Rm dead !USE_PSA code: SSL hooks
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl_{ticket,cookie}.[ch]
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h
index 71c258e..afeb07b 100644
--- a/include/mbedtls/ssl_cookie.h
+++ b/include/mbedtls/ssl_cookie.h
@@ -15,11 +15,6 @@
#include "mbedtls/ssl.h"
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_THREADING_C)
-#include "mbedtls/threading.h"
-#endif
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/**
* \name SECTION: Module settings
@@ -42,23 +37,14 @@
* \brief Context for the default cookie functions.
*/
typedef struct mbedtls_ssl_cookie_ctx {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psa_hmac_key); /*!< key id for the HMAC portion */
psa_algorithm_t MBEDTLS_PRIVATE(psa_hmac_alg); /*!< key algorithm for the HMAC portion */
-#else
- mbedtls_md_context_t MBEDTLS_PRIVATE(hmac_ctx); /*!< context for the HMAC portion */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_HAVE_TIME)
unsigned long MBEDTLS_PRIVATE(serial); /*!< serial number for expiration */
#endif
unsigned long MBEDTLS_PRIVATE(timeout); /*!< timeout delay, in seconds if HAVE_TIME,
or in number of tickets issued */
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
-#endif
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} mbedtls_ssl_cookie_ctx;
/**
diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h
index 2ee1400..c05e640 100644
--- a/include/mbedtls/ssl_ticket.h
+++ b/include/mbedtls/ssl_ticket.h
@@ -26,9 +26,7 @@
#include "mbedtls/platform_time.h"
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
-#endif
#if defined(MBEDTLS_THREADING_C)
#include "mbedtls/threading.h"
@@ -54,14 +52,10 @@
* tickets created under that key.
*/
uint32_t MBEDTLS_PRIVATE(lifetime);
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
- mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */
-#else
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(key); /*!< key used for auth enc/decryption */
psa_algorithm_t MBEDTLS_PRIVATE(alg); /*!< algorithm of auth enc/decryption */
psa_key_type_t MBEDTLS_PRIVATE(key_type); /*!< key type */
size_t MBEDTLS_PRIVATE(key_bits); /*!< key length in bits */
-#endif
}
mbedtls_ssl_ticket_key;
diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c
index 0e37467..01b90e1 100644
--- a/library/ssl_cookie.c
+++ b/library/ssl_cookie.c
@@ -22,7 +22,6 @@
#include <string.h>
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
@@ -33,7 +32,6 @@
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif
/*
* If DTLS is in use, then at least one of SHA-256 or SHA-384 is
@@ -59,21 +57,12 @@
void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->psa_hmac_key = MBEDTLS_SVC_KEY_ID_INIT;
-#else
- mbedtls_md_init(&ctx->hmac_ctx);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_HAVE_TIME)
ctx->serial = 0;
#endif
ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init(&ctx->mutex);
-#endif
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
}
void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
@@ -87,15 +76,7 @@
return;
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->psa_hmac_key);
-#else
- mbedtls_md_free(&ctx->hmac_ctx);
-
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_free(&ctx->mutex);
-#endif
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
}
@@ -104,7 +85,6 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t alg;
@@ -130,57 +110,10 @@
&ctx->psa_hmac_key)) != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
-#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char key[COOKIE_MD_OUTLEN];
-
- if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
- return ret;
- }
-
- ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
- if (ret != 0) {
- return ret;
- }
-
- ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
- if (ret != 0) {
- return ret;
- }
-
- mbedtls_platform_zeroize(key, sizeof(key));
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return 0;
}
-#if !defined(MBEDTLS_USE_PSA_CRYPTO)
-/*
- * Generate the HMAC part of a cookie
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
- const unsigned char time[4],
- unsigned char **p, unsigned char *end,
- const unsigned char *cli_id, size_t cli_id_len)
-{
- unsigned char hmac_out[COOKIE_MD_OUTLEN];
-
- MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
-
- if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
- mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
- mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
- mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
- return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
- }
-
- memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
- *p += COOKIE_HMAC_LEN;
-
- return 0;
-}
-#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/*
* Generate cookie for DTLS ClientHello verification
@@ -189,11 +122,9 @@
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len)
{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
-#endif
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long t;
@@ -213,7 +144,6 @@
MBEDTLS_PUT_UINT32_BE(t, *p, 0);
*p += 4;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) {
@@ -243,31 +173,12 @@
*p += COOKIE_HMAC_LEN;
ret = 0;
-#else
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
- }
-#endif
- ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
- p, end, cli_id, cli_id_len);
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
- MBEDTLS_ERR_THREADING_MUTEX_ERROR);
- }
-#endif
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret;
}
@@ -278,13 +189,8 @@
const unsigned char *cookie, size_t cookie_len,
const unsigned char *cli_id, size_t cli_id_len)
{
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#else
- unsigned char ref_hmac[COOKIE_HMAC_LEN];
- unsigned char *p = ref_hmac;
-#endif
int ret = 0;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long cur_time, cookie_time;
@@ -297,7 +203,6 @@
return -1;
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) {
@@ -326,35 +231,6 @@
}
ret = 0;
-#else
-#if defined(MBEDTLS_THREADING_C)
- if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
- }
-#endif
-
- if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
- &p, p + sizeof(ref_hmac),
- cli_id, cli_id_len) != 0) {
- ret = -1;
- }
-
-#if defined(MBEDTLS_THREADING_C)
- if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
- MBEDTLS_ERR_THREADING_MUTEX_ERROR);
- }
-#endif
-
- if (ret != 0) {
- goto exit;
- }
-
- if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
- ret = -1;
- goto exit;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_HAVE_TIME)
cur_time = (unsigned long) mbedtls_time(NULL);
@@ -370,14 +246,10 @@
}
exit:
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
-#else
- mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret;
}
#endif /* MBEDTLS_SSL_COOKIE_C */
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 615b37f..b770a88 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -17,7 +17,6 @@
#include <string.h>
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@@ -27,7 +26,6 @@
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
-#endif
/*
* Initialize context
@@ -67,9 +65,7 @@
unsigned char buf[MAX_KEY_BYTES] = { 0 };
mbedtls_ssl_ticket_key *key = ctx->keys + index;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-#endif
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
@@ -87,7 +83,6 @@
return ret;
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, key->alg);
@@ -98,12 +93,6 @@
psa_import_key(&attributes, buf,
PSA_BITS_TO_BYTES(key->key_bits),
&key->key));
-#else
- /* With GCM and CCM, same context can encrypt & decrypt */
- ret = mbedtls_cipher_setkey(&key->ctx, buf,
- mbedtls_cipher_get_key_bitlen(&key->ctx),
- MBEDTLS_ENCRYPT);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_platform_zeroize(buf, sizeof(buf));
@@ -124,9 +113,7 @@
mbedtls_time_t current_time = mbedtls_time(NULL);
mbedtls_time_t key_time = key->generation_time;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#endif
if (current_time >= key_time &&
(uint64_t) (current_time - key_time) < key->lifetime) {
@@ -135,11 +122,9 @@
ctx->active = 1 - ctx->active;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ssl_ticket_gen_key(ctx, ctx->active);
} else
@@ -159,19 +144,14 @@
mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const size_t bitlen = key->key_bits;
-#else
- const int bitlen = mbedtls_cipher_get_key_bitlen(&key->ctx);
-#endif
if (nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t) bitlen) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
@@ -189,12 +169,6 @@
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
}
-#else
- ret = mbedtls_cipher_setkey(&key->ctx, k, bitlen, MBEDTLS_ENCRYPT);
- if (ret != 0) {
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
ctx->active = idx;
ctx->ticket_lifetime = lifetime;
@@ -218,14 +192,9 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t key_bits;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg;
psa_key_type_t key_type;
-#else
- const mbedtls_cipher_info_t *cipher_info;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
&alg, &key_type, &key_bits) != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -234,17 +203,6 @@
if (PSA_ALG_IS_AEAD(alg) == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
-#else
- cipher_info = mbedtls_cipher_info_from_type(cipher);
-
- if (mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_GCM &&
- mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CCM &&
- mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CHACHAPOLY) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
-
- key_bits = mbedtls_cipher_info_get_key_bitlen(cipher_info);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (key_bits > 8 * MAX_KEY_BYTES) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -255,7 +213,6 @@
ctx->ticket_lifetime = lifetime;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->keys[0].alg = alg;
ctx->keys[0].key_type = key_type;
ctx->keys[0].key_bits = key_bits;
@@ -263,15 +220,6 @@
ctx->keys[1].alg = alg;
ctx->keys[1].key_type = key_type;
ctx->keys[1].key_bits = key_bits;
-#else
- if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) != 0) {
- return ret;
- }
-
- if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) != 0) {
- return ret;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 ||
(ret = ssl_ticket_gen_key(ctx, 1)) != 0) {
@@ -311,9 +259,7 @@
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
size_t clear_len, ciph_len;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#endif
*tlen = 0;
@@ -355,7 +301,6 @@
MBEDTLS_PUT_UINT16_BE(clear_len, state_len_bytes, 0);
/* Encrypt and authenticate */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_aead_encrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
key_name, TICKET_ADD_DATA_LEN,
state, clear_len,
@@ -364,17 +309,6 @@
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
-#else
- if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx,
- iv, TICKET_IV_BYTES,
- /* Additional data: key name, IV and length */
- key_name, TICKET_ADD_DATA_LEN,
- state, clear_len,
- state, (size_t) (end - state), &ciph_len,
- TICKET_AUTH_TAG_BYTES)) != 0) {
- goto cleanup;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -428,9 +362,7 @@
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
size_t enc_len, clear_len;
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
-#endif
if (ctx == NULL || ctx->f_rng == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -466,7 +398,6 @@
}
/* Decrypt and authenticate */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_aead_decrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
@@ -474,21 +405,6 @@
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
-#else
- if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx,
- iv, TICKET_IV_BYTES,
- /* Additional data: key name, IV and length */
- key_name, TICKET_ADD_DATA_LEN,
- ticket, enc_len + TICKET_AUTH_TAG_BYTES,
- ticket, enc_len, &clear_len,
- TICKET_AUTH_TAG_BYTES)) != 0) {
- if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
- ret = MBEDTLS_ERR_SSL_INVALID_MAC;
- }
-
- goto cleanup;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (clear_len != enc_len) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@@ -537,13 +453,8 @@
return;
}
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->keys[0].key);
psa_destroy_key(ctx->keys[1].key);
-#else
- mbedtls_cipher_free(&ctx->keys[0].ctx);
- mbedtls_cipher_free(&ctx->keys[1].ctx);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free(&ctx->mutex);