mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-24 06:02:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #7791 from valeriosetti/issue7406

Browse Source 
driver-only ECC: TLS: avoid use of mbedtls_ecp_write_key() (with USE_PSA)
This commit is contained in:
Manuel Pégourié-Gonnard 2023-06-22 11:13:44 +02:00 committed by GitHub
commit e25c43bd66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
library/ssl_tls12_server.c
View File

@ -2589,14 +2589,17 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
unsigned char buf[ mbedtls_pk_context *pk;
PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; mbedtls_pk_type_t pk_type;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
uint16_t tls_id = 0; uint16_t tls_id = 0;
psa_ecc_family_t ecc_family; psa_ecc_family_t ecc_family;
size_t key_len; size_t key_len;
mbedtls_pk_context *pk;
mbedtls_ecp_group_id grp_id; mbedtls_ecp_group_id grp_id;
unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
mbedtls_ecp_keypair *key;
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
pk = mbedtls_ssl_own_key(ssl); pk = mbedtls_ssl_own_key(ssl);
@ -2604,18 +2607,20 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
} }
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) pk_type = mbedtls_pk_get_type(pk);
mbedtls_ecp_keypair *key = mbedtls_pk_ec_rw(*pk);
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
switch (mbedtls_pk_get_type(pk)) { switch (pk_type) {
case MBEDTLS_PK_OPAQUE: case MBEDTLS_PK_OPAQUE:
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
} }
ssl->handshake->ecdh_psa_privkey = pk->priv_id; ssl->handshake->ecdh_psa_privkey = pk->priv_id;
/* Key should not be destroyed in the TLS library */ /* Key should not be destroyed in the TLS library */
ssl->handshake->ecdh_psa_privkey_is_external = 1; ssl->handshake->ecdh_psa_privkey_is_external = 1;
@ -2633,9 +2638,11 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
ret = 0; ret = 0;
break; break;
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
case MBEDTLS_PK_ECKEY: case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH: case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA: case MBEDTLS_PK_ECDSA:
key = mbedtls_pk_ec_rw(*pk);
grp_id = mbedtls_pk_get_group_id(pk); grp_id = mbedtls_pk_get_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) { if (grp_id == MBEDTLS_ECP_DP_NONE) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
@ -2660,36 +2667,29 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type)); PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type));
psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits); psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits);
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
key_len = PSA_BITS_TO_BYTES(key->grp.pbits); key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
ret = mbedtls_ecp_write_key(key, buf, key_len); ret = mbedtls_ecp_write_key(key, buf, key_len);
if (ret != 0) { if (ret != 0) {
goto cleanup; mbedtls_platform_zeroize(buf, sizeof(buf));
break;
} }
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
status = psa_import_key(&key_attributes, buf, key_len, status = psa_import_key(&key_attributes, buf, key_len,
&ssl->handshake->ecdh_psa_privkey); &ssl->handshake->ecdh_psa_privkey);
if (status != PSA_SUCCESS) { if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status); ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup; mbedtls_platform_zeroize(buf, sizeof(buf));
break;
} }
mbedtls_platform_zeroize(buf, sizeof(buf));
ret = 0; ret = 0;
break; break;
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
default: default:
ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
} }
cleanup:
mbedtls_platform_zeroize(buf, sizeof(buf));
return ret; return ret;
} }
#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ #elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \