lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge remote-tracking branch 'development' into HEAD

Browse Source
This commit is contained in:
Gilles Peskine
2025-05-07 14:41:13 +02:00
parent 47c8579ed0 2439c4c14a
commit 1876efc157
753 changed files with 5856 additions and 286571 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
library/Makefile
View File

@ -113,7 +113,6 @@ OBJS_CRYPTO= \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_client.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_se.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_slot_management.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_storage.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_its_file.o \
@ -139,7 +138,6 @@ OBJS_CRYPTO= \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/dhm.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \

574
library/ssl_ciphersuites.c
View File

@ -16,9 +16,7 @@
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
#endif
#include <string.h>
@ -51,123 +49,75 @@ static const int ciphersuite_preference[] =
/* Chacha-Poly ephemeral suites */
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
/* All AES-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
/* All CAMELLIA-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
/* All ARIA-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
/* All AES-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
/* All CAMELLIA-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
/* All ARIA-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
/* The PSK ephemeral suites */
MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
/* The ECJPAKE suite */
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
/* All AES-256 suites */
MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
/* All CAMELLIA-256 suites */
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
@ -176,28 +126,18 @@ static const int ciphersuite_preference[] =
/* All ARIA-256 suites */
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
/* All AES-128 suites */
MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
/* All CAMELLIA-128 suites */
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
@ -206,10 +146,8 @@ static const int ciphersuite_preference[] =
/* All ARIA-128 suites */
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
/* The PSK suites */
MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
@ -239,13 +177,7 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
MBEDTLS_TLS_RSA_WITH_NULL_SHA,
MBEDTLS_TLS_RSA_WITH_NULL_MD5,
MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
@ -318,14 +250,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
{ MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
{ MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
@ -342,14 +266,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
{ MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 &&
PSA_WANT_ALG_SHA_256 &&
MBEDTLS_SSL_PROTO_TLS1_2 */
@ -551,225 +467,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_384) && \
defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_384) && \
defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_1 */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_1)
@ -1051,107 +748,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
@ -1218,29 +814,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(PSA_WANT_ALG_MD5)
{ MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
@ -1264,29 +837,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
@ -1313,41 +863,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(PSA_WANT_KEY_TYPE_ARIA)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-RSA-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
@ -1544,76 +1059,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
"TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
"TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#endif /* PSA_WANT_KEY_TYPE_ARIA */
@ -1732,7 +1177,6 @@ int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name)
size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t key_type;
psa_algorithm_t alg;
@ -1747,20 +1191,12 @@ size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersui
}
return key_bits;
#else
const mbedtls_cipher_info_t * const cipher_info =
mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) info->cipher);
return mbedtls_cipher_info_get_key_bitlen(cipher_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA;
@ -1776,13 +1212,9 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphe
}
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
return PSA_ALG_RSA_PKCS1V15_CRYPT;
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return PSA_ALG_RSA_PKCS1V15_SIGN(
mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
@ -1802,9 +1234,6 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
return PSA_KEY_USAGE_DECRYPT;
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return PSA_KEY_USAGE_SIGN_HASH;
@ -1817,12 +1246,10 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c
return 0;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA;
@ -1863,7 +1290,6 @@ int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_PSK:
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
return 1;

24
library/ssl_ciphersuites_internal.h
View File

@ -14,10 +14,8 @@
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
#endif /* MBEDTLS_PK_C */
@ -28,8 +26,6 @@ int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
@ -48,7 +44,6 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_PSK:
return 1;
@ -75,8 +70,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuit
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
@ -91,8 +84,6 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_cip
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
@ -104,20 +95,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_cipher
}
}
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
return 1;
default:
return 0;
}
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
{
@ -138,7 +115,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return 1;

13
library/ssl_client.c
View File

@ -222,7 +222,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
unsigned char *p = buf;
unsigned char *named_group_list; /* Start of named_group_list */
size_t named_group_list_len; /* Length of named_group_list */
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
*out_len = 0;
@ -725,9 +725,8 @@ static int ssl_generate_random(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_HAVE_TIME */
}
ret = ssl->conf->f_rng(ssl->conf->p_rng,
randbytes + gmt_unix_time_len,
MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
ret = psa_generate_random(randbytes + gmt_unix_time_len,
MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
return ret;
}
@ -867,9 +866,9 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
if (session_id_len != session_negotiate->id_len) {
session_negotiate->id_len = session_id_len;
if (session_id_len > 0) {
ret = ssl->conf->f_rng(ssl->conf->p_rng,
session_negotiate->id,
session_id_len);
ret = psa_generate_random(session_negotiate->id,
session_id_len);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);
return ret;

134
library/ssl_cookie.c
View File

@ -22,7 +22,6 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
@ -33,7 +32,6 @@ static int local_err_translation(psa_status_t status)
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
* If DTLS is in use, then at least one of SHA-256 or SHA-384 is
@ -59,21 +57,12 @@ static int local_err_translation(psa_status_t status)
void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->psa_hmac_key = MBEDTLS_SVC_KEY_ID_INIT;
#else
mbedtls_md_init(&ctx->hmac_ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_HAVE_TIME)
ctx->serial = 0;
#endif
ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_init(&ctx->mutex);
#endif
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
}
void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
@ -87,30 +76,17 @@ void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->psa_hmac_key);
#else
mbedtls_md_free(&ctx->hmac_ctx);
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free(&ctx->mutex);
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
}
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t alg;
(void) f_rng;
(void) p_rng;
alg = mbedtls_md_psa_alg_from_type(COOKIE_MD);
if (alg == 0) {
@ -130,57 +106,10 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
&ctx->psa_hmac_key)) != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char key[COOKIE_MD_OUTLEN];
if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
return ret;
}
ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
if (ret != 0) {
return ret;
}
ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
if (ret != 0) {
return ret;
}
mbedtls_platform_zeroize(key, sizeof(key));
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return 0;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/*
* Generate the HMAC part of a cookie
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
const unsigned char time[4],
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len)
{
unsigned char hmac_out[COOKIE_MD_OUTLEN];
MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
*p += COOKIE_HMAC_LEN;
return 0;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/*
* Generate cookie for DTLS ClientHello verification
@ -189,11 +118,9 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
#endif
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long t;
@ -213,7 +140,6 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
MBEDTLS_PUT_UINT32_BE(t, *p, 0);
*p += 4;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) {
@ -243,31 +169,12 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
*p += COOKIE_HMAC_LEN;
ret = 0;
#else
#if defined(MBEDTLS_THREADING_C)
if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
}
#endif
ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
p, end, cli_id, cli_id_len);
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
MBEDTLS_ERR_THREADING_MUTEX_ERROR);
}
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret;
}
@ -278,13 +185,8 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
const unsigned char *cookie, size_t cookie_len,
const unsigned char *cli_id, size_t cli_id_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#else
unsigned char ref_hmac[COOKIE_HMAC_LEN];
unsigned char *p = ref_hmac;
#endif
int ret = 0;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long cur_time, cookie_time;
@ -297,7 +199,6 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
return -1;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) {
@ -326,35 +227,6 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
}
ret = 0;
#else
#if defined(MBEDTLS_THREADING_C)
if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
}
#endif
if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
&p, p + sizeof(ref_hmac),
cli_id, cli_id_len) != 0) {
ret = -1;
}
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
MBEDTLS_ERR_THREADING_MUTEX_ERROR);
}
#endif
if (ret != 0) {
goto exit;
}
if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
ret = -1;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_HAVE_TIME)
cur_time = (unsigned long) mbedtls_time(NULL);
@ -370,14 +242,10 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
}
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#else
mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret;
}
#endif /* MBEDTLS_SSL_COOKIE_C */

188
library/ssl_misc.h
View File

@ -16,12 +16,14 @@
#include "mbedtls/error.h"
#include "mbedtls/ssl.h"
#include "mbedtls/debug.h"
#include "debug_internal.h"
#include "mbedtls/cipher.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#endif
extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
#if defined(PSA_WANT_ALG_MD5)
#include "mbedtls/md5.h"
@ -39,11 +41,6 @@
#include "mbedtls/sha512.h"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
!defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/ecjpake.h"
#endif
#include "mbedtls/pk.h"
#include "ssl_ciphersuites_internal.h"
#include "x509_internal.h"
@ -57,6 +54,22 @@
#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
#endif
/** Flag values for mbedtls_ssl_context::flags. */
typedef enum {
/** Set if mbedtls_ssl_set_hostname() has been called. */
MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET = 1,
} mbedtls_ssl_context_flags_t;
/** Flags from ::mbedtls_ssl_context_flags_t to keep in
* mbedtls_ssl_session_reset().
*
* The flags that are in this list are kept until explicitly updated or
* until mbedtls_ssl_free(). The flags that are not listed here are
* reset to 0 in mbedtls_ssl_session_reset().
*/
#define MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION \
(MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET)
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
@ -769,16 +782,6 @@ struct mbedtls_ssl_handshake_params {
const uint16_t *sig_algs;
#endif
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
#endif
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
psa_key_type_t xxdh_psa_type;
size_t xxdh_psa_bits;
@ -789,13 +792,9 @@ struct mbedtls_ssl_handshake_params {
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
mbedtls_svc_key_id_t psa_pake_password;
uint8_t psa_pake_ctx_is_ok;
#else
mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C)
unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
size_t ecjpake_cache_len; /*!< Length of cached data */
@ -809,13 +808,8 @@ struct mbedtls_ssl_handshake_params {
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
uint8_t psk_opaque_is_internal;
#else
unsigned char *psk; /*!< PSK from the callback */
size_t psk_len; /*!< Length of PSK from callback */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
uint16_t selected_identity;
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
@ -923,18 +917,10 @@ struct mbedtls_ssl_handshake_params {
* Checksum contexts
*/
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_operation_t fin_sha256_psa;
#else
mbedtls_md_context_t fin_sha256;
#endif
#endif
#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_operation_t fin_sha384_psa;
#else
mbedtls_md_context_t fin_sha384;
#endif
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@ -1018,7 +1004,6 @@ struct mbedtls_ssl_handshake_params {
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/** Asynchronous operation context. This field is meant for use by the
* asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
* mbedtls_ssl_config::f_async_decrypt_start,
* mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
* The library does not use it internally. */
void *user_async_ctx;
@ -1129,14 +1114,9 @@ struct mbedtls_ssl_transform {
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
#else
mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int encrypt_then_mac; /*!< flag for EtM activation */
@ -1146,14 +1126,9 @@ struct mbedtls_ssl_transform {
mbedtls_ssl_protocol_version tls_version;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
psa_algorithm_t psa_alg; /*!< psa algorithm */
#else
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
uint8_t in_cid_len;
@ -1162,14 +1137,15 @@ struct mbedtls_ssl_transform {
unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
/* We need the Hello random bytes in order to re-derive keys from the
* Master Secret and other session info,
* see ssl_tls12_populate_transform() */
* Master Secret and other session info and for the keying material
* exporter in TLS 1.2.
* See ssl_tls12_populate_transform() */
unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
/*!< ServerHello.random+ClientHello.random */
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
#endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
};
/*
@ -1332,12 +1308,30 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_DEBUG_C)
/* Declared in "ssl_debug_helpers.h". We can't include this file from
* "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
* type definitions. TODO: split the type definitions and the helper
* functions into different headers.
*/
const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
#endif
static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
mbedtls_ssl_states state)
{
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
ssl->state, mbedtls_ssl_states_str(ssl->state),
(int) state, mbedtls_ssl_states_str(state)));
ssl->state = (int) state;
}
static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
}
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
@ -1498,20 +1492,11 @@ int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
unsigned hs_type,
size_t total_hs_len);
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
mbedtls_key_exchange_type_t key_ex);
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/**
* Get the first defined opaque PSK by order of precedence:
* 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
@ -1532,31 +1517,6 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
return MBEDTLS_SVC_KEY_ID_INIT;
}
#else
/**
* Get the first defined PSK by order of precedence:
* 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
* 2. static PSK configured by \c mbedtls_ssl_conf_psk()
* Return a code and update the pair (PSK, PSK length) passed to this function
*/
static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
const unsigned char **psk, size_t *psk_len)
{
if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
*psk = ssl->handshake->psk;
*psk_len = ssl->handshake->psk_len;
} else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
*psk = ssl->conf->psk;
*psk_len = ssl->conf->psk_len;
} else {
*psk = NULL;
*psk_len = 0;
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
@ -1799,9 +1759,7 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
mbedtls_record *rec);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
mbedtls_ssl_transform *transform,
@ -1829,10 +1787,11 @@ void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform);
void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
@ -2267,30 +2226,6 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
size_t dst_len,
size_t *olen);
/*
* Return supported groups.
*
* In future, invocations can be changed to ssl->conf->group_list
* when mbedtls_ssl_conf_curves() is deleted.
*
* ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
* identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
* ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
*
*/
static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
return ssl->conf->group_list;
#else
if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
return ssl->handshake->group_list;
} else {
return ssl->conf->group_list;
}
#endif
}
/*
* Helper functions for NamedGroup.
*/
@ -2333,7 +2268,7 @@ static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
static inline int mbedtls_ssl_named_group_is_offered(
const mbedtls_ssl_context *ssl, uint16_t named_group)
{
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
if (group_list == NULL) {
return 0;
@ -2627,7 +2562,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
* Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
* guaranteed to not be a valid PSA algorithm identifier.
@ -2688,10 +2622,8 @@ static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t stat
}
}
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
typedef enum {
MBEDTLS_ECJPAKE_ROUND_ONE,
@ -2734,7 +2666,7 @@ int mbedtls_psa_ecjpake_write_round(
size_t len, size_t *olen,
mbedtls_ecjpake_rounds_t round);
#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
/**
* \brief TLS record protection modes
@ -2965,12 +2897,9 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
* max_data_len. In particular, this function always reads exactly \p
* max_data_len bytes from \p data.
*
* \param ctx The HMAC context. It must have keys configured
* with mbedtls_md_hmac_starts() and use one of the
* following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
* It is reset using mbedtls_md_hmac_reset() after
* the computation is complete to prepare for the
* next computation.
* \param key The HMAC key.
* \param mac_alg The hash algorithm.
* Must be one of SHA-384, SHA-256, SHA-1 or MD-5.
* \param add_data The first part of the message whose HMAC is being
* calculated. This must point to a readable buffer
* of \p add_data_len bytes.
@ -2993,7 +2922,6 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
* \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
* The hardware accelerator failed.
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
psa_algorithm_t mac_alg,
const unsigned char *add_data,
@ -3003,16 +2931,6 @@ int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
size_t min_data_len,
size_t max_data_len,
unsigned char *output);
#else
int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
const unsigned char *add_data,
size_t add_data_len,
const unsigned char *data,
size_t data_len_secret,
size_t min_data_len,
size_t max_data_len,
unsigned char *output);
#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
#endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
#endif /* ssl_misc.h */

507
library/ssl_msg.c
View File

@ -26,16 +26,13 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#include "psa/crypto.h"
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/oid.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@ -45,11 +42,9 @@ static int local_err_translation(psa_status_t status)
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(PSA_WANT_ALG_SHA_384)
#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_384)
@ -179,99 +174,6 @@ cleanup:
#undef MAX_HASH_BLOCK_LENGTH
#else
MBEDTLS_STATIC_TESTABLE
int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
const unsigned char *add_data,
size_t add_data_len,
const unsigned char *data,
size_t data_len_secret,
size_t min_data_len,
size_t max_data_len,
unsigned char *output)
{
/*
* This function breaks the HMAC abstraction and uses the md_clone()
* extension to the MD API in order to get constant-flow behaviour.
*
* HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
* concatenation, and okey/ikey are the XOR of the key with some fixed bit
* patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
*
* We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
* minlen, then cloning the context, and for each byte up to maxlen
* finishing up the hash computation, keeping only the correct result.
*
* Then we only need to compute HASH(okey + inner_hash) and we're done.
*/
const mbedtls_md_type_t md_alg = mbedtls_md_get_type(ctx->md_info);
/* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
* all of which have the same block size except SHA-384. */
const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
const unsigned char * const ikey = ctx->hmac_ctx;
const unsigned char * const okey = ikey + block_size;
const size_t hash_size = mbedtls_md_get_size(ctx->md_info);
unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_context_t aux;
size_t offset;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_init(&aux);
#define MD_CHK(func_call) \
do { \
ret = (func_call); \
if (ret != 0) \
goto cleanup; \
} while (0)
MD_CHK(mbedtls_md_setup(&aux, ctx->md_info, 0));
/* After hmac_start() of hmac_reset(), ikey has already been hashed,
* so we can start directly with the message */
MD_CHK(mbedtls_md_update(ctx, add_data, add_data_len));
MD_CHK(mbedtls_md_update(ctx, data, min_data_len));
/* Fill the hash buffer in advance with something that is
* not a valid hash (barring an attack on the hash and
* deliberately-crafted input), in case the caller doesn't
* check the return status properly. */
memset(output, '!', hash_size);
/* For each possible length, compute the hash up to that point */
for (offset = min_data_len; offset <= max_data_len; offset++) {
MD_CHK(mbedtls_md_clone(&aux, ctx));
MD_CHK(mbedtls_md_finish(&aux, aux_out));
/* Keep only the correct inner_hash in the output buffer */
mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offset, data_len_secret),
output, aux_out, NULL, hash_size);
if (offset < max_data_len) {
MD_CHK(mbedtls_md_update(ctx, data + offset, 1));
}
}
/* The context needs to finish() before it starts() again */
MD_CHK(mbedtls_md_finish(ctx, aux_out));
/* Now compute HASH(okey + inner_hash) */
MD_CHK(mbedtls_md_starts(ctx));
MD_CHK(mbedtls_md_update(ctx, okey, block_size));
MD_CHK(mbedtls_md_update(ctx, output, hash_size));
MD_CHK(mbedtls_md_finish(ctx, output));
/* Done, get ready for next time */
MD_CHK(mbedtls_md_hmac_reset(ctx));
#undef MD_CHK
cleanup:
mbedtls_md_free(&aux);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
@ -899,9 +801,7 @@ static void ssl_build_record_nonce(unsigned char *dst_iv,
int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
mbedtls_record *rec)
{
mbedtls_ssl_mode_t ssl_mode;
int auth_done = 0;
@ -923,14 +823,6 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
((void) ssl);
#endif
/* The PRNG is used for dynamic IV generation that's used
* for CBC transformations in TLS 1.2. */
#if !(defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
defined(MBEDTLS_SSL_PROTO_TLS1_2))
((void) f_rng);
((void) p_rng);
#endif
MBEDTLS_SSL_DEBUG_MSG(2, ("=> encrypt buf"));
if (transform == NULL) {
@ -1039,17 +931,14 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
transform->tls_version,
transform->taglen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
transform->psa_mac_alg);
if (status != PSA_SUCCESS) {
@ -1071,25 +960,6 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
if (status != PSA_SUCCESS) {
goto hmac_failed_etm_disabled;
}
#else
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
add_data_len);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, data, rec->data_len);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy(data + rec->data_len, mac, transform->maclen);
#endif
@ -1103,13 +973,11 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
hmac_failed_etm_disabled:
mbedtls_platform_zeroize(mac, transform->maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac_xxx", ret);
return ret;
@ -1138,9 +1006,7 @@ hmac_failed_etm_disabled:
size_t dynamic_iv_len;
int dynamic_iv_is_explicit =
ssl_transform_aead_dynamic_iv_is_explicit(transform);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* Check that there's space for the authentication tag. */
@ -1192,7 +1058,6 @@ hmac_failed_etm_disabled:
/*
* Encrypt and authenticate
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_aead_encrypt(transform->psa_key_enc,
transform->psa_alg,
iv, transform->ivlen,
@ -1206,18 +1071,6 @@ hmac_failed_etm_disabled:
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret);
return ret;
}
#else
if ((ret = mbedtls_cipher_auth_encrypt_ext(&transform->cipher_ctx_enc,
iv, transform->ivlen,
add_data, add_data_len,
data, rec->data_len, /* src */
data, rec->buf_len - (size_t) (data - rec->buf), /* dst */
&rec->data_len,
transform->taglen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt_ext", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_BUF(4, "after encrypt: tag",
data + rec->data_len - transform->taglen,
@ -1248,11 +1101,9 @@ hmac_failed_etm_disabled:
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t padlen, i;
size_t olen;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t part_len;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Currently we're always using minimal padding
* (up to 255 bytes would be allowed). */
@ -1279,10 +1130,6 @@ hmac_failed_etm_disabled:
* Prepend per-record IV for block cipher in TLS v1.2 as per
* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
*/
if (f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
if (rec->data_offset < transform->ivlen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
@ -1292,7 +1139,7 @@ hmac_failed_etm_disabled:
/*
* Generate IV
*/
ret = f_rng(p_rng, transform->iv_enc, transform->ivlen);
ret = psa_generate_random(transform->iv_enc, transform->ivlen);
if (ret != 0) {
return ret;
}
@ -1307,7 +1154,6 @@ hmac_failed_etm_disabled:
rec->data_len, transform->ivlen,
padlen + 1));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_cipher_encrypt_setup(&cipher_op,
transform->psa_key_enc, transform->psa_alg);
@ -1349,16 +1195,6 @@ hmac_failed_etm_disabled:
}
olen += part_len;
#else
if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
transform->iv_enc,
transform->ivlen,
data, rec->data_len,
data, &olen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (rec->data_len != olen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
@ -1372,10 +1208,8 @@ hmac_failed_etm_disabled:
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if (auth_done == 0) {
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length))
*/
@ -1392,7 +1226,6 @@ hmac_failed_etm_disabled:
MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
add_data_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
transform->psa_mac_alg);
if (status != PSA_SUCCESS) {
@ -1414,27 +1247,6 @@ hmac_failed_etm_disabled:
if (status != PSA_SUCCESS) {
goto hmac_failed_etm_enabled;
}
#else
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
add_data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc,
data, rec->data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy(data + rec->data_len, mac, transform->maclen);
@ -1444,13 +1256,11 @@ hmac_failed_etm_disabled:
hmac_failed_etm_enabled:
mbedtls_platform_zeroize(mac, transform->maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "HMAC calculation failed", ret);
return ret;
@ -1547,9 +1357,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
unsigned char iv[12];
unsigned char *dynamic_iv;
size_t dynamic_iv_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Extract dynamic part of nonce for AEAD decryption.
@ -1619,7 +1427,6 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
/*
* Decrypt and authenticate
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_aead_decrypt(transform->psa_key_dec,
transform->psa_alg,
iv, transform->ivlen,
@ -1633,23 +1440,6 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret);
return ret;
}
#else
if ((ret = mbedtls_cipher_auth_decrypt_ext
(&transform->cipher_ctx_dec,
iv, transform->ivlen,
add_data, add_data_len,
data, rec->data_len + transform->taglen, /* src */
data, rec->buf_len - (size_t) (data - rec->buf), &olen, /* dst */
transform->taglen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_decrypt_ext", ret);
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
return MBEDTLS_ERR_SSL_INVALID_MAC;
}
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
auth_done++;
@ -1664,11 +1454,9 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
if (ssl_mode == MBEDTLS_SSL_MODE_CBC ||
ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
size_t minlen = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t part_len;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Check immediate ciphertext sanity
@ -1716,11 +1504,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
*/
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#else
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
@ -1742,7 +1526,6 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
/* Calculate expected MAC. */
MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
add_data_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_verify_setup(&operation, transform->psa_mac_dec,
transform->psa_mac_alg);
if (status != PSA_SUCCESS) {
@ -1765,51 +1548,14 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
if (status != PSA_SUCCESS) {
goto hmac_failed_etm_enabled;
}
#else
ret = mbedtls_md_hmac_update(&transform->md_ctx_dec, add_data,
add_data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_update(&transform->md_ctx_dec,
data, rec->data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_finish(&transform->md_ctx_dec, mac_expect);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_reset(&transform->md_ctx_dec);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
MBEDTLS_SSL_DEBUG_BUF(4, "message mac", data + rec->data_len,
transform->maclen);
MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect,
transform->maclen);
/* Compare expected MAC with MAC at the end of the record. */
if (mbedtls_ct_memcmp(data + rec->data_len, mac_expect,
transform->maclen) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
goto hmac_failed_etm_enabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
auth_done++;
hmac_failed_etm_enabled:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#else
mbedtls_platform_zeroize(mac_expect, transform->maclen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
if (ret != MBEDTLS_ERR_SSL_INVALID_MAC) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hmac_xxx", ret);
@ -1847,7 +1593,6 @@ hmac_failed_etm_enabled:
/* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_cipher_decrypt_setup(&cipher_op,
transform->psa_key_dec, transform->psa_alg);
@ -1886,15 +1631,6 @@ hmac_failed_etm_enabled:
}
olen += part_len;
#else
if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_dec,
transform->iv_dec, transform->ivlen,
data, rec->data_len, data, &olen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Double-check that length hasn't changed during decryption. */
if (rec->data_len != olen) {
@ -2036,18 +1772,11 @@ hmac_failed_etm_enabled:
const size_t max_len = rec->data_len + padlen;
const size_t min_len = (max_len > 256) ? max_len - 256 : 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_ct_hmac(transform->psa_mac_dec,
transform->psa_mac_alg,
add_data, add_data_len,
data, rec->data_len, min_len, max_len,
mac_expect);
#else
ret = mbedtls_ct_hmac(&transform->md_ctx_dec,
add_data, add_data_len,
data, rec->data_len, min_len, max_len,
mac_expect);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ct_hmac", ret);
goto hmac_failed_etm_disabled;
@ -2982,8 +2711,7 @@ int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
return ret;
}
@ -3219,19 +2947,34 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
if (ssl->in_hsfraglen == 0) {
/* The handshake message must at least include the header.
* We may not have the full message yet in case of fragmentation.
* To simplify the code, we insist on having the header (and in
* particular the handshake message length) in the first
* fragment. */
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
}
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
MBEDTLS_PRINTF_SIZET,
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
if (ssl->transform_in != NULL) {
MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:"
" iv-buf=%d hdr-buf=%d hdr-buf=%d",
(int) (ssl->in_iv - ssl->in_buf),
(int) (ssl->in_hdr - ssl->in_buf),
(int) (ssl->in_msg - ssl->in_buf)));
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3291,10 +3034,105 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/* With TLS we don't handle fragmentation (for now) */
if (ssl->in_msglen < ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
{
unsigned char *const reassembled_record_start =
ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
unsigned char *const payload_start =
reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl);
unsigned char *payload_end = payload_start + ssl->in_hsfraglen;
/* How many more bytes we want to have a complete handshake message. */
const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen;
/* How many bytes of the current record are part of the first
* handshake message. There may be more handshake messages (possibly
* incomplete) in the same record; if so, we leave them after the
* current record, and ssl_consume_current_message() will take
* care of consuming the next handshake message. */
const size_t hs_this_fragment_len =
ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen;
(void) hs_this_fragment_len;
MBEDTLS_SSL_DEBUG_MSG(3,
("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET
", %" MBEDTLS_PRINTF_SIZET
"..%" MBEDTLS_PRINTF_SIZET
" of %" MBEDTLS_PRINTF_SIZET,
(ssl->in_hsfraglen != 0 ?
"subsequent" :
hs_this_fragment_len == ssl->in_hslen ?
"sole" :
"initial"),
ssl->in_msglen,
ssl->in_hsfraglen,
ssl->in_hsfraglen + hs_this_fragment_len,
ssl->in_hslen));
/* Move the received handshake fragment to have the whole message
* (at least the part received so far) in a single segment at a
* known offset in the input buffer.
* - When receiving a non-initial handshake fragment, append it to
* the initial segment.
* - Even the initial handshake fragment is moved, if it was
* encrypted with an explicit IV: decryption leaves the payload
* after the explicit IV, but here we move it to start where the
* IV was.
*/
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t const in_buf_len = ssl->in_buf_len;
#else
size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: no room to move handshake fragment %"
MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%"
MBEDTLS_PRINTF_SIZET ")",
ssl->in_msglen,
(void *) ssl->in_msg, (void *) payload_end,
(void *) ssl->in_buf, in_buf_len));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
memmove(payload_end, ssl->in_msg, ssl->in_msglen);
ssl->in_hsfraglen += ssl->in_msglen;
payload_end += ssl->in_msglen;
if (ssl->in_hsfraglen < ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments %"
MBEDTLS_PRINTF_SIZET "/%"
MBEDTLS_PRINTF_SIZET,
ssl->in_hsfraglen, ssl->in_hslen));
ssl->in_hdr = payload_end;
ssl->in_msglen = 0;
mbedtls_ssl_update_in_pointers(ssl);
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
} else {
ssl->in_msglen = ssl->in_hsfraglen;
ssl->in_hsfraglen = 0;
ssl->in_hdr = reassembled_record_start;
mbedtls_ssl_update_in_pointers(ssl);
/* Update the record length in the fully reassembled record */
if (ssl->in_msglen > 0xffff) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: in_msglen=%"
MBEDTLS_PRINTF_SIZET " > 0xffff",
ssl->in_msglen));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen;
(void) record_len;
MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
ssl->in_hdr, record_len);
if (ssl->in_hslen < ssl->in_msglen) {
MBEDTLS_SSL_DEBUG_MSG(3,
("More handshake messages in the record: "
"%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET,
ssl->in_hslen,
ssl->in_msglen - ssl->in_hslen));
}
}
}
return 0;
@ -3861,6 +3699,7 @@ static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
rec->buf_len = rec->data_offset + rec->data_len;
if (rec->data_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("rejecting empty record"));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
@ -4639,6 +4478,14 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
if (ssl->in_hsfraglen != 0) {
/* Not all handshake fragments have arrived, do not consume. */
MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments %"
MBEDTLS_PRINTF_SIZET "/%" MBEDTLS_PRINTF_SIZET,
ssl->in_hsfraglen, ssl->in_hslen));
return 0;
}
/*
* Get next Handshake message in the current record
*/
@ -4664,6 +4511,7 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
ssl->in_msglen -= ssl->in_hslen;
memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
ssl->in_msglen);
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
ssl->in_msg, ssl->in_msglen);
@ -5027,6 +4875,18 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* If we're in the middle of a fragmented TLS handshake message,
* we don't accept any other message type. For TLS 1.3, the spec forbids
* interleaving other message types between handshake fragments. For TLS
* 1.2, the spec does not forbid it but we do. */
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM &&
ssl->in_hsfraglen != 0 &&
ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle"
" of a fragmented handshake message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
/*
* Handle particular types of records
*/
@ -5185,7 +5045,7 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
ssl->out_msglen = 1;
ssl->out_msg[0] = 1;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -5247,7 +5107,7 @@ int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl)
mbedtls_ssl_update_in_pointers(ssl);
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
@ -5338,7 +5198,7 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
} else
#endif
{
ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
ssl->in_ctr = ssl->in_buf;
ssl->in_len = ssl->in_hdr + 3;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl->in_cid = ssl->in_len;
@ -5354,24 +5214,35 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
* Setup an SSL context
*/
void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl)
void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
/* Derive other internal pointers. */
mbedtls_ssl_update_in_pointers(ssl);
}
void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl)
{
/* Set the incoming and outgoing record pointers. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->out_hdr = ssl->out_buf;
ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->out_ctr = ssl->out_buf;
ssl->out_hdr = ssl->out_buf + 8;
ssl->in_hdr = ssl->in_buf + 8;
ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
/* Derive other internal pointers. */
mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
mbedtls_ssl_update_in_pointers(ssl);
}
/*
@ -5440,10 +5311,8 @@ int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
size_t transform_expansion = 0;
const mbedtls_ssl_transform *transform = ssl->transform_out;
unsigned block_size;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t out_hdr_len = mbedtls_ssl_out_hdr_len(ssl);
@ -5452,7 +5321,6 @@ int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (transform->psa_alg == PSA_ALG_GCM ||
transform->psa_alg == PSA_ALG_CCM ||
transform->psa_alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8) ||
@ -5483,41 +5351,6 @@ int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
("Unsupported psa_alg spotted in mbedtls_ssl_get_record_expansion()"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#else
switch (mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)) {
case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM:
case MBEDTLS_MODE_CHACHAPOLY:
case MBEDTLS_MODE_STREAM:
transform_expansion = transform->minlen;
break;
case MBEDTLS_MODE_CBC:
block_size = mbedtls_cipher_get_block_size(
&transform->cipher_ctx_enc);
/* Expansion due to the addition of the MAC. */
transform_expansion += transform->maclen;
/* Expansion due to the addition of CBC padding;
* Theoretically up to 256 bytes, but we never use
* more than the block size of the underlying cipher. */
transform_expansion += block_size;
/* For TLS 1.2 or higher, an explicit IV is added
* after the record header. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
transform_expansion += block_size;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
break;
default:
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if (transform->out_cid_len != 0) {
@ -6202,22 +6035,12 @@ void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(transform->psa_key_enc);
psa_destroy_key(transform->psa_key_dec);
#else
mbedtls_cipher_free(&transform->cipher_ctx_enc);
mbedtls_cipher_free(&transform->cipher_ctx_dec);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(transform->psa_mac_enc);
psa_destroy_key(transform->psa_mac_dec);
#else
mbedtls_md_free(&transform->md_ctx_enc);
mbedtls_md_free(&transform->md_ctx_dec);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif
mbedtls_platform_zeroize(transform, sizeof(mbedtls_ssl_transform));

114
library/ssl_ticket.c
View File

@ -17,7 +17,6 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@ -27,7 +26,6 @@ static int local_err_translation(psa_status_t status)
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
* Initialize context
@ -67,9 +65,7 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
unsigned char buf[MAX_KEY_BYTES] = { 0 };
mbedtls_ssl_ticket_key *key = ctx->keys + index;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
#endif
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
@ -79,15 +75,14 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
*/
key->lifetime = ctx->ticket_lifetime;
if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) {
if ((ret = psa_generate_random(key->name, sizeof(key->name))) != 0) {
return ret;
}
if ((ret = ctx->f_rng(ctx->p_rng, buf, sizeof(buf))) != 0) {
if ((ret = psa_generate_random(buf, sizeof(buf))) != 0) {
return ret;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, key->alg);
@ -98,12 +93,6 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
psa_import_key(&attributes, buf,
PSA_BITS_TO_BYTES(key->key_bits),
&key->key));
#else
/* With GCM and CCM, same context can encrypt & decrypt */
ret = mbedtls_cipher_setkey(&key->ctx, buf,
mbedtls_cipher_get_key_bitlen(&key->ctx),
MBEDTLS_ENCRYPT);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_platform_zeroize(buf, sizeof(buf));
@ -124,9 +113,7 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
mbedtls_time_t current_time = mbedtls_time(NULL);
mbedtls_time_t key_time = key->generation_time;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
if (current_time >= key_time &&
(uint64_t) (current_time - key_time) < key->lifetime) {
@ -135,11 +122,9 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
ctx->active = 1 - ctx->active;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ssl_ticket_gen_key(ctx, ctx->active);
} else
@ -159,19 +144,14 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const size_t bitlen = key->key_bits;
#else
const int bitlen = mbedtls_cipher_get_key_bitlen(&key->ctx);
#endif
if (nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t) bitlen) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
@ -189,12 +169,6 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
}
#else
ret = mbedtls_cipher_setkey(&key->ctx, k, bitlen, MBEDTLS_ENCRYPT);
if (ret != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ctx->active = idx;
ctx->ticket_lifetime = lifetime;
@ -211,51 +185,21 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
* Setup context for actual use
*/
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t key_bits;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg;
psa_key_type_t key_type;
#else
const mbedtls_cipher_info_t *cipher_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
&alg, &key_type, &key_bits) != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
if (PSA_ALG_IS_AEAD(alg) == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
#else
cipher_info = mbedtls_cipher_info_from_type(cipher);
if (mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_GCM &&
mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CCM &&
mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CHACHAPOLY) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
key_bits = mbedtls_cipher_info_get_key_bitlen(cipher_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (key_bits > 8 * MAX_KEY_BYTES) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
ctx->f_rng = f_rng;
ctx->p_rng = p_rng;
ctx->ticket_lifetime = lifetime;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->keys[0].alg = alg;
ctx->keys[0].key_type = key_type;
ctx->keys[0].key_bits = key_bits;
@ -263,15 +207,6 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
ctx->keys[1].alg = alg;
ctx->keys[1].key_type = key_type;
ctx->keys[1].key_bits = key_bits;
#else
if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) != 0) {
return ret;
}
if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 ||
(ret = ssl_ticket_gen_key(ctx, 1)) != 0) {
@ -311,13 +246,11 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
size_t clear_len, ciph_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
*tlen = 0;
if (ctx == NULL || ctx->f_rng == NULL) {
if (ctx == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -341,7 +274,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
if ((ret = ctx->f_rng(ctx->p_rng, iv, TICKET_IV_BYTES)) != 0) {
if ((ret = psa_generate_random(iv, TICKET_IV_BYTES)) != 0) {
goto cleanup;
}
@ -355,7 +288,6 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
MBEDTLS_PUT_UINT16_BE(clear_len, state_len_bytes, 0);
/* Encrypt and authenticate */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_aead_encrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
key_name, TICKET_ADD_DATA_LEN,
state, clear_len,
@ -364,17 +296,6 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
#else
if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx,
iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
state, clear_len,
state, (size_t) (end - state), &ciph_len,
TICKET_AUTH_TAG_BYTES)) != 0) {
goto cleanup;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -428,11 +349,9 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
size_t enc_len, clear_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
if (ctx == NULL || ctx->f_rng == NULL) {
if (ctx == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -466,7 +385,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
}
/* Decrypt and authenticate */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_aead_decrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
@ -474,21 +392,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
#else
if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx,
iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
ticket, enc_len, &clear_len,
TICKET_AUTH_TAG_BYTES)) != 0) {
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
}
goto cleanup;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (clear_len != enc_len) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -537,13 +440,8 @@ void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->keys[0].key);
psa_destroy_key(ctx->keys[1].key);
#else
mbedtls_cipher_free(&ctx->keys[0].ctx);
mbedtls_cipher_free(&ctx->keys[1].ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free(&ctx->mutex);

1270
library/ssl_tls.c
View File

File diff suppressed because it is too large Load Diff

542
library/ssl_tls12_client.c
View File

@ -17,7 +17,6 @@
#include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#include "psa/crypto.h"
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@ -31,7 +30,6 @@ static int local_err_translation(psa_status_t status)
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
@ -136,15 +134,9 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
*olen = 0;
/* Skip costly extension if we can't use EC J-PAKE anyway */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
return 0;
}
#else
if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG(3,
("client hello, adding ecjpake_kkpp extension"));
@ -163,7 +155,6 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
ssl->handshake->ecjpake_cache_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
p + 2, end - p - 2, &kkpp_len,
MBEDTLS_ECJPAKE_ROUND_ONE);
@ -173,16 +164,6 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return ret;
}
#else
ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
p + 2, end - p - 2, &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ecjpake_write_round_one", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
if (ssl->handshake->ecjpake_cache == NULL) {
@ -828,15 +809,6 @@ static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
while (list_size > 0) {
if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
p[0]);
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
return 0;
}
@ -873,7 +845,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
ssl->handshake->ecjpake_cache = NULL;
ssl->handshake->ecjpake_cache_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, buf, len,
MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
@ -889,19 +860,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
}
return 0;
#else
if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
buf, len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return ret;
}
return 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@ -1160,7 +1118,7 @@ static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
ssl->handshake->cookie_len = cookie_len;
/* Start over at ClientHello */
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
ret = mbedtls_ssl_reset_checksum(ssl);
if (0 != ret) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
@ -1369,7 +1327,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->id_len != n ||
memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->resume = 0;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@ -1378,7 +1336,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
ssl->session_negotiate->id_len = n;
memcpy(ssl->session_negotiate->id, buf + 35, n);
} else {
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
}
MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
@ -1660,49 +1618,6 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
return 0;
}
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t dhm_actual_bitlen;
/*
* Ephemeral DH parameters:
*
* struct {
* opaque dh_p<1..2^16-1>;
* opaque dh_g<1..2^16-1>;
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
return ret;
}
dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
dhm_actual_bitlen,
ssl->conf->dhm_min_bitlen));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@ -1776,89 +1691,6 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#else
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
{
uint16_t tls_id;
mbedtls_ecp_group_id grp_id;
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
grp_id = ssl->handshake->ecdh_ctx.grp.id;
#else
grp_id = ssl->handshake->ecdh_ctx.grp_id;
#endif
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
return -1;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
/*
* Ephemeral ECDH parameters:
*
* struct {
* ECParameters curve_params;
* ECPoint public;
* } ServerECDHParams;
*/
if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
(const unsigned char **) p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
if (ssl_check_server_ecdh_params(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1,
("bad server key exchange message (ECDHE curve)"));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
@ -1900,83 +1732,6 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
/*
* Generate a pre-master secret and encrypt it with the server's RSA key
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
size_t offset, size_t *olen,
size_t pms_offset)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len_bytes = 2;
unsigned char *p = ssl->handshake->premaster + pms_offset;
mbedtls_pk_context *peer_pk;
if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
}
/*
* Generate (part of) the pre-master as
* struct {
* ProtocolVersion client_version;
* opaque random[46];
* } PreMasterSecret;
*/
mbedtls_ssl_write_version(p, ssl->conf->transport,
MBEDTLS_SSL_VERSION_TLS1_2);
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
return ret;
}
ssl->handshake->pmslen = 48;
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert == NULL) {
/* Should never happen */
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/*
* Now write it out, encrypted
*/
if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
if ((ret = mbedtls_pk_encrypt(peer_pk,
p, ssl->handshake->pmslen,
ssl->out_msg + offset + len_bytes, olen,
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
return ret;
}
if (len_bytes == 2) {
MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
*olen += 2;
}
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it. */
mbedtls_pk_free(peer_pk);
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
@ -2007,7 +1762,6 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
@ -2049,18 +1803,6 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
}
ssl->handshake->xxdh_psa_peerkey_len = olen;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
MBEDTLS_ECDH_THEIRS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
}
if (ssl_check_server_ecdh_params(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it,
* so that more RAM is available for upcoming expensive
@ -2083,16 +1825,6 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
ssl->state++;
return 0;
}
((void) p);
((void) end);
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
@ -2107,7 +1839,7 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
}
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
((void) p);
@ -2171,7 +1903,6 @@ start_processing:
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
@ -2189,21 +1920,6 @@ start_processing:
; /* nothing more to do */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@ -2224,7 +1940,6 @@ start_processing:
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/*
* The first 3 bytes are:
* [0] MBEDTLS_ECP_TLS_NAMED_CURVE
@ -2261,18 +1976,6 @@ start_processing:
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#else
ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
p, end - p);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{
@ -2444,7 +2147,7 @@ start_processing:
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
exit:
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
@ -2462,7 +2165,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -2489,7 +2192,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -2507,7 +2210,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->client_auth =
(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
@ -2678,7 +2381,7 @@ static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -2703,40 +2406,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
/*
* DHM key exchange -- send G^X mod P
*/
content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
header_len = 6;
ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
&ssl->out_msg[header_len], content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
MBEDTLS_PREMASTER_SIZE,
&ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
@ -2745,7 +2414,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t key_attributes;
@ -2817,74 +2485,12 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
}
#else
/*
* ECDH key exchange -- send client public value
*/
header_len = 4;
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ssl->handshake->ecrs_enabled) {
if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
goto ecdh_calc_secret;
}
mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
}
#endif
ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
&content_len,
&ssl->out_msg[header_len], 1000,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ssl->handshake->ecrs_enabled) {
ssl->handshake->ecrs_n = content_len;
ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
}
ecdh_calc_secret:
if (ssl->handshake->ecrs_enabled) {
content_len = ssl->handshake->ecrs_n;
}
#endif
if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Z);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
@ -3007,8 +2613,7 @@ ecdh_calc_secret:
MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
pms += zlen_size + zlen;
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
/*
@ -3043,101 +2648,17 @@ ecdh_calc_secret:
content_len = 0;
} else
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
/*
* ClientDiffieHellmanPublic public (DHM send G^X mod P)
*/
content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
if (header_len + 2 + content_len >
MBEDTLS_SSL_OUT_CONTENT_LEN) {
MBEDTLS_SSL_DEBUG_MSG(1,
("psk identity or DHM size too long or SSL buffer too short"));
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
}
ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
&ssl->out_msg[header_len], content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
return ret;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *pms = ssl->handshake->premaster;
unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
size_t pms_len;
/* Write length only when we know the actual value */
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
pms + 2, pms_end - (pms + 2), &pms_len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
}
MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
pms += 2 + pms_len;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
#endif
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
/*
* ClientECDiffieHellmanPublic public;
*/
ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
&content_len,
&ssl->out_msg[header_len],
MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
} else
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
{
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
header_len = 4;
if ((ret = ssl_write_encrypted_pms(ssl, header_len,
&content_len, 0)) != 0) {
return ret;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
header_len = 4;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *out_p = ssl->out_msg + header_len;
unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
header_len;
@ -3150,27 +2671,8 @@ ecdh_calc_secret:
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return ret;
}
#else
ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
ssl->out_msg + header_len,
MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
&content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
return ret;
}
ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{
((void) ciphersuite_info);
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
@ -3181,7 +2683,7 @@ ecdh_calc_secret:
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -3210,7 +2712,7 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -3252,14 +2754,14 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
if (ssl->handshake->client_auth == 0 ||
mbedtls_ssl_own_cert(ssl) == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -3325,7 +2827,7 @@ sign:
ssl->out_msg + 6 + offset,
out_buf_len - 6 - offset,
&n,
ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
rs_ctx)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
@ -3341,7 +2843,7 @@ sign:
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -3415,7 +2917,7 @@ static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
/* We're not waiting for a NewSessionTicket message any more */
ssl->handshake->new_session_ticket = 0;
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
/*
* Zero-length ticket means the server changed his mind and doesn't want
@ -3476,13 +2978,13 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
ssl->handshake->new_session_ticket != 0) {
ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_NEW_SESSION_TICKET);
}
#endif
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@ -3567,7 +3069,7 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

643
library/ssl_tls12_server.c
View File

@ -20,7 +20,6 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
@ -33,7 +32,6 @@ static int local_err_translation(psa_status_t status)
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#endif
#if defined(MBEDTLS_ECP_C)
#include "mbedtls/ecp.h"
@ -88,11 +86,9 @@ static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
return 1;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (conf->psk != NULL && conf->psk_len != 0) {
return 1;
@ -261,15 +257,6 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
while (list_size > 0) {
if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
p[0]);
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
return 0;
}
@ -292,17 +279,11 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->psa_pake_ctx_is_ok != 1)
#else
if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, buf, len,
MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
@ -317,15 +298,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
return ret;
}
#else
if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
buf, len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Only mark the extension as OK when we're sure it is */
ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
@ -682,20 +654,16 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
* Try picking a certificate for this ciphersuite,
* return 0 on success and -1 on failure.
*/
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_pick_cert(mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
{
mbedtls_ssl_key_cert *cur, *list;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t pk_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
psa_key_usage_t pk_usage =
mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
#else
mbedtls_pk_type_t pk_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@ -706,11 +674,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
list = ssl->conf->key_cert;
int pk_alg_is_none = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
#else
pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (pk_alg_is_none) {
return 0;
}
@ -728,19 +692,14 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
cur->cert);
int key_type_matches = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
ssl->conf->f_async_decrypt_start != NULL ||
mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
#else
key_type_matches = (
mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#else
key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (!key_type_matches) {
MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
continue;
@ -786,6 +745,8 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
return -1;
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
@ -848,6 +809,8 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
* Final check: if ciphersuite requires us to have a
@ -863,7 +826,6 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
@ -1056,28 +1018,6 @@ read_record_header:
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
{
size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
(unsigned) handshake_len));
/* The record layer has a record size limit of 2^14 - 1 and
* fragmentation is not supported, so buf[1] should be zero. */
if (buf[1] != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
(unsigned) buf[1]));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
/* We don't support fragmentation of ClientHello (yet?) */
if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
(unsigned) msg_len,
(unsigned) mbedtls_ssl_hs_hdr_len(ssl),
(unsigned) handshake_len));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -1657,7 +1597,7 @@ have_ciphersuite:
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->handshake->ciphersuite_info = ciphersuite_info;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -1948,7 +1888,6 @@ static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
p += 2;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
p + 2, (size_t) (end - p - 2), &kkpp_len,
MBEDTLS_ECJPAKE_ROUND_ONE);
@ -1958,15 +1897,6 @@ static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return;
}
#else
ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
p + 2, (size_t) (end - p - 2), &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
return;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
p += 2;
@ -2085,7 +2015,7 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -2203,14 +2133,14 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
(long long) t));
#else
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
if ((ret = psa_generate_random(p, 4)) != 0) {
return ret;
}
p += 4;
#endif /* MBEDTLS_HAVE_TIME */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
if ((ret = psa_generate_random(p, 20)) != 0) {
return ret;
}
p += 20;
@ -2236,7 +2166,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
} else
#endif
{
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
if ((ret = psa_generate_random(p, 8)) != 0) {
return ret;
}
}
@ -2253,7 +2183,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
* New session, create a new session id,
* unless we're about to issue a session ticket
*/
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@ -2267,8 +2197,8 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
{
ssl->session_negotiate->id_len = n = 32;
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
n)) != 0) {
if ((ret = psa_generate_random(ssl->session_negotiate->id,
n)) != 0) {
return ret;
}
}
@ -2277,7 +2207,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
* Resuming a session
*/
n = ssl->session_negotiate->id_len;
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
@ -2403,7 +2333,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -2426,7 +2356,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
@ -2585,7 +2515,6 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
#if defined(MBEDTLS_USE_PSA_CRYPTO)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
@ -2732,33 +2661,6 @@ exit:
return ret;
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
if (private_key == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
MBEDTLS_ECDH_OURS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
}
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
@ -2831,7 +2733,6 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
ssl->out_msglen;
@ -2868,89 +2769,20 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
output_offset += output_len;
ssl->out_msglen += output_offset;
#else
size_t len = 0;
ret = mbedtls_ecjpake_write_round_two(
&ssl->handshake->ecjpake_ctx,
ssl->out_msg + ssl->out_msglen,
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
return ret;
}
ssl->out_msglen += len;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
/*
* For (EC)DHE key exchanges with PSK, parameters are prefixed by support
* For ECDHE key exchanges with PSK, parameters are prefixed by support
* identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
* we use empty support identity hints here.
**/
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
ssl->out_msg[ssl->out_msglen++] = 0x00;
ssl->out_msg[ssl->out_msglen++] = 0x00;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
/*
* - DHE key exchanges
*/
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
/*
* Ephemeral DH parameters:
*
* struct {
* opaque dh_p<1..2^16-1>;
* opaque dh_g<1..2^16-1>;
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
&ssl->conf->dhm_P,
&ssl->conf->dhm_G)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
return ret;
}
if ((ret = mbedtls_dhm_make_params(
&ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
ssl->out_msg + ssl->out_msglen, &len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
return ret;
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
dig_signed = ssl->out_msg + ssl->out_msglen;
#endif
ssl->out_msglen += len;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
/*
* - ECDHE key exchanges
@ -2966,7 +2798,7 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
* } ServerECDHParams;
*/
uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
@ -2992,7 +2824,6 @@ curve_matching_done:
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t key_attributes;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -3074,28 +2905,6 @@ curve_matching_done:
/* Determine full message length. */
len += header_size;
#else
mbedtls_ecp_group_id curr_grp_id =
mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
curr_grp_id)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
return ret;
}
if ((ret = mbedtls_ecdh_make_params(
&ssl->handshake->ecdh_ctx, &len,
ssl->out_msg + ssl->out_msglen,
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
dig_signed = ssl->out_msg + ssl->out_msglen;
@ -3226,9 +3035,7 @@ curve_matching_done:
md_alg, hash, hashlen,
ssl->out_msg + ssl->out_msglen + 2,
out_buf_len - ssl->out_msglen - 2,
signature_len,
ssl->conf->f_rng,
ssl->conf->p_rng)) != 0) {
signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
return ret;
}
@ -3273,7 +3080,7 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
/* Key exchanges not involving ephemeral keys don't use
* ServerKeyExchange, so end here. */
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
@ -3327,7 +3134,7 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -3349,7 +3156,7 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -3375,233 +3182,6 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
return 0;
}
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
const unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t n;
/*
* Receive G^Y mod P, premaster = (G^Y)^X mod P
*/
if (*p + 2 > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
n = MBEDTLS_GET_UINT16_BE(*p, 0);
*p += 2;
if (*p + n > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
*p += n;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
unsigned char *peer_pms,
size_t *peer_pmslen,
size_t peer_pmssize)
{
int ret = ssl->conf->f_async_resume(ssl,
peer_pms, peer_pmslen, peer_pmssize);
if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
ssl->handshake->async_in_progress = 0;
mbedtls_ssl_set_async_operation_data(ssl, NULL);
}
MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
return ret;
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
unsigned char *peer_pms,
size_t *peer_pmslen,
size_t peer_pmssize)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
if (own_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
}
mbedtls_pk_context *public_key = &own_cert->pk;
mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
size_t len = mbedtls_pk_get_len(public_key);
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/* If we have already started decoding the message and there is an ongoing
* decryption operation, resume signing. */
if (ssl->handshake->async_in_progress != 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
return ssl_resume_decrypt_pms(ssl,
peer_pms, peer_pmslen, peer_pmssize);
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
/*
* Prepare to decrypt the premaster using own private RSA key
*/
if (p + 2 > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (*p++ != MBEDTLS_BYTE_1(len) ||
*p++ != MBEDTLS_BYTE_0(len)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (p + len != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
/*
* Decrypt the premaster secret
*/
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ssl->conf->f_async_decrypt_start != NULL) {
ret = ssl->conf->f_async_decrypt_start(ssl,
mbedtls_ssl_own_cert(ssl),
p, len);
switch (ret) {
case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
/* act as if f_async_decrypt_start was null */
break;
case 0:
ssl->handshake->async_in_progress = 1;
return ssl_resume_decrypt_pms(ssl,
peer_pms,
peer_pmslen,
peer_pmssize);
case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
ssl->handshake->async_in_progress = 1;
return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
default:
MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
return ret;
}
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
ret = mbedtls_pk_decrypt(private_key, p, len,
peer_pms, peer_pmslen, peer_pmssize,
ssl->conf->f_rng, ssl->conf->p_rng);
return ret;
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
size_t pms_offset)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *pms = ssl->handshake->premaster + pms_offset;
unsigned char ver[2];
unsigned char fake_pms[48], peer_pms[48];
size_t peer_pmslen;
mbedtls_ct_condition_t diff;
/* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't
* matter in the end because diff will be nonzero in that case due to
* ret being nonzero, and we only care whether diff is 0.
* But do initialize peer_pms and peer_pmslen for robustness anyway. This
* also makes memory analyzers happy (don't access uninitialized memory,
* even if it's an unsigned char). */
peer_pms[0] = peer_pms[1] = ~0;
peer_pmslen = 0;
ret = ssl_decrypt_encrypted_pms(ssl, p, end,
peer_pms,
&peer_pmslen,
sizeof(peer_pms));
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
return ret;
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
mbedtls_ssl_write_version(ver, ssl->conf->transport,
ssl->session_negotiate->tls_version);
/* Avoid data-dependent branches while checking for invalid
* padding, to protect against timing-based Bleichenbacher-type
* attacks. */
diff = mbedtls_ct_bool(ret);
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
/*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
* must not cause the connection to end immediately; instead, send a
* bad_record_mac later in the handshake.
* To protect against timing-based variants of the attack, we must
* not have any branch that depends on whether the decryption was
* successful. In particular, always generate the fake premaster secret,
* regardless of whether it will ultimately influence the output or not.
*/
ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
if (ret != 0) {
/* It's ok to abort on an RNG failure, since this does not reveal
* anything about the RSA decryption. */
return ret;
}
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if (diff != MBEDTLS_CT_FALSE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
}
#endif
if (sizeof(ssl->handshake->premaster) < pms_offset ||
sizeof(ssl->handshake->premaster) - pms_offset < 48) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ssl->handshake->pmslen = 48;
/* Set pms to either the true or the fake PMS, without
* data-dependent branches. */
mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
@ -3668,16 +3248,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
(ssl->handshake->async_in_progress != 0)) {
/* We've already read a record and there is an asynchronous
* operation in progress to decrypt it. So skip reading the
* record. */
MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
} else
#endif
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
return ret;
@ -3696,30 +3266,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
return ret;
}
if (p != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
MBEDTLS_PREMASTER_SIZE,
&ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
@ -3728,7 +3274,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t data_len = (size_t) (*p++);
size_t buf_len = (size_t) (end - p);
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
@ -3789,28 +3334,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
}
}
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#else
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
p, (size_t) (end - p))) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Z);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
@ -3828,61 +3351,10 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
return ret;
}
if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
return ret;
}
if (p != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *pms = ssl->handshake->premaster;
unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
size_t pms_len;
/* Write length only when we know the actual value */
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
pms + 2, pms_end - (pms + 2), &pms_len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
}
MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
pms += 2 + pms_len;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
#else
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
size_t ecpoint_len;
@ -3964,41 +3436,10 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
psm += zlen_size + zlen;
#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
return ret;
}
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
p, (size_t) (end - p))) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
return ret;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
@ -4008,22 +3449,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
return ret;
}
#else
ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
p, (size_t) (end - p));
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{
@ -4036,7 +3461,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return ret;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
@ -4054,7 +3479,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -4080,20 +3505,20 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
if (ssl->session_negotiate->peer_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert_digest == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@ -4105,7 +3530,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
return ret;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
/* Process the message contents */
if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
@ -4289,7 +3714,7 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@ -4378,7 +3803,7 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

5
library/ssl_tls13_client.c
View File

@ -216,7 +216,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
/* Pick first available ECDHE group compatible with TLS 1.3 */
if (group_list == NULL) {
return MBEDTLS_ERR_SSL_BAD_CONFIG;
@ -318,6 +318,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
ssl, group_id, p, end, &key_exchange_len);
p += key_exchange_len;
if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("client hello: failed generating xxdh key exchange"));
return ret;
}
@ -381,7 +382,7 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
int selected_group;
int found = 0;
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
if (group_list == NULL) {
return MBEDTLS_ERR_SSL_BAD_CONFIG;
}

5
library/ssl_tls13_generic.c
View File

@ -518,7 +518,7 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
switch (ret) {
case 0: /*ok*/
break;
case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
case MBEDTLS_ERR_OID_NOT_FOUND:
/* Ignore certificate with an unknown algorithm: maybe a
prior certificate was already trusted. */
break;
@ -978,8 +978,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
md_alg, verify_hash, verify_hash_len,
p + 4, (size_t) (end - (p + 4)), &signature_len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
p + 4, (size_t) (end - (p + 4)), &signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
mbedtls_ssl_sig_alg_to_str(*sig_alg)));
MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);

122
library/ssl_tls13_keys.c
View File

@ -56,15 +56,16 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
* };
*
* Parameters:
* - desired_length: Length of expanded key material
* Even though the standard allows expansion to up to
* 2**16 Bytes, TLS 1.3 never uses expansion to more than
* 255 Bytes, so we require `desired_length` to be at most
* 255. This allows us to save a few Bytes of code by
* hardcoding the writing of the high bytes.
* - desired_length: Length of expanded key material.
* The length field can hold numbers up to 2**16, but HKDF
* can only generate outputs of up to 255 * HASH_LEN bytes.
* It is the caller's responsibility to ensure that this
* limit is not exceeded. In TLS 1.3, SHA256 is the hash
* function with the smallest block size, so a length
* <= 255 * 32 = 8160 is always safe.
* - (label, label_len): label + label length, without "tls13 " prefix
* The label length MUST be less than or equal to
* MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
* MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN.
* It is the caller's responsibility to ensure this.
* All (label, label length) pairs used in TLS 1.3
* can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
@ -91,7 +92,7 @@ static const char tls13_label_prefix[6] = "tls13 ";
#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
sizeof(tls13_label_prefix) + \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN, \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN)
static void ssl_tls13_hkdf_encode_label(
@ -107,15 +108,13 @@ static void ssl_tls13_hkdf_encode_label(
unsigned char *p = dst;
/* Add the size of the expanded key material.
* We're hardcoding the high byte to 0 here assuming that we never use
* TLS 1.3 HKDF key expansion to more than 255 Bytes. */
#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
/* Add the size of the expanded key material. */
#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX
#error "The desired key length must fit into an uint16 but \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX"
#endif
*p++ = 0;
*p++ = MBEDTLS_BYTE_1(desired_length);
*p++ = MBEDTLS_BYTE_0(desired_length);
/* Add label incl. prefix */
@ -149,7 +148,7 @@ int mbedtls_ssl_tls13_hkdf_expand_label(
psa_key_derivation_operation_t operation =
PSA_KEY_DERIVATION_OPERATION_INIT;
if (label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN) {
if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN) {
/* Should never happen since this is an internal
* function, and we know statically which labels
* are allowed. */
@ -925,23 +924,17 @@ int mbedtls_ssl_tls13_populate_transform(
mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl /* DEBUG ONLY */)
{
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
int ret;
mbedtls_cipher_info_t const *cipher_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
unsigned char const *key_enc;
unsigned char const *iv_enc;
unsigned char const *key_dec;
unsigned char const *iv_dec;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t key_type;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
size_t key_bits;
psa_status_t status = PSA_SUCCESS;
#endif
#if !defined(MBEDTLS_DEBUG_C)
ssl = NULL; /* make sure we don't use it except for those cases */
@ -955,29 +948,6 @@ int mbedtls_ssl_tls13_populate_transform(
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher);
if (cipher_info == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
ciphersuite_info->cipher));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
/*
* Setup cipher contexts in target transform
*/
if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
cipher_info)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
return ret;
}
if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
cipher_info)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SRV_C)
if (endpoint == MBEDTLS_SSL_IS_SERVER) {
@ -1003,21 +973,6 @@ int mbedtls_ssl_tls13_populate_transform(
memcpy(transform->iv_enc, iv_enc, traffic_keys->iv_len);
memcpy(transform->iv_dec, iv_dec, traffic_keys->iv_len);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc,
key_enc, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_ENCRYPT)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
return ret;
}
if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec,
key_dec, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_DECRYPT)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Setup other fields in SSL transform
@ -1041,7 +996,6 @@ int mbedtls_ssl_tls13_populate_transform(
transform->minlen =
transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/*
* Setup psa keys and alg
*/
@ -1082,7 +1036,6 @@ int mbedtls_ssl_tls13_populate_transform(
return PSA_TO_MBEDTLS_ERR(status);
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return 0;
}
@ -1298,8 +1251,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl)
ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, NULL, psk, psk_len,
handshake->tls13_master_secrets.early);
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
mbedtls_free((void *) psk);
#endif
if (ret != 0) {
@ -1839,7 +1791,6 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
unsigned char **psk,
size_t *psk_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@ -1869,15 +1820,40 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
return PSA_TO_MBEDTLS_ERR(status);
}
return 0;
#else
*psk = ssl->handshake->psk;
*psk_len = ssl->handshake->psk_len;
if (*psk == NULL) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
return 0;
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
const unsigned char *secret, const size_t secret_len,
const unsigned char *label, const size_t label_len,
const unsigned char *context_value, const size_t context_len,
unsigned char *out, const size_t out_len)
{
size_t hash_len = PSA_HASH_LENGTH(hash_alg);
unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
int ret = 0;
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0,
MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret,
hash_len);
if (ret != 0) {
goto exit;
}
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
hkdf_secret,
hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter),
context_value,
context_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
out,
out_len);
exit:
mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret));
return ret;
}
#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

34
library/ssl_tls13_keys.h
View File

@ -60,8 +60,9 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
mbedtls_ssl_tls13_labels.LABEL, \
MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL)
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \
sizeof(union mbedtls_ssl_tls13_labels_union)
/* Maximum length of the label field in the HkdfLabel struct defined in
* RFC 8446, Section 7.1, excluding the "tls13 " prefix. */
#define MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN 249
/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
* Since contexts are always hashes of message transcripts, this can
@ -70,13 +71,11 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
PSA_HASH_MAX_SIZE
/* Maximum desired length for expanded key material generated
* by HKDF-Expand-Label.
*
* Warning: If this ever needs to be increased, the implementation
* ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
* adjusted since it currently assumes that HKDF key expansion
* is never used with more than 255 Bytes of output. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
* by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size
* bytes of key material where hash_size is the output size of the
* underlying hash function. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \
(255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)
/**
* \brief The \c HKDF-Expand-Label function from
@ -646,6 +645,23 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
size_t *psk_len);
#endif
/**
* \brief Calculate TLS-Exporter function as defined in RFC 8446, Section 7.5.
*
* \param[in] hash_alg The hash algorithm.
* \param[in] secret The secret to use. (Should be the exporter master secret.)
* \param[in] secret_len Length of secret.
* \param[in] label The label of the exported key.
* \param[in] label_len The length of label.
* \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes.
* \param[in] out_len Length of the key to generate.
*/
int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
const unsigned char *secret, const size_t secret_len,
const unsigned char *label, const size_t label_len,
const unsigned char *context_value, const size_t context_len,
uint8_t *out, const size_t out_len);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */

32
library/ssl_tls13_server.c
View File

@ -91,7 +91,7 @@ static void ssl_tls13_select_ciphersuite(
return;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
MBEDTLS_SSL_DEBUG_MSG(1, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
(unsigned) psk_ciphersuite_id,
(unsigned long) psk_hash_alg));
}
@ -435,9 +435,7 @@ static int ssl_tls13_offered_psks_check_binder_match(
psk, psk_len, psk_type,
transcript,
server_computed_binder);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_free((void *) psk);
#endif
if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
@ -739,11 +737,7 @@ static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
*olen = 0;
int not_using_psk = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
#else
not_using_psk = (ssl->handshake->psk == NULL);
#endif
if (not_using_psk) {
/* We shouldn't have called this extension writer unless we've
* chosen to use a PSK. */
@ -1078,7 +1072,6 @@ static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ss
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
{
switch (sig_alg) {
@ -1104,7 +1097,6 @@ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
return PSA_ALG_NONE;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Pick best ( private key, certificate chain ) pair based on the signature
@ -1139,9 +1131,7 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
for (key_cert = key_cert_list; key_cert != NULL;
key_cert = key_cert->next) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_alg = PSA_ALG_NONE;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
key_cert->cert);
@ -1165,17 +1155,13 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
"check signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str(*sig_alg),
*sig_alg));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, &key_cert->cert->pk)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
&& psa_alg != PSA_ALG_NONE &&
mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
PSA_KEY_USAGE_SIGN_HASH) == 1
#endif /* MBEDTLS_USE_PSA_CRYPTO */
) {
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_MSG(3,
@ -1379,6 +1365,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
if (ret == 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("no supported_versions extension"));
return SSL_CLIENT_HELLO_TLS1_2;
}
@ -1400,6 +1387,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
* the TLS version to negotiate.
*/
if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
MBEDTLS_SSL_DEBUG_MSG(2, ("supported_versions without 1.3"));
return SSL_CLIENT_HELLO_TLS1_2;
}
}
@ -1978,6 +1966,7 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
}
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
MBEDTLS_SSL_DEBUG_MSG(1, ("non-1.3 ClientHello left for later processing"));
return 0;
}
@ -2007,9 +1996,9 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
unsigned char *server_randbytes =
ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
if ((ret = psa_generate_random(server_randbytes,
MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_random", ret);
return ret;
}
@ -3183,9 +3172,8 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
#endif
/* Generate ticket_age_add */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
(unsigned char *) &session->ticket_age_add,
sizeof(session->ticket_age_add)) != 0)) {
if ((ret = psa_generate_random((unsigned char *) &session->ticket_age_add,
sizeof(session->ticket_age_add)) != 0)) {
MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
return ret;
}
@ -3193,7 +3181,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
(unsigned int) session->ticket_age_add));
/* Generate ticket_nonce */
ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
ret = psa_generate_random(ticket_nonce, ticket_nonce_size);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
return ret;

5
library/x509_crl.c
View File

@ -582,11 +582,6 @@ int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/*
* Return an informational string about the certificate.
*/
#define BEFORE_COLON 14
#define BC "14"
/*
* Return an informational string about the CRL.
*/

42
library/x509_crt.c
View File

@ -32,11 +32,9 @@
#include "mbedtls/pem.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "pk_internal.h"
#include "mbedtls/platform.h"
@ -1745,15 +1743,15 @@ static int x509_info_cert_policies(char **buf, size_t *size,
/*
* Return an informational string about the certificate.
*/
#define BEFORE_COLON 18
#define BC "18"
#define MBEDTLS_BEFORE_COLON 18
#define MBEDTLS_BEFORE_COLON_STR "18"
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
const mbedtls_x509_crt *crt)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
char *p;
char key_size_str[BEFORE_COLON];
char key_size_str[MBEDTLS_BEFORE_COLON];
p = buf;
n = size;
@ -1807,13 +1805,13 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
MBEDTLS_X509_SAFE_SNPRINTF;
/* Key size */
if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
mbedtls_pk_get_name(&crt->pk))) != 0) {
return ret;
}
ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
(int) mbedtls_pk_get_bitlen(&crt->pk));
ret = mbedtls_snprintf(p, n, "\n%s%-" MBEDTLS_BEFORE_COLON_STR "s: %d bits",
prefix, key_size_str, (int) mbedtls_pk_get_bitlen(&crt->pk));
MBEDTLS_X509_SAFE_SNPRINTF;
/*
@ -2013,11 +2011,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
{
int flags = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_algorithm;
#else
const mbedtls_md_info_t *md_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t hash_length;
if (ca == NULL) {
@ -2051,7 +2045,6 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
flags |= MBEDTLS_X509_BADCRL_BAD_PK;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm = mbedtls_md_psa_alg_from_type(crl_list->sig_md);
if (psa_hash_compute(psa_algorithm,
crl_list->tbs.p,
@ -2063,18 +2056,6 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
break;
}
#else
md_info = mbedtls_md_info_from_type(crl_list->sig_md);
hash_length = mbedtls_md_get_size(md_info);
if (mbedtls_md(md_info,
crl_list->tbs.p,
crl_list->tbs.len,
hash) != 0) {
/* Note: this can't happen except after an internal error */
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
break;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (x509_profile_check_key(profile, &ca->pk) != 0) {
flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
@ -2126,16 +2107,6 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
{
size_t hash_len;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type(child->sig_md);
hash_len = mbedtls_md_get_size(md_info);
/* Note: hash errors can happen only after an internal error */
if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
return -1;
}
#else
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@ -2149,7 +2120,6 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Skip expensive computation on obvious mismatch */
if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) {
return -1;

12
library/x509_csr.c
View File

@ -519,8 +519,8 @@ int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path)
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
#define BEFORE_COLON 14
#define BC "14"
#define MBEDTLS_BEFORE_COLON 14
#define MBEDTLS_BEFORE_COLON_STR "14"
/*
* Return an informational string about the CSR.
*/
@ -530,7 +530,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
char *p;
char key_size_str[BEFORE_COLON];
char key_size_str[MBEDTLS_BEFORE_COLON];
p = buf;
n = size;
@ -551,13 +551,13 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
csr->sig_opts);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
mbedtls_pk_get_name(&csr->pk))) != 0) {
return ret;
}
ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
(int) mbedtls_pk_get_bitlen(&csr->pk));
ret = mbedtls_snprintf(p, n, "\n%s%-" MBEDTLS_BEFORE_COLON_STR "s: %d bits\n",
prefix, key_size_str, (int) mbedtls_pk_get_bitlen(&csr->pk));
MBEDTLS_X509_SAFE_SNPRINTF;
/*

2
library/x509write.c
View File

@ -22,11 +22,9 @@
#include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#define CHECK_OVERFLOW_ADD(a, b) \
do \

60
library/x509write_crt.c
View File

@ -30,11 +30,9 @@
#include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
{
@ -92,30 +90,6 @@ int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx,
return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name);
}
#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
const mbedtls_mpi *serial)
{
int ret;
size_t tmp_len;
/* Ensure that the MPI value fits into the buffer */
tmp_len = mbedtls_mpi_size(serial);
if (tmp_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
}
ctx->serial_len = tmp_len;
ret = mbedtls_mpi_write_binary(serial, ctx->serial, tmp_len);
if (ret < 0) {
return ret;
}
return 0;
}
#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
unsigned char *serial, size_t serial_len)
{
@ -203,10 +177,8 @@ static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
unsigned char *c = buf + sizeof(buf);
size_t len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t hash_length;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memset(buf, 0, sizeof(buf));
MBEDTLS_ASN1_CHK_ADD(len,
@ -217,7 +189,6 @@ static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
ctx->subject_key));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_compute(PSA_ALG_SHA_1,
buf + sizeof(buf) - len,
len,
@ -227,14 +198,6 @@ static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#else
ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
buf + sizeof(buf) - len, len,
buf + sizeof(buf) - 20);
if (ret != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
c = buf + sizeof(buf) - 20;
len = 20;
@ -416,9 +379,7 @@ static int x509_write_time(unsigned char **p, unsigned char *start,
}
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
unsigned char *buf, size_t size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const char *sig_oid;
@ -427,10 +388,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
size_t hash_length = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t psa_algorithm;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
@ -596,7 +555,6 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
*/
/* Compute hash of CRT. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm = mbedtls_md_psa_alg_from_type(ctx->md_alg);
status = psa_hash_compute(psa_algorithm,
@ -608,17 +566,10 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#else
if ((ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c,
len, hash)) != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg,
hash, hash_length, sig, sizeof(sig), &sig_len,
f_rng, p_rng)) != 0) {
hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) {
return ret;
}
@ -660,15 +611,12 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
#if defined(MBEDTLS_PEM_WRITE_C)
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *crt,
unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
unsigned char *buf, size_t size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen;
if ((ret = mbedtls_x509write_crt_der(crt, buf, size,
f_rng, p_rng)) < 0) {
if ((ret = mbedtls_x509write_crt_der(crt, buf, size)) < 0) {
return ret;
}

32
library/x509write_csr.c
View File

@ -20,11 +20,9 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
#include <stdlib.h>
@ -133,9 +131,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
unsigned char *buf,
size_t size,
unsigned char *sig, size_t sig_size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
unsigned char *sig, size_t sig_size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const char *sig_oid;
@ -145,10 +141,8 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Write the CSR backwards starting from the end of buf */
c = buf + size;
@ -213,7 +207,6 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
* Sign the written CSR data into the sig buffer
* Note: hash errors can happen only after an internal error
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (psa_hash_compute(hash_alg,
c,
len,
@ -222,15 +215,8 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
&hash_len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c, len, hash);
if (ret != 0) {
return ret;
}
#endif
if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0,
sig, sig_size, &sig_len,
f_rng, p_rng)) != 0) {
sig, sig_size, &sig_len)) != 0) {
return ret;
}
@ -285,9 +271,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
}
int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
size_t size)
{
int ret;
unsigned char *sig;
@ -297,8 +281,7 @@ int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
}
ret = x509write_csr_der_internal(ctx, buf, size,
sig, MBEDTLS_PK_SIGNATURE_MAX_SIZE,
f_rng, p_rng);
sig, MBEDTLS_PK_SIGNATURE_MAX_SIZE);
mbedtls_free(sig);
@ -309,15 +292,12 @@ int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
#if defined(MBEDTLS_PEM_WRITE_C)
int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen = 0;
if ((ret = mbedtls_x509write_csr_der(ctx, buf, size,
f_rng, p_rng)) < 0) {
if ((ret = mbedtls_x509write_csr_der(ctx, buf, size)) < 0) {
return ret;
}