizeof(tmp_hash)); - return mbedtls_lms_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } /* Combine the hashes of the digit array into a public key. This is used in @@ -386,9 +391,10 @@ exit: psa_hash_abort(&op); } - return mbedtls_lms_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } +#if !defined(MBEDTLS_DEPRECATED_REMOVED) int mbedtls_lms_error_from_psa(psa_status_t status) { switch (status) { @@ -406,6 +412,7 @@ int mbedtls_lms_error_from_psa(psa_status_t status) return MBEDTLS_ERR_ERROR_GENERIC_ERROR; } } +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx) { @@ -682,7 +689,7 @@ int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx, exit: psa_hash_abort(&op); - return mbedtls_lms_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx, diff --git a/library/lmots.h b/library/lmots.h index deeeacea83..98d1941d53 100644 --- a/library/lmots.h +++ b/library/lmots.h @@ -79,6 +79,7 @@ void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len, unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len, const unsigned char *bytes); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief This function converts a \ref psa_status_t to a * low-level LMS error code. @@ -87,8 +88,8 @@ unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len, * * \return The corresponding LMS error code. */ -int mbedtls_lms_error_from_psa(psa_status_t status); - +int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status); +#endif /** * \brief This function initializes a public LMOTS context diff --git a/library/lms.c b/library/lms.c index 76bcc19af0..acc3523314 100644 --- a/library/lms.c +++ b/library/lms.c @@ -39,13 +39,17 @@ #include "lmots.h" #include "psa/crypto.h" - +#include "mbedtls/psa_util.h" #include "mbedtls/lms.h" #include "mbedtls/error.h" #include "mbedtls/platform_util.h" #include "mbedtls/platform.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_lms_errors, \ + psa_generic_status_to_mbedtls) + #define SIG_Q_LEAF_ID_OFFSET (0) #define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \ MBEDTLS_LMOTS_Q_LEAF_ID_LEN) @@ -140,7 +144,7 @@ static int create_merkle_leaf_value(const mbedtls_lms_parameters_t *params, exit: psa_hash_abort(&op); - return mbedtls_lms_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } /* Calculate the value of an internal node of the Merkle tree (which is a hash @@ -220,7 +224,7 @@ static int create_merkle_internal_value(const mbedtls_lms_parameters_t *params, exit: psa_hash_abort(&op); - return mbedtls_lms_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx) diff --git a/library/pem.c b/library/pem.c index 8044ed6446..9f14052e59 100644 --- a/library/pem.c +++ b/library/pem.c @@ -39,6 +39,13 @@ #include "psa/crypto.h" #endif +#if !defined(MBEDTLS_MD5_C) +#include "mbedtls/psa_util.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_md_errors, \ + psa_generic_status_to_mbedtls) +#endif + #include "mbedtls/legacy_or_psa.h" #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ @@ -236,7 +243,7 @@ static int pem_pbkdf1(unsigned char *key, size_t keylen, exit: mbedtls_platform_zeroize(md5sum, 16); - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); } #endif /* MBEDTLS_MD5_C */ diff --git a/library/pk.c b/library/pk.c index 05afdbc4e0..5e18ad2982 100644 --- a/library/pk.c +++ b/library/pk.c @@ -41,6 +41,13 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) #include "mbedtls/psa_util.h" +#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status) +#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_pk_rsa_errors, \ + psa_pk_status_to_mbedtls) +#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_pk_ecdsa_errors, \ + psa_pk_status_to_mbedtls) #endif #include @@ -540,7 +547,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options, &key_id); if (status != PSA_SUCCESS) { psa_destroy_key(key_id); - return mbedtls_pk_error_from_psa(status); + return PSA_PK_TO_MBEDTLS_ERR(status); } /* This function requires returning MBEDTLS_ERR_PK_SIG_LEN_MISMATCH @@ -562,7 +569,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options, status = destruction_status; } - return mbedtls_pk_error_from_psa_rsa(status); + return PSA_PK_RSA_TO_MBEDTLS_ERR(status); } else #endif { @@ -700,7 +707,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type, status = psa_sign_hash(*key, PSA_ALG_RSA_PSS(psa_md_alg), hash, hash_len, sig, sig_size, sig_len); - return mbedtls_pk_error_from_psa_rsa(status); + return PSA_PK_RSA_TO_MBEDTLS_ERR(status); } return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg), @@ -896,7 +903,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, /* import private key into PSA */ status = psa_import_key(&attributes, d, d_len, key); if (status != PSA_SUCCESS) { - return mbedtls_pk_error_from_psa(status); + return PSA_PK_TO_MBEDTLS_ERR(status); } /* make PK context wrap the key slot */ @@ -936,7 +943,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, mbedtls_platform_zeroize(buf, sizeof(buf)); if (status != PSA_SUCCESS) { - return mbedtls_pk_error_from_psa(status); + return PSA_PK_TO_MBEDTLS_ERR(status); } /* make PK context wrap the key slot */ diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 45cf807c66..0396210447 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -40,9 +40,19 @@ #include "pkwrite.h" #endif +#if defined(MBEDTLS_PSA_CRYPTO_C) +#include "mbedtls/psa_util.h" +#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status) +#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_pk_rsa_errors, \ + psa_pk_status_to_mbedtls) +#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_pk_ecdsa_errors, \ + psa_pk_status_to_mbedtls) +#endif + #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" -#include "mbedtls/psa_util.h" #include "hash_info.h" #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) @@ -57,6 +67,7 @@ #include #include +#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_PSA_CRYPTO_C) int mbedtls_pk_error_from_psa(psa_status_t status) { @@ -113,11 +124,9 @@ int mbedtls_pk_error_from_psa_rsa(psa_status_t status) } } #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ - #endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_USE_PSA_CRYPTO) - #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status) { @@ -138,8 +147,8 @@ int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status) } } #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ - #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #if defined(MBEDTLS_RSA_C) static int rsa_can_do(mbedtls_pk_type_t type) @@ -196,14 +205,14 @@ static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg, buf + sizeof(buf) - key_len, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); goto cleanup; } status = psa_verify_hash(key_id, psa_alg_md, hash, hash_len, sig, sig_len); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa_rsa(status); + ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); goto cleanup; } ret = 0; @@ -211,7 +220,7 @@ static int rsa_verify_wrap(void *ctx, mbedtls_md_type_t md_alg, cleanup: status = psa_destroy_key(key_id); if (ret == 0 && status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); } return ret; @@ -289,13 +298,13 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg, buf + sizeof(buf) - key_len, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); goto cleanup; } status = psa_sign_hash(key_id, alg, hash, hash_len, sig, sig_size, sig_len); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa_rsa(status); + ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -304,7 +313,7 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg, cleanup: status = psa_destroy_key(key_id); if (ret == 0 && status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); } return ret; } @@ -398,7 +407,7 @@ static int rsa_decrypt_wrap(void *ctx, buf + sizeof(buf) - key_len, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -407,7 +416,7 @@ static int rsa_decrypt_wrap(void *ctx, NULL, 0, output, osize, olen); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa_rsa(status); + ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -417,7 +426,7 @@ cleanup: mbedtls_platform_zeroize(buf, sizeof(buf)); status = psa_destroy_key(key_id); if (ret == 0 && status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); } return ret; @@ -484,7 +493,7 @@ static int rsa_encrypt_wrap(void *ctx, buf + sizeof(buf) - key_len, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -493,7 +502,7 @@ static int rsa_encrypt_wrap(void *ctx, NULL, 0, output, osize, olen); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa_rsa(status); + ret = PSA_PK_RSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -502,7 +511,7 @@ static int rsa_encrypt_wrap(void *ctx, cleanup: status = psa_destroy_key(key_id); if (ret == 0 && status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); } return ret; @@ -716,7 +725,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, buf, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -737,7 +746,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, hash, hash_len, buf, 2 * signature_part_size); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa_ecdsa(status); + ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -750,7 +759,7 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, cleanup: status = psa_destroy_key(key_id); if (ret == 0 && status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); } return ret; @@ -908,14 +917,14 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg, buf, key_len, &key_id); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); goto cleanup; } status = psa_sign_hash(key_id, psa_sig_md, hash, hash_len, sig, sig_size, sig_len); if (status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa_ecdsa(status); + ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -925,7 +934,7 @@ cleanup: mbedtls_platform_zeroize(buf, sizeof(buf)); status = psa_destroy_key(key_id); if (ret == 0 && status != PSA_SUCCESS) { - ret = mbedtls_pk_error_from_psa(status); + ret = PSA_PK_TO_MBEDTLS_ERR(status); } return ret; @@ -1448,7 +1457,7 @@ static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, status = psa_get_key_attributes(*key, &attributes); if (status != PSA_SUCCESS) { - return mbedtls_pk_error_from_psa(status); + return PSA_PK_TO_MBEDTLS_ERR(status); } type = psa_get_key_type(&attributes); @@ -1472,15 +1481,15 @@ static int pk_opaque_sign_wrap(void *ctx, mbedtls_md_type_t md_alg, if (status != PSA_SUCCESS) { #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { - return mbedtls_pk_error_from_psa_ecdsa(status); + return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); } else #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ #if defined(MBEDTLS_RSA_C) if (PSA_KEY_TYPE_IS_RSA(type)) { - return mbedtls_pk_error_from_psa_rsa(status); + return PSA_PK_RSA_TO_MBEDTLS_ERR(status); } else #endif /* MBEDTLS_RSA_C */ - return mbedtls_pk_error_from_psa(status); + return PSA_PK_TO_MBEDTLS_ERR(status); } #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) @@ -1535,7 +1544,7 @@ static int pk_opaque_rsa_decrypt(void *ctx, NULL, 0, output, osize, olen); if (status != PSA_SUCCESS) { - return mbedtls_pk_error_from_psa_rsa(status); + return PSA_PK_RSA_TO_MBEDTLS_ERR(status); } return 0; diff --git a/library/pk_wrap.h b/library/pk_wrap.h index 7df96089d1..c5cd4df151 100644 --- a/library/pk_wrap.h +++ b/library/pk_wrap.h @@ -137,26 +137,30 @@ extern const mbedtls_pk_info_t mbedtls_rsa_alt_info; extern const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info; extern const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info; +#if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) -int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status); +int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_ecdsa(psa_status_t status); +#endif #endif #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_C) -int mbedtls_pk_error_from_psa(psa_status_t status); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa(psa_status_t status); #if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \ defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) -int mbedtls_pk_error_from_psa_rsa(psa_status_t status); +int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_rsa(psa_status_t status); #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #if defined(MBEDTLS_RSA_C) -int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md, - mbedtls_rsa_context *rsa_ctx, - const unsigned char *hash, size_t hash_len, - unsigned char *sig, size_t sig_size, - size_t *sig_len); +int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md, + mbedtls_rsa_context *rsa_ctx, + const unsigned char *hash, size_t hash_len, + unsigned char *sig, size_t sig_size, + size_t *sig_len); #endif /* MBEDTLS_RSA_C */ #endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/pkcs12.c b/library/pkcs12.c index f5ab742c58..8521483941 100644 --- a/library/pkcs12.c +++ b/library/pkcs12.c @@ -35,6 +35,13 @@ #include +#if !defined(MBEDTLS_MD_C) +#include "mbedtls/psa_util.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_md_errors, \ + psa_generic_status_to_mbedtls) +#endif + #if defined(MBEDTLS_DES_C) #include "mbedtls/des.h" #endif @@ -328,7 +335,7 @@ exit: if (status == PSA_SUCCESS) { status = status_abort; } - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); #endif /* !MBEDTLS_MD_C */ } diff --git a/library/pkcs5.c b/library/pkcs5.c index 4e71dd3968..f471b6378b 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -47,6 +47,12 @@ #include "hash_info.h" #include "mbedtls/psa_util.h" +#if !defined(MBEDTLS_MD_C) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_md_errors, \ + psa_generic_status_to_mbedtls) +#endif + #if defined(MBEDTLS_ASN1_PARSE_C) static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params, mbedtls_asn1_buf *salt, int *iterations, @@ -452,7 +458,7 @@ cleanup: status = status_destruction; } - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); #endif /* !MBEDTLS_MD_C */ } diff --git a/library/psa_util.c b/library/psa_util.c new file mode 100644 index 0000000000..7d0b8a2b18 --- /dev/null +++ b/library/psa_util.c @@ -0,0 +1,150 @@ +/* + * PSA hashing layer on top of Mbed TLS software crypto + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "common.h" + +#if defined(MBEDTLS_PSA_CRYPTO_C) + +#include + +#include "psa_crypto_core.h" +#include +#include +#include +#include +#include + +/* PSA_SUCCESS is kept at the top of each error table since + * it's the most common status when everything functions properly. */ +#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C) +psa_status_t psa_to_md_errors[] = +{ + PSA_SUCCESS, 0, + PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE, + PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_MD_BAD_INPUT_DATA, + PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_MD_ALLOC_FAILED +}; +#endif +#if defined(MBEDTLS_LMS_C) +psa_status_t psa_to_lms_errors[] = +{ + PSA_SUCCESS, 0, + PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL, + PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA +}; +#endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) +psa_status_t psa_to_ssl_errors[] = +{ + PSA_SUCCESS, 0, + PSA_ERROR_INSUFFICIENT_MEMORY, MBEDTLS_ERR_SSL_ALLOC_FAILED, + PSA_ERROR_NOT_SUPPORTED, MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE, + PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_SSL_INVALID_MAC, + PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_SSL_BAD_INPUT_DATA, + PSA_ERROR_BAD_STATE, MBEDTLS_ERR_SSL_INTERNAL_ERROR, + PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL +}; +#endif + +#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \ + defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) +psa_status_t psa_to_pk_rsa_errors[] = +{ + PSA_SUCCESS, 0, + PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_RSA_BAD_INPUT_DATA, + PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_RSA_BAD_INPUT_DATA, + PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_RSA_BAD_INPUT_DATA, + PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE, + PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_RSA_RNG_FAILED, + PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_RSA_VERIFY_FAILED, + PSA_ERROR_INVALID_PADDING, MBEDTLS_ERR_RSA_INVALID_PADDING +}; +#endif + +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +psa_status_t psa_to_pk_ecdsa_errors[] = +{ + PSA_SUCCESS, 0, + PSA_ERROR_NOT_PERMITTED, MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_ECP_BAD_INPUT_DATA, + PSA_ERROR_INVALID_HANDLE, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE, + PSA_ERROR_BUFFER_TOO_SMALL, MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL, + PSA_ERROR_INSUFFICIENT_ENTROPY, MBEDTLS_ERR_ECP_RANDOM_FAILED, + PSA_ERROR_INVALID_SIGNATURE, MBEDTLS_ERR_ECP_VERIFY_FAILED +}; +#endif + +int psa_generic_status_to_mbedtls(psa_status_t status) +{ + switch (status) { + case PSA_SUCCESS: + return 0; + case PSA_ERROR_NOT_SUPPORTED: + return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED; + case PSA_ERROR_CORRUPTION_DETECTED: + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + case PSA_ERROR_COMMUNICATION_FAILURE: + case PSA_ERROR_HARDWARE_FAILURE: + return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; + case PSA_ERROR_NOT_PERMITTED: + default: + return MBEDTLS_ERR_ERROR_GENERIC_ERROR; + } +} + +int psa_status_to_mbedtls(psa_status_t status, + psa_status_t *local_translations, + size_t local_errors_size, + int (*fallback_f)(psa_status_t)) +{ + size_t local_errors_num = (size_t) local_errors_size / 2; + for (size_t i = 0; i < local_errors_num; i++) { + if (status == local_translations[2 * i]) { + return local_translations[2 * i + 1]; + } + } + return fallback_f(status); +} + +int psa_pk_status_to_mbedtls(psa_status_t status) +{ + switch (status) { + case PSA_ERROR_INVALID_HANDLE: + return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + case PSA_ERROR_BUFFER_TOO_SMALL: + return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; + case PSA_ERROR_NOT_SUPPORTED: + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; + case PSA_ERROR_INVALID_ARGUMENT: + return MBEDTLS_ERR_PK_INVALID_ALG; + case PSA_ERROR_INSUFFICIENT_MEMORY: + return MBEDTLS_ERR_PK_ALLOC_FAILED; + case PSA_ERROR_BAD_STATE: + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + case PSA_ERROR_DATA_CORRUPT: + case PSA_ERROR_DATA_INVALID: + case PSA_ERROR_STORAGE_FAILURE: + return MBEDTLS_ERR_PK_FILE_IO_ERROR; + default: + return psa_generic_status_to_mbedtls(status); + } +} +#endif /* MBEDTLS_PSA_CRYPTO_C */ diff --git a/library/rsa.c b/library/rsa.c index df7d7975cb..7159588e76 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -60,7 +60,10 @@ #if !defined(MBEDTLS_MD_C) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#endif /* MBEDTLS_MD_C */ +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_md_errors, \ + psa_generic_status_to_mbedtls) +#endif /* !MBEDTLS_MD_C */ #endif /* MBEDTLS_PKCS1_V21 */ #include "mbedtls/platform.h" @@ -1156,7 +1159,7 @@ exit: #else psa_hash_abort(&op); - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); #endif } @@ -1236,7 +1239,7 @@ exit: exit: psa_hash_abort(&op); - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); #endif /* !MBEDTLS_MD_C */ } @@ -1269,7 +1272,7 @@ static int compute_hash(mbedtls_md_type_t md_alg, status = psa_hash_compute(alg, input, ilen, output, out_size, &out_len); - return mbedtls_md_error_from_psa(status); + return PSA_TO_MBEDTLS_ERR(status); #endif /* !MBEDTLS_MD_C */ } #endif /* MBEDTLS_PKCS1_V21 */ diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index b7eead402e..ef4d1886d3 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c @@ -37,6 +37,12 @@ #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif + /* * If DTLS is in use, then at least one of SHA-256 or SHA-384 is * available. Try SHA-256 first as 384 wastes resources @@ -126,7 +132,7 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx, if ((status = psa_generate_key(&attributes, &ctx->psa_hmac_key)) != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } #else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -215,26 +221,26 @@ int mbedtls_ssl_cookie_write(void *p_ctx, status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key, ctx->psa_hmac_alg); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_update(&operation, *p - 4, 4); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_update(&operation, cli_id, cli_id_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_sign_finish(&operation, *p, COOKIE_MD_OUTLEN, &sign_mac_length); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } @@ -263,7 +269,7 @@ int mbedtls_ssl_cookie_write(void *p_ctx, exit: status = psa_mac_abort(&operation); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ return ret; @@ -299,27 +305,27 @@ int mbedtls_ssl_cookie_check(void *p_ctx, status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key, ctx->psa_hmac_alg); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_update(&operation, cookie, 4); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_update(&operation, cli_id, cli_id_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_verify_finish(&operation, cookie + 4, COOKIE_HMAC_LEN); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } @@ -374,7 +380,7 @@ exit: #if defined(MBEDTLS_USE_PSA_CRYPTO) status = psa_mac_abort(&operation); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } #else mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac)); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 7385c6ee39..7d08ef4209 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2514,6 +2514,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type psa_key_type_t *key_type, size_t *key_size); +#if !defined(MBEDTLS_DEPRECATED_REMOVED) /** * \brief Convert given PSA status to mbedtls error code. * @@ -2521,7 +2522,7 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type * * \return corresponding mbedtls error code */ -static inline int psa_ssl_status_to_mbedtls(psa_status_t status) +static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status) { switch (status) { case PSA_SUCCESS: @@ -2542,6 +2543,7 @@ static inline int psa_ssl_status_to_mbedtls(psa_status_t status) return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; } } +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index d26d950864..1cad588077 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -48,6 +48,12 @@ #include "mbedtls/oid.h" #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif + static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl); /* @@ -879,10 +885,10 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, hmac_failed_etm_disabled: mbedtls_platform_zeroize(mac, transform->maclen); #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); status = psa_mac_abort(&operation); if (ret == 0 && status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ if (ret != 0) { @@ -979,7 +985,7 @@ hmac_failed_etm_disabled: &rec->data_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret); return ret; } @@ -1089,7 +1095,7 @@ hmac_failed_etm_disabled: transform->psa_key_enc, transform->psa_alg); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_encrypt_setup", ret); return ret; } @@ -1097,7 +1103,7 @@ hmac_failed_etm_disabled: status = psa_cipher_set_iv(&cipher_op, transform->iv_enc, transform->ivlen); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret); return ret; @@ -1108,7 +1114,7 @@ hmac_failed_etm_disabled: data, rec->data_len, &olen); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret); return ret; @@ -1119,7 +1125,7 @@ hmac_failed_etm_disabled: &part_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret); return ret; @@ -1222,10 +1228,10 @@ hmac_failed_etm_disabled: hmac_failed_etm_enabled: mbedtls_platform_zeroize(mac, transform->maclen); #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); status = psa_mac_abort(&operation); if (ret == 0 && status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ if (ret != 0) { @@ -1399,7 +1405,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, &olen); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret); return ret; } @@ -1571,10 +1577,10 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, hmac_failed_etm_enabled: #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); status = psa_mac_abort(&operation); if (ret == 0 && status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } #else mbedtls_platform_zeroize(mac_expect, transform->maclen); @@ -1621,7 +1627,7 @@ hmac_failed_etm_enabled: transform->psa_key_dec, transform->psa_alg); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_decrypt_setup", ret); return ret; } @@ -1629,7 +1635,7 @@ hmac_failed_etm_enabled: status = psa_cipher_set_iv(&cipher_op, transform->iv_dec, transform->ivlen); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret); return ret; } @@ -1639,7 +1645,7 @@ hmac_failed_etm_enabled: data, rec->data_len, &olen); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret); return ret; } @@ -1649,7 +1655,7 @@ hmac_failed_etm_enabled: &part_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret); return ret; } diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index ba9dbd512c..7d07d191fd 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -30,6 +30,12 @@ #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif + /* * Initialize context */ @@ -91,7 +97,7 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx, psa_set_key_type(&attributes, key->key_type); psa_set_key_bits(&attributes, key->key_bits); - ret = psa_ssl_status_to_mbedtls( + ret = PSA_TO_MBEDTLS_ERR( psa_import_key(&attributes, buf, PSA_BITS_TO_BYTES(key->key_bits), &key->key)); @@ -133,7 +139,7 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx) #if defined(MBEDTLS_USE_PSA_CRYPTO) if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -169,7 +175,7 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx, #if defined(MBEDTLS_USE_PSA_CRYPTO) if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); return ret; } @@ -182,7 +188,7 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx, if ((status = psa_import_key(&attributes, k, PSA_BITS_TO_BYTES(key->key_bits), &key->key)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); return ret; } #else @@ -355,7 +361,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket, state, clear_len, state, end - state, &ciph_len)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } #else @@ -465,7 +471,7 @@ int mbedtls_ssl_ticket_parse(void *p_ticket, key_name, TICKET_ADD_DATA_LEN, ticket, enc_len + TICKET_AUTH_TAG_BYTES, ticket, enc_len, &clear_len)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } #else diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 441089f164..e8f1750122 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -52,6 +52,12 @@ #include "mbedtls/oid.h" #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif + #if defined(MBEDTLS_TEST_HOOKS) static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; @@ -5759,7 +5765,7 @@ exit: !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) (void) ssl; #endif - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } #else /* MBEDTLS_USE_PSA_CRYPTO */ @@ -8230,7 +8236,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, &alg, &key_type, &key_bits)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); goto end; } @@ -8478,7 +8484,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, PSA_BITS_TO_BYTES(key_bits), &transform->psa_key_enc)) != PSA_SUCCESS) { MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); goto end; } @@ -8489,7 +8495,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, key2, PSA_BITS_TO_BYTES(key_bits), &transform->psa_key_dec)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); goto end; } @@ -8552,7 +8558,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, if ((status = psa_import_key(&attributes, mac_enc, mac_key_len, &transform->psa_mac_enc)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); goto end; } @@ -8573,7 +8579,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, if ((status = psa_import_key(&attributes, mac_dec, mac_key_len, &transform->psa_mac_dec)) != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); goto end; } @@ -8628,7 +8634,7 @@ int mbedtls_psa_ecjpake_read_round( status = psa_pake_input(pake_ctx, step, buf + input_offset, length); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } input_offset += length; @@ -8670,7 +8676,7 @@ int mbedtls_psa_ecjpake_write_round( len - output_offset - 1, &output_len); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } *(buf + output_offset) = (uint8_t) output_len; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index fc99fdebeb..890e9a906e 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -33,6 +33,9 @@ #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/psa_util.h" #include "psa/crypto.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) #endif /* MBEDTLS_USE_PSA_CRYPTO */ #include @@ -2951,7 +2954,7 @@ ecdh_calc_secret: status = psa_generate_key(&key_attributes, &handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } /* Export the public part of the ECDH private key from PSA. @@ -2968,7 +2971,7 @@ ecdh_calc_secret: if (status != PSA_SUCCESS) { psa_destroy_key(handshake->ecdh_psa_privkey); handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } *p = (unsigned char) own_pubkey_len; @@ -3000,9 +3003,9 @@ ecdh_calc_secret: handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } else if (destruction_status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(destruction_status); + return PSA_TO_MBEDTLS_ERR(destruction_status); } /* Write the ECDH computation length before the ECDH computation */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index d5c8b7ce49..0806f7f5c8 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -34,6 +34,12 @@ #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif + #if defined(MBEDTLS_ECP_C) #include "mbedtls/ecp.h" #endif @@ -2588,7 +2594,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) &key_attributes); if (status != PSA_SUCCESS) { ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes); @@ -2635,7 +2641,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) status = psa_import_key(&key_attributes, buf, key_len, &ssl->handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -2956,7 +2962,7 @@ curve_matching_done: status = psa_generate_key(&key_attributes, &handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); return ret; } @@ -2980,7 +2986,7 @@ curve_matching_done: own_pubkey, own_pubkey_max_len, &len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); (void) psa_destroy_key(handshake->ecdh_psa_privkey); handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; @@ -3688,7 +3694,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) handshake->premaster, sizeof(handshake->premaster), &handshake->pmslen); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); if (handshake->ecdh_psa_privkey_is_external == 0) { (void) psa_destroy_key(handshake->ecdh_psa_privkey); @@ -3701,7 +3707,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) status = psa_destroy_key(handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); return ret; } @@ -3894,9 +3900,9 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } else if (destruction_status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(destruction_status); + return PSA_TO_MBEDTLS_ERR(destruction_status); } /* Write the ECDH computation length before the ECDH computation */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 0dd762ef39..05c736424d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -34,6 +34,10 @@ #include "ssl_tls13_keys.h" #include "ssl_debug_helpers.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) + /* Write extensions */ /* @@ -188,7 +192,7 @@ static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl) /* Destroy generated private key. */ status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); return ret; } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f607e364cc..512656e34f 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -36,6 +36,13 @@ #include "ssl_tls13_keys.h" #include "ssl_debug_helpers.h" +#include "psa/crypto.h" +#include "mbedtls/psa_util.h" + +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) + const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ MBEDTLS_SERVER_HELLO_RANDOM_LEN] = { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, @@ -1016,7 +1023,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, verify_hash, sizeof(verify_hash), &verify_hash_len); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); @@ -1482,7 +1489,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( status = psa_generate_key(&key_attributes, &handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret); return ret; @@ -1493,7 +1500,7 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( buf, (size_t) (end - buf), &own_pubkey_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret); return ret; diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index a95d2fd908..6edce50bc8 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -35,6 +35,10 @@ #include "psa/crypto.h" +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) + #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ .name = string, @@ -215,7 +219,7 @@ cleanup: abort_status = psa_key_derivation_abort(&operation); status = (status == PSA_SUCCESS ? abort_status : status); mbedtls_platform_zeroize(hkdf_label, hkdf_label_len); - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } MBEDTLS_CHECK_RETURN_CRITICAL @@ -309,7 +313,7 @@ int mbedtls_ssl_tls13_derive_secret( status = psa_hash_compute(hash_alg, ctx, ctx_len, hashed_context, PSA_HASH_LENGTH(hash_alg), &ctx_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); return ret; } } else { @@ -416,7 +420,7 @@ int mbedtls_ssl_tls13_evolve_secret( cleanup: abort_status = psa_key_derivation_abort(&operation); status = (status == PSA_SUCCESS ? abort_status : status); - ret = (ret == 0 ? psa_ssl_status_to_mbedtls(status) : ret); + ret = (ret == 0 ? PSA_TO_MBEDTLS_ERR(status) : ret); mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret)); return ret; } @@ -740,19 +744,19 @@ static int ssl_tls13_calc_finished_core(psa_algorithm_t hash_alg, status = psa_import_key(&attributes, finished_key, hash_len, &key); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto exit; } status = psa_mac_compute(key, alg, transcript, hash_len, dst, hash_len, dst_len); - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); exit: status = psa_destroy_key(key); if (ret == 0) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } mbedtls_platform_zeroize(finished_key, sizeof(finished_key)); @@ -1040,8 +1044,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform, &alg, &key_type, &key_bits)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", psa_ssl_status_to_mbedtls(status)); - return psa_ssl_status_to_mbedtls(status); + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status)); + return PSA_TO_MBEDTLS_ERR(status); } transform->psa_alg = alg; @@ -1055,8 +1059,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform, key_enc, PSA_BITS_TO_BYTES(key_bits), &transform->psa_key_enc)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", psa_ssl_status_to_mbedtls(status)); - return psa_ssl_status_to_mbedtls(status); + MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status)); + return PSA_TO_MBEDTLS_ERR(status); } psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); @@ -1065,8 +1069,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform, key_dec, PSA_BITS_TO_BYTES(key_bits), &transform->psa_key_dec)) != PSA_SUCCESS) { - MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", psa_ssl_status_to_mbedtls(status)); - return psa_ssl_status_to_mbedtls(status); + MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status)); + return PSA_TO_MBEDTLS_ERR(status); } } #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -1094,7 +1098,7 @@ static int ssl_tls13_get_cipher_key_info( status = mbedtls_ssl_cipher_to_psa(ciphersuite_info->cipher, taglen, &alg, &key_type, &key_bits); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } *key_len = PSA_BITS_TO_BYTES(key_bits); @@ -1467,7 +1471,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl) status = psa_get_key_attributes(handshake->ecdh_psa_privkey, &key_attributes); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); } shared_secret_len = PSA_BITS_TO_BYTES( @@ -1482,14 +1486,14 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl) handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, shared_secret, shared_secret_len, &shared_secret_len); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); goto cleanup; } status = psa_destroy_key(handshake->ecdh_psa_privkey); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); goto cleanup; } @@ -1826,7 +1830,7 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits(&key_attributes)); @@ -1840,7 +1844,7 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, if (status != PSA_SUCCESS) { mbedtls_free((void *) *psk); *psk = NULL; - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } return 0; #else diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 15246cb1a4..9e37259a70 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -18,6 +18,12 @@ #include #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ + psa_to_ssl_errors, \ + psa_generic_status_to_mbedtls) +#endif + #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) @@ -1299,27 +1305,27 @@ static int psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform, transform->psa_key_enc, transform->psa_alg); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } status = psa_cipher_set_iv(&cipher_op, iv, iv_len); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } status = psa_cipher_update(&cipher_op, input, ilen, output, ilen, olen); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } status = psa_cipher_finish(&cipher_op, output + *olen, ilen - *olen, &part_len); if (status != PSA_SUCCESS) { - return psa_ssl_status_to_mbedtls(status); + return PSA_TO_MBEDTLS_ERR(status); } *olen += part_len; @@ -1614,7 +1620,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in, &key_bits); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -1633,7 +1639,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in, &t_in->psa_key_enc); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -1643,7 +1649,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in, &t_out->psa_key_enc); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -1655,7 +1661,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in, &t_in->psa_key_dec); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } @@ -1665,7 +1671,7 @@ static int build_transforms(mbedtls_ssl_transform *t_in, &t_out->psa_key_dec); if (status != PSA_SUCCESS) { - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); goto cleanup; } } @@ -1735,7 +1741,7 @@ static int ssl_tls12_populate_session(mbedtls_ssl_session *session, session->peer_cert_digest, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN, &hash_size); - ret = psa_ssl_status_to_mbedtls(status); + ret = PSA_TO_MBEDTLS_ERR(status); #else ret = mbedtls_md(mbedtls_md_info_from_type( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),