[development] Remove DHM module

doxygen/input/doc_encdec.h

@@ -39,8 +39,6 @@
  *     and \c mbedtls_des3_crypt_cbc()).
  *   - GCM (AES-GCM and CAMELLIA-GCM) (see \c mbedtls_gcm_init())
  * - Asymmetric:
- *   - Diffie-Hellman-Merkle (see \c mbedtls_dhm_read_public(), \c mbedtls_dhm_make_public()
- *     and \c mbedtls_dhm_calc_secret()).
  *   - RSA (see \c mbedtls_rsa_public() and \c mbedtls_rsa_private()).
  *   - Elliptic Curves over GF(p) (see \c mbedtls_ecp_point_init()).
  *   - Elliptic Curve Digital Signature Algorithm (ECDSA) (see \c mbedtls_ecdsa_init()).

include/mbedtls/ssl.h

@@ -24,10 +24,6 @@
 #include "mbedtls/x509_crl.h"
 #endif
 
-#if defined(MBEDTLS_DHM_C)
-#include "mbedtls/dhm.h"
-#endif
-
 #include "mbedtls/md.h"
 
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED)
@@ -1562,11 +1558,6 @@ struct mbedtls_ssl_config {
 
     const uint16_t *MBEDTLS_PRIVATE(group_list);     /*!< allowed IANA NamedGroups */
 
-#if defined(MBEDTLS_DHM_C)
-    mbedtls_mpi MBEDTLS_PRIVATE(dhm_P);              /*!< prime modulus for DHM              */
-    mbedtls_mpi MBEDTLS_PRIVATE(dhm_G);              /*!< generator for DHM                  */
-#endif
-
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
 
     mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field
@@ -1642,10 +1633,6 @@ struct mbedtls_ssl_config {
 
     unsigned int MBEDTLS_PRIVATE(badmac_limit);      /*!< limit of records with a bad MAC    */
 
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
-    unsigned int MBEDTLS_PRIVATE(dhm_min_bitlen);    /*!< min. bit length of the DHM prime   */
-#endif
-
     /** User data pointer or handle.
      *
      * The library sets this to \p 0 when creating a context and does not
@@ -3753,49 +3740,6 @@ void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
 #endif /* MBEDTLS_SSL_SRV_C */
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
 
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-/**
- * \brief          Set the Diffie-Hellman public P and G values
- *                 from big-endian binary presentations.
- *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
- *
- * \param conf     SSL configuration
- * \param dhm_P    Diffie-Hellman-Merkle modulus in big-endian binary form
- * \param P_len    Length of DHM modulus
- * \param dhm_G    Diffie-Hellman-Merkle generator in big-endian binary form
- * \param G_len    Length of DHM generator
- *
- * \return         0 if successful
- */
-int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
-                                  const unsigned char *dhm_P, size_t P_len,
-                                  const unsigned char *dhm_G,  size_t G_len);
-
-/**
- * \brief          Set the Diffie-Hellman public P and G values,
- *                 read from existing context (server-side only)
- *
- * \param conf     SSL configuration
- * \param dhm_ctx  Diffie-Hellman-Merkle context
- *
- * \return         0 if successful
- */
-int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx);
-#endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
-/**
- * \brief          Set the minimum length for Diffie-Hellman parameters.
- *                 (Client-side only.)
- *                 (Default: 1024 bits.)
- *
- * \param conf     SSL configuration
- * \param bitlen   Minimum bit length of the DHM prime
- */
-void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
-                                     unsigned int bitlen);
-#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
-
 /**
  * \brief          Set the allowed groups in order of preference.
  *

library/Makefile

@@ -139,7 +139,6 @@ OBJS_CRYPTO= \
 	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
 	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
 	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
-	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/dhm.o \
 	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
 	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
 	     $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \

library/ssl_misc.h

@@ -763,10 +763,6 @@ struct mbedtls_ssl_handshake_params {
     const uint16_t *sig_algs;
 #endif
 
-#if defined(MBEDTLS_DHM_C)
-    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
-#endif
-
 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
     psa_key_type_t xxdh_psa_type;
     size_t xxdh_psa_bits;

library/ssl_tls.c

@@ -911,9 +911,6 @@ static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
 
     handshake->update_checksum = ssl_update_checksum_start;
 
-#if defined(MBEDTLS_DHM_C)
-    mbedtls_dhm_init(&handshake->dhm_ctx);
-#endif
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     handshake->psa_pake_ctx = psa_pake_operation_init();
     handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
@@ -2431,57 +2428,6 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type
     return PSA_SUCCESS;
 }
 
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
-                                  const unsigned char *dhm_P, size_t P_len,
-                                  const unsigned char *dhm_G, size_t G_len)
-{
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-    mbedtls_mpi_free(&conf->dhm_P);
-    mbedtls_mpi_free(&conf->dhm_G);
-
-    if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
-        (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
-        mbedtls_mpi_free(&conf->dhm_P);
-        mbedtls_mpi_free(&conf->dhm_G);
-        return ret;
-    }
-
-    return 0;
-}
-
-int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
-{
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-    mbedtls_mpi_free(&conf->dhm_P);
-    mbedtls_mpi_free(&conf->dhm_G);
-
-    if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
-                                     &conf->dhm_P)) != 0 ||
-        (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
-                                     &conf->dhm_G)) != 0) {
-        mbedtls_mpi_free(&conf->dhm_P);
-        mbedtls_mpi_free(&conf->dhm_G);
-        return ret;
-    }
-
-    return 0;
-}
-#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
-/*
- * Set the minimum length for Diffie-Hellman parameters
- */
-void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
-                                     unsigned int bitlen)
-{
-    conf->dhm_min_bitlen = bitlen;
-}
-#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
-
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
 /*
@@ -4537,10 +4483,6 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
     psa_hash_abort(&handshake->fin_sha384_psa);
 #endif
 
-#if defined(MBEDTLS_DHM_C)
-    mbedtls_dhm_free(&handshake->dhm_ctx);
-#endif
-
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     psa_pake_abort(&handshake->psa_pake_ctx);
     /*
@@ -5551,10 +5493,6 @@ static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
                                 int endpoint, int transport, int preset)
 {
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-#endif
-
 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
     if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
         mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
@@ -5629,21 +5567,6 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
     memset(conf->renego_period + 2, 0xFF, 6);
 #endif
 
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-    if (endpoint == MBEDTLS_SSL_IS_SERVER) {
-        const unsigned char dhm_p[] =
-            MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
-        const unsigned char dhm_g[] =
-            MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
-
-        if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
-                                                 dhm_p, sizeof(dhm_p),
-                                                 dhm_g, sizeof(dhm_g))) != 0) {
-            return ret;
-        }
-    }
-#endif
-
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
 
 #if defined(MBEDTLS_SSL_EARLY_DATA)
@@ -5733,10 +5656,6 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 
             conf->group_list = ssl_preset_default_groups;
-
-#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
-            conf->dhm_min_bitlen = 1024;
-#endif
     }
 
     return 0;
@@ -5751,11 +5670,6 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
         return;
     }
 
-#if defined(MBEDTLS_DHM_C)
-    mbedtls_mpi_free(&conf->dhm_P);
-    mbedtls_mpi_free(&conf->dhm_G);
-#endif
-
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
     if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
         conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;

programs/Makefile

@@ -38,9 +38,7 @@ APPS = \
 	hash/generic_sum \
 	hash/hello \
 	hash/md_hmac_demo \
-	pkey/dh_client \
 	pkey/dh_genprime \
-	pkey/dh_server \
 	pkey/ecdh_curve25519 \
 	pkey/ecdsa \
 	pkey/gen_key \
@@ -175,18 +173,10 @@ hash/md_hmac_demo$(EXEXT): hash/md_hmac_demo.c $(DEP)
 	echo "  CC    hash/md_hmac_demo.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/md_hmac_demo.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-pkey/dh_client$(EXEXT): pkey/dh_client.c $(DEP)
-	echo "  CC    pkey/dh_client.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_client.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
 pkey/dh_genprime$(EXEXT): pkey/dh_genprime.c $(DEP)
 	echo "  CC    pkey/dh_genprime.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_genprime.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-pkey/dh_server$(EXEXT): pkey/dh_server.c $(DEP)
-	echo "  CC    pkey/dh_server.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_server.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
-
 pkey/ecdh_curve25519$(EXEXT): pkey/ecdh_curve25519.c $(DEP)
 	echo "  CC    pkey/ecdh_curve25519.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdh_curve25519.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@

programs/pkey/CMakeLists.txt

@@ -1,16 +1,3 @@
-set(executables_mbedtls
-    dh_client
-    dh_server
-)
-add_dependencies(${programs_target} ${executables_mbedtls})
-
-foreach(exe IN LISTS executables_mbedtls)
-    add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-    set_base_compile_options(${exe})
-    target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT})
-    target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include)
-endforeach()
-
 set(executables_mbedcrypto
     dh_genprime
     ecdh_curve25519
@@ -40,6 +27,6 @@ foreach(exe IN LISTS executables_mbedcrypto)
     target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include)
 endforeach()
 
-install(TARGETS ${executables_mbedtls} ${executables_mbedcrypto}
+install(TARGETS ${executables_mbedcrypto}
         DESTINATION "bin"
         PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)