ssl_tls12_populate_transform optim

- remove redundant calls to retrieve info - defer calls to where needed for specific ssl_modes Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Mbed-TLS · Jul 21, 2022 · d2a4e4c · d2a4e4c
1 parent a948f05
commit d2a4e4c
Showing 1 changed file with 46 additions and 36 deletions.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
@@ -1818,21 +1818,19 @@ static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
     mbedtls_ssl_mode_t base_mode,
     int encrypt_then_mac )
 {
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
     if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
         base_mode == MBEDTLS_SSL_MODE_CBC )
     {
         return( MBEDTLS_SSL_MODE_CBC_ETM );
     }
-#else
-    (void) encrypt_then_mac;
-#endif
     return( base_mode );
 }
+#endif
 
 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
                     const mbedtls_ssl_transform *transform )
@@ -1845,11 +1843,12 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
 #endif
         );
 
-    int encrypt_then_mac = 0;
 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-    encrypt_then_mac = transform->encrypt_then_mac;
-#endif
+    int encrypt_then_mac = transform->encrypt_then_mac;
     return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) );
+#else
+    return( base_mode );
+#endif
 }
 
 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
@@ -1879,10 +1878,11 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
     }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
-#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-    int encrypt_then_mac = 0;
-#endif
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
     return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) );
+#else
+    return( base_mode );
+#endif
 }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
@@ -7173,7 +7173,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
     mbedtls_ssl_mode_t ssl_mode;
 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
     const mbedtls_cipher_info_t *cipher_info;
-    const mbedtls_md_info_t *md_info;
 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -7226,27 +7225,18 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
 
-    ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
-                                        encrypt_then_mac,
-#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
-                                        ciphersuite_info );
-
-    if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
-        transform->taglen =
-            ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
-
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     if( ( status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher,
-                                 transform->taglen,
+                                 0,
                                  &alg,
                                  &key_type,
                                  &key_bits ) ) != PSA_SUCCESS )
     {
         ret = psa_ssl_status_to_mbedtls( status );
         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret );
-        goto end;
+        return( ret );
     }
+    ssl_mode = mbedtls_ssl_get_base_mode( alg );
 #else
     cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
     if( cipher_info == NULL )
@@ -7255,8 +7245,24 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
                                     ciphersuite_info->cipher ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
+    ssl_mode = mbedtls_ssl_get_base_mode(
+                   mbedtls_cipher_info_get_mode( cipher_info ) );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
+    if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
+    {
+        transform->taglen =
+            ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+        mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, transform->taglen,
+                                   &alg, &key_type, &key_bits );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    }
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
+    else
+        ssl_mode = mbedtls_ssl_get_actual_mode( ssl_mode, encrypt_then_mac );
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
+
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     mac_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
     if( mac_alg == 0 )
@@ -7265,14 +7271,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
                             (unsigned) ciphersuite_info->mac ) );
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
     }
-#else
-    md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
-    if( md_info == NULL )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
-                            (unsigned) ciphersuite_info->mac ) );
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -7360,10 +7358,16 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
         ssl_mode == MBEDTLS_SSL_MODE_CBC ||
         ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
     {
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-        size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type );
-#else
-        size_t block_size = cipher_info->block_size;
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+        const mbedtls_md_info_t *md_info;
+        md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
+        if( md_info == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
+                                (unsigned) ciphersuite_info->mac ) );
+            ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+            goto end;
+        }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -7401,6 +7405,11 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
              *    otherwise: * first multiple of blocklen greater than maclen
              * 2. IV
              */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+            size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type );
+#else
+            size_t block_size = cipher_info->block_size;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
             if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
             {
@@ -7431,7 +7440,8 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto end;
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",