mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-29 08:14:27 +01:00
Merge pull request #3694 from AndrzejKurek/transform-cipher-optimization
Merge enc/dec cipher contexts in ssl transforms
This commit is contained in:
commit
73680ad5a2
@ -86,6 +86,7 @@
|
||||
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
|
||||
#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
|
||||
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#define MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS
|
||||
|
||||
/* Compile-time fixed parts of the SSL configuration */
|
||||
#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
|
||||
|
@ -672,6 +672,11 @@
|
||||
#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS) && \
|
||||
defined(MBEDTLS_ARC4_C)
|
||||
#error "MBEDTLS_ARC4_C cannot be defined with MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS on"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
|
||||
defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1))
|
||||
#error "Illegal protocol selection"
|
||||
|
@ -3284,6 +3284,20 @@
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS
|
||||
* Use one cipher context for both decryption and encryption in ssl transforms.
|
||||
*
|
||||
* This change saves some RAM, but makes the operations last longer:
|
||||
* before every encryption and decryption a key is set on the context.
|
||||
*
|
||||
* This change will not work with MBEDTLS_ARC4_C, since it requires an
|
||||
* additional table and offsets to be saved between cipher calls, and this
|
||||
* contradicts key resetting before each use.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_THREADING_C
|
||||
*
|
||||
|
@ -756,9 +756,15 @@ struct mbedtls_ssl_transform
|
||||
z_stream ctx_inflate; /*!< decompression context */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
unsigned char *key_enc;
|
||||
unsigned char *key_dec;
|
||||
unsigned int key_bitlen;
|
||||
mbedtls_cipher_context_t cipher_ctx; /*!< encryption/decryption context */
|
||||
#else
|
||||
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
|
||||
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
|
||||
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
|
||||
/* We need the Hello random bytes in order to re-derive keys from the
|
||||
* Master Secret and other session info, see ssl_populate_transform() */
|
||||
|
@ -1563,7 +1563,21 @@ int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
||||
iv_copy_len );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx,
|
||||
cipher_info ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
|
||||
return( ret );
|
||||
}
|
||||
transform->key_enc = mbedtls_calloc( 1, cipher_info->key_bitlen >> 3 );
|
||||
transform->key_dec = mbedtls_calloc( 1, cipher_info->key_bitlen >> 3 );
|
||||
|
||||
memcpy( transform->key_enc, key1, cipher_info->key_bitlen >> 3 );
|
||||
memcpy( transform->key_dec, key2, cipher_info->key_bitlen >> 3 );
|
||||
|
||||
transform->key_bitlen = cipher_info->key_bitlen;
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
|
||||
cipher_info ) ) != 0 )
|
||||
{
|
||||
@ -1593,10 +1607,18 @@ int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
if( cipher_info->mode == MBEDTLS_MODE_CBC )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx,
|
||||
MBEDTLS_PADDING_NONE ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
|
||||
MBEDTLS_PADDING_NONE ) ) != 0 )
|
||||
{
|
||||
@ -1610,6 +1632,7 @@ int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
|
||||
return( ret );
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
|
||||
@ -2554,9 +2577,11 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
|
||||
data, rec->data_len );
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx );
|
||||
#else
|
||||
mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
|
||||
|
||||
#endif
|
||||
if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
|
||||
@ -2671,7 +2696,25 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
|
||||
"including %d bytes of padding",
|
||||
rec->data_len, 0 ) );
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx,
|
||||
transform->key_enc,
|
||||
transform->key_bitlen,
|
||||
MBEDTLS_ENCRYPT ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx,
|
||||
transform->iv_enc, transform->ivlen,
|
||||
data, rec->data_len,
|
||||
data, &olen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
|
||||
transform->iv_enc, transform->ivlen,
|
||||
data, rec->data_len,
|
||||
@ -2680,7 +2723,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif
|
||||
if( rec->data_len != olen )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
@ -2754,7 +2797,27 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
/*
|
||||
* Encrypt and authenticate
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx,
|
||||
transform->key_enc,
|
||||
transform->key_bitlen,
|
||||
MBEDTLS_ENCRYPT ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx,
|
||||
iv, transform->ivlen,
|
||||
add_data, add_data_len, /* add data */
|
||||
data, rec->data_len, /* source */
|
||||
data, &rec->data_len, /* destination */
|
||||
data + rec->data_len, transform->taglen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
|
||||
iv, transform->ivlen,
|
||||
add_data, add_data_len, /* add data */
|
||||
@ -2765,7 +2828,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif
|
||||
MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
|
||||
data + rec->data_len, transform->taglen );
|
||||
|
||||
@ -2841,7 +2904,26 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
"including %d bytes of IV and %d bytes of padding",
|
||||
rec->data_len, transform->ivlen,
|
||||
padlen + 1 ) );
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx,
|
||||
transform->key_enc,
|
||||
transform->key_bitlen,
|
||||
MBEDTLS_ENCRYPT ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx,
|
||||
transform->iv_enc,
|
||||
transform->ivlen,
|
||||
data, rec->data_len,
|
||||
data, &olen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
|
||||
transform->iv_enc,
|
||||
transform->ivlen,
|
||||
@ -2851,7 +2933,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif
|
||||
if( rec->data_len != olen )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
@ -2866,8 +2948,13 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
||||
/*
|
||||
* Save IV in SSL3 and TLS1
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mbedtls_platform_memcpy( transform->iv_enc, transform->cipher_ctx.iv,
|
||||
transform->ivlen );
|
||||
#else
|
||||
mbedtls_platform_memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,
|
||||
transform->ivlen );
|
||||
#endif
|
||||
}
|
||||
else
|
||||
#endif
|
||||
@ -2968,8 +3055,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
}
|
||||
|
||||
data = rec->buf + rec->data_offset;
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx );
|
||||
#else
|
||||
mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
|
||||
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
/*
|
||||
* Match record's CID with incoming CID.
|
||||
@ -2985,6 +3075,25 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
if( mode == MBEDTLS_MODE_STREAM )
|
||||
{
|
||||
padlen = 0;
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx,
|
||||
transform->key_dec,
|
||||
transform->key_bitlen,
|
||||
MBEDTLS_DECRYPT ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx,
|
||||
transform->iv_dec,
|
||||
transform->ivlen,
|
||||
data, rec->data_len,
|
||||
data, &olen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
|
||||
transform->iv_dec,
|
||||
transform->ivlen,
|
||||
@ -2994,7 +3103,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif
|
||||
if( rec->data_len != olen )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
@ -3082,6 +3191,31 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
/*
|
||||
* Decrypt and authenticate
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx,
|
||||
transform->key_dec,
|
||||
transform->key_bitlen,
|
||||
MBEDTLS_DECRYPT ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx,
|
||||
iv, transform->ivlen,
|
||||
add_data, add_data_len,
|
||||
data, rec->data_len,
|
||||
data, &olen,
|
||||
data + rec->data_len,
|
||||
transform->taglen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
|
||||
|
||||
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
|
||||
return( MBEDTLS_ERR_SSL_INVALID_MAC );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
|
||||
iv, transform->ivlen,
|
||||
add_data, add_data_len,
|
||||
@ -3097,6 +3231,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif
|
||||
|
||||
auth_done++;
|
||||
|
||||
/* Double-check that AEAD decryption doesn't change content length. */
|
||||
@ -3239,7 +3375,23 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
/* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx,
|
||||
transform->key_dec,
|
||||
transform->key_bitlen,
|
||||
MBEDTLS_DECRYPT ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
|
||||
return( ret );
|
||||
}
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx,
|
||||
transform->iv_dec, transform->ivlen,
|
||||
data, rec->data_len, data, &olen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
#else
|
||||
if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
|
||||
transform->iv_dec, transform->ivlen,
|
||||
data, rec->data_len, data, &olen ) ) != 0 )
|
||||
@ -3247,7 +3399,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif
|
||||
/* Double-check that length hasn't changed during decryption. */
|
||||
if( rec->data_len != olen )
|
||||
{
|
||||
@ -3266,8 +3418,13 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
|
||||
* of the records; in other words, IVs are maintained across
|
||||
* record decryptions.
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mbedtls_platform_memcpy( transform->iv_dec, transform->cipher_ctx.iv,
|
||||
transform->ivlen );
|
||||
#else
|
||||
mbedtls_platform_memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,
|
||||
transform->ivlen );
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -8495,9 +8652,12 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
|
||||
void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
|
||||
{
|
||||
memset( transform, 0, sizeof(mbedtls_ssl_transform) );
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mbedtls_cipher_init( &transform->cipher_ctx );
|
||||
#else
|
||||
mbedtls_cipher_init( &transform->cipher_ctx_enc );
|
||||
mbedtls_cipher_init( &transform->cipher_ctx_dec );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||
mbedtls_md_init( &transform->md_ctx_enc );
|
||||
@ -9866,8 +10026,11 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
|
||||
if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx ) )
|
||||
#else
|
||||
switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
|
||||
#endif
|
||||
{
|
||||
#if defined(MBEDTLS_GCM_C) || \
|
||||
defined(MBEDTLS_CCM_C) || \
|
||||
@ -9898,10 +10061,13 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
|
||||
case MBEDTLS_MODE_CBC:
|
||||
{
|
||||
size_t block_size;
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
block_size = mbedtls_cipher_get_block_size(
|
||||
&transform->cipher_ctx );
|
||||
#else
|
||||
block_size = mbedtls_cipher_get_block_size(
|
||||
&transform->cipher_ctx_enc );
|
||||
|
||||
#endif
|
||||
/* Expansion due to the addition of the MAC. */
|
||||
transform_expansion += transform->maclen;
|
||||
|
||||
@ -11371,8 +11537,13 @@ static int ssl_write_split( mbedtls_ssl_context *ssl,
|
||||
mbedtls_ssl_ver_gt(
|
||||
mbedtls_ssl_get_minor_ver( ssl ),
|
||||
MBEDTLS_SSL_MINOR_VERSION_1 ) ||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx )
|
||||
!= MBEDTLS_MODE_CBC )
|
||||
#else
|
||||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
|
||||
!= MBEDTLS_MODE_CBC )
|
||||
#endif
|
||||
{
|
||||
return( ssl_write_real( ssl, buf, len ) );
|
||||
}
|
||||
@ -11486,10 +11657,16 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
|
||||
deflateEnd( &transform->ctx_deflate );
|
||||
inflateEnd( &transform->ctx_inflate );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
mbedtls_cipher_free( &transform->cipher_ctx );
|
||||
if( transform->key_dec != NULL )
|
||||
mbedtls_free( transform->key_dec );
|
||||
if( transform->key_enc != NULL )
|
||||
mbedtls_free( transform->key_enc );
|
||||
#else
|
||||
mbedtls_cipher_free( &transform->cipher_ctx_enc );
|
||||
mbedtls_cipher_free( &transform->cipher_ctx_dec );
|
||||
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||
mbedtls_md_free( &transform->md_ctx_enc );
|
||||
mbedtls_md_free( &transform->md_ctx_dec );
|
||||
|
@ -792,6 +792,9 @@ static const char *features[] = {
|
||||
#if defined(MBEDTLS_SSL_TLS_C)
|
||||
"MBEDTLS_SSL_TLS_C",
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
"MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS",
|
||||
#endif /* MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS */
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
"MBEDTLS_THREADING_C",
|
||||
#endif /* MBEDTLS_THREADING_C */
|
||||
|
@ -2154,6 +2154,14 @@ int query_config( const char *config )
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
if( strcmp( "MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS */
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( strcmp( "MBEDTLS_THREADING_C", config ) == 0 )
|
||||
{
|
||||
|
@ -57,6 +57,7 @@
|
||||
# MBEDTLS_AES_ONLY_ENCRYPT
|
||||
# MBEDTLS_AES_SCA_COUNTERMEASURES
|
||||
# MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
# MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS
|
||||
# and any symbol beginning _ALT
|
||||
#
|
||||
# The baremetal configuration excludes options that require a library or
|
||||
@ -140,6 +141,7 @@ MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
MBEDTLS_AES_ONLY_ENCRYPT
|
||||
MBEDTLS_AES_SCA_COUNTERMEASURES
|
||||
MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS
|
||||
_ALT\s*$
|
||||
);
|
||||
|
||||
|
@ -68,15 +68,41 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
||||
memset( key0, 0x1, keylen );
|
||||
memset( key1, 0x2, keylen );
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
t_in->key_enc = mbedtls_calloc( 1, keylen );
|
||||
t_in->key_dec = mbedtls_calloc( 1, keylen );
|
||||
|
||||
t_out->key_enc = mbedtls_calloc( 1, keylen );
|
||||
t_out->key_dec = mbedtls_calloc( 1, keylen );
|
||||
|
||||
memcpy( t_in->key_enc, key0, keylen);
|
||||
memcpy( t_in->key_dec, key1, keylen);
|
||||
t_in->key_bitlen = cipher_info->key_bitlen;
|
||||
|
||||
memcpy( t_out->key_enc, key1, keylen);
|
||||
memcpy( t_out->key_dec, key0, keylen);
|
||||
t_out->key_bitlen = cipher_info->key_bitlen;
|
||||
|
||||
/* Setup cipher contexts */
|
||||
CHK( mbedtls_cipher_setup( &t_in->cipher_ctx, cipher_info ) == 0 );
|
||||
CHK( mbedtls_cipher_setup( &t_out->cipher_ctx, cipher_info ) == 0 );
|
||||
#else
|
||||
/* Setup cipher contexts */
|
||||
CHK( mbedtls_cipher_setup( &t_in->cipher_ctx_enc, cipher_info ) == 0 );
|
||||
CHK( mbedtls_cipher_setup( &t_in->cipher_ctx_dec, cipher_info ) == 0 );
|
||||
CHK( mbedtls_cipher_setup( &t_out->cipher_ctx_enc, cipher_info ) == 0 );
|
||||
CHK( mbedtls_cipher_setup( &t_out->cipher_ctx_dec, cipher_info ) == 0 );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
if( cipher_info->mode == MBEDTLS_MODE_CBC )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
CHK( mbedtls_cipher_set_padding_mode( &t_in->cipher_ctx,
|
||||
MBEDTLS_PADDING_NONE ) == 0 );
|
||||
CHK( mbedtls_cipher_set_padding_mode( &t_out->cipher_ctx,
|
||||
MBEDTLS_PADDING_NONE ) == 0 );
|
||||
#else
|
||||
CHK( mbedtls_cipher_set_padding_mode( &t_in->cipher_ctx_enc,
|
||||
MBEDTLS_PADDING_NONE ) == 0 );
|
||||
CHK( mbedtls_cipher_set_padding_mode( &t_in->cipher_ctx_dec,
|
||||
@ -85,9 +111,11 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
||||
MBEDTLS_PADDING_NONE ) == 0 );
|
||||
CHK( mbedtls_cipher_set_padding_mode( &t_out->cipher_ctx_dec,
|
||||
MBEDTLS_PADDING_NONE ) == 0 );
|
||||
#endif
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_MODE_CBC */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_TRANSFORM_OPTIMIZE_CIPHERS)
|
||||
CHK( mbedtls_cipher_setkey( &t_in->cipher_ctx_enc, key0,
|
||||
keylen << 3, MBEDTLS_ENCRYPT ) == 0 );
|
||||
CHK( mbedtls_cipher_setkey( &t_in->cipher_ctx_dec, key1,
|
||||
@ -96,7 +124,7 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
||||
keylen << 3, MBEDTLS_ENCRYPT ) == 0 );
|
||||
CHK( mbedtls_cipher_setkey( &t_out->cipher_ctx_dec, key0,
|
||||
keylen << 3, MBEDTLS_DECRYPT ) == 0 );
|
||||
|
||||
#endif
|
||||
/* Setup MAC contexts */
|
||||
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||
if( cipher_info->mode == MBEDTLS_MODE_CBC ||
|
||||
|
Loading…
Reference in New Issue
Block a user