Unify ssl_calc_finished_tls_sha{256,384}
Saves about 50-60 bytes on m0+ depending on whether USE_PSA is set.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8e63548..876a32e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7639,20 +7639,22 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-#if defined(MBEDTLS_MD_CAN_SHA256)
-static int ssl_calc_finished_tls_sha256(
- mbedtls_ssl_context *ssl, unsigned char *buf, int from)
+static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
+ unsigned char *padbuf, size_t hlen,
+ unsigned char *buf, int from)
{
int len = 12;
const char *sender;
- unsigned char padbuf[32];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t hash_size;
- psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
psa_status_t status;
+ psa_hash_operation_t *hs_op = ctx;
+ psa_hash_operation_t copy = PSA_HASH_OPERATION_INIT;
+ size_t hash_size;
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t sha256;
+ mbedtls_md_context_t *hs_ctx = ctx;
+ mbedtls_md_context_t copy;
+ mbedtls_md_init(©);
#endif
mbedtls_ssl_session *session = ssl->session_negotiate;
@@ -7665,67 +7667,76 @@
: "server finished";
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- sha256_psa = psa_hash_operation_init();
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha256"));
-
- status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
+ status = psa_hash_clone(hs_op, ©);
if (status != PSA_SUCCESS) {
goto exit;
}
- status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
+ status = psa_hash_finish(©, padbuf, hlen, &hash_size);
if (status != PSA_SUCCESS) {
goto exit;
}
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
+ MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
#else
+ MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
- mbedtls_md_init(&sha256);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha256"));
-
- ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+ ret = mbedtls_md_setup(©, mbedtls_md_info_from_ctx(hs_ctx), 0);
if (ret != 0) {
goto exit;
}
- ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
+ ret = mbedtls_md_clone(©, hs_ctx);
if (ret != 0) {
goto exit;
}
+ ret = mbedtls_md_finish(©, padbuf);
+ if (ret != 0) {
+ goto exit;
+ }
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+ MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
+
/*
* TLSv1.2:
* hash = PRF( master, finished_label,
* Hash( handshake ) )[0.11]
*/
-
- ret = mbedtls_md_finish(&sha256, padbuf);
- if (ret != 0) {
- goto exit;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
- MBEDTLS_SSL_DEBUG_BUF(4, "finished sha256 output", padbuf, 32);
-
ssl->handshake->tls_prf(session->master, 48, sender,
- padbuf, 32, buf, len);
+ padbuf, hlen, buf, len);
MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
+ MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&sha256_psa);
+ psa_hash_abort(©);
return mbedtls_md_error_from_psa(status);
#else
- mbedtls_md_free(&sha256);
+ mbedtls_md_free(©);
return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
+
+#if defined(MBEDTLS_MD_CAN_SHA256)
+static int ssl_calc_finished_tls_sha256(
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from)
+{
+ unsigned char padbuf[32];
+ return ssl_calc_finished_tls_generic(ssl,
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ &ssl->handshake->fin_sha256_psa,
+#else
+ &ssl->handshake->fin_sha256,
+#endif
+ padbuf, sizeof(padbuf),
+ buf, from);
+}
#endif /* MBEDTLS_MD_CAN_SHA256*/
@@ -7733,87 +7744,15 @@
static int ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
- int len = 12;
- const char *sender;
unsigned char padbuf[48];
+ return ssl_calc_finished_tls_generic(ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- size_t hash_size;
- psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
- psa_status_t status;
+ &ssl->handshake->fin_sha384_psa,
#else
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_md_context_t sha384;
+ &ssl->handshake->fin_sha384,
#endif
-
- mbedtls_ssl_session *session = ssl->session_negotiate;
- if (!session) {
- session = ssl->session;
- }
-
- sender = (from == MBEDTLS_SSL_IS_CLIENT)
- ? "client finished"
- : "server finished";
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- sha384_psa = psa_hash_operation_init();
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha384"));
-
- status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
-
- status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
- if (status != PSA_SUCCESS) {
- goto exit;
- }
- MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
-#else
- mbedtls_md_init(&sha384);
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha384"));
-
- ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
- if (ret != 0) {
- goto exit;
- }
- ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
- if (ret != 0) {
- goto exit;
- }
-
- /*
- * TLSv1.2:
- * hash = PRF( master, finished_label,
- * Hash( handshake ) )[0.11]
- */
-
- ret = mbedtls_md_finish(&sha384, padbuf);
- if (ret != 0) {
- goto exit;
- }
-#endif
-
- MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 output", padbuf, 48);
-
- ssl->handshake->tls_prf(session->master, 48, sender,
- padbuf, 48, buf, len);
-
- MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
-
- mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
-
- MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
-
-exit:
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&sha384_psa);
- return mbedtls_md_error_from_psa(status);
-#else
- mbedtls_md_free(&sha384);
- return ret;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ padbuf, sizeof(padbuf),
+ buf, from);
}
#endif /* MBEDTLS_MD_CAN_SHA384*/