/* * Copyright (c) 2023, Christian Huitema * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to * deal in the Software without restriction, including without limitation the * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or * sell copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS * IN THE SOFTWARE. */ #ifdef _WINDOWS #include "wincompat.h" #endif #include #include #include #include #include #include #include "picotls.h" #define PSA_FUNC_FAILED(fn, ret) \ do { \ fprintf(stderr, "in %s at line %d, " PTLS_TO_STR(fn) " failed (%d)\n", __FUNCTION__, __LINE__, (int)ret); \ abort(); \ } while (0) #define CALL_WITH_CHECK(fn, ...) \ do { \ psa_status_t ret; \ if ((ret = fn(__VA_ARGS__)) != PSA_SUCCESS) \ PSA_FUNC_FAILED(fn, ret); \ } while (0) void ptls_mbedtls_random_bytes(void *buf, size_t len) { CALL_WITH_CHECK(psa_generate_random, buf, len); } #define DEFINE_HASH(name, name_upcase, psa_alg) \ static void name##_do_init(psa_hash_operation_t *op) \ { \ *op = psa_hash_operation_init(); \ CALL_WITH_CHECK(psa_hash_setup, op, psa_alg); \ } \ static void name##_do_update(psa_hash_operation_t *op, const void *src, size_t len) \ { \ CALL_WITH_CHECK(psa_hash_update, op, src, len); \ } \ static void name##_do_final(psa_hash_operation_t *op, void *md) \ { \ size_t unused; \ CALL_WITH_CHECK(psa_hash_finish, op, md, PTLS_##name_upcase##_DIGEST_SIZE, &unused); \ } \ static void name##_do_clone(psa_hash_operation_t *dst, psa_hash_operation_t *src, size_t unused) \ { \ CALL_WITH_CHECK(psa_hash_clone, src, dst); \ } \ ptls_define_hash6(name, psa_hash_operation_t, name##_do_init, name##_do_update, name##_do_final, name##_do_clone); \ ptls_hash_algorithm_t ptls_mbedtls_##name = {PTLS_TO_STR(name), PTLS_##name_upcase##_BLOCK_SIZE, \ PTLS_##name_upcase##_DIGEST_SIZE, name##_create, PTLS_ZERO_DIGEST_##name_upcase}; DEFINE_HASH(sha256, SHA256, PSA_ALG_SHA_256); DEFINE_HASH(sha512, SHA512, PSA_ALG_SHA_512); #if defined(MBEDTLS_SHA384_C) DEFINE_HASH(sha384, SHA384, PSA_ALG_SHA_384); #endif /** * Generic implementation of a cipher using the PSA API */ struct st_ptls_mbedtls_cipher_context_t { ptls_cipher_context_t super; psa_algorithm_t alg; unsigned is_enc : 1; unsigned is_op_in_progress : 1; mbedtls_svc_key_id_t key; psa_cipher_operation_t op; }; static void cipher_init(ptls_cipher_context_t *_ctx, const void *iv) { struct st_ptls_mbedtls_cipher_context_t *ctx = (struct st_ptls_mbedtls_cipher_context_t *)_ctx; if (ctx->is_op_in_progress) { psa_cipher_abort(&ctx->op); ctx->is_op_in_progress = 0; } ctx->op = psa_cipher_operation_init(); if (ctx->is_enc) { CALL_WITH_CHECK(psa_cipher_encrypt_setup, &ctx->op, ctx->key, ctx->alg); } else { CALL_WITH_CHECK(psa_cipher_decrypt_setup, &ctx->op, ctx->key, ctx->alg); } ctx->is_op_in_progress = 1; if (ctx->super.algo->iv_size > 0) CALL_WITH_CHECK(psa_cipher_set_iv, &ctx->op, iv, ctx->super.algo->iv_size); } static void cipher_transform(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len) { struct st_ptls_mbedtls_cipher_context_t *ctx = (struct st_ptls_mbedtls_cipher_context_t *)_ctx; size_t unused = 0; CALL_WITH_CHECK(psa_cipher_update, &ctx->op, input, len, output, len, &unused); } static void cipher_dispose(ptls_cipher_context_t *_ctx) { struct st_ptls_mbedtls_cipher_context_t *ctx = (struct st_ptls_mbedtls_cipher_context_t *)_ctx; if (ctx->is_op_in_progress) psa_cipher_abort(&ctx->op); psa_destroy_key(ctx->key); } static int cipher_setup(ptls_cipher_context_t *_ctx, int is_enc, const void *key_bytes, psa_algorithm_t alg, psa_key_type_t key_type) { struct st_ptls_mbedtls_cipher_context_t *ctx = (struct st_ptls_mbedtls_cipher_context_t *)_ctx; { /* import key or fail immediately */ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_usage_flags(&attributes, is_enc ? PSA_KEY_USAGE_ENCRYPT : PSA_KEY_USAGE_DECRYPT); psa_set_key_algorithm(&attributes, alg); psa_set_key_type(&attributes, key_type); psa_set_key_bits(&attributes, ctx->super.algo->key_size * 8); if (psa_import_key(&attributes, key_bytes, ctx->super.algo->key_size, &ctx->key) != PSA_SUCCESS) return PTLS_ERROR_LIBRARY; } /* init the rest that are guaranteed to succeed */ ctx->super.do_dispose = cipher_dispose; ctx->super.do_init = cipher_init; ctx->super.do_transform = cipher_transform; ctx->alg = alg; ctx->is_enc = is_enc; ctx->is_op_in_progress = 0; ctx->op = psa_cipher_operation_init(); return 0; } static int ecb_setup(ptls_cipher_context_t *ctx, int is_enc, const void *key_bytes, psa_key_type_t key_type) { int ret; if ((ret = cipher_setup(ctx, is_enc, key_bytes, PSA_ALG_ECB_NO_PADDING, key_type)) != 0) return ret; /* ECB mode does not necessary call `ptls_cipher_init` */ cipher_init(ctx, NULL); return 0; } static int setup_aes128ecb(ptls_cipher_context_t *ctx, int is_enc, const void *key_bytes) { return ecb_setup(ctx, is_enc, key_bytes, PSA_KEY_TYPE_AES); } ptls_cipher_algorithm_t ptls_mbedtls_aes128ecb = { "AES128-ECB", PTLS_AES128_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct st_ptls_mbedtls_cipher_context_t), setup_aes128ecb}; static int setup_aes256ecb(ptls_cipher_context_t *ctx, int is_enc, const void *key_bytes) { return ecb_setup(ctx, is_enc, key_bytes, PSA_KEY_TYPE_AES); } ptls_cipher_algorithm_t ptls_mbedtls_aes256ecb = { "AES256-ECB", PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 0 /* iv size */, sizeof(struct st_ptls_mbedtls_cipher_context_t), setup_aes256ecb}; static int setup_aes128ctr(ptls_cipher_context_t *ctx, int is_enc, const void *key_bytes) { return cipher_setup(ctx, is_enc, key_bytes, PSA_ALG_CTR, PSA_KEY_TYPE_AES); } ptls_cipher_algorithm_t ptls_mbedtls_aes128ctr = { "AES128-CTR", PTLS_AES128_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 16 /* iv size */, sizeof(struct st_ptls_mbedtls_cipher_context_t), setup_aes128ctr}; static int setup_aes256ctr(ptls_cipher_context_t *ctx, int is_enc, const void *key_bytes) { return cipher_setup(ctx, is_enc, key_bytes, PSA_ALG_CTR, PSA_KEY_TYPE_AES); } ptls_cipher_algorithm_t ptls_mbedtls_aes256ctr = { "AES128-CTR", PTLS_AES256_KEY_SIZE, PTLS_AES_BLOCK_SIZE, 16 /* iv size */, sizeof(struct st_ptls_mbedtls_cipher_context_t), setup_aes256ctr}; #if 0 /* CHACHA20 backend using PSA API is disabled for now, as there seems to be an issue when setting the 16 bytes long IV that we * need. */ static int setup_chacha20(ptls_cipher_context_t *ctx, int is_enc, const void *key_bytes) { return cipher_setup(ctx, is_enc, key_bytes, PSA_ALG_CTR, PSA_KEY_TYPE_CHACHA20); } ptls_cipher_algorithm_t ptls_mbedtls_chacha20 = { "CHACHA20", PTLS_CHACHA20_KEY_SIZE, 1 /* block size */, PTLS_CHACHA20_IV_SIZE, sizeof(struct st_ptls_mbedtls_cipher_context_t), setup_chacha20}; #else /* Implementation of ChaCha20 using the low level ChaCha20 API. * TODO: remove this and the reference to chacha20.h as soon as the IV bug in the generic implementation is fixed. */ struct st_ptls_mbedtls_chacha20_context_t { ptls_cipher_context_t super; mbedtls_chacha20_context mctx; }; static void chacha20_init(ptls_cipher_context_t *_ctx, const void *v_iv) { struct st_ptls_mbedtls_chacha20_context_t *ctx = (struct st_ptls_mbedtls_chacha20_context_t *)_ctx; const uint8_t *iv = (const uint8_t *)v_iv; uint32_t ctr = iv[0] | ((uint32_t)iv[1] << 8) | ((uint32_t)iv[2] << 16) | ((uint32_t)iv[3] << 24); int ret = mbedtls_chacha20_starts(&ctx->mctx, (const uint8_t *)(iv + 4), ctr); if (ret != 0) PSA_FUNC_FAILED(mbedtls_chacha20_starts, ret); } static void chacha20_transform(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len) { struct st_ptls_mbedtls_chacha20_context_t *ctx = (struct st_ptls_mbedtls_chacha20_context_t *)_ctx; int ret = mbedtls_chacha20_update(&ctx->mctx, len, (const uint8_t *)input, (uint8_t *)output); if (ret != 0) PSA_FUNC_FAILED(mbedtls_chacha20_update, ret); } static void chacha20_dispose(ptls_cipher_context_t *_ctx) { struct st_ptls_mbedtls_chacha20_context_t *ctx = (struct st_ptls_mbedtls_chacha20_context_t *)_ctx; mbedtls_chacha20_free(&ctx->mctx); } static int setup_chacha20(ptls_cipher_context_t *_ctx, int is_enc, const void *key) { struct st_ptls_mbedtls_chacha20_context_t *ctx = (struct st_ptls_mbedtls_chacha20_context_t *)_ctx; mbedtls_chacha20_init(&ctx->mctx); if (mbedtls_chacha20_setkey(&ctx->mctx, key) != 0) return PTLS_ERROR_LIBRARY; ctx->super.do_dispose = chacha20_dispose; ctx->super.do_init = chacha20_init; ctx->super.do_transform = chacha20_transform; return 0; } ptls_cipher_algorithm_t ptls_mbedtls_chacha20 = {"CHACHA20", PTLS_CHACHA20_KEY_SIZE, 1 /* block size */, PTLS_CHACHA20_IV_SIZE, sizeof(struct st_ptls_mbedtls_chacha20_context_t), setup_chacha20}; #endif struct ptls_mbedtls_aead_context_t { struct st_ptls_aead_context_t super; uint8_t static_iv[PTLS_MAX_IV_SIZE]; psa_algorithm_t alg; psa_key_id_t key; }; static void aead_dispose_crypto(struct st_ptls_aead_context_t *_ctx) { struct ptls_mbedtls_aead_context_t *ctx = (struct ptls_mbedtls_aead_context_t *)_ctx; psa_destroy_key(ctx->key); } static void aead_get_iv(ptls_aead_context_t *_ctx, void *iv) { struct ptls_mbedtls_aead_context_t *ctx = (struct ptls_mbedtls_aead_context_t *)_ctx; memcpy(iv, ctx->static_iv, ctx->super.algo->iv_size); } static void aead_set_iv(ptls_aead_context_t *_ctx, const void *iv) { struct ptls_mbedtls_aead_context_t *ctx = (struct ptls_mbedtls_aead_context_t *)_ctx; memcpy(ctx->static_iv, iv, ctx->super.algo->iv_size); } static void aead_encrypt_v(struct st_ptls_aead_context_t *_ctx, void *output, ptls_iovec_t *input, size_t incnt, uint64_t seq, const void *aad, size_t aadlen) { struct ptls_mbedtls_aead_context_t *ctx = (struct ptls_mbedtls_aead_context_t *)_ctx; psa_aead_operation_t op = psa_aead_operation_init(); uint8_t *dst = output, iv[PTLS_MAX_IV_SIZE], tag[PSA_AEAD_TAG_MAX_SIZE]; size_t outlen, taglen; /* setup op */ CALL_WITH_CHECK(psa_aead_encrypt_setup, &op, ctx->key, ctx->alg); ptls_aead__build_iv(ctx->super.algo, iv, ctx->static_iv, seq); CALL_WITH_CHECK(psa_aead_set_nonce, &op, iv, ctx->super.algo->iv_size); CALL_WITH_CHECK(psa_aead_update_ad, &op, aad, aadlen); /* encrypt */ for (size_t i = 0; i < incnt; i++) { CALL_WITH_CHECK(psa_aead_update, &op, input[i].base, input[i].len, dst, SIZE_MAX, &outlen); dst += outlen; } CALL_WITH_CHECK(psa_aead_finish, &op, dst, SIZE_MAX, &outlen, tag, sizeof(tag), &taglen); dst += outlen; memcpy(dst, tag, taglen); /* destroy op */ psa_aead_abort(&op); } static size_t aead_decrypt(struct st_ptls_aead_context_t *_ctx, void *output, const void *input, size_t inlen, uint64_t seq, const void *aad, size_t aadlen) { struct ptls_mbedtls_aead_context_t *ctx = (struct ptls_mbedtls_aead_context_t *)_ctx; uint8_t iv[PTLS_MAX_IV_SIZE]; size_t outlen; ptls_aead__build_iv(ctx->super.algo, iv, ctx->static_iv, seq); psa_status_t ret = psa_aead_decrypt(ctx->key, ctx->alg, iv, ctx->super.algo->iv_size, aad, aadlen, input, inlen, output, inlen, &outlen); switch (ret) { case PSA_SUCCESS: break; case PSA_ERROR_INVALID_SIGNATURE: outlen = SIZE_MAX; break; default: PSA_FUNC_FAILED(psa_aead_decrypt, ret); break; } return outlen; } static int aead_setup(ptls_aead_context_t *_ctx, int is_enc, const void *key_bytes, const void *iv, psa_algorithm_t psa_alg, size_t key_bits, psa_key_type_t key_type) { struct ptls_mbedtls_aead_context_t *ctx = (struct ptls_mbedtls_aead_context_t *)_ctx; { /* setup key */ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_usage_flags(&attributes, is_enc ? PSA_KEY_USAGE_ENCRYPT : PSA_KEY_USAGE_DECRYPT); psa_set_key_algorithm(&attributes, psa_alg); psa_set_key_type(&attributes, key_type); psa_set_key_bits(&attributes, key_bits); if (psa_import_key(&attributes, key_bytes, key_bits / 8, &ctx->key) != PSA_SUCCESS) return PTLS_ERROR_LIBRARY; } /* setup the rest */ ctx->super.dispose_crypto = aead_dispose_crypto; ctx->super.do_get_iv = aead_get_iv; ctx->super.do_set_iv = aead_set_iv; if (is_enc) { ctx->super.do_encrypt = ptls_aead__do_encrypt; ctx->super.do_encrypt_v = aead_encrypt_v; } else { ctx->super.do_decrypt = aead_decrypt; } memcpy(ctx->static_iv, iv, ctx->super.algo->iv_size); ctx->alg = psa_alg; return 0; } static int aead_setup_aes128gcm(ptls_aead_context_t *_ctx, int is_enc, const void *key_bytes, const void *iv) { return aead_setup(_ctx, is_enc, key_bytes, iv, PSA_ALG_GCM, 128, PSA_KEY_TYPE_AES); } ptls_aead_algorithm_t ptls_mbedtls_aes128gcm = {"AES128-GCM", PTLS_AESGCM_CONFIDENTIALITY_LIMIT, PTLS_AESGCM_INTEGRITY_LIMIT, &ptls_mbedtls_aes128ctr, &ptls_mbedtls_aes128ecb, PTLS_AES128_KEY_SIZE, PTLS_AESGCM_IV_SIZE, PTLS_AESGCM_TAG_SIZE, {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE}, 0, 0, sizeof(struct ptls_mbedtls_aead_context_t), aead_setup_aes128gcm}; ptls_cipher_suite_t ptls_mbedtls_aes128gcmsha256 = {.id = PTLS_CIPHER_SUITE_AES_128_GCM_SHA256, .name = PTLS_CIPHER_SUITE_NAME_AES_128_GCM_SHA256, .aead = &ptls_mbedtls_aes128gcm, .hash = &ptls_mbedtls_sha256}; static int aead_setup_aes256gcm(ptls_aead_context_t *_ctx, int is_enc, const void *key_bytes, const void *iv) { return aead_setup(_ctx, is_enc, key_bytes, iv, PSA_ALG_GCM, 256, PSA_KEY_TYPE_AES); } ptls_aead_algorithm_t ptls_mbedtls_aes256gcm = {"AES256-GCM", PTLS_AESGCM_CONFIDENTIALITY_LIMIT, PTLS_AESGCM_INTEGRITY_LIMIT, &ptls_mbedtls_aes256ctr, &ptls_mbedtls_aes256ecb, PTLS_AES256_KEY_SIZE, PTLS_AESGCM_IV_SIZE, PTLS_AESGCM_TAG_SIZE, {PTLS_TLS12_AESGCM_FIXED_IV_SIZE, PTLS_TLS12_AESGCM_RECORD_IV_SIZE}, 0, 0, sizeof(struct ptls_mbedtls_aead_context_t), aead_setup_aes256gcm}; #if defined(MBEDTLS_SHA384_C) ptls_cipher_suite_t ptls_mbedtls_aes256gcmsha384 = {.id = PTLS_CIPHER_SUITE_AES_256_GCM_SHA384, .name = PTLS_CIPHER_SUITE_NAME_AES_256_GCM_SHA384, .aead = &ptls_mbedtls_aes256gcm, .hash = &ptls_mbedtls_sha384}; #endif static int aead_setup_chacha20poly1305(ptls_aead_context_t *_ctx, int is_enc, const void *key_bytes, const void *iv) { return aead_setup(_ctx, is_enc, key_bytes, iv, PSA_ALG_CHACHA20_POLY1305, 256, PSA_KEY_TYPE_CHACHA20); } ptls_aead_algorithm_t ptls_mbedtls_chacha20poly1305 = {"CHACHA20-POLY1305", PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT, PTLS_CHACHA20POLY1305_INTEGRITY_LIMIT, &ptls_mbedtls_chacha20, NULL, PTLS_CHACHA20_KEY_SIZE, PTLS_CHACHA20POLY1305_IV_SIZE, PTLS_CHACHA20POLY1305_TAG_SIZE, {PTLS_TLS12_CHACHAPOLY_FIXED_IV_SIZE, PTLS_TLS12_CHACHAPOLY_RECORD_IV_SIZE}, 0, 0, sizeof(struct ptls_mbedtls_aead_context_t), aead_setup_chacha20poly1305}; ptls_cipher_suite_t ptls_mbedtls_chacha20poly1305sha256 = {.id = PTLS_CIPHER_SUITE_CHACHA20_POLY1305_SHA256, .name = PTLS_CIPHER_SUITE_NAME_CHACHA20_POLY1305_SHA256, .aead = &ptls_mbedtls_chacha20poly1305, .hash = &ptls_mbedtls_sha256}; ptls_cipher_suite_t *ptls_mbedtls_cipher_suites[] = { #if defined(MBEDTLS_SHA384_C) &ptls_mbedtls_aes256gcmsha384, #endif &ptls_mbedtls_aes128gcmsha256, &ptls_mbedtls_chacha20poly1305sha256, NULL}; #define PTLS_MBEDTLS_ECDH_PUBKEY_MAX 129 static const struct ptls_mbedtls_key_exchange_params_t { psa_algorithm_t alg; psa_ecc_family_t curve; size_t curve_bits; size_t secret_size; } secp256r1_params = {PSA_ALG_ECDH, PSA_ECC_FAMILY_SECP_R1, 256, 32}, x25519_params = {PSA_ALG_ECDH, PSA_ECC_FAMILY_MONTGOMERY, 255, 32}; struct ptls_mbedtls_key_exchange_context_t { ptls_key_exchange_context_t super; const struct ptls_mbedtls_key_exchange_params_t *params; psa_key_id_t private_key; uint8_t pubkeybuf[PTLS_MBEDTLS_ECDH_PUBKEY_MAX]; }; /** * Generates a private key. For now, we only support ECC. */ static int generate_private_key(psa_key_id_t *private_key, const struct ptls_mbedtls_key_exchange_params_t *params) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; int ret = 0; psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); psa_set_key_algorithm(&attributes, params->alg); psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(params->curve)); psa_set_key_bits(&attributes, params->curve_bits); if (psa_generate_key(&attributes, private_key) != 0) { ret = -1; } return ret; } static int key_exchange_on_exchange(struct st_ptls_key_exchange_context_t **_keyex, int release, ptls_iovec_t *secret, ptls_iovec_t peerkey) { struct ptls_mbedtls_key_exchange_context_t *keyex = (struct ptls_mbedtls_key_exchange_context_t *)*_keyex; int ret = 0; if (secret == NULL) goto Exit; /* derive shared secret */ if ((secret->base = malloc(keyex->params->secret_size)) == NULL) { ret = PTLS_ERROR_NO_MEMORY; goto Exit; } if (psa_raw_key_agreement(keyex->params->alg, keyex->private_key, peerkey.base, peerkey.len, secret->base, keyex->params->secret_size, &secret->len) != 0) { ret = PTLS_ERROR_LIBRARY; goto Exit; } assert(keyex->params->secret_size == secret->len); ret = 0; Exit: if (ret != 0 && secret != NULL) { free(secret->base); *secret = ptls_iovec_init(NULL, 0); } if (release) { psa_destroy_key(keyex->private_key); free(keyex); *_keyex = NULL; } return ret; } static int key_exchange_create(ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx, const struct ptls_mbedtls_key_exchange_params_t *params) { struct ptls_mbedtls_key_exchange_context_t *keyex; *ctx = NULL; /* setup context */ if ((keyex = malloc(sizeof(*keyex))) == NULL) return PTLS_ERROR_NO_MEMORY; *keyex = (struct ptls_mbedtls_key_exchange_context_t){ .super.algo = algo, .super.pubkey.base = keyex->pubkeybuf, .super.on_exchange = key_exchange_on_exchange, .params = params, }; /* generate private key */ if (generate_private_key(&keyex->private_key, keyex->params) != 0) { free(keyex); return PTLS_ERROR_LIBRARY; } { /* export public key */ psa_status_t ret = psa_export_public_key(keyex->private_key, keyex->pubkeybuf, sizeof(keyex->pubkeybuf), &keyex->super.pubkey.len); if (ret != 0) PSA_FUNC_FAILED(psa_export_public_key, ret); } *ctx = &keyex->super; return 0; } static int key_exchange_exchange(ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey, const struct ptls_mbedtls_key_exchange_params_t *params) { psa_key_id_t private_key; int ret; *pubkey = ptls_iovec_init(NULL, 0); *secret = ptls_iovec_init(NULL, 0); /* generate private key (and return immediately upon failure) */ if (generate_private_key(&private_key, params) != 0) return PTLS_ERROR_LIBRARY; /* allocate buffers */ if ((secret->base = malloc(params->secret_size)) == NULL) { ret = PTLS_ERROR_NO_MEMORY; goto Exit; } if ((pubkey->base = malloc(PTLS_MBEDTLS_ECDH_PUBKEY_MAX)) == NULL) { ret = PTLS_ERROR_NO_MEMORY; goto Exit; } /* export public key and call key agrement function */ if (psa_export_public_key(private_key, pubkey->base, PTLS_MBEDTLS_ECDH_PUBKEY_MAX, &pubkey->len) != 0 || psa_raw_key_agreement(params->alg, private_key, peerkey.base, peerkey.len, secret->base, params->secret_size, &secret->len) != 0) { ret = PTLS_ERROR_LIBRARY; goto Exit; } ret = 0; Exit: if (ret != 0) { free(pubkey->base); *pubkey = ptls_iovec_init(NULL, 0); free(secret->base); *secret = ptls_iovec_init(NULL, 0); } psa_destroy_key(private_key); return ret; } static int secp256r1_create(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx) { return key_exchange_create(algo, ctx, &secp256r1_params); } static int secp256r1_exchange(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey) { return key_exchange_exchange(algo, pubkey, secret, peerkey, &secp256r1_params); } ptls_key_exchange_algorithm_t ptls_mbedtls_secp256r1 = { .id = PTLS_GROUP_SECP256R1, .name = PTLS_GROUP_NAME_SECP256R1, .create = secp256r1_create, .exchange = secp256r1_exchange}; static int x25519_create(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_key_exchange_context_t **ctx) { return key_exchange_create(algo, ctx, &x25519_params); } static int x25519_exchange(const struct st_ptls_key_exchange_algorithm_t *algo, ptls_iovec_t *pubkey, ptls_iovec_t *secret, ptls_iovec_t peerkey) { return key_exchange_exchange(algo, pubkey, secret, peerkey, &x25519_params); } ptls_key_exchange_algorithm_t ptls_mbedtls_x25519 = { .id = PTLS_GROUP_X25519, .name = PTLS_GROUP_NAME_X25519, .create = x25519_create, .exchange = x25519_exchange}; ptls_key_exchange_algorithm_t *ptls_mbedtls_key_exchanges[] = {&ptls_mbedtls_secp256r1, NULL};