Move ssl_ticket to the PSA API
Convert the mbedtl_ssl_ticket_setup function to use the TF_PSA_Crypto
API.
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
diff --git a/ChangeLog.d/9874.txt b/ChangeLog.d/9874.txt
new file mode 100644
index 0000000..efcaa3a
--- /dev/null
+++ b/ChangeLog.d/9874.txt
@@ -0,0 +1,2 @@
+API changes
+ * Convert the mbedtl_ssl_ticket_setup function to use the TF_PSA_Crypto API.
diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h
index c05e640..6dfe371 100644
--- a/include/mbedtls/ssl_ticket.h
+++ b/include/mbedtls/ssl_ticket.h
@@ -20,7 +20,6 @@
*/
#include "mbedtls/ssl.h"
-#include "mbedtls/cipher.h"
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
@@ -93,8 +92,12 @@
* \param ctx Context to be set up
* \param f_rng RNG callback function (mandatory)
* \param p_rng RNG callback context
- * \param cipher AEAD cipher to use for ticket protection.
- * Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
+ * \param alg Cryptographic algorithm to use recomended value
+ * PSA_ALG_GCM from include/psa/crypto_values.h.
+ * \param key_type Cryptographic key type to use recomended value
+ * PSA_KEY_TYPE_AES from include/psa/crypto_values.h.
+ * \param key_bits Cryptographic key type to use recomended value
+ * PSA_KEY_TYPE_AES from include/psa/crypto_values.h.
* \param lifetime Tickets lifetime in seconds
* Recommended value: 86400 (one day).
*
@@ -117,7 +120,7 @@
*/
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_cipher_type_t cipher,
+ psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime);
/**
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index b770a88..8653e2d 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -186,19 +186,10 @@
*/
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- mbedtls_cipher_type_t cipher,
+ psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t key_bits;
-
- psa_algorithm_t alg;
- psa_key_type_t key_type;
-
- if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
- &alg, &key_type, &key_bits) != PSA_SUCCESS) {
- return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
- }
if (PSA_ALG_IS_AEAD(alg) == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
index 64b35ed..28f9e33 100644
--- a/programs/fuzz/fuzz_server.c
+++ b/programs/fuzz/fuzz_server.c
@@ -131,10 +131,13 @@
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
if (options & 0x4) {
- if (mbedtls_ssl_ticket_setup(&ticket_ctx,
- dummy_random, &ctr_drbg,
- MBEDTLS_CIPHER_AES_256_GCM,
- 86400) != 0) {
+ if (mbedtls_ssl_ticket_setup(&ticket_ctx, //context
+ dummy_random, //f_rng
+ &ctr_drbg, //p_rng
+ PSA_ALG_GCM, //alg
+ PSA_KEY_TYPE_AES, //key_type
+ 256, //key_bits
+ 86400) != 0) { //lifetime
goto exit;
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 579c0a1..b1c1359 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -115,7 +115,9 @@
#define DFL_DUMMY_TICKET 0
#define DFL_TICKET_ROTATE 0
#define DFL_TICKET_TIMEOUT 86400
-#define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM
+#define DFL_TICKET_ALG PSA_ALG_GCM
+#define DFL_TICKET_KEY_TYPE PSA_KEY_TYPE_AES
+#define DFL_TICKET_KEY_BITS 256
#define DFL_CACHE_MAX -1
#define DFL_CACHE_TIMEOUT -1
#define DFL_CACHE_REMOVE 0
@@ -661,7 +663,9 @@
int dummy_ticket; /* enable / disable dummy ticket generator */
int ticket_rotate; /* session ticket rotate (code coverage) */
int ticket_timeout; /* session ticket lifetime */
- int ticket_aead; /* session ticket protection */
+ int ticket_alg; /* session ticket algorithm */
+ int ticket_key_type; /* session ticket key type */
+ int ticket_key_bits; /* session ticket key size in bits */
int cache_max; /* max number of session cache entries */
#if defined(MBEDTLS_HAVE_TIME)
int cache_timeout; /* expiration delay of session cache entries*/
@@ -1472,38 +1476,71 @@
static int parse_cipher(char *buf)
{
+ int rc = 0;
if (strcmp(buf, "AES-128-CCM")) {
- return MBEDTLS_CIPHER_AES_128_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_AES;
+ opt.ticket_key_bits = 128;
} else if (strcmp(buf, "AES-128-GCM")) {
- return MBEDTLS_CIPHER_AES_128_GCM;
+ opt.ticket_alg = PSA_ALG_GCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_AES;
+ opt.ticket_key_bits = 128;
} else if (strcmp(buf, "AES-192-CCM")) {
- return MBEDTLS_CIPHER_AES_192_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_AES;
+ opt.ticket_key_bits = 192;
} else if (strcmp(buf, "AES-192-GCM")) {
- return MBEDTLS_CIPHER_AES_192_GCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_AES;
+ opt.ticket_key_bits = 192;
} else if (strcmp(buf, "AES-256-CCM")) {
- return MBEDTLS_CIPHER_AES_256_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_AES;
+ opt.ticket_key_bits = 128;
} else if (strcmp(buf, "ARIA-128-CCM")) {
- return MBEDTLS_CIPHER_ARIA_128_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
+ opt.ticket_key_bits = 128;
} else if (strcmp(buf, "ARIA-128-GCM")) {
- return MBEDTLS_CIPHER_ARIA_128_GCM;
+ opt.ticket_alg = PSA_ALG_GCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
+ opt.ticket_key_bits = 128;
} else if (strcmp(buf, "ARIA-192-CCM")) {
- return MBEDTLS_CIPHER_ARIA_192_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
+ opt.ticket_key_bits = 192;
} else if (strcmp(buf, "ARIA-192-GCM")) {
- return MBEDTLS_CIPHER_ARIA_192_GCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
+ opt.ticket_key_bits = 192;
} else if (strcmp(buf, "ARIA-256-CCM")) {
- return MBEDTLS_CIPHER_ARIA_256_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
+ opt.ticket_key_bits = 256;
} else if (strcmp(buf, "ARIA-256-GCM")) {
- return MBEDTLS_CIPHER_ARIA_256_GCM;
+ opt.ticket_alg = PSA_ALG_GCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_ARIA;
+ opt.ticket_key_bits = 256;
} else if (strcmp(buf, "CAMELLIA-128-CCM")) {
- return MBEDTLS_CIPHER_CAMELLIA_128_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_CAMELLIA;
+ opt.ticket_key_bits = 128;
} else if (strcmp(buf, "CAMELLIA-192-CCM")) {
- return MBEDTLS_CIPHER_CAMELLIA_192_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_CAMELLIA;
+ opt.ticket_key_bits = 192;
} else if (strcmp(buf, "CAMELLIA-256-CCM")) {
- return MBEDTLS_CIPHER_CAMELLIA_256_CCM;
+ opt.ticket_alg = PSA_ALG_CCM;
+ opt.ticket_key_type = PSA_KEY_TYPE_CAMELLIA;
+ opt.ticket_key_bits = 256;
} else if (strcmp(buf, "CHACHA20-POLY1305")) {
- return MBEDTLS_CIPHER_CHACHA20_POLY1305;
+ opt.ticket_alg = PSA_ALG_CHACHA20_POLY1305;
+ opt.ticket_key_type = PSA_KEY_TYPE_CHACHA20;
+ opt.ticket_key_bits = 256;
+ } else {
+ rc = -1;
}
- return MBEDTLS_CIPHER_NONE;
+ return rc;
}
int main(int argc, char *argv[])
@@ -1740,7 +1777,9 @@
opt.dummy_ticket = DFL_DUMMY_TICKET;
opt.ticket_rotate = DFL_TICKET_ROTATE;
opt.ticket_timeout = DFL_TICKET_TIMEOUT;
- opt.ticket_aead = DFL_TICKET_AEAD;
+ opt.ticket_alg = DFL_TICKET_ALG;
+ opt.ticket_key_type = DFL_TICKET_KEY_TYPE;
+ opt.ticket_key_bits = DFL_TICKET_KEY_BITS;
opt.cache_max = DFL_CACHE_MAX;
#if defined(MBEDTLS_HAVE_TIME)
opt.cache_timeout = DFL_CACHE_TIMEOUT;
@@ -2191,9 +2230,7 @@
goto usage;
}
} else if (strcmp(p, "ticket_aead") == 0) {
- opt.ticket_aead = parse_cipher(q);
-
- if (opt.ticket_aead == MBEDTLS_CIPHER_NONE) {
+ if (parse_cipher(q) != 0) {
goto usage;
}
} else if (strcmp(p, "cache_max") == 0) {
@@ -2963,8 +3000,11 @@
#endif /* MBEDTLS_HAVE_TIME */
{
if ((ret = mbedtls_ssl_ticket_setup(&ticket_ctx,
- rng_get, &rng,
- opt.ticket_aead,
+ rng_get,
+ &rng,
+ opt.ticket_alg,
+ opt.ticket_key_type,
+ opt.ticket_key_bits,
opt.ticket_timeout)) != 0) {
mbedtls_printf(
" failed\n ! mbedtls_ssl_ticket_setup returned %d\n\n",