650650/* Dummy type used only for its size */
651651union mbedtls_ssl_premaster_secret {
652652 unsigned char dummy ; /* Make the union non-empty even with SSL disabled */
653- #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED )
654- unsigned char _pms_rsa [48 ]; /* RFC 5246 8.1.1 */
655- #endif
656653#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ) || \
657654 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) || \
658655 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ) || \
@@ -1002,80 +999,14 @@ typedef int mbedtls_ssl_async_sign_t(mbedtls_ssl_context *ssl,
1002999 mbedtls_md_type_t md_alg ,
10031000 const unsigned char * hash ,
10041001 size_t hash_len );
1005-
1006- /**
1007- * \brief Callback type: start external decryption operation.
1008- *
1009- * This callback is called during an SSL handshake to start
1010- * an RSA decryption operation using an
1011- * external processor. The parameter \p cert contains
1012- * the public key; it is up to the callback function to
1013- * determine how to access the associated private key.
1014- *
1015- * This function typically sends or enqueues a request, and
1016- * does not wait for the operation to complete. This allows
1017- * the handshake step to be non-blocking.
1018- *
1019- * The parameters \p ssl and \p cert are guaranteed to remain
1020- * valid throughout the handshake. On the other hand, this
1021- * function must save the contents of \p input if the value
1022- * is needed for later processing, because the \p input buffer
1023- * is no longer valid after this function returns.
1024- *
1025- * This function may call mbedtls_ssl_set_async_operation_data()
1026- * to store an operation context for later retrieval
1027- * by the resume or cancel callback.
1028- *
1029- * \warning RSA decryption as used in TLS is subject to a potential
1030- * timing side channel attack first discovered by Bleichenbacher
1031- * in 1998. This attack can be remotely exploitable
1032- * in practice. To avoid this attack, you must ensure that
1033- * if the callback performs an RSA decryption, the time it
1034- * takes to execute and return the result does not depend
1035- * on whether the RSA decryption succeeded or reported
1036- * invalid padding.
1037- *
1038- * \param ssl The SSL connection instance. It should not be
1039- * modified other than via
1040- * mbedtls_ssl_set_async_operation_data().
1041- * \param cert Certificate containing the public key.
1042- * In simple cases, this is one of the pointers passed to
1043- * mbedtls_ssl_conf_own_cert() when configuring the SSL
1044- * connection. However, if other callbacks are used, this
1045- * property may not hold. For example, if an SNI callback
1046- * is registered with mbedtls_ssl_conf_sni(), then
1047- * this callback determines what certificate is used.
1048- * \param input Buffer containing the input ciphertext. This buffer
1049- * is no longer valid when the function returns.
1050- * \param input_len Size of the \p input buffer in bytes.
1051- *
1052- * \return 0 if the operation was started successfully and the SSL
1053- * stack should call the resume callback immediately.
1054- * \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
1055- * was started successfully and the SSL stack should return
1056- * immediately without calling the resume callback yet.
1057- * \return #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
1058- * processor does not support this key. The SSL stack will
1059- * use the private key object instead.
1060- * \return Any other error indicates a fatal failure and is
1061- * propagated up the call chain. The callback should
1062- * use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
1063- * use \c MBEDTLS_ERR_SSL_xxx error codes except as
1064- * directed in the documentation of this callback.
1065- */
1066- typedef int mbedtls_ssl_async_decrypt_t (mbedtls_ssl_context * ssl ,
1067- mbedtls_x509_crt * cert ,
1068- const unsigned char * input ,
1069- size_t input_len );
10701002#endif /* MBEDTLS_X509_CRT_PARSE_C */
10711003
10721004/**
10731005 * \brief Callback type: resume external operation.
10741006 *
10751007 * This callback is called during an SSL handshake to resume
10761008 * an external operation started by the
1077- * ::mbedtls_ssl_async_sign_t or
1078- * ::mbedtls_ssl_async_decrypt_t callback.
1009+ * ::mbedtls_ssl_async_sign_t callback.
10791010 *
10801011 * This function typically checks the status of a pending
10811012 * request or causes the request queue to make progress, and
@@ -1541,7 +1472,6 @@ struct mbedtls_ssl_config {
15411472#if defined(MBEDTLS_SSL_ASYNC_PRIVATE )
15421473#if defined(MBEDTLS_X509_CRT_PARSE_C )
15431474 mbedtls_ssl_async_sign_t * MBEDTLS_PRIVATE (f_async_sign_start ); /*!< start asynchronous signature operation */
1544- mbedtls_ssl_async_decrypt_t * MBEDTLS_PRIVATE (f_async_decrypt_start ); /*!< start asynchronous decryption operation */
15451475#endif /* MBEDTLS_X509_CRT_PARSE_C */
15461476 mbedtls_ssl_async_resume_t * MBEDTLS_PRIVATE (f_async_resume ); /*!< resume asynchronous operation */
15471477 mbedtls_ssl_async_cancel_t * MBEDTLS_PRIVATE (f_async_cancel ); /*!< cancel asynchronous operation */
@@ -2857,17 +2787,10 @@ static inline uintptr_t mbedtls_ssl_get_user_data_n(
28572787 * external processor does not support any signature
28582788 * operation; in this case the private key object
28592789 * associated with the certificate will be used.
2860- * \param f_async_decrypt Callback to start a decryption operation. See
2861- * the description of ::mbedtls_ssl_async_decrypt_t
2862- * for more information. This may be \c NULL if the
2863- * external processor does not support any decryption
2864- * operation; in this case the private key object
2865- * associated with the certificate will be used.
28662790 * \param f_async_resume Callback to resume an asynchronous operation. See
28672791 * the description of ::mbedtls_ssl_async_resume_t
28682792 * for more information. This may not be \c NULL unless
2869- * \p f_async_sign and \p f_async_decrypt are both
2870- * \c NULL.
2793+ * \p f_async_sign is \c NULL.
28712794 * \param f_async_cancel Callback to cancel an asynchronous operation. See
28722795 * the description of ::mbedtls_ssl_async_cancel_t
28732796 * for more information. This may be \c NULL if
@@ -2879,7 +2802,6 @@ static inline uintptr_t mbedtls_ssl_get_user_data_n(
28792802 */
28802803void mbedtls_ssl_conf_async_private_cb (mbedtls_ssl_config * conf ,
28812804 mbedtls_ssl_async_sign_t * f_async_sign ,
2882- mbedtls_ssl_async_decrypt_t * f_async_decrypt ,
28832805 mbedtls_ssl_async_resume_t * f_async_resume ,
28842806 mbedtls_ssl_async_cancel_t * f_async_cancel ,
28852807 void * config_data );
0 commit comments