commit cf8841a0761a1b90bdd936aae55d03c237d6b847
author Neil Armstrong <narmstrong@baylibre.com> Thu Feb 24 11:17:45 2022 +0100
committer Neil Armstrong <narmstrong@baylibre.com> Fri Feb 25 15:16:49 2022 +0100
tree 6c0e4941d607861fe172748f07608a14a04cbdfc
parent 4f091290bd5faa110bdee1f2e3eb14e4df98254e

Remove non-PSA MAC keys in mbedtls_ssl_transform when MBEDTLS_USE_PSA_CRYPTO is defined

Also remove last usage of non-PSA MAC keys in ssl_decrypt_non_etm_cbc() SSL test.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>

library/ssl_misc.h

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 73504a6..9de5239 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -952,10 +952,10 @@
     mbedtls_svc_key_id_t psa_mac_enc;           /*!<  MAC (encryption)        */
     mbedtls_svc_key_id_t psa_mac_dec;           /*!<  MAC (decryption)        */
     psa_algorithm_t psa_mac_alg;                /*!<  psa MAC algorithm       */
-#endif
-
+#else
     mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
     mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     int encrypt_then_mac;       /*!< flag for EtM activation                */

library/ssl_msg.c

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 7445cb5..b8809fb 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5755,9 +5755,10 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_destroy_key( transform->psa_mac_enc );
     psa_destroy_key( transform->psa_mac_dec );
-#endif
+#else
     mbedtls_md_free( &transform->md_ctx_enc );
     mbedtls_md_free( &transform->md_ctx_dec );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #endif
 
     mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 60795e0..336f92d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -613,10 +613,11 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
     transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
-#endif
+#else
     mbedtls_md_init( &transform->md_ctx_enc );
     mbedtls_md_init( &transform->md_ctx_dec );
 #endif
+#endif
 }
 
 void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
@@ -7174,6 +7175,7 @@
     if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ||
         mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
     {
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
         /* Initialize HMAC contexts */
         if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
             ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
@@ -7181,6 +7183,7 @@
             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
             goto end;
         }
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
 
         /* Get MAC length */
         mac_key_len = mbedtls_md_get_size( md_info );
@@ -7328,13 +7331,14 @@
             MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_mac_key", ret );
             goto end;
         }
-#endif
+#else
         ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
         if( ret != 0 )
             goto end;
         ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
         if( ret != 0 )
             goto end;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
     }
 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
 

tests/suites/test_suite_ssl.function

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 31f9b72..0ec8b95 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1383,7 +1383,7 @@
         CHK( psa_import_key( &attributes,
                              md0, maclen,
                              &t_out->psa_mac_dec ) == PSA_SUCCESS );
-#endif
+#else
         CHK( mbedtls_md_setup( &t_out->md_ctx_enc, md_info, 1 ) == 0 );
         CHK( mbedtls_md_setup( &t_out->md_ctx_dec, md_info, 1 ) == 0 );
         CHK( mbedtls_md_setup( &t_in->md_ctx_enc,  md_info, 1 ) == 0 );
@@ -1397,6 +1397,7 @@
                                         md1, maclen ) == 0 );
         CHK( mbedtls_md_hmac_starts( &t_out->md_ctx_dec,
                                         md0, maclen ) == 0 );
+#endif
     }
 #else
     ((void) hash_id);
@@ -3724,6 +3725,10 @@
     unsigned char padlen; /* excluding the padding_length byte */
     unsigned char add_data[13];
     unsigned char mac[MBEDTLS_MD_MAX_SIZE];
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+    size_t sign_mac_length = 0;
+#endif
     int exp_ret;
     int ret;
     const unsigned char pad_max_len = 255; /* Per the standard */
@@ -3807,11 +3812,24 @@
      */
 
     /* MAC with additional data */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_setup( &operation,
+                                                 t0.psa_mac_enc,
+                                                 t0.psa_mac_alg ) );
+    TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation, add_data, 13 ) );
+    TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation,
+                                             rec.buf + rec.data_offset,
+                                             rec.data_len ) );
+    TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_finish( &operation,
+                                                  mac, MBEDTLS_MD_MAX_SIZE,
+                                                  &sign_mac_length ) );
+#else
     TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
     TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc,
                                            rec.buf + rec.data_offset,
                                            rec.data_len ) );
     TEST_EQUAL( 0, mbedtls_md_hmac_finish( &t0.md_ctx_enc, mac ) );
+#endif
 
     memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
     rec.data_len += t0.maclen;