Merge pull request #7296 from valeriosetti/issue7253-part1

driver-only ECDH: enable ECDH-based TLS 1.2 key exchanges -- part 1
2023-03-21 16:09:02 +01:00 · 2023-03-21 16:09:02 +01:00 · e0e161b54a
commit e0e161b54a
parent 3543806026 fdea36d137
7 changed files with 104 additions and 33 deletions
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -304,15 +304,26 @@
 #endif
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

+/* Helper for ECDH dependencies, will be undefined at the end of the file */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(PSA_HAVE_FULL_ECDH)
+#define MBEDTLS_PK_HAVE_ECDH
+#endif
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_PK_HAVE_ECDH
+#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) ||                                       \
+    ( !defined(MBEDTLS_PK_HAVE_ECDH) ||                                       \
      !defined(MBEDTLS_PK_HAVE_ECDSA) ||                                \
      !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
 #endif

 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+    ( !defined(MBEDTLS_PK_HAVE_ECDH) || !defined(MBEDTLS_RSA_C) ||          \
      !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
 #endif
@ -1100,6 +1111,7 @@
 /* Undefine helper symbols */
 #undef MBEDTLS_PK_HAVE_ECDSA
 #undef MBEDTLS_PK_HAVE_JPAKE
+#undef MBEDTLS_PK_HAVE_ECDH

 /*
 * Avoid warning from -pedantic. This is a convenient place for this
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@ -853,6 +853,11 @@ extern "C" {
 #define PSA_HAVE_FULL_JPAKE 1
 #endif

+#if defined(PSA_WANT_ALG_ECDH) && defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \
+    defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#define PSA_HAVE_FULL_ECDH 1
+#endif
+
 /* These features are always enabled. */
 #define PSA_WANT_KEY_TYPE_DERIVE 1
 #define PSA_WANT_KEY_TYPE_PASSWORD 1
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@ -193,6 +193,12 @@ typedef struct mbedtls_pk_rsassa_pss_options {
 #endif /* PSA_WANT_ALG_ECDSA */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */

+/* Symbol for ECDH capabilities, no matter how it is provided */
+#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_HAVE_FULL_ECDH)) || \
+    (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
+#define MBEDTLS_PK_CAN_ECDH
+#endif
+
 #if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
 #define MBEDTLS_PK_CAN_ECDSA_SOME
 #endif