mirror of
https://github.com/ARMmbed/mbedtls.git
synced 2025-05-09 00:21:18 +08:00
Remove MBEDTLS_KEY_EXCHANGE_RSA_PSK
Remove mentions of MBEDTLS_KEY_EXCHANGE_RSA_PSK that were not guarded by the configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED. This finishes the removal of library code that supports the RSA-PSK key exchange in TLS 1.2. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
parent
ac767e5c69
commit
712e9a1c3e
@ -262,7 +262,6 @@ typedef enum {
|
|||||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
|
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
|
||||||
MBEDTLS_KEY_EXCHANGE_PSK,
|
MBEDTLS_KEY_EXCHANGE_PSK,
|
||||||
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
|
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
|
||||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
|
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
|
MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
|
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
|
||||||
|
|||||||
@ -1783,7 +1783,6 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphe
|
|||||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
return MBEDTLS_PK_RSA;
|
return MBEDTLS_PK_RSA;
|
||||||
|
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
@ -1803,7 +1802,6 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
|
|||||||
{
|
{
|
||||||
switch (info->key_exchange) {
|
switch (info->key_exchange) {
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
return PSA_ALG_RSA_PKCS1V15_CRYPT;
|
return PSA_ALG_RSA_PKCS1V15_CRYPT;
|
||||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
@ -1826,7 +1824,6 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c
|
|||||||
{
|
{
|
||||||
switch (info->key_exchange) {
|
switch (info->key_exchange) {
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
return PSA_KEY_USAGE_DECRYPT;
|
return PSA_KEY_USAGE_DECRYPT;
|
||||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
@ -1887,7 +1884,6 @@ int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
|
|||||||
{
|
{
|
||||||
switch (info->key_exchange) {
|
switch (info->key_exchange) {
|
||||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||||
return 1;
|
return 1;
|
||||||
|
|||||||
@ -50,7 +50,6 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t
|
|||||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
@ -93,7 +92,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_cipher
|
|||||||
{
|
{
|
||||||
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
|
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
|||||||
@ -7016,11 +7016,6 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
|
|||||||
* Other secret is stored in premaster, where first 2 bytes hold the
|
* Other secret is stored in premaster, where first 2 bytes hold the
|
||||||
* length of the other key.
|
* length of the other key.
|
||||||
*/
|
*/
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
/* For RSA-PSK other key length is always 48 bytes. */
|
|
||||||
other_secret_len = 48;
|
|
||||||
other_secret = handshake->premaster + 2;
|
|
||||||
break;
|
|
||||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||||
other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
|
other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
|
||||||
@ -7820,10 +7815,6 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SRV_C)
|
#if defined(MBEDTLS_SSL_SRV_C)
|
||||||
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
|
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
|
||||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
|
||||||
return SSL_CERTIFICATE_SKIP;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
|
if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
|
||||||
ssl->session_negotiate->verify_result =
|
ssl->session_negotiate->verify_result =
|
||||||
MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
||||||
@ -9670,7 +9661,6 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
|
|||||||
/* TLS 1.2 server part of the key exchange */
|
/* TLS 1.2 server part of the key exchange */
|
||||||
switch (ciphersuite->key_exchange) {
|
switch (ciphersuite->key_exchange) {
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
|
||||||
usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
|
usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|||||||
@ -2141,8 +2141,7 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
|
|||||||
* doesn't use a psk_identity_hint
|
* doesn't use a psk_identity_hint
|
||||||
*/
|
*/
|
||||||
if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
|
if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
|
||||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
|
||||||
/* Current message is probably either
|
/* Current message is probably either
|
||||||
* CertificateRequest or ServerHelloDone */
|
* CertificateRequest or ServerHelloDone */
|
||||||
ssl->keep_current_message = 1;
|
ssl->keep_current_message = 1;
|
||||||
@ -2172,7 +2171,6 @@ start_processing:
|
|||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
|
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
|
||||||
if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
|
if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
|
||||||
@ -2187,8 +2185,7 @@ start_processing:
|
|||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
|
||||||
; /* nothing more to do */
|
; /* nothing more to do */
|
||||||
} else
|
} else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||||
|
|||||||
@ -3670,8 +3670,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
|||||||
|
|
||||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||||
if ((ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) &&
|
|
||||||
(ssl->handshake->async_in_progress != 0)) {
|
(ssl->handshake->async_in_progress != 0)) {
|
||||||
/* We've already read a record and there is an asynchronous
|
/* We've already read a record and there is an asynchronous
|
||||||
* operation in progress to decrypt it. So skip reading the
|
* operation in progress to decrypt it. So skip reading the
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user