lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge remote-tracking branch 'development' into HEAD

Browse Source
This commit is contained in:
Gilles Peskine
2025-05-07 14:41:13 +02:00
parent 47c8579ed0 2439c4c14a
commit 1876efc157
753 changed files with 5856 additions and 286571 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@ -7,6 +7,12 @@ assignees: ''
---
**WARNING:** if the bug you are reporting has or may have security implications,
we ask that you report it privately to
<mbed-tls-security@lists.trustedfirmware.org>
so that we can prepare and release a fix before publishing the details.
See [SECURITY.md](https://github.com/Mbed-TLS/mbedtls/blob/development/SECURITY.md).
### Summary
@ -25,6 +31,10 @@ Additional environment information:
### Actual behavior
**WARNING:* if the actual behaviour suggests memory corruption (like a crash or an error
from a memory checker), then the bug should be assumed to have security
implications (until proven otherwise), and we ask what you report it privately,
see the note at the top of this template.
### Steps to reproduce

2
.github/pull_request_template.md vendored
View File

@ -11,9 +11,9 @@ If the provided content is part of the present PR remove the # symbol.
- [ ] **changelog** provided | not required because:
- [ ] **development PR** provided # | not required because:
- [ ] **TF-PSA-Crypto PR** provided # | not required because:
- [ ] **framework PR** provided Mbed-TLS/mbedtls-framework# | not required
- [ ] **3.6 PR** provided # | not required because:
- [ ] **2.28 PR** provided # | not required because:
- **tests** provided | not required because:

2
.gitignore vendored
View File

@ -1,7 +1,5 @@
# Random seed file created by test scripts and sample programs
seedfile
# MBEDTLS_PSA_INJECT_ENTROPY seed file created by the test framework
00000000ffffff52.psa_its
# Log files created by all.sh to reduce the logs in case a component runs
# successfully
quiet-make.*

3
.gitmodules vendored
View File

@ -1,3 +1,6 @@
[submodule "framework"]
path = framework
url = https://github.com/Mbed-TLS/mbedtls-framework
[submodule "tf-psa-crypto"]
path = tf-psa-crypto
url = https://github.com/Mbed-TLS/TF-PSA-Crypto.git

11
.pylintrc
View File

@ -70,6 +70,17 @@ disable=locally-disabled,locally-enabled,logging-format-interpolation,no-else-re
# Don't diplay statistics. Just the facts.
reports=no
[STRING]
# Complain about
# ```
# list_of_strings = [
# 'foo' # <-- missing comma
# 'bar',
# 'corge',
# ]
# ```
check-str-concat-over-line-jumps=yes
[VARIABLES]
# Allow unused variables if their name starts with an underscore.
# [unused-argument]

8
.readthedocs.yaml
View File

@ -5,10 +5,10 @@
# Required
version: 2
# Include the framework submodule in the build
# Include all submodules in the build
submodules:
include:
- framework
include: all
recursive: true
# Set the version of Python and other tools you might need
build:
@ -17,7 +17,7 @@ build:
python: "3.9"
jobs:
pre_build:
- ./scripts/apidoc_full.sh
- ./framework/scripts/apidoc_full.sh
- breathe-apidoc -o docs/api apidoc/xml
post_build:
- |

4
BRANCHES.md
View File

@ -11,7 +11,6 @@ At any point in time, we have a number of maintained branches, currently consist
as well as all the new features and bug fixes and security fixes.
- One or more long-time support (LTS) branches: these only get bug fixes and
security fixes. Currently, the supported LTS branches are:
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28).
- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6).
We retain a number of historical branches, whose names are prefixed by `archive/`,
@ -108,8 +107,5 @@ The following branches are currently maintained:
- [`mbedtls-3.6`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-3.6)
maintained until March 2027, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0>.
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.8>.
Users are urged to always use the latest version of a maintained branch.

18
CMakeLists.txt
View File

@ -351,7 +351,7 @@ if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
endif()
if (NOT EXISTS "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt")
if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.git/")
if (EXISTS "${MBEDTLS_DIR}/.git")
message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.")
else ()
message(FATAL_ERROR "${MBEDTLS_FRAMEWORK_DIR}/CMakeLists.txt not found (and does not appear to be a git checkout). Please ensure you have downloaded the right archive from the release page on GitHub.")
@ -420,20 +420,22 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
if(GEN_FILES)
add_custom_command(
OUTPUT
${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h
${CMAKE_CURRENT_BINARY_DIR}/tests/include/test/test_keys.h
COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/tests/include/test
COMMAND
"${MBEDTLS_PYTHON_EXECUTABLE}"
"${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py"
"--output"
"${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h"
"${CMAKE_CURRENT_BINARY_DIR}/tests/include/test/test_keys.h"
DEPENDS
${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py
)
add_custom_target(mbedtls_test_keys_header
DEPENDS ${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h)
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/tests/include/test/test_keys.h)
add_dependencies(mbedtls_test mbedtls_test_keys_header)
endif()
target_include_directories(mbedtls_test
PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/tests/include
PRIVATE ${MBEDTLS_FRAMEWORK_DIR}/tests/include
PRIVATE tests/include
PRIVATE include
@ -454,20 +456,22 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
if(GEN_FILES)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h
${CMAKE_CURRENT_BINARY_DIR}/tests/include/test/test_certs.h
COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/tests/include/test
COMMAND
"${MBEDTLS_PYTHON_EXECUTABLE}"
"${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py"
"--output"
"${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h"
"${CMAKE_CURRENT_BINARY_DIR}/tests/include/test/test_certs.h"
DEPENDS
${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py
)
add_custom_target(mbedtls_test_certs_header
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h)
DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/tests/include/test/test_certs.h)
add_dependencies(mbedtls_test_helpers mbedtls_test_certs_header)
endif()
target_include_directories(mbedtls_test_helpers
PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/tests/include
PRIVATE ${MBEDTLS_FRAMEWORK_DIR}/tests/include
PRIVATE tests/include
PRIVATE include

4
ChangeLog.d/00README.md
View File

@ -86,6 +86,6 @@ See [existing entries](../ChangeLog) for examples.
## How `ChangeLog` is updated
Run [`../scripts/assemble_changelog.py`](../scripts/assemble_changelog.py)
from a Git working copy
Run [`../framework/scripts/assemble_changelog.py`]
(../framework/scripts/assemble_changelog.py) from a Git working copy
to move the entries from files in `ChangeLog.d` to the main `ChangeLog` file.

2
ChangeLog.d/9684.txt Normal file
View File

@ -0,0 +1,2 @@
Removals
* Remove support for the DHE-PSK key exchange in TLS 1.2.

2
ChangeLog.d/9685.txt Normal file
View File

@ -0,0 +1,2 @@
Removals
* Remove support for the DHE-RSA key exchange in TLS 1.2.

5
ChangeLog.d/9874.txt Normal file
View File

@ -0,0 +1,5 @@
API changes
* Align the mbedtls_ssl_ticket_setup() function with the PSA Crypto API.
Instead of taking a mbedtls_cipher_type_t as an argument, this function
now takes 3 new arguments: a PSA algorithm, key type and key size, to
specify the AEAD for ticket protection.

4
ChangeLog.d/9892.txt Normal file
View File

@ -0,0 +1,4 @@
Removals
* Remove deprecated mbedtls_x509write_crt_set_serial(). The function was
already deprecated and superseeded by
mbedtls_x509write_crt_set_serial_raw().

6
ChangeLog.d/9956.txt Normal file
View File

@ -0,0 +1,6 @@
Removals
* Following the removal of DHM module (#9972 and TF-PSA-Crypto#175) the
following SSL functions are removed:
- mbedtls_ssl_conf_dh_param_bin
- mbedtls_ssl_conf_dh_param_ctx
- mbedtls_ssl_conf_dhm_min_bitlen

25
ChangeLog.d/9964.txt Normal file
View File

@ -0,0 +1,25 @@
Removals
* Removal of the following sample programs:
pkey/rsa_genkey.c
pkey/pk_decrypt.c
pkey/dh_genprime.c
pkey/rsa_verify.c
pkey/mpi_demo.c
pkey/rsa_decrypt.c
pkey/key_app.c
pkey/dh_server.c
pkey/ecdh_curve25519.c
pkey/pk_encrypt.c
pkey/rsa_sign.c
pkey/key_app_writer.c
pkey/dh_client.c
pkey/ecdsa.c
pkey/rsa_encrypt.c
wince_main.c
aes/crypt_and_hash.c
random/gen_random_ctr_drbg.c
random/gen_entropy.c
hash/md_hmac_demo.c
hash/hello.c
hash/generic_sum.c
cipher/cipher_aead_demo.c

6
ChangeLog.d/add-tls-exporter.txt Normal file
View File

@ -0,0 +1,6 @@
Features
* Add the function mbedtls_ssl_export_keying_material() which allows the
client and server to extract additional shared symmetric keys from an SSL
session, according to the TLS-Exporter specification in RFC 8446 and 5705.
This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in
mbedtls_config.h.

11
ChangeLog.d/error-unification.txt Normal file
View File

@ -0,0 +1,11 @@
API changes
* The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx()
functions can now return PSA_ERROR_xxx values.
There is no longer a distinction between "low-level" and "high-level"
Mbed TLS error codes.
This will not affect most applications since the error values are
between -32767 and -1 as before.
Removals
* Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr(),
since these concepts no longer exists. There is just mbedtls_strerror().

5
ChangeLog.d/fix-msvc-version-guard-format-zu.txt Normal file
View File

@ -0,0 +1,5 @@
Bugfix
* Fix definition of MBEDTLS_PRINTF_SIZET to prevent runtime crashes that
occurred whenever SSL debugging was enabled on a copy of Mbed TLS built
with Visual Studio 2013 or MinGW.
Fixes #10017.

16
ChangeLog.d/mbedtls_ssl_set_hostname.txt Normal file
View File

@ -0,0 +1,16 @@
Default behavior changes
* In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure.
Security
* Note that TLS clients should generally call mbedtls_ssl_set_hostname()
if they use certificate authentication (i.e. not pre-shared keys).
Otherwise, in many scenarios, the server could be impersonated.
The library will now prevent the handshake and return
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if mbedtls_ssl_set_hostname() has not been called.
Reported by Daniel Stenberg.

7
ChangeLog.d/psa-always-on.txt
View File

@ -1,9 +1,10 @@
Default behavior changes
* The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem
to perform cryptographic operations, with a few exceptions documented
in docs/use-psa-crypto.md. This corresponds to the behavior of
Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. In effect,
MBEDTLS_USE_PSA_CRYPTO is now always enabled.
in docs/architecture/psa-migration/psa-limitations.md. This
corresponds to the behavior of Mbed TLS 3.x when
MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, MBEDTLS_USE_PSA_CRYPTO
is now always enabled.
* psa_crypto_init() must be called before performing any cryptographic
operation, including indirect requests such as parsing a key or
certificate or starting a TLS handshake.

5
ChangeLog.d/removal-of-rng.txt Normal file
View File

@ -0,0 +1,5 @@
API changes
* All API functions now use the PSA random generator psa_get_random()
internally. As a consequence, functions no longer take RNG parameters.
Please refer to the migration guide at :
tf-psa-crypto/docs/4.0-migration-guide.md.

2
ChangeLog.d/remove_RSA_key_exchange.txt Normal file
View File

@ -0,0 +1,2 @@
Removals
* Remove support for the RSA key exchange in TLS 1.2.

5
ChangeLog.d/repo-split.txt Normal file
View File

@ -0,0 +1,5 @@
Changes
* Move the crypto part of the library (content of tf-psa-crypto directory)
from the Mbed TLS to the TF-PSA-Crypto repository. The crypto code and
tests development will now occur in TF-PSA-Crypto, which Mbed TLS
references as a Git submodule.

4
ChangeLog.d/rm-ssl-conf-curves.txt Normal file
View File

@ -0,0 +1,4 @@
Removals
* Remove the function mbedtls_ssl_conf_curves() which had been deprecated
in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1.

7
ChangeLog.d/tls-hs-defrag-in.txt Normal file
View File

@ -0,0 +1,7 @@
Bugfix
* Support re-assembly of fragmented handshake messages in TLS (both
1.2 and 1.3). The lack of support was causing handshake failures with
some servers, especially with TLS 1.3 in practice. There are a few
limitations, notably a fragmented ClientHello is only supported when
TLS 1.3 support is enabled. See the documentation of
mbedtls_ssl_handshake() for details.

6
ChangeLog.d/tls12-check-finished-calc.txt Normal file
View File

@ -0,0 +1,6 @@
Security
* Fix a vulnerability in the TLS 1.2 handshake. If memory allocation failed
or there was a cryptographic hardware failure when calculating the
Finished message, it could be calculated incorrectly. This would break
the security guarantees of the TLS handshake.
CVE-2025-27810

11
Makefile
View File

@ -6,7 +6,7 @@ ifneq (,$(filter-out lib library/%,$(or $(MAKECMDGOALS),all)))
ifeq (,$(wildcard framework/exported.make))
# Use the define keyword to get a multi-line message.
# GNU make appends ". Stop.", so tweak the ending of our message accordingly.
ifeq (,$(wildcard .git))
ifneq (,$(wildcard .git))
define error_message
${MBEDTLS_PATH}/framework/exported.make not found (and does appear to be a git checkout). Run `git submodule update --init` from the source tree to fetch the submodule contents.
This is a fatal error
@ -49,11 +49,14 @@ tests: mbedtls_test
mbedtls_test:
$(MAKE) -C tests mbedtls_test
library/%:
.PHONY: FORCE
FORCE:
library/%: FORCE
$(MAKE) -C library $*
programs/%:
programs/%: FORCE
$(MAKE) -C programs $*
tests/%:
tests/%: FORCE
$(MAKE) -C tests $*
.PHONY: generated_files

6
README.md
View File

@ -79,7 +79,7 @@ Any of the following methods are available to generate the configuration-indepen
* If not cross-compiling, running `make` with any target, or just `make`, will automatically generate required files.
* On non-Windows systems, when not cross-compiling, CMake will generate the required files automatically.
* Run `make generated_files` to generate all the configuration-independent files.
* On Unix/POSIX systems, run `tests/scripts/check-generated-files.sh -u` to generate all the configuration-independent files.
* On Unix/POSIX systems, run `framework/scripts/make_generated_files.py` to generate all the configuration-independent files.
* On Windows, run `scripts\make_generated_files.bat` to generate all the configuration-independent files.
### Make
@ -295,13 +295,11 @@ Arm welcomes feedback on the design of the API. If you think something could be
Mbed TLS includes a reference implementation of the PSA Cryptography API.
However, it does not aim to implement the whole specification; in particular it does not implement all the algorithms.
The X.509 and TLS code can use PSA cryptography for most operations. To enable this support, activate the compilation option `MBEDTLS_USE_PSA_CRYPTO` in `mbedtls_config.h`. Note that TLS 1.3 uses PSA cryptography for most operations regardless of this option. See `docs/use-psa-crypto.md` for details.
### PSA drivers
Mbed TLS supports drivers for cryptographic accelerators, secure elements and random generators. This is work in progress. Please note that the driver interfaces are not fully stable yet and may change without notice. We intend to preserve backward compatibility for application code (using the PSA Crypto API), but the code of the drivers may have to change in future minor releases of Mbed TLS.
Please see the [PSA driver example and guide](docs/psa-driver-example-and-guide.md) for information on writing a driver.
Please see the [PSA driver example and guide](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/docs/psa-driver-example-and-guide.md) for information on writing a driver.
License
-------

19
SECURITY.md
View File

@ -144,3 +144,22 @@ Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
configuration option is defined. This option is off by default.
#### Formatting of X.509 certificates and certificate signing requests
When parsing X.509 certificates and certificate signing requests (CSRs),
Mbed TLS does not check that they are strictly compliant with X.509 and other
relevant standards. In the case of signed certificates, the signing party is
assumed to have performed this validation (and the certificate is trusted to
be correctly formatted as long as the signature is correct).
Similarly, CSRs are implicitly trusted by Mbed TLS to be standards-compliant.
**Warning!** Mbed TLS must not be used to sign untrusted CSRs unless extra
validation is performed separately to ensure that they are compliant to the
relevant specifications. This makes Mbed TLS on its own unsuitable for use in
a Certificate Authority (CA).
However, Mbed TLS aims to protect against memory corruption and other
undefined behavior when parsing certificates and CSRs. If a CSR or signed
certificate causes undefined behavior when it is parsed by Mbed TLS, that
is considered a security vulnerability.

28
configs/crypto-config-ccm-aes-sha256.h
View File

@ -1,28 +0,0 @@
/**
* \file configs/crypto-config-ccm-aes-sha256.h
*
* \brief PSA crypto configuration with only symmetric cryptography: CCM-AES,
* SHA-256 and key derivation (uses HMAC).
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H
#define PSA_WANT_ALG_CCM 1
#define PSA_WANT_ALG_SHA_256 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_KEY_TYPE_DERIVE 1
#define PSA_WANT_KEY_TYPE_AES 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#endif /* PSA_CRYPTO_CONFIG_H */

1
configs/crypto-config-ccm-psk-tls1_2.h
View File

@ -31,6 +31,7 @@
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PLATFORM_C
/* Save RAM at the expense of ROM */
#define MBEDTLS_AES_ROM_TABLES

3
configs/crypto-config-suite-b.h
View File

@ -1,5 +1,5 @@
/**
* \file crypto-config-symmetric-only.h
* \file crypto-config-suite-b.h
*
* \brief \brief Minimal crypto configuration for
* TLS NSA Suite B Profile (RFC 6460).
@ -49,6 +49,7 @@
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PLATFORM_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C

91
configs/crypto-config-symmetric-only.h
View File

@ -1,91 +0,0 @@
/**
* \file crypto-config-symmetric-only.h
*
* \brief Crypto configuration without any asymmetric cryptography.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/**
* To be used in conjunction with configs/config-symmetric-only.h. */
#ifndef PSA_CRYPTO_CONFIG_H
#define PSA_CRYPTO_CONFIG_H
#define PSA_WANT_ALG_CBC_NO_PADDING 1
#define PSA_WANT_ALG_CBC_PKCS7 1
#define PSA_WANT_ALG_CCM 1
#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
#define PSA_WANT_ALG_CFB 1
#define PSA_WANT_ALG_CHACHA20_POLY1305 1
#define PSA_WANT_ALG_CMAC 1
#define PSA_WANT_ALG_CTR 1
#define PSA_WANT_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_GCM 1
#define PSA_WANT_ALG_HKDF 1
#define PSA_WANT_ALG_HKDF_EXTRACT 1
#define PSA_WANT_ALG_HKDF_EXPAND 1
#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_MD5 1
#define PSA_WANT_ALG_OFB 1
#define PSA_WANT_ALG_RIPEMD160 1
#define PSA_WANT_ALG_SHA_1 1
#define PSA_WANT_ALG_STREAM_CIPHER 1
#define PSA_WANT_ALG_SHA_224 1
#define PSA_WANT_ALG_SHA_256 1
#define PSA_WANT_ALG_SHA_384 1
#define PSA_WANT_ALG_SHA_512 1
#define PSA_WANT_ALG_SHA3_224 1
#define PSA_WANT_ALG_SHA3_256 1
#define PSA_WANT_ALG_SHA3_384 1
#define PSA_WANT_ALG_SHA3_512 1
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
/* XTS is not yet supported via the PSA API in Mbed TLS. */
//#define PSA_WANT_ALG_XTS 1
#define PSA_WANT_KEY_TYPE_AES 1
#define PSA_WANT_KEY_TYPE_ARIA 1
#define PSA_WANT_KEY_TYPE_CAMELLIA 1
#define PSA_WANT_KEY_TYPE_CHACHA20 1
#define PSA_WANT_KEY_TYPE_DES 1
#define PSA_WANT_KEY_TYPE_HMAC 1
#define MBEDTLS_SELF_TEST
#define MBEDTLS_PSA_CRYPTO_C
/* System support */
//#define MBEDTLS_HAVE_ASM
#define MBEDTLS_HAVE_TIME
#define MBEDTLS_HAVE_TIME_DATE
#define MBEDTLS_FS_IO
#define MBEDTLS_ENTROPY_NV_SEED
/* Mbed TLS modules */
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_ERROR_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_NIST_KW_C
#define MBEDTLS_OID_C
#define MBEDTLS_PEM_PARSE_C
#define MBEDTLS_PEM_WRITE_C
#define MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS12_C
#define MBEDTLS_PLATFORM_C
#define MBEDTLS_PSA_CRYPTO_SE_C
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
#define MBEDTLS_PSA_ITS_FILE_C
//#define MBEDTLS_THREADING_C
#endif /* PSA_CRYPTO_CONFIG_H */

1
configs/crypto-config-thread.h
View File

@ -56,6 +56,7 @@
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PLATFORM_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD_C
#define MBEDTLS_OID_C

16
configs/ext/README.md
View File

@ -1,26 +1,22 @@
Summary
-------
The two files:
The file:
* crypto_config_profile_medium.h
* tfm_mbedcrypto_config_profile_medium.h
are copyright The Mbed TLS Contributors, and are distributed under the license normally
is copyright The Mbed TLS Contributors, and is distributed under the license normally
used by Mbed TLS: a dual Apache 2.0 or GPLv2-or-later license.
Background
----------
The two files crypto_config_profile_medium.h and tfm_mbedcrypto_config_profile_medium.h
are taken verbatim from the TF-M source code here:
The file tfm_mbedcrypto_config_profile_medium.h was derived from the file tfm_mbedcrypto_config_profile_medium.h taken from the TF-M source code here:
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/mbedcrypto/mbedcrypto_config
In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top of the files.
It was derived according to the Mbed TLS configuration file split that occurred as part of the Mbed TLS repository split, see https://github.com/Mbed-TLS/mbedtls/blob/development/docs/proposed/config-split.md.
In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors.
In TF-M, the original file is distributed under a 3-Clause BSD license, as noted at the top of the file.
We only retain the note at the top of the files because the intent is to take these files verbatim,
for ease of maintenance. Currently however, they contain changes, showing how these configurations
will need to be adapted for 4.0.
In Mbed TLS, with permission from the TF-M project, tfm_mbedcrypto_config_profile_medium.h is distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors.

705
configs/ext/crypto_config_profile_medium.h
View File

@ -1,705 +0,0 @@
/*
* Copyright (c) 2018-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
/**
* \file psa/crypto_config.h
* \brief PSA crypto configuration options (set of defines)
*
*/
#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H
#define PROFILE_M_PSA_CRYPTO_CONFIG_H
/**
* \name SECTION: Platform abstraction layer
*
* This section sets platform specific settings.
* \{
*/
/**
* \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
*
* Enable the buffer allocator implementation that makes use of a (stack)
* based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
* calls)
*
* Module: library/memory_buffer_alloc.c
*
* Requires: MBEDTLS_PLATFORM_C
* MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS)
*
* Enable this module to enable the buffer memory allocator.
*/
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
/**
* \def MBEDTLS_PLATFORM_C
*
* Enable the platform abstraction layer that allows you to re-assign
* functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
*
* Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
* or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
* above to be specified at runtime or compile time respectively.
*
* \note This abstraction layer must be enabled on Windows (including MSYS2)
* as other modules rely on it for a fixed snprintf implementation.
*
* Module: library/platform.c
* Caller: Most other .c files
*
* This module enables abstraction of common (libc) functions.
*/
#define MBEDTLS_PLATFORM_C
/**
* \def MBEDTLS_PLATFORM_MEMORY
*
* Enable the memory allocation layer.
*
* By default Mbed TLS uses the system-provided calloc() and free().
* This allows different allocators (self-implemented or provided) to be
* provided to the platform abstraction layer.
*
* Enabling #MBEDTLS_PLATFORM_MEMORY without the
* MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
* "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
* free() function pointer at runtime.
*
* Enabling #MBEDTLS_PLATFORM_MEMORY and specifying
* MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
* alternate function at compile time.
*
* An overview of how the value of mbedtls_calloc is determined:
*
* - if !MBEDTLS_PLATFORM_MEMORY
* - mbedtls_calloc = calloc
* - if MBEDTLS_PLATFORM_MEMORY
* - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
* - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO
* - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO):
* - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC.
* - How is MBEDTLS_PLATFORM_STD_CALLOC handled?
* - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
* - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything;
* - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present;
* - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS:
* - if MBEDTLS_PLATFORM_STD_CALLOC is present:
* - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected;
* - if !MBEDTLS_PLATFORM_STD_CALLOC:
* - MBEDTLS_PLATFORM_STD_CALLOC = calloc
*
* - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked.
* - if !MBEDTLS_PLATFORM_STD_CALLOC
* - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc
*
* - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC.
*
* Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible.
* MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time.
* #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used,
* dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases.
* An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer.
* An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything.
*
* Requires: MBEDTLS_PLATFORM_C
*
* Enable this layer to allow use of alternative memory allocators.
*/
#define MBEDTLS_PLATFORM_MEMORY
/**
* \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
*
* Do not assign standard functions in the platform layer (e.g. calloc() to
* MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
*
* This makes sure there are no linking errors on platforms that do not support
* these functions. You will HAVE to provide alternatives, either at runtime
* via the platform_set_xxx() functions or at compile time by setting
* the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
* MBEDTLS_PLATFORM_XXX_MACRO.
*
* Requires: MBEDTLS_PLATFORM_C
*
* Uncomment to prevent default assignment of standard functions in the
* platform layer.
*/
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
#define MBEDTLS_PLATFORM_PRINTF_ALT
/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */
/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
#include <stdio.h>
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
/** \} name SECTION: Platform abstraction layer */
/**
* \name SECTION: SECTION Cryptographic mechanism selection (PSA API)
*
* This section sets PSA API settings.
* \{
*/
/*
* CBC-MAC is not yet supported via the PSA API in Mbed TLS.
*/
//#define PSA_WANT_ALG_CBC_MAC 1
//#define PSA_WANT_ALG_CBC_NO_PADDING 1
//#define PSA_WANT_ALG_CBC_PKCS7 1
#define PSA_WANT_ALG_CCM 1
//#define PSA_WANT_ALG_CMAC 1
//#define PSA_WANT_ALG_CFB 1
//#define PSA_WANT_ALG_CHACHA20_POLY1305 1
//#define PSA_WANT_ALG_CTR 1
//#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
//#define PSA_WANT_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_ECDH 1
#define PSA_WANT_ALG_ECDSA 1
//#define PSA_WANT_ALG_GCM 1
#define PSA_WANT_ALG_HKDF 1
#define PSA_WANT_ALG_HMAC 1
//#define PSA_WANT_ALG_MD5 1
//#define PSA_WANT_ALG_OFB 1
/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
* Note: when adding support, also adjust include/mbedtls/config_psa.h */
//#define PSA_WANT_ALG_PBKDF2_HMAC 1
//#define PSA_WANT_ALG_RIPEMD160 1
//#define PSA_WANT_ALG_RSA_OAEP 1
//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
//#define PSA_WANT_ALG_RSA_PSS 1
//#define PSA_WANT_ALG_SHA_1 1
#define PSA_WANT_ALG_SHA_224 1
#define PSA_WANT_ALG_SHA_256 1
//#define PSA_WANT_ALG_SHA_384 1
//#define PSA_WANT_ALG_SHA_512 1
//#define PSA_WANT_ALG_STREAM_CIPHER 1
#define PSA_WANT_ALG_TLS12_PRF 1
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
* Note: when adding support, also adjust include/mbedtls/config_psa.h */
//#define PSA_WANT_ALG_XTS 1
//#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
//#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
//#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
//#define PSA_WANT_ECC_MONTGOMERY_255 1
//#define PSA_WANT_ECC_MONTGOMERY_448 1
//#define PSA_WANT_ECC_SECP_K1_192 1
/*
* SECP224K1 is buggy via the PSA API in Mbed TLS
* (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by
* default.
*/
//#define PSA_WANT_ECC_SECP_K1_224 1
//#define PSA_WANT_ECC_SECP_K1_256 1
//#define PSA_WANT_ECC_SECP_R1_192 1
//#define PSA_WANT_ECC_SECP_R1_224 1
#define PSA_WANT_ECC_SECP_R1_256 1
//#define PSA_WANT_ECC_SECP_R1_384 1
//#define PSA_WANT_ECC_SECP_R1_521 1
#define PSA_WANT_KEY_TYPE_DERIVE 1
#define PSA_WANT_KEY_TYPE_HMAC 1
#define PSA_WANT_KEY_TYPE_AES 1
//#define PSA_WANT_KEY_TYPE_ARIA 1
//#define PSA_WANT_KEY_TYPE_CAMELLIA 1
//#define PSA_WANT_KEY_TYPE_CHACHA20 1
//#define PSA_WANT_KEY_TYPE_DES 1
//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */
//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
/*
* The following symbols extend and deprecate the legacy
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in
* the name's suffix. "_USE" is the most generic and it can be used to describe
* a generic suport, whereas other ones add more features on top of that and
* they are more specific.
*/
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
/** \} name SECTION Cryptographic mechanism selection (PSA API) */
/**
* \name SECTION: PSA core
*
* This section sets PSA specific settings.
* \{
*/
/**
* \def MBEDTLS_ENTROPY_C
*
* Enable the platform-specific entropy code.
*
* Module: library/entropy.c
* Caller:
*
* Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
*
* This module provides a generic entropy pool
*/
#define MBEDTLS_ENTROPY_C
/**
* \def MBEDTLS_ENTROPY_NV_SEED
*
* Enable the non-volatile (NV) seed file-based entropy source.
* (Also enables the NV seed read/write functions in the platform layer)
*
* This is crucial (if not required) on systems that do not have a
* cryptographic entropy source (in hardware or kernel) available.
*
* Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
*
* \note The read/write functions that are used by the entropy source are
* determined in the platform layer, and can be modified at runtime and/or
* compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
*
* \note If you use the default implementation functions that read a seedfile
* with regular fopen(), please make sure you make a seedfile with the
* proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
* least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
* and written to or you will get an entropy source error! The default
* implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
* bytes from the file.
*
* \note The entropy collector will write to the seed file before entropy is
* given to an external source, to update it.
*/
#define MBEDTLS_ENTROPY_NV_SEED
/**
* \def MBEDTLS_NO_PLATFORM_ENTROPY
*
* Do not use built-in platform entropy functions.
* This is useful if your platform does not support
* standards like the /dev/urandom or Windows CryptoAPI.
*
* Uncomment this macro to disable the built-in platform entropy functions.
*/
#define MBEDTLS_NO_PLATFORM_ENTROPY
/**
* \def MBEDTLS_PSA_CRYPTO_C
*
* Enable the Platform Security Architecture cryptography API.
*
* Module: library/psa_crypto.c
*
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C,
* or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
* Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher
* is enabled in PSA (unless it's fully accelerated, see
* docs/driver-only-builds.md about that).
*/
#define MBEDTLS_PSA_CRYPTO_C
/**
* \def MBEDTLS_PSA_CRYPTO_SPM
*
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure
* Partition Manager) integration which separates the code into two parts: a
* NSPE (Non-Secure Process Environment) and an SPE (Secure Process
* Environment).
*
* If you enable this option, your build environment must include a header
* file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS
* header files, or in another directory on the compiler's include search
* path). Alternatively, your platform may customize the header
* `psa/crypto_platform.h`, in which case it can skip or replace the
* inclusion of `"crypto_spe.h"`.
*
* Module: library/psa_crypto.c
* Requires: MBEDTLS_PSA_CRYPTO_C
*
*/
#define MBEDTLS_PSA_CRYPTO_SPM
/**
* \def MBEDTLS_PSA_CRYPTO_STORAGE_C
*
* Enable the Platform Security Architecture persistent key storage.
*
* Module: library/psa_crypto_storage.c
*
* Requires: MBEDTLS_PSA_CRYPTO_C,
* either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
* the PSA ITS interface
*/
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
/** \} name SECTION: PSA core */
/**
* \name SECTION: Builtin drivers
*
* This section sets driver specific settings.
* \{
*/
/**
* \def MBEDTLS_AES_ROM_TABLES
*
* Use precomputed AES tables stored in ROM.
*
* Uncomment this macro to use precomputed AES tables stored in ROM.
* Comment this macro to generate AES tables in RAM at runtime.
*
* Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
* (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
* initialization time before the first AES operation can be performed.
* It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
* MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
* performance if ROM access is slower than RAM access.
*
* This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
*/
#define MBEDTLS_AES_ROM_TABLES
/**
* \def MBEDTLS_AES_FEWER_TABLES
*
* Use less ROM/RAM for AES tables.
*
* Uncommenting this macro omits 75% of the AES tables from
* ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
* by computing their values on the fly during operations
* (the tables are entry-wise rotations of one another).
*
* Tradeoff: Uncommenting this reduces the RAM / ROM footprint
* by ~6kb but at the cost of more arithmetic operations during
* runtime. Specifically, one has to compare 4 accesses within
* different tables to 4 accesses with additional arithmetic
* operations within the same table. The performance gain/loss
* depends on the system and memory details.
*
* This option is independent of \c MBEDTLS_AES_ROM_TABLES.
*/
#define MBEDTLS_AES_FEWER_TABLES
/**
* \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
*
* Use only 128-bit keys in AES operations to save ROM.
*
* Uncomment this macro to remove support for AES operations that use 192-
* or 256-bit keys.
*
* Uncommenting this macro reduces the size of AES code by ~300 bytes
* on v8-M/Thumb2.
*
* Module: library/aes.c
*
* Requires: MBEDTLS_AES_C
*/
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
/**
* \def MBEDTLS_ECP_NIST_OPTIM
*
* Enable specific 'modulo p' routines for each NIST prime.
* Depending on the prime and architecture, makes operations 4 to 8 times
* faster on the corresponding curve.
*
* Comment this macro to disable NIST curves optimisation.
*/
#define MBEDTLS_ECP_NIST_OPTIM
/**
* \def MBEDTLS_HAVE_ASM
*
* The compiler has support for asm().
*
* Requires support for asm() in compiler.
*
* Used in:
* library/aesni.h
* library/aria.c
* library/bn_mul.h
* library/constant_time.c
*
* Required by:
* MBEDTLS_AESCE_C
* MBEDTLS_AESNI_C (on some platforms)
*
* Comment to disable the use of assembly code.
*/
#define MBEDTLS_HAVE_ASM
/**
* Uncomment to enable p256-m. This is an alternative implementation of
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
* Compared to the default implementation:
*
* - p256-m has a much smaller code size and RAM footprint.
* - p256-m is only available via the PSA API. This includes the pk module.
* - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
* over the core arithmetic, or deterministic derivation of keys.
*
* We recommend enabling this option if your application uses the PSA API
* and the only elliptic curve support it needs is ECDH and ECDSA over
* SECP256R1.
*
* If you enable this option, you do not need to enable any ECC-related
* MBEDTLS_xxx option. You do need to separately request support for the
* cryptographic mechanisms through the PSA API:
* - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration;
* - #PSA_WANT_ECC_SECP_R1_256;
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
* - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
*
* \note To benefit from the smaller code size of p256-m, make sure that you
* do not enable any ECC-related option not supported by p256-m: this
* would cause the built-in ECC implementation to be built as well, in
* order to provide the required option.
* Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
* SECP256R1 are disabled as they are not supported by this driver.
* Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
* #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
* the built-in ECC implementation, see docs/driver-only-builds.md.
*/
#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
/**
* \def MBEDTLS_SHA256_SMALLER
*
* Enable an implementation of SHA-256 that has lower ROM footprint but also
* lower performance.
*
* The default implementation is meant to be a reasonable compromise between
* performance and size. This version optimizes more aggressively for size at
* the expense of performance. Eg on Cortex-M4 it reduces the size of
* mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
* 30%.
*
* Uncomment to enable the smaller implementation of SHA256.
*/
#define MBEDTLS_SHA256_SMALLER
/* ECP options */
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
/** \} name SECTION: Builtin drivers */
/**
* \name SECTION: Legacy cryptography
*
* This section sets legacy settings.
* \{
*/
/**
* \def MBEDTLS_AES_C
*
* Enable the AES block cipher.
*
* Module: library/aes.c
* Caller: library/cipher.c
* library/pem.c
* library/ctr_drbg.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
* MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
* MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
* MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
* MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
* MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
*
* PEM_PARSE uses AES for decrypting encrypted keys.
*/
#define MBEDTLS_AES_C
/**
* \def MBEDTLS_CIPHER_C
*
* Enable the generic cipher layer.
*
* Module: library/cipher.c
* Caller: library/ccm.c
* library/cmac.c
* library/gcm.c
* library/nist_kw.c
* library/pkcs12.c
* library/pkcs5.c
* library/psa_crypto_aead.c
* library/psa_crypto_mac.c
* library/ssl_ciphersuites.c
* library/ssl_msg.c
* Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled
* (see the documentation of that option for details).
*
* Uncomment to enable generic cipher wrappers.
*/
#define MBEDTLS_CIPHER_C
/**
* \def MBEDTLS_CTR_DRBG_C
*
* Enable the CTR_DRBG AES-based random generator.
* The CTR_DRBG generator uses AES-256 by default.
* To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
*
* AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
* Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
* is used.
*
* \warning When using PSA, the user should call `psa_crypto_init()` before
* using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`).
*
* \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set.
*
* \note To achieve a 256-bit security strength with CTR_DRBG,
* you must use AES-256 *and* use sufficient entropy.
* See ctr_drbg.h for more details.
*
* Module: library/ctr_drbg.c
* Caller:
*
* Requires: MBEDTLS_AES_C or
* (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and
* MBEDTLS_PSA_CRYPTO_C)
*
* This module provides the CTR_DRBG AES random number generator.
*/
#define MBEDTLS_CTR_DRBG_C
/** \} name SECTION: Legacy cryptography */
/***********************************************************/
/* Tweak the configuration to remove dependencies on TF-M. */
/***********************************************************/
/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */
#undef MBEDTLS_PSA_CRYPTO_SPM
/* Disable buffer-based memory allocator. This isn't strictly required,
* but using the native allocator is faster and works better with
* memory management analysis frameworks such as ASan. */
#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C
// This macro is enabled in TFM Medium but is disabled here because it is
// incompatible with baremetal builds in Mbed TLS.
#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
// This macro is enabled in TFM Medium but is disabled here because it is
// incompatible with baremetal builds in Mbed TLS.
#undef MBEDTLS_ENTROPY_NV_SEED
// These platform-related TF-M settings are not useful here.
#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
#undef MBEDTLS_PLATFORM_STD_MEM_HDR
#undef MBEDTLS_PLATFORM_SNPRINTF_MACRO
#undef MBEDTLS_PLATFORM_PRINTF_ALT
#undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
#undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE
/*
* In order to get an example config that works cleanly out-of-the-box
* for both baremetal and non-baremetal builds, we detect baremetal builds
* (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some
* variables accordingly.
*/
#if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__)
#define MBEDTLS_NO_PLATFORM_ENTROPY
#else
/* Use built-in platform entropy functions (TF-M provides its own). */
#undef MBEDTLS_NO_PLATFORM_ENTROPY
#endif
/***********************************************************************
* Local changes to crypto config below this delimiter
**********************************************************************/
// We expect TF-M to pick this up soon
#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it
* does not need CIPHER_C to be enabled, so we can disable it in order
* to reduce code size further. */
#undef MBEDTLS_CIPHER_C
#if CRYPTO_NV_SEED
#include "tfm_mbedcrypto_config_extra_nv_seed.h"
#endif /* CRYPTO_NV_SEED */
#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED)
#include "mbedtls_entropy_nv_seed_config.h"
#endif
#ifdef CRYPTO_HW_ACCELERATOR
#include "crypto_accelerator_config.h"
#endif
#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */

16
docs/3.0-migration-guide.md
View File

@ -71,7 +71,7 @@ If you were accessing structure fields directly, and these fields are not docume
If no accessor function exists, please open an [enhancement request against Mbed TLS](https://github.com/Mbed-TLS/mbedtls/issues/new?template=feature_request.md) and describe your use case. The Mbed TLS development team is aware that some useful accessor functions are missing in the 3.0 release, and we expect to add them to the first minor release(s) (3.1, etc.).
As a last resort, you can access the field `foo` of a structure `bar` by writing `bar.MBEDTLS_PRIVATE(foo)`. Note that you do so at your own risk, since such code is likely to break in a future minor version of Mbed TLS.
As a last resort, you can access the field `foo` of a structure `bar` by writing `bar.MBEDTLS_PRIVATE(foo)`. Note that you do so at your own risk, since such code is likely to break in a future minor version of Mbed TLS. In the Mbed TLS 3.6 LTS this will tend to be safer than in a normal minor release because LTS versions try to maintain ABI stability.
### Move part of timing module out of the library
@ -349,7 +349,7 @@ original names of those functions. The renamed functions are:
| `mbedtls_sha512_finish_ret` | `mbedtls_sha512_finish` |
| `mbedtls_sha512_ret` | `mbedtls_sha512` |
To migrate to the this change the user can keep the `*_ret` names in their code
To migrate to this change the user can keep the `*_ret` names in their code
and include the `compat_2.x.h` header file which holds macros with proper
renaming or to rename those functions in their code according to the list from
mentioned header file.
@ -409,7 +409,7 @@ using the multi-part API.
Previously, the documentation didn't state explicitly if it was OK to call
`mbedtls_cipher_check_tag()` or `mbedtls_cipher_write_tag()` directly after
the last call to `mbedtls_cipher_update()` — that is, without calling
`mbedtls_cipher_finish()` in-between. If you code was missing that call,
`mbedtls_cipher_finish()` in-between. If your code was missing that call,
please add it and be prepared to get as much as 15 bytes of output.
Currently the output is always 0 bytes, but it may be more when alternative
@ -422,7 +422,7 @@ This change affects users of the MD2, MD4, RC4, Blowfish and XTEA algorithms.
They are already niche or obsolete and most of them are weak or broken. For
those reasons possible users should consider switching to modern and safe
alternatives to be found in literature.
alternatives to be found in the literature.
### Deprecated functions were removed from cipher
@ -748,7 +748,7 @@ for both DTLS-CID and TLS 1.3.
The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred over larger curves.
If you prefer a different order, call `mbedtls_ssl_conf_curves()` when configuring a TLS connection.
If you prefer a different order, call `mbedtls_ssl_conf_groups()` when configuring a TLS connection.
### SSL key export interface change
@ -806,11 +806,11 @@ multiple times on the same SSL configuration.
In Mbed TLS 2.x, users would observe later calls overwriting
the effect of earlier calls, with the prevailing PSK being
the one that has been configured last. In Mbed TLS 3.0,
calling `mbedtls_ssl_conf_[opaque_]psk()` multiple times
calling `mbedtls_ssl_conf_psk[_opaque]()` multiple times
will return an error, leaving the first PSK intact.
To achieve equivalent functionality when migrating to Mbed TLS 3.0,
users calling `mbedtls_ssl_conf_[opaque_]psk()` multiple times should
users calling `mbedtls_ssl_conf_psk[_opaque]()` multiple times should
remove all but the last call, so that only one call to _either_
`mbedtls_ssl_conf_psk()` _or_ `mbedtls_ssl_conf_psk_opaque()`
remains.
@ -1025,7 +1025,7 @@ mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default;
my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
```
If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_curves()` with the desired lists.
If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_groups()` with the desired lists.
### Remove 3DES ciphersuites

612
docs/architecture/psa-migration/md-cipher-dispatch.md
View File

@ -1,612 +0,0 @@
PSA migration strategy for hashes and ciphers
=============================================
## Introduction
This document discusses a migration strategy for code that is not subject to `MBEDTLS_USE_PSA_CRYPTO`, is currently using legacy cryptography APIs, and should transition to PSA, without a major version change.
### Relationship with the main strategy document
This is complementary to the main [strategy document](strategy.html) and is intended as a refinement. However, at this stage, there may be contradictions between the strategy proposed here and some of the earlier strategy.
A difference between the original strategy and the current one is that in this work, we are not treating PSA as a black box. We can change experimental features, and we can call internal interfaces.
## Requirements
### User stories
#### Backward compatibility user story
As a developer of an application that uses Mbed TLS's interfaces (including legacy crypto),
I want Mbed TLS to preserve backward compatibility,
so that my code keeps working in new minor versions of Mbed TLS.
#### Interface design user story
As a developer of library code that uses Mbed TLS to perform cryptographic operations,
I want to know which functions to call and which feature macros to check,
so that my code works in all Mbed TLS configurations.
Note: this is the same problem we face in X.509 and TLS.
#### Hardware accelerator vendor user stories
As a vendor of a platform with hardware acceleration for some crypto,
I want to build Mbed TLS in a way that uses my hardware wherever relevant,
so that my customers maximally benefit from my hardware.
As a vendor of a platform with hardware acceleration for some crypto,
I want to build Mbed TLS without software that replicates what my hardware does,
to minimize the code size.
#### Maintainer user stories
As a maintainer of Mbed TLS,
I want to have clear rules for when to use which interface,
to avoid bugs in “unusual” configurations.
As a maintainer of Mbed TLS,
I want to avoid duplicating code,
because this is inefficient and error-prone.
### Use PSA more
In the long term, all code using cryptography should use PSA interfaces, to benefit from PSA drivers, allow eliminating legacy interfaces (less code size, less maintenance). However, this can't be done without breaking [backward compatibility](#backward-compatibility).
The goal of this work is to arrange for more non-PSA interfaces to use PSA interfaces under the hood, without breaking code in the cases where this doesn't work. Using PSA interfaces has two benefits:
* Where a PSA driver is available, it likely has better performance, and sometimes better security, than the built-in software implementation.
* In many scenarios, where a PSA driver is available, this allows removing the software implementation altogether.
* We may be able to get rid of some redundancies, for example the duplication between the implementations of HMAC in `md.c` and in `psa_crypto_mac.c`, and HKDF in `hkdf.c` and `psa_crypto.c`.
### Correct dependencies
Traditionally, to determine whether a cryptographic mechanism was available, you had to check whether the corresponding Mbed TLS module or submodule was present: `MBEDTLS_SHA256_C` for SHA256, `MBEDTLS_AES_C && MBEDTLS_CIPHER_MODE_CBC` for AES-CBC, etc. In code that uses the PSA interfaces, this needs to change to `PSA_WANT_xxx` symbols.
### Backward compatibility
All documented behavior must be preserved, except for interfaces currently described as experimental or unstable. Those interfaces can change, but we should minimize disruption by providing a transition path for reasonable use cases.
#### Changeable configuration options
The following configuration options are described as experimental, and are likely to change at least marginally:
* `MBEDTLS_PSA_CRYPTO_CLIENT`: “This interface is experimental and may change or be removed without notice.” In practice we don't want to remove this, but we may constrain how it's used.
* `MBEDTLS_PSA_CRYPTO_DRIVERS`: “This interface is experimental. We intend to maintain backward compatibility with application code that relies on drivers, but the driver interfaces may change without notice.” In practice, this may mean constraints not only on how to write drivers, but also on how to integrate drivers into code that is platform code more than application code.
### Non-goals
It is not a goal at this stage to make more code directly call `psa_xxx` functions. Rather, the goal is to make more code call PSA drivers where available. How dispatch is done is secondary.
## Problem analysis
### Scope analysis
#### Limitations of `MBEDTLS_USE_PSA_CRYPTO`
The option `MBEDTLS_USE_PSA_CRYPTO` causes parts of the library to call the PSA API instead of legacy APIs for cryptographic calculations. `MBEDTLS_USE_PSA_CRYPTO` only applies to `pk.h`, X.509 and TLS. When this option is enabled, applications must call `psa_crypto_init()` before calling any of the functions in these modules.
In this work, we want two things:
* Make non-covered modules call PSA, but only [when this will actually work](#why-psa-is-not-always-possible). This effectively brings those modules to a partial use-PSA behavior (benefiting from PSA accelerators when they're usable) regardless of whether the option is enabled.
* Call PSA when a covered module calls a non-covered module which calls another module, for example X.509 calling pk for PSS verification which calls RSA which calculates a hash ([see issue \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497)). This effectively extends the option to modules that aren't directly covered.
#### Classification of callers
We can classify code that implements or uses cryptographic mechanisms into several groups:
* Software implementations of primitive cryptographic mechanisms. These are not expected to change.
* Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
* Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding parts specific TLS 1.3).
* Code that always uses PSA for crypto: TLS 1.3 (except things common with 1.2), LMS.
For the purposes of this work, three domains emerge:
* **Legacy domain**: does not interact with PSA. Implementations of hashes, of cipher primitives, of arithmetic.
* **Mixed domain**: does not currently use PSA, but should [when possible](#why-psa-is-not-always-possible). This consists of the constructed cryptographic primitives (except LMS), as well as pk, X.509 and TLS when `MBEDTLS_USE_PSA_CRYPTO` is disabled.
* **PSA domain**: includes pk, X.509 and TLS when `MBEDTLS_USE_PSA_CRYPTO` is enabled. Also TLS 1.3, LMS.
#### Non-use-PSA modules
The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption.
Hashes and HMAC (after the work on driver-only hashes):
* entropy (hashes via MD-light)
* ECDSA (HMAC\_DRBG; `md.h` exposed through API)
* ECJPAKE (hashes via MD-light; `md.h` exposed through API)
* MD (hashes and HMAC)
* HKDF (HMAC via `md.h`; `md.h` exposed through API)
* HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
* PKCS12 (hashes via MD-light)
* PKCS5 (HMAC via `md.h`; `md.h` exposed through API)
* PKCS7 (hashes via MD)
* RSA (hash via MD-light for PSS and OAEP; `md.h` exposed through API)
* PEM (MD5 hash via MD-light)
Symmetric ciphers and AEADs (before work on driver-only cipher):
* PEM:
* AES, DES or 3DES in CBC mode without padding, decrypt only (!).
* Currently using low-level non-generic APIs.
* No hard dependency, features guarded by `AES_C` resp. `DES_C`.
* Functions called: `setkey_dec()` + `crypt_cbc()`.
* PKCS12:
* In practice: 2DES or 3DES in CBC mode with PKCS7 padding, decrypt only
(when called from pkparse).
* In principle: any cipher-mode (default padding), passed an
`mbedtls_cipher_type_t` as an argument, no documented restriction.
* Cipher, generically, selected from ASN.1 or function parameters;
no documented restriction but in practice TODO (inc. padding and
en/decrypt, look at standards and tests)
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
* Note: `cipher.h` exposed through API.
* Functions called: `setup`, `setkey`, `set_iv`, `reset`, `update`, `finish` (in sequence, once).
* PKCS5 (PBES2, `mbedtls_pkcs5_pbes2()`):
* 3DES or DES in CBC mode with PKCS7 padding, both encrypt and decrypt.
* Note: could also be AES in the future, see #7038.
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
* Functions called: `setup`, `setkey`, `crypt`.
* CTR\_DRBG:
* AES in ECB mode, encrypt only.
* Currently using low-level non-generic API (`aes.h`).
* Unconditional dependency on `AES_C` in `check_config.h`.
* Functions called: `setkey_enc`, `crypt_ecb`.
* CCM:
* AES, Camellia or Aria in ECB mode, encrypt only.
* Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
* Note: also called by `cipher.c` if enabled.
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
* CMAC:
* AES or DES in ECB mode, encrypt only.
* Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
* Note: also called by `cipher.c` if enabled.
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
* GCM:
* AES, Camellia or Aria in ECB mode, encrypt only.
* Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
* Note: also called by `cipher.c` if enabled.
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
* NIST\_KW:
* AES in ECB mode, both encryt and decrypt.
* Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
* Note: also called by `cipher.c` if enabled.
* Note: `cipher.h` exposed through API.
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
* Cipher:
* potentially any cipher/AEAD in any mode and any direction
Note: PSA cipher is built on Cipher, but PSA AEAD directly calls the underlying AEAD modules (GCM, CCM, ChachaPoly).
### Difficulties
#### Why PSA is not always possible
Here are some reasons why calling `psa_xxx()` to perform a hash or cipher calculation might not be desirable in some circumstances, explaining why the application would arrange to call the legacy software implementation instead.
* `MBEDTLS_PSA_CRYPTO_C` is disabled.
* There is a PSA driver which has not been initialized (this happens in `psa_crypto_init()`).
* For ciphers, the keystore is not initialized yet, and Mbed TLS uses a custom implementation of PSA ITS where the file system is not accessible yet (because something else needs to happen first, and the application takes care that it happens before it calls `psa_crypto_init()`). A possible workaround may be to dispatch to the internal functions that are called after the keystore lookup, rather than to the PSA API functions (but this is incompatible with `MBEDTLS_PSA_CRYPTO_CLIENT`).
* The requested mechanism is enabled in the legacy interface but not in the PSA interface. This was not really intended, but is possible, for example, if you enable `MBEDTLS_MD5_C` for PEM decoding with PBKDF1 but don't want `PSA_ALG_WANT_MD5` because it isn't supported for `PSA_ALG_RSA_PSS` and `PSA_ALG_DETERMINISTIC_ECDSA`.
* `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the client has not yet activated the connection to the server (this happens in `psa_crypto_init()`).
* `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, but the operation is part of the implementation of an encrypted communication with the crypto service, or the local implementation is faster because it avoids a costly remote procedure call.
#### Indirect knowledge
Consider for example the code in `rsa.c` to perform an RSA-PSS signature. It needs to calculate a hash. If `mbedtls_rsa_rsassa_pss_sign()` is called directly by application code, it is supposed to call the built-in implementation: calling a PSA accelerator would be a behavior change, acceptable only if this does not add a risk of failure or performance degradation ([PSA is impossible or undesirable in some circumstances](#why-psa-is-not-always-possible)). Note that this holds regardless of the state of `MBEDTLS_USE_PSA_CRYPTO`, since `rsa.h` is outside the scope of `MBEDTLS_USE_PSA_CRYPTO`. On the other hand, if `mbedtls_rsa_rsassa_pss_sign()` is called from X.509 code, it should use PSA to calculate hashes. It doesn't, currently, which is [bug \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497).
Generally speaking, modules in the mixed domain:
* must call PSA if called by a module in the PSA domain;
* must not call PSA (or must have a fallback) if their caller is not in the PSA domain and the PSA call is not guaranteed to work.
#### Non-support guarantees: requirements
Generally speaking, just because some feature is not enabled in `mbedtls_config.h` or `psa_config.h` doesn't guarantee that it won't be enabled in the build. We can enable additional features through `build_info.h`.
If `PSA_WANT_xxx` is disabled, this should guarantee that attempting xxx through the PSA API will fail. This is generally guaranteed by the test suite `test_suite_psa_crypto_not_supported` with automatically enumerated test cases, so it would be inconvenient to carve out an exception.
### Technical requirements
Based on the preceding analysis, the core of the problem is: for code in the mixed domain (see [“Classification of callers”](#classification-of-callers)), how do we handle a cryptographic mechanism? This has several related subproblems:
* How the mechanism is encoded (e.g. `mbedtls_md_type_t` vs `const *mbedtls_md_info_t` vs `psa_algorithm_t` for hashes).
* How to decide whether a specific algorithm or key type is supported (eventually based on `MBEDTLS_xxx_C` vs `PSA_WANT_xxx`).
* How to obtain metadata about algorithms (e.g. hash/MAC/tag size, key size).
* How to perform the operation (context type, which functions to call).
We need a way to decide this based on the available information:
* Who's the ultimate caller — see [indirect knowledge](#indirect-knowledge) — which is not actually available.
* Some parameter indicating which algorithm to use.
* The available cryptographic implementations, based on preprocessor symbols (`MBEDTLS_xxx_C`, `PSA_WANT_xxx`, `MBEDTLS_PSA_ACCEL_xxx`, etc.).
* Possibly additional runtime state (for example, we might check whether `psa_crypto_init` has been called).
And we need to take care of the [the cases where PSA is not possible](#why-psa-is-not-always-possible): either make sure the current behavior is preserved, or (where allowed by backward compatibility) document a behavior change and, preferably, a workaround.
### Working through an example: RSA-PSS
Let us work through the example of RSA-PSS which calculates a hash, as in [see issue \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497).
RSA is in the [mixed domain](#classification-of-callers). So:
* When called from `psa_sign_hash` and other PSA functions, it must call the PSA hash accelerator if there is one.
* When called from user code, it must call the built-in hash implementation if PSA is not available (regardless of whether this is because `MBEDTLS_PSA_CRYPTO_C` is disabled, or because `PSA_WANT_ALG_xxx` is disabled for this hash, or because there is an accelerator driver which has not been initialized yet).
RSA knows which hash algorithm to use based on a parameter of type `mbedtls_md_type_t`. (More generally, all mixed-domain modules that take an algorithm specification as a parameter take it via a numerical type, except HMAC\_DRBG and HKDF which take a `const mbedtls_md_info_t*` instead, and CMAC which takes a `const mbedtls_cipher_info_t *`.)
#### Double encoding solution
A natural solution is to double up the encoding of hashes in `mbedtls_md_type_t`. Pass `MBEDTLS_MD_SHA256` and `md` will dispatch to the legacy code, pass a new constant `MBEDTLS_MD_SHA256_USE_PSA` and `md` will dispatch through PSA.
This maximally preserves backward compatibility, but then no non-PSA code benefits from PSA accelerators, and there's little potential for removing the software implementation.
#### Availability of hashes in RSA-PSS
Here we try to answer the question: As a caller of RSA-PSS via `rsa.h`, how do I know whether it can use a certain hash?
* For a caller in the legacy domain: if e.g. `MBEDTLS_SHA256_C` is enabled, then I want RSA-PSS to support SHA-256. I don't care about negative support. So `MBEDTLS_SHA256_C` must imply support for RSA-PSS-SHA-256. It must work at all times, regardless of the state of PSA (e.g. drivers not initialized).
* For a caller in the PSA domain: if e.g. `PSA_WANT_ALG_SHA_256` is enabled, then I want RSA-PSS to support SHA-256, provided that `psa_crypto_init()` has been called. In some limited cases, such as `test_suite_psa_crypto_not_supported` when PSA implements RSA-PSS in software, we care about negative support: if `PSA_WANT_ALG_SHA_256` is disabled then `psa_verify_hash` must reject `PSA_WANT_ALG_SHA_256`. This can be done at the level of PSA before it calls the RSA module, though, so it doesn't have any implication on the RSA module. As far as `rsa.c` is concerned, what matters is that `PSA_WANT_ALG_SHA_256` implies that SHA-256 is supported after `psa_crypto_init()` has been called.
* For a caller in the mixed domain: requirements depend on the caller. Whatever solution RSA has to determine the availability of algorithms will apply to its caller as well.
Conclusion so far: RSA must be able to do SHA-256 if either `MBEDTLS_SHA256_C` or `PSA_WANT_ALG_SHA_256` is enabled. If only `PSA_WANT_ALG_SHA_256` and not `MBEDTLS_SHA256_C` is enabled (which implies that PSA's SHA-256 comes from an accelerator driver), then SHA-256 only needs to work if `psa_crypto_init()` has been called.
#### More in-depth discussion of compile-time availability determination
The following combinations of compile-time support are possible:
* `MBEDTLS_PSA_CRYPTO_CLIENT`. Then calling PSA may or may not be desirable for performance. There are plausible use cases where only the server has access to an accelerator so it's best to call the server, and plausible use cases where calling the server has overhead that negates the savings from using acceleration, if there are savings at all. In any case, calling PSA only works if the connection to the server has been established, meaning `psa_crypto_init` has been called successfully. In the rest of this case enumeration, assume `MBEDTLS_PSA_CRYPTO_CLIENT` is disabled.
* No PSA accelerator. Then just call `mbedtls_sha256`, it's all there is, and it doesn't matter (from an API perspective) exactly what call chain leads to it.
* PSA accelerator, no software implementation. Then we might as well call the accelerator, unless it's important that the call fails. At the time of writing, I can't think of a case where we would want to guarantee that if `MBEDTLS_xxx_C` is not enabled, but xxx is enabled through PSA, then a request to use algorithm xxx through some legacy interface must fail.
* Both PSA acceleration and the built-in implementation. In this case, we would prefer PSA for the acceleration, but we can only do this if the accelerator driver is working. For hashes, it's enough to assume the driver is initialized; we've [considered requiring hash drivers to work without initialization](https://github.com/Mbed-TLS/mbedtls/pull/6470). For ciphers, this is more complicated because the cipher functions require the keystore, and plausibly a cipher accelerator might want entropy (for side channel countermeasures) which might not be available at boot time.
Note that it's a bit tricky to determine which algorithms are available. In the case where there is a PSA accelerator but no software implementation, we don't want the preprocessor symbols to indicate that the algorithm is available through the legacy domain, only through the PSA domain. What does this mean for the interfaces in the mixed domain? They can't guarantee the availability of the algorithm, but they must try if requested.
### Designing an interface for hashes
In this section, we specify a hash metadata and calculation for the [mixed domain](#classification-of-callers), i.e. code that can be called both from legacy code and from PSA code.
#### Availability of hashes
Generalizing the analysis in [“Availability of hashes in RSA-PSS”](#availability-of-hashes-in-RSA-PSS):
A hash is available through the mixed-domain interface iff either of the following conditions is true:
* A legacy hash interface is available and the hash algorithm is implemented in software.
* PSA crypto is enabled and the hash algorithm is implemented via PSA.
We could go further and make PSA accelerators available to legacy callers that call any legacy hash interface, e.g. `md.h` or `shaX.h`. There is little point in doing this, however: callers should just use the mixed-domain interface.
#### Implications between legacy availability and PSA availability
There is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator.
It is strongly desirable to allow mechanisms available through PSA but not legacy: this allows saving code size when an accelerator is present.
There is no strong reason to allow mechanisms available through legacy but not PSA when `MBEDTLS_PSA_CRYPTO_C` is enabled. This would only save at best a very small amount of code size in the PSA dispatch code. This may be more desirable when `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled (having a mechanism available only locally and not in the crypto service), but we do not have an explicit request for this and it would be entirely reasonable to forbid it.
In this analysis, we have not found a compelling reason to require all legacy mechanisms to also be available through PSA. However, this can simplify both the implementation and the use of dispatch code thanks to some simplifying properties:
* Mixed-domain code can call PSA code if it knows that `psa_crypto_init()` has been called, without having to inspect the specifics of algorithm support.
* Mixed-domain code can assume that PSA buffer calculations work correctly for all algorithms that it supports.
#### Shape of the mixed-domain hash interface
We now need to create an abstraction for mixed-domain hash calculation. (We could not create an abstraction, but that would require every piece of mixed-domain code to replicate the logic here. We went that route in Mbed TLS 3.3, but it made it effectively impossible to get something that works correctly.)
Requirements: given a hash algorithm,
* Obtain some metadata about it (size, block size).
* Calculate the hash.
* Set up a multipart operation to calculate the hash. The operation must support update, finish, reset, abort, clone.
The existing interface in `md.h` is close to what we want, but not perfect. What's wrong with it?
* It has an extra step of converting from `mbedtls_md_type_t` to `const mbedtls_md_info_t *`.
* It includes extra fluff such as names and HMAC. This costs code size.
* The md module has some legacy baggage dating from when it was more open, which we don't care about anymore. This may cost code size.
These problems are easily solvable.
* `mbedtls_md_info_t` can become a very thin type. We can't remove the extra function call from the source code of callers, but we can make it a very thin abstraction that compilers can often optimize.
* We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
* We can optimize `md.c` without making API changes to `md.h`.
### Scope reductions and priorities for 3.x
This section documents things that we chose to temporarily exclude from the scope in the 3.x branch (which will eventually be in scope again after 4.0) as well as things we chose to prioritize if we don't have time to support everything.
#### Don't support PK, X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`
We do not need to support driver-only hashes and ciphers in PK. X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`. Users who want to take full advantage of drivers will need to enabled this macro.
Note that this applies to TLS 1.3 as well, as some uses of hashes and all uses of ciphers there are common with TLS 1.2, hence governed by `MBEDTLS_USE_PSA_CRYPTO`, see [this macro's extended documentation](../../docs/use-psa-crypto.html).
This will go away naturally in 4.0 when this macros is not longer an option (because it's always on).
#### Don't support for `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`
We generally don't really support builds with `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`. For example, both `MBEDTLS_USE_PSA_CRYPTO` and `MBEDTLS_SSL_PROTO_TLS1_3` require `MBEDTLS_PSA_CRYPTO_C`, while in principle they should only require `MBEDTLS_PSA_CRYPTO_CLIENT`.
Considering this existing restriction which we do not plan to lift before 4.0, it is acceptable driver-only hashes and cipher support to have the same restriction in 3.x.
It is however desirable for the design to keep support for `MBEDTLS_PSA_CRYPTO_CLIENT` in mind, in order to avoid making it more difficult to add in the future.
#### For cipher: prioritize constrained devices and modern TLS
The primary target is a configuration like TF-M's medium profile, plus TLS with only AEAD ciphersuites.
This excludes things like:
- Support for encrypted PEM, PKCS5 and PKCS12 encryption, and PKCS8 encrypted keys in PK parse. (Not widely used on highly constrained devices.)
- Support for NIST-KW. (Same justification.)
- Support for CMAC. (Same justification, plus can be directly accelerated.)
- Support for CBC ciphersuites in TLS. (They've been recommended against for a while now.)
### Dual-dispatch for block cipher primitives
Considering the priorities stated above, initially we want to support GCM, CCM and CTR-DRBG. All three of them use the block cipher primitive only in the encrypt direction. Currently, GCM and CCM use the Cipher layer in order to work with AES, Aria and Camellia (DES is excluded by the standards due to its smaller block size) and CTR-DRBG directly uses the low-level API from `aes.h`. In all cases, access to the "block cipher primitive" is done by using "ECB mode" (which for both Cipher and `aes.h` only allows a single block, contrary to PSA which implements actual ECB mode).
The two AEAD modes, GCM and CCM, have very similar needs and positions in the stack, strongly suggesting using the same design for both. On the other hand, there are a number of differences between CTR-DRBG and them.
- CTR-DRBG only uses AES (and there is no plan to extend it to other block ciphers at the moment), while GCM and CCM need to work with 3 block ciphers already.
- CTR-DRBG holds a special position in the stack: most users don't care about it per se, they only care about getting random numbers - in fact PSA users don't even need to know what DRBG is used. In particular, no part of the stack is asking questions like "is CTR-DRBG-AES available?" - an RNG needs to be available and that's it - contrary to similar questions about AES-GCM etc. which are asked for example by TLS.
So, it makes sense to use different designs for CTR-DRBG on one hand, and GCM/CCM on the other hand:
- CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA if not.
- GCM and CCM need an common abstraction layer that allows:
- Using AES, Aria or Camellia in a uniform way.
- Dispatching to built-in or driver.
The abstraction layer used by GCM and CCM may either be a new internal module, or a subset of the existing Cipher API, extended with the ability to dispatch to a PSA driver.
Reasons for making this layer's API a subset of the existing Cipher API:
- No need to design, implement and test a new module. (Will need to test the new subset though, as well as the extended behaviour.)
- No code change in GCM and CCM - only need to update dependencies.
- No risk for code duplication between a potential new module and Cipher: source-level, and in in particular in builds that still have `CIPHER_C` enabled. (Compiled-code duplication could be avoided by excluding the new module in such builds, though.)
- If want to support other users of Cipher later (such as NIST-KW, CMAC, PKCS5 and PKCS12), we can just extend dual-dispatch support to other modes/operations in Cipher and keep those extra modules unchanged as well.
Possible costs of re-using (a subset of) the existing Cipher API instead of defining a new one:
- We carry over costs associated with `cipher_info_t` structures. (Currently the info structure is used for 3 things: (1) to check if the cipher is supported, (2) to check its block size, (3) because `setup()` requires it).
- We carry over questionable implementation decisions, like dynamic allocation of context.
Those costs could be avoided by refactoring (parts of) Cipher, but that would probably mean either:
- significant differences in how the `cipher.h` API is implemented between builds with the full Cipher or only a subset;
- or more work to apply the simplifications to all of Cipher.
Prototyping both approaches showed better code size savings and cleaner code with a new internal module (see section "Internal "block cipher" abstraction (Cipher light)" below).
## Specification
### MD light
#### Definition of MD light
MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
The following things enable MD light automatically in `build_info.h`:
* A [mixed-domain](#classification-of-callers) module that needs to calculate hashes is enabled.
* `MBEDTLS_MD_C` is enabled.
MD light includes the following types:
* `mbedtls_md_type_t`
* `mbedtls_md_info_t`
* `mbedtls_md_context_t`
MD light includes the following functions:
* `mbedtls_md_info_from_type`
* `mbedtls_md_init`
* `mbedtls_md_free`
* `mbedtls_md_setup` — but `hmac` must be 0 if `MBEDTLS_MD_C` is disabled.
* `mbedtls_md_clone`
* `mbedtls_md_get_size`
* `mbedtls_md_get_type`
* `mbedtls_md_starts`
* `mbedtls_md_update`
* `mbedtls_md_finish`
* `mbedtls_md`
Unlike the full MD, MD light does not support null pointers as `mbedtls_md_context_t *`. At least some functions still need to support null pointers as `const mbedtls_md_info_t *` because this arises when you try to use an unsupported algorithm (`mbedtls_md_info_from_type` returns `NULL`).
#### MD algorithm support macros
For each hash algorithm, `md.h` defines a macro `MBEDTLS_MD_CAN_xxx` whenever the corresponding hash is available through MD light. These macros are only defined when `MBEDTLS_MD_LIGHT` is enabled. Per “[Availability of hashes](#availability-of-hashes)”, `MBEDTLS_MD_CAN_xxx` is enabled if:
* the corresponding `MBEDTLS_xxx_C` is defined; or
* one of `MBEDTLS_PSA_CRYPTO_C` or `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the corresponding `PSA_WANT_ALG_xxx` is enabled.
Note that some algorithms have different spellings in legacy and PSA. Since MD is a legacy interface, we'll use the legacy names. Thus, for example:
```
#if defined(MBEDTLS_MD_LIGHT)
#if defined(MBEDTLS_SHA256_C) || \
(defined(MBEDTLS_PSA_CRYPTO_C) && PSA_WANT_ALG_SHA_256)
#define MBEDTLS_MD_CAN_SHA256
#endif
#endif
```
Note: in the future, we may want to replace `defined(MBEDTLS_PSA_CRYPTO_C)`
with `defined(MBEDTLS_PSA_CRYTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)` but
for now this is out of scope.
#### MD light internal support macros
* If at least one hash has a PSA driver, define `MBEDTLS_MD_SOME_PSA`.
* If at least one hash has a legacy implementation, defined `MBEDTLS_MD_SOME_LEGACY`.
#### Support for PSA in the MD context
An MD context needs to contain either a legacy module's context (or a pointer to one, as is the case now), or a PSA context (or a pointer to one).
I am inclined to remove the pointer indirection, but this means that an MD context would always be as large as the largest supported hash context. So for the time being, this specification keeps a pointer. For uniformity, PSA will also have a pointer (we may simplify this later).
```
enum {
MBEDTLS_MD_ENGINE_LEGACY,
MBEDTLS_MD_ENGINE_PSA,
} mbedtls_md_engine_t; // private type
typedef struct mbedtls_md_context_t {
mbedtls_md_type_t type;
#if defined(MBEDTLS_MD_SOME_PSA)
mbedtls_md_engine_t engine;
#endif
void *md_ctx; // mbedtls_xxx_context or psa_hash_operation
#if defined(MBEDTLS_MD_C)
void *hmac_ctx;
#endif
} mbedtls_md_context_t;
```
All fields are private.
The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
#### Inclusion of MD info structures
MD light needs to support hashes that are only enabled through PSA. Therefore the `mbedtls_md_info_t` structures must be included based on `MBEDTLS_MD_CAN_xxx` instead of just the legacy module.
The same criterion applies in `mbedtls_md_info_from_type`.
#### Conversion to PSA encoding
The implementation needs to convert from a legacy type encoding to a PSA encoding.
```
static inline psa_algorithm_t psa_alg_of_md_info(
const mbedtls_md_info_t *md_info );
```
#### Determination of PSA support at runtime
```
int psa_can_do_hash(psa_algorithm_t hash_alg);
```
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
#### Support for PSA dispatch in hash operations
Each function that performs some hash operation or context management needs to know whether to dispatch via PSA or legacy.
If given an established context, use its `engine` field.
If given an algorithm as an `mbedtls_md_type_t type` (possibly being the `type` field of a `const mbedtls_md_info_t *`):
* If there is a PSA accelerator for this hash and `psa_can_do_hash(alg)`, call the corresponding PSA function, and if applicable set the engine to `MBEDTLS_MD_ENGINE_PSA`. (Skip this is `MBEDTLS_MD_SOME_PSA` is not defined.)
* Otherwise dispatch to the legacy module based on the type as currently done. (Skip this is `MBEDTLS_MD_SOME_LEGACY` is not defined.)
* If no dispatch is possible, return `MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE`.
Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress. Document this.
#### Error code conversion
After calling a PSA function, MD light calls `mbedtls_md_error_from_psa` to convert its status code.
### Support all legacy algorithms in PSA
As discussed in [“Implications between legacy availability and PSA availability”](#implications-between-legacy-availability-and-psa-availability), we require the following property:
> If an algorithm has a legacy implementation, it is also available through PSA.
### MD light optimizations
This section is not necessary to implement MD light, but will cut down its code size.
#### Split names out of MD light
Remove hash names from `mbedtls_md_info_t`. Use a simple switch-case or a separate list to implement `mbedtls_md_info_from_string` and `mbedtls_md_get_name`.
#### Remove metadata from the info structure
In `mbedtls_md_get_size` and in modules that want a hash's block size, instead of looking up hash metadata in the info structure, call the PSA macros.
#### Optimize type conversions
To allow optimizing conversions between `mbedtls_md_type_t` and `psa_algorithm_t`, renumber the `mbedtls_md_type_t` enum so that the values are the 8 lower bits of the PSA encoding.
With this optimization,
```
static inline psa_algorithm_t psa_alg_of_md_info(
const mbedtls_md_info_t *md_info )
{
if( md_info == NULL )
return( PSA_ALG_NONE );
return( PSA_ALG_CATEGORY_HASH | md_info->type );
}
```
Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
#### Unify HMAC with PSA
PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).
### Improving support for `MBEDTLS_PSA_CRYPTO_CLIENT`
So far, MD light only dispatches to PSA if an algorithm is available via `MBEDTLS_PSA_CRYPTO_C`, not if it's available via `MBEDTLS_PSA_CRYPTO_CLIENT`. This is acceptable because `MBEDTLS_USE_PSA_CRYPTO` requires `MBEDTLS_PSA_CRYPTO_C`, hence mixed-domain code never invokes PSA.
The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a little extra work. Here is an overview of the task breakdown, which should be fleshed up after we've done the first [migration](#migration-to-md-light):
* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
### Internal "block cipher" abstraction (previously known as "Cipher light")
#### Definition
The new module is automatically enabled in `config_adjust_legacy_crypto.h` by modules that need
it (namely: CCM, GCM) only when `CIPHER_C` is not available, or the new module
is needed for PSA dispatch (see next section). Note: CCM and GCM currently
depend on the full `CIPHER_C` (enforced by `check_config.h`); this hard
dependency would be replaced by the above auto-enablement.
The following API functions are offered:
```
void mbedtls_block_cipher_init(mbedtls_block_cipher_context_t *ctx);
void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx);
int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
mbedtls_cipher_id_t cipher_id);
int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
const unsigned char *key,
unsigned key_bitlen);
int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
const unsigned char input[16],
unsigned char output[16]);
```
The only supported ciphers are AES, ARIA and Camellia. They are identified by
an `mbedtls_cipher_id_t` in the `setup()` function, because that's how they're
identifed by callers (GCM/CCM).
#### Block cipher dual dispatch
Support for dual dispatch in the new internal module `block_cipher` is extremely similar to that in MD light.
A block cipher context contains either a legacy module's context (AES, ARIA, Camellia) or a PSA key identifier; it has a field indicating which one is in use. All fields are private.
The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
Support is determined at runtime using the new internal function
```
int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
```
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA. As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
Each function in the module needs to know whether to dispatch via PSA or legacy. All functions consult the context's `engine` field, except `setup()` which will set it according to the key type and the return value of `psa_can_do_cipher()` as discussed above.
Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress.
After calling a PSA function, `block_cipher` functions call `mbedtls_cipher_error_from_psa` to convert its status code.

7
docs/architecture/psa-migration/outcome-analysis.sh
View File

@ -3,10 +3,9 @@
# This script runs tests before and after a PR and analyzes the results in
# order to highlight any difference in the set of tests skipped.
#
# It can be used to check the first testing criterion mentioned in strategy.md,
# end of section "Supporting builds with drivers without the software
# implementation", namely: the sets of tests skipped in the default config and
# the full config must be the same before and after the PR.
# It can be used to check for unintended consequences when making non-trivial
# changes to compile time guards: the sets of tests skipped in the default
# config and the full config must be the same before and after the PR.
#
# USAGE:
# - First, commit any uncommited changes. (Also, see warning below.)

344
docs/architecture/psa-migration/psa-legacy-bridges.md
View File

@ -1,344 +0,0 @@
Bridges between legacy and PSA crypto APIs
==========================================
## Introduction
### Goal of this document
This document explores the needs of applications that use both Mbed TLS legacy crypto interfaces and PSA crypto interfaces. Based on [requirements](#requirements), we [analyze gaps](#gap-analysis) and [API design](#api-design).
This is a design document. The target audience is library maintainers. See the companion document [“Transitioning to the PSA API”](../../psa-transition.md) for a user focus on the same topic.
### Keywords
* [TODO] A part of the analysis that isn't finished.
* [OPEN] Open question: a specific aspect of the design where there are several plausible decisions.
* [ACTION] A finalized part of the design that will need to be carried out.
### Context
Mbed TLS 3.x supports two cryptographic APIs:
* The legacy API `mbedtls_xxx` is inherited from PolarSSL.
* The PSA API `psa_xxx` was introduced in Mbed TLS 2.17.
Mbed TLS is gradually shifting from the legacy API to the PSA API. Mbed TLS 4.0 will be the first version where the PSA API is considered the main API, and large parts of the legacy API will be removed.
In Mbed TLS 4.0, the cryptography will be provided by a separate project [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). For simplicity, in this document, we just refer to the whole as “Mbed TLS”.
### Document history
This document was originally written when preparing Mbed TLS 3.6. Mbed TLS 3.6 includes both PSA and legacy APIs covering largely overlapping ground. Many legacy APIs will be removed in Mbed TLS 4.0.
## Requirements
### Why mix APIs?
There is functionality that is tied to one API and is not directly available in the other API:
* Only PSA fully supports PSA accelerators and secure element integration.
* Only PSA supports isolating cryptographic material in a secure service.
* The legacy API has features that are not present (yet) in PSA, notably parsing and formatting asymmetric keys.
The legacy API can partially leverage PSA features via `MBEDTLS_USE_PSA_CRYPTO`, but this has limited scope.
In addition, many applications cannot be migrated in a single go. For large projects, it is impractical to rewrite a significant part of the code all at once. (For example, Mbed TLS itself will have taken more than 6 years to transition.) Projects that use one or more library in addition to Mbed TLS must follow the evolution of these libraries, each of which might have its own pace.
### Where mixing happens
Mbed TLS can be, and normally is, built with support for both APIs. Therefore no special effort is necessary to allow an application to use both APIs.
Special effort is necessary to use both APIs as part of the implementation of the same feature. From an informal analysis of typical application requirements, we identify four parts of the use of cryptography which can be provided by different APIs:
* Metadata manipulation: parsing and producing encrypted or signed files, finding mutually supported algorithms in a network protocol negotiation, etc.
* Key management: parsing, generating, deriving and formatting cryptographic keys.
* Data manipulation other than keys. In practice, most data formats within the scope of the legacy crypto APIs are trivial (ciphertexts, hashes, MACs, shared secrets). The one exception is ECDSA signatures.
* Cryptographic operations: hash, sign, encrypt, etc.
From this, we deduce the following requirements:
* Convert between PSA and legacy metadata.
* Creating a key with the legacy API and consuming it in the PSA API.
* Creating a key with the PSA API and consuming it in the legacy API.
* Manipulating data formats, other than keys, where the PSA API is lacking.
### Scope limitations
The goal of this document is to bridge the legacy API and the PSA API. The goal is not to provide a PSA way to do everything that is currently possible with the legacy API. The PSA API is less flexible in some regards, and extending it is out of scope in the present study.
With respect to the legacy API, we do not consider functionality of low-level modules for individual algorithms. Our focus is on applications that use high-level legacy crypto modules (md, cipher, pk) and need to combine that with uses of the PSA APIs.
## Gap analysis
The document [“Transitioning to the PSA API”](../../psa-transition.md) enumerates the public header files in Mbed TLS 3.4 and the API elements (especially enums and functions) that they provide, listing PSA equivalents where they exist. There are gaps in two cases:
* Where the PSA equivalents do not provide the same functionality. A typical example is parsing and formatting asymmetric keys.
* To convert between data representations used by legacy APIs and data representations used by PSA APIs.
Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms.
### Generic metadata gaps
#### Need for error code conversion
Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use.
Mbed TLS needs these conversions because it has many functions that expose one API (legacy/API) but are implemented on top of the other API. Most applications would convert legacy and PSA error code to their own error codes, and converting between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` is not particularly helpful for that. Application code might need such conversion functions when implementing an X.509 or TLS callback (returning `MBEDTLS_ERR_xxx`) on top of PSA functions, but this is a very limited use case.
Conclusion: no need for public error code conversion functions.
### Hash gap analysis
Hashes do not involve keys, and involves no nontrivial data format. Therefore the only gap is with metadata, namely specifying a hash algorithm.
Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, etc.). Therefore metadata about hashes is relevant not only when calculating hashes, but also when performing many other cryptographic operations.
Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls_md_type_t`. Such functions exist in Mbed TLS 3.5 (`mbedtls_md_psa_alg_from_type`, `mbedtls_md_type_from_psa_alg`) but they are declared only in private headers.
### MAC gap analysis
[TODO]
### Cipher and AEAD gap analysis
[TODO]
### Key derivation gap analysis
[TODO]
### Random generation gap analysis
[TODO]
### Asymmetric cryptography gap analysis
#### Asymmetric cryptography metadata
The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys can also be further classified according to their curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module.
An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module:
* RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption.
* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`).
ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve.
Since there is no algorithm that can be used with multiple types, and PSA keys have a policy that (for the most part) limits them to one algorithm, there does not seem to be a need to convert between legacy and PSA asymmetric key types on their own. The useful metadata conversions are:
* Selecting an **elliptic curve**.
This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`.
This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_from_psa`, which were introduced into the public API between Mbed TLS 3.5 and 3.6 ([#8664](https://github.com/Mbed-TLS/mbedtls/pull/8664)).
* Selecting A **DHM group**.
PSA only supports predefined groups, whereas legacy only supports ad hoc groups. An existing application referring to `MBEDTLS_DHM_RFC7919_FFDHExxx` values would need to refer to `PSA_DH_FAMILY_RFC7919`; an existing application using arbitrary groups cannot migrate to PSA.
* Simultaneously supporting **a key type and an algorithm**.
On the legacy side, this is an `mbedtls_pk_type_t` value and more. For ECDSA, the choice between randomized and deterministic is made at compile time. For RSA, the choice of encryption or signature algorithm is made either by configuring the underlying `mbedtls_rsa_context` or when calling the operation function.
On the PSA side, this is a `psa_key_type_t` value and an algorithm which is normally encoded as policy information in a `psa_key_attributes_t`. The algorithm is also needed in its own right when calling operation functions.
#### Using a legacy key pair or public key with PSA
There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`).
Reasons for first creating a legacy key object, where it's impossible or impractical to directly create a PSA key:
* A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions.
* The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent.
* The pk object may be created by a part of the application (or a third-party library) that hasn't been migrated to the PSA API yet.
Reasons for needing a PSA key object:
* Using the key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a few TLS functions that take PSA key identifiers, but as of Mbed TLS 3.5, it is always possible to use a legacy key instead.)
* Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.)
Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below.
#### Using a PSA key as a PK context
There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 and TLS APIs or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents.
There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations:
* It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded.
* It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object.
* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. This is not a priority concern, since we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA. However, this function is useful to use specific PSA keys in X.509/TLS regardless of whether X.509/TLS use the PSA API for all cryptographic operations, so this is a wart in the current API.
It therefore appears that we need two ways to “convert” a PSA key to PK:
* Wrapping, which is what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's lifetime and creates a PK object with limited functionality.
* Copying, which requires a new function. This requires an exportable key but creates a fully independent, fully functional PK object.
Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable.
After some discussion, have not identified anything we want to change in the behavior of `mbedtls_pk_setup_opaque`. We only want to generalize it to non-`MBEDTLS_USE_PSA_CRYPTO` and to document it better.
#### Signature formats
The pk module uses signature formats intended for X.509. The PSA module uses the simplest sensible signature format.
* For RSA, the formats are the same.
* For ECDSA, PSA uses a fixed-size concatenation of (r,s), whereas X.509 and pk use an ASN.1 DER encoding of the sequence (r,s).
Gap: We need APIs to convert between these two formats. The conversion code already exists under the hood, but it's in pieces that can't be called directly.
There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain.
Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage.
For ECDSA, there are two plausible APIs: follow the ASN.1/X.509 write/parse APIs, or present an ordinary input/output API. The ASN.1 APIs are the way they are to accommodate nested TLV structures. But ECDSA signatures do not appear nested in TLV structures in either TLS (there's just a signature field) or X.509 (the signature is inside a BITSTRING, not directly in a SEQUENCE). So there does not seem to be a need for an ASN.1-like API for the ASN.1 format, just the format conversion itself in a buffer that just contains the signature.
#### Asymmetric cryptography TODO
[TODO] Other gaps?
## New APIs
This section presents new APIs to implement based on the [gap analysis](#gap-analysis).
### General notes
Each action to implement a function entails:
* Implement the library function.
* Document it precisely, including error conditions.
* Unit-test it.
* Mention it where relevant in the PSA transition guide.
### Hash APIs
Based on the [gap analysis](#hash-gap-analysis):
[ACTION] [#8340](https://github.com/Mbed-TLS/mbedtls/issues/8340) Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`.
### MAC APIs
[TODO]
### Cipher and AEAD APIs
[TODO]
### Key derivation APIs
[TODO]
### Random generation APIs
[TODO]
### Asymmetric cryptography APIs
#### Asymmetric cryptography metadata APIs
Based on the [gap analysis](#asymmetric-cryptography-metadata):
* No further work is needed about RSA specifically. The amount of metadata other than hashes is sufficiently small to be handled in ad hoc ways in applications, and hashes have [their own conversions](#hash-apis).
* No further work is needed about ECC specifically. We have just added adequate functions.
* No further work is needed about DHM specifically. There is no good way to translate the relevant information.
* [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm.
Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_copy_from_psa` do the job.
#### API to create a PSA key from a PK context
Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa):
Given an `mbedtls_pk_context`, we want a function that creates a PSA key with the same key material and algorithm. “Same key material” is straightforward, but “same algorithm” is not, because a PK context has incomplete algorithm information. For example, there is no way to distinguish between an RSA key that is intended for signature or for encryption. Between algorithms of the same nature, there is no way to distinguish a key intended for PKCS#1v1.5 and one intended for PKCS#1v2.1 (OAEP/PSS): this is indicated in the underlying RSA context, but the indication there is only a default that can be overridden by calling `mbedtls_pk_{sign,verify}_ext`. Also there is no way to distinguish between `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)` and `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`: in the legacy interface, this is only determined when actually doing a signature/verification operation. Therefore the function that creates the PSA key needs extra information to indicate which algorithm to put in the key's policy.
When creating a PSA key, apart from the key material, the key is determined by attributes, which fall under three categories:
* Type and size. These are directly related to the key material and can be deduced from it if the key material is in a structured format, which is the case with an `mbedtls_pk_context` input.
* Policy. This includes the chosen algorithm, which as discussed above cannot be fully deduced from the `mbedtls_pk_context` object. Just choosing one algorithm is problematic because it doesn't allow implementation-specific extensions, such as Mbed TLS's enrollment algorithm. The intended usage flags cannot be deduced from the PK context either, but the conversion function could sensibly just enable all the relevant usage flags. Users who want a more restrictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more restrictive usage.
* Persistence and location. This is completely orthogonal to the information from the `mbedtls_pk_context` object. It is convenient, but not necessary, for the conversion function to allow customizing these aspects. If it doesn't, users can call the conversion function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired location.
To allow the full flexibility around policies, and make the creation of a persistent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` input, like all other functions that create a PSA key. In addition, there shall be a helper function to populate a `psa_key_attributes_t` with a sensible default. This lets the caller choose a more flexible, or just different usage policy, unlike the default-then-copy approach which only allows restricting the policy.
This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases.
[ACTION] [#8708](https://github.com/Mbed-TLS/mbedtls/issues/8708) Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`.
```
int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
psa_key_usage_flags_t usage,
psa_key_attributes_t *attributes);
int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
const psa_key_attributes_t *attributes,
mbedtls_svc_key_id_t *key_id);
```
* `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default).
* [OPEN] Or should it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OPAQUE`. But that's an uncommon use case. It's probably less surprising if this function leaves the lifetime-related alone, since its job is to set the type-related and policy-related attributes.
* `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context.
* The key type is a key pair if the context contains a private key and the indicated usage is a private-key usage. The key type is a public key if the context only contains a public key, in which case a private-key usage is an error.
* `mbedtls_pk_get_psa_attributes` sets the usage flags based on the `usage` parameter. It extends the usage to other usage that is possible:
* `EXPORT` and `COPY` are always set.
* If `SIGN_{HASH,MESSAGE}` is set then so is `VERIFY_{HASH,MESSAGE}`.
* If `DECRYPT` is set then so is `ENCRYPT`.
* It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type.
* `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`.
* For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage.
* For an RSA key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.)
* For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`.
* For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`.
* For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed.
* Public-key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key type, and remove private-key usage flags from the usage flags read from the existing key.
* `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key).
* The key type can be a public key even if the private key is available.
* `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks.
* `mbedtls_pk_import_into_psa` does not check that the policy in the attributes is sensible. That's on the user.
#### API to copy a PSA key to a PK context
Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
[ACTION] [#8709](https://github.com/Mbed-TLS/mbedtls/issues/8709) Implement `mbedtls_pk_copy_from_psa` as described below.
```
int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
mbedtls_pk_context *pk);
```
* `pk` must be initialized, but not set up.
* It is an error if the key is neither a key pair nor a public key.
* It is an error if the key is not exportable.
* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse).
* Once this function returns, the pk object is completely independent of the PSA key.
* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`) if that is a matching operation type (sign/verify, encrypt/decrypt), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`).
* For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today.
* For an RSA key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode.
* The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation.
#### API to create a PK object that wraps a PSA key
Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
[ACTION] [#8712](https://github.com/Mbed-TLS/mbedtls/issues/8712) Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`.
[ACTION] [#8710](https://github.com/Mbed-TLS/mbedtls/issues/8710) Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly.
[OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`?
#### API to convert between signature formats
Based on the [gap analysis](#signature-formats):
[ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below.
```
int mbedtls_ecdsa_raw_to_der(size_t bits,
const unsigned char *raw, size_t raw_len,
unsigned char *der, size_t der_size, size_t *der_len);
int mbedtls_ecdsa_der_to_raw(size_t bits,
const unsigned char *der, size_t der_len,
unsigned char *raw, size_t raw_size, size_t *raw_len);
```
* These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`.
* The input and output buffers can overlap.
* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is redundant in the raw-to-DER direction, but we have it anyway because [it helps catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971), and it isn't a burden on the caller because the information is readily available in practice.
* Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015).

13
docs/architecture/psa-migration/psa-limitations.md
View File

@ -1,7 +1,8 @@
This document lists current limitations of the PSA Crypto API (as of version
1.1) that may impact our ability to (1) use it for all crypto operations in
TLS and X.509 and (2) support isolation of all long-term secrets in TLS (that
is, goals G1 and G2 in [strategy.md](strategy.md) in the same directory).
is, goals G1 and G2 in
[strategy.md](https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/docs/architecture/psa-migration/strategy.md)).
This is supposed to be a complete list, based on a exhaustive review of crypto
operations done in TLS and X.509 code, but of course it's still possible that
@ -21,11 +22,11 @@ TLS have not yet been adapted to take advantage of the new PSA APIs. See:
- <https://github.com/Mbed-TLS/mbedtls/issues/7293>;
- <https://github.com/Mbed-TLS/mbedtls/issues/7294>.
Currently, when `MBEDTLS_USE_PSA_CRYPTO` and `MBEDTLS_ECP_RESTARTABLE` are
both enabled, some operations that should be restartable are not (ECDH in TLS
1.2 clients using ECDHE-ECDSA), as they are using PSA instead, and some
operations that should use PSA do not (signature generation & verification) as
they use the legacy API instead, in order to get restartable behaviour.
Currently, when `MBEDTLS_ECP_RESTARTABLE` is enabled, some operations that
should be restartable are not (ECDH in TLS 1.2 clients using ECDHE-ECDSA), as
they are using PSA instead, and some operations that should use PSA do not
(signature generation & verification) as they use the legacy API instead, in
order to get restartable behaviour.
Things that are in the API but not implemented yet
--------------------------------------------------

486
docs/architecture/psa-migration/strategy.md
View File

@ -1,486 +0,0 @@
This document explains the strategy that was used so far in starting the
migration to PSA Crypto and mentions future perspectives and open questions.
Goals
=====
Several benefits are expected from migrating to PSA Crypto:
G1. Use PSA Crypto drivers when available.
G2. Allow isolation of long-term secrets (for example, private keys).
G3. Allow isolation of short-term secrets (for example, TLS session keys).
G4. Have a clean, unified API for Crypto (retire the legacy API).
G5. Code size: compile out our implementation when a driver is available.
As of Mbed TLS 3.2, most of (G1) and all of (G2) is implemented when
`MBEDTLS_USE_PSA_CRYPTO` is enabled. For (G2) to take effect, the application
needs to be changed to use new APIs. For a more detailed account of what's
implemented, see `docs/use-psa-crypto.md`, where new APIs are about (G2), and
internal changes implement (G1).
As of early 2023, work towards G5 is in progress: Mbed TLS 3.3 and 3.4 saw
some improvements in this area, and more will be coming in future releases.
Generally speaking, the numbering above doesn't mean that each goal requires
the preceding ones to be completed.
Compile-time options
====================
We currently have a few compile-time options that are relevant to the migration:
- `MBEDTLS_PSA_CRYPTO_C` - enabled by default, controls the presence of the PSA
Crypto APIs.
- `MBEDTLS_USE_PSA_CRYPTO` - disabled by default (enabled in "full" config),
controls usage of PSA Crypto APIs to perform operations in X.509 and TLS
(G1 above), as well as the availability of some new APIs (G2 above).
- `PSA_CRYPTO_CONFIG` - disabled by default, supports builds with drivers and
without the corresponding software implementation (G5 above).
The reasons why `MBEDTLS_USE_PSA_CRYPTO` is optional and disabled by default
are:
- it's not fully compatible with `MBEDTLS_ECP_RESTARTABLE`: you can enable
both, but then you won't get the full effect of RESTARTBLE (see the
documentation of this option in `mbedtls_config.h`);
- to avoid a hard/default dependency of TLS, X.509 and PK on
`MBEDTLS_PSA_CRYPTO_C`, for backward compatibility reasons:
- When `MBEDTLS_PSA_CRYPTO_C` is enabled and used, applications need to call
`psa_crypto_init()` before TLS/X.509 uses PSA functions. (This prevents us
from even enabling the option by default.)
- `MBEDTLS_PSA_CRYPTO_C` has a hard dependency on `MBEDTLS_ENTROPY_C ||
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` but it's
currently possible to compile TLS and X.509 without any of the options.
Also, we can't just auto-enable `MBEDTLS_ENTROPY_C` as it doesn't build
out of the box on all platforms, and even less
`MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` as it requires a user-provided RNG
function.
The downside of this approach is that until we are able to make
`MBDEDTLS_USE_PSA_CRYPTO` non-optional (always enabled), we have to maintain
two versions of some parts of the code: one using PSA, the other using the
legacy APIs. However, see next section for strategies that can lower that
cost. The rest of this section explains the reasons for the
incompatibilities mentioned above.
At the time of writing (early 2022) it is unclear what could be done about the
backward compatibility issues, and in particular if the cost of implementing
solutions to these problems would be higher or lower than the cost of
maintaining dual code paths until the next major version. (Note: these
solutions would probably also solve other problems at the same time.)
### `MBEDTLS_ECP_RESTARTABLE`
Currently this option controls not only the presence of restartable APIs in
the crypto library, but also their use in the TLS and X.509 layers. Since PSA
Crypto does not support restartable operations, there's a clear conflict: the
TLS and X.509 layers can't both use only PSA APIs and get restartable
behaviour.
Support for restartable (aka interruptible) ECDSA sign/verify operation was
added to PSA in Mbed TLS 3.4, but support for ECDH is not present yet.
It will then require follow-up work to make use of the new PSA APIs in
PK/X.509/TLS in all places where we currently allow restartable operations.
### Backward compatibility issues with making `MBEDTLS_USE_PSA_CRYPTO` always on
1. Existing applications may not be calling `psa_crypto_init()` before using
TLS, X.509 or PK. We can try to work around that by calling (the relevant
part of) it ourselves under the hood as needed, but that would likely require
splitting init between the parts that can fail and the parts that can't (see
<https://github.com/ARM-software/psa-crypto-api/pull/536> for that).
2. It's currently not possible to enable `MBEDTLS_PSA_CRYPTO_C` in
configurations that don't have `MBEDTLS_ENTROPY_C`, and we can't just
auto-enable the latter, as it won't build or work out of the box on all
platforms. There are two kinds of things we'd need to do if we want to work
around that:
1. Make it possible to enable the parts of PSA Crypto that don't require an
RNG (typically, public key operations, symmetric crypto, some key
management functions (destroy etc)) in configurations that don't have
`ENTROPY_C`. This requires going through the PSA code base to adjust
dependencies. Risk: there may be annoying dependencies, some of which may be
surprising.
2. For operations that require an RNG, provide an alternative function
accepting an explicit `f_rng` parameter (see #5238), that would be
available in entropy-less builds. (Then code using those functions still needs
to have one version using it, for entropy-less builds, and one version using
the standard function, for driver support in build with entropy.)
See <https://github.com/Mbed-TLS/mbedtls/issues/5156>.
Taking advantage of the existing abstractions layers - or not
=============================================================
The Crypto library in Mbed TLS currently has 3 abstraction layers that offer
algorithm-agnostic APIs for a class of algorithms:
- MD for messages digests aka hashes (including HMAC)
- Cipher for symmetric ciphers (included AEAD)
- PK for asymmetric (aka public-key) cryptography (excluding key exchange)
Note: key exchange (FFDH, ECDH) is not covered by an abstraction layer.
These abstraction layers typically provide, in addition to the API for crypto
operations, types and numerical identifiers for algorithms (for
example `mbedtls_cipher_mode_t` and its values). The
current strategy is to keep using those identifiers in most of the code, in
particular in existing structures and public APIs, even when
`MBEDTLS_USE_PSA_CRYPTO` is enabled. (This is not an issue for G1, G2, G3
above, and is only potentially relevant for G4.)
The are multiple strategies that can be used regarding the place of those
layers in the migration to PSA.
Silently call to PSA from the abstraction layer
-----------------------------------------------
- Provide a new definition (conditionally on `USE_PSA_CRYPTO`) of wrapper
functions in the abstraction layer, that calls PSA instead of the legacy
crypto API.
- Upside: changes contained to a single place, no need to change TLS or X.509
code anywhere.
- Downside: tricky to implement if the PSA implementation is currently done on
top of that layer (dependency loop).
This strategy is currently (early 2023) used for all operations in the PK
layer; the MD layer uses a variant where it dispatches to PSA if a driver is
available and the driver subsystem has been initialized, regardless of whether
`USE_PSA_CRYPTO` is enabled; see `md-cipher-dispatch.md` in the same directory
for details.
This strategy is not very well suited to the Cipher layer, as the PSA
implementation is currently done on top of that layer.
This strategy will probably be used for some time for the PK layer, while we
figure out what the future of that layer is: parts of it (parse/write, ECDSA
signatures in the format that X.509 & TLS want) are not covered by PSA, so
they will need to keep existing in some way. (Also, the PK layer is a good
place for dispatching to either PSA or `mbedtls_xxx_restartable` while that
part is not covered by PSA yet, if we decide to do that.)
Replace calls for each operation
--------------------------------
- For every operation that's done through this layer in TLS or X.509, just
replace function call with calls to PSA (conditionally on `USE_PSA_CRYPTO`)
- Upside: conceptually simple, and if the PSA implementation is currently done
on top of that layer, avoids concerns about dependency loops.
- Upside: opens the door to building TLS/X.509 without that layer, saving some
code size.
- Downside: TLS/X.509 code has to be done for each operation.
This strategy is currently (early 2023) used for the MD layer and the Cipher
layer in X.509 and TLS. Crypto modules however always call to MD which may
then dispatch to PSA, see `md-cipher-dispatch.md`.
Opt-in use of PSA from the abstraction layer
--------------------------------------------
- Provide a new way to set up a context that causes operations on that context
to be done via PSA.
- Upside: changes mostly contained in one place, TLS/X.509 code only needs to
be changed when setting up the context, but not when using it. In
particular, no changes to/duplication of existing public APIs that expect a
key to be passed as a context of this layer (eg, `mbedtls_pk_context`).
- Upside: avoids dependency loop when PSA implemented on top of that layer.
- Downside: when the context is typically set up by the application, requires
changes in application code.
This strategy is not useful when no context is used, for example with the
one-shot function `mbedtls_md()`.
There are two variants of this strategy: one where using the new setup
function also allows for key isolation (the key is only held by PSA,
supporting both G1 and G2 in that area), and one without isolation (the key is
still stored outside of PSA most of the time, supporting only G1).
This strategy, with support for key isolation, is currently (early 2022) used for
private-key operations in the PK layer - see `mbedtls_pk_setup_opaque()`. This
allows use of PSA-held private ECDSA keys in TLS and X.509 with no change to
the TLS/X.509 code, but a contained change in the application.
This strategy, without key isolation, was also previously used (until 3.1
included) in the Cipher layer - see `mbedtls_cipher_setup_psa()`. This allowed
use of PSA for cipher operations in TLS with no change to the application
code, and a contained change in TLS code. (It only supported a subset of
ciphers.)
Note: for private key operations in the PK layer, both the "silent" and the
"opt-in" strategy can apply, and can complement each other, as one provides
support for key isolation, but at the (unavoidable) code of change in
application code, while the other requires no application change to get
support for drivers, but fails to provide isolation support.
Summary
-------
Strategies currently (early 2022) used with each abstraction layer:
- PK (for G1): silently call PSA
- PK (for G2): opt-in use of PSA (new key type)
- Cipher (G1): replace calls at each call site
- MD (G1, X.509 and TLS): replace calls at each call site (depending on
`USE_PSA_CRYPTO`)
- MD (G5): silently call PSA when a driver is available, see
`md-cipher-dispatch.md`.
Supporting builds with drivers without the software implementation
==================================================================
This section presents a plan towards G5: save code size by compiling out our
software implementation when a driver is available.
Let's expand a bit on the definition of the goal: in such a configuration
(driver used, software implementation and abstraction layer compiled out),
we want:
a. the library to build in a reasonably-complete configuration,
b. with all tests passing,
c. and no more tests skipped than the same configuration with software
implementation.
Criterion (c) ensures not only test coverage, but that driver-based builds are
at feature parity with software-based builds.
We can roughly divide the work needed to get there in the following steps:
0. Have a working driver interface for the algorithms we want to replace.
1. Have users of these algorithms call to PSA or an abstraction layer than can
dispatch to PSA, but not the low-level legacy API, for all operations.
(This is G1, and for PK, X.509 and TLS this is controlled by
`MBEDTLS_USE_PSA_CRYPTO`.) This needs to be done in the library and tests.
2. Have users of these algorithms not depend on the legacy API for information
management (getting a size for a given algorithm, etc.)
3. Adapt compile-time guards used to query availability of a given algorithm;
this needs to be done in the library (for crypto operations and data) and
tests.
Note: the first two steps enable use of drivers, but not by themselves removal
of the software implementation.
Note: the fact that step 1 is not achieved for all of libmbedcrypto (see
below) is the reason why criterion (a) has "a reasonably-complete
configuration", to allow working around internal crypto dependencies when
working on other parts such as X.509 and TLS - for example, a configuration
without RSA PKCS#1 v2.1 still allows reasonable use of X.509 and TLS.
Note: this is a conceptual division that will sometimes translate to how the
work is divided into PRs, sometimes not. For example, in situations where it's
not possible to achieve good test coverage at the end of step 1 or step 2, it
is preferable to group with the next step(s) in the same PR until good test
coverage can be reached.
**Status as of end of March 2023 (shortly after 3.4):**
- Step 0 is achieved for most algorithms, with only a few gaps remaining.
- Step 1 is achieved for most of PK, X.509, and TLS when
`MBEDTLS_USE_PSA_CRYPTO` is enabled with only a few gaps remaining (see
docs/use-psa-crypto.md).
- Step 1 is achieved for the crypto library regarding hashes: everything uses
MD (not low-level hash APIs), which then dispatches to PSA if applicable.
- Step 1 is not achieved for all of the crypto library when it come to
ciphers. For example,`ctr_drbg.c` calls the legacy API `mbedtls_aes`.
- Step 2 is achieved for most of X.509 and TLS (same gaps as step 1) when
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
- Step 3 is done for hashes and top-level ECC modules (ECDSA, ECDH, ECJPAKE).
**Strategy for step 1:**
Regarding PK, X.509, and TLS, this is mostly achieved with only a few gaps.
(The strategy was outlined in the previous section.)
Regarding libmbedcrypto:
- for hashes and ciphers, see `md-cipher-dispatch.md` in the same directory;
- for ECC, we have no internal uses of the top-level algorithms (ECDSA, ECDH,
ECJPAKE), however they all depend on `ECP_C` which in turn depends on
`BIGNUM_C`. So, direct calls from TLS, X.509 and PK to ECP and Bignum will
need to be replaced; see <https://github.com/Mbed-TLS/mbedtls/issues/6839> and
linked issues for a summary of intermediate steps and open points.
**Strategy for step 2:**
The most satisfying situation here is when we can just use the PSA Crypto API
for information management as well. However sometimes it may not be
convenient, for example in parts of the code that accept old-style identifiers
(such as `mbedtls_md_type_t`) in their API and can't assume PSA to be
compiled in (such as `rsa.c`).
When using an existing abstraction layer such as MD, it can provide
information management functions. In other cases, information that was in a
low-level module but logically belongs in a higher-level module can be moved
to that module (for example, TLS identifiers of curves and there conversion
to/from PSA or legacy identifiers belongs in TLS, not `ecp.c`).
**Strategy for step 3:**
There are currently two (complementary) ways for crypto-using code to check if a
particular algorithm is supported: using `MBEDTLS_xxx` macros, and using
`PSA_WANT_xxx` macros. For example, PSA-based code that want to use SHA-256
will check for `PSA_WANT_ALG_SHA_256`, while legacy-based code that wants to
use SHA-256 will check for `MBEDTLS_SHA256_C` if using the `mbedtls_sha256`
API, or for `MBEDTLS_MD_C && MBEDTLS_SHA256_C` if using the `mbedtls_md` API.
Code that obeys `MBEDTLS_USE_PSA_CRYPTO` will want to use one of the two
dependencies above depending on whether `MBEDTLS_USE_PSA_CRYPTO` is defined:
if it is, the code want the algorithm available in PSA, otherwise, it wants it
available via the legacy API(s) is it using (MD and/or low-level).
As much as possible, we're trying to create for each algorithm a single new
macro that can be used to express dependencies everywhere (except pure PSA
code that should always use `PSA_WANT`). For example, for hashes this is the
`MBEDTLS_MD_CAN_xxx` family. For ECC algorithms, we have similar
`MBEDTLS_PK_CAN_xxx` macros.
Note that in order to achieve that goal, even for code that obeys
`USE_PSA_CRYPTO`, it is useful to impose that all algorithms that are
available via the legacy APIs are also available via PSA.
Executing step 3 will mostly consist of using the right dependency macros in
the right places (once the previous steps are done).
**Note on testing**
Since supporting driver-only builds is not about adding features, but about
supporting existing features in new types of builds, testing will not involve
adding cases to the test suites, but instead adding new components in `all.sh`
that build and run tests in newly-supported configurations. For example, if
we're making some part of the library work with hashes provided only by
drivers when `MBEDTLS_USE_PSA_CRYPTO` is defined, there should be a place in
`all.sh` that builds and run tests in such a configuration.
There is however a risk, especially in step 3 where we change how dependencies
are expressed (sometimes in bulk), to get things wrong in a way that would
result in more tests being skipped, which is easy to miss. Care must be
taken to ensure this does not happen. The following criteria can be used:
1. The sets of tests skipped in the default config and the full config must be
the same before and after the PR that implements step 3. This is tested
manually for each PR that changes dependency declarations by using the script
`outcome-analysis.sh` in the present directory.
2. The set of tests skipped in the driver-only build is the same as in an
equivalent software-based configuration. This is tested automatically by the
CI in the "Results analysis" stage, by running
`tests/scripts/analyze_outcomes.py`. See the
`analyze_driver_vs_reference_xxx` actions in the script and the comments above
their declaration for how to do that locally.
Migrating away from the legacy API
==================================
This section briefly introduces questions and possible plans towards G4,
mainly as they relate to choices in previous stages.
The role of the PK/Cipher/MD APIs in user migration
---------------------------------------------------
We're currently taking advantage of the existing PK layer in order
to reduce the number of places where library code needs to be changed. It's
only natural to consider using the same strategy (with the PK, MD and Cipher
layers) for facilitating migration of application code.
Note: a necessary first step for that would be to make sure PSA is no longer
implemented of top of the concerned layers
### Zero-cost compatibility layer?
The most favourable case is if we can have a zero-cost abstraction (no
runtime, RAM usage or code size penalty), for example just a bunch of
`#define`s, essentially mapping `mbedtls_` APIs to their `psa_` equivalent.
Unfortunately that's unlikely to fully work. For example, the MD layer uses the
same context type for hashes and HMACs, while the PSA API (rightfully) has
distinct operation types. Similarly, the Cipher layer uses the same context
type for unauthenticated and AEAD ciphers, which again the PSA API
distinguishes.
It is unclear how much value, if any, a zero-cost compatibility layer that's
incomplete (for example, for MD covering only hashes, or for Cipher covering
only AEAD) or differs significantly from the existing API (for example,
introducing new context types) would provide to users.
### Low-cost compatibility layers?
Another possibility is to keep most or all of the existing API for the PK, MD
and Cipher layers, implemented on top of PSA, aiming for the lowest possible
cost. For example, `mbedtls_md_context_t` would be defined as a (tagged) union
of `psa_hash_operation_t` and `psa_mac_operation_t`, then `mbedtls_md_setup()`
would initialize the correct part, and the rest of the functions be simple
wrappers around PSA functions. This would vastly reduce the complexity of the
layers compared to the existing (no need to dispatch through function
pointers, just call the corresponding PSA API).
Since this would still represent a non-zero cost, not only in terms of code
size, but also in terms of maintenance (testing, etc.) this would probably
be a temporary solution: for example keep the compatibility layers in 4.0 (and
make them optional), but remove them in 5.0.
Again, this provides the most value to users if we can manage to keep the
existing API unchanged. Their might be conflicts between this goal and that of
reducing the cost, and judgment calls may need to be made.
Note: when it comes to holding public keys in the PK layer, depending on how
the rest of the code is structured, it may be worth holding the key data in
memory controlled by the PK layer as opposed to a PSA key slot, moving it to a
slot only when needed (see current `ecdsa_verify_wrap` when
`MBEDTLS_USE_PSA_CRYPTO` is defined) For example, when parsing a large
number, N, of X.509 certificates (for example the list of trusted roots), it
might be undesirable to use N PSA key slots for their public keys as long as
the certs are loaded. OTOH, this could also be addressed by merging the "X.509
parsing on-demand" (#2478), and then the public key data would be held as
bytes in the X.509 CRT structure, and only moved to a PK context / PSA slot
when it's actually used.
Note: the PK layer actually consists of two relatively distinct parts: crypto
operations, which will be covered by PSA, and parsing/writing (exporting)
from/to various formats, which is currently not fully covered by the PSA
Crypto API.
### Algorithm identifiers and other identifiers
It should be easy to provide the user with a bunch of `#define`s for algorithm
identifiers, for example `#define MBEDTLS_MD_SHA256 PSA_ALG_SHA_256`; most of
those would be in the MD, Cipher and PK compatibility layers mentioned above,
but there might be some in other modules that may be worth considering, for
example identifiers for elliptic curves.
### Lower layers
Generally speaking, we would retire all of the low-level, non-generic modules,
such as AES, SHA-256, RSA, DHM, ECDH, ECP, bignum, etc, without providing
compatibility APIs for them. People would be encouraged to switch to the PSA
API. (The compatibility implementation of the existing PK, MD, Cipher APIs
would mostly benefit people who already used those generic APis rather than
the low-level, alg-specific ones.)
### APIs in TLS and X.509
Public APIs in TLS and X.509 may be affected by the migration in at least two
ways:
1. APIs that rely on a legacy `mbedtls_` crypto type: for example
`mbedtls_ssl_conf_own_cert()` to configure a (certificate and the
associated) private key. Currently the private key is passed as a
`mbedtls_pk_context` object, which would probably change to a `psa_key_id_t`.
Since some users would probably still be using the compatibility PK layer, it
would need a way to easily extract the PSA key ID from the PK context.
2. APIs the accept list of identifiers: for example
`mbedtls_ssl_conf_curves()` taking a list of `mbedtls_ecp_group_id`s. This
could be changed to accept a list of pairs (`psa_ecc_family_t`, size) but we
should probably take this opportunity to move to a identifier independent from
the underlying crypto implementation and use TLS-specific identifiers instead
(based on IANA values or custom enums), as is currently done in the new
`mbedtls_ssl_conf_groups()` API, see #4859).
Testing
-------
An question that needs careful consideration when we come around to removing
the low-level crypto APIs and making PK, MD and Cipher optional compatibility
layers is to be sure to preserve testing quality. A lot of the existing test
cases use the low level crypto APIs; we would need to either keep using that
API for tests, or manually migrate tests to the PSA Crypto API. Perhaps a
combination of both, perhaps evolving gradually over time.

2
docs/architecture/psa-migration/syms.sh
View File

@ -11,7 +11,7 @@
#
# Usage:
# - build the library with debug symbols and the config you're interested in
# (default, full minus MBEDTLS_USE_PSA_CRYPTO, full, etc.)
# (default, full, etc.)
# - launch this script with 1 or more arguments depending on the analysis' goal:
# - if only 1 argument is used (which is the name of the used config,
# ex: full), then the analysis is done on libmbedx509 and libmbedtls

99
docs/architecture/psa-migration/testing.md
View File

@ -1,99 +0,0 @@
Testing strategy for `MBEDTLS_USE_PSA_CRYPTO`
=============================================
This document records the testing strategy used so far in implementing
`MBEDTLS_USE_PSA_CRYPTO`.
General considerations
----------------------
There needs to be at least one build in `all.sh` that enables
`MBEDTLS_USE_PSA_CRYPTO` and runs the full battery of tests; currently that's
ensured by the fact that `scripts/config.py full` enables
`MBEDTLS_USE_PSA_CRYPTO`. There needs to be at least one build with
`MBEDTLS_USE_PSA_CRYPTO` disabled (as long as it's optional); currently that's
ensured by the fact that it's disabled in the default config.
Generally, code review is enough to ensure that PSA APIs are indeed used where
they should be when `MBEDTLS_USE_PSA_CRYPTO` is enabled.
However, when it comes to TLS, we also have the option of using debug messages
to confirm which code path is taken. This is generally unnecessary, except when
a decision is made at run-time about whether to use the PSA or legacy code
path. (For example, for record protection, previously (until 3.1), some ciphers were supported
via PSA while some others weren't, with a run-time fallback. In this case, it's
good to have a debug message checked by the test case to confirm that the
right decision was made at run-time, i. e. that we didn't use the fallback for
ciphers that are supposed to be supported.)
New APIs meant for application use
----------------------------------
For example, `mbedtls_pk_setup_opaque()` is meant to be used by applications
in order to create PK contexts that can then be passed to existing TLS and
X.509 APIs (which remain unchanged).
In that case, we want:
- unit testing of the new API and directly-related APIs - for example:
- in `test_suite_pk` we have a new test function `pk_psa_utils` that exercises
`mbedtls_pk_setup_opaque()` and checks that various utility functions
(`mbedtls_pk_get_type()` etc.) work and the functions that are expected to
fail (`mbedtls_pk_verify()` etc) return the expected error.
- in `test_suite_pk` we modified the existing `pk_psa_sign` test function to
check that signature generation works as expected
- in `test_suite_pkwrite` we should have a new test function checking that
exporting (writing out) the public part of the key works as expected and
that exporting the private key fails as expected.
- integration testing of the new API with each existing API which should
accepts a context created this way - for example:
- in `programs/ssl/ssl_client2` a new option `key_opaque` that causes the
new API to be used, and one or more tests in `ssl-opt.sh` using that.
(We should have the same server-side.)
- in `test_suite_x509write` we have a new test function
`x509_csr_check_opaque()` checking integration of the new API with the
existing `mbedtls_x509write_csr_set_key()`. (And also
`mbedtls_x509write_crt_set_issuer_key()` since #5710.)
For some APIs, for example with `mbedtls_ssl_conf_psk_opaque()`, testing in
`test_suite_ssl` was historically not possible, so we only have testing in
`ssl-opt.sh`.
New APIs meant for internal use
-------------------------------
For example, `mbedtls_cipher_setup_psa()` (no longer used, soon to be
deprecated - #5261) was meant to be used by the TLS layer, but probably not
directly by applications.
In that case, we want:
- unit testing of the new API and directly-related APIs - for example:
- in `test_suite_cipher`, the existing test functions `auth_crypt_tv` and
`test_vec_crypt` gained a new parameter `use_psa` and corresponding test
cases
- integration testing:
- usually already covered by existing tests for higher-level modules:
- for example simple use of `mbedtls_cipher_setup_psa()` in TLS is already
covered by running the existing TLS tests in a build with
`MBEDTLS_USA_PSA_CRYPTO` enabled
- however if use of the new API in higher layers involves more logic that
use of the old API, specific integrations test may be required
- for example, the logic to fall back from `mbedtls_cipher_setup_psa()` to
`mbedtls_cipher_setup()` in TLS is tested by `run_test_psa` in
`ssl-opt.sh`.
Internal changes
----------------
For example, use of PSA to compute the TLS 1.2 PRF.
Changes in this category rarely require specific testing, as everything should
be already be covered by running the existing tests in a build with
`MBEDTLS_USE_PSA_CRYPTO` enabled; however we need to make sure the existing
test have sufficient coverage, and improve them if necessary.
However, if additional logic is involved, or there are run-time decisions about
whether to use the PSA or legacy code paths, specific tests might be in order.

2
docs/architecture/testing/invasive-testing.md
View File

@ -275,7 +275,7 @@ This section lists some strategies that are currently used for invasive testing,
Goal: test that `mbedtls_platform_zeroize` does wipe the memory buffer.
Solution ([debugger](#debugger-based-testing)): implemented in `tests/scripts/test_zeroize.gdb`.
Solution ([debugger](#debugger-based-testing)): implemented in `framework/tests/programs/test_zeroize.gdb`.
Rationale: this cannot be tested by adding C code, because the danger is that the compiler optimizes the zeroization away, and any C code that observes the zeroization would cause the compiler not to optimize it away.

4
docs/architecture/tls13-support.md
View File

@ -115,10 +115,7 @@ Support description
| MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED | no |
| | |
| MBEDTLS_KEY_EXCHANGE_PSK_ENABLED | n/a (2) |
| MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_RSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a |
| MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a |
@ -126,7 +123,6 @@ Support description
| MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | n/a |
| | |
| MBEDTLS_PSA_CRYPTO_C | no (1) |
| MBEDTLS_USE_PSA_CRYPTO | yes |
(1) These options must remain in their default state of enabled.
(2) See the TLS 1.3 specific build options section below.

4
docs/proposed/Makefile
View File

@ -4,10 +4,6 @@ default: all
all_markdown = \
config-split.md \
psa-conditional-inclusion-c.md \
psa-driver-developer-guide.md \
psa-driver-integration-guide.md \
psa-driver-interface.md \
# This line is intentionally left blank
html: $(all_markdown:.md=.html)

2
docs/proposed/config-split.md
View File

@ -290,7 +290,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
//#define MBEDTLS_SHA512_SMALLER
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
//#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
//#define MBEDTLS_USE_PSA_CRYPTO
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1
//#define MBEDTLS_ECP_WINDOW_SIZE 4
@ -398,7 +397,6 @@ PSA_WANT_\* macros as in current `crypto_config.h`.
//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_ALPN
//#define MBEDTLS_SSL_ASYNC_PRIVATE

8
docs/psa-transition.md
View File

@ -50,8 +50,6 @@ Then use the [summary of API modules](#summary-of-api-modules), the table of con
To make the PSA API available, make sure that the configuration option [`MBEDTLS_PSA_CRYPTO_C`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#c.MBEDTLS_PSA_CRYPTO_C) is enabled. (It is enabled in the default configuration.)
You should probably enable [`MBEDTLS_USE_PSA_CRYPTO`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/mbedtls__config_8h/#mbedtls__config_8h_1a70fd7b97d5f11170546583f2095942a6) as well (it is disabled by default). This option causes the PK, X.509 and TLS modules to use PSA crypto under the hood.
By default, the PSA crypto API offers a similar set of cryptographic mechanisms as those offered by the legacy API (configured by `MBEDTLS_XXX` macros). The PSA crypto API also has its own configuration mechanism; see “[Cryptographic mechanism availability](#cryptographic-mechanism-availability)”.
### Header files
@ -228,7 +226,7 @@ The PSA Crypto API may use accelerator drivers. In this case any options control
In the Mbed TLS legacy interface, you can replace some cryptographic primitives and modes by an alternative implementation, by enabling configuration options of the form `MBEDTLS_xxx_ALT` and linking with your own implementation of the affected function or module. Alternative implementations remain supported in Mbed TLS 3.x even if the application code uses the PSA API. However, they will be removed from the next version of the library.
The corresponding PSA feature is accelerator drivers. To implement an accelerator driver, see the [PSA cryptoprocessor driver example and guide](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-driver-example-and-guide.md). In an application that uses both the legacy interface and the PSA interface for the same mechanism, only some algorithms support calling a PSA driver from the legacy interface. See the [Guide to driver-only builds](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/driver-only-builds.md) for more information.
The corresponding PSA feature is accelerator drivers. To implement an accelerator driver, see the [PSA cryptoprocessor driver example and guide](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/docs/psa-driver-example-and-guide.md). In an application that uses both the legacy interface and the PSA interface for the same mechanism, only some algorithms support calling a PSA driver from the legacy interface. See the [Guide to driver-only builds](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/docs/driver-only-builds.md) for more information.
### Self-tests
@ -908,7 +906,7 @@ This section discusses how to use a PSA key in a context that requires a PK obje
* [`mbedtls_pk_copy_from_psa`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1ab8e88836fd9ee344ffe630c40447bd08) copies a PSA key into a PK object. The PSA key must be exportable. The PK object remains valid even if the PSA key is destroyed.
* [`mbedtls_pk_copy_public_from_psa`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a2a50247a528889c12ea0ddddb8b15a4e) copies the public part of a PSA key into a PK object. The PK object remains valid even if the PSA key is destroyed.
* [`mbedtls_pk_setup_opaque`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a4c04ac22ab9c1ae09cc29438c308bf05) sets up a PK object that wraps the PSA key. This functionality is only available when `MBEDTLS_USE_PSA_CRYPTO` is enabled. The PK object has the type `MBEDTLS_PK_OPAQUE` regardless of whether the key is an RSA or ECC key. The PK object can only be used as permitted by the PSA key's policy. The PK object contains a reference to the PSA key identifier, therefore PSA key must not be destroyed as long as the PK object remains alive.
* [`mbedtls_pk_setup_opaque`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/file/pk_8h/#pk_8h_1a4c04ac22ab9c1ae09cc29438c308bf05) sets up a PK object that wraps the PSA key. The PK object has the type `MBEDTLS_PK_OPAQUE` regardless of whether the key is an RSA or ECC key. The PK object can only be used as permitted by the PSA key's policy. The PK object contains a reference to the PSA key identifier, therefore PSA key must not be destroyed as long as the PK object remains alive.
Here is some sample code illustrating how to use the PK module to format a PSA public key or the public key of a PSA key pair.
```
@ -1278,7 +1276,7 @@ The PSA API is a cryptography API, not an arithmetic API. As a consequence, ther
#### RSA-ALT interface
Implementers of the RSA-ALT interface (`MBEDTLS_PK_RSA_ALT` pk type, `mbedtls_pk_setup_rsa_alt` setup function) should migrate to the [PSA cryptoprocessor driver interface](https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-driver-example-and-guide.md).
Implementers of the RSA-ALT interface (`MBEDTLS_PK_RSA_ALT` pk type, `mbedtls_pk_setup_rsa_alt` setup function) should migrate to the [PSA cryptoprocessor driver interface](https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/docs/psa-driver-example-and-guide.md).
* If the purpose of the ALT interface is acceleration only: use the accelerator driver interface. This is fully transparent to application code.
* If the purpose of the ALT interface is to isolate the private key in a high-security environment: use the opaque driver interface. This is mostly transparent to user code. Code that uses a key via its key identifier does not need to know whether the key is transparent (equivalent of `MBEDTLS_PK_RSA`) or opaque (equivalent of `MBEDTLS_PK_RSA_ALT`). When creating a key, it will be transparent by default; to create an opaque key, call [`psa_set_key_lifetime`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1gac03ccf09ca6d36cc3d5b43f8303db6f7) to set the key's location to the chosen location value for the driver, e.g.

169
docs/use-psa-crypto.md
View File

@ -1,169 +0,0 @@
This document describes the compile-time configuration option
`MBEDTLS_USE_PSA_CRYPTO` from a user's perspective.
This option:
- makes the X.509 and TLS libraries use PSA for cryptographic operations as
much as possible, see "Internal changes" below;
- enables new APIs for using keys handled by PSA Crypto, such as
`mbedtls_pk_setup_opaque()` and `mbedtls_ssl_conf_psk_opaque()`, see
"New APIs / API extensions" below.
General considerations
----------------------
**Application code:** when this option is enabled, you need to call
`psa_crypto_init()` before calling any function from the SSL/TLS, X.509 or PK
modules, except for the various mbedtls_xxx_init() functions which can be called
at any time.
**Why enable this option:** to fully take advantage of PSA drivers in PK,
X.509 and TLS. For example, enabling this option is what allows use of drivers
for ECDSA, ECDH and EC J-PAKE in those modules. However, note that even with
this option disabled, some code in PK, X.509, TLS or the crypto library might
still use PSA drivers, if it can determine it's safe to do so; currently
that's the case for hashes.
**Relationship with other options:** This option depends on
`MBEDTLS_PSA_CRYPTO_C`. These two options differ in the following way:
- `MBEDTLS_PSA_CRYPTO_C` enables the implementation of the PSA Crypto API.
When it is enabled, `psa_xxx()` APIs are available and you must call
`psa_crypto_init()` before you call any other `psa_xxx()` function. Other
modules in the library (non-PSA crypto APIs, X.509, TLS) may or may not use
PSA Crypto but you're not required to call `psa_crypto_init()` before calling
non-PSA functions, unless explicitly documented (TLS 1.3).
- `MBEDTLS_USE_PSA_CRYPTO` means that X.509 and TLS will use PSA Crypto as
much as possible (that is, everywhere except for features that are not
supported by PSA Crypto, see "Internal Changes" below for a complete list of
exceptions). When it is enabled, you need to call `psa_crypto_init()` before
calling any function from PK, X.509 or TLS; however it doesn't change anything
for the rest of the library.
**Scope:** `MBEDTLS_USE_PSA_CRYPTO` has no effect on modules other than PK,
X.509 and TLS. It also has no effect on most of the TLS 1.3 code, which always
uses PSA crypto. The parts of the TLS 1.3 code that will use PSA Crypto or not
depending on this option being set or not are:
- record protection;
- running handshake hash;
- asymmetric signature verification & generation;
- X.509 certificate chain verification.
You need to enable `MBEDTLS_USE_PSA_CRYPTO` if you want TLS 1.3 to use PSA
everywhere.
**Historical note:** This option was introduced at a time when PSA Crypto was
still beta and not ready for production, so we made its use in X.509 and TLS
opt-in: by default, these modules would keep using the stable,
production-ready legacy (pre-PSA) crypto APIs. So, the scope of was X.509 and
TLS, as well as some of PK for technical reasons. Nowadays PSA Crypto is no
longer beta, and production quality, so there's no longer any reason to make
its use in other modules opt-in. However, PSA Crypto functions require that
`psa_crypto_init()` has been called before their use, and for backwards
compatibility reasons we can't impose this requirement on non-PSA functions
that didn't have such a requirement before. So, nowadays the main meaning of
`MBEDTLS_USE_PSA_CRYPTO` is that the user promises to call `psa_crypto_init()`
before calling any PK, X.509 or TLS functions. For the same compatibility
reasons, we can't extend its scope. However, new modules in the library, such
as TLS 1.3, can be introduced with a requirement to call `psa_crypto_init()`.
New APIs / API extensions
-------------------------
### PSA-held (opaque) keys in the PK layer
**New API function:** `mbedtls_pk_setup_opaque()` - can be used to
wrap a PSA key pair into a PK context. The key can be used for private-key
operations and its public part can be exported.
**Benefits:** isolation of long-term secrets, use of PSA Crypto drivers.
**Limitations:** please refer to the documentation of `mbedtls_pk_setup_opaque()`
for a full list of supported operations and limitations.
**Use in X.509 and TLS:** opt-in. The application needs to construct the PK context
using the new API in order to get the benefits; it can then pass the
resulting context to the following existing APIs:
- `mbedtls_ssl_conf_own_cert()` or `mbedtls_ssl_set_hs_own_cert()` to use the
key together with a certificate for certificate-based key exchanges;
- `mbedtls_x509write_csr_set_key()` to generate a CSR (certificate signature
request);
- `mbedtls_x509write_crt_set_issuer_key()` to generate a certificate.
### PSA-held (opaque) keys for TLS pre-shared keys (PSK)
**New API functions:** `mbedtls_ssl_conf_psk_opaque()` and
`mbedtls_ssl_set_hs_psk_opaque()`. Call one of these from an application to
register a PSA key for use with a PSK key exchange.
**Benefits:** isolation of long-term secrets.
**Limitations:** none.
**Use in TLS:** opt-in. The application needs to register the key using one of
the new APIs to get the benefits.
### PSA-held (opaque) keys for TLS 1.2 EC J-PAKE key exchange
**New API function:** `mbedtls_ssl_set_hs_ecjpake_password_opaque()`.
Call this function from an application to register a PSA key for use with the
TLS 1.2 EC J-PAKE key exchange.
**Benefits:** isolation of long-term secrets.
**Limitations:** none.
**Use in TLS:** opt-in. The application needs to register the key using one of
the new APIs to get the benefits.
### PSA-based operations in the Cipher layer
There is a new API function `mbedtls_cipher_setup_psa()` to set up a context
that will call PSA to store the key and perform the operations.
This function only worked for a small number of ciphers. It is now deprecated
and it is recommended to use `psa_cipher_xxx()` or `psa_aead_xxx()` functions
directly instead.
**Warning:** This function will be removed in a future version of Mbed TLS. If
you are using it and would like us to keep it, please let us know about your
use case.
Internal changes
----------------
All of these internal changes are active as soon as `MBEDTLS_USE_PSA_CRYPTO`
is enabled, no change required on the application side.
### TLS: most crypto operations based on PSA
Current exceptions:
- Finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA,
DHE-PSK).
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
the documentation of that option).
Other than the above exceptions, all crypto operations are based on PSA when
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
### X.509: most crypto operations based on PSA
Current exceptions:
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
the documentation of that option).
Other than the above exception, all crypto operations are based on PSA when
`MBEDTLS_USE_PSA_CRYPTO` is enabled.
### PK layer: most crypto operations based on PSA
Current exceptions:
- Verification of RSA-PSS signatures with an MGF hash that's different from
the message hash.
- Restartable operations when `MBEDTLS_ECP_RESTARTABLE` is also enabled (see
the documentation of that option).
Other than the above exceptions, all crypto operations are based on PSA when
`MBEDTLS_USE_PSA_CRYPTO` is enabled.

2
doxygen/input/doc_encdec.h
View File

@ -39,8 +39,6 @@
* and \c mbedtls_des3_crypt_cbc()).
* - GCM (AES-GCM and CAMELLIA-GCM) (see \c mbedtls_gcm_init())
* - Asymmetric:
* - Diffie-Hellman-Merkle (see \c mbedtls_dhm_read_public(), \c mbedtls_dhm_make_public()
* and \c mbedtls_dhm_calc_secret()).
* - RSA (see \c mbedtls_rsa_public() and \c mbedtls_rsa_private()).
* - Elliptic Curves over GF(p) (see \c mbedtls_ecp_point_init()).
* - Elliptic Curve Digital Signature Algorithm (ECDSA) (see \c mbedtls_ecdsa_init()).

2
framework

Submodule framework updated: ff4c33600a...1a83e0c84d

51
include/mbedtls/check_config.h
View File

@ -43,7 +43,6 @@
defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
@ -70,21 +69,11 @@
#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) && !defined(MBEDTLS_DHM_C)
#error "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) && \
!defined(MBEDTLS_CAN_ECDH)
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
( !defined(MBEDTLS_DHM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
@ -98,26 +87,12 @@
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
( !defined(PSA_WANT_ALG_JPAKE) || \
!defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
!defined(PSA_WANT_ECC_SECP_R1_256) )
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif
#else /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
( !defined(MBEDTLS_ECJPAKE_C) || \
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Use of EC J-PAKE in TLS requires SHA-256. */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
@ -174,20 +149,22 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
!(defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
#error "One or more versions of the TLS protocol are enabled " \
"but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
!(defined(PSA_WANT_ALG_SHA_1) || defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_512))
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_EARLY_DATA) && \
( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
@ -215,11 +192,6 @@
#error "MBEDTLS_SSL_ASYNC_PRIVATE defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && !(defined(MBEDTLS_CIPHER_C) || \
defined(MBEDTLS_USE_PSA_CRYPTO))
#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
#endif
/* TLS 1.2 and 1.3 require SHA-256 or SHA-384 (running handshake hash) */
#if defined(MBEDTLS_SSL_TLS_C) && \
!(defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384))
@ -294,11 +266,6 @@
#error "MBEDTLS_SSL_RENEGOTIATION defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_TICKET_C) && ( !defined(MBEDTLS_CIPHER_C) && \
!defined(MBEDTLS_USE_PSA_CRYPTO) )
#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_TICKET_C) && \
!( defined(PSA_WANT_ALG_CCM) || defined(PSA_WANT_ALG_GCM) || \
defined(PSA_WANT_ALG_CHACHA20_POLY1305) )
@ -321,15 +288,13 @@
#if defined(MBEDTLS_X509_USE_C) && \
(!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) || \
!defined(MBEDTLS_PK_PARSE_C) || \
( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) )
!defined(MBEDTLS_PK_PARSE_C))
#error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CREATE_C) && \
(!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) || \
!defined(MBEDTLS_PK_PARSE_C) || \
( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) )
!defined(MBEDTLS_PK_PARSE_C))
#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
#endif

3
include/mbedtls/config_adjust_ssl.h
View File

@ -61,12 +61,9 @@
#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
#undef MBEDTLS_SSL_RENEGOTIATION
#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

6
include/mbedtls/debug.h
View File

@ -108,16 +108,16 @@
*
* This module provides debugging functions.
*/
#if (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800)
#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900)
#include <inttypes.h>
#define MBEDTLS_PRINTF_SIZET PRIuPTR
#define MBEDTLS_PRINTF_LONGLONG "I64d"
#else \
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
/* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#define MBEDTLS_PRINTF_SIZET "zu"
#define MBEDTLS_PRINTF_LONGLONG "lld"
#endif \
/* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
/* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
#if !defined(MBEDTLS_PRINTF_MS_TIME)
#include <inttypes.h>

30
include/mbedtls/error.h
View File

@ -30,36 +30,6 @@ extern "C" {
*/
void mbedtls_strerror(int errnum, char *buffer, size_t buflen);
/**
* \brief Translate the high-level part of an Mbed TLS error code into a string
* representation.
*
* This function returns a const pointer to an un-modifiable string. The caller
* must not try to modify the string. It is intended to be used mostly for
* logging purposes.
*
* \param error_code error code
*
* \return The string representation of the error code, or \c NULL if the error
* code is unknown.
*/
const char *mbedtls_high_level_strerr(int error_code);
/**
* \brief Translate the low-level part of an Mbed TLS error code into a string
* representation.
*
* This function returns a const pointer to an un-modifiable string. The caller
* must not try to modify the string. It is intended to be used mostly for
* logging purposes.
*
* \param error_code error code
*
* \return The string representation of the error code, or \c NULL if the error
* code is unknown.
*/
const char *mbedtls_low_level_strerr(int error_code);
#ifdef __cplusplus
}
#endif

1588
include/mbedtls/mbedtls_config.h
View File

File diff suppressed because it is too large Load Diff

2
include/mbedtls/net_sockets.h
View File

@ -229,7 +229,7 @@ int mbedtls_net_recv(void *ctx, unsigned char *buf, size_t len);
/**
* \brief Write at most 'len' characters. If no error occurs,
* the actual amount read is returned.
* the actual amount written is returned.
*
* \param ctx Socket
* \param buf The buffer to read from

373
include/mbedtls/ssl.h
View File

@ -24,10 +24,6 @@
#include "mbedtls/x509_crl.h"
#endif
#if defined(MBEDTLS_DHM_C)
#include "mbedtls/dhm.h"
#endif
#include "mbedtls/md.h"
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED)
@ -169,6 +165,39 @@
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00
/** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
/* Error space gap */
/** Attempt to verify a certificate without an expected hostname.
* This is usually insecure.
*
* In TLS clients, when a client authenticates a server through its
* certificate, the client normally checks three things:
* - the certificate chain must be valid;
* - the chain must start from a trusted CA;
* - the certificate must cover the server name that is expected by the client.
*
* Omitting any of these checks is generally insecure, and can allow a
* malicious server to impersonate a legitimate server.
*
* The third check may be safely skipped in some unusual scenarios,
* such as networks where eavesdropping is a risk but not active attacks,
* or a private PKI where the client equally trusts all servers that are
* accredited by the root CA.
*
* You should call mbedtls_ssl_set_hostname() with the expected server name
* before starting a TLS handshake on a client (unless the client is
* set up to only use PSK-based authentication, which does not rely on the
* host name). If you have determined that server name verification is not
* required for security in your scenario, call mbedtls_ssl_set_hostname()
* with \p NULL as the server name.
*
* This error is raised if all of the following conditions are met:
*
* - A TLS client is configured with the authentication mode
* #MBEDTLS_SSL_VERIFY_REQUIRED (default).
* - Certificate authentication is enabled.
* - The client does not call mbedtls_ssl_set_hostname().
*/
#define MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME -0x5D80
/*
* Constants from RFC 8446 for TLS 1.3 PSK modes
@ -654,12 +683,6 @@
/* Dummy type used only for its size */
union mbedtls_ssl_premaster_secret {
unsigned char dummy; /* Make the union non-empty even with SSL disabled */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
unsigned char _pms_rsa[48]; /* RFC 5246 8.1.1 */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE]; /* RFC 5246 8.1.2 */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
@ -669,10 +692,6 @@ union mbedtls_ssl_premaster_secret {
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 2 */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
+ MBEDTLS_PSK_MAX_LEN]; /* RFC 4279 3 */
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
+ MBEDTLS_PSK_MAX_LEN]; /* RFC 5489 2 */
@ -690,6 +709,14 @@ union mbedtls_ssl_premaster_secret {
/* Length in number of bytes of the TLS sequence number */
#define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8
/* Helper to state that client_random and server_random need to be stored
* after the handshake is complete. This is required for context serialization
* and for the keying material exporter in TLS 1.2. */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || \
(defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) && defined(MBEDTLS_SSL_PROTO_TLS1_2))
#define MBEDTLS_SSL_KEEP_RANDBYTES
#endif
#ifdef __cplusplus
extern "C" {
#endif
@ -1013,71 +1040,6 @@ typedef int mbedtls_ssl_async_sign_t(mbedtls_ssl_context *ssl,
mbedtls_md_type_t md_alg,
const unsigned char *hash,
size_t hash_len);
/**
* \brief Callback type: start external decryption operation.
*
* This callback is called during an SSL handshake to start
* an RSA decryption operation using an
* external processor. The parameter \p cert contains
* the public key; it is up to the callback function to
* determine how to access the associated private key.
*
* This function typically sends or enqueues a request, and
* does not wait for the operation to complete. This allows
* the handshake step to be non-blocking.
*
* The parameters \p ssl and \p cert are guaranteed to remain
* valid throughout the handshake. On the other hand, this
* function must save the contents of \p input if the value
* is needed for later processing, because the \p input buffer
* is no longer valid after this function returns.
*
* This function may call mbedtls_ssl_set_async_operation_data()
* to store an operation context for later retrieval
* by the resume or cancel callback.
*
* \warning RSA decryption as used in TLS is subject to a potential
* timing side channel attack first discovered by Bleichenbacher
* in 1998. This attack can be remotely exploitable
* in practice. To avoid this attack, you must ensure that
* if the callback performs an RSA decryption, the time it
* takes to execute and return the result does not depend
* on whether the RSA decryption succeeded or reported
* invalid padding.
*
* \param ssl The SSL connection instance. It should not be
* modified other than via
* mbedtls_ssl_set_async_operation_data().
* \param cert Certificate containing the public key.
* In simple cases, this is one of the pointers passed to
* mbedtls_ssl_conf_own_cert() when configuring the SSL
* connection. However, if other callbacks are used, this
* property may not hold. For example, if an SNI callback
* is registered with mbedtls_ssl_conf_sni(), then
* this callback determines what certificate is used.
* \param input Buffer containing the input ciphertext. This buffer
* is no longer valid when the function returns.
* \param input_len Size of the \p input buffer in bytes.
*
* \return 0 if the operation was started successfully and the SSL
* stack should call the resume callback immediately.
* \return #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
* was started successfully and the SSL stack should return
* immediately without calling the resume callback yet.
* \return #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
* processor does not support this key. The SSL stack will
* use the private key object instead.
* \return Any other error indicates a fatal failure and is
* propagated up the call chain. The callback should
* use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
* use \c MBEDTLS_ERR_SSL_xxx error codes except as
* directed in the documentation of this callback.
*/
typedef int mbedtls_ssl_async_decrypt_t(mbedtls_ssl_context *ssl,
mbedtls_x509_crt *cert,
const unsigned char *input,
size_t input_len);
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/**
@ -1085,8 +1047,7 @@ typedef int mbedtls_ssl_async_decrypt_t(mbedtls_ssl_context *ssl,
*
* This callback is called during an SSL handshake to resume
* an external operation started by the
* ::mbedtls_ssl_async_sign_t or
* ::mbedtls_ssl_async_decrypt_t callback.
* ::mbedtls_ssl_async_sign_t callback.
*
* This function typically checks the status of a pending
* request or causes the request queue to make progress, and
@ -1302,7 +1263,7 @@ struct mbedtls_ssl_session {
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C)
char *ticket_alpn; /*!< ALPN negotiated in the session
char *MBEDTLS_PRIVATE(ticket_alpn); /*!< ALPN negotiated in the session
during which the ticket was generated. */
#endif
@ -1485,10 +1446,6 @@ struct mbedtls_ssl_config {
void(*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *);
void *MBEDTLS_PRIVATE(p_dbg); /*!< context for the debug function */
/** Callback for getting (pseudo-)random numbers */
int(*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t);
void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */
/** Callback to retrieve a session from the cache */
mbedtls_ssl_cache_get_t *MBEDTLS_PRIVATE(f_get_cache);
/** Callback to store a session into the cache */
@ -1552,7 +1509,6 @@ struct mbedtls_ssl_config {
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_async_sign_t *MBEDTLS_PRIVATE(f_async_sign_start); /*!< start asynchronous signature operation */
mbedtls_ssl_async_decrypt_t *MBEDTLS_PRIVATE(f_async_decrypt_start); /*!< start asynchronous decryption operation */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
mbedtls_ssl_async_resume_t *MBEDTLS_PRIVATE(f_async_resume); /*!< resume asynchronous operation */
mbedtls_ssl_async_cancel_t *MBEDTLS_PRIVATE(f_async_cancel); /*!< cancel asynchronous operation */
@ -1567,27 +1523,16 @@ struct mbedtls_ssl_config {
const uint16_t *MBEDTLS_PRIVATE(sig_algs); /*!< allowed signature algorithms */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */
#endif
const uint16_t *MBEDTLS_PRIVATE(group_list); /*!< allowed IANA NamedGroups */
#if defined(MBEDTLS_DHM_C)
mbedtls_mpi MBEDTLS_PRIVATE(dhm_P); /*!< prime modulus for DHM */
mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field
* should only be set via
* mbedtls_ssl_conf_psk_opaque().
* If either no PSK or a raw PSK have been
* configured, this has value \c 0.
*/
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should
* only be set via mbedtls_ssl_conf_psk().
* If either no PSK or an opaque PSK
@ -1655,10 +1600,6 @@ struct mbedtls_ssl_config {
unsigned int MBEDTLS_PRIVATE(badmac_limit); /*!< limit of records with a bad MAC */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
unsigned int MBEDTLS_PRIVATE(dhm_min_bitlen); /*!< min. bit length of the DHM prime */
#endif
/** User data pointer or handle.
*
* The library sets this to \p 0 when creating a context and does not
@ -1682,6 +1623,14 @@ struct mbedtls_ssl_context {
* Miscellaneous
*/
int MBEDTLS_PRIVATE(state); /*!< SSL handshake: current state */
/** Mask of `MBEDTLS_SSL_CONTEXT_FLAG_XXX`.
* See `mbedtls_ssl_context_flags_t` in ssl_misc.h.
*
* This field is not saved by mbedtls_ssl_session_save().
*/
uint32_t MBEDTLS_PRIVATE(flags);
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int MBEDTLS_PRIVATE(renego_status); /*!< Initial, in progress, pending? */
int MBEDTLS_PRIVATE(renego_records_seen); /*!< Records since renego request, or with DTLS,
@ -1808,6 +1757,8 @@ struct mbedtls_ssl_context {
size_t MBEDTLS_PRIVATE(in_hslen); /*!< current handshake message length,
including the handshake header */
size_t MBEDTLS_PRIVATE(in_hsfraglen); /*!< accumulated length of hs fragments
(up to in_hslen) */
int MBEDTLS_PRIVATE(nb_zero); /*!< # of 0-length encrypted messages */
int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message
@ -1987,6 +1938,17 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl);
* \note The PSA crypto subsystem must have been initialized by
* calling psa_crypto_init() before calling this function.
*
* \note After setting up a client context, if certificate-based
* authentication is enabled, you should call
* mbedtls_ssl_set_hostname() to specifiy the expected
* name of the server. Otherwise, if server authentication
* is required (which is the case by default) and the
* selected key exchange involves a certificate (i.e. is not
* based on a pre-shared key), the certificate authentication
* will fail. See
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more information.
*
* \param ssl SSL context
* \param conf SSL configuration to use
*
@ -2154,17 +2116,6 @@ void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
void *p_vrfy);
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/**
* \brief Set the random number generator callback
*
* \param conf SSL configuration
* \param f_rng RNG function (mandatory)
* \param p_rng RNG parameter
*/
void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
/**
* \brief Set the debug callback
*
@ -2881,17 +2832,10 @@ static inline uintptr_t mbedtls_ssl_get_user_data_n(
* external processor does not support any signature
* operation; in this case the private key object
* associated with the certificate will be used.
* \param f_async_decrypt Callback to start a decryption operation. See
* the description of ::mbedtls_ssl_async_decrypt_t
* for more information. This may be \c NULL if the
* external processor does not support any decryption
* operation; in this case the private key object
* associated with the certificate will be used.
* \param f_async_resume Callback to resume an asynchronous operation. See
* the description of ::mbedtls_ssl_async_resume_t
* for more information. This may not be \c NULL unless
* \p f_async_sign and \p f_async_decrypt are both
* \c NULL.
* \p f_async_sign is \c NULL.
* \param f_async_cancel Callback to cancel an asynchronous operation. See
* the description of ::mbedtls_ssl_async_cancel_t
* for more information. This may be \c NULL if
@ -2903,7 +2847,6 @@ static inline uintptr_t mbedtls_ssl_get_user_data_n(
*/
void mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config *conf,
mbedtls_ssl_async_sign_t *f_async_sign,
mbedtls_ssl_async_decrypt_t *f_async_decrypt,
mbedtls_ssl_async_resume_t *f_async_resume,
mbedtls_ssl_async_cancel_t *f_async_cancel,
void *config_data);
@ -3636,7 +3579,6 @@ int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
const unsigned char *psk, size_t psk_len,
const unsigned char *psk_identity, size_t psk_identity_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/**
* \brief Configure one or more opaque pre-shared keys (PSKs) and
* their identities to be used in PSK-based ciphersuites.
@ -3678,7 +3620,6 @@ int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
mbedtls_svc_key_id_t psk,
const unsigned char *psk_identity,
size_t psk_identity_len);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/**
* \brief Set the pre-shared Key (PSK) for the current handshake.
@ -3699,7 +3640,6 @@ int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
const unsigned char *psk, size_t psk_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/**
* \brief Set an opaque pre-shared Key (PSK) for the current handshake.
*
@ -3722,7 +3662,6 @@ int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
*/
int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
mbedtls_svc_key_id_t psk);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SRV_C)
/**
@ -3770,97 +3709,6 @@ void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Set the Diffie-Hellman public P and G values
* from big-endian binary presentations.
* (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
*
* \param conf SSL configuration
* \param dhm_P Diffie-Hellman-Merkle modulus in big-endian binary form
* \param P_len Length of DHM modulus
* \param dhm_G Diffie-Hellman-Merkle generator in big-endian binary form
* \param G_len Length of DHM generator
*
* \return 0 if successful
*/
int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
const unsigned char *dhm_P, size_t P_len,
const unsigned char *dhm_G, size_t G_len);
/**
* \brief Set the Diffie-Hellman public P and G values,
* read from existing context (server-side only)
*
* \param conf SSL configuration
* \param dhm_ctx Diffie-Hellman-Merkle context
*
* \return 0 if successful
*/
int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx);
#endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
/**
* \brief Set the minimum length for Diffie-Hellman parameters.
* (Client-side only.)
* (Default: 1024 bits.)
*
* \param conf SSL configuration
* \param bitlen Minimum bit length of the DHM prime
*/
void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
unsigned int bitlen);
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_ECP_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/**
* \brief Set the allowed curves in order of preference.
*
* On server: this only affects selection of the ECDHE curve;
* the curves used for ECDH and ECDSA are determined by the
* list of available certificates instead.
*
* On client: this affects the list of curves offered for any
* use. The server can override our preference order.
*
* Both sides: limits the set of curves accepted for use in
* ECDHE and in the peer's end-entity certificate.
*
* \deprecated Superseded by mbedtls_ssl_conf_groups().
*
* \note This has no influence on which curves are allowed inside the
* certificate chains, see \c mbedtls_ssl_conf_cert_profile()
* for that. For the end-entity certificate however, the key
* will be accepted only if it is allowed both by this list
* and by the cert profile.
*
* \note This list should be ordered by decreasing preference
* (preferred curve first).
*
* \note The default list is the same set of curves that
* #mbedtls_x509_crt_profile_default allows, plus
* ECDHE-only curves selected according to the same criteria.
* The order favors curves with the lowest resource usage.
*
* \note New minor versions of Mbed TLS may extend this list,
* for example if new curves are added to the library.
* New minor versions of Mbed TLS will not remove items
* from this list unless serious security concerns require it.
* New minor versions of Mbed TLS may change the order in
* keeping with the general principle of favoring the lowest
* resource usage.
*
* \param conf SSL configuration
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
*/
void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
const mbedtls_ecp_group_id *curves);
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECP_C */
/**
* \brief Set the allowed groups in order of preference.
*
@ -3872,13 +3720,6 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
* Both sides: limits the set of groups accepted for use in
* key sharing.
*
* \note This function replaces the deprecated mbedtls_ssl_conf_curves(),
* which only allows ECP curves to be configured.
*
* \note The most recent invocation of either mbedtls_ssl_conf_curves()
* or mbedtls_ssl_conf_groups() nullifies all previous invocations
* of both.
*
* \note This list should be ordered by decreasing preference
* (preferred group first).
*
@ -3957,16 +3798,29 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Set or reset the hostname to check against the received
* server certificate. It sets the ServerName TLS extension,
* too, if that extension is enabled. (client-side only)
* peer certificate. On a client, this also sets the
* ServerName TLS extension, if that extension is enabled.
* On a TLS 1.3 client, this also sets the server name in
* the session resumption ticket, if that feature is enabled.
*
* \param ssl SSL context
* \param hostname the server hostname, may be NULL to clear hostname
* \note Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
* \param hostname The server hostname. This may be \c NULL to clear
* the hostname.
*
* \return 0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
* allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* \note Maximum hostname length #MBEDTLS_SSL_MAX_HOST_NAME_LEN.
*
* \note If the hostname is \c NULL on a client, then the server
* is not authenticated: it only needs to have a valid
* certificate, not a certificate matching its name.
* Therefore you should always call this function on a client,
* unless the connection is set up to only allow
* pre-shared keys, or in scenarios where server
* impersonation is not a concern. See the documentation of
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more details.
*
* \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
* allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* too long input hostname.
*
* Hostname set to the one provided on success (cleared
@ -4430,6 +4284,10 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
* with \c mbedtls_ssl_read()), not handshake messages.
* With DTLS, this affects both ApplicationData and handshake.
*
* \note Defragmentation of TLS handshake messages is supported
* with some limitations. See the documentation of
* mbedtls_ssl_handshake() for details.
*
* \note This sets the maximum length for a record's payload,
* excluding record overhead that will be added to it, see
* \c mbedtls_ssl_get_record_expansion().
@ -4919,6 +4777,24 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
* currently being processed might or might not contain further
* DTLS records.
*
* \note In TLS, reception of fragmented handshake messages is
* supported with some limitations (those limitations do
* not apply to DTLS, where defragmentation is fully
* supported):
* - On an Mbed TLS server that only accepts TLS 1.2,
* the initial ClientHello message must not be fragmented.
* A TLS 1.2 ClientHello may be fragmented if the server
* also accepts TLS 1.3 connections (meaning
* that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the
* accepted versions have not been restricted with
* mbedtls_ssl_conf_max_tls_version() or the like).
* - The first fragment of a handshake message must be
* at least 4 bytes long.
* - Non-handshake records must not be interleaved between
* the fragments of a handshake message. (This is permitted
* in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it
* even in TLS 1.2.)
*
* \note The PSA crypto subsystem must have been initialized by
* calling psa_crypto_init() before calling this function.
*/
@ -5585,6 +5461,41 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen);
#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/* Maximum value for key_len in mbedtls_ssl_export_keying material. Depending on the TLS
* version and the negotiated ciphersuite, larger keys could in principle be exported,
* but for simplicity, we define one limit that works in all cases. TLS 1.3 with SHA256
* has the strictest limit: 255 blocks of SHA256 output, or 8160 bytes. */
#define MBEDTLS_SSL_EXPORT_MAX_KEY_LEN 8160
/**
* \brief TLS-Exporter to derive shared symmetric keys between server and client.
*
* \param ssl SSL context from which to export keys. Must have finished the handshake.
* \param out Output buffer of length at least key_len bytes.
* \param key_len Length of the key to generate in bytes, must be at most
* MBEDTLS_SSL_EXPORT_MAX_KEY_LEN (8160).
* \param label Label for which to generate the key of length label_len.
* \param label_len Length of label in bytes. Must be at most 249 in TLS 1.3.
* \param context Context of the key. Can be NULL if context_len or use_context is 0.
* \param context_len Length of context. Must be < 2^16 in TLS 1.2.
* \param use_context Indicates if a context should be used in deriving the key.
*
* \note TLS 1.2 makes a distinction between a 0-length context and no context.
* This is why the use_context argument exists. TLS 1.3 does not make
* this distinction. If use_context is 0 and TLS 1.3 is used, context and
* context_len are ignored and a 0-length context is used.
*
* \return 0 on success.
* \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed.
* \return An SSL-specific error on failure.
*/
int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
uint8_t *out, const size_t key_len,
const char *label, const size_t label_len,
const unsigned char *context, const size_t context_len,
const int use_context);
#endif
#ifdef __cplusplus
}
#endif

110
include/mbedtls/ssl_ciphersuites.h
View File

@ -24,62 +24,19 @@ extern "C" {
/*
* Supported ciphersuites (Official IANA names)
*/
#define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 0x2D /**< Weak! */
#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 0x2F
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x33
#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 0x35
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x39
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA256 0x3B /**< Weak! */
#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 0x3C /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x41
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x45
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x67 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x6B /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 0x8C
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 0x8D
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x90
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x91
#define MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 0x9C /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 0x9D /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x9E /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x9F /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 0xA8 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 0xA9 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 0xAA /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 0xAB /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 0xAE
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 0xAF
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA256 0xB0 /**< Weak! */
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA384 0xB1 /**< Weak! */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 0xB2
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 0xB3
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 0xB4 /**< Weak! */
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 0xB5 /**< Weak! */
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBA /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC0 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 /**< Weak! */
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005
@ -122,10 +79,6 @@ extern "C" {
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B
#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */
@ -134,10 +87,6 @@ extern "C" {
#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */
@ -148,12 +97,8 @@ extern "C" {
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 /**< TLS 1.2 */
@ -166,10 +111,6 @@ extern "C" {
#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC078
#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC079
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07A /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07B /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07C /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07D /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC088 /**< TLS 1.2 */
@ -181,32 +122,16 @@ extern "C" {
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC08E /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC08F /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC090 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC091 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC094
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC095
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC096
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC097
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B
#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM 0xC09C /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM 0xC09D /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8 0xC0A0 /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8 0xC0A1 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM 0xC0A4 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM 0xC0A5 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM 0xC0A6 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM 0xC0A7 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 0xC0A8 /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8 0xC0A9 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8 0xC0AA /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8 0xC0AB /**< TLS 1.2 */
/* The last two are named with PSK_DHE in the RFC, which looks like a typo */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC /**< TLS 1.2 */
@ -219,10 +144,8 @@ extern "C" {
/* RFC 7905 */
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA /**< TLS 1.2 */
#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB /**< TLS 1.2 */
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC /**< TLS 1.2 */
#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */
/* RFC 8446, Appendix B.4 */
#define MBEDTLS_TLS1_3_AES_128_GCM_SHA256 0x1301 /**< TLS 1.3 */
@ -236,12 +159,9 @@ extern "C" {
*/
typedef enum {
MBEDTLS_KEY_EXCHANGE_NONE = 0,
MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
@ -249,9 +169,7 @@ typedef enum {
} mbedtls_key_exchange_type_t;
/* Key exchanges using a certificate */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
@ -297,8 +215,7 @@ typedef enum {
#endif
/* Key exchanges involving server signature in ServerKeyExchange */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#define MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED
#endif
@ -310,16 +227,13 @@ typedef enum {
#endif
/* Key exchanges that don't involve ephemeral keys */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
#define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED
#endif
/* Key exchanges that involve ephemeral keys */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@ -328,17 +242,10 @@ typedef enum {
/* Key exchanges using a PSK */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#define MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
#endif
/* Key exchanges using DHE */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#define MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED
#endif
/* Key exchanges using ECDHE */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
@ -382,19 +289,12 @@ typedef enum {
#define MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED
#endif
/* TLS 1.2 XXDH key exchanges: ECDH or ECDHE or FFDH */
#if (defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED))
#define MBEDTLS_KEY_EXCHANGE_SOME_XXDH_1_2_ENABLED
#endif
/* The handshake params structure has a set of fields called xxdh_psa which are used:
* - by TLS 1.2 to do ECDH or ECDHE;
* - by TLS 1.3 to do ECDHE or FFDHE.
* The following macros can be used to guard their declaration and use.
*/
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
#define MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_1_2_ENABLED
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_1_2_ENABLED) || \

18
include/mbedtls/ssl_cookie.h
View File

@ -15,11 +15,6 @@
#include "mbedtls/ssl.h"
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_THREADING_C)
#include "mbedtls/threading.h"
#endif
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/**
* \name SECTION: Module settings
@ -42,23 +37,14 @@ extern "C" {
* \brief Context for the default cookie functions.
*/
typedef struct mbedtls_ssl_cookie_ctx {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psa_hmac_key); /*!< key id for the HMAC portion */
psa_algorithm_t MBEDTLS_PRIVATE(psa_hmac_alg); /*!< key algorithm for the HMAC portion */
#else
mbedtls_md_context_t MBEDTLS_PRIVATE(hmac_ctx); /*!< context for the HMAC portion */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_HAVE_TIME)
unsigned long MBEDTLS_PRIVATE(serial); /*!< serial number for expiration */
#endif
unsigned long MBEDTLS_PRIVATE(timeout); /*!< timeout delay, in seconds if HAVE_TIME,
or in number of tickets issued */
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_THREADING_C)
mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
#endif
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} mbedtls_ssl_cookie_ctx;
/**
@ -69,9 +55,7 @@ void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx);
/**
* \brief Setup cookie context (generate keys)
*/
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx);
/**
* \brief Set expiration delay for cookies

19
include/mbedtls/ssl_ticket.h
View File

@ -20,15 +20,12 @@
*/
#include "mbedtls/ssl.h"
#include "mbedtls/cipher.h"
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#endif
#if defined(MBEDTLS_THREADING_C)
#include "mbedtls/threading.h"
@ -54,14 +51,10 @@ typedef struct mbedtls_ssl_ticket_key {
* tickets created under that key.
*/
uint32_t MBEDTLS_PRIVATE(lifetime);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */
#else
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(key); /*!< key used for auth enc/decryption */
psa_algorithm_t MBEDTLS_PRIVATE(alg); /*!< algorithm of auth enc/decryption */
psa_key_type_t MBEDTLS_PRIVATE(key_type); /*!< key type */
size_t MBEDTLS_PRIVATE(key_bits); /*!< key length in bits */
#endif
}
mbedtls_ssl_ticket_key;
@ -75,8 +68,6 @@ typedef struct mbedtls_ssl_ticket_context {
uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< lifetime of tickets in seconds */
/** Callback for getting (pseudo-)random numbers */
int(*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t);
void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */
#if defined(MBEDTLS_THREADING_C)
mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
@ -97,10 +88,9 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
* \brief Prepare context to be actually used
*
* \param ctx Context to be set up
* \param f_rng RNG callback function (mandatory)
* \param p_rng RNG callback context
* \param cipher AEAD cipher to use for ticket protection.
* Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
* \param alg AEAD cipher to use for ticket protection.
* \param key_type Cryptographic key type to use.
* \param key_bits Cryptographic key size to use in bits.
* \param lifetime Tickets lifetime in seconds
* Recommended value: 86400 (one day).
*
@ -122,8 +112,7 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
* or a specific MBEDTLS_ERR_XXX error code
*/
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime);
/**

37
include/mbedtls/x509_crt.h
View File

@ -943,28 +943,6 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx);
*/
void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version);
#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
/**
* \brief Set the serial number for a Certificate.
*
* \deprecated This function is deprecated and will be removed in a
* future version of the library. Please use
* mbedtls_x509write_crt_set_serial_raw() instead.
*
* \note Even though the MBEDTLS_BIGNUM_C guard looks redundant since
* X509 depends on PK and PK depends on BIGNUM, this emphasizes
* a direct dependency between X509 and BIGNUM which is going
* to be deprecated in the future.
*
* \param ctx CRT context to use
* \param serial serial number to set
*
* \return 0 if successful
*/
int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial(
mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial);
#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
/**
* \brief Set the serial number for a Certificate.
*
@ -1162,17 +1140,11 @@ void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx);
* \param ctx certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function. This must not be \c NULL.
* \param p_rng RNG parameter
*
* \return length of data written if successful, or a specific
* error code
*
* \note \p f_rng is used for the signature operation.
*/
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
#if defined(MBEDTLS_PEM_WRITE_C)
/**
@ -1181,16 +1153,11 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, s
* \param ctx certificate to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function. This must not be \c NULL.
* \param p_rng RNG parameter
*
* \return 0 if successful, or a specific error code
*
* \note \p f_rng is used for the signature operation.
*/
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size);
#endif /* MBEDTLS_PEM_WRITE_C */
#endif /* MBEDTLS_X509_CRT_WRITE_C */

14
include/mbedtls/x509_csr.h
View File

@ -337,17 +337,12 @@ void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx);
* \param ctx CSR to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function. This must not be \c NULL.
* \param p_rng RNG parameter
*
* \return length of data written if successful, or a specific
* error code
*
* \note \p f_rng is used for the signature operation.
*/
int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
#if defined(MBEDTLS_PEM_WRITE_C)
/**
@ -357,16 +352,11 @@ int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, si
* \param ctx CSR to write away
* \param buf buffer to write to
* \param size size of the buffer
* \param f_rng RNG function. This must not be \c NULL.
* \param p_rng RNG parameter
*
* \return 0 if successful, or a specific error code
*
* \note \p f_rng is used for the signature operation.
*/
int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size);
#endif /* MBEDTLS_PEM_WRITE_C */
#endif /* MBEDTLS_X509_CSR_WRITE_C */

2
library/Makefile
View File

@ -113,7 +113,6 @@ OBJS_CRYPTO= \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_client.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_se.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_slot_management.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_storage.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_its_file.o \
@ -139,7 +138,6 @@ OBJS_CRYPTO= \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/dhm.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \

574
library/ssl_ciphersuites.c
View File

@ -16,9 +16,7 @@
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
#endif
#include <string.h>
@ -51,123 +49,75 @@ static const int ciphersuite_preference[] =
/* Chacha-Poly ephemeral suites */
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
/* All AES-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
/* All CAMELLIA-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
/* All ARIA-256 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
/* All AES-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
/* All CAMELLIA-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
/* All ARIA-128 ephemeral suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
/* The PSK ephemeral suites */
MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
/* The ECJPAKE suite */
MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
/* All AES-256 suites */
MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
/* All CAMELLIA-256 suites */
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
@ -176,28 +126,18 @@ static const int ciphersuite_preference[] =
/* All ARIA-256 suites */
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
/* All AES-128 suites */
MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
/* All CAMELLIA-128 suites */
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
@ -206,10 +146,8 @@ static const int ciphersuite_preference[] =
/* All ARIA-128 suites */
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
/* The PSK suites */
MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
@ -239,13 +177,7 @@ static const int ciphersuite_preference[] =
MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
MBEDTLS_TLS_RSA_WITH_NULL_SHA,
MBEDTLS_TLS_RSA_WITH_NULL_MD5,
MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
@ -318,14 +250,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
{ MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
{ MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
@ -342,14 +266,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
{ MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 &&
PSA_WANT_ALG_SHA_256 &&
MBEDTLS_SSL_PROTO_TLS1_2 */
@ -551,225 +467,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_384) && \
defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_384) && \
defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 && PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(PSA_WANT_ALG_GCM)
{ MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
{ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#endif /* PSA_WANT_ALG_SHA_1 */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_SHA_1)
@ -1051,107 +748,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_CCM)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_SHORT_TAG,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_CCM */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
#if defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* PSA_WANT_ALG_GCM */
#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#if defined(PSA_WANT_KEY_TYPE_AES)
@ -1218,29 +814,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(PSA_WANT_ALG_MD5)
{ MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
@ -1264,29 +837,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_1 */
#if defined(PSA_WANT_ALG_SHA_256)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if defined(PSA_WANT_ALG_SHA_384)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_CIPHERSUITE_WEAK,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif /* PSA_WANT_ALG_SHA_384 */
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#if defined(PSA_WANT_ALG_SHA_1)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
@ -1313,41 +863,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(PSA_WANT_KEY_TYPE_ARIA)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-RSA-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
@ -1544,76 +1059,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
"TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
"TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
"TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
defined(PSA_WANT_ALG_SHA_256))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
"TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
0,
MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 },
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#endif /* PSA_WANT_KEY_TYPE_ARIA */
@ -1732,7 +1177,6 @@ int mbedtls_ssl_get_ciphersuite_id(const char *ciphersuite_name)
size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t key_type;
psa_algorithm_t alg;
@ -1747,20 +1191,12 @@ size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersui
}
return key_bits;
#else
const mbedtls_cipher_info_t * const cipher_info =
mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) info->cipher);
return mbedtls_cipher_info_get_key_bitlen(cipher_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA;
@ -1776,13 +1212,9 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphe
}
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
return PSA_ALG_RSA_PKCS1V15_CRYPT;
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return PSA_ALG_RSA_PKCS1V15_SIGN(
mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac));
@ -1802,9 +1234,6 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
return PSA_KEY_USAGE_DECRYPT;
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return PSA_KEY_USAGE_SIGN_HASH;
@ -1817,12 +1246,10 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c
return 0;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return MBEDTLS_PK_RSA;
@ -1863,7 +1290,6 @@ int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_PSK:
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
return 1;

24
library/ssl_ciphersuites_internal.h
View File

@ -14,10 +14,8 @@
#if defined(MBEDTLS_PK_C)
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_ciphersuite_t *info);
psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_ciphersuite_t *info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
#endif /* MBEDTLS_PK_C */
@ -28,8 +26,6 @@ int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
@ -48,7 +44,6 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_PSK:
return 1;
@ -75,8 +70,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuit
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
@ -91,8 +84,6 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_cip
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
@ -104,20 +95,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_cipher
}
}
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
return 1;
default:
return 0;
}
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
{
@ -138,7 +115,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
const mbedtls_ssl_ciphersuite_t *info)
{
switch (info->MBEDTLS_PRIVATE(key_exchange)) {
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return 1;

9
library/ssl_client.c
View File

@ -222,7 +222,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
unsigned char *p = buf;
unsigned char *named_group_list; /* Start of named_group_list */
size_t named_group_list_len; /* Length of named_group_list */
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
*out_len = 0;
@ -725,8 +725,7 @@ static int ssl_generate_random(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_HAVE_TIME */
}
ret = ssl->conf->f_rng(ssl->conf->p_rng,
randbytes + gmt_unix_time_len,
ret = psa_generate_random(randbytes + gmt_unix_time_len,
MBEDTLS_CLIENT_HELLO_RANDOM_LEN - gmt_unix_time_len);
return ret;
}
@ -867,8 +866,8 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl)
if (session_id_len != session_negotiate->id_len) {
session_negotiate->id_len = session_id_len;
if (session_id_len > 0) {
ret = ssl->conf->f_rng(ssl->conf->p_rng,
session_negotiate->id,
ret = psa_generate_random(session_negotiate->id,
session_id_len);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "creating session id failed", ret);

134
library/ssl_cookie.c
View File

@ -22,7 +22,6 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
@ -33,7 +32,6 @@ static int local_err_translation(psa_status_t status)
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
* If DTLS is in use, then at least one of SHA-256 or SHA-384 is
@ -59,21 +57,12 @@ static int local_err_translation(psa_status_t status)
void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->psa_hmac_key = MBEDTLS_SVC_KEY_ID_INIT;
#else
mbedtls_md_init(&ctx->hmac_ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_HAVE_TIME)
ctx->serial = 0;
#endif
ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_init(&ctx->mutex);
#endif
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
}
void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long delay)
@ -87,30 +76,17 @@ void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->psa_hmac_key);
#else
mbedtls_md_free(&ctx->hmac_ctx);
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free(&ctx->mutex);
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ssl_cookie_ctx));
}
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t alg;
(void) f_rng;
(void) p_rng;
alg = mbedtls_md_psa_alg_from_type(COOKIE_MD);
if (alg == 0) {
@ -130,57 +106,10 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
&ctx->psa_hmac_key)) != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char key[COOKIE_MD_OUTLEN];
if ((ret = f_rng(p_rng, key, sizeof(key))) != 0) {
return ret;
}
ret = mbedtls_md_setup(&ctx->hmac_ctx, mbedtls_md_info_from_type(COOKIE_MD), 1);
if (ret != 0) {
return ret;
}
ret = mbedtls_md_hmac_starts(&ctx->hmac_ctx, key, sizeof(key));
if (ret != 0) {
return ret;
}
mbedtls_platform_zeroize(key, sizeof(key));
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return 0;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/*
* Generate the HMAC part of a cookie
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_cookie_hmac(mbedtls_md_context_t *hmac_ctx,
const unsigned char time[4],
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len)
{
unsigned char hmac_out[COOKIE_MD_OUTLEN];
MBEDTLS_SSL_CHK_BUF_PTR(*p, end, COOKIE_HMAC_LEN);
if (mbedtls_md_hmac_reset(hmac_ctx) != 0 ||
mbedtls_md_hmac_update(hmac_ctx, time, 4) != 0 ||
mbedtls_md_hmac_update(hmac_ctx, cli_id, cli_id_len) != 0 ||
mbedtls_md_hmac_finish(hmac_ctx, hmac_out) != 0) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
memcpy(*p, hmac_out, COOKIE_HMAC_LEN);
*p += COOKIE_HMAC_LEN;
return 0;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/*
* Generate cookie for DTLS ClientHello verification
@ -189,11 +118,9 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
#endif
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long t;
@ -213,7 +140,6 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
MBEDTLS_PUT_UINT32_BE(t, *p, 0);
*p += 4;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) {
@ -243,31 +169,12 @@ int mbedtls_ssl_cookie_write(void *p_ctx,
*p += COOKIE_HMAC_LEN;
ret = 0;
#else
#if defined(MBEDTLS_THREADING_C)
if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
}
#endif
ret = ssl_cookie_hmac(&ctx->hmac_ctx, *p - 4,
p, end, cli_id, cli_id_len);
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
MBEDTLS_ERR_THREADING_MUTEX_ERROR);
}
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret;
}
@ -278,13 +185,8 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
const unsigned char *cookie, size_t cookie_len,
const unsigned char *cli_id, size_t cli_id_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#else
unsigned char ref_hmac[COOKIE_HMAC_LEN];
unsigned char *p = ref_hmac;
#endif
int ret = 0;
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
unsigned long cur_time, cookie_time;
@ -297,7 +199,6 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
return -1;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_verify_setup(&operation, ctx->psa_hmac_key,
ctx->psa_hmac_alg);
if (status != PSA_SUCCESS) {
@ -326,35 +227,6 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
}
ret = 0;
#else
#if defined(MBEDTLS_THREADING_C)
if ((ret = mbedtls_mutex_lock(&ctx->mutex)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret);
}
#endif
if (ssl_cookie_hmac(&ctx->hmac_ctx, cookie,
&p, p + sizeof(ref_hmac),
cli_id, cli_id_len) != 0) {
ret = -1;
}
#if defined(MBEDTLS_THREADING_C)
if (mbedtls_mutex_unlock(&ctx->mutex) != 0) {
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_SSL_INTERNAL_ERROR,
MBEDTLS_ERR_THREADING_MUTEX_ERROR);
}
#endif
if (ret != 0) {
goto exit;
}
if (mbedtls_ct_memcmp(cookie + 4, ref_hmac, sizeof(ref_hmac)) != 0) {
ret = -1;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_HAVE_TIME)
cur_time = (unsigned long) mbedtls_time(NULL);
@ -370,14 +242,10 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
}
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_abort(&operation);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#else
mbedtls_platform_zeroize(ref_hmac, sizeof(ref_hmac));
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ret;
}
#endif /* MBEDTLS_SSL_COOKIE_C */

188
library/ssl_misc.h
View File

@ -16,12 +16,14 @@
#include "mbedtls/error.h"
#include "mbedtls/ssl.h"
#include "mbedtls/debug.h"
#include "debug_internal.h"
#include "mbedtls/cipher.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#endif
extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
#if defined(PSA_WANT_ALG_MD5)
#include "mbedtls/md5.h"
@ -39,11 +41,6 @@
#include "mbedtls/sha512.h"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
!defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/ecjpake.h"
#endif
#include "mbedtls/pk.h"
#include "ssl_ciphersuites_internal.h"
#include "x509_internal.h"
@ -57,6 +54,22 @@
#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
#endif
/** Flag values for mbedtls_ssl_context::flags. */
typedef enum {
/** Set if mbedtls_ssl_set_hostname() has been called. */
MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET = 1,
} mbedtls_ssl_context_flags_t;
/** Flags from ::mbedtls_ssl_context_flags_t to keep in
* mbedtls_ssl_session_reset().
*
* The flags that are in this list are kept until explicitly updated or
* until mbedtls_ssl_free(). The flags that are not listed here are
* reset to 0 in mbedtls_ssl_session_reset().
*/
#define MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION \
(MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET)
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
@ -769,16 +782,6 @@ struct mbedtls_ssl_handshake_params {
const uint16_t *sig_algs;
#endif
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
#endif
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#endif /* !MBEDTLS_USE_PSA_CRYPTO &&
MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
psa_key_type_t xxdh_psa_type;
size_t xxdh_psa_bits;
@ -789,13 +792,9 @@ struct mbedtls_ssl_handshake_params {
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
mbedtls_svc_key_id_t psa_pake_password;
uint8_t psa_pake_ctx_is_ok;
#else
mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_CLI_C)
unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
size_t ecjpake_cache_len; /*!< Length of cached data */
@ -809,13 +808,8 @@ struct mbedtls_ssl_handshake_params {
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
uint8_t psk_opaque_is_internal;
#else
unsigned char *psk; /*!< PSK from the callback */
size_t psk_len; /*!< Length of PSK from callback */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
uint16_t selected_identity;
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
@ -923,18 +917,10 @@ struct mbedtls_ssl_handshake_params {
* Checksum contexts
*/
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_operation_t fin_sha256_psa;
#else
mbedtls_md_context_t fin_sha256;
#endif
#endif
#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_operation_t fin_sha384_psa;
#else
mbedtls_md_context_t fin_sha384;
#endif
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@ -1018,7 +1004,6 @@ struct mbedtls_ssl_handshake_params {
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/** Asynchronous operation context. This field is meant for use by the
* asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
* mbedtls_ssl_config::f_async_decrypt_start,
* mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
* The library does not use it internally. */
void *user_async_ctx;
@ -1129,14 +1114,9 @@ struct mbedtls_ssl_transform {
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
#else
mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int encrypt_then_mac; /*!< flag for EtM activation */
@ -1146,14 +1126,9 @@ struct mbedtls_ssl_transform {
mbedtls_ssl_protocol_version tls_version;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
psa_algorithm_t psa_alg; /*!< psa algorithm */
#else
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
uint8_t in_cid_len;
@ -1162,14 +1137,15 @@ struct mbedtls_ssl_transform {
unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
/* We need the Hello random bytes in order to re-derive keys from the
* Master Secret and other session info,
* see ssl_tls12_populate_transform() */
* Master Secret and other session info and for the keying material
* exporter in TLS 1.2.
* See ssl_tls12_populate_transform() */
unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
/*!< ServerHello.random+ClientHello.random */
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
#endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
};
/*
@ -1332,12 +1308,30 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_DEBUG_C)
/* Declared in "ssl_debug_helpers.h". We can't include this file from
* "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
* type definitions. TODO: split the type definitions and the helper
* functions into different headers.
*/
const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
#endif
static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
mbedtls_ssl_states state)
{
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
ssl->state, mbedtls_ssl_states_str(ssl->state),
(int) state, mbedtls_ssl_states_str(state)));
ssl->state = (int) state;
}
static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
}
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
@ -1498,20 +1492,11 @@ int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
unsigned hs_type,
size_t total_hs_len);
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
mbedtls_key_exchange_type_t key_ex);
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/**
* Get the first defined opaque PSK by order of precedence:
* 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
@ -1532,31 +1517,6 @@ static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
return MBEDTLS_SVC_KEY_ID_INIT;
}
#else
/**
* Get the first defined PSK by order of precedence:
* 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
* 2. static PSK configured by \c mbedtls_ssl_conf_psk()
* Return a code and update the pair (PSK, PSK length) passed to this function
*/
static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
const unsigned char **psk, size_t *psk_len)
{
if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
*psk = ssl->handshake->psk;
*psk_len = ssl->handshake->psk_len;
} else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
*psk = ssl->conf->psk;
*psk_len = ssl->conf->psk_len;
} else {
*psk = NULL;
*psk_len = 0;
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
@ -1799,9 +1759,7 @@ void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
mbedtls_record *rec);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
mbedtls_ssl_transform *transform,
@ -1829,10 +1787,11 @@ void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform);
void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
@ -2267,30 +2226,6 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
size_t dst_len,
size_t *olen);
/*
* Return supported groups.
*
* In future, invocations can be changed to ssl->conf->group_list
* when mbedtls_ssl_conf_curves() is deleted.
*
* ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
* identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
* ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
*
*/
static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
return ssl->conf->group_list;
#else
if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
return ssl->handshake->group_list;
} else {
return ssl->conf->group_list;
}
#endif
}
/*
* Helper functions for NamedGroup.
*/
@ -2333,7 +2268,7 @@ static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
static inline int mbedtls_ssl_named_group_is_offered(
const mbedtls_ssl_context *ssl, uint16_t named_group)
{
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
if (group_list == NULL) {
return 0;
@ -2627,7 +2562,6 @@ static inline int mbedtls_ssl_sig_alg_is_supported(
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
/* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
* Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
* guaranteed to not be a valid PSA algorithm identifier.
@ -2688,10 +2622,8 @@ static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t stat
}
}
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
typedef enum {
MBEDTLS_ECJPAKE_ROUND_ONE,
@ -2734,7 +2666,7 @@ int mbedtls_psa_ecjpake_write_round(
size_t len, size_t *olen,
mbedtls_ecjpake_rounds_t round);
#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
/**
* \brief TLS record protection modes
@ -2965,12 +2897,9 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
* max_data_len. In particular, this function always reads exactly \p
* max_data_len bytes from \p data.
*
* \param ctx The HMAC context. It must have keys configured
* with mbedtls_md_hmac_starts() and use one of the
* following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
* It is reset using mbedtls_md_hmac_reset() after
* the computation is complete to prepare for the
* next computation.
* \param key The HMAC key.
* \param mac_alg The hash algorithm.
* Must be one of SHA-384, SHA-256, SHA-1 or MD-5.
* \param add_data The first part of the message whose HMAC is being
* calculated. This must point to a readable buffer
* of \p add_data_len bytes.
@ -2993,7 +2922,6 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
* \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
* The hardware accelerator failed.
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
psa_algorithm_t mac_alg,
const unsigned char *add_data,
@ -3003,16 +2931,6 @@ int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
size_t min_data_len,
size_t max_data_len,
unsigned char *output);
#else
int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
const unsigned char *add_data,
size_t add_data_len,
const unsigned char *data,
size_t data_len_secret,
size_t min_data_len,
size_t max_data_len,
unsigned char *output);
#endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
#endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
#endif /* ssl_misc.h */

495
library/ssl_msg.c
View File

@ -26,16 +26,13 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#include "psa/crypto.h"
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#include "mbedtls/oid.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@ -45,11 +42,9 @@ static int local_err_translation(psa_status_t status)
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(PSA_WANT_ALG_SHA_384)
#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH(PSA_ALG_SHA_384)
@ -179,99 +174,6 @@ cleanup:
#undef MAX_HASH_BLOCK_LENGTH
#else
MBEDTLS_STATIC_TESTABLE
int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
const unsigned char *add_data,
size_t add_data_len,
const unsigned char *data,
size_t data_len_secret,
size_t min_data_len,
size_t max_data_len,
unsigned char *output)
{
/*
* This function breaks the HMAC abstraction and uses the md_clone()
* extension to the MD API in order to get constant-flow behaviour.
*
* HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
* concatenation, and okey/ikey are the XOR of the key with some fixed bit
* patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
*
* We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
* minlen, then cloning the context, and for each byte up to maxlen
* finishing up the hash computation, keeping only the correct result.
*
* Then we only need to compute HASH(okey + inner_hash) and we're done.
*/
const mbedtls_md_type_t md_alg = mbedtls_md_get_type(ctx->md_info);
/* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
* all of which have the same block size except SHA-384. */
const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
const unsigned char * const ikey = ctx->hmac_ctx;
const unsigned char * const okey = ikey + block_size;
const size_t hash_size = mbedtls_md_get_size(ctx->md_info);
unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_context_t aux;
size_t offset;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_init(&aux);
#define MD_CHK(func_call) \
do { \
ret = (func_call); \
if (ret != 0) \
goto cleanup; \
} while (0)
MD_CHK(mbedtls_md_setup(&aux, ctx->md_info, 0));
/* After hmac_start() of hmac_reset(), ikey has already been hashed,
* so we can start directly with the message */
MD_CHK(mbedtls_md_update(ctx, add_data, add_data_len));
MD_CHK(mbedtls_md_update(ctx, data, min_data_len));
/* Fill the hash buffer in advance with something that is
* not a valid hash (barring an attack on the hash and
* deliberately-crafted input), in case the caller doesn't
* check the return status properly. */
memset(output, '!', hash_size);
/* For each possible length, compute the hash up to that point */
for (offset = min_data_len; offset <= max_data_len; offset++) {
MD_CHK(mbedtls_md_clone(&aux, ctx));
MD_CHK(mbedtls_md_finish(&aux, aux_out));
/* Keep only the correct inner_hash in the output buffer */
mbedtls_ct_memcpy_if(mbedtls_ct_uint_eq(offset, data_len_secret),
output, aux_out, NULL, hash_size);
if (offset < max_data_len) {
MD_CHK(mbedtls_md_update(ctx, data + offset, 1));
}
}
/* The context needs to finish() before it starts() again */
MD_CHK(mbedtls_md_finish(ctx, aux_out));
/* Now compute HASH(okey + inner_hash) */
MD_CHK(mbedtls_md_starts(ctx));
MD_CHK(mbedtls_md_update(ctx, okey, block_size));
MD_CHK(mbedtls_md_update(ctx, output, hash_size));
MD_CHK(mbedtls_md_finish(ctx, output));
/* Done, get ready for next time */
MD_CHK(mbedtls_md_hmac_reset(ctx));
#undef MD_CHK
cleanup:
mbedtls_md_free(&aux);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
@ -899,9 +801,7 @@ static void ssl_build_record_nonce(unsigned char *dst_iv,
int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
mbedtls_record *rec)
{
mbedtls_ssl_mode_t ssl_mode;
int auth_done = 0;
@ -923,14 +823,6 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
((void) ssl);
#endif
/* The PRNG is used for dynamic IV generation that's used
* for CBC transformations in TLS 1.2. */
#if !(defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
defined(MBEDTLS_SSL_PROTO_TLS1_2))
((void) f_rng);
((void) p_rng);
#endif
MBEDTLS_SSL_DEBUG_MSG(2, ("=> encrypt buf"));
if (transform == NULL) {
@ -1039,17 +931,14 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl_extract_add_data_from_record(add_data, &add_data_len, rec,
transform->tls_version,
transform->taglen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
transform->psa_mac_alg);
if (status != PSA_SUCCESS) {
@ -1071,25 +960,6 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
if (status != PSA_SUCCESS) {
goto hmac_failed_etm_disabled;
}
#else
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
add_data_len);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, data, rec->data_len);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
if (ret != 0) {
goto hmac_failed_etm_disabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy(data + rec->data_len, mac, transform->maclen);
#endif
@ -1103,13 +973,11 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
hmac_failed_etm_disabled:
mbedtls_platform_zeroize(mac, transform->maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_hmac_xxx", ret);
return ret;
@ -1138,9 +1006,7 @@ hmac_failed_etm_disabled:
size_t dynamic_iv_len;
int dynamic_iv_is_explicit =
ssl_transform_aead_dynamic_iv_is_explicit(transform);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* Check that there's space for the authentication tag. */
@ -1192,7 +1058,6 @@ hmac_failed_etm_disabled:
/*
* Encrypt and authenticate
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_aead_encrypt(transform->psa_key_enc,
transform->psa_alg,
iv, transform->ivlen,
@ -1206,18 +1071,6 @@ hmac_failed_etm_disabled:
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret);
return ret;
}
#else
if ((ret = mbedtls_cipher_auth_encrypt_ext(&transform->cipher_ctx_enc,
iv, transform->ivlen,
add_data, add_data_len,
data, rec->data_len, /* src */
data, rec->buf_len - (size_t) (data - rec->buf), /* dst */
&rec->data_len,
transform->taglen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_encrypt_ext", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_BUF(4, "after encrypt: tag",
data + rec->data_len - transform->taglen,
@ -1248,11 +1101,9 @@ hmac_failed_etm_disabled:
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t padlen, i;
size_t olen;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t part_len;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Currently we're always using minimal padding
* (up to 255 bytes would be allowed). */
@ -1279,10 +1130,6 @@ hmac_failed_etm_disabled:
* Prepend per-record IV for block cipher in TLS v1.2 as per
* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
*/
if (f_rng == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("No PRNG provided to encrypt_record routine"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
if (rec->data_offset < transform->ivlen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Buffer provided for encrypted record not large enough"));
@ -1292,7 +1139,7 @@ hmac_failed_etm_disabled:
/*
* Generate IV
*/
ret = f_rng(p_rng, transform->iv_enc, transform->ivlen);
ret = psa_generate_random(transform->iv_enc, transform->ivlen);
if (ret != 0) {
return ret;
}
@ -1307,7 +1154,6 @@ hmac_failed_etm_disabled:
rec->data_len, transform->ivlen,
padlen + 1));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_cipher_encrypt_setup(&cipher_op,
transform->psa_key_enc, transform->psa_alg);
@ -1349,16 +1195,6 @@ hmac_failed_etm_disabled:
}
olen += part_len;
#else
if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
transform->iv_enc,
transform->ivlen,
data, rec->data_len,
data, &olen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (rec->data_len != olen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
@ -1372,10 +1208,8 @@ hmac_failed_etm_disabled:
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if (auth_done == 0) {
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length))
*/
@ -1392,7 +1226,6 @@ hmac_failed_etm_disabled:
MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
add_data_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup(&operation, transform->psa_mac_enc,
transform->psa_mac_alg);
if (status != PSA_SUCCESS) {
@ -1414,27 +1247,6 @@ hmac_failed_etm_disabled:
if (status != PSA_SUCCESS) {
goto hmac_failed_etm_enabled;
}
#else
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc, add_data,
add_data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_update(&transform->md_ctx_enc,
data, rec->data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_finish(&transform->md_ctx_enc, mac);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_reset(&transform->md_ctx_enc);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy(data + rec->data_len, mac, transform->maclen);
@ -1444,13 +1256,11 @@ hmac_failed_etm_disabled:
hmac_failed_etm_enabled:
mbedtls_platform_zeroize(mac, transform->maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "HMAC calculation failed", ret);
return ret;
@ -1547,9 +1357,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
unsigned char iv[12];
unsigned char *dynamic_iv;
size_t dynamic_iv_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Extract dynamic part of nonce for AEAD decryption.
@ -1619,7 +1427,6 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
/*
* Decrypt and authenticate
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_aead_decrypt(transform->psa_key_dec,
transform->psa_alg,
iv, transform->ivlen,
@ -1633,23 +1440,6 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret);
return ret;
}
#else
if ((ret = mbedtls_cipher_auth_decrypt_ext
(&transform->cipher_ctx_dec,
iv, transform->ivlen,
add_data, add_data_len,
data, rec->data_len + transform->taglen, /* src */
data, rec->buf_len - (size_t) (data - rec->buf), &olen, /* dst */
transform->taglen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_auth_decrypt_ext", ret);
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
return MBEDTLS_ERR_SSL_INVALID_MAC;
}
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
auth_done++;
@ -1664,11 +1454,9 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
if (ssl_mode == MBEDTLS_SSL_MODE_CBC ||
ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
size_t minlen = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t part_len;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Check immediate ciphertext sanity
@ -1716,11 +1504,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
*/
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#else
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG(3, ("using encrypt then mac"));
@ -1742,7 +1526,6 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
/* Calculate expected MAC. */
MBEDTLS_SSL_DEBUG_BUF(4, "MAC'd meta-data", add_data,
add_data_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_verify_setup(&operation, transform->psa_mac_dec,
transform->psa_mac_alg);
if (status != PSA_SUCCESS) {
@ -1765,51 +1548,14 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
if (status != PSA_SUCCESS) {
goto hmac_failed_etm_enabled;
}
#else
ret = mbedtls_md_hmac_update(&transform->md_ctx_dec, add_data,
add_data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_update(&transform->md_ctx_dec,
data, rec->data_len);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_finish(&transform->md_ctx_dec, mac_expect);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
ret = mbedtls_md_hmac_reset(&transform->md_ctx_dec);
if (ret != 0) {
goto hmac_failed_etm_enabled;
}
MBEDTLS_SSL_DEBUG_BUF(4, "message mac", data + rec->data_len,
transform->maclen);
MBEDTLS_SSL_DEBUG_BUF(4, "expected mac", mac_expect,
transform->maclen);
/* Compare expected MAC with MAC at the end of the record. */
if (mbedtls_ct_memcmp(data + rec->data_len, mac_expect,
transform->maclen) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("message mac does not match"));
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
goto hmac_failed_etm_enabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
auth_done++;
hmac_failed_etm_enabled:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = PSA_TO_MBEDTLS_ERR(status);
status = psa_mac_abort(&operation);
if (ret == 0 && status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
}
#else
mbedtls_platform_zeroize(mac_expect, transform->maclen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
if (ret != MBEDTLS_ERR_SSL_INVALID_MAC) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_hmac_xxx", ret);
@ -1847,7 +1593,6 @@ hmac_failed_etm_enabled:
/* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_cipher_decrypt_setup(&cipher_op,
transform->psa_key_dec, transform->psa_alg);
@ -1886,15 +1631,6 @@ hmac_failed_etm_enabled:
}
olen += part_len;
#else
if ((ret = mbedtls_cipher_crypt(&transform->cipher_ctx_dec,
transform->iv_dec, transform->ivlen,
data, rec->data_len, data, &olen)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_crypt", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Double-check that length hasn't changed during decryption. */
if (rec->data_len != olen) {
@ -2036,18 +1772,11 @@ hmac_failed_etm_enabled:
const size_t max_len = rec->data_len + padlen;
const size_t min_len = (max_len > 256) ? max_len - 256 : 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_ct_hmac(transform->psa_mac_dec,
transform->psa_mac_alg,
add_data, add_data_len,
data, rec->data_len, min_len, max_len,
mac_expect);
#else
ret = mbedtls_ct_hmac(&transform->md_ctx_dec,
add_data, add_data_len,
data, rec->data_len, min_len, max_len,
mac_expect);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ct_hmac", ret);
goto hmac_failed_etm_disabled;
@ -2982,8 +2711,7 @@ int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
if ((ret = mbedtls_ssl_encrypt_buf(ssl, ssl->transform_out, &rec)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "ssl_encrypt_buf", ret);
return ret;
}
@ -3219,6 +2947,12 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl)
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
{
if (ssl->in_hsfraglen == 0) {
/* The handshake message must at least include the header.
* We may not have the full message yet in case of fragmentation.
* To simplify the code, we insist on having the header (and in
* particular the handshake message length) in the first
* fragment. */
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen));
@ -3226,12 +2960,21 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
}
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl);
}
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen ="
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %"
MBEDTLS_PRINTF_SIZET,
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen));
if (ssl->transform_in != NULL) {
MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:"
" iv-buf=%d hdr-buf=%d hdr-buf=%d",
(int) (ssl->in_iv - ssl->in_buf),
(int) (ssl->in_hdr - ssl->in_buf),
(int) (ssl->in_msg - ssl->in_buf)));
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3291,10 +3034,105 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
}
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/* With TLS we don't handle fragmentation (for now) */
if (ssl->in_msglen < ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported"));
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
{
unsigned char *const reassembled_record_start =
ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
unsigned char *const payload_start =
reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl);
unsigned char *payload_end = payload_start + ssl->in_hsfraglen;
/* How many more bytes we want to have a complete handshake message. */
const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen;
/* How many bytes of the current record are part of the first
* handshake message. There may be more handshake messages (possibly
* incomplete) in the same record; if so, we leave them after the
* current record, and ssl_consume_current_message() will take
* care of consuming the next handshake message. */
const size_t hs_this_fragment_len =
ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen;
(void) hs_this_fragment_len;
MBEDTLS_SSL_DEBUG_MSG(3,
("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET
", %" MBEDTLS_PRINTF_SIZET
"..%" MBEDTLS_PRINTF_SIZET
" of %" MBEDTLS_PRINTF_SIZET,
(ssl->in_hsfraglen != 0 ?
"subsequent" :
hs_this_fragment_len == ssl->in_hslen ?
"sole" :
"initial"),
ssl->in_msglen,
ssl->in_hsfraglen,
ssl->in_hsfraglen + hs_this_fragment_len,
ssl->in_hslen));
/* Move the received handshake fragment to have the whole message
* (at least the part received so far) in a single segment at a
* known offset in the input buffer.
* - When receiving a non-initial handshake fragment, append it to
* the initial segment.
* - Even the initial handshake fragment is moved, if it was
* encrypted with an explicit IV: decryption leaves the payload
* after the explicit IV, but here we move it to start where the
* IV was.
*/
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t const in_buf_len = ssl->in_buf_len;
#else
size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: no room to move handshake fragment %"
MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%"
MBEDTLS_PRINTF_SIZET ")",
ssl->in_msglen,
(void *) ssl->in_msg, (void *) payload_end,
(void *) ssl->in_buf, in_buf_len));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
memmove(payload_end, ssl->in_msg, ssl->in_msglen);
ssl->in_hsfraglen += ssl->in_msglen;
payload_end += ssl->in_msglen;
if (ssl->in_hsfraglen < ssl->in_hslen) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments %"
MBEDTLS_PRINTF_SIZET "/%"
MBEDTLS_PRINTF_SIZET,
ssl->in_hsfraglen, ssl->in_hslen));
ssl->in_hdr = payload_end;
ssl->in_msglen = 0;
mbedtls_ssl_update_in_pointers(ssl);
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
} else {
ssl->in_msglen = ssl->in_hsfraglen;
ssl->in_hsfraglen = 0;
ssl->in_hdr = reassembled_record_start;
mbedtls_ssl_update_in_pointers(ssl);
/* Update the record length in the fully reassembled record */
if (ssl->in_msglen > 0xffff) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Shouldn't happen: in_msglen=%"
MBEDTLS_PRINTF_SIZET " > 0xffff",
ssl->in_msglen));
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen;
(void) record_len;
MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record",
ssl->in_hdr, record_len);
if (ssl->in_hslen < ssl->in_msglen) {
MBEDTLS_SSL_DEBUG_MSG(3,
("More handshake messages in the record: "
"%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET,
ssl->in_hslen,
ssl->in_msglen - ssl->in_hslen));
}
}
}
return 0;
@ -3861,6 +3699,7 @@ static int ssl_parse_record_header(mbedtls_ssl_context const *ssl,
rec->buf_len = rec->data_offset + rec->data_len;
if (rec->data_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("rejecting empty record"));
return MBEDTLS_ERR_SSL_INVALID_RECORD;
}
@ -4639,6 +4478,14 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
if (ssl->in_hsfraglen != 0) {
/* Not all handshake fragments have arrived, do not consume. */
MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments %"
MBEDTLS_PRINTF_SIZET "/%" MBEDTLS_PRINTF_SIZET,
ssl->in_hsfraglen, ssl->in_hslen));
return 0;
}
/*
* Get next Handshake message in the current record
*/
@ -4664,6 +4511,7 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl)
ssl->in_msglen -= ssl->in_hslen;
memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen,
ssl->in_msglen);
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0);
MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record",
ssl->in_msg, ssl->in_msglen);
@ -5027,6 +4875,18 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* If we're in the middle of a fragmented TLS handshake message,
* we don't accept any other message type. For TLS 1.3, the spec forbids
* interleaving other message types between handshake fragments. For TLS
* 1.2, the spec does not forbid it but we do. */
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM &&
ssl->in_hsfraglen != 0 &&
ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle"
" of a fragmented handshake message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
/*
* Handle particular types of records
*/
@ -5185,7 +5045,7 @@ int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
ssl->out_msglen = 1;
ssl->out_msg[0] = 1;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -5247,7 +5107,7 @@ int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl)
mbedtls_ssl_update_in_pointers(ssl);
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse change cipher spec"));
@ -5338,7 +5198,7 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
} else
#endif
{
ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
ssl->in_ctr = ssl->in_buf;
ssl->in_len = ssl->in_hdr + 3;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl->in_cid = ssl->in_len;
@ -5354,24 +5214,35 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl)
* Setup an SSL context
*/
void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl)
void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
/* Derive other internal pointers. */
mbedtls_ssl_update_in_pointers(ssl);
}
void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl)
{
/* Set the incoming and outgoing record pointers. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
ssl->out_hdr = ssl->out_buf;
ssl->in_hdr = ssl->in_buf;
} else
#endif /* MBEDTLS_SSL_PROTO_DTLS */
{
ssl->out_ctr = ssl->out_buf;
ssl->out_hdr = ssl->out_buf + 8;
ssl->in_hdr = ssl->in_buf + 8;
ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
}
/* Derive other internal pointers. */
mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */);
mbedtls_ssl_update_in_pointers(ssl);
}
/*
@ -5440,10 +5311,8 @@ int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
size_t transform_expansion = 0;
const mbedtls_ssl_transform *transform = ssl->transform_out;
unsigned block_size;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t out_hdr_len = mbedtls_ssl_out_hdr_len(ssl);
@ -5452,7 +5321,6 @@ int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (transform->psa_alg == PSA_ALG_GCM ||
transform->psa_alg == PSA_ALG_CCM ||
transform->psa_alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 8) ||
@ -5483,41 +5351,6 @@ int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
("Unsupported psa_alg spotted in mbedtls_ssl_get_record_expansion()"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#else
switch (mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)) {
case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM:
case MBEDTLS_MODE_CHACHAPOLY:
case MBEDTLS_MODE_STREAM:
transform_expansion = transform->minlen;
break;
case MBEDTLS_MODE_CBC:
block_size = mbedtls_cipher_get_block_size(
&transform->cipher_ctx_enc);
/* Expansion due to the addition of the MAC. */
transform_expansion += transform->maclen;
/* Expansion due to the addition of CBC padding;
* Theoretically up to 256 bytes, but we never use
* more than the block size of the underlying cipher. */
transform_expansion += block_size;
/* For TLS 1.2 or higher, an explicit IV is added
* after the record header. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
transform_expansion += block_size;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
break;
default:
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if (transform->out_cid_len != 0) {
@ -6202,22 +6035,12 @@ void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(transform->psa_key_enc);
psa_destroy_key(transform->psa_key_dec);
#else
mbedtls_cipher_free(&transform->cipher_ctx_enc);
mbedtls_cipher_free(&transform->cipher_ctx_dec);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(transform->psa_mac_enc);
psa_destroy_key(transform->psa_mac_dec);
#else
mbedtls_md_free(&transform->md_ctx_enc);
mbedtls_md_free(&transform->md_ctx_dec);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif
mbedtls_platform_zeroize(transform, sizeof(mbedtls_ssl_transform));

114
library/ssl_ticket.c
View File

@ -17,7 +17,6 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
@ -27,7 +26,6 @@ static int local_err_translation(psa_status_t status)
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
* Initialize context
@ -67,9 +65,7 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
unsigned char buf[MAX_KEY_BYTES] = { 0 };
mbedtls_ssl_ticket_key *key = ctx->keys + index;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
#endif
#if defined(MBEDTLS_HAVE_TIME)
key->generation_time = mbedtls_time(NULL);
@ -79,15 +75,14 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
*/
key->lifetime = ctx->ticket_lifetime;
if ((ret = ctx->f_rng(ctx->p_rng, key->name, sizeof(key->name))) != 0) {
if ((ret = psa_generate_random(key->name, sizeof(key->name))) != 0) {
return ret;
}
if ((ret = ctx->f_rng(ctx->p_rng, buf, sizeof(buf))) != 0) {
if ((ret = psa_generate_random(buf, sizeof(buf))) != 0) {
return ret;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_set_key_usage_flags(&attributes,
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, key->alg);
@ -98,12 +93,6 @@ static int ssl_ticket_gen_key(mbedtls_ssl_ticket_context *ctx,
psa_import_key(&attributes, buf,
PSA_BITS_TO_BYTES(key->key_bits),
&key->key));
#else
/* With GCM and CCM, same context can encrypt & decrypt */
ret = mbedtls_cipher_setkey(&key->ctx, buf,
mbedtls_cipher_get_key_bitlen(&key->ctx),
MBEDTLS_ENCRYPT);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_platform_zeroize(buf, sizeof(buf));
@ -124,9 +113,7 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
mbedtls_time_t current_time = mbedtls_time(NULL);
mbedtls_time_t key_time = key->generation_time;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
if (current_time >= key_time &&
(uint64_t) (current_time - key_time) < key->lifetime) {
@ -135,11 +122,9 @@ static int ssl_ticket_update_keys(mbedtls_ssl_ticket_context *ctx)
ctx->active = 1 - ctx->active;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(ctx->keys[ctx->active].key)) != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return ssl_ticket_gen_key(ctx, ctx->active);
} else
@ -159,19 +144,14 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
mbedtls_ssl_ticket_key * const key = ctx->keys + idx;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
const size_t bitlen = key->key_bits;
#else
const int bitlen = mbedtls_cipher_get_key_bitlen(&key->ctx);
#endif
if (nlength < TICKET_KEY_NAME_BYTES || klength * 8 < (size_t) bitlen) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_destroy_key(key->key)) != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
@ -189,12 +169,6 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
}
#else
ret = mbedtls_cipher_setkey(&key->ctx, k, bitlen, MBEDTLS_ENCRYPT);
if (ret != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ctx->active = idx;
ctx->ticket_lifetime = lifetime;
@ -211,51 +185,21 @@ int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
* Setup context for actual use
*/
int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_cipher_type_t cipher,
psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
uint32_t lifetime)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t key_bits;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg;
psa_key_type_t key_type;
#else
const mbedtls_cipher_info_t *cipher_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_ssl_cipher_to_psa(cipher, TICKET_AUTH_TAG_BYTES,
&alg, &key_type, &key_bits) != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
if (PSA_ALG_IS_AEAD(alg) == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
#else
cipher_info = mbedtls_cipher_info_from_type(cipher);
if (mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_GCM &&
mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CCM &&
mbedtls_cipher_info_get_mode(cipher_info) != MBEDTLS_MODE_CHACHAPOLY) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
key_bits = mbedtls_cipher_info_get_key_bitlen(cipher_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (key_bits > 8 * MAX_KEY_BYTES) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
ctx->f_rng = f_rng;
ctx->p_rng = p_rng;
ctx->ticket_lifetime = lifetime;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->keys[0].alg = alg;
ctx->keys[0].key_type = key_type;
ctx->keys[0].key_bits = key_bits;
@ -263,15 +207,6 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
ctx->keys[1].alg = alg;
ctx->keys[1].key_type = key_type;
ctx->keys[1].key_bits = key_bits;
#else
if ((ret = mbedtls_cipher_setup(&ctx->keys[0].ctx, cipher_info)) != 0) {
return ret;
}
if ((ret = mbedtls_cipher_setup(&ctx->keys[1].ctx, cipher_info)) != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = ssl_ticket_gen_key(ctx, 0)) != 0 ||
(ret = ssl_ticket_gen_key(ctx, 1)) != 0) {
@ -311,13 +246,11 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
size_t clear_len, ciph_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
*tlen = 0;
if (ctx == NULL || ctx->f_rng == NULL) {
if (ctx == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -341,7 +274,7 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
memcpy(key_name, key->name, TICKET_KEY_NAME_BYTES);
if ((ret = ctx->f_rng(ctx->p_rng, iv, TICKET_IV_BYTES)) != 0) {
if ((ret = psa_generate_random(iv, TICKET_IV_BYTES)) != 0) {
goto cleanup;
}
@ -355,7 +288,6 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
MBEDTLS_PUT_UINT16_BE(clear_len, state_len_bytes, 0);
/* Encrypt and authenticate */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_aead_encrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
key_name, TICKET_ADD_DATA_LEN,
state, clear_len,
@ -364,17 +296,6 @@ int mbedtls_ssl_ticket_write(void *p_ticket,
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
#else
if ((ret = mbedtls_cipher_auth_encrypt_ext(&key->ctx,
iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
state, clear_len,
state, (size_t) (end - state), &ciph_len,
TICKET_AUTH_TAG_BYTES)) != 0) {
goto cleanup;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ciph_len != clear_len + TICKET_AUTH_TAG_BYTES) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -428,11 +349,9 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
size_t enc_len, clear_len;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
if (ctx == NULL || ctx->f_rng == NULL) {
if (ctx == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -466,7 +385,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
}
/* Decrypt and authenticate */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((status = psa_aead_decrypt(key->key, key->alg, iv, TICKET_IV_BYTES,
key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
@ -474,21 +392,6 @@ int mbedtls_ssl_ticket_parse(void *p_ticket,
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
}
#else
if ((ret = mbedtls_cipher_auth_decrypt_ext(&key->ctx,
iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len + TICKET_AUTH_TAG_BYTES,
ticket, enc_len, &clear_len,
TICKET_AUTH_TAG_BYTES)) != 0) {
if (ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED) {
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
}
goto cleanup;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (clear_len != enc_len) {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -537,13 +440,8 @@ void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(ctx->keys[0].key);
psa_destroy_key(ctx->keys[1].key);
#else
mbedtls_cipher_free(&ctx->keys[0].ctx);
mbedtls_cipher_free(&ctx->keys[1].ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free(&ctx->mutex);

1270
library/ssl_tls.c
View File

File diff suppressed because it is too large Load Diff

542
library/ssl_tls12_client.c
View File

@ -17,7 +17,6 @@
#include "mbedtls/error.h"
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#include "psa/crypto.h"
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
@ -31,7 +30,6 @@ static int local_err_translation(psa_status_t status)
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
@ -136,15 +134,9 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
*olen = 0;
/* Skip costly extension if we can't use EC J-PAKE anyway */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
return 0;
}
#else
if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG(3,
("client hello, adding ecjpake_kkpp extension"));
@ -163,7 +155,6 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
ssl->handshake->ecjpake_cache_len == 0) {
MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
p + 2, end - p - 2, &kkpp_len,
MBEDTLS_ECJPAKE_ROUND_ONE);
@ -173,16 +164,6 @@ static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return ret;
}
#else
ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
p + 2, end - p - 2, &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ecjpake_write_round_one", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
if (ssl->handshake->ecjpake_cache == NULL) {
@ -828,15 +809,6 @@ static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
while (list_size > 0) {
if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
p[0]);
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
return 0;
}
@ -873,7 +845,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
ssl->handshake->ecjpake_cache = NULL;
ssl->handshake->ecjpake_cache_len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, buf, len,
MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
@ -889,19 +860,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
}
return 0;
#else
if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
buf, len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return ret;
}
return 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@ -1160,7 +1118,7 @@ static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
ssl->handshake->cookie_len = cookie_len;
/* Start over at ClientHello */
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
ret = mbedtls_ssl_reset_checksum(ssl);
if (0 != ret) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
@ -1369,7 +1327,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->id_len != n ||
memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->resume = 0;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@ -1378,7 +1336,7 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
ssl->session_negotiate->id_len = n;
memcpy(ssl->session_negotiate->id, buf + 35, n);
} else {
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
}
MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
@ -1660,49 +1618,6 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
return 0;
}
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t dhm_actual_bitlen;
/*
* Ephemeral DH parameters:
*
* struct {
* opaque dh_p<1..2^16-1>;
* opaque dh_g<1..2^16-1>;
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
return ret;
}
dhm_actual_bitlen = mbedtls_dhm_get_bitlen(&ssl->handshake->dhm_ctx);
if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
dhm_actual_bitlen,
ssl->conf->dhm_min_bitlen));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@ -1776,89 +1691,6 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#else
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
{
uint16_t tls_id;
mbedtls_ecp_group_id grp_id;
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
grp_id = ssl->handshake->ecdh_ctx.grp.id;
#else
grp_id = ssl->handshake->ecdh_ctx.grp_id;
#endif
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
mbedtls_ssl_get_curve_name_from_tls_id(tls_id)));
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
return -1;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
unsigned char **p,
unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
/*
* Ephemeral ECDH parameters:
*
* struct {
* ECParameters curve_params;
* ECPoint public;
* } ServerECDHParams;
*/
if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
(const unsigned char **) p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
if (ssl_check_server_ecdh_params(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1,
("bad server key exchange message (ECDHE curve)"));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
@ -1900,83 +1732,6 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
/*
* Generate a pre-master secret and encrypt it with the server's RSA key
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
size_t offset, size_t *olen,
size_t pms_offset)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len_bytes = 2;
unsigned char *p = ssl->handshake->premaster + pms_offset;
mbedtls_pk_context *peer_pk;
if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
}
/*
* Generate (part of) the pre-master as
* struct {
* ProtocolVersion client_version;
* opaque random[46];
* } PreMasterSecret;
*/
mbedtls_ssl_write_version(p, ssl->conf->transport,
MBEDTLS_SSL_VERSION_TLS1_2);
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
return ret;
}
ssl->handshake->pmslen = 48;
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert == NULL) {
/* Should never happen */
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/*
* Now write it out, encrypted
*/
if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
if ((ret = mbedtls_pk_encrypt(peer_pk,
p, ssl->handshake->pmslen,
ssl->out_msg + offset + len_bytes, olen,
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
return ret;
}
if (len_bytes == 2) {
MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
*olen += 2;
}
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it. */
mbedtls_pk_free(peer_pk);
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
@ -2007,7 +1762,6 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
#endif /* !defined(MBEDTLS_PK_USE_PSA_EC_DATA) */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
@ -2049,18 +1803,6 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
}
ssl->handshake->xxdh_psa_peerkey_len = olen;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
MBEDTLS_ECDH_THEIRS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
}
if (ssl_check_server_ecdh_params(ssl) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it,
* so that more RAM is available for upcoming expensive
@ -2083,16 +1825,6 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
ssl->state++;
return 0;
}
((void) p);
((void) end);
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
@ -2107,7 +1839,7 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
}
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
((void) p);
@ -2171,7 +1903,6 @@ start_processing:
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
@ -2189,21 +1920,6 @@ start_processing:
; /* nothing more to do */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@ -2224,7 +1940,6 @@ start_processing:
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/*
* The first 3 bytes are:
* [0] MBEDTLS_ECP_TLS_NAMED_CURVE
@ -2261,18 +1976,6 @@ start_processing:
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#else
ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
p, end - p);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{
@ -2444,7 +2147,7 @@ start_processing:
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
exit:
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
@ -2462,7 +2165,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -2489,7 +2192,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -2507,7 +2210,7 @@ static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
ssl->handshake->client_auth =
(ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
@ -2678,7 +2381,7 @@ static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -2703,40 +2406,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
/*
* DHM key exchange -- send G^X mod P
*/
content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
header_len = 6;
ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
&ssl->out_msg[header_len], content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
MBEDTLS_PREMASTER_SIZE,
&ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
@ -2745,7 +2414,6 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t key_attributes;
@ -2817,74 +2485,12 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
}
#else
/*
* ECDH key exchange -- send client public value
*/
header_len = 4;
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ssl->handshake->ecrs_enabled) {
if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
goto ecdh_calc_secret;
}
mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
}
#endif
ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
&content_len,
&ssl->out_msg[header_len], 1000,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ssl->handshake->ecrs_enabled) {
ssl->handshake->ecrs_n = content_len;
ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
}
ecdh_calc_secret:
if (ssl->handshake->ecrs_enabled) {
content_len = ssl->handshake->ecrs_n;
}
#endif
if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
}
#endif
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Z);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
@ -3007,8 +2613,7 @@ ecdh_calc_secret:
MBEDTLS_PUT_UINT16_BE(zlen, pms, 0);
pms += zlen_size + zlen;
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
/*
@ -3043,101 +2648,17 @@ ecdh_calc_secret:
content_len = 0;
} else
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
/*
* ClientDiffieHellmanPublic public (DHM send G^X mod P)
*/
content_len = mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx);
if (header_len + 2 + content_len >
MBEDTLS_SSL_OUT_CONTENT_LEN) {
MBEDTLS_SSL_DEBUG_MSG(1,
("psk identity or DHM size too long or SSL buffer too short"));
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
}
ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
&ssl->out_msg[header_len], content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
return ret;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *pms = ssl->handshake->premaster;
unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
size_t pms_len;
/* Write length only when we know the actual value */
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
pms + 2, pms_end - (pms + 2), &pms_len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
}
MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
pms += 2 + pms_len;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
#endif
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
/*
* ClientECDiffieHellmanPublic public;
*/
ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
&content_len,
&ssl->out_msg[header_len],
MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
} else
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
{
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
header_len = 4;
if ((ret = ssl_write_encrypted_pms(ssl, header_len,
&content_len, 0)) != 0) {
return ret;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
header_len = 4;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *out_p = ssl->out_msg + header_len;
unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
header_len;
@ -3150,27 +2671,8 @@ ecdh_calc_secret:
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return ret;
}
#else
ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
ssl->out_msg + header_len,
MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
&content_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
return ret;
}
ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{
((void) ciphersuite_info);
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
@ -3181,7 +2683,7 @@ ecdh_calc_secret:
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -3210,7 +2712,7 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -3252,14 +2754,14 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
if (ssl->handshake->client_auth == 0 ||
mbedtls_ssl_own_cert(ssl) == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -3325,7 +2827,7 @@ sign:
ssl->out_msg + 6 + offset,
out_buf_len - 6 - offset,
&n,
ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
rs_ctx)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
@ -3341,7 +2843,7 @@ sign:
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -3415,7 +2917,7 @@ static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
/* We're not waiting for a NewSessionTicket message any more */
ssl->handshake->new_session_ticket = 0;
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
/*
* Zero-length ticket means the server changed his mind and doesn't want
@ -3476,13 +2978,13 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
ssl->handshake->new_session_ticket != 0) {
ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_NEW_SESSION_TICKET);
}
#endif
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@ -3567,7 +3069,7 @@ int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

641
library/ssl_tls12_server.c
View File

@ -20,7 +20,6 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
@ -33,7 +32,6 @@ static int local_err_translation(psa_status_t status)
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#endif
#if defined(MBEDTLS_ECP_C)
#include "mbedtls/ecp.h"
@ -88,11 +86,9 @@ static int ssl_conf_has_psk_or_cb(mbedtls_ssl_config const *conf)
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
return 1;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (conf->psk != NULL && conf->psk_len != 0) {
return 1;
@ -261,15 +257,6 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
while (list_size > 0) {
if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
ssl->handshake->ecdh_ctx.point_format = p[0];
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_set_point_format(&ssl->handshake->ecjpake_ctx,
p[0]);
#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
return 0;
}
@ -292,17 +279,11 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->psa_pake_ctx_is_ok != 1)
#else
if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
if (ssl->handshake->psa_pake_ctx_is_ok != 1) {
MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, buf, len,
MBEDTLS_ECJPAKE_ROUND_ONE)) != 0) {
@ -317,15 +298,6 @@ static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
return ret;
}
#else
if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
buf, len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Only mark the extension as OK when we're sure it is */
ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
@ -682,20 +654,16 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
* Try picking a certificate for this ciphersuite,
* return 0 on success and -1 on failure.
*/
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_pick_cert(mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
{
mbedtls_ssl_key_cert *cur, *list;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t pk_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(ciphersuite_info);
psa_key_usage_t pk_usage =
mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(ciphersuite_info);
#else
mbedtls_pk_type_t pk_alg =
mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@ -706,11 +674,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
list = ssl->conf->key_cert;
int pk_alg_is_none = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
pk_alg_is_none = (pk_alg == PSA_ALG_NONE);
#else
pk_alg_is_none = (pk_alg == MBEDTLS_PK_NONE);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (pk_alg_is_none) {
return 0;
}
@ -728,19 +692,14 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
cur->cert);
int key_type_matches = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
key_type_matches = ((ssl->conf->f_async_sign_start != NULL ||
ssl->conf->f_async_decrypt_start != NULL ||
mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage)) &&
mbedtls_pk_can_do_ext(&cur->cert->pk, pk_alg, pk_usage));
#else
key_type_matches = (
mbedtls_pk_can_do_ext(cur->key, pk_alg, pk_usage));
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#else
key_type_matches = mbedtls_pk_can_do(&cur->cert->pk, pk_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (!key_type_matches) {
MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: key type"));
continue;
@ -786,6 +745,8 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
return -1;
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
@ -848,6 +809,8 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/*
* Final check: if ciphersuite requires us to have a
@ -863,7 +826,6 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* If the ciphersuite requires signing, check whether
* a suitable hash algorithm is present. */
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg(suite_info);
@ -1056,28 +1018,6 @@ read_record_header:
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
{
size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1);
MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u",
(unsigned) handshake_len));
/* The record layer has a record size limit of 2^14 - 1 and
* fragmentation is not supported, so buf[1] should be zero. */
if (buf[1] != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0",
(unsigned) buf[1]));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
/* We don't support fragmentation of ClientHello (yet?) */
if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u",
(unsigned) msg_len,
(unsigned) mbedtls_ssl_hs_hdr_len(ssl),
(unsigned) handshake_len));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -1657,7 +1597,7 @@ have_ciphersuite:
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->handshake->ciphersuite_info = ciphersuite_info;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -1948,7 +1888,6 @@ static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
p += 2;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx,
p + 2, (size_t) (end - p - 2), &kkpp_len,
MBEDTLS_ECJPAKE_ROUND_ONE);
@ -1958,15 +1897,6 @@ static void ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_output", ret);
return;
}
#else
ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
p + 2, (size_t) (end - p - 2), &kkpp_len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_one", ret);
return;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
p += 2;
@ -2085,7 +2015,7 @@ static int ssl_write_hello_verify_request(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -2203,14 +2133,14 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
(long long) t));
#else
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
if ((ret = psa_generate_random(p, 4)) != 0) {
return ret;
}
p += 4;
#endif /* MBEDTLS_HAVE_TIME */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 20)) != 0) {
if ((ret = psa_generate_random(p, 20)) != 0) {
return ret;
}
p += 20;
@ -2236,7 +2166,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
} else
#endif
{
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 8)) != 0) {
if ((ret = psa_generate_random(p, 8)) != 0) {
return ret;
}
}
@ -2253,7 +2183,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
* New session, create a new session id,
* unless we're about to issue a session ticket
*/
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time(NULL);
@ -2267,7 +2197,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
{
ssl->session_negotiate->id_len = n = 32;
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, ssl->session_negotiate->id,
if ((ret = psa_generate_random(ssl->session_negotiate->id,
n)) != 0) {
return ret;
}
@ -2277,7 +2207,7 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
* Resuming a session
*/
n = ssl->session_negotiate->id_len;
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC);
if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
@ -2403,7 +2333,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -2426,7 +2356,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate request"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
@ -2585,7 +2515,6 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED))
#if defined(MBEDTLS_USE_PSA_CRYPTO)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
@ -2732,33 +2661,6 @@ exit:
return ret;
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
if (private_key == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no server private key"));
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_ECKEY)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
MBEDTLS_ECDH_OURS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
}
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
@ -2831,7 +2733,6 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *out_p = ssl->out_msg + ssl->out_msglen;
unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN -
ssl->out_msglen;
@ -2868,89 +2769,20 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
output_offset += output_len;
ssl->out_msglen += output_offset;
#else
size_t len = 0;
ret = mbedtls_ecjpake_write_round_two(
&ssl->handshake->ecjpake_ctx,
ssl->out_msg + ssl->out_msglen,
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
return ret;
}
ssl->out_msglen += len;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
/*
* For (EC)DHE key exchanges with PSK, parameters are prefixed by support
* For ECDHE key exchanges with PSK, parameters are prefixed by support
* identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
* we use empty support identity hints here.
**/
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
ssl->out_msg[ssl->out_msglen++] = 0x00;
ssl->out_msg[ssl->out_msglen++] = 0x00;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
/*
* - DHE key exchanges
*/
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
if (mbedtls_ssl_ciphersuite_uses_dhe(ciphersuite_info)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
if (ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("no DH parameters set"));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
/*
* Ephemeral DH parameters:
*
* struct {
* opaque dh_p<1..2^16-1>;
* opaque dh_g<1..2^16-1>;
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
if ((ret = mbedtls_dhm_set_group(&ssl->handshake->dhm_ctx,
&ssl->conf->dhm_P,
&ssl->conf->dhm_G)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_set_group", ret);
return ret;
}
if ((ret = mbedtls_dhm_make_params(
&ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len(&ssl->handshake->dhm_ctx),
ssl->out_msg + ssl->out_msglen, &len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_params", ret);
return ret;
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
dig_signed = ssl->out_msg + ssl->out_msglen;
#endif
ssl->out_msglen += len;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
/*
* - ECDHE key exchanges
@ -2966,7 +2798,7 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl,
* } ServerECDHParams;
*/
uint16_t *curr_tls_id = ssl->handshake->curves_tls_id;
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
@ -2992,7 +2824,6 @@ curve_matching_done:
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDHE curve: %s",
mbedtls_ssl_get_curve_name_from_tls_id(*curr_tls_id)));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t key_attributes;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -3074,28 +2905,6 @@ curve_matching_done:
/* Determine full message length. */
len += header_size;
#else
mbedtls_ecp_group_id curr_grp_id =
mbedtls_ssl_get_ecp_group_id_from_tls_id(*curr_tls_id);
if ((ret = mbedtls_ecdh_setup(&ssl->handshake->ecdh_ctx,
curr_grp_id)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecp_group_load", ret);
return ret;
}
if ((ret = mbedtls_ecdh_make_params(
&ssl->handshake->ecdh_ctx, &len,
ssl->out_msg + ssl->out_msglen,
MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_params", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
dig_signed = ssl->out_msg + ssl->out_msglen;
@ -3226,9 +3035,7 @@ curve_matching_done:
md_alg, hash, hashlen,
ssl->out_msg + ssl->out_msglen + 2,
out_buf_len - ssl->out_msglen - 2,
signature_len,
ssl->conf->f_rng,
ssl->conf->p_rng)) != 0) {
signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
return ret;
}
@ -3273,7 +3080,7 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
/* Key exchanges not involving ephemeral keys don't use
* ServerKeyExchange, so end here. */
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
@ -3327,7 +3134,7 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
@ -3349,7 +3156,7 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
@ -3375,233 +3182,6 @@ static int ssl_write_server_hello_done(mbedtls_ssl_context *ssl)
return 0;
}
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_dh_public(mbedtls_ssl_context *ssl, unsigned char **p,
const unsigned char *end)
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
size_t n;
/*
* Receive G^Y mod P, premaster = (G^Y)^X mod P
*/
if (*p + 2 > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
n = MBEDTLS_GET_UINT16_BE(*p, 0);
*p += 2;
if (*p + n > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if ((ret = mbedtls_dhm_read_public(&ssl->handshake->dhm_ctx, *p, n)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
*p += n;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
return ret;
}
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_resume_decrypt_pms(mbedtls_ssl_context *ssl,
unsigned char *peer_pms,
size_t *peer_pmslen,
size_t peer_pmssize)
{
int ret = ssl->conf->f_async_resume(ssl,
peer_pms, peer_pmslen, peer_pmssize);
if (ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
ssl->handshake->async_in_progress = 0;
mbedtls_ssl_set_async_operation_data(ssl, NULL);
}
MBEDTLS_SSL_DEBUG_RET(2, "ssl_decrypt_encrypted_pms", ret);
return ret;
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_decrypt_encrypted_pms(mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
unsigned char *peer_pms,
size_t *peer_pmslen,
size_t peer_pmssize)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *own_cert = mbedtls_ssl_own_cert(ssl);
if (own_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no local certificate"));
return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
}
mbedtls_pk_context *public_key = &own_cert->pk;
mbedtls_pk_context *private_key = mbedtls_ssl_own_key(ssl);
size_t len = mbedtls_pk_get_len(public_key);
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/* If we have already started decoding the message and there is an ongoing
* decryption operation, resume signing. */
if (ssl->handshake->async_in_progress != 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("resuming decryption operation"));
return ssl_resume_decrypt_pms(ssl,
peer_pms, peer_pmslen, peer_pmssize);
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
/*
* Prepare to decrypt the premaster using own private RSA key
*/
if (p + 2 > end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (*p++ != MBEDTLS_BYTE_1(len) ||
*p++ != MBEDTLS_BYTE_0(len)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (p + len != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
/*
* Decrypt the premaster secret
*/
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ssl->conf->f_async_decrypt_start != NULL) {
ret = ssl->conf->f_async_decrypt_start(ssl,
mbedtls_ssl_own_cert(ssl),
p, len);
switch (ret) {
case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
/* act as if f_async_decrypt_start was null */
break;
case 0:
ssl->handshake->async_in_progress = 1;
return ssl_resume_decrypt_pms(ssl,
peer_pms,
peer_pmslen,
peer_pmssize);
case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
ssl->handshake->async_in_progress = 1;
return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
default:
MBEDTLS_SSL_DEBUG_RET(1, "f_async_decrypt_start", ret);
return ret;
}
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
if (!mbedtls_pk_can_do(private_key, MBEDTLS_PK_RSA)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no RSA private key"));
return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
}
ret = mbedtls_pk_decrypt(private_key, p, len,
peer_pms, peer_pmslen, peer_pmssize,
ssl->conf->f_rng, ssl->conf->p_rng);
return ret;
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_encrypted_pms(mbedtls_ssl_context *ssl,
const unsigned char *p,
const unsigned char *end,
size_t pms_offset)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *pms = ssl->handshake->premaster + pms_offset;
unsigned char ver[2];
unsigned char fake_pms[48], peer_pms[48];
size_t peer_pmslen;
mbedtls_ct_condition_t diff;
/* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't
* matter in the end because diff will be nonzero in that case due to
* ret being nonzero, and we only care whether diff is 0.
* But do initialize peer_pms and peer_pmslen for robustness anyway. This
* also makes memory analyzers happy (don't access uninitialized memory,
* even if it's an unsigned char). */
peer_pms[0] = peer_pms[1] = ~0;
peer_pmslen = 0;
ret = ssl_decrypt_encrypted_pms(ssl, p, end,
peer_pms,
&peer_pmslen,
sizeof(peer_pms));
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) {
return ret;
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
mbedtls_ssl_write_version(ver, ssl->conf->transport,
ssl->session_negotiate->tls_version);
/* Avoid data-dependent branches while checking for invalid
* padding, to protect against timing-based Bleichenbacher-type
* attacks. */
diff = mbedtls_ct_bool(ret);
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pmslen, 48));
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[0], ver[0]));
diff = mbedtls_ct_bool_or(diff, mbedtls_ct_uint_ne(peer_pms[1], ver[1]));
/*
* Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
* must not cause the connection to end immediately; instead, send a
* bad_record_mac later in the handshake.
* To protect against timing-based variants of the attack, we must
* not have any branch that depends on whether the decryption was
* successful. In particular, always generate the fake premaster secret,
* regardless of whether it will ultimately influence the output or not.
*/
ret = ssl->conf->f_rng(ssl->conf->p_rng, fake_pms, sizeof(fake_pms));
if (ret != 0) {
/* It's ok to abort on an RNG failure, since this does not reveal
* anything about the RSA decryption. */
return ret;
}
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if (diff != MBEDTLS_CT_FALSE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange message"));
}
#endif
if (sizeof(ssl->handshake->premaster) < pms_offset ||
sizeof(ssl->handshake->premaster) - pms_offset < 48) {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ssl->handshake->pmslen = 48;
/* Set pms to either the true or the fake PMS, without
* data-dependent branches. */
mbedtls_ct_memcpy_if(diff, pms, fake_pms, peer_pms, ssl->handshake->pmslen);
return 0;
}
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_client_psk_identity(mbedtls_ssl_context *ssl, unsigned char **p,
@ -3668,16 +3248,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client key exchange"));
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA &&
(ssl->handshake->async_in_progress != 0)) {
/* We've already read a record and there is an asynchronous
* operation in progress to decrypt it. So skip reading the
* record. */
MBEDTLS_SSL_DEBUG_MSG(3, ("will resume decryption of previously-read record"));
} else
#endif
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
return ret;
@ -3696,30 +3266,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
return ret;
}
if (p != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
ssl->handshake->premaster,
MBEDTLS_PREMASTER_SIZE,
&ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
@ -3728,7 +3274,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t data_len = (size_t) (*p++);
size_t buf_len = (size_t) (end - p);
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
@ -3789,28 +3334,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
}
}
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#else
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
p, (size_t) (end - p))) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
&ssl->handshake->pmslen,
ssl->handshake->premaster,
MBEDTLS_MPI_MAX_SIZE,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Z);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
@ -3828,61 +3351,10 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
return ret;
}
if ((ret = ssl_parse_client_dh_public(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_dh_public"), ret);
return ret;
}
if (p != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client key exchange"));
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char *pms = ssl->handshake->premaster;
unsigned char *pms_end = pms + sizeof(ssl->handshake->premaster);
size_t pms_len;
/* Write length only when we know the actual value */
if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
pms + 2, pms_end - (pms + 2), &pms_len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
return ret;
}
MBEDTLS_PUT_UINT16_BE(pms_len, pms, 0);
pms += 2 + pms_len;
MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
#else
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
size_t ecpoint_len;
@ -3964,41 +3436,10 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_PUT_UINT16_BE(zlen, psm, 0);
psm += zlen_size + zlen;
#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
return ret;
}
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
p, (size_t) (end - p))) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_read_public", ret);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_QP);
if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
(mbedtls_key_exchange_type_t) ciphersuite_info->
key_exchange)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_psk_derive_premaster", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
if ((ret = ssl_parse_encrypted_pms(ssl, p, end, 0)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_parse_encrypted_pms_secret"), ret);
return ret;
}
} else
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_psa_ecjpake_read_round(
&ssl->handshake->psa_pake_ctx, p, (size_t) (end - p),
MBEDTLS_ECJPAKE_ROUND_TWO)) != 0) {
@ -4008,22 +3449,6 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_RET(1, "psa_pake_input round two", ret);
return ret;
}
#else
ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
p, (size_t) (end - p));
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
ssl->conf->f_rng, ssl->conf->p_rng);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
} else
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
{
@ -4036,7 +3461,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return ret;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse client key exchange"));
@ -4054,7 +3479,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
@ -4080,20 +3505,20 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
if (ssl->session_negotiate->peer_cert == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if (ssl->session_negotiate->peer_cert_digest == NULL) {
MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate verify"));
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
return 0;
}
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@ -4105,7 +3530,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
return ret;
}
ssl->state++;
mbedtls_ssl_handshake_increment_state(ssl);
/* Process the message contents */
if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
@ -4289,7 +3714,7 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
switch (ssl->state) {
case MBEDTLS_SSL_HELLO_REQUEST:
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
break;
/*
@ -4378,7 +3803,7 @@ int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_FLUSH_BUFFERS:
MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:

5
library/ssl_tls13_client.c
View File

@ -216,7 +216,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
/* Pick first available ECDHE group compatible with TLS 1.3 */
if (group_list == NULL) {
return MBEDTLS_ERR_SSL_BAD_CONFIG;
@ -318,6 +318,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
ssl, group_id, p, end, &key_exchange_len);
p += key_exchange_len;
if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("client hello: failed generating xxdh key exchange"));
return ret;
}
@ -381,7 +382,7 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
int selected_group;
int found = 0;
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
const uint16_t *group_list = ssl->conf->group_list;
if (group_list == NULL) {
return MBEDTLS_ERR_SSL_BAD_CONFIG;
}

5
library/ssl_tls13_generic.c
View File

@ -518,7 +518,7 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
switch (ret) {
case 0: /*ok*/
break;
case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
case MBEDTLS_ERR_OID_NOT_FOUND:
/* Ignore certificate with an unknown algorithm: maybe a
prior certificate was already trusted. */
break;
@ -978,8 +978,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
if ((ret = mbedtls_pk_sign_ext(pk_type, own_key,
md_alg, verify_hash, verify_hash_len,
p + 4, (size_t) (end - (p + 4)), &signature_len,
ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
p + 4, (size_t) (end - (p + 4)), &signature_len)) != 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s",
mbedtls_ssl_sig_alg_to_str(*sig_alg)));
MBEDTLS_SSL_DEBUG_RET(2, "mbedtls_pk_sign_ext", ret);

122
library/ssl_tls13_keys.c
View File

@ -56,15 +56,16 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
* };
*
* Parameters:
* - desired_length: Length of expanded key material
* Even though the standard allows expansion to up to
* 2**16 Bytes, TLS 1.3 never uses expansion to more than
* 255 Bytes, so we require `desired_length` to be at most
* 255. This allows us to save a few Bytes of code by
* hardcoding the writing of the high bytes.
* - desired_length: Length of expanded key material.
* The length field can hold numbers up to 2**16, but HKDF
* can only generate outputs of up to 255 * HASH_LEN bytes.
* It is the caller's responsibility to ensure that this
* limit is not exceeded. In TLS 1.3, SHA256 is the hash
* function with the smallest block size, so a length
* <= 255 * 32 = 8160 is always safe.
* - (label, label_len): label + label length, without "tls13 " prefix
* The label length MUST be less than or equal to
* MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
* MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN.
* It is the caller's responsibility to ensure this.
* All (label, label length) pairs used in TLS 1.3
* can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
@ -91,7 +92,7 @@ static const char tls13_label_prefix[6] = "tls13 ";
#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
sizeof(tls13_label_prefix) + \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN, \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN)
static void ssl_tls13_hkdf_encode_label(
@ -107,15 +108,13 @@ static void ssl_tls13_hkdf_encode_label(
unsigned char *p = dst;
/* Add the size of the expanded key material.
* We're hardcoding the high byte to 0 here assuming that we never use
* TLS 1.3 HKDF key expansion to more than 255 Bytes. */
#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
/* Add the size of the expanded key material. */
#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX
#error "The desired key length must fit into an uint16 but \
MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX"
#endif
*p++ = 0;
*p++ = MBEDTLS_BYTE_1(desired_length);
*p++ = MBEDTLS_BYTE_0(desired_length);
/* Add label incl. prefix */
@ -149,7 +148,7 @@ int mbedtls_ssl_tls13_hkdf_expand_label(
psa_key_derivation_operation_t operation =
PSA_KEY_DERIVATION_OPERATION_INIT;
if (label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN) {
if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN) {
/* Should never happen since this is an internal
* function, and we know statically which labels
* are allowed. */
@ -925,23 +924,17 @@ int mbedtls_ssl_tls13_populate_transform(
mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl /* DEBUG ONLY */)
{
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
int ret;
mbedtls_cipher_info_t const *cipher_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
unsigned char const *key_enc;
unsigned char const *iv_enc;
unsigned char const *key_dec;
unsigned char const *iv_dec;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t key_type;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
size_t key_bits;
psa_status_t status = PSA_SUCCESS;
#endif
#if !defined(MBEDTLS_DEBUG_C)
ssl = NULL; /* make sure we don't use it except for those cases */
@ -955,29 +948,6 @@ int mbedtls_ssl_tls13_populate_transform(
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher);
if (cipher_info == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
ciphersuite_info->cipher));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
/*
* Setup cipher contexts in target transform
*/
if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
cipher_info)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
return ret;
}
if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
cipher_info)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SRV_C)
if (endpoint == MBEDTLS_SSL_IS_SERVER) {
@ -1003,21 +973,6 @@ int mbedtls_ssl_tls13_populate_transform(
memcpy(transform->iv_enc, iv_enc, traffic_keys->iv_len);
memcpy(transform->iv_dec, iv_dec, traffic_keys->iv_len);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc,
key_enc, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_ENCRYPT)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
return ret;
}
if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec,
key_dec, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_DECRYPT)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Setup other fields in SSL transform
@ -1041,7 +996,6 @@ int mbedtls_ssl_tls13_populate_transform(
transform->minlen =
transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/*
* Setup psa keys and alg
*/
@ -1082,7 +1036,6 @@ int mbedtls_ssl_tls13_populate_transform(
return PSA_TO_MBEDTLS_ERR(status);
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return 0;
}
@ -1298,8 +1251,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl)
ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, NULL, psk, psk_len,
handshake->tls13_master_secrets.early);
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
mbedtls_free((void *) psk);
#endif
if (ret != 0) {
@ -1839,7 +1791,6 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
unsigned char **psk,
size_t *psk_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@ -1869,15 +1820,40 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
return PSA_TO_MBEDTLS_ERR(status);
}
return 0;
#else
*psk = ssl->handshake->psk;
*psk_len = ssl->handshake->psk_len;
if (*psk == NULL) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
return 0;
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
const unsigned char *secret, const size_t secret_len,
const unsigned char *label, const size_t label_len,
const unsigned char *context_value, const size_t context_len,
unsigned char *out, const size_t out_len)
{
size_t hash_len = PSA_HASH_LENGTH(hash_alg);
unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
int ret = 0;
ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0,
MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret,
hash_len);
if (ret != 0) {
goto exit;
}
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
hkdf_secret,
hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter),
context_value,
context_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
out,
out_len);
exit:
mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret));
return ret;
}
#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

34
library/ssl_tls13_keys.h
View File

@ -60,8 +60,9 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
mbedtls_ssl_tls13_labels.LABEL, \
MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL)
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \
sizeof(union mbedtls_ssl_tls13_labels_union)
/* Maximum length of the label field in the HkdfLabel struct defined in
* RFC 8446, Section 7.1, excluding the "tls13 " prefix. */
#define MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN 249
/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
* Since contexts are always hashes of message transcripts, this can
@ -70,13 +71,11 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
PSA_HASH_MAX_SIZE
/* Maximum desired length for expanded key material generated
* by HKDF-Expand-Label.
*
* Warning: If this ever needs to be increased, the implementation
* ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
* adjusted since it currently assumes that HKDF key expansion
* is never used with more than 255 Bytes of output. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
* by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size
* bytes of key material where hash_size is the output size of the
* underlying hash function. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \
(255 * MBEDTLS_TLS1_3_MD_MAX_SIZE)
/**
* \brief The \c HKDF-Expand-Label function from
@ -646,6 +645,23 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
size_t *psk_len);
#endif
/**
* \brief Calculate TLS-Exporter function as defined in RFC 8446, Section 7.5.
*
* \param[in] hash_alg The hash algorithm.
* \param[in] secret The secret to use. (Should be the exporter master secret.)
* \param[in] secret_len Length of secret.
* \param[in] label The label of the exported key.
* \param[in] label_len The length of label.
* \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes.
* \param[in] out_len Length of the key to generate.
*/
int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
const unsigned char *secret, const size_t secret_len,
const unsigned char *label, const size_t label_len,
const unsigned char *context_value, const size_t context_len,
uint8_t *out, const size_t out_len);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */

28
library/ssl_tls13_server.c
View File

@ -91,7 +91,7 @@ static void ssl_tls13_select_ciphersuite(
return;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
MBEDTLS_SSL_DEBUG_MSG(1, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
(unsigned) psk_ciphersuite_id,
(unsigned long) psk_hash_alg));
}
@ -435,9 +435,7 @@ static int ssl_tls13_offered_psks_check_binder_match(
psk, psk_len, psk_type,
transcript,
server_computed_binder);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_free((void *) psk);
#endif
if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("PSK binder calculation failed."));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
@ -739,11 +737,7 @@ static int ssl_tls13_write_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
*olen = 0;
int not_using_psk = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
not_using_psk = (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque));
#else
not_using_psk = (ssl->handshake->psk == NULL);
#endif
if (not_using_psk) {
/* We shouldn't have called this extension writer unless we've
* chosen to use a PSK. */
@ -1078,7 +1072,6 @@ static int ssl_tls13_key_exchange_is_ephemeral_available(mbedtls_ssl_context *ss
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
{
switch (sig_alg) {
@ -1104,7 +1097,6 @@ static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg(uint16_t sig_alg)
return PSA_ALG_NONE;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* Pick best ( private key, certificate chain ) pair based on the signature
@ -1139,9 +1131,7 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
for (key_cert = key_cert_list; key_cert != NULL;
key_cert = key_cert->next) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_alg = PSA_ALG_NONE;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_CRT(3, "certificate (chain) candidate",
key_cert->cert);
@ -1165,17 +1155,13 @@ static int ssl_tls13_pick_key_cert(mbedtls_ssl_context *ssl)
"check signature algorithm %s [%04x]",
mbedtls_ssl_sig_alg_to_str(*sig_alg),
*sig_alg));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_alg = ssl_tls13_iana_sig_alg_to_psa_alg(*sig_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ssl_tls13_check_sig_alg_cert_key_match(
*sig_alg, &key_cert->cert->pk)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
&& psa_alg != PSA_ALG_NONE &&
mbedtls_pk_can_do_ext(&key_cert->cert->pk, psa_alg,
PSA_KEY_USAGE_SIGN_HASH) == 1
#endif /* MBEDTLS_USE_PSA_CRYPTO */
) {
ssl->handshake->key_cert = key_cert;
MBEDTLS_SSL_DEBUG_MSG(3,
@ -1379,6 +1365,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
if (ret == 0) {
MBEDTLS_SSL_DEBUG_MSG(2, ("no supported_versions extension"));
return SSL_CLIENT_HELLO_TLS1_2;
}
@ -1400,6 +1387,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
* the TLS version to negotiate.
*/
if (MBEDTLS_SSL_VERSION_TLS1_2 == ret) {
MBEDTLS_SSL_DEBUG_MSG(2, ("supported_versions without 1.3"));
return SSL_CLIENT_HELLO_TLS1_2;
}
}
@ -1978,6 +1966,7 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
}
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
MBEDTLS_SSL_DEBUG_MSG(1, ("non-1.3 ClientHello left for later processing"));
return 0;
}
@ -2007,9 +1996,9 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
unsigned char *server_randbytes =
ssl->handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN;
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, server_randbytes,
if ((ret = psa_generate_random(server_randbytes,
MBEDTLS_SERVER_HELLO_RANDOM_LEN)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_random", ret);
return ret;
}
@ -3183,8 +3172,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
#endif
/* Generate ticket_age_add */
if ((ret = ssl->conf->f_rng(ssl->conf->p_rng,
(unsigned char *) &session->ticket_age_add,
if ((ret = psa_generate_random((unsigned char *) &session->ticket_age_add,
sizeof(session->ticket_age_add)) != 0)) {
MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_age_add", ret);
return ret;
@ -3193,7 +3181,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
(unsigned int) session->ticket_age_add));
/* Generate ticket_nonce */
ret = ssl->conf->f_rng(ssl->conf->p_rng, ticket_nonce, ticket_nonce_size);
ret = psa_generate_random(ticket_nonce, ticket_nonce_size);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "generate_ticket_nonce", ret);
return ret;

5
library/x509_crl.c
View File

@ -582,11 +582,6 @@ int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/*
* Return an informational string about the certificate.
*/
#define BEFORE_COLON 14
#define BC "14"
/*
* Return an informational string about the CRL.
*/

42
library/x509_crt.c
View File

@ -32,11 +32,9 @@
#include "mbedtls/pem.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "pk_internal.h"
#include "mbedtls/platform.h"
@ -1745,15 +1743,15 @@ static int x509_info_cert_policies(char **buf, size_t *size,
/*
* Return an informational string about the certificate.
*/
#define BEFORE_COLON 18
#define BC "18"
#define MBEDTLS_BEFORE_COLON 18
#define MBEDTLS_BEFORE_COLON_STR "18"
int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
const mbedtls_x509_crt *crt)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
char *p;
char key_size_str[BEFORE_COLON];
char key_size_str[MBEDTLS_BEFORE_COLON];
p = buf;
n = size;
@ -1807,13 +1805,13 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
MBEDTLS_X509_SAFE_SNPRINTF;
/* Key size */
if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
mbedtls_pk_get_name(&crt->pk))) != 0) {
return ret;
}
ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
(int) mbedtls_pk_get_bitlen(&crt->pk));
ret = mbedtls_snprintf(p, n, "\n%s%-" MBEDTLS_BEFORE_COLON_STR "s: %d bits",
prefix, key_size_str, (int) mbedtls_pk_get_bitlen(&crt->pk));
MBEDTLS_X509_SAFE_SNPRINTF;
/*
@ -2013,11 +2011,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
{
int flags = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_algorithm;
#else
const mbedtls_md_info_t *md_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t hash_length;
if (ca == NULL) {
@ -2051,7 +2045,6 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
flags |= MBEDTLS_X509_BADCRL_BAD_PK;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm = mbedtls_md_psa_alg_from_type(crl_list->sig_md);
if (psa_hash_compute(psa_algorithm,
crl_list->tbs.p,
@ -2063,18 +2056,6 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
break;
}
#else
md_info = mbedtls_md_info_from_type(crl_list->sig_md);
hash_length = mbedtls_md_get_size(md_info);
if (mbedtls_md(md_info,
crl_list->tbs.p,
crl_list->tbs.len,
hash) != 0) {
/* Note: this can't happen except after an internal error */
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
break;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (x509_profile_check_key(profile, &ca->pk) != 0) {
flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
@ -2126,16 +2107,6 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
{
size_t hash_len;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type(child->sig_md);
hash_len = mbedtls_md_get_size(md_info);
/* Note: hash errors can happen only after an internal error */
if (mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash) != 0) {
return -1;
}
#else
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@ -2149,7 +2120,6 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Skip expensive computation on obvious mismatch */
if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) {
return -1;

12
library/x509_csr.c
View File

@ -519,8 +519,8 @@ int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path)
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
#define BEFORE_COLON 14
#define BC "14"
#define MBEDTLS_BEFORE_COLON 14
#define MBEDTLS_BEFORE_COLON_STR "14"
/*
* Return an informational string about the CSR.
*/
@ -530,7 +530,7 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
char *p;
char key_size_str[BEFORE_COLON];
char key_size_str[MBEDTLS_BEFORE_COLON];
p = buf;
n = size;
@ -551,13 +551,13 @@ int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
csr->sig_opts);
MBEDTLS_X509_SAFE_SNPRINTF;
if ((ret = mbedtls_x509_key_size_helper(key_size_str, BEFORE_COLON,
if ((ret = mbedtls_x509_key_size_helper(key_size_str, MBEDTLS_BEFORE_COLON,
mbedtls_pk_get_name(&csr->pk))) != 0) {
return ret;
}
ret = mbedtls_snprintf(p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
(int) mbedtls_pk_get_bitlen(&csr->pk));
ret = mbedtls_snprintf(p, n, "\n%s%-" MBEDTLS_BEFORE_COLON_STR "s: %d bits\n",
prefix, key_size_str, (int) mbedtls_pk_get_bitlen(&csr->pk));
MBEDTLS_X509_SAFE_SNPRINTF;
/*

2
library/x509write.c
View File

@ -22,11 +22,9 @@
#include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#define CHECK_OVERFLOW_ADD(a, b) \
do \

60
library/x509write_crt.c
View File

@ -30,11 +30,9 @@
#include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
{
@ -92,30 +90,6 @@ int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx,
return mbedtls_x509_string_to_names(&ctx->issuer, issuer_name);
}
#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
const mbedtls_mpi *serial)
{
int ret;
size_t tmp_len;
/* Ensure that the MPI value fits into the buffer */
tmp_len = mbedtls_mpi_size(serial);
if (tmp_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
}
ctx->serial_len = tmp_len;
ret = mbedtls_mpi_write_binary(serial, ctx->serial, tmp_len);
if (ret < 0) {
return ret;
}
return 0;
}
#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
unsigned char *serial, size_t serial_len)
{
@ -203,10 +177,8 @@ static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
unsigned char *c = buf + sizeof(buf);
size_t len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t hash_length;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memset(buf, 0, sizeof(buf));
MBEDTLS_ASN1_CHK_ADD(len,
@ -217,7 +189,6 @@ static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
ctx->subject_key));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_compute(PSA_ALG_SHA_1,
buf + sizeof(buf) - len,
len,
@ -227,14 +198,6 @@ static int mbedtls_x509write_crt_set_key_identifier(mbedtls_x509write_cert *ctx,
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#else
ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
buf + sizeof(buf) - len, len,
buf + sizeof(buf) - 20);
if (ret != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
c = buf + sizeof(buf) - 20;
len = 20;
@ -416,9 +379,7 @@ static int x509_write_time(unsigned char **p, unsigned char *start,
}
int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
unsigned char *buf, size_t size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const char *sig_oid;
@ -427,10 +388,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
size_t hash_length = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t psa_algorithm;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
@ -596,7 +555,6 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
*/
/* Compute hash of CRT. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm = mbedtls_md_psa_alg_from_type(ctx->md_alg);
status = psa_hash_compute(psa_algorithm,
@ -608,17 +566,10 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#else
if ((ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c,
len, hash)) != 0) {
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_pk_sign(ctx->issuer_key, ctx->md_alg,
hash, hash_length, sig, sizeof(sig), &sig_len,
f_rng, p_rng)) != 0) {
hash, hash_length, sig, sizeof(sig), &sig_len)) != 0) {
return ret;
}
@ -660,15 +611,12 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
#if defined(MBEDTLS_PEM_WRITE_C)
int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *crt,
unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
unsigned char *buf, size_t size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen;
if ((ret = mbedtls_x509write_crt_der(crt, buf, size,
f_rng, p_rng)) < 0) {
if ((ret = mbedtls_x509write_crt_der(crt, buf, size)) < 0) {
return ret;
}

32
library/x509write_csr.c
View File

@ -20,11 +20,9 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa_util_internal.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
#include <stdlib.h>
@ -133,9 +131,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
unsigned char *buf,
size_t size,
unsigned char *sig, size_t sig_size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
unsigned char *sig, size_t sig_size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const char *sig_oid;
@ -145,10 +141,8 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Write the CSR backwards starting from the end of buf */
c = buf + size;
@ -213,7 +207,6 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
* Sign the written CSR data into the sig buffer
* Note: hash errors can happen only after an internal error
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (psa_hash_compute(hash_alg,
c,
len,
@ -222,15 +215,8 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
&hash_len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_md(mbedtls_md_info_from_type(ctx->md_alg), c, len, hash);
if (ret != 0) {
return ret;
}
#endif
if ((ret = mbedtls_pk_sign(ctx->key, ctx->md_alg, hash, 0,
sig, sig_size, &sig_len,
f_rng, p_rng)) != 0) {
sig, sig_size, &sig_len)) != 0) {
return ret;
}
@ -285,9 +271,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
}
int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
size_t size)
{
int ret;
unsigned char *sig;
@ -297,8 +281,7 @@ int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
}
ret = x509write_csr_der_internal(ctx, buf, size,
sig, MBEDTLS_PK_SIGNATURE_MAX_SIZE,
f_rng, p_rng);
sig, MBEDTLS_PK_SIGNATURE_MAX_SIZE);
mbedtls_free(sig);
@ -309,15 +292,12 @@ int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf,
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
#if defined(MBEDTLS_PEM_WRITE_C)
int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen = 0;
if ((ret = mbedtls_x509write_csr_der(ctx, buf, size,
f_rng, p_rng)) < 0) {
if ((ret = mbedtls_x509write_csr_der(ctx, buf, size)) < 0) {
return ret;
}

23
programs/.gitignore vendored
View File

@ -5,36 +5,14 @@
*.sln
*.vcxproj
aes/crypt_and_hash
cipher/cipher_aead_demo
hash/generic_sum
hash/hello
hash/md_hmac_demo
hash/md5sum
hash/sha1sum
hash/sha2sum
pkey/dh_client
pkey/dh_genprime
pkey/dh_server
pkey/ecdh_curve25519
pkey/ecdsa
pkey/gen_key
pkey/key_app
pkey/key_app_writer
pkey/mpi_demo
pkey/pk_decrypt
pkey/pk_encrypt
pkey/pk_sign
pkey/pk_verify
pkey/rsa_decrypt
pkey/rsa_encrypt
pkey/rsa_genkey
pkey/rsa_sign
pkey/rsa_sign_pss
pkey/rsa_verify
pkey/rsa_verify_pss
random/gen_entropy
random/gen_random_ctr_drbg
ssl/dtls_client
ssl/dtls_server
ssl/mini_client
@ -46,7 +24,6 @@ ssl/ssl_mail_client
ssl/ssl_pthread_server
ssl/ssl_server
ssl/ssl_server2
test/benchmark
test/cpp_dummy_build
test/cpp_dummy_build.cpp
test/dlopen

4
programs/CMakeLists.txt
View File

@ -1,14 +1,10 @@
set(programs_target "${MBEDTLS_TARGET_PREFIX}programs")
add_custom_target(${programs_target})
add_subdirectory(aes)
add_subdirectory(cipher)
if (NOT WIN32)
add_subdirectory(fuzz)
endif()
add_subdirectory(hash)
add_subdirectory(pkey)
add_subdirectory(random)
add_subdirectory(ssl)
add_subdirectory(test)
add_subdirectory(util)

151
programs/Makefile
View File

@ -1,4 +1,5 @@
MBEDTLS_TEST_PATH = ../tests
FRAMEWORK = ${MBEDTLS_PATH}/framework
include ../scripts/common.make
ifeq ($(shell uname -s),Linux)
@ -24,6 +25,8 @@ else
BUILD_DLOPEN =
endif
LOCAL_CFLAGS += -I$(FRAMEWORK)/tests/programs
## The following assignment is the list of base names of applications that
## will be built on Windows. Extra Linux/Unix/POSIX-only applications can
## be declared by appending with `APPS += ...` afterwards.
@ -33,30 +36,10 @@ endif
## Note: Variables cannot be used to define an apps path. This cannot be
## substituted by the script generate_visualc_files.pl.
APPS = \
aes/crypt_and_hash \
cipher/cipher_aead_demo \
hash/generic_sum \
hash/hello \
hash/md_hmac_demo \
pkey/dh_client \
pkey/dh_genprime \
pkey/dh_server \
pkey/ecdh_curve25519 \
pkey/ecdsa \
pkey/gen_key \
pkey/key_app \
pkey/key_app_writer \
pkey/mpi_demo \
pkey/pk_decrypt \
pkey/pk_encrypt \
pkey/pk_sign \
pkey/pk_verify \
pkey/rsa_decrypt \
pkey/rsa_encrypt \
pkey/rsa_genkey \
pkey/rsa_sign \
pkey/rsa_sign_pss \
pkey/rsa_verify \
pkey/rsa_verify_pss \
../tf-psa-crypto/programs/psa/aead_demo \
../tf-psa-crypto/programs/psa/crypto_examples \
@ -64,8 +47,7 @@ APPS = \
../tf-psa-crypto/programs/psa/key_ladder_demo \
../tf-psa-crypto/programs/psa/psa_constant_names \
../tf-psa-crypto/programs/psa/psa_hash \
random/gen_entropy \
random/gen_random_ctr_drbg \
../tf-psa-crypto/programs/test/which_aes \
ssl/dtls_client \
ssl/dtls_server \
ssl/mini_client \
@ -76,7 +58,6 @@ APPS = \
ssl/ssl_mail_client \
ssl/ssl_server \
ssl/ssl_server2 \
test/benchmark \
test/metatest \
test/query_compile_time_config \
test/query_included_headers \
@ -155,70 +136,10 @@ test/query_config.c:
echo " Gen $@"
$(PERL) ../scripts/generate_query_config.pl
aes/crypt_and_hash$(EXEXT): aes/crypt_and_hash.c $(DEP)
echo " CC aes/crypt_and_hash.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) aes/crypt_and_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
cipher/cipher_aead_demo$(EXEXT): cipher/cipher_aead_demo.c $(DEP)
echo " CC cipher/cipher_aead_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) cipher/cipher_aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
hash/generic_sum$(EXEXT): hash/generic_sum.c $(DEP)
echo " CC hash/generic_sum.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/generic_sum.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
hash/hello$(EXEXT): hash/hello.c $(DEP)
echo " CC hash/hello.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/hello.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
hash/md_hmac_demo$(EXEXT): hash/md_hmac_demo.c $(DEP)
echo " CC hash/md_hmac_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) hash/md_hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/dh_client$(EXEXT): pkey/dh_client.c $(DEP)
echo " CC pkey/dh_client.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/dh_genprime$(EXEXT): pkey/dh_genprime.c $(DEP)
echo " CC pkey/dh_genprime.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_genprime.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/dh_server$(EXEXT): pkey/dh_server.c $(DEP)
echo " CC pkey/dh_server.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/ecdh_curve25519$(EXEXT): pkey/ecdh_curve25519.c $(DEP)
echo " CC pkey/ecdh_curve25519.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdh_curve25519.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/ecdsa$(EXEXT): pkey/ecdsa.c $(DEP)
echo " CC pkey/ecdsa.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdsa.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/gen_key$(EXEXT): pkey/gen_key.c $(DEP)
echo " CC pkey/gen_key.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/gen_key.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/key_app$(EXEXT): pkey/key_app.c $(DEP)
echo " CC pkey/key_app.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/key_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/key_app_writer$(EXEXT): pkey/key_app_writer.c $(DEP)
echo " CC pkey/key_app_writer.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/key_app_writer.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/mpi_demo$(EXEXT): pkey/mpi_demo.c $(DEP)
echo " CC pkey/mpi_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/mpi_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_decrypt$(EXEXT): pkey/pk_decrypt.c $(DEP)
echo " CC pkey/pk_decrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_decrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_encrypt$(EXEXT): pkey/pk_encrypt.c $(DEP)
echo " CC pkey/pk_encrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_encrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/pk_sign$(EXEXT): pkey/pk_sign.c $(DEP)
echo " CC pkey/pk_sign.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_sign.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@ -227,18 +148,6 @@ pkey/pk_verify$(EXEXT): pkey/pk_verify.c $(DEP)
echo " CC pkey/pk_verify.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_verify.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_genkey$(EXEXT): pkey/rsa_genkey.c $(DEP)
echo " CC pkey/rsa_genkey.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_genkey.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_sign$(EXEXT): pkey/rsa_sign.c $(DEP)
echo " CC pkey/rsa_sign.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_sign.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_verify$(EXEXT): pkey/rsa_verify.c $(DEP)
echo " CC pkey/rsa_verify.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_verify.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_sign_pss$(EXEXT): pkey/rsa_sign_pss.c $(DEP)
echo " CC pkey/rsa_sign_pss.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_sign_pss.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@ -247,14 +156,6 @@ pkey/rsa_verify_pss$(EXEXT): pkey/rsa_verify_pss.c $(DEP)
echo " CC pkey/rsa_verify_pss.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_verify_pss.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_decrypt$(EXEXT): pkey/rsa_decrypt.c $(DEP)
echo " CC pkey/rsa_decrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_decrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
pkey/rsa_encrypt$(EXEXT): pkey/rsa_encrypt.c $(DEP)
echo " CC pkey/rsa_encrypt.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_encrypt.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
../tf-psa-crypto/programs/psa/aead_demo$(EXEXT): ../tf-psa-crypto/programs/psa/aead_demo.c $(DEP)
echo " CC psa/aead_demo.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@ -279,13 +180,9 @@ pkey/rsa_encrypt$(EXEXT): pkey/rsa_encrypt.c $(DEP)
echo " CC psa/psa_hash.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
random/gen_entropy$(EXEXT): random/gen_entropy.c $(DEP)
echo " CC random/gen_entropy.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) random/gen_entropy.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
random/gen_random_ctr_drbg$(EXEXT): random/gen_random_ctr_drbg.c $(DEP)
echo " CC random/gen_random_ctr_drbg.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) random/gen_random_ctr_drbg.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
../tf-psa-crypto/programs/test/which_aes$(EXEXT): ../tf-psa-crypto/programs/test/which_aes.c $(DEP)
echo " CC test/which_aes.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/test/which_aes.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/dtls_client$(EXEXT): ssl/dtls_client.c $(DEP)
echo " CC ssl/dtls_client.c"
@ -301,7 +198,7 @@ ssl/ssl_client1$(EXEXT): ssl/ssl_client1.c $(DEP)
SSL_TEST_OBJECTS = test/query_config.o ssl/ssl_test_lib.o
SSL_TEST_DEPS = $(SSL_TEST_OBJECTS) \
test/query_config.h \
$(FRAMEWORK)/tests/programs/query_config.h \
ssl/ssl_test_lib.h \
ssl/ssl_test_common_source.c \
$(DEP)
@ -322,7 +219,7 @@ ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c $(SSL_TEST_DEPS)
echo " CC ssl/ssl_server2.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c $(SSL_TEST_OBJECTS) $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ssl/ssl_context_info$(EXEXT): ssl/ssl_context_info.c test/query_config.o test/query_config.h $(DEP)
ssl/ssl_context_info$(EXEXT): ssl/ssl_context_info.c test/query_config.o $(FRAMEWORK)/tests/programs/query_config.h $(DEP)
echo " CC ssl/ssl_context_info.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_context_info.c test/query_config.o $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@ -342,10 +239,6 @@ ssl/mini_client$(EXEXT): ssl/mini_client.c $(DEP)
echo " CC ssl/mini_client.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/mini_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/benchmark$(EXEXT): test/benchmark.c $(DEP)
echo " CC test/benchmark.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/benchmark.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/cpp_dummy_build.cpp: test/generate_cpp_dummy_build.sh
echo " Gen test/cpp_dummy_build.cpp"
test/generate_cpp_dummy_build.sh
@ -363,17 +256,17 @@ test/dlopen$(EXEXT): test/dlopen.c $(DEP)
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/dlopen.c $(LDFLAGS) $(DLOPEN_LDFLAGS) -o $@
endif
test/metatest$(EXEXT): test/metatest.c $(DEP)
echo " CC test/metatest.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core test/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/metatest$(EXEXT): $(FRAMEWORK)/tests/programs/metatest.c $(DEP)
echo " CC $(FRAMEWORK)/tests/programs/metatest.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core $(FRAMEWORK)/tests/programs/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_config.o: test/query_config.c test/query_config.h $(DEP)
test/query_config.o: test/query_config.c $(FRAMEWORK)/tests/programs/query_config.h $(DEP)
echo " CC test/query_config.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c test/query_config.c -o $@
test/query_included_headers$(EXEXT): test/query_included_headers.c $(DEP)
echo " CC test/query_included_headers.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_included_headers.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_included_headers$(EXEXT): $(FRAMEWORK)/tests/programs/query_included_headers.c $(DEP)
echo " CC $(FRAMEWORK)/tests/programs/query_included_headers.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $(FRAMEWORK)/tests/programs/query_included_headers.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/selftest$(EXEXT): test/selftest.c $(DEP)
echo " CC test/selftest.c"
@ -383,13 +276,13 @@ test/udp_proxy$(EXEXT): test/udp_proxy.c $(DEP)
echo " CC test/udp_proxy.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/udp_proxy.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/zeroize$(EXEXT): test/zeroize.c $(DEP)
echo " CC test/zeroize.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/zeroize.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/zeroize$(EXEXT): $(FRAMEWORK)/tests/programs/zeroize.c $(DEP)
echo " CC $(FRAMEWORK)/tests/programs/zeroize.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $(FRAMEWORK)/tests/programs/zeroize.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c test/query_config.o test/query_config.h $(DEP)
echo " CC test/query_compile_time_config.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c test/query_config.o $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_compile_time_config$(EXEXT): $(FRAMEWORK)/tests/programs/query_compile_time_config.c test/query_config.o $(FRAMEWORK)/tests/programs/query_config.h $(DEP)
echo " CC $(FRAMEWORK)/tests/programs/query_compile_time_config.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $(FRAMEWORK)/tests/programs/query_compile_time_config.c test/query_config.o $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
util/pem2der$(EXEXT): util/pem2der.c $(DEP)
echo " CC util/pem2der.c"

52
programs/README.md
View File

@ -3,63 +3,16 @@ Mbed TLS sample programs
This subdirectory mostly contains sample programs that illustrate specific features of the library, as well as a few test and support programs.
## Symmetric cryptography (AES) examples
* [`aes/crypt_and_hash.c`](aes/crypt_and_hash.c): file encryption and authentication, demonstrating the generic cipher interface and the generic hash interface.
## Hash (digest) examples
* [`hash/generic_sum.c`](hash/generic_sum.c): file hash calculator and verifier, demonstrating the message digest (`md`) interface.
* [`hash/hello.c`](hash/hello.c): hello-world program for MD5.
## Public-key cryptography examples
### Generic public-key cryptography (`pk`) examples
* [`pkey/gen_key.c`](pkey/gen_key.c): generates a key for any of the supported public-key algorithms (RSA or ECC) and writes it to a file that can be used by the other pk sample programs.
* [`pkey/key_app.c`](pkey/key_app.c): loads a PEM or DER public key or private key file and dumps its content.
* [`pkey/key_app_writer.c`](pkey/key_app_writer.c): loads a PEM or DER public key or private key file and writes it to a new PEM or DER file.
* [`pkey/pk_encrypt.c`](pkey/pk_encrypt.c), [`pkey/pk_decrypt.c`](pkey/pk_decrypt.c): loads a PEM or DER public/private key file and uses the key to encrypt/decrypt a short string through the generic public-key interface.
* [`pkey/pk_sign.c`](pkey/pk_sign.c), [`pkey/pk_verify.c`](pkey/pk_verify.c): loads a PEM or DER private/public key file and uses the key to sign/verify a short string.
### ECDSA and RSA signature examples
* [`pkey/ecdsa.c`](pkey/ecdsa.c): generates an ECDSA key, signs a fixed message and verifies the signature.
* [`pkey/rsa_encrypt.c`](pkey/rsa_encrypt.c), [`pkey/rsa_decrypt.c`](pkey/rsa_decrypt.c): loads an RSA public/private key and uses it to encrypt/decrypt a short string through the low-level RSA interface.
* [`pkey/rsa_genkey.c`](pkey/rsa_genkey.c): generates an RSA key and writes it to a file that can be used with the other RSA sample programs.
* [`pkey/rsa_sign.c`](pkey/rsa_sign.c), [`pkey/rsa_verify.c`](pkey/rsa_verify.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSA PKCS#1 v1.5 algorithm.
* [`pkey/rsa_sign_pss.c`](pkey/rsa_sign_pss.c), [`pkey/rsa_verify_pss.c`](pkey/rsa_verify_pss.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSASSA-PSS algorithm.
### Diffie-Hellman key exchange examples
* [`pkey/dh_client.c`](pkey/dh_client.c), [`pkey/dh_server.c`](pkey/dh_server.c): secure channel demonstrators (client, server). This pair of programs illustrates how to set up a secure channel using RSA for authentication and Diffie-Hellman to generate a shared AES session key.
* [`pkey/ecdh_curve25519.c`](pkey/ecdh_curve25519.c): demonstration of a elliptic curve Diffie-Hellman (ECDH) key agreement.
### Bignum (`mpi`) usage examples
* [`pkey/dh_genprime.c`](pkey/dh_genprime.c): shows how to use the bignum (`mpi`) interface to generate Diffie-Hellman parameters.
* [`pkey/mpi_demo.c`](pkey/mpi_demo.c): demonstrates operations on big integers.
## Random number generator (RNG) examples
* [`random/gen_entropy.c`](random/gen_entropy.c): shows how to use the default entropy sources to generate random data.
Note: most applications should only use the entropy generator to seed a cryptographic pseudorandom generator, as illustrated by `random/gen_random_ctr_drbg.c`.
* [`random/gen_random_ctr_drbg.c`](random/gen_random_ctr_drbg.c): shows how to use the default entropy sources to seed a pseudorandom generator, and how to use the resulting random generator to generate random data.
## SSL/TLS examples
### SSL/TLS sample applications
* [`ssl/dtls_client.c`](ssl/dtls_client.c): a simple DTLS client program, which sends one datagram to the server and reads one datagram in response.
@ -90,13 +43,11 @@ In addition to providing options for testing client-side features, the `ssl_clie
## Test utilities
* [`test/benchmark.c`](test/benchmark.c): benchmark for cryptographic algorithms.
* [`test/selftest.c`](test/selftest.c): runs the self-test function in each library module.
* [`test/udp_proxy.c`](test/udp_proxy.c): a UDP proxy that can inject certain failures (delay, duplicate, drop). Useful for testing DTLS.
* [`test/zeroize.c`](test/zeroize.c): a test program for `mbedtls_platform_zeroize`, used by [`tests/scripts/test_zeroize.gdb`](tests/scripts/test_zeroize.gdb).
* [`test/zeroize.c`](../framework/tests/programs/zeroize.c): a test program for `mbedtls_platform_zeroize`, used by [`test_zeroize.gdb`](../framework/tests/programs/test_zeroize.gdb).
## Development utilities
@ -115,4 +66,3 @@ In addition to providing options for testing client-side features, the `ssl_clie
* [`x509/crl_app.c`](x509/crl_app.c): loads and dumps a certificate revocation list (CRL).
* [`x509/req_app.c`](x509/req_app.c): loads and dumps a certificate signing request (CSR).

15
programs/aes/CMakeLists.txt
View File

@ -1,15 +0,0 @@
set(executables
crypt_and_hash
)
add_dependencies(${programs_target} ${executables})
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
set_base_compile_options(${exe})
target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include)
endforeach()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

577
programs/aes/crypt_and_hash.c
View File

@ -1,577 +0,0 @@
/*
* \brief Generic file encryption program using generic wrappers for configured
* security.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* Enable definition of fileno() even when compiling with -std=c99. Must be
* set before mbedtls_config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
#define _POSIX_C_SOURCE 200112L
#include "mbedtls/build_info.h"
#include "mbedtls/platform.h"
#if defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_MD_C) && \
defined(MBEDTLS_FS_IO)
#include "mbedtls/cipher.h"
#include "mbedtls/md.h"
#include "mbedtls/platform_util.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#endif
#if defined(_WIN32)
#include <windows.h>
#if !defined(_WIN32_WCE)
#include <io.h>
#endif
#else
#include <sys/types.h>
#include <unistd.h>
#endif
#define MODE_ENCRYPT 0
#define MODE_DECRYPT 1
#define USAGE \
"\n crypt_and_hash <mode> <input filename> <output filename> <cipher> <mbedtls_md> <key>\n" \
"\n <mode>: 0 = encrypt, 1 = decrypt\n" \
"\n example: crypt_and_hash 0 file file.aes AES-128-CBC SHA1 hex:E76B2413958B00E193\n" \
"\n"
#if !defined(MBEDTLS_CIPHER_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_CIPHER_C and/or MBEDTLS_MD_C and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
int main(int argc, char *argv[])
{
int ret = 1, i;
unsigned n;
int exit_code = MBEDTLS_EXIT_FAILURE;
int mode;
size_t keylen, ilen, olen;
FILE *fkey, *fin = NULL, *fout = NULL;
char *p;
unsigned char IV[16];
unsigned char key[512];
unsigned char digest[MBEDTLS_MD_MAX_SIZE];
unsigned char buffer[1024];
unsigned char output[1024];
unsigned char diff;
const mbedtls_cipher_info_t *cipher_info;
const mbedtls_md_info_t *md_info;
mbedtls_cipher_context_t cipher_ctx;
mbedtls_md_context_t md_ctx;
mbedtls_cipher_mode_t cipher_mode;
unsigned int cipher_block_size;
unsigned char md_size;
#if defined(_WIN32_WCE)
long filesize, offset;
#elif defined(_WIN32)
LARGE_INTEGER li_size;
__int64 filesize, offset;
#else
off_t filesize, offset;
#endif
mbedtls_cipher_init(&cipher_ctx);
mbedtls_md_init(&md_ctx);
/*
* Parse the command-line arguments.
*/
if (argc != 7) {
const int *list;
mbedtls_printf(USAGE);
mbedtls_printf("Available ciphers:\n");
list = mbedtls_cipher_list();
while (*list) {
cipher_info = mbedtls_cipher_info_from_type(*list);
const char *name = mbedtls_cipher_info_get_name(cipher_info);
if (name) {
mbedtls_printf(" %s\n", mbedtls_cipher_info_get_name(cipher_info));
}
list++;
}
mbedtls_printf("\nAvailable message digests:\n");
list = mbedtls_md_list();
while (*list) {
md_info = mbedtls_md_info_from_type(*list);
mbedtls_printf(" %s\n", mbedtls_md_get_name(md_info));
list++;
}
goto exit;
}
mode = atoi(argv[1]);
if (mode != MODE_ENCRYPT && mode != MODE_DECRYPT) {
mbedtls_fprintf(stderr, "invalid operation mode\n");
goto exit;
}
if (strcmp(argv[2], argv[3]) == 0) {
mbedtls_fprintf(stderr, "input and output filenames must differ\n");
goto exit;
}
if ((fin = fopen(argv[2], "rb")) == NULL) {
mbedtls_fprintf(stderr, "fopen(%s,rb) failed\n", argv[2]);
goto exit;
}
if ((fout = fopen(argv[3], "wb+")) == NULL) {
mbedtls_fprintf(stderr, "fopen(%s,wb+) failed\n", argv[3]);
goto exit;
}
/* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */
mbedtls_setbuf(fin, NULL);
mbedtls_setbuf(fout, NULL);
/*
* Read the Cipher and MD from the command line
*/
cipher_info = mbedtls_cipher_info_from_string(argv[4]);
if (cipher_info == NULL) {
mbedtls_fprintf(stderr, "Cipher '%s' not found\n", argv[4]);
goto exit;
}
if ((ret = mbedtls_cipher_setup(&cipher_ctx, cipher_info)) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_setup failed\n");
goto exit;
}
md_info = mbedtls_md_info_from_string(argv[5]);
if (md_info == NULL) {
mbedtls_fprintf(stderr, "Message Digest '%s' not found\n", argv[5]);
goto exit;
}
if (mbedtls_md_setup(&md_ctx, md_info, 1) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_setup failed\n");
goto exit;
}
/*
* Read the secret key from file or command line
*/
if ((fkey = fopen(argv[6], "rb")) != NULL) {
keylen = fread(key, 1, sizeof(key), fkey);
fclose(fkey);
} else {
if (memcmp(argv[6], "hex:", 4) == 0) {
p = &argv[6][4];
keylen = 0;
while (sscanf(p, "%02X", (unsigned int *) &n) > 0 &&
keylen < (int) sizeof(key)) {
key[keylen++] = (unsigned char) n;
p += 2;
}
} else {
keylen = strlen(argv[6]);
if (keylen > (int) sizeof(key)) {
keylen = (int) sizeof(key);
}
memcpy(key, argv[6], keylen);
}
}
#if defined(_WIN32_WCE)
filesize = fseek(fin, 0L, SEEK_END);
#else
#if defined(_WIN32)
/*
* Support large files (> 2Gb) on Win32
*/
li_size.QuadPart = 0;
li_size.LowPart =
SetFilePointer((HANDLE) _get_osfhandle(_fileno(fin)),
li_size.LowPart, &li_size.HighPart, FILE_END);
if (li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR) {
mbedtls_fprintf(stderr, "SetFilePointer(0,FILE_END) failed\n");
goto exit;
}
filesize = li_size.QuadPart;
#else
if ((filesize = lseek(fileno(fin), 0, SEEK_END)) < 0) {
perror("lseek");
goto exit;
}
#endif
#endif
if (fseek(fin, 0, SEEK_SET) < 0) {
mbedtls_fprintf(stderr, "fseek(0,SEEK_SET) failed\n");
goto exit;
}
md_size = mbedtls_md_get_size(md_info);
cipher_block_size = mbedtls_cipher_get_block_size(&cipher_ctx);
if (mode == MODE_ENCRYPT) {
/*
* Generate the initialization vector as:
* IV = MD( filesize || filename )[0..15]
*/
for (i = 0; i < 8; i++) {
buffer[i] = (unsigned char) (filesize >> (i << 3));
}
p = argv[2];
if (mbedtls_md_starts(&md_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_starts() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, buffer, 8) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, (unsigned char *) p, strlen(p))
!= 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_finish() returned error\n");
goto exit;
}
memcpy(IV, digest, 16);
/*
* Append the IV at the beginning of the output.
*/
if (fwrite(IV, 1, 16, fout) != 16) {
mbedtls_fprintf(stderr, "fwrite(%d bytes) failed\n", 16);
goto exit;
}
/*
* Hash the IV and the secret key together 8192 times
* using the result to setup the AES context and HMAC.
*/
memset(digest, 0, 32);
memcpy(digest, IV, 16);
for (i = 0; i < 8192; i++) {
if (mbedtls_md_starts(&md_ctx) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_starts() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, key, keylen) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr,
"mbedtls_md_finish() returned error\n");
goto exit;
}
}
if (mbedtls_cipher_setkey(&cipher_ctx,
digest,
(int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_ENCRYPT) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_setkey() returned error\n");
goto exit;
}
if (mbedtls_cipher_set_iv(&cipher_ctx, IV, 16) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_set_iv() returned error\n");
goto exit;
}
if (mbedtls_cipher_reset(&cipher_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_reset() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_starts(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_starts() returned error\n");
goto exit;
}
/*
* Encrypt and write the ciphertext.
*/
for (offset = 0; offset < filesize; offset += cipher_block_size) {
ilen = ((unsigned int) filesize - offset > cipher_block_size) ?
cipher_block_size : (unsigned int) (filesize - offset);
if (fread(buffer, 1, ilen, fin) != ilen) {
mbedtls_fprintf(stderr, "fread(%ld bytes) failed\n", (long) ilen);
goto exit;
}
if (mbedtls_cipher_update(&cipher_ctx, buffer, ilen, output, &olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_update() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_update(&md_ctx, output, olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_update() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
}
if (mbedtls_cipher_finish(&cipher_ctx, output, &olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_finish() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_update(&md_ctx, output, olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_update() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
/*
* Finally write the HMAC.
*/
if (mbedtls_md_hmac_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_finish() returned error\n");
goto exit;
}
if (fwrite(digest, 1, md_size, fout) != md_size) {
mbedtls_fprintf(stderr, "fwrite(%d bytes) failed\n", md_size);
goto exit;
}
}
if (mode == MODE_DECRYPT) {
/*
* The encrypted file must be structured as follows:
*
* 00 .. 15 Initialization Vector
* 16 .. 31 Encrypted Block #1
* ..
* N*16 .. (N+1)*16 - 1 Encrypted Block #N
* (N+1)*16 .. (N+1)*16 + n Hash(ciphertext)
*/
if (filesize < 16 + md_size) {
mbedtls_fprintf(stderr, "File too short to be encrypted.\n");
goto exit;
}
if (cipher_block_size == 0) {
mbedtls_fprintf(stderr, "Invalid cipher block size: 0. \n");
goto exit;
}
/*
* Check the file size.
*/
cipher_mode = mbedtls_cipher_info_get_mode(cipher_info);
if (cipher_mode != MBEDTLS_MODE_GCM &&
cipher_mode != MBEDTLS_MODE_CTR &&
cipher_mode != MBEDTLS_MODE_CFB &&
cipher_mode != MBEDTLS_MODE_OFB &&
((filesize - md_size) % cipher_block_size) != 0) {
mbedtls_fprintf(stderr, "File content not a multiple of the block size (%u).\n",
cipher_block_size);
goto exit;
}
/*
* Subtract the IV + HMAC length.
*/
filesize -= (16 + md_size);
/*
* Read the IV and original filesize modulo 16.
*/
if (fread(buffer, 1, 16, fin) != 16) {
mbedtls_fprintf(stderr, "fread(%d bytes) failed\n", 16);
goto exit;
}
memcpy(IV, buffer, 16);
/*
* Hash the IV and the secret key together 8192 times
* using the result to setup the AES context and HMAC.
*/
memset(digest, 0, 32);
memcpy(digest, IV, 16);
for (i = 0; i < 8192; i++) {
if (mbedtls_md_starts(&md_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_starts() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_update(&md_ctx, key, keylen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_update() returned error\n");
goto exit;
}
if (mbedtls_md_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_finish() returned error\n");
goto exit;
}
}
if (mbedtls_cipher_setkey(&cipher_ctx,
digest,
(int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_DECRYPT) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_setkey() returned error\n");
goto exit;
}
if (mbedtls_cipher_set_iv(&cipher_ctx, IV, 16) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_set_iv() returned error\n");
goto exit;
}
if (mbedtls_cipher_reset(&cipher_ctx) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_reset() returned error\n");
goto exit;
}
if (mbedtls_md_hmac_starts(&md_ctx, digest, 32) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_starts() returned error\n");
goto exit;
}
/*
* Decrypt and write the plaintext.
*/
for (offset = 0; offset < filesize; offset += cipher_block_size) {
ilen = ((unsigned int) filesize - offset > cipher_block_size) ?
cipher_block_size : (unsigned int) (filesize - offset);
if (fread(buffer, 1, ilen, fin) != ilen) {
mbedtls_fprintf(stderr, "fread(%u bytes) failed\n",
cipher_block_size);
goto exit;
}
if (mbedtls_md_hmac_update(&md_ctx, buffer, ilen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_update() returned error\n");
goto exit;
}
if (mbedtls_cipher_update(&cipher_ctx, buffer, ilen, output,
&olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_update() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
}
/*
* Verify the message authentication code.
*/
if (mbedtls_md_hmac_finish(&md_ctx, digest) != 0) {
mbedtls_fprintf(stderr, "mbedtls_md_hmac_finish() returned error\n");
goto exit;
}
if (fread(buffer, 1, md_size, fin) != md_size) {
mbedtls_fprintf(stderr, "fread(%d bytes) failed\n", md_size);
goto exit;
}
/* Use constant-time buffer comparison */
diff = 0;
for (i = 0; i < md_size; i++) {
diff |= digest[i] ^ buffer[i];
}
if (diff != 0) {
mbedtls_fprintf(stderr, "HMAC check failed: wrong key, "
"or file corrupted.\n");
goto exit;
}
/*
* Write the final block of data
*/
if (mbedtls_cipher_finish(&cipher_ctx, output, &olen) != 0) {
mbedtls_fprintf(stderr, "mbedtls_cipher_finish() returned error\n");
goto exit;
}
if (fwrite(output, 1, olen, fout) != olen) {
mbedtls_fprintf(stderr, "fwrite(%ld bytes) failed\n", (long) olen);
goto exit;
}
}
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
if (fin) {
fclose(fin);
}
if (fout) {
fclose(fout);
}
/* Zeroize all command line arguments to also cover
the case when the user has missed or reordered some,
in which case the key might not be in argv[6]. */
for (i = 0; i < argc; i++) {
mbedtls_platform_zeroize(argv[i], strlen(argv[i]));
}
mbedtls_platform_zeroize(IV, sizeof(IV));
mbedtls_platform_zeroize(key, sizeof(key));
mbedtls_platform_zeroize(buffer, sizeof(buffer));
mbedtls_platform_zeroize(output, sizeof(output));
mbedtls_platform_zeroize(digest, sizeof(digest));
mbedtls_cipher_free(&cipher_ctx);
mbedtls_md_free(&md_ctx);
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_CIPHER_C && MBEDTLS_MD_C && MBEDTLS_FS_IO */

15
programs/cipher/CMakeLists.txt
View File

@ -1,15 +0,0 @@
set(executables
cipher_aead_demo
)
add_dependencies(${programs_target} ${executables})
foreach(exe IN LISTS executables)
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
set_base_compile_options(${exe})
target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include)
endforeach()
install(TARGETS ${executables}
DESTINATION "bin"
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)

259
programs/cipher/cipher_aead_demo.c
View File

@ -1,259 +0,0 @@
/**
* Cipher API multi-part AEAD demonstration.
*
* This program AEAD-encrypts a message, using the algorithm and key size
* specified on the command line, using the multi-part API.
*
* It comes with a companion program psa/aead_demo.c, which does the same
* operations with the PSA Crypto API. The goal is that comparing the two
* programs will help people migrating to the PSA Crypto API.
*
* When used with multi-part AEAD operations, the `mbedtls_cipher_context`
* serves a triple purpose (1) hold the key, (2) store the algorithm when no
* operation is active, and (3) save progress information for the current
* operation. With PSA those roles are held by disinct objects: (1) a
* psa_key_id_t to hold the key, a (2) psa_algorithm_t to represent the
* algorithm, and (3) a psa_operation_t for multi-part progress.
*
* On the other hand, with PSA, the algorithms encodes the desired tag length;
* with Cipher the desired tag length needs to be tracked separately.
*
* This program and its companion psa/aead_demo.c illustrate this by doing the
* same sequence of multi-part AEAD computation with both APIs; looking at the
* two side by side should make the differences and similarities clear.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/* First include Mbed TLS headers to get the Mbed TLS configuration and
* platform definitions that we'll use in this program. Also include
* standard C headers for functions we'll use here. */
#include "mbedtls/build_info.h"
#include "mbedtls/cipher.h"
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* If the build options we need are not enabled, compile a placeholder. */
#if !defined(MBEDTLS_CIPHER_C) || \
!defined(MBEDTLS_AES_C) || !defined(MBEDTLS_GCM_C) || \
!defined(MBEDTLS_CHACHAPOLY_C)
int main(void)
{
printf("MBEDTLS_MD_C and/or "
"MBEDTLS_AES_C and/or MBEDTLS_GCM_C and/or "
"MBEDTLS_CHACHAPOLY_C not defined\r\n");
return 0;
}
#else
/* The real program starts here. */
const char usage[] =
"Usage: cipher_aead_demo [aes128-gcm|aes256-gcm|aes128-gcm_8|chachapoly]";
/* Dummy data for encryption: IV/nonce, additional data, 2-part message */
const unsigned char iv1[12] = { 0x00 };
const unsigned char add_data1[] = { 0x01, 0x02 };
const unsigned char msg1_part1[] = { 0x03, 0x04 };
const unsigned char msg1_part2[] = { 0x05, 0x06, 0x07 };
/* Dummy data (2nd message) */
const unsigned char iv2[12] = { 0x10 };
const unsigned char add_data2[] = { 0x11, 0x12 };
const unsigned char msg2_part1[] = { 0x13, 0x14 };
const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 };
/* Maximum total size of the messages */
#define MSG1_SIZE (sizeof(msg1_part1) + sizeof(msg1_part2))
#define MSG2_SIZE (sizeof(msg2_part1) + sizeof(msg2_part2))
#define MSG_MAX_SIZE (MSG1_SIZE > MSG2_SIZE ? MSG1_SIZE : MSG2_SIZE)
/* Dummy key material - never do this in production!
* 32-byte is enough to all the key size supported by this program. */
const unsigned char key_bytes[32] = { 0x2a };
/* Print the contents of a buffer in hex */
static void print_buf(const char *title, unsigned char *buf, size_t len)
{
printf("%s:", title);
for (size_t i = 0; i < len; i++) {
printf(" %02x", buf[i]);
}
printf("\n");
}
/* Run an Mbed TLS function and bail out if it fails.
* A string description of the error code can be recovered with:
* programs/util/strerror <value> */
#define CHK(expr) \
do \
{ \
ret = (expr); \
if (ret != 0) \
{ \
printf("Error %d at line %d: %s\n", \
ret, \
__LINE__, \
#expr); \
goto exit; \
} \
} while (0)
/*
* Prepare encryption material:
* - interpret command-line argument
* - set up key
* - outputs: context and tag length, which together hold all the information
*/
static int aead_prepare(const char *info,
mbedtls_cipher_context_t *ctx,
size_t *tag_len)
{
int ret;
/* Convert arg to type + tag_len */
mbedtls_cipher_type_t type;
if (strcmp(info, "aes128-gcm") == 0) {
type = MBEDTLS_CIPHER_AES_128_GCM;
*tag_len = 16;
} else if (strcmp(info, "aes256-gcm") == 0) {
type = MBEDTLS_CIPHER_AES_256_GCM;
*tag_len = 16;
} else if (strcmp(info, "aes128-gcm_8") == 0) {
type = MBEDTLS_CIPHER_AES_128_GCM;
*tag_len = 8;
} else if (strcmp(info, "chachapoly") == 0) {
type = MBEDTLS_CIPHER_CHACHA20_POLY1305;
*tag_len = 16;
} else {
puts(usage);
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
/* Prepare context for the given type */
CHK(mbedtls_cipher_setup(ctx,
mbedtls_cipher_info_from_type(type)));
/* Import key */
int key_len = mbedtls_cipher_get_key_bitlen(ctx);
CHK(mbedtls_cipher_setkey(ctx, key_bytes, key_len, MBEDTLS_ENCRYPT));
exit:
return ret;
}
/*
* Print out some information.
*
* All of this information was present in the command line argument, but his
* function demonstrates how each piece can be recovered from (ctx, tag_len).
*/
static void aead_info(const mbedtls_cipher_context_t *ctx, size_t tag_len)
{
mbedtls_cipher_type_t type = mbedtls_cipher_get_type(ctx);
const mbedtls_cipher_info_t *info = mbedtls_cipher_info_from_type(type);
const char *ciph = mbedtls_cipher_info_get_name(info);
int key_bits = mbedtls_cipher_get_key_bitlen(ctx);
mbedtls_cipher_mode_t mode = mbedtls_cipher_get_cipher_mode(ctx);
const char *mode_str = mode == MBEDTLS_MODE_GCM ? "GCM"
: mode == MBEDTLS_MODE_CHACHAPOLY ? "ChachaPoly"
: "???";
printf("%s, %d, %s, %u\n",
ciph, key_bits, mode_str, (unsigned) tag_len);
}
/*
* Encrypt a 2-part message.
*/
static int aead_encrypt(mbedtls_cipher_context_t *ctx, size_t tag_len,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *part1, size_t part1_len,
const unsigned char *part2, size_t part2_len)
{
int ret;
size_t olen;
#define MAX_TAG_LENGTH 16
unsigned char out[MSG_MAX_SIZE + MAX_TAG_LENGTH];
unsigned char *p = out;
CHK(mbedtls_cipher_set_iv(ctx, iv, iv_len));
CHK(mbedtls_cipher_reset(ctx));
CHK(mbedtls_cipher_update_ad(ctx, ad, ad_len));
CHK(mbedtls_cipher_update(ctx, part1, part1_len, p, &olen));
p += olen;
CHK(mbedtls_cipher_update(ctx, part2, part2_len, p, &olen));
p += olen;
CHK(mbedtls_cipher_finish(ctx, p, &olen));
p += olen;
CHK(mbedtls_cipher_write_tag(ctx, p, tag_len));
p += tag_len;
olen = p - out;
print_buf("out", out, olen);
exit:
return ret;
}
/*
* AEAD demo: set up key/alg, print out info, encrypt messages.
*/
static int aead_demo(const char *info)
{
int ret = 0;
mbedtls_cipher_context_t ctx;
size_t tag_len;
mbedtls_cipher_init(&ctx);
CHK(aead_prepare(info, &ctx, &tag_len));
aead_info(&ctx, tag_len);
CHK(aead_encrypt(&ctx, tag_len,
iv1, sizeof(iv1), add_data1, sizeof(add_data1),
msg1_part1, sizeof(msg1_part1),
msg1_part2, sizeof(msg1_part2)));
CHK(aead_encrypt(&ctx, tag_len,
iv2, sizeof(iv2), add_data2, sizeof(add_data2),
msg2_part1, sizeof(msg2_part1),
msg2_part2, sizeof(msg2_part2)));
exit:
mbedtls_cipher_free(&ctx);
return ret;
}
/*
* Main function
*/
int main(int argc, char **argv)
{
/* Check usage */
if (argc != 2) {
puts(usage);
return 1;
}
int ret;
/* Run the demo */
CHK(aead_demo(argv[1]));
exit:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
#endif

137
programs/demo_common.sh
View File

@ -1,137 +0,0 @@
## Common shell functions used by demo scripts programs/*/*.sh.
## How to write a demo script
## ==========================
##
## Include this file near the top of each demo script:
## . "${0%/*}/../demo_common.sh"
##
## Start with a "msg" call that explains the purpose of the script.
## Then call the "depends_on" function to ensure that all config
## dependencies are met.
##
## As the last thing in the script, call the cleanup function.
##
## You can use the functions and variables described below.
set -e -u
## $root_dir is the root directory of the Mbed TLS source tree.
root_dir="${0%/*}"
# Find a nice path to the root directory, avoiding unnecessary "../".
# The code supports demo scripts nested up to 4 levels deep.
# The code works no matter where the demo script is relative to the current
# directory, even if it is called with a relative path.
n=4 # limit the search depth
while ! [ -d "$root_dir/programs" ] || ! [ -d "$root_dir/library" ]; do
if [ $n -eq 0 ]; then
echo >&2 "This doesn't seem to be an Mbed TLS source tree."
exit 125
fi
n=$((n - 1))
case $root_dir in
.) root_dir="..";;
..|?*/..) root_dir="$root_dir/..";;
?*/*) root_dir="${root_dir%/*}";;
/*) root_dir="/";;
*) root_dir=".";;
esac
done
## $programs_dir is the directory containing the sample programs.
# Assume an in-tree build.
programs_dir="$root_dir/programs"
## msg LINE...
## msg <TEXT_ORIGIN
## Display an informational message.
msg () {
if [ $# -eq 0 ]; then
sed 's/^/# /'
else
for x in "$@"; do
echo "# $x"
done
fi
}
## run "Message" COMMAND ARGUMENT...
## Display the message, then run COMMAND with the specified arguments.
run () {
echo
echo "# $1"
shift
echo "+ $*"
"$@"
}
## Like '!', but stop on failure with 'set -e'
not () {
if "$@"; then false; fi
}
## run_bad "Message" COMMAND ARGUMENT...
## Like run, but the command is expected to fail.
run_bad () {
echo
echo "$1 This must fail."
shift
echo "+ ! $*"
not "$@"
}
## config_has SYMBOL...
## Succeeds if the library configuration has all SYMBOLs set.
config_has () {
for x in "$@"; do
"$programs_dir/test/query_compile_time_config" "$x"
done
}
## depends_on SYMBOL...
## Exit if the library configuration does not have all SYMBOLs set.
depends_on () {
m=
for x in "$@"; do
if ! config_has "$x"; then
m="$m $x"
fi
done
if [ -n "$m" ]; then
cat >&2 <<EOF
$0: this demo requires the following
configuration options to be enabled at compile time:
$m
EOF
# Exit with a success status so that this counts as a pass for run_demos.py.
exit
fi
}
## Add the names of files to clean up to this whitespace-separated variable.
## The file names must not contain whitespace characters.
files_to_clean=
## Call this function at the end of each script.
## It is called automatically if the script is killed by a signal.
cleanup () {
rm -f -- $files_to_clean
}
################################################################
## End of the public interfaces. Code beyond this point is not
## meant to be called directly from a demo script.
trap 'cleanup; trap - HUP; kill -HUP $$' HUP
trap 'cleanup; trap - INT; kill -INT $$' INT
trap 'cleanup; trap - TERM; kill -TERM $$' TERM
if config_has MBEDTLS_ENTROPY_NV_SEED; then
# Create a seedfile that's sufficiently long in all library configurations.
# This is necessary for programs that use randomness.
# Assume that the name of the seedfile is the default name.
files_to_clean="$files_to_clean seedfile"
dd if=/dev/urandom of=seedfile ibs=64 obs=64 count=1
fi

2
programs/fuzz/common.c
View File

@ -1,3 +1,5 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "common.h"
#include <limits.h>
#include <stdio.h>

5
programs/fuzz/fuzz_client.c
View File

@ -1,3 +1,5 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
@ -139,9 +141,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
//There may be other options to add :
// mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
srand(1);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
goto exit;
}

4
programs/fuzz/fuzz_dtlsclient.c
View File

@ -1,3 +1,5 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
@ -66,7 +68,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
srand(1);
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
goto exit;
@ -83,7 +84,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
#endif
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
goto exit;

11
programs/fuzz/fuzz_dtlsserver.c
View File

@ -1,3 +1,5 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
@ -80,8 +82,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
return 1;
}
if (mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
dummy_random, &ctr_drbg) != 0) {
mbedtls_test_srv_key_len, NULL, 0) != 0) {
return 1;
}
#endif
@ -97,10 +98,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
goto exit;
}
srand(1);
mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
if (mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey) != 0) {
@ -108,7 +105,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
}
#endif
if (mbedtls_ssl_cookie_setup(&cookie_ctx, dummy_random, &ctr_drbg) != 0) {
if (mbedtls_ssl_cookie_setup(&cookie_ctx) != 0) {
goto exit;
}

2
programs/fuzz/fuzz_pkcs7.c
View File

@ -1,3 +1,5 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include <stdint.h>
#include "mbedtls/pkcs7.h"
#include "common.h"

Some files were not shown because too many files have changed in this diff Show More