AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use inline PSA code instead of using ssl_cookie_hmac in mbedtls_ssl_cookie_write()

Browse Source 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This commit is contained in:
Neil Armstrong 2022-03-21 11:39:52 +01:00
parent 6d5baf5f1e
commit 2d5e343c75
1 changed files with 37 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
library/ssl_cookie.c
View File

@ -156,56 +156,19 @@ int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
return( 0 ); return( 0 );
} }
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/* /*
* Generate the HMAC part of a cookie * Generate the HMAC part of a cookie
*/ */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static int ssl_cookie_hmac( mbedtls_ssl_cookie_ctx *ctx,
const unsigned char time[4],
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len )
#else
static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx, static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
const unsigned char time[4], const unsigned char time[4],
unsigned char **p, unsigned char *end, unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len ) const unsigned char *cli_id, size_t cli_id_len )
#endif
{ {
unsigned char hmac_out[COOKIE_MD_OUTLEN]; unsigned char hmac_out[COOKIE_MD_OUTLEN];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_CHK_BUF_PTR( *p, end, COOKIE_HMAC_LEN ); MBEDTLS_SSL_CHK_BUF_PTR( *p, end, COOKIE_HMAC_LEN );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( psa_mac_sign_setup( &operation, ctx->psa_hmac,
ctx->psa_hmac_alg ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cookie_hmac_exit;
}
if( psa_mac_update( &operation, time, 4 ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cookie_hmac_exit;
}
if( psa_mac_update( &operation, cli_id,
cli_id_len ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cookie_hmac_exit;
}
if( psa_mac_sign_finish( &operation, hmac_out, COOKIE_MD_OUTLEN,
&sign_mac_length ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cookie_hmac_exit;
}
ret = 0;
#else
if( mbedtls_md_hmac_reset( hmac_ctx ) != 0 || if( mbedtls_md_hmac_reset( hmac_ctx ) != 0 ||
mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 || mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 || mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 ||
@ -213,21 +176,13 @@ static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
{ {
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy( *p, hmac_out, COOKIE_HMAC_LEN ); memcpy( *p, hmac_out, COOKIE_HMAC_LEN );
*p += COOKIE_HMAC_LEN; *p += COOKIE_HMAC_LEN;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
cookie_hmac_exit:
if( psa_mac_abort( &operation ) != PSA_SUCCESS )
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
return ret;
#else
return( 0 ); return( 0 );
#endif
} }
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/* /*
* Generate cookie for DTLS ClientHello verification * Generate cookie for DTLS ClientHello verification
@ -236,6 +191,10 @@ int mbedtls_ssl_cookie_write( void *p_ctx,
unsigned char **p, unsigned char *end, unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len ) const unsigned char *cli_id, size_t cli_id_len )
{ {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
size_t sign_mac_length = 0;
#endif
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx; mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long t; unsigned long t;
@ -255,8 +214,32 @@ int mbedtls_ssl_cookie_write( void *p_ctx,
*p += 4; *p += 4;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = ssl_cookie_hmac( ctx, *p - 4, if( psa_mac_sign_setup( &operation, ctx->psa_hmac,
p, end, cli_id, cli_id_len ); ctx->psa_hmac_alg ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto exit;
}
if( psa_mac_update( &operation, *p - 4, 4 ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto exit;
}
if( psa_mac_update( &operation, cli_id,
cli_id_len ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto exit;
}
if( psa_mac_sign_finish( &operation, *p, COOKIE_MD_OUTLEN,
&sign_mac_length ) != PSA_SUCCESS ) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto exit;
}
*p += COOKIE_HMAC_LEN;
ret = 0;
#else #else
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
@ -273,6 +256,11 @@ int mbedtls_ssl_cookie_write( void *p_ctx,
#endif #endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
if( psa_mac_abort( &operation ) != PSA_SUCCESS )
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( ret ); return( ret );
} }