ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-05-11 17:32:34 +08:00
Code Issues Releases Wiki Activity

Rm dead !USE_PSA code: ssl_tls12_client (part 1)

Browse Source 
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls12_client.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2025-01-23 11:21:19 +01:00
parent 8fcfcf947c
commit fef408976f
1 changed files with 0 additions and 228 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

228
library/ssl_tls12_client.c
View File

@ -17,7 +17,6 @@
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/constant_time.h" #include "mbedtls/constant_time.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h" #include "psa_util_internal.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@ -31,7 +30,6 @@ static int local_err_translation(psa_status_t status)
} }
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h> #include <string.h>
@ -136,15 +134,9 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
*olen = 0; *olen = 0;
/* Skip costly extension if we can't use EC J-PAKE anyway */ /* Skip costly extension if we can't use EC J-PAKE anyway */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->psa_pake_ctx_is_ok != 1) { if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
return 0; return 0;
} }
#else
if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG(3, MBEDTLS_SSL_DEBUG_MSG(3,
("client hello, adding ecjpake_kkpp extension")); ("client hello, adding ecjpake_kkpp extension"));
@ -163,7 +155,6 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
ssl->handshake->ecjpake_cache_len == 0) { ssl->handshake->ecjpake_cache_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters")); MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
p + 2, end - p - 2, &kkpp_len, p + 2, end - p - 2, &kkpp_len,
MBEDTLS_ECJPAKE_ROUND_ONE); MBEDTLS_ECJPAKE_ROUND_ONE);
@ -173,16 +164,6 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return ret; return ret;
} }
#else
ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
p + 2, end - p - 2, &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ecjpake_write_round_one", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len); ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
if (ssl->handshake->ecjpake_cache == NULL) { if (ssl->handshake->ecjpake_cache == NULL) {
@ -873,7 +854,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
ssl->handshake->ecjpake_cache = NULL; ssl->handshake->ecjpake_cache = NULL;
ssl->handshake->ecjpake_cache_len = 0; ssl->handshake->ecjpake_cache_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round( if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, buf, len, &ssl->handshake->psa_pake_ctx, buf, len,
MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) { MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
@ -889,19 +869,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
} }
return 0; return 0;
#else
if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
buf, len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return ret;
}
return 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} }
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@ -1700,7 +1667,6 @@ static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@ -1774,83 +1740,6 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#else
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
{
uint16_t tls_id;
mbedtls_ecp_group_id grp_id;
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
grp_id = ssl->handshake->ecdh_ctx.grp.id;
#else
grp_id = ssl->handshake->ecdh_ctx.grp_id;
#endif
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
return -1;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH*_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
/*
* Ephemeral ECDH parameters:
*
* struct {
* ECParameters curve_params;
* ECPoint public;
* } ServerECDHParams;
*/
if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
(const unsigned char **) p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
if (ssl_check_server_ecdh_params(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1,
("bad server key exchange message (ECDHE curve)"));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_*_ENABLED */
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
@ -1999,7 +1888,6 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk); const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */ #endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint16_t tls_id = 0; uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE; psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk); mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
@ -2041,18 +1929,6 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
} }
ssl->handshake->xxdh_psa_peerkey_len = olen; ssl->handshake->xxdh_psa_peerkey_len = olen;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
MBEDTLS_ECDH_THEIRS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
}
if (ssl_check_server_ecdh_params(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it, /* We don't need the peer's public key anymore. Free it,
* so that more RAM is available for upcoming expensive * so that more RAM is available for upcoming expensive
@ -2212,7 +2088,6 @@ start_processing:
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* /*
* The first 3 bytes are: * The first 3 bytes are:
* [0] MBEDTLS_ECP_TLS_NAMED_CURVE * [0] MBEDTLS_ECP_TLS_NAMED_CURVE
@ -2249,18 +2124,6 @@ start_processing:
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
#else
ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
p, end - p);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{ {
@ -2733,7 +2596,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t key_attributes; psa_key_attributes_t key_attributes;
@ -2805,67 +2667,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) { if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
} }
#else
/*
* ECDH key exchange -- send client public value
*/
header_len = 4;
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ssl->handshake->ecrs_enabled) {
if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
goto ecdh_calc_secret;
}
mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
}
#endif
ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
&content_len,
&ssl->out_msg[header_len], 1000,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ssl->handshake->ecrs_enabled) {
ssl->handshake->ecrs_n = content_len;
ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
}
ecdh_calc_secret:
if (ssl->handshake->ecrs_enabled) {
content_len = ssl->handshake->ecrs_n;
}
#endif
if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Z);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
@ -3056,15 +2857,6 @@ ecdh_calc_secret:
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
} }
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
@ -3080,7 +2872,6 @@ ecdh_calc_secret:
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
header_len = 4; header_len = 4;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *out_p = ssl->out_msg + header_len; unsigned char *out_p = ssl->out_msg + header_len;
unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
header_len; header_len;
@ -3093,25 +2884,6 @@ ecdh_calc_secret:
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret); MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return ret; return ret;
} }
#else
ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
ssl->out_msg + header_len,
MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
&content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
return ret;
}
ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else } else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
{ {