mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-12 10:13:39 +00:00
Remove MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Remove the configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED and all code guarded by it. This remove support for the RSA-PSK key exchange in TLS 1.2. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
parent
7dfe7c9e4a
commit
ac767e5c69
@ -117,7 +117,6 @@ Support description
|
||||
| MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) |
|
||||
| MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED | n/a |
|
||||
| MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a |
|
||||
|
||||
@ -310,12 +310,6 @@
|
||||
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
|
||||
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
|
||||
!defined(MBEDTLS_PKCS1_V15) )
|
||||
#error "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
|
||||
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
|
||||
!defined(MBEDTLS_PKCS1_V15) )
|
||||
@ -797,7 +791,6 @@
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
|
||||
#error "One or more versions of the TLS protocol are enabled " \
|
||||
|
||||
@ -67,7 +67,6 @@
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||
|
||||
@ -745,29 +745,6 @@
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
*
|
||||
* Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
|
||||
*
|
||||
* Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
|
||||
* MBEDTLS_X509_CRT_PARSE_C
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
* enabled as well):
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
|
||||
* MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
|
||||
*/
|
||||
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
*
|
||||
|
||||
@ -673,9 +673,6 @@ union mbedtls_ssl_premaster_secret {
|
||||
unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
|
||||
+ MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 3 */
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 4 */
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
|
||||
+ MBEDTLS_PSK_MAX_LEN]; /* RFC 5489 2 */
|
||||
|
||||
@ -274,7 +274,6 @@ typedef enum {
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
|
||||
@ -339,7 +338,6 @@ typedef enum {
|
||||
/* Key exchanges that don't involve ephemeral keys */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED
|
||||
#endif
|
||||
@ -356,7 +354,6 @@ typedef enum {
|
||||
|
||||
/* Key exchanges using a PSK */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
|
||||
|
||||
@ -371,14 +371,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
|
||||
"TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
|
||||
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 &&
|
||||
PSA_WANT_ALG_SHA_256 &&
|
||||
MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
@ -1235,89 +1227,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
#if defined(PSA_WANT_KEY_TYPE_AES)
|
||||
#if defined(PSA_WANT_ALG_GCM)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
|
||||
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
|
||||
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#endif /* PSA_WANT_ALG_GCM */
|
||||
|
||||
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
|
||||
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
|
||||
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
|
||||
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_1 */
|
||||
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
|
||||
#endif /* PSA_WANT_KEY_TYPE_AES */
|
||||
|
||||
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
|
||||
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
|
||||
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
|
||||
|
||||
#if defined(PSA_WANT_ALG_GCM)
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
|
||||
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_256 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
|
||||
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#endif /* PSA_WANT_ALG_GCM */
|
||||
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
#if defined(PSA_WANT_KEY_TYPE_AES)
|
||||
#if defined(PSA_WANT_ALG_CCM)
|
||||
@ -1421,29 +1330,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
#if defined(PSA_WANT_ALG_SHA_1)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
|
||||
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
MBEDTLS_CIPHERSUITE_WEAK,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_1 */
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_256)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
|
||||
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
MBEDTLS_CIPHERSUITE_WEAK,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
|
||||
#if defined(PSA_WANT_ALG_SHA_384)
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
|
||||
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
MBEDTLS_CIPHERSUITE_WEAK,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif /* PSA_WANT_ALG_SHA_384 */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
|
||||
|
||||
#if defined(PSA_WANT_KEY_TYPE_ARIA)
|
||||
@ -1483,41 +1369,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
|
||||
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
|
||||
"TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
|
||||
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
|
||||
defined(PSA_WANT_ALG_SHA_384))
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
|
||||
"TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
|
||||
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
|
||||
"TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
|
||||
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
|
||||
defined(PSA_WANT_ALG_SHA_256))
|
||||
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
|
||||
"TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
|
||||
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||
0,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
|
||||
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
|
||||
|
||||
@ -7357,21 +7357,6 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_excha
|
||||
p += psk_len;
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
||||
/*
|
||||
* other_secret already set by the ClientKeyExchange message,
|
||||
* and is 48 bytes long
|
||||
*/
|
||||
if (end - p < 2) {
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
*p++ = 0;
|
||||
*p++ = 48;
|
||||
p += 48;
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
@ -1900,8 +1900,7 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
/*
|
||||
* Generate a pre-master secret and encrypt it with the server's RSA key
|
||||
*/
|
||||
@ -1976,8 +1975,7 @@ static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
@ -2188,14 +2186,12 @@ start_processing:
|
||||
} /* FALLTHROUGH */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
||||
; /* nothing more to do */
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
|
||||
@ -3050,14 +3046,6 @@ ecdh_calc_secret:
|
||||
content_len = 0;
|
||||
} else
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
||||
if ((ret = ssl_write_encrypted_pms(ssl, header_len,
|
||||
&content_len, 2)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
|
||||
/*
|
||||
|
||||
@ -3414,8 +3414,7 @@ static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -3601,8 +3600,7 @@ static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
@ -3671,8 +3669,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
||||
(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED))
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
|
||||
(ssl->handshake->async_in_progress != 0)) {
|
||||
@ -3842,39 +3839,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
if (ssl->handshake->async_in_progress != 0) {
|
||||
/* There is an asynchronous operation in progress to
|
||||
* decrypt the encrypted premaster secret, so skip
|
||||
* directly to resuming this operation. */
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("PSK identity already parsed"));
|
||||
/* Update p to skip the PSK identity. ssl_parse_encrypted_pms
|
||||
* won't actually use it, but maintain p anyway for robustness. */
|
||||
p += ssl->conf->psk_identity_len + 2;
|
||||
} else
|
||||
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 2)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_encrypted_pms"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
|
||||
(mbedtls_key_exchange_type_t) ciphersuite_info->
|
||||
key_exchange)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
|
||||
return ret;
|
||||
}
|
||||
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
|
||||
} else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
|
||||
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
|
||||
|
||||
@ -1243,7 +1243,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
|
||||
scripts/config.py unset MBEDTLS_PKCS1_V21
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
# Also disable key exchanges that depend on RSA
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
@ -1619,7 +1618,6 @@ component_test_new_psa_want_key_pair_symbol () {
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
scripts/config.py unset MBEDTLS_RSA_C
|
||||
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
|
||||
@ -312,7 +312,6 @@ REVERSE_DEPENDENCIES = {
|
||||
'PSA_WANT_ALG_RSA_PSS'],
|
||||
'MBEDTLS_PKCS1_V15': ['MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED',
|
||||
'MBEDTLS_KEY_EXCHANGE_RSA_ENABLED',
|
||||
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
|
||||
'PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],
|
||||
|
||||
@ -312,7 +312,6 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
|
||||
|
||||
@ -322,8 +321,7 @@ TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
|
||||
TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
|
||||
|
||||
requires_certificate_authentication () {
|
||||
if is_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user