TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f057ecfedfea1e0a43e16a9134c7941c12534fd4^! / . / library / ssl_tls.c
commitf057ecfedfea1e0a43e16a9134c7941c12534fd4[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Fri Feb 24 13:19:17 2023 +0100
committerManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Fri Feb 24 13:30:55 2023 +0100
tree1f6ebc1416a36f032739d5746d49d4cf9bedc4d8
parent2cd751465c1fb25a7438e6da777d9ce883d1bb73 [diff] [blame]
Use MD not low-level sha256/512 in TLS

Same reasoning as in previous commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 778b006..7798d78 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -839,7 +839,13 @@
         return mbedtls_md_error_from_psa(status);
     }
 #else
-    ret = mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
+    ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
+                           mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+                           0);
+    if (ret != 0) {
+        return ret;
+    }
+    ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
     if (ret != 0) {
         return ret;
     }
@@ -856,7 +862,12 @@
         return mbedtls_md_error_from_psa(status);
     }
 #else
-    ret = mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
+    ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
+                           mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
+    if (ret != 0) {
+        return ret;
+    }
+    ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
     if (ret != 0) {
         return ret;
     }
@@ -887,7 +898,7 @@
         return mbedtls_md_error_from_psa(status);
     }
 #else
-    ret = mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
+    ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
     if (ret != 0) {
         return ret;
     }
@@ -900,7 +911,7 @@
         return mbedtls_md_error_from_psa(status);
     }
 #else
-    ret = mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
+    ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
     if (ret != 0) {
         return ret;
     }
@@ -917,7 +928,7 @@
     return mbedtls_md_error_from_psa(psa_hash_update(
                                          &ssl->handshake->fin_sha256_psa, buf, len));
 #else
-    return mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
+    return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
 #endif
 }
 #endif
@@ -930,7 +941,7 @@
     return mbedtls_md_error_from_psa(psa_hash_update(
                                          &ssl->handshake->fin_sha384_psa, buf, len));
 #else
-    return mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
+    return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
 #endif
 }
 #endif
@@ -943,14 +954,14 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     handshake->fin_sha256_psa = psa_hash_operation_init();
 #else
-    mbedtls_sha256_init(&handshake->fin_sha256);
+    mbedtls_md_init(&handshake->fin_sha256);
 #endif
 #endif
 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     handshake->fin_sha384_psa = psa_hash_operation_init();
 #else
-    mbedtls_sha512_init(&handshake->fin_sha384);
+    mbedtls_md_init(&handshake->fin_sha384);
 #endif
 #endif
 
@@ -4081,14 +4092,14 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_hash_abort(&handshake->fin_sha256_psa);
 #else
-    mbedtls_sha256_free(&handshake->fin_sha256);
+    mbedtls_md_free(&handshake->fin_sha256);
 #endif
 #endif
 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_hash_abort(&handshake->fin_sha384_psa);
 #else
-    mbedtls_sha512_free(&handshake->fin_sha384);
+    mbedtls_md_free(&handshake->fin_sha384);
 #endif
 #endif
 
@@ -5771,17 +5782,24 @@
                                                size_t *olen)
 {
     int ret;
-    mbedtls_sha512_context sha512;
+    mbedtls_md_context_t sha512;
 
     if (dst_len < 48) {
         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
     }
 
-    mbedtls_sha512_init(&sha512);
-    mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha384);
+    mbedtls_md_init(&sha512);
+    ret = mbedtls_md_setup(&sha512, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
+    if (ret != 0) {
+        goto exit;
+    }
+    ret = mbedtls_md_clone(&sha512, &ssl->handshake->fin_sha384);
+    if (ret != 0) {
+        goto exit;
+    }
 
-    if ((ret = mbedtls_sha512_finish(&sha512, dst)) != 0) {
-        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_sha512_finish", ret);
+    if ((ret = mbedtls_md_finish(&sha512, dst)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
         goto exit;
     }
 
@@ -5789,7 +5807,7 @@
 
 exit:
 
-    mbedtls_sha512_free(&sha512);
+    mbedtls_md_free(&sha512);
     return ret;
 }
 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
@@ -5802,17 +5820,24 @@
                                                size_t *olen)
 {
     int ret;
-    mbedtls_sha256_context sha256;
+    mbedtls_md_context_t sha256;
 
     if (dst_len < 32) {
         return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
     }
 
-    mbedtls_sha256_init(&sha256);
-    mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
+    mbedtls_md_init(&sha256);
+    ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+    if (ret != 0) {
+        goto exit;
+    }
+    ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
+    if (ret != 0) {
+        goto exit;
+    }
 
-    if ((ret = mbedtls_sha256_finish(&sha256, dst)) != 0) {
-        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_sha256_finish", ret);
+    if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
+        MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
         goto exit;
     }
 
@@ -5820,7 +5845,7 @@
 
 exit:
 
-    mbedtls_sha256_free(&sha256);
+    mbedtls_md_free(&sha256);
     return ret;
 }
 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
@@ -6603,15 +6628,22 @@
     return mbedtls_md_error_from_psa(status);
 #else
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    mbedtls_sha256_context sha256;
+    mbedtls_md_context_t sha256;
 
-    mbedtls_sha256_init(&sha256);
+    mbedtls_md_init(&sha256);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
 
-    mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
+    ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+    if (ret != 0) {
+        goto exit;
+    }
+    ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
+    if (ret != 0) {
+        goto exit;
+    }
 
-    ret = mbedtls_sha256_finish(&sha256, hash);
+    ret = mbedtls_md_finish(&sha256, hash);
     if (ret != 0) {
         goto exit;
     }
@@ -6622,7 +6654,7 @@
     MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
 
 exit:
-    mbedtls_sha256_free(&sha256);
+    mbedtls_md_free(&sha256);
     return ret;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 }
@@ -6658,15 +6690,22 @@
     return mbedtls_md_error_from_psa(status);
 #else
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    mbedtls_sha512_context sha512;
+    mbedtls_md_context_t sha512;
 
-    mbedtls_sha512_init(&sha512);
+    mbedtls_md_init(&sha512);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
 
-    mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha384);
+    ret = mbedtls_md_setup(&sha512, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
+    if (ret != 0) {
+        goto exit;
+    }
+    ret = mbedtls_md_clone(&sha512, &ssl->handshake->fin_sha384);
+    if (ret != 0) {
+        goto exit;
+    }
 
-    ret = mbedtls_sha512_finish(&sha512, hash);
+    ret = mbedtls_md_finish(&sha512, hash);
     if (ret != 0) {
         goto exit;
     }
@@ -6677,7 +6716,7 @@
     MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
 
 exit:
-    mbedtls_sha512_free(&sha512);
+    mbedtls_md_free(&sha512);
     return ret;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 }
@@ -7634,7 +7673,7 @@
     psa_status_t status;
 #else
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    mbedtls_sha256_context sha256;
+    mbedtls_md_context_t sha256;
 #endif
 
     mbedtls_ssl_session *session = ssl->session_negotiate;
@@ -7663,11 +7702,18 @@
     MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
 #else
 
-    mbedtls_sha256_init(&sha256);
+    mbedtls_md_init(&sha256);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc  finished tls sha256"));
 
-    mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
+    ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+    if (ret != 0) {
+        goto exit;
+    }
+    ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
+    if (ret != 0) {
+        goto exit;
+    }
 
     /*
      * TLSv1.2:
@@ -7675,7 +7721,7 @@
      *               Hash( handshake ) )[0.11]
      */
 
-    ret = mbedtls_sha256_finish(&sha256, padbuf);
+    ret = mbedtls_md_finish(&sha256, padbuf);
     if (ret != 0) {
         goto exit;
     }
@@ -7697,7 +7743,7 @@
     psa_hash_abort(&sha256_psa);
     return mbedtls_md_error_from_psa(status);
 #else
-    mbedtls_sha256_free(&sha256);
+    mbedtls_md_free(&sha256);
     return ret;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 }
@@ -7717,7 +7763,7 @@
     psa_status_t status;
 #else
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-    mbedtls_sha512_context sha512;
+    mbedtls_md_context_t sha512;
 #endif
 
     mbedtls_ssl_session *session = ssl->session_negotiate;
@@ -7745,11 +7791,18 @@
     }
     MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
 #else
-    mbedtls_sha512_init(&sha512);
+    mbedtls_md_init(&sha512);
 
     MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc  finished tls sha384"));
 
-    mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha384);
+    ret = mbedtls_md_setup(&sha512, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
+    if (ret != 0) {
+        goto exit;
+    }
+    ret = mbedtls_md_clone(&sha512, &ssl->handshake->fin_sha384);
+    if (ret != 0) {
+        goto exit;
+    }
 
     /*
      * TLSv1.2:
@@ -7757,7 +7810,7 @@
      *               Hash( handshake ) )[0.11]
      */
 
-    ret = mbedtls_sha512_finish(&sha512, padbuf);
+    ret = mbedtls_md_finish(&sha512, padbuf);
     if (ret != 0) {
         goto exit;
     }
@@ -7779,7 +7832,7 @@
     psa_hash_abort(&sha384_psa);
     return mbedtls_md_error_from_psa(status);
 #else
-    mbedtls_sha512_free(&sha512);
+    mbedtls_md_free(&sha512);
     return ret;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 }