From bd81c9d0f710e62a5a493d1c053a87c2db78f78a Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 22 Jul 2024 14:43:56 +0200 Subject: [PATCH 01/57] Implement TLS-Exporter feature The TLS-Exporter is a function to derive shared symmetric keys for the server and client from the secrets generated during the handshake. It is defined in RFC 8446, Section 7.5 for TLS 1.3 and in RFC 5705 for TLS 1.2. Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 24 ++++++++++ library/ssl_tls.c | 95 ++++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.c | 34 ++++++++++++++ library/ssl_tls13_keys.h | 16 +++++++ 4 files changed, 169 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 9a02a6a8c2..5bd0b04903 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -5388,6 +5388,30 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen); + /** + * \brief TLS-Exporter to derive shared symmetric keys between server and client. + * + * \param ctx SSL context from which to export keys. Must have finished the handshake. + * \param out Output buffer of length at least key_len bytes. + * \param key_len Length of the key to generate in bytes. Must be < 2^16 in TLS 1.3. + * \param label Label for which to generate the key of length label_len. + * \param label_len Length of label in bytes. Must be < 251 in TLS 1.3. + * \param context Context of the key. Can be NULL if context_len or use_context is 0. + * \param context_len Length of context. Must be < 2^16 in TLS1.2. + * \param use_context Indicates if a context should be used in deriving the key. + * + * \note TLS 1.2 makes a distinction between a 0-length context and no context. + * This is why the use_context argument exists. TLS 1.3 does not make + * this distinction. If use_context is 0 and TLS 1.3 is used, context and + * context_len are ignored and a 0-length context is used. + * + * \return 0 on success. An SSL specific error on failure. + */ + int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, + uint8_t *out, size_t key_len, + const char *label, size_t label_len, + const unsigned char *context, size_t context_len, + int use_context); #ifdef __cplusplus } #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 94de3430cc..4c7ce1ee96 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -18,6 +18,7 @@ #include "mbedtls/ssl.h" #include "ssl_client.h" #include "ssl_debug_helpers.h" +#include "ssl_tls13_keys.h" #include "debug_internal.h" #include "mbedtls/error.h" 
@@ -8929,4 +8930,98 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, + const mbedtls_md_type_t hash_alg, + uint8_t *out, const size_t key_len, + const char *label, const size_t label_len, + const unsigned char *context, const size_t context_len, + const int use_context) +{ + int ret = 0; + size_t prf_input_len = use_context ? 64 + 2 + context_len : 64; + unsigned char *prf_input = NULL; + char *label_str = NULL; + + if (use_context && context_len >= (1 << 16)) { + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + goto exit; + } + + prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char)); + label_str = mbedtls_calloc(label_len + 1, sizeof(char)); + if (prf_input == NULL || label_str == NULL) { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto exit; + } + + memcpy(label_str, label, label_len); + label_str[label_len] = '\0'; + + /* The input to the PRF is client_random, then server_random. + * If a context is provided, this is then followed by the context length + * as a 16-bit big-endian integer, and then the context itself. 
*/ + memcpy(prf_input, ssl->transform->randbytes + 32, 32); + memcpy(prf_input + 32, ssl->transform->randbytes, 32); + if (use_context) { + prf_input[64] = (unsigned char)((context_len >> 8) & 0xff); + prf_input[65] = (unsigned char)(context_len & 0xff); + memcpy(prf_input + 66, context, context_len); + } + ret = tls_prf_generic(hash_alg, ssl->session->master, 48, label_str, + prf_input, prf_input_len, + out, key_len); + +exit: + mbedtls_free(prf_input); + mbedtls_free(label_str); + return ret; +} + +static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, + const mbedtls_md_type_t hash_alg, + uint8_t *out, const size_t key_len, + const char *label, const size_t label_len, + const unsigned char *context, const size_t context_len) +{ + const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg); + const size_t hash_len = PSA_HASH_LENGTH(hash_alg); + const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; + + if (key_len > 0xff || label_len > 250) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len, + (const unsigned char *)label, label_len, + context, context_len, out, key_len); +} + +int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, + uint8_t *out, const size_t key_len, + const char *label, const size_t label_len, + const unsigned char *context, const size_t context_len, + const int use_context) +{ + if (!mbedtls_ssl_is_handshake_over(ssl)) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl); + const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); + const mbedtls_md_type_t hash_alg = ciphersuite->mac; + + switch (mbedtls_ssl_get_version_number(ssl)) { + case MBEDTLS_SSL_VERSION_TLS1_2: + return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len, + label, label_len, + context, context_len, use_context); + 
case MBEDTLS_SSL_VERSION_TLS1_3: + return mbedtls_ssl_tls13_export_keying_material(ssl, hash_alg, out, key_len, label, label_len, + use_context ? context : NULL, + use_context ? context_len : 0); + default: + return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; + } +} + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index a421a06de4..38b342ea8b 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1824,4 +1824,38 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ +int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg, + const unsigned char *secret, const size_t secret_len, + const unsigned char *label, const size_t label_len, + const unsigned char *context_value, const size_t context_len, + unsigned char *out, const size_t out_len) +{ + size_t hash_len = PSA_HASH_LENGTH(hash_alg); + unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + unsigned char hashed_context[PSA_HASH_MAX_SIZE]; + size_t hashed_context_len = 0; + int ret = 0; + psa_status_t status = 0; + + ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0, + MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret, hash_len); + if (ret != 0) { + goto exit; + } + + status = psa_hash_compute(hash_alg, context_value, context_len, hashed_context, hash_len, &hashed_context_len); + if (status != PSA_SUCCESS) { + ret = PSA_TO_MBEDTLS_ERR(status); + goto exit; + } + ret = mbedtls_ssl_tls13_hkdf_expand_label(hash_alg, hkdf_secret, hash_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter), + hashed_context, hashed_context_len, + out, out_len); + +exit: + mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret)); + return ret; +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index d3a4c6c992..41604c7e29 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
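Review bot: In `mbedtls_ssl_tls13_export_keying_material`, `PSA_HASH_LENGTH(hash_alg)` is given the `mbedtls_md_type_t` value rather than the converted `psa_hash_alg`, so the secret length handed to `mbedtls_ssl_tls13_exporter` is computed from the wrong kind of identifier; the line should read `const size_t hash_len = PSA_HASH_LENGTH(psa_hash_alg);`. In `mbedtls_ssl_export_keying_material`, `ciphersuite->mac` is read without checking the result of `mbedtls_ssl_ciphersuite_from_id()`, which can be NULL for an unknown id; add `if (ciphersuite == NULL) { return MBEDTLS_ERR_SSL_INTERNAL_ERROR; }` before the dereference. Both helpers are guarded only by `MBEDTLS_SSL_TLS_C`, while `mbedtls_ssl_tls13_exporter` is declared and defined inside `MBEDTLS_SSL_PROTO_TLS1_3`, so a build with only one protocol version enabled would presumably fail. The version-specific helpers and the matching `case` labels likely need their own `#if defined(...)` guards.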
@@ -646,6 +646,22 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, size_t *psk_len); #endif +/** + * \brief Calculate TLS-Exporter function as defined in RFC 8446, Section 7.5. + * + * \param[in] hash_alg The hash algorithm. + * \param[in] secret The secret to use. (Should be the exporter master secret.) + * \param[in] secret_len Length of secret. + * \param[in] label The label of the exported key. + * \param[in] label_len The length of label. + * \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes. + * \param[in] out_len Length of the key to generate. +int mbedtls_ssl_tls13_exporter(psa_algorithm_t hash_alg, + const unsigned char *secret, size_t secret_len, + const unsigned char *label, size_t label_len, + const unsigned char *context_value, size_t context_len, + unsigned char *out, size_t out_len); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 32ba7f4a17e0e9b82dd9d99909c8f370ebca02f9 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 22 Jul 2024 14:44:09 +0200 Subject: [PATCH 02/57] Add TLS-Exporter options to ssl_server2 The program prints out the derived symmetric key for testing purposes. Signed-off-by: Max Fillinger --- programs/ssl/ssl_server2.c | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 633822297e..c179435332 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -70,6 +70,8 @@ int main(void) #define DFL_NBIO 0 #define DFL_EVENT 0 #define DFL_READ_TIMEOUT 0 +#define DFL_EXP_LABEL NULL +#define DFL_EXP_LEN 20 #define DFL_CA_FILE "" #define DFL_CA_PATH "" #define DFL_CRT_FILE "" 
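Review bot: The Doxygen block for `mbedtls_ssl_tls13_exporter` documents neither `context_value` nor `context_len`, although both are in the prototype. Add `\param[in] context_value The context of the exported key. May be NULL when context_len is 0.` and `\param[in] context_len The length of context_value.` after the `label_len` entry. The comment also omits a `\return` line; the definition returns 0 on success and the error code of the failing derivation step otherwise.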
@@ -517,6 +519,10 @@ int main(void) " event=%%d default: 0 (loop)\n" \ " options: 1 (level-triggered, implies nbio=1),\n" \ " read_timeout=%%d default: 0 ms (no timeout)\n" \ + " exp_label=%%s Label to input into TLS-Exporter\n" \ + " default: None (don't try to export a key)\n" \ + " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ + " default: 20\n" \ "\n" \ USAGE_DTLS \ USAGE_SRTP \ @@ -608,6 +614,8 @@ struct options { int nbio; /* should I/O be blocking? */ int event; /* loop or event-driven IO? level or edge triggered? */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ + const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */ + int exp_len; /* Lenght of key to export using mbedtls_ssl_export_keying_material() */ int response_size; /* pad response with header to requested size */ uint16_t buffer_size; /* IO buffer size */ const char *ca_file; /* the file with the CA certificate(s) */ @@ -1704,6 +1712,8 @@ int main(int argc, char *argv[]) opt.cid_val = DFL_CID_VALUE; opt.cid_val_renego = DFL_CID_VALUE_RENEGO; opt.read_timeout = DFL_READ_TIMEOUT; + opt.exp_label = DFL_EXP_LABEL; + opt.exp_len = DFL_EXP_LEN; opt.ca_file = DFL_CA_FILE; opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; @@ -1883,6 +1893,10 @@ usage: } } else if (strcmp(p, "read_timeout") == 0) { opt.read_timeout = atoi(q); + } else if (strcmp(p, "exp_label") == 0) { + opt.exp_label = q; + } else if (strcmp(p, "exp_len") == 0) { + opt.exp_len = atoi(q); } else if (strcmp(p, "buffer_size") == 0) { opt.buffer_size = atoi(q); if (opt.buffer_size < 1) { 
@@ -3605,6 +3619,27 @@ handshake: mbedtls_printf("\n"); } + if (opt.exp_label != NULL && opt.exp_len > 0) { + unsigned char *exported_key = calloc((size_t)opt.exp_len, sizeof(unsigned int)); + if (exported_key == NULL) { + mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); + ret = 3; + goto exit; + } + ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t)opt.exp_len, + opt.exp_label, strlen(opt.exp_label), + NULL, 0, 0); + if (ret != 0) { + goto exit; + } + mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", opt.exp_len, opt.exp_label); + for (i = 0; i < opt.exp_len; i++) { + mbedtls_printf("%02X", exported_key[i]); + } + mbedtls_printf("\n\n"); + fflush(stdout); + } + #if defined(MBEDTLS_SSL_DTLS_SRTP) else if (opt.use_srtp != 0) { size_t j = 0; From b2718e17e61151a6a6262aff5dae2c8c729a1f23 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 22 Jul 2024 15:09:24 +0200 Subject: [PATCH 03/57] Add TLS-Exporter options to ssl_client2 Prints out the exported key on the command line for testing purposes. Signed-off-by: Max Fillinger --- programs/ssl/ssl_client2.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 6a5fca57de..5ad2327afc 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -102,6 +102,8 @@ int main(void) #define DFL_NSS_KEYLOG 0 #define DFL_NSS_KEYLOG_FILE NULL #define DFL_SKIP_CLOSE_NOTIFY 0 +#define DFL_EXP_LABEL NULL +#define DFL_EXP_LEN 20 #define DFL_QUERY_CONFIG_MODE 0 #define DFL_USE_SRTP 0 #define DFL_SRTP_FORCE_PROFILE 0 
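Review bot: `exported_key` is never released: the block neither frees it after printing nor on the `goto exit` taken when `mbedtls_ssl_export_keying_material()` fails, and the derived key stays in heap memory. Wipe and free it on both paths, e.g. `mbedtls_platform_zeroize(exported_key, (size_t) opt.exp_len); free(exported_key);`. The allocation uses `sizeof(unsigned int)` for a byte buffer and should be `calloc((size_t) opt.exp_len, sizeof(unsigned char))`. The new `if` is also placed directly before the existing `else if (opt.use_srtp != 0)` under `MBEDTLS_SSL_DTLS_SRTP`, so that branch now appears to attach to the exporter check instead of the preceding condition; confirm this is intended. The allocation and cleanup points apply equally to the identical block added to programs/ssl/ssl_client2.c in patch 03.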
@@ -389,6 +391,10 @@ int main(void) " read_timeout=%%d default: 0 ms (no timeout)\n" \ " max_resend=%%d default: 0 (no resend on timeout)\n" \ " skip_close_notify=%%d default: 0 (send close_notify)\n" \ + " exp_label=%%s Label to input into TLS-Exporter\n" \ + " default: None (don't try to export a key)\n" \ + " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ + " default: 20\n" \ "\n" \ USAGE_DTLS \ USAGE_CID \ @@ -534,6 +540,8 @@ struct options { * after renegotiation */ int reproducible; /* make communication reproducible */ int skip_close_notify; /* skip sending the close_notify alert */ + const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */ + int exp_len; /* Lenght of key to export using mbedtls_ssl_export_keying_material() */ #if defined(MBEDTLS_SSL_EARLY_DATA) int early_data; /* early data enablement flag */ #endif @@ -1412,6 +1420,10 @@ usage: if (opt.skip_close_notify < 0 || opt.skip_close_notify > 1) { goto usage; } + } else if (strcmp(p, "exp_label") == 0) { + opt.exp_label = q; + } else if (strcmp(p, "exp_len") == 0) { + opt.exp_len = atoi(q); } else if (strcmp(p, "use_srtp") == 0) { opt.use_srtp = atoi(q); } else if (strcmp(p, "srtp_force_profile") == 0) { 
@@ -2485,6 +2497,27 @@ usage: } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + if (opt.exp_label != NULL && opt.exp_len > 0) { + unsigned char *exported_key = calloc((size_t)opt.exp_len, sizeof(unsigned int)); + if (exported_key == NULL) { + mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); + ret = 3; + goto exit; + } + ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t)opt.exp_len, + opt.exp_label, strlen(opt.exp_label), + NULL, 0, 0); + if (ret != 0) { + goto exit; + } + mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", opt.exp_len, opt.exp_label); + for (i = 0; i < opt.exp_len; i++) { + mbedtls_printf("%02X", exported_key[i]); + } + mbedtls_printf("\n\n"); + fflush(stdout); + } + /* * 6. Write the GET request */ From b84cb4b0492944d1e6577295d3964d705691eaaa Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 25 Jul 2024 16:16:02 +0200 Subject: [PATCH 04/57] Add changelog entry for TLS-Exporter feature Signed-off-by: Max Fillinger --- ChangeLog.d/add-tls-exporter.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/add-tls-exporter.txt diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt new file mode 100644 index 0000000000..c752a18e1d --- /dev/null +++ b/ChangeLog.d/add-tls-exporter.txt @@ -0,0 +1,4 @@ +Features: + * Add the function mbedtls_ssl_export_keying_material() which allows the + client and server to extract additional shared symmetric keys from an SSL + session, according to the TLS-Exporter specification in RFC 8446 and 5705. From 136fe9e4be154d3dec46d65445cdb7d46d697df3 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 9 Aug 2024 18:54:36 +0200 Subject: [PATCH 05/57] Fix commented out function declaration Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.h | 1 + 1 file changed, 1 insertion(+) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 41604c7e29..07b970aaf6 100644 --- a/library/ssl_tls13_keys.h 
+++ b/library/ssl_tls13_keys.h @@ -656,6 +656,7 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, * \param[in] label_len The length of label. * \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes. * \param[in] out_len Length of the key to generate. + */ int mbedtls_ssl_tls13_exporter(psa_algorithm_t hash_alg, const unsigned char *secret, size_t secret_len, const unsigned char *label, size_t label_len, From c7986427d4c343dc03961515246ded61c392f943 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 9 Aug 2024 19:46:15 +0200 Subject: [PATCH 06/57] Add test for TLS-Exporter in TLS 1.3 Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.data | 5 +++++ tests/suites/test_suite_ssl.function | 31 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 565588bea6..25cb965e85 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -2791,6 +2791,11 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "res master", hash) depends_on:PSA_WANT_ALG_SHA_256 ssl_tls13_derive_secret:PSA_ALG_SHA_256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls13_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" +SSL TLS 1.3 Exporter +# Based on the "exp master" key from RFC 8448, expected result calculated with a HMAC-SHA256 calculator. +depends_on:PSA_WANT_ALG_SHA_256 +ssl_tls13_exporter:PSA_ALG_SHA_256:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4":"test":"context value":32:"83d0fac39f87c1b4fbcd261369f31149c535391a9199bd4c5daf89fe259c2e94" + SSL TLS 1.3 Key schedule: Early secrets derivation helper # Vector from RFC 8448 depends_on:PSA_WANT_ALG_SHA_256 
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 743b53c007..e5c770a8e9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1695,6 +1695,37 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +void ssl_tls13_exporter(int hash_alg, + data_t *secret, + char *label, + char *context_value, + int desired_length, + data_t *expected) +{ + unsigned char dst[100]; + + /* Check sanity of test parameters. */ + TEST_ASSERT((size_t) desired_length <= sizeof(dst)); + TEST_ASSERT((size_t) desired_length == expected->len); + + PSA_INIT(); + + TEST_ASSERT(mbedtls_ssl_tls13_exporter( + (psa_algorithm_t) hash_alg, + secret->x, secret->len, + (unsigned char *)label, strlen(label), + (unsigned char *)context_value, strlen(context_value), + dst, desired_length) == 0); + + TEST_MEMORY_COMPARE(dst, desired_length, + expected->x, desired_length); + +exit: + PSA_DONE(); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ void ssl_tls13_derive_early_secrets(int hash_alg, data_t *secret, From 334c367052d739e22b14fcbf41630c9461b8cb8d Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 12 Aug 2024 11:20:39 +0200 Subject: [PATCH 07/57] Simplify mbedtls_ssl_tls13_exporter RFC 8446 made it look like we can't use Derive-Secret for the second step, but actually, Transcript-Hash and Hash are the same thing, so we can. Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 38b342ea8b..e2ddaa7086 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
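Review bot: `ssl_tls13_exporter` checks a single SHA-256 vector against `mbedtls_ssl_tls13_exporter` only, and the data file states the expected value came from an HMAC-SHA256 calculator rather than from an independent TLS implementation. Nothing in this commit exercises the public `mbedtls_ssl_export_keying_material()`, the TLS 1.2 path, an empty context, or the rejected inputs (`label_len > 250`, oversized `key_len`). Cases for those would catch mistakes in the length handling. A vector for a second hash such as SHA-384 would also help, since the secret length depends on the hash.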
@@ -1832,26 +1832,17 @@ int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg, { size_t hash_len = PSA_HASH_LENGTH(hash_alg); unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; - unsigned char hashed_context[PSA_HASH_MAX_SIZE]; - size_t hashed_context_len = 0; int ret = 0; - psa_status_t status = 0; ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret, hash_len); if (ret != 0) { goto exit; } - - status = psa_hash_compute(hash_alg, context_value, context_len, hashed_context, hash_len, &hashed_context_len); - if (status != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - goto exit; - } - ret = mbedtls_ssl_tls13_hkdf_expand_label(hash_alg, hkdf_secret, hash_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter), - hashed_context, hashed_context_len, - out, out_len); + ret = mbedtls_ssl_tls13_derive_secret(hash_alg, hkdf_secret, hash_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter), + context_value, context_len, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + out, out_len); exit: mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret)); From 81dfc8830bedf49de26a33ce3f4a74c0e3cc3149 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 12 Aug 2024 12:51:02 +0200 Subject: [PATCH 08/57] Actually set exporter defaults in ssl_client2 Signed-off-by: Max Fillinger --- programs/ssl/ssl_client2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 5ad2327afc..71592ef987 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -984,6 +984,8 @@ int main(int argc, char *argv[]) opt.nss_keylog = DFL_NSS_KEYLOG; opt.nss_keylog_file = DFL_NSS_KEYLOG_FILE; opt.skip_close_notify = DFL_SKIP_CLOSE_NOTIFY; + opt.exp_label = DFL_EXP_LABEL; + opt.exp_len = DFL_EXP_LEN; opt.query_config_mode = DFL_QUERY_CONFIG_MODE; opt.use_srtp = DFL_USE_SRTP; opt.force_srtp_profile = DFL_SRTP_FORCE_PROFILE; 
From 91cff4406bf3f3aea5b56f65fba97443d3f0efce Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 12 Aug 2024 13:20:46 +0200 Subject: [PATCH 09/57] Fix key_len check in TLS-Exporter The length of the generated key must fit into a uint16_t, so it must not be larger than 0xffff. Signed-off-by: Max Fillinger --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4c7ce1ee96..5f5ea39318 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8987,7 +8987,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const size_t hash_len = PSA_HASH_LENGTH(hash_alg); const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; - if (key_len > 0xff || label_len > 250) { + if (key_len > 0xffff || label_len > 250) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } From 9c9989fc6d7044434596dadb4caedafb36786c3f Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 14 Aug 2024 16:44:50 +0200 Subject: [PATCH 10/57] Fix mismatches in function declarations Missed some const keywords in function declarations. Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 8 ++++---- library/ssl_tls.c | 8 ++++---- library/ssl_tls13_keys.h | 10 +++++----- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 5bd0b04903..5f2bdf3372 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
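Review bot: The `key_len > 0xffff` bound matches the 16-bit length field, but HKDF-Expand can emit at most 255 times the hash length (8160 bytes for SHA-256), so lengths between that limit and 0xffff pass this check and rely on the lower layers to fail. Whether `mbedtls_ssl_tls13_exporter` rejects them cleanly is not visible in this hunk. Either tighten the check to `key_len > 255 * PSA_HASH_LENGTH(psa_hash_alg)` or document the effective limit next to the "Must be < 2^16" wording in the public header. The function body continues outside the hunk.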
@@ -5408,10 +5408,10 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * \return 0 on success. An SSL specific error on failure. */ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, - uint8_t *out, size_t key_len, - const char *label, size_t label_len, - const unsigned char *context, size_t context_len, - int use_context); + uint8_t *out, const size_t key_len, + const char *label, const size_t label_len, + const unsigned char *context, const size_t context_len, + const int use_context); #ifdef __cplusplus } #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5f5ea39318..afbf76af71 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8997,10 +8997,10 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, } int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, - uint8_t *out, const size_t key_len, - const char *label, const size_t label_len, - const unsigned char *context, const size_t context_len, - const int use_context) + uint8_t *out, const size_t key_len, + const char *label, const size_t label_len, + const unsigned char *context, const size_t context_len, + const int use_context) { if (!mbedtls_ssl_is_handshake_over(ssl)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 07b970aaf6..a4b012f36e 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -657,11 +657,11 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, * \param[out] out The output buffer for the exported key. Must have room for at least out_len bytes. * \param[in] out_len Length of the key to generate. */ -int mbedtls_ssl_tls13_exporter(psa_algorithm_t hash_alg, - const unsigned char *secret, size_t secret_len, - const unsigned char *label, size_t label_len, - const unsigned char *context_value, size_t context_len, - unsigned char *out, size_t out_len); +int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg, + const unsigned char *secret, const size_t secret_len, + const unsigned char *label, const size_t label_len, + const unsigned char *context_value, const size_t context_len, + uint8_t *out, const size_t out_len); #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ From 55619940206c9de34af5b92f946ba2df2d28cabf Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 20 Sep 2024 15:22:06 +0200 Subject: [PATCH 11/57] Fix typos in comment Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 5f2bdf3372..dc13713d14 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5397,7 +5397,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * \param label Label for which to generate the key of length label_len. * \param label_len Length of label in bytes. Must be < 251 in TLS 1.3. * \param context Context of the key. Can be NULL if context_len or use_context is 0. - * \param context_len Length of context. Must be < 2^16 in TLS1.2. + * \param context_len Length of context. Must be < 2^16 in TLS 1.2. * \param use_context Indicates if a context should be used in deriving the key. * * \note TLS 1.2 makes a distinction between a 0-length context and no context. From ae7d66a1d5c383f1d8f42e5851667a25fcf37cc0 Mon Sep 17 00:00:00 2001 
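Review bot: The prototype now spells the output parameter `uint8_t *out`, while the definition of `mbedtls_ssl_tls13_exporter` added to library/ssl_tls13_keys.c in patch 01 uses `unsigned char *out` and is not touched here. The commit that aligns the declarations therefore leaves a new spelling difference, and one type should be used in both places. Top-level `const` on by-value parameters (`const size_t`, `const int`) has no effect for callers, so an alternative is to drop the qualifiers from the prototypes instead of adding them to the public `mbedtls_ssl_export_keying_material` declaration.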
From: Max Fillinger Date: Fri, 20 Sep 2024 17:50:16 +0200 Subject: [PATCH 12/57] Fix doxygen comment parameter name Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index dc13713d14..fd7b0f6a61 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5391,7 +5391,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, /** * \brief TLS-Exporter to derive shared symmetric keys between server and client. * - * \param ctx SSL context from which to export keys. Must have finished the handshake. + * \param ssl SSL context from which to export keys. Must have finished the handshake. * \param out Output buffer of length at least key_len bytes. * \param key_len Length of the key to generate in bytes. Must be < 2^16 in TLS 1.3. * \param label Label for which to generate the key of length label_len. From 9073e041fce7536fc0b13a6e48478400b4365633 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 20 Sep 2024 17:57:52 +0200 Subject: [PATCH 13/57] Fix TLS exporter changelog entry Signed-off-by: Max Fillinger --- ChangeLog.d/add-tls-exporter.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt index c752a18e1d..2b06c5f294 100644 --- a/ChangeLog.d/add-tls-exporter.txt +++ b/ChangeLog.d/add-tls-exporter.txt @@ -1,4 +1,4 @@ -Features: +Features * Add the function mbedtls_ssl_export_keying_material() which allows the client and server to extract additional shared symmetric keys from an SSL session, according to the TLS-Exporter specification in RFC 8446 and 5705. From 7b72220d421bca2d64bcfa7ec16040d863273ea3 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Sat, 21 Sep 2024 10:48:57 +0200 Subject: [PATCH 14/57] Fix coding style 
Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 40 ++++++++++++++-------------- library/ssl_tls.c | 31 ++++++++++++++------- library/ssl_tls13_keys.c | 14 +++++++--- programs/ssl/ssl_client2.c | 8 +++--- programs/ssl/ssl_server2.c | 8 +++--- tests/suites/test_suite_ssl.function | 4 +-- 6 files changed, 63 insertions(+), 42 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index fd7b0f6a61..c011b9e4d9 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -5388,26 +5388,26 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen); - /** - * \brief TLS-Exporter to derive shared symmetric keys between server and client. - * - * \param ssl SSL context from which to export keys. Must have finished the handshake. - * \param out Output buffer of length at least key_len bytes. - * \param key_len Length of the key to generate in bytes. Must be < 2^16 in TLS 1.3. - * \param label Label for which to generate the key of length label_len. - * \param label_len Length of label in bytes. Must be < 251 in TLS 1.3. - * \param context Context of the key. Can be NULL if context_len or use_context is 0. - * \param context_len Length of context. Must be < 2^16 in TLS 1.2. - * \param use_context Indicates if a context should be used in deriving the key. - * - * \note TLS 1.2 makes a distinction between a 0-length context and no context. - * This is why the use_context argument exists. TLS 1.3 does not make - * this distinction. If use_context is 0 and TLS 1.3 is used, context and - * context_len are ignored and a 0-length context is used. - * - * \return 0 on success. An SSL specific error on failure. - */ - int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, +/** + * \brief TLS-Exporter to derive shared symmetric keys between server and client. + * + * \param ssl SSL context from which to export keys. Must have finished the handshake. + * \param out Output buffer of length at least key_len bytes. + * \param key_len Length of the key to generate in bytes. Must be < 2^16 in TLS 1.3. + * \param label Label for which to generate the key of length label_len. + * \param label_len Length of label in bytes. Must be < 251 in TLS 1.3. + * \param context Context of the key. Can be NULL if context_len or use_context is 0. + * \param context_len Length of context. Must be < 2^16 in TLS 1.2. 
+ * \param use_context Indicates if a context should be used in deriving the key. + * + * \note TLS 1.2 makes a distinction between a 0-length context and no context. + * This is why the use_context argument exists. TLS 1.3 does not make + * this distinction. If use_context is 0 and TLS 1.3 is used, context and + * context_len are ignored and a 0-length context is used. + * + * \return 0 on success. An SSL specific error on failure. + */ +int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, const char *label, const size_t label_len, const unsigned char *context, const size_t context_len, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index afbf76af71..661ae29cc8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8932,9 +8932,12 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, const mbedtls_md_type_t hash_alg, - uint8_t *out, const size_t key_len, - const char *label, const size_t label_len, - const unsigned char *context, const size_t context_len, + uint8_t *out, + const size_t key_len, + const char *label, + const size_t label_len, + const unsigned char *context, + const size_t context_len, const int use_context) { int ret = 0; @@ -8963,8 +8966,8 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s memcpy(prf_input, ssl->transform->randbytes + 32, 32); memcpy(prf_input + 32, ssl->transform->randbytes, 32); if (use_context) { - prf_input[64] = (unsigned char)((context_len >> 8) & 0xff); - prf_input[65] = (unsigned char)(context_len & 0xff); + prf_input[64] = (unsigned char) ((context_len >> 8) & 0xff); + prf_input[65] = (unsigned char) (context_len & 0xff); memcpy(prf_input + 66, context, context_len); } ret = tls_prf_generic(hash_alg, ssl->session->master, 48, label_str, 
@@ -8979,9 +8982,12 @@ exit: static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const mbedtls_md_type_t hash_alg, - uint8_t *out, const size_t key_len, - const char *label, const size_t label_len, - const unsigned char *context, const size_t context_len) + uint8_t *out, + const size_t key_len, + const char *label, + const size_t label_len, + const unsigned char *context, + const size_t context_len) { const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg); const size_t hash_len = PSA_HASH_LENGTH(hash_alg); @@ -8992,7 +8998,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, } return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len, - (const unsigned char *)label, label_len, + (const unsigned char *) label, label_len, context, context_len, out, key_len); } @@ -9016,7 +9022,12 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, label, label_len, context, context_len, use_context); case MBEDTLS_SSL_VERSION_TLS1_3: - return mbedtls_ssl_tls13_export_keying_material(ssl, hash_alg, out, key_len, label, label_len, + return mbedtls_ssl_tls13_export_keying_material(ssl, + hash_alg, + out, + key_len, + label, + label_len, use_context ? context : NULL, use_context ? context_len : 0); default: diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index e2ddaa7086..ef897e88be 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -1835,14 +1835,20 @@ int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg, int ret = 0; ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0, - MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret, hash_len); + MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret, + hash_len); if (ret != 0) { goto exit; } - ret = mbedtls_ssl_tls13_derive_secret(hash_alg, hkdf_secret, hash_len, + ret = mbedtls_ssl_tls13_derive_secret(hash_alg, + hkdf_secret, + hash_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter), - context_value, context_len, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, - out, out_len); + context_value, + context_len, + MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + out, + out_len); exit: mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret)); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 71592ef987..e443635b00 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2500,19 +2500,21 @@ usage: #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ if (opt.exp_label != NULL && opt.exp_len > 0) { - unsigned char *exported_key = calloc((size_t)opt.exp_len, sizeof(unsigned int)); + unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); if (exported_key == NULL) { mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); ret = 3; goto exit; } - ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t)opt.exp_len, + ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t) opt.exp_len, opt.exp_label, strlen(opt.exp_label), NULL, 0, 0); if (ret != 0) { goto exit; } - mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", opt.exp_len, opt.exp_label); + mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", + opt.exp_len, + opt.exp_label); for (i = 0; i < opt.exp_len; i++) { mbedtls_printf("%02X", exported_key[i]); } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c179435332..88d2e3deaf 100644 
--- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3620,19 +3620,21 @@ handshake: } if (opt.exp_label != NULL && opt.exp_len > 0) { - unsigned char *exported_key = calloc((size_t)opt.exp_len, sizeof(unsigned int)); + unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); if (exported_key == NULL) { mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); ret = 3; goto exit; } - ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t)opt.exp_len, + ret = mbedtls_ssl_export_keying_material(&ssl, exported_key, (size_t) opt.exp_len, opt.exp_label, strlen(opt.exp_label), NULL, 0, 0); if (ret != 0) { goto exit; } - mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", opt.exp_len, opt.exp_label); + mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", + opt.exp_len, + opt.exp_label); for (i = 0; i < opt.exp_len; i++) { mbedtls_printf("%02X", exported_key[i]); } diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index e5c770a8e9..ab61e03465 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1714,8 +1714,8 @@ void ssl_tls13_exporter(int hash_alg, TEST_ASSERT(mbedtls_ssl_tls13_exporter( (psa_algorithm_t) hash_alg, secret->x, secret->len, - (unsigned char *)label, strlen(label), - (unsigned char *)context_value, strlen(context_value), + (unsigned char *) label, strlen(label), + (unsigned char *) context_value, strlen(context_value), dst, desired_length) == 0); TEST_MEMORY_COMPARE(dst, desired_length, From 29beade80faabc9c4a2807323736d8517033e269 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Sat, 21 Sep 2024 11:06:28 +0200 Subject: [PATCH 15/57] Fix build when one of TLS 1.2 or 1.3 is disabled Signed-off-by: Max Fillinger --- library/ssl_tls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 661ae29cc8..b6d7b4bafc 100644 --- a/library/ssl_tls.c 
+++ b/library/ssl_tls.c @@ -8930,6 +8930,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, const mbedtls_md_type_t hash_alg, uint8_t *out, @@ -8979,7 +8980,9 @@ exit: mbedtls_free(label_str); return ret; } +#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const mbedtls_md_type_t hash_alg, uint8_t *out, @@ -9001,6 +9004,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, (const unsigned char *) label, label_len, context, context_len, out, key_len); } +#endif int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, @@ -9017,10 +9021,13 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, const mbedtls_md_type_t hash_alg = ciphersuite->mac; switch (mbedtls_ssl_get_version_number(ssl)) { +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) case MBEDTLS_SSL_VERSION_TLS1_2: return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len, label, label_len, context, context_len, use_context); +#endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) case MBEDTLS_SSL_VERSION_TLS1_3: return mbedtls_ssl_tls13_export_keying_material(ssl, hash_alg, @@ -9030,6 +9037,7 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, label_len, use_context ? context : NULL, use_context ? context_len : 0); +#endif default: return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; } From e10c9849e23b8f5657764415d0d3baebb99f8992 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Sun, 22 Sep 2024 01:28:12 +0200 Subject: [PATCH 16/57] Fix coding style Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
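Review bot: No visible line in `mbedtls_ssl_export_keying_material()` (hunk `@@ -9017,10 +9021,13 @@`) enforces the documented precondition that the handshake has finished before it reads `ciphersuite->mac` and dispatches. The helpers it calls dereference `ssl->session` and `ssl->transform`, so an early call could end in a NULL dereference rather than an error code. The start of the function is outside the hunk, so the check may already exist there. If it does not, I would add `if (!mbedtls_ssl_is_handshake_over(ssl)) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; }` ahead of the ciphersuite lookup.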
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c011b9e4d9..d88e67cec5 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5408,10 +5408,10 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * \return 0 on success. An SSL specific error on failure. */ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, - uint8_t *out, const size_t key_len, - const char *label, const size_t label_len, - const unsigned char *context, const size_t context_len, - const int use_context); + uint8_t *out, const size_t key_len, + const char *label, const size_t label_len, + const unsigned char *context, const size_t context_len, + const int use_context); #ifdef __cplusplus } #endif From 48150f5dc3641204dc6c7d262a1281e9c55be087 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 18 Oct 2024 16:19:39 +0200 Subject: [PATCH 17/57] Store randbytes for TLS 1.2 TLS-Exporter Previously, if MBEDTLS_SSL_CONTEXT_SERIALIZATION is not defined, randbytes are not stored after the handshake is done, but they are needed for TLS-Exporter in TLS 1.2. This commit also saves randbytes if MBEDTLS_SSL_PROTO_TLS1_2 is defined. Signed-off-by: Max Fillinger --- library/ssl_misc.h | 6 +++--- library/ssl_tls.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index e51a3df5ed..0f74cd5303 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -1118,10 +1118,10 @@ struct mbedtls_ssl_transform { unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || defined(MBEDTLS_SSL_PROTO_TLS1_2) /* We need the Hello random bytes in order to re-derive keys from the - * Master Secret and other session info, - * see ssl_tls12_populate_transform() */ + * Master Secret and other session info, see ssl_tls12_populate_transform(). + * They are also needed for the TLS 1.2 TLS-Exporter. */ unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; /*!< ServerHello.random+ClientHello.random */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b6d7b4bafc..38b69809fc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7746,7 +7746,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ transform->tls_version = tls_version; -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || defined(MBEDTLS_SSL_PROTO_TLS1_2) memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); #endif From f2dda15ce8260fbb2a458694d37dc35afec2f956 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 23 Oct 2024 15:47:23 +0200 Subject: [PATCH 18/57] Add label length argument to tls_prf_generic() This way, it's not required that the label is null-terminated. This allows us to avoid an allocation in mbedtls_ssl_tls12_export_keying_material(). Signed-off-by: Max Fillinger --- library/ssl_tls.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 38b69809fc..a62d4e1962 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -6192,7 +6192,7 @@ static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *der MBEDTLS_CHECK_RETURN_CRITICAL static int tls_prf_generic(mbedtls_md_type_t md_type, const unsigned char *secret, size_t slen, - const char *label, + const char *label, size_t label_len, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen) { @@ -6232,7 +6232,7 @@ static int tls_prf_generic(mbedtls_md_type_t md_type, NULL, 0, random, rlen, (unsigned char const *) label, - (size_t) strlen(label), + label_len, NULL, 0, dlen); if (status != PSA_SUCCESS) { @@ -6273,7 +6273,7 @@ static int tls_prf_sha256(const unsigned char *secret, size_t slen, unsigned char *dstbuf, size_t dlen) { return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, - label, random, rlen, dstbuf, dlen); + label, strlen(label), random, rlen, dstbuf, dlen); } #endif /* PSA_WANT_ALG_SHA_256*/ @@ -6285,7 +6285,7 @@ static int tls_prf_sha384(const unsigned char *secret, size_t slen, unsigned char *dstbuf, size_t dlen) { return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, - label, random, rlen, dstbuf, dlen); + label, strlen(label), random, rlen, dstbuf, dlen); } #endif /* PSA_WANT_ALG_SHA_384*/ @@ -8944,7 +8944,6 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s int ret = 0; size_t prf_input_len = use_context ? 64 + 2 + context_len : 64; unsigned char *prf_input = NULL; - char *label_str = NULL; if (use_context && context_len >= (1 << 16)) { ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 
@@ -8952,15 +8951,11 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s } prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char)); - label_str = mbedtls_calloc(label_len + 1, sizeof(char)); - if (prf_input == NULL || label_str == NULL) { + if (prf_input == NULL) { ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; goto exit; } - memcpy(label_str, label, label_len); - label_str[label_len] = '\0'; - /* The input to the PRF is client_random, then server_random. * If a context is provided, this is then followed by the context length * as a 16-bit big-endian integer, and then the context itself. */ @@ -8971,13 +8966,13 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s prf_input[65] = (unsigned char) (context_len & 0xff); memcpy(prf_input + 66, context, context_len); } - ret = tls_prf_generic(hash_alg, ssl->session->master, 48, label_str, + ret = tls_prf_generic(hash_alg, ssl->session->master, 48, + label, label_len, prf_input, prf_input_len, out, key_len); exit: mbedtls_free(prf_input); - mbedtls_free(label_str); return ret; } #endif From 155cea090025bc9846a66c0889c66b62330c38ce Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 23 Oct 2024 16:32:54 +0200 Subject: [PATCH 19/57] Use fewer magic numbers in TLS-Exporter functions Signed-off-by: Max Fillinger --- library/ssl_tls.c | 53 ++++++++++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 21 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a62d4e1962..d8fbd77b91 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8942,36 +8942,43 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s const int use_context) { int ret = 0; - size_t prf_input_len = use_context ? 64 + 2 + context_len : 64; unsigned char *prf_input = NULL; - if (use_context && context_len >= (1 << 16)) { - ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - goto exit; - } - - prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char)); - if (prf_input == NULL) { - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto exit; - } - /* The input to the PRF is client_random, then server_random. * If a context is provided, this is then followed by the context length * as a 16-bit big-endian integer, and then the context itself. */ - memcpy(prf_input, ssl->transform->randbytes + 32, 32); - memcpy(prf_input + 32, ssl->transform->randbytes, 32); + const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN; + size_t prf_input_len = randbytes_len; if (use_context) { - prf_input[64] = (unsigned char) ((context_len >> 8) & 0xff); - prf_input[65] = (unsigned char) (context_len & 0xff); - memcpy(prf_input + 66, context, context_len); + if (context_len > UINT16_MAX) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + /* This does not overflow a 32-bit size_t because the current value of + * prf_input_len is 64 (length of client_random + server_random) and + * context_len fits into two bytes (checked above). 
*/ + prf_input_len += sizeof(uint16_t) + context_len; } - ret = tls_prf_generic(hash_alg, ssl->session->master, 48, + + prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char)); + if (prf_input == NULL) { + return MBEDTLS_ERR_SSL_ALLOC_FAILED; + } + + memcpy(prf_input, + ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN, + MBEDTLS_CLIENT_HELLO_RANDOM_LEN); + memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, + ssl->transform->randbytes, + MBEDTLS_SERVER_HELLO_RANDOM_LEN); + if (use_context) { + MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len); + memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len); + } + ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master), label, label_len, prf_input, prf_input_len, out, key_len); - -exit: mbedtls_free(prf_input); return ret; } @@ -8991,7 +8998,11 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const size_t hash_len = PSA_HASH_LENGTH(hash_alg); const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; - if (key_len > 0xffff || label_len > 250) { + /* Check that the label and key_len fit into the HkdfLabel struct as defined + * in RFC 8446, Section 7.1. key_len must fit into an uint16 and the label + * must be at most 250 bytes long. (The struct allows up to 256 bytes for + * the label, but it is prefixed with "tls13 ".) */ + if (key_len > UINT16_MAX || label_len > 250) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } From dbe864569e247fd481678bf4d08d8c2a06906829 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 23 Oct 2024 17:21:40 +0200 Subject: [PATCH 20/57] Fix typos in comments Signed-off-by: Max Fillinger --- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index e443635b00..ffb2afaac6 100644 --- a/programs/ssl/ssl_client2.c 
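Review bot: In the TLS 1.2 exporter (hunk `@@ -8942,36 +8942,43 @@`), `memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len);` runs whenever `use_context` is set. The header comment allows `context` to be NULL when `context_len` is 0, and passing a null pointer to `memcpy` is undefined behaviour even for a zero length. I would guard only the copy, `if (context_len > 0) { memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len); }`, and leave the `MBEDTLS_PUT_UINT16_BE` length prefix unconditional so an empty context is still encoded. The function's signature lies outside this hunk.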
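Review bot: In the TLS 1.3 exporter (hunk `@@ -8991,7 +8998,11 @@`), `PSA_HASH_LENGTH(hash_alg)` is applied to the `mbedtls_md_type_t` argument rather than to the converted `psa_hash_alg` that the same function computes one line earlier (visible in the style-fix hunk of this series). This yields the right `hash_len` only if the two enumerations happen to share their low-order encoding, which the page does not show. Since `hash_len` is the length of `exporter_master_secret` fed to the derivation, I would write `const size_t hash_len = PSA_HASH_LENGTH(psa_hash_alg);` so the secret length cannot silently become wrong. The declaration of `psa_hash_alg` and the call to `mbedtls_ssl_tls13_exporter()` are outside this hunk.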
+++ b/programs/ssl/ssl_client2.c @@ -541,7 +541,7 @@ struct options { int reproducible; /* make communication reproducible */ int skip_close_notify; /* skip sending the close_notify alert */ const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */ - int exp_len; /* Lenght of key to export using mbedtls_ssl_export_keying_material() */ + int exp_len; /* Length of key to export using mbedtls_ssl_export_keying_material() */ #if defined(MBEDTLS_SSL_EARLY_DATA) int early_data; /* early data enablement flag */ #endif diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 88d2e3deaf..881c9fa77e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -615,7 +615,7 @@ struct options { int event; /* loop or event-driven IO? level or edge triggered? */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ const char *exp_label; /* label to input into mbedtls_ssl_export_keying_material() */ - int exp_len; /* Lenght of key to export using mbedtls_ssl_export_keying_material() */ + int exp_len; /* Length of key to export using mbedtls_ssl_export_keying_material() */ int response_size; /* pad response with header to requested size */ uint16_t buffer_size; /* IO buffer size */ const char *ca_file; /* the file with the CA certificate(s) */ From c9f2c9adbac2cf5d88ef35861163690d204ae79d Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 23 Oct 2024 17:24:03 +0200 Subject: [PATCH 21/57] Revert "Store randbytes for TLS 1.2 TLS-Exporter" This reverts commit cb01dd1333f8083af469e9a0c59f316f1eb0cfe3. Signed-off-by: Max Fillinger --- library/ssl_misc.h | 6 +++--- library/ssl_tls.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 0f74cd5303..e51a3df5ed 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -1118,10 +1118,10 @@ struct mbedtls_ssl_transform { unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) /* We need the Hello random bytes in order to re-derive keys from the - * Master Secret and other session info, see ssl_tls12_populate_transform(). - * They are also needed for the TLS 1.2 TLS-Exporter. */ + * Master Secret and other session info, + * see ssl_tls12_populate_transform() */ unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; /*!< ServerHello.random+ClientHello.random */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d8fbd77b91..f1b7994440 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7746,7 +7746,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ transform->tls_version = tls_version; -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); #endif From 281fb791166465ad50db97e4b0e47f51e9b2d867 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 23 Oct 2024 18:35:09 +0200 Subject: [PATCH 22/57] Remove TLS 1.2 Exporter if we don't have randbytes The TLS-Exporter in TLS 1.2 requires client_random and server_random. Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored after the handshake is completed. Therefore, mbedtls_ssl_export_keying_material() exists only if either MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2 is *not* defined. 
Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 2 ++ library/ssl_tls.c | 9 +++++++-- programs/ssl/ssl_client2.c | 12 +++++++----- programs/ssl/ssl_server2.c | 12 +++++++----- 4 files changed, 23 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d88e67cec5..9ded4e6d22 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5407,11 +5407,13 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * * \return 0 on success. An SSL specific error on failure. */ + #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, const char *label, const size_t label_len, const unsigned char *context, const size_t context_len, const int use_context); +#endif #ifdef __cplusplus } #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f1b7994440..e4450b681d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8930,6 +8930,9 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ + +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) + #if defined(MBEDTLS_SSL_PROTO_TLS1_2) static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, const mbedtls_md_type_t hash_alg, @@ -8982,7 +8985,7 @@ static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *s mbedtls_free(prf_input); return ret; } -#endif +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, 
@@ -9010,7 +9013,7 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, (const unsigned char *) label, label_len, context, context_len, out, key_len); } -#endif +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, @@ -9049,4 +9052,6 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, } } +#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) */ + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index ffb2afaac6..9e38f690af 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -336,7 +336,11 @@ int main(void) " in the form of base64 code (serialize option\n" \ " must be set)\n" \ " default: \"\" (do nothing)\n" \ - " option: a file path\n" + " option: a file path\n" \ + " exp_label=%%s Label to input into TLS-Exporter\n" \ + " default: None (don't try to export a key)\n" \ + " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ + " default: 20\n" #else #define USAGE_SERIALIZATION "" #endif @@ -391,10 +395,6 @@ int main(void) " read_timeout=%%d default: 0 ms (no timeout)\n" \ " max_resend=%%d default: 0 (no resend on timeout)\n" \ " skip_close_notify=%%d default: 0 (send close_notify)\n" \ - " exp_label=%%s Label to input into TLS-Exporter\n" \ - " default: None (don't try to export a key)\n" \ - " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ - " default: 20\n" \ "\n" \ USAGE_DTLS \ USAGE_CID \ @@ -2499,6 +2499,7 @@ usage: } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) if (opt.exp_label != NULL && opt.exp_len > 0) { unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); if (exported_key == NULL) { 
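Review bot: In ssl_client2.c (hunk `@@ -2499,6 +2499,7 @@`), `calloc((size_t) opt.exp_len, sizeof(unsigned int))` sizes each element as an `unsigned int`, although `exported_key` is an `unsigned char` buffer of which only `opt.exp_len` bytes are written and printed; `calloc((size_t) opt.exp_len, sizeof(unsigned char))` matches the use. The rest of the block is outside this hunk, but the lines shown elsewhere in the series take `goto exit` on failure without releasing the buffer, and no `free` is visible after the hex dump. Since the buffer holds exported key material, I would add `mbedtls_platform_zeroize(exported_key, (size_t) opt.exp_len);` followed by `free(exported_key);` on both paths. The same allocation appears in the ssl_server2.c hunk `@@ -3619,6 +3619,7 @@` and in the later hunks that switch the guard to `MBEDTLS_SSL_KEYING_MATERIAL_EXPORT`.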
@@ -2521,6 +2522,7 @@ usage: mbedtls_printf("\n\n"); fflush(stdout); } +#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) */ /* * 6. Write the GET request diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 881c9fa77e..9eab6cddb1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -471,7 +471,11 @@ int main(void) " in the form of base64 code (serialize option\n" \ " must be set)\n" \ " default: \"\" (do nothing)\n" \ - " option: a file path\n" + " option: a file path\n" \ + " exp_label=%%s Label to input into TLS-Exporter\n" \ + " default: None (don't try to export a key)\n" \ + " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ + " default: 20\n" #else #define USAGE_SERIALIZATION "" #endif @@ -519,10 +523,6 @@ int main(void) " event=%%d default: 0 (loop)\n" \ " options: 1 (level-triggered, implies nbio=1),\n" \ " read_timeout=%%d default: 0 ms (no timeout)\n" \ - " exp_label=%%s Label to input into TLS-Exporter\n" \ - " default: None (don't try to export a key)\n" \ - " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ - " default: 20\n" \ "\n" \ USAGE_DTLS \ USAGE_SRTP \ @@ -3619,6 +3619,7 @@ handshake: mbedtls_printf("\n"); } +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) if (opt.exp_label != NULL && opt.exp_len > 0) { unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); if (exported_key == NULL) { @@ -3641,6 +3642,7 @@ handshake: mbedtls_printf("\n\n"); fflush(stdout); } +#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALZIATION) */ #if defined(MBEDTLS_SSL_DTLS_SRTP) else if (opt.use_srtp != 0) { From 2fe35f61bf90ea0d589ce2485482356a1263c017 Mon Sep 17 00:00:00 2001 
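Review bot: In ssl_server2.c (hunk `@@ -3642,6 +3642,7 @@`), the `else if (opt.use_srtp != 0) {` that follows the added `#endif` now attaches to a different `if` depending on the build. With the guard defined it is the `else` of `if (opt.exp_label != NULL && opt.exp_len > 0)`, so requesting an export skips the SRTP branch. With the guard undefined it binds to whatever block closes just before the `#if`, which is outside the hunk. I would move the whole guarded export block below the `#endif` of the `MBEDTLS_SSL_DTLS_SRTP` chain so that it is a standalone `if` in every configuration. The later hunk `@@ -3642,7 +3649,7 @@`, which renames the guard to `MBEDTLS_SSL_KEYING_MATERIAL_EXPORT`, keeps the same layout.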
From: Max Fillinger Date: Fri, 25 Oct 2024 00:52:24 +0200 Subject: [PATCH 23/57] Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h to control if the function mbedtls_ssl_export_keying_material() should be available. By default, the option is disabled. This is because the exporter for TLS 1.2 requires client_random and server_random need to be stored after the handshake is complete. Signed-off-by: Max Fillinger --- include/mbedtls/mbedtls_config.h | 14 ++++++++++++++ include/mbedtls/ssl.h | 10 +++++++++- library/ssl_misc.h | 7 ++++--- library/ssl_tls.c | 7 +++---- programs/ssl/ssl_client2.c | 21 ++++++++++++++------- programs/ssl/ssl_server2.c | 15 +++++++++++---- 6 files changed, 55 insertions(+), 19 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2dc475b9f7..ca1486dbdf 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -737,6 +737,20 @@ */ //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT +/* + * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT + * + * When this option is enabled, the client and server can extract additional + * shared symmetric keys after an SSL handshake using the function + * mbedtls_ssl_export_keying_material(). + * + * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and + * in RFC 8446, Section 7.5, for TLS 1.3. + * + * Uncomment this macro to enable mbedtls_ssl_export_keying_material(). + */ +//#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT + /** * \def MBEDTLS_SSL_RENEGOTIATION * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 9ded4e6d22..8383ead054 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
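Review bot: The new option's comment in mbedtls_config.h (hunk `@@ -737,6 +737,20 @@`) opens with `/*` while the neighbouring `MBEDTLS_SSL_RENEGOTIATION` entry opens with `/**`, so the `\def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` block will probably not be picked up as documentation; the first line should be `/**`. The text also omits the cost that the commit message gives as the reason for the option: with TLS 1.2 enabled, client_random and server_random are kept in the transform after the handshake. I would add one sentence saying so. A second sentence could note that in TLS 1.2 the exporter output is derived from the master secret and the two randoms, so RFC 5705 exports should be relied on only for sessions that negotiated the extended master secret (RFC 7627, `MBEDTLS_SSL_EXTENDED_MASTER_SECRET`).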
@@ -676,6 +676,14 @@ union mbedtls_ssl_premaster_secret { /* Length in number of bytes of the TLS sequence number */ #define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8 +/* Helper to state that client_random and server_random need to be stored + * after the handshake is complete. This is required for context serialization + * and for the keying material exporter in TLS 1.2. */ +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || \ + (defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) && defined(MBEDTLS_SSL_PROTO_TLS1_2)) +#define MBEDTLS_SSL_KEEP_RANDBYTES +#endif + #ifdef __cplusplus extern "C" { #endif @@ -5407,7 +5415,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * * \return 0 on success. An SSL specific error on failure. */ - #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, const char *label, const size_t label_len, diff --git a/library/ssl_misc.h b/library/ssl_misc.h index e51a3df5ed..596e7bc833 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1118,10 +1118,11 @@ struct mbedtls_ssl_transform { unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +#if defined(MBEDTLS_SSL_KEEP_RANDBYTES) /* We need the Hello random bytes in order to re-derive keys from the - * Master Secret and other session info, - * see ssl_tls12_populate_transform() */ + * Master Secret and other session info and for the keying material + * exporter in TLS 1.2. + * See ssl_tls12_populate_transform() */ unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; /*!< ServerHello.random+ClientHello.random */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e4450b681d..c20a68d2e0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -7746,7 +7746,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ transform->tls_version = tls_version; -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +#if defined(MBEDTLS_SSL_KEEP_RANDBYTES) memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); #endif @@ -8930,8 +8930,7 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ - -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, @@ -9052,6 +9051,6 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, } } -#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) || !defined(MBEDTLS_SSL_PROTO_TLS1_2) */ +#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 9e38f690af..061096bdf0 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -336,11 +336,7 @@ int main(void) " in the form of base64 code (serialize option\n" \ " must be set)\n" \ " default: \"\" (do nothing)\n" \ - " option: a file path\n" \ - " exp_label=%%s Label to input into TLS-Exporter\n" \ - " default: None (don't try to export a key)\n" \ - " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ - " default: 20\n" + " option: a file path\n" #else #define USAGE_SERIALIZATION "" #endif 
@@ -370,6 +366,16 @@ int main(void) #define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#define USAGE_EXPORT \ + " exp_label=%%s Label to input into TLS-Exporter\n" \ + " default: None (don't try to export a key)\n" \ + " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ + " default: 20\n" +#else +#define USAGE_EXPORT "" +#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ + /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ #define USAGE1 \ @@ -456,6 +462,7 @@ int main(void) " otherwise. The expansion of the macro\n" \ " is printed if it is defined\n" \ USAGE_SERIALIZATION \ + USAGE_EXPORT \ "\n" /* @@ -2499,7 +2506,7 @@ usage: } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) if (opt.exp_label != NULL && opt.exp_len > 0) { unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); if (exported_key == NULL) { @@ -2522,7 +2529,7 @@ usage: mbedtls_printf("\n\n"); fflush(stdout); } -#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) */ +#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ /* * 6. Write the GET request diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 9eab6cddb1..5186006886 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -471,13 +471,19 @@ int main(void) " in the form of base64 code (serialize option\n" \ " must be set)\n" \ " default: \"\" (do nothing)\n" \ - " option: a file path\n" \ + " option: a file path\n" +#else +#define USAGE_SERIALIZATION "" +#endif + +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +#define USAGE_EXPORT \ " exp_label=%%s Label to input into TLS-Exporter\n" \ " default: None (don't try to export a key)\n" \ " exp_len=%%d Length of key to extract from TLS-Exporter \n" \ " default: 20\n" #else -#define USAGE_SERIALIZATION "" +#define USAGE_EXPORT "" #endif #define USAGE_KEY_OPAQUE_ALGS \ @@ -587,6 +593,7 @@ int main(void) " otherwise. The expansion of the macro\n" \ " is printed if it is defined\n" \ USAGE_SERIALIZATION \ + USAGE_EXPORT \ "\n" #define PUT_UINT64_BE(out_be, in_le, i) \ @@ -3619,7 +3626,7 @@ handshake: mbedtls_printf("\n"); } -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) if (opt.exp_label != NULL && opt.exp_len > 0) { unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); if (exported_key == NULL) { @@ -3642,7 +3649,7 @@ handshake: mbedtls_printf("\n\n"); fflush(stdout); } -#endif /* defined(MBEDTLS_SSL_CONTEXT_SERIALZIATION) */ +#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ #if defined(MBEDTLS_SSL_DTLS_SRTP) else if (opt.use_srtp != 0) { From 51bec543bb90092c81548bc6297f21d6ff67bac2 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 28 Oct 2024 13:14:39 +0100 Subject: [PATCH 24/57] Enable MBEDTLS_SSL_KEYING_MATERIAL_EXPORT by default Signed-off-by: Max Fillinger --- include/mbedtls/mbedtls_config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index ca1486dbdf..40e16e108a 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h 
@@ -747,9 +747,9 @@ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and * in RFC 8446, Section 7.5, for TLS 1.3. * - * Uncomment this macro to enable mbedtls_ssl_export_keying_material(). + * Comment this macro to disable mbedtls_ssl_export_keying_material(). */ -//#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT /** * \def MBEDTLS_SSL_RENEGOTIATION From 07473882541ee08aa886b0152f75ce23be45dbe5 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 28 Oct 2024 14:44:25 +0100 Subject: [PATCH 25/57] Fix #endif comment Signed-off-by: Max Fillinger --- library/ssl_misc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 596e7bc833..9a2485db9d 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1126,7 +1126,7 @@ struct mbedtls_ssl_transform { unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; /*!< ServerHello.random+ClientHello.random */ -#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ +#endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */ }; /* From a5b63c5e40c438a2aedc434890acb4b9459b17c4 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 28 Oct 2024 14:46:46 +0100 Subject: [PATCH 26/57] Mention MBEDTLS_SSL_KEYING_MATERIAL_EXPORT in change log Signed-off-by: Max Fillinger --- ChangeLog.d/add-tls-exporter.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog.d/add-tls-exporter.txt b/ChangeLog.d/add-tls-exporter.txt index 2b06c5f294..1aea653e09 100644 --- a/ChangeLog.d/add-tls-exporter.txt +++ b/ChangeLog.d/add-tls-exporter.txt @@ -2,3 +2,5 @@ Features * Add the function mbedtls_ssl_export_keying_material() which allows the client and server to extract additional shared symmetric keys from an SSL session, according to the TLS-Exporter specification in RFC 8446 and 5705. + This requires MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to be defined in + mbedtls_config.h. 
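Review bot: The rewritten comment for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT says how to disable the option but not what leaving it on costs, now that it is the default. Elsewhere in this series the TLS 1.3 exporter reads `ssl->session->app_secrets.exporter_master_secret` and the TLS 1.2 transform copies `randbytes` under MBEDTLS_SSL_KEEP_RANDBYTES. If that state is retained because of this option (the dependency is not visible in this hunk), every default build keeps it for the life of the connection. Once that is confirmed I would add a line such as `Enabling this keeps the exporter secret (TLS 1.3) and the hello randoms (TLS 1.2) in the SSL context after the handshake.`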
From cf007ca8bba163c73f947eafaa527e2b94073f75 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Tue, 29 Oct 2024 16:57:09 +0100 Subject: [PATCH 27/57] Add more tests for keying material export Signed-off-by: Max Fillinger --- tests/include/test/ssl_helpers.h | 7 + tests/src/test_helpers/ssl_helpers.c | 49 ++++++ tests/suites/test_suite_ssl.data | 64 ++++++++ tests/suites/test_suite_ssl.function | 231 ++++++++++++++++++++++++++- 4 files changed, 350 insertions(+), 1 deletion(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 3ba314f832..772278135a 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -589,6 +589,13 @@ int mbedtls_test_ssl_exchange_data( mbedtls_ssl_context *ssl_2, int msg_len_2, const int expected_fragments_2); +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_test_ssl_do_handshake_with_endpoints( + mbedtls_test_ssl_endpoint *server_ep, + mbedtls_test_ssl_endpoint *client_ep, + mbedtls_ssl_protocol_version proto); +#endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */ + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) void mbedtls_test_ssl_perform_handshake( mbedtls_test_handshake_test_options *options); diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index bffb35372b..65ad10c6f4 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c 
@@ -2028,6 +2028,55 @@ exit: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_test_ssl_do_handshake_with_endpoints( + mbedtls_test_ssl_endpoint *server_ep, + mbedtls_test_ssl_endpoint *client_ep, + mbedtls_ssl_protocol_version proto) +{ + enum { BUFFSIZE = 1024 }; + + int ret = -1; + mbedtls_test_handshake_test_options options; + + mbedtls_test_init_handshake_options(&options); + options.server_min_version = proto; + options.client_min_version = proto; + options.server_max_version = proto; + options.client_max_version = proto; + + ret = mbedtls_test_ssl_endpoint_init(client_ep, MBEDTLS_SSL_IS_CLIENT, &options, + NULL, NULL, NULL); + if (ret != 0) { + return ret; + } + ret = mbedtls_test_ssl_endpoint_init(server_ep, MBEDTLS_SSL_IS_SERVER, &options, + NULL, NULL, NULL); + if (ret != 0) { + return ret; + } + + ret = mbedtls_test_mock_socket_connect(&client_ep->socket, &server_ep->socket, BUFFSIZE); + if (ret != 0) { + return ret; + } + + ret = mbedtls_test_move_handshake_to_state(&server_ep->ssl, &client_ep->ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + return ret; + } + ret = mbedtls_test_move_handshake_to_state(&client_ep->ssl, &server_ep->ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + return ret; + } + if (!mbedtls_ssl_is_handshake_over(&client_ep->ssl) || !mbedtls_ssl_is_handshake_over(&server_ep->ssl)) { + return -1; + } + + return 0; +} +#endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */ + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) void mbedtls_test_ssl_perform_handshake( mbedtls_test_handshake_test_options *options) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 25cb965e85..ad0d2851f3 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
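Review bot: The early `return ret;` paths in mbedtls_test_ssl_do_handshake_with_endpoints() leave the endpoints in a mixed state: if the server init or the socket connect fails, `client_ep` is already initialised and nothing releases it, and the caller cannot tell which of the two endpoints is safe to free. Either undo the partial setup before returning, e.g. `mbedtls_test_ssl_endpoint_free(client_ep, NULL);` on the server-init failure path, or document the contract. The declaration added to ssl_helpers.h has no comment, so I would also add one there stating that both endpoints are initialised on success, which of them may be initialised on failure, and that the caller frees them.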
@@ -3334,3 +3334,67 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3 TLS 1.3 srv, max early data size, HRR, 98, wsz=49 tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0 + +TLS 1.2 Keying Material Exporter: Consistent results, no context +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:0 + +TLS 1.2 Keying Material Exporter: Consistent results, with context +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1 + +TLS 1.2 Keying Material Exporter: Consistent results, large keys +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:UINT16_MAX:0 + +TLS 1.2 Keying Material Exporter: Uses label +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_2 + +TLS 1.2 Keying Material Exporter: Uses context +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_2 + +TLS 1.2 Keying Material Exporter: Context too long +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_2:24:251:UINT16_MAX + 1 + +TLS 1.2 Keying Material Exporter: Handshake not done +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_2:1:MBEDTLS_SSL_SERVER_CERTIFICATE + +TLS 1.3 Keying Material Exporter: Consistent results, no context +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:0 + +TLS 1.3 Keying Material Exporter: Consistent results, with context +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 + +TLS 1.3 Keying Material Exporter: Consistent results, large keys +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX:0 + +TLS 1.3 Keying Material Exporter: Uses label +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 
+ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_3 + +TLS 1.3 Keying Material Exporter: Uses context +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_3 + +TLS 1.3 Keying Material Exporter: Uses length +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls13_exporter_uses_length + +TLS 1.3 Keying Material Exporter: Exported key too long +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX + 1:20:20 + +TLS 1.3 Keying Material Exporter: Label too long +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:251:10 + +TLS 1.3 Keying Material Exporter: Handshake not done +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTIFICATE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ab61e03465..33012493e9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1695,7 +1695,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ void ssl_tls13_exporter(int hash_alg, data_t *secret, char *label, 
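Review bot: Both "Handshake not done" cases pass `check_server` = 1, so the client branch of ssl_tls_exporter_too_early is never run and nothing checks that a client refuses to export before its handshake completes. That refusal is the property protecting against deriving keys from absent secrets, so it deserves a case on each side. I would add `ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_2:0:MBEDTLS_SSL_SERVER_CERTIFICATE` and the TLS 1.3 equivalent, each with its own title line and the matching `depends_on`.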
@@ -5229,5 +5229,234 @@ exit: mbedtls_debug_set_threshold(0); mbedtls_free(first_frag); PSA_DONE(); +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context) +{ + /* Test that the client and server generate the same key. */ + + int ret = -1; + uint8_t *key_buffer_server = NULL; + uint8_t *key_buffer_client = NULL; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + TEST_ASSERT(exported_key_length > 0); + TEST_CALLOC(key_buffer_server, exported_key_length); + TEST_CALLOC(key_buffer_client, exported_key_length); + + char label[] = "test-label"; + unsigned char context[128] = { 0 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, (size_t)exported_key_length, + label, sizeof(label), + context, sizeof(context), use_context); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, (size_t)exported_key_length, + label, sizeof(label), + context, sizeof(context), use_context); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t)exported_key_length) == 0); + +exit: + MD_OR_USE_PSA_DONE(); + mbedtls_free(key_buffer_server); + mbedtls_free(key_buffer_client); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_uses_label(int proto) +{ + /* Test that the client and server export different keys when using different labels. 
*/ + + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + char label_server[] = "test-label-server"; + char label_client[] = "test-label-client"; + uint8_t key_buffer_server[24] = { 0 }; + uint8_t key_buffer_client[24] = { 0 }; + unsigned char context[128] = { 0 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, sizeof(key_buffer_server), + label_server, sizeof(label_server), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, sizeof(key_buffer_client), + label_client, sizeof(label_client), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); + +exit: + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_uses_context(int proto) +{ + /* Test that the client and server export different keys when using different contexts. 
*/ + + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + char label[] = "test-label"; + uint8_t key_buffer_server[24] = { 0 }; + uint8_t key_buffer_client[24] = { 0 }; + unsigned char context_server[128] = { 0 }; + unsigned char context_client[128] = { 23 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, sizeof(key_buffer_server), + label, sizeof(label), + context_server, sizeof(context_server), 1); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, sizeof(key_buffer_client), + label, sizeof(label), + context_client, sizeof(context_client), 1); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); + +exit: + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls13_exporter_uses_length(void) +{ + /* In TLS 1.3, when two keys are exported with the same parameters except one is shorter, + * the shorter key should NOT be a prefix of the longer one. 
*/ + + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, MBEDTLS_SSL_VERSION_TLS1_3); + TEST_ASSERT(ret == 0); + + char label[] = "test-label"; + uint8_t key_buffer_server[16] = { 0 }; + uint8_t key_buffer_client[24] = { 0 }; + unsigned char context[128] = { 0 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, sizeof(key_buffer_server), + label, sizeof(label), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, sizeof(key_buffer_client), + label, sizeof(label), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); + +exit: + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_rejects_bad_parameters( + int proto, int exported_key_length, int label_length, int context_length) +{ + MD_OR_USE_PSA_INIT(); + + int ret = -1; + uint8_t *key_buffer = NULL; + char *label = NULL; + uint8_t *context = NULL; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + TEST_ASSERT(exported_key_length > 0); + TEST_ASSERT(label_length > 0); + TEST_ASSERT(context_length > 0); + TEST_CALLOC(key_buffer, exported_key_length); + TEST_CALLOC(label, label_length); + TEST_CALLOC(context, context_length); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer, exported_key_length, + label, label_length, + context, context_length, 1); + TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + +exit: + MD_OR_USE_PSA_DONE(); + mbedtls_free(key_buffer); + mbedtls_free(label); + mbedtls_free(context); +} +/* END_CASE */ + +/* BEGIN_CASE 
depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_too_early(int proto, int check_server, int state) +{ + enum { BUFFSIZE = 1024 }; + + int ret = -1; + mbedtls_test_ssl_endpoint server_ep, client_ep; + + mbedtls_test_handshake_test_options options; + mbedtls_test_init_handshake_options(&options); + options.server_min_version = proto; + options.client_min_version = proto; + options.server_max_version = proto; + options.client_max_version = proto; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &options, + NULL, NULL, NULL); + TEST_ASSERT(ret == 0); + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &options, + NULL, NULL, NULL); + TEST_ASSERT(ret == 0); + + ret = mbedtls_test_mock_socket_connect(&client_ep.socket, &server_ep.socket, BUFFSIZE); + TEST_ASSERT(ret == 0); + + if (check_server) { + ret = mbedtls_test_move_handshake_to_state(&server_ep.ssl, &client_ep.ssl, state); + } else { + ret = mbedtls_test_move_handshake_to_state(&client_ep.ssl, &server_ep.ssl, state); + } + TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_WANT_READ || MBEDTLS_ERR_SSL_WANT_WRITE); + + char label[] = "test-label"; + uint8_t key_buffer[24] = { 0 }; + ret = mbedtls_ssl_export_keying_material(check_server ? &server_ep.ssl : &client_ep.ssl, + key_buffer, sizeof(key_buffer), + label, sizeof(label), + NULL, 0, 0); + + /* FIXME: A more appropriate error code should be created for this case. */ + TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + +exit: + MD_OR_USE_PSA_DONE(); } /* END_CASE */ From 28916ac8feb83852de9f94f7d2dcb6857d17991d Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Tue, 29 Oct 2024 18:49:30 +0100 Subject: [PATCH 28/57] Increase allowed output size of HKDF-Expand-Label 
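Review bot: The assertion after the state move in ssl_tls_exporter_too_early is always true, because its last operand is the bare constant `MBEDTLS_ERR_SSL_WANT_WRITE` rather than a comparison. A failed `mbedtls_test_move_handshake_to_state()` therefore goes unnoticed, and the later `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` check can pass for a reason unrelated to the handshake state. It should read `TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);`.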
Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.c | 12 +++++------- library/ssl_tls13_keys.h | 12 +++++------- tests/suites/test_suite_ssl.data | 2 +- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index ef897e88be..895176d0c6 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -107,15 +107,13 @@ static void ssl_tls13_hkdf_encode_label( unsigned char *p = dst; - /* Add the size of the expanded key material. - * We're hardcoding the high byte to 0 here assuming that we never use - * TLS 1.3 HKDF key expansion to more than 255 Bytes. */ -#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255 -#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \ - value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN" + /* Add the size of the expanded key material. */ +#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX +#error "The desired key length must fit into an uint16 but \ + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX" #endif - *p++ = 0; + *p++ = MBEDTLS_BYTE_1(desired_length); *p++ = MBEDTLS_BYTE_0(desired_length); /* Add label incl. prefix */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index a4b012f36e..31ffe4481e 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -70,13 +70,11 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels; PSA_HASH_MAX_SIZE /* Maximum desired length for expanded key material generated - * by HKDF-Expand-Label. - * - * Warning: If this ever needs to be increased, the implementation - * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be - * adjusted since it currently assumes that HKDF key expansion - * is never used with more than 255 Bytes of output. */ -#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255 + * by HKDF-Expand-Label. This algorithm can output up to 255 * hash_size + * bytes of key material where hash_size is the output size of the + * underlying hash function. */ +#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN \ + (255 * MBEDTLS_TLS1_3_MD_MAX_SIZE) /** * \brief The \c HKDF-Expand-Label function from diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index ad0d2851f3..2f3b1ebee6 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3373,7 +3373,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 TLS 1.3 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_3 -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:1024:0 TLS 1.3 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_3 From 3e1291866d50de06be5201163b876b0ed21da39f Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Tue, 29 Oct 2024 19:18:54 +0100 Subject: [PATCH 29/57] Fix output size check for key material exporter HKDF-Expand can produce at most 255 * hash_size bytes of key material, so this limit applies to the TLS 1.3 key material exporter. Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 3 ++- library/ssl_tls.c | 15 ++++++++++----- tests/suites/test_suite_ssl.data | 4 ++-- 3 files changed, 14 insertions(+), 8 deletions(-) 
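Review bot: The new comment describes the limit as 255 * hash_size for the underlying hash, but the macro is built from `MBEDTLS_TLS1_3_MD_MAX_SIZE`, which appears to be defined as `PSA_HASH_MAX_SIZE` just above. That makes it an upper bound over every hash the build supports, not the limit for the hash in use. A reader could take a check against this macro as sufficient for HKDF-Expand. I would add a sentence such as `This is a build-wide upper bound; callers must still check the requested length against 255 * the output size of the hash actually used.`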
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8383ead054..e3772891b0 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5401,7 +5401,8 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * * \param ssl SSL context from which to export keys. Must have finished the handshake. * \param out Output buffer of length at least key_len bytes. - * \param key_len Length of the key to generate in bytes. Must be < 2^16 in TLS 1.3. + * \param key_len Length of the key to generate in bytes. In TLS 1.3, this can be at most + * 8160 if SHA256 is used as hash function or 12240 if SHA384 is used. * \param label Label for which to generate the key of length label_len. * \param label_len Length of label in bytes. Must be < 251 in TLS 1.3. * \param context Context of the key. Can be NULL if context_len or use_context is 0. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c20a68d2e0..79bd623ebd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -9000,11 +9000,16 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const size_t hash_len = PSA_HASH_LENGTH(hash_alg); const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; - /* Check that the label and key_len fit into the HkdfLabel struct as defined - * in RFC 8446, Section 7.1. key_len must fit into an uint16 and the label - * must be at most 250 bytes long. (The struct allows up to 256 bytes for - * the label, but it is prefixed with "tls13 ".) */ - if (key_len > UINT16_MAX || label_len > 250) { + /* Validate the length of the label and the desired key length. The key + * length can be at most 255 * hash_len by definition of HKDF-Expand in + * RFC 5869. + * + * The length of the label must be at most 250 bytes long to fit into the + * HkdfLabel struct as defined in RFC 8446, Section 7.1. This struct also + * requires that key_len fits into a uint16, but until we have to deal with + * a hash function with more than 2048 bits of output, the 255 * hash_len + * limit will guarantee that. */ + if (key_len > 255 * hash_len || label_len > 250) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 2f3b1ebee6..692cb9ba74 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3373,7 +3373,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 TLS 1.3 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_3 -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:1024:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32:0 TLS 1.3 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_3 
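Review bot: The rewritten bound `key_len > 255 * hash_len` drops the explicit uint16 check and relies on the comment's argument that it is implied. ssl_tls13_hkdf_encode_label() now writes only `MBEDTLS_BYTE_1(desired_length)` and `MBEDTLS_BYTE_0(desired_length)`, so a larger value would be truncated inside the HkdfLabel unless a check outside this view rejects it first. Keeping both bounds costs nothing and removes the dependency on hash sizes: `if (key_len > 255 * hash_len || key_len > UINT16_MAX || label_len > 250) {`. The body of mbedtls_ssl_tls13_export_keying_material() continues outside the hunk.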
@@ -3389,7 +3389,7 @@ ssl_tls13_exporter_uses_length TLS 1.3 Keying Material Exporter: Exported key too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3 -ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX + 1:20:20 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 48 + 1:20:20 TLS 1.3 Keying Material Exporter: Label too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3 From 8f12e312234466e7a8633a1d14860e932dbfb0e7 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 30 Oct 2024 00:29:37 +0100 Subject: [PATCH 30/57] Exportert tests: Free endpoints and options Signed-off-by: Max Fillinger --- tests/include/test/ssl_helpers.h | 1 + tests/src/test_helpers/ssl_helpers.c | 16 +++++++------- tests/suites/test_suite_ssl.function | 33 +++++++++++++++++++++++----- 3 files changed, 37 insertions(+), 13 deletions(-) diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 772278135a..769749da4f 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -593,6 +593,7 @@ int mbedtls_test_ssl_exchange_data( int mbedtls_test_ssl_do_handshake_with_endpoints( mbedtls_test_ssl_endpoint *server_ep, mbedtls_test_ssl_endpoint *client_ep, + mbedtls_test_handshake_test_options *options, mbedtls_ssl_protocol_version proto); #endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */ diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 65ad10c6f4..354ca13bfc 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c 
@@ -2032,25 +2032,25 @@ exit: int mbedtls_test_ssl_do_handshake_with_endpoints( mbedtls_test_ssl_endpoint *server_ep, mbedtls_test_ssl_endpoint *client_ep, + mbedtls_test_handshake_test_options *options, mbedtls_ssl_protocol_version proto) { enum { BUFFSIZE = 1024 }; int ret = -1; - mbedtls_test_handshake_test_options options; - mbedtls_test_init_handshake_options(&options); - options.server_min_version = proto; - options.client_min_version = proto; - options.server_max_version = proto; - options.client_max_version = proto; + mbedtls_test_init_handshake_options(options); + options->server_min_version = proto; + options->client_min_version = proto; + options->server_max_version = proto; + options->client_max_version = proto; - ret = mbedtls_test_ssl_endpoint_init(client_ep, MBEDTLS_SSL_IS_CLIENT, &options, + ret = mbedtls_test_ssl_endpoint_init(client_ep, MBEDTLS_SSL_IS_CLIENT, options, NULL, NULL, NULL); if (ret != 0) { return ret; } - ret = mbedtls_test_ssl_endpoint_init(server_ep, MBEDTLS_SSL_IS_SERVER, &options, + ret = mbedtls_test_ssl_endpoint_init(server_ep, MBEDTLS_SSL_IS_SERVER, options, NULL, NULL, NULL); if (ret != 0) { return ret; diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 33012493e9..099e0e10b0 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5240,10 +5240,11 @@ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int uint8_t *key_buffer_server = NULL; uint8_t *key_buffer_client = NULL; mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options options; MD_OR_USE_PSA_INIT(); - ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); TEST_ASSERT(ret == 0); TEST_ASSERT(exported_key_length > 0); 
@@ -5266,6 +5267,9 @@ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int exit: MD_OR_USE_PSA_DONE(); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_free_handshake_options(&options); mbedtls_free(key_buffer_server); mbedtls_free(key_buffer_client); } @@ -5278,10 +5282,11 @@ void ssl_tls_exporter_uses_label(int proto) int ret = -1; mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options options; MD_OR_USE_PSA_INIT(); - ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); TEST_ASSERT(ret == 0); char label_server[] = "test-label-server"; @@ -5302,6 +5307,9 @@ void ssl_tls_exporter_uses_label(int proto) TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); exit: + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_free_handshake_options(&options); MD_OR_USE_PSA_DONE(); } /* END_CASE */ @@ -5313,10 +5321,11 @@ void ssl_tls_exporter_uses_context(int proto) int ret = -1; mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options options; MD_OR_USE_PSA_INIT(); - ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); TEST_ASSERT(ret == 0); char label[] = "test-label"; @@ -5337,6 +5346,9 @@ void ssl_tls_exporter_uses_context(int proto) TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); exit: + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_free_handshake_options(&options); MD_OR_USE_PSA_DONE(); } /* END_CASE */ 
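Review bot: The frees added under `exit:` in ssl_tls_exporter_consistent_result run after `MD_OR_USE_PSA_DONE()`, while the ssl_tls_exporter_uses_label, ssl_tls_exporter_uses_context and ssl_tls13_exporter_uses_length hunks free the endpoints before it. The PSA-done-first order also appears in ssl_tls_exporter_rejects_bad_parameters (`@@ -5406,6 +5423,9 @@`) and ssl_tls_exporter_too_early (`@@ -5458,5 +5478,8 @@`). If the endpoints own PSA-backed keys, which is not visible here, tearing PSA down first means they are released against a finalised subsystem, or a leak check fires for objects that are about to be freed. Moving `MD_OR_USE_PSA_DONE();` to the last line of each exit block would make the six tests consistent.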
@@ -5349,10 +5361,11 @@ void ssl_tls13_exporter_uses_length(void) int ret = -1; mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options options; MD_OR_USE_PSA_INIT(); - ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, MBEDTLS_SSL_VERSION_TLS1_3); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, MBEDTLS_SSL_VERSION_TLS1_3); TEST_ASSERT(ret == 0); char label[] = "test-label"; @@ -5372,6 +5385,9 @@ void ssl_tls13_exporter_uses_length(void) TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); exit: + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_free_handshake_options(&options); MD_OR_USE_PSA_DONE(); } /* END_CASE */ @@ -5387,6 +5403,7 @@ void ssl_tls_exporter_rejects_bad_parameters( char *label = NULL; uint8_t *context = NULL; mbedtls_test_ssl_endpoint client_ep, server_ep; + mbedtls_test_handshake_test_options options; TEST_ASSERT(exported_key_length > 0); TEST_ASSERT(label_length > 0); @@ -5395,7 +5412,7 @@ void ssl_tls_exporter_rejects_bad_parameters( TEST_CALLOC(label, label_length); TEST_CALLOC(context, context_length); - ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); TEST_ASSERT(ret == 0); ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, @@ -5406,6 +5423,9 @@ void ssl_tls_exporter_rejects_bad_parameters( exit: MD_OR_USE_PSA_DONE(); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_free_handshake_options(&options); mbedtls_free(key_buffer); mbedtls_free(label); mbedtls_free(context); 
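Review bot: In ssl_tls_exporter_rejects_bad_parameters the `TEST_ASSERT(... > 0)` checks and the `TEST_CALLOC` calls run before `mbedtls_test_ssl_do_handshake_with_endpoints()`. Assuming they jump to `exit:` on failure, the newly added `mbedtls_test_ssl_endpoint_free()` and `mbedtls_test_free_handshake_options()` calls then operate on `client_ep`, `server_ep` and `options` that were never initialised. The helper's own early returns can likewise leave `server_ep` untouched in every test that received this cleanup. I would call the helper before the parameter checks and have it put both endpoints into a freeable state on every return path. Whether the free functions accept a zero-filled struct needs confirming before relying on a `memset` instead.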
@@ -5458,5 +5478,8 @@ void ssl_tls_exporter_too_early(int proto, int check_server, int state) exit: MD_OR_USE_PSA_DONE(); + mbedtls_test_ssl_endpoint_free(&server_ep, NULL); + mbedtls_test_ssl_endpoint_free(&client_ep, NULL); + mbedtls_test_free_handshake_options(&options); } /* END_CASE */ From 8a2d2adf8cce4522629bf6b9805412ad7d90cc6d Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 30 Oct 2024 00:39:54 +0100 Subject: [PATCH 31/57] Exporter tests: Initialize allocated memory Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.function | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 099e0e10b0..b759d94690 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5251,6 +5251,9 @@ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int TEST_CALLOC(key_buffer_server, exported_key_length); TEST_CALLOC(key_buffer_client, exported_key_length); + memset(key_buffer_server, 0, exported_key_length); + memset(key_buffer_client, 0, exported_key_length); + char label[] = "test-label"; unsigned char context[128] = { 0 }; ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, @@ -5412,6 +5415,10 @@ void ssl_tls_exporter_rejects_bad_parameters( TEST_CALLOC(label, label_length); TEST_CALLOC(context, context_length); + memset(key_buffer, 0, exported_key_length); + memset(label, 0, label_length); + memset(context, 0, context_length); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); TEST_ASSERT(ret == 0); From ea1e777c0189e7302f24fb547c53e16fb168e2f5 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 30 Oct 2024 00:49:10 +0100 Subject: [PATCH 32/57] Coding style cleanup Signed-off-by: Max Fillinger --- tests/src/test_helpers/ssl_helpers.c | 11 ++++++++--- tests/suites/test_suite_ssl.function | 11 +++++++---- 2 files changed, 15 insertions(+), 7 deletions(-) 
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 354ca13bfc..672e94c2cb 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -2061,15 +2061,20 @@ int mbedtls_test_ssl_do_handshake_with_endpoints( return ret; } - ret = mbedtls_test_move_handshake_to_state(&server_ep->ssl, &client_ep->ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + ret = mbedtls_test_move_handshake_to_state(&server_ep->ssl, + &client_ep->ssl, + MBEDTLS_SSL_HANDSHAKE_OVER); if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { return ret; } - ret = mbedtls_test_move_handshake_to_state(&client_ep->ssl, &server_ep->ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + ret = mbedtls_test_move_handshake_to_state(&client_ep->ssl, + &server_ep->ssl, + MBEDTLS_SSL_HANDSHAKE_OVER); if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { return ret; } - if (!mbedtls_ssl_is_handshake_over(&client_ep->ssl) || !mbedtls_ssl_is_handshake_over(&server_ep->ssl)) { + if (!mbedtls_ssl_is_handshake_over(&client_ep->ssl) || + !mbedtls_ssl_is_handshake_over(&server_ep->ssl)) { return -1; } diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index b759d94690..1961e2e7e0 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -5257,16 +5257,16 @@ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int char label[] = "test-label"; unsigned char context[128] = { 0 }; ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, - key_buffer_server, (size_t)exported_key_length, + key_buffer_server, (size_t) exported_key_length, label, sizeof(label), context, sizeof(context), use_context); TEST_ASSERT(ret == 0); ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, - key_buffer_client, (size_t)exported_key_length, + key_buffer_client, (size_t) exported_key_length, label, sizeof(label), context, sizeof(context), use_context); TEST_ASSERT(ret == 0); - TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t)exported_key_length) == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t) exported_key_length) == 0); exit: MD_OR_USE_PSA_DONE(); @@ -5368,7 +5368,10 @@ void ssl_tls13_exporter_uses_length(void) MD_OR_USE_PSA_INIT(); - ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, MBEDTLS_SSL_VERSION_TLS1_3); + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, + &client_ep, + &options, + MBEDTLS_SSL_VERSION_TLS1_3); TEST_ASSERT(ret == 0); char label[] = "test-label"; From 364afea9d3f1c29633019d23c941c89ac985f6d6 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 30 Oct 2024 18:58:50 +0100 Subject: [PATCH 33/57] Exporter tests: Fix possible uninitialized variable use Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.function | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 1961e2e7e0..aaf6eb0c5d 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -5402,8 +5402,6 @@ exit: void ssl_tls_exporter_rejects_bad_parameters( int proto, int exported_key_length, int label_length, int context_length) { - MD_OR_USE_PSA_INIT(); - int ret = -1; uint8_t *key_buffer = NULL; char *label = NULL; @@ -5418,9 +5416,7 @@ void ssl_tls_exporter_rejects_bad_parameters( TEST_CALLOC(label, label_length); TEST_CALLOC(context, context_length); - memset(key_buffer, 0, exported_key_length); - memset(label, 0, label_length); - memset(context, 0, context_length); + MD_OR_USE_PSA_INIT(); ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); TEST_ASSERT(ret == 0); From 9dc7b19a6a1e750dccc1ae16f13cb616868d3d56 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 31 Oct 2024 12:43:19 +0100 Subject: [PATCH 34/57] Exporter tests: Free endpoints before PSA_DONE() Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.function | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index aaf6eb0c5d..84286eb7ce 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5269,12 +5269,12 @@ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t) exported_key_length) == 0); exit: - MD_OR_USE_PSA_DONE(); mbedtls_test_ssl_endpoint_free(&server_ep, NULL); mbedtls_test_ssl_endpoint_free(&client_ep, NULL); mbedtls_test_free_handshake_options(&options); mbedtls_free(key_buffer_server); mbedtls_free(key_buffer_client); + MD_OR_USE_PSA_DONE(); } /* END_CASE */ 
@@ -5428,13 +5428,13 @@ void ssl_tls_exporter_rejects_bad_parameters( TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); exit: - MD_OR_USE_PSA_DONE(); mbedtls_test_ssl_endpoint_free(&server_ep, NULL); mbedtls_test_ssl_endpoint_free(&client_ep, NULL); mbedtls_test_free_handshake_options(&options); mbedtls_free(key_buffer); mbedtls_free(label); mbedtls_free(context); + MD_OR_USE_PSA_DONE(); } /* END_CASE */ @@ -5483,9 +5483,9 @@ void ssl_tls_exporter_too_early(int proto, int check_server, int state) TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); exit: - MD_OR_USE_PSA_DONE(); mbedtls_test_ssl_endpoint_free(&server_ep, NULL); mbedtls_test_ssl_endpoint_free(&client_ep, NULL); mbedtls_test_free_handshake_options(&options); + MD_OR_USE_PSA_DONE(); } /* END_CASE */ From a9a9e99a6b3ddfdce2e1084a103230f7768ca8b6 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 31 Oct 2024 15:31:55 +0100 Subject: [PATCH 35/57] Exporter tests: Reduce key size in long key tests Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 692cb9ba74..017ab8529a 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3345,7 +3345,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1 TLS 1.2 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:UINT16_MAX:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:255 * 32:0 TLS 1.2 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_2 From c6fd1a24d27055c250dff9258ac9f595dfc5969b Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 1 Nov 2024 16:05:34 +0100 Subject: [PATCH 36/57] Use one maximum key_len for all exported keys 
Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 14 ++++++++++---- library/ssl_tls.c | 19 ++++++++++--------- tests/suites/test_suite_ssl.data | 6 +++--- 3 files changed, 23 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e3772891b0..7304a3bfc0 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5396,15 +5396,22 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen); +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) +/* Maximum value for key_len in mbedtls_ssl_export_keying material. Depending on the TLS + * version and the negotiated ciphersuite, larger keys could in principle be exported, + * but for simplicity, we define one limit that works in all cases. TLS 1.3 with SHA256 + * has the strictest limit: 255 blocks of SHA256 output, or 8160 bytes. */ +#define MBEDTLS_SSL_EXPORT_MAX_KEY_LEN 8160 + /** * \brief TLS-Exporter to derive shared symmetric keys between server and client. * * \param ssl SSL context from which to export keys. Must have finished the handshake. * \param out Output buffer of length at least key_len bytes. - * \param key_len Length of the key to generate in bytes. In TLS 1.3, this can be at most - * 8160 if SHA256 is used as hash function or 12240 if SHA384 is used. + * \param key_len Length of the key to generate in bytes, must be at most + * MBEDTLS_SSL_EXPORT_MAX_KEY_LEN (8160). * \param label Label for which to generate the key of length label_len. - * \param label_len Length of label in bytes. Must be < 251 in TLS 1.3. + * \param label_len Length of label in bytes. Must be at most 250 in TLS 1.3. * \param context Context of the key. Can be NULL if context_len or use_context is 0. * \param context_len Length of context. Must be < 2^16 in TLS 1.2. * \param use_context Indicates if a context should be used in deriving the key. 
@@ -5416,7 +5423,6 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * * \return 0 on success. An SSL specific error on failure. */ -#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, const char *label, const size_t label_len, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 79bd623ebd..46197c95ca 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -9000,16 +9000,13 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const size_t hash_len = PSA_HASH_LENGTH(hash_alg); const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; - /* Validate the length of the label and the desired key length. The key - * length can be at most 255 * hash_len by definition of HKDF-Expand in - * RFC 5869. + /* The length of the label must be at most 250 bytes to fit into the HkdfLabel + * struct as defined in RFC 8446, Section 7.1. * - * The length of the label must be at most 250 bytes long to fit into the - * HkdfLabel struct as defined in RFC 8446, Section 7.1. This struct also - * requires that key_len fits into a uint16, but until we have to deal with - * a hash function with more than 2048 bits of output, the 255 * hash_len - * limit will guarantee that. */ - if (key_len > 255 * hash_len || label_len > 250) { + * The length of the context is unlimited even though the context field in the + * struct can only hold up to 256 bytes. This is because we place a *hash* of + * the context in the field. */ + if (label_len > 250) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } 
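Review bot: mbedtls_ssl_tls13_export_keying_material no longer validates `key_len` itself. The HKDF-Expand bound of 255 * hash_len and the uint16 length field of HkdfLabel therefore hold only because the public wrapper rejects anything above MBEDTLS_SSL_EXPORT_MAX_KEY_LEN, presumably before it dispatches here. The rewritten comment drops that reasoning, so a later second caller of this static function would lose the bound without any visible hint. Record the dependency in the comment, e.g. `/* key_len <= MBEDTLS_SSL_EXPORT_MAX_KEY_LEN is enforced by mbedtls_ssl_export_keying_material(), which keeps it within 255 * hash_len. */`. Separately, HkdfLabel in RFC 8446 Section 7.1 declares `opaque context<0..255>`, so "up to 256 bytes" in the new comment should read 255; the function body continues outside the hunk.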
@@ -9029,6 +9026,10 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl); const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); const mbedtls_md_type_t hash_alg = ciphersuite->mac; diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 017ab8529a..6d6812c4e6 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3345,7 +3345,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1 TLS 1.2 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_2 -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:255 * 32:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN:0 TLS 1.2 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_2 @@ -3373,7 +3373,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 TLS 1.3 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_3 -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN:0 TLS 1.3 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_3 @@ -3389,7 +3389,7 @@ ssl_tls13_exporter_uses_length TLS 1.3 Keying Material Exporter: Exported key too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3 -ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 48 + 1:20:20 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN + 1:20:20 TLS 1.3 Keying Material Exporter: Label too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3 
From 8e0b8c9d9f851053697e53eeff35fdf37efc7b0a Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 1 Nov 2024 14:14:19 +0100 Subject: [PATCH 37/57] Exporter tests: Add missing depends-ons Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.data | 32 ++++++++++++++-------------- tests/suites/test_suite_ssl.function | 12 +++++------ 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 6d6812c4e6..50ad780e2b 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -3336,65 +3336,65 @@ TLS 1.3 srv, max early data size, HRR, 98, wsz=49 tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0 TLS 1.2 Keying Material Exporter: Consistent results, no context -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:0 TLS 1.2 Keying Material Exporter: Consistent results, with context -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1 TLS 1.2 Keying Material Exporter: Consistent results, large keys -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN:0 TLS 1.2 Keying Material Exporter: Uses label -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.2 Keying Material Exporter: Uses context -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_2 TLS 1.2 Keying Material Exporter: Context too long -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_2:24:251:UINT16_MAX + 1 TLS 1.2 Keying Material Exporter: Handshake not done -depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_2:1:MBEDTLS_SSL_SERVER_CERTIFICATE TLS 1.3 Keying Material Exporter: Consistent results, no context -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 
ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:0 TLS 1.3 Keying Material Exporter: Consistent results, with context -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 TLS 1.3 Keying Material Exporter: Consistent results, large keys -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN:0 TLS 1.3 Keying Material Exporter: Uses label -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3 Keying Material Exporter: Uses context -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3 Keying Material Exporter: Uses length -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls13_exporter_uses_length TLS 1.3 Keying Material Exporter: Exported key too long -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN + 1:20:20 TLS 1.3 Keying Material Exporter: Label too long -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:251:10 TLS 1.3 Keying Material Exporter: Handshake not done -depends_on:MBEDTLS_SSL_PROTO_TLS1_3 
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTIFICATE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 84286eb7ce..74d824ac82 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5231,7 +5231,7 @@ exit: PSA_DONE(); /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context) { /* Test that the client and server generate the same key. */ @@ -5278,7 +5278,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls_exporter_uses_label(int proto) { /* Test that the client and server export different keys when using different labels. */ @@ -5317,7 +5317,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls_exporter_uses_context(int proto) { /* Test that the client and server export different keys when using different contexts. */ 
@@ -5356,7 +5356,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls13_exporter_uses_length(void) { /* In TLS 1.3, when two keys are exported with the same parameters except one is shorter, @@ -5398,7 +5398,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls_exporter_rejects_bad_parameters( int proto, int exported_key_length, int label_length, int context_length) { @@ -5438,7 +5438,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ void ssl_tls_exporter_too_early(int proto, int check_server, int state) { enum { BUFFSIZE = 1024 }; From d6e0095478a14b3978ea033ce5670e72154e678a Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Tue, 5 Nov 2024 19:45:41 +0100 Subject: [PATCH 38/57] Exporter tests: Don't use unavailbable constant Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 50ad780e2b..0a1d0e0ca5 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -3345,7 +3345,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1 TLS 1.2 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:255 * 32:0 TLS 1.2 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY @@ -3373,7 +3373,7 @@ ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 TLS 1.3 Keying Material Exporter: Consistent results, large keys depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 -ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN:0 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32:0 TLS 1.3 Keying Material Exporter: Uses label depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 @@ -3389,7 +3389,7 @@ ssl_tls13_exporter_uses_length TLS 1.3 Keying Material Exporter: Exported key too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 -ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:MBEDTLS_SSL_EXPORT_MAX_KEY_LEN + 1:20:20 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32 + 1:20:20 TLS 1.3 Keying Material Exporter: Label too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 From ee467aae6957d4b89f04f6bd26392c339dd755a8 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 8 Nov 2024 22:17:33 +0100 Subject: [PATCH 39/57] mbedtls_test_ssl_do_handshake_with_endpoints: Zeroize endpoints Signed-off-by: Max Fillinger --- tests/src/test_helpers/ssl_helpers.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index 672e94c2cb..020631ad5a 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -2039,6 +2039,9 @@ int mbedtls_test_ssl_do_handshake_with_endpoints( int ret = -1; + mbedtls_platform_zeroize(server_ep, sizeof(mbedtls_test_ssl_endpoint)); + mbedtls_platform_zeroize(client_ep, sizeof(mbedtls_test_ssl_endpoint)); + mbedtls_test_init_handshake_options(options); options->server_min_version = proto; options->client_min_version = proto; From 92b7a7e233e686ad3371651a9f6153514f5f6545 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 11 Nov 2024 17:50:34 +0100 Subject: [PATCH 40/57] ssl-opt.sh: Add tests for keying material export Signed-off-by: Max Fillinger --- tests/ssl-opt.sh | 65 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0634c26a67..ad4d8c3e40 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1191,6 +1191,26 @@ check_server_hello_time() { fi } +# Extract the exported key from the output. +get_exported_key() { + OUTPUT="$1" + EXPORTED_KEY1=$(sed -n '/Exporting key of length 20 with label ".*": /s/.*: //p' $OUTPUT) +} + +# Check that the exported key from the output matches the one obtained in get_exported_key(). +check_exported_key() { + OUTPUT="$1" + EXPORTED_KEY2=$(sed -n '/Exporting key of length 20 with label ".*": /s/.*: //p' $OUTPUT) + test "$EXPORTED_KEY1" = "$EXPORTED_KEY2" +} + +# Check that the exported key from the output matches the one obtained in get_exported_key(). +check_exported_key_openssl() { + OUTPUT="$1" + EXPORTED_KEY2=0x$(sed -n '/Keying material: /s/.*: //p' $OUTPUT) + test "$EXPORTED_KEY1" = "$EXPORTED_KEY2" +} + # Get handshake memory usage from server or client output and put it into the variable specified by the first argument handshake_memory_get() { OUTPUT_VARIABLE="$1" 
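Review bot: Style point on the two added calls: `mbedtls_platform_zeroize()` is the secure-wipe primitive, so using it to put the endpoints into a known initial state reads as if secrets were being erased. `memset(server_ep, 0, sizeof(*server_ep));` states the intent, and `sizeof(*server_ep)` keeps following the pointee type if the parameter type changes. The function's comment should also say that both endpoints are overwritten on entry, so a caller must not pass an endpoint that already owns resources. The function body starts and ends outside the hunk.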
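Review bot: check_exported_key succeeds when both extractions are empty, because `test "$EXPORTED_KEY1" = "$EXPORTED_KEY2"` treats two empty strings as equal if the `sed` pattern (which hard-codes `length 20`) matches in neither log. A key-agreement check that can pass without having seen a key should fail closed: `test -n "$EXPORTED_KEY1" && test "$EXPORTED_KEY1" = "$EXPORTED_KEY2"`. The file argument should be quoted as `"$OUTPUT"` in all three `sed` calls. The comment above check_exported_key_openssl is a copy of the previous one and should say that it compares against OpenSSL's `Keying material:` line.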
@@ -1933,6 +1953,34 @@ run_tests_memory_after_handshake() run_test_memory_after_handshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K" } +run_test_export_keying_material() { + unset EXPORTED_KEY1 + unset EXPORTED_KEY2 + TLS_VERSION="$1" + run_test "TLS $TLS_VERSION: Export keying material" \ + "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ + "$P_CLI debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ + 0 \ + -s "Exporting key of length 20 with label \".*\": 0x" \ + -c "Exporting key of length 20 with label \".*\": 0x" \ + -f get_exported_key \ + -F check_exported_key +} + +run_test_export_keying_material_openssl_compat() { + unset EXPORTED_KEY1 + unset EXPORTED_KEY2 + TLS_VERSION="$1" + run_test "TLS $TLS_VERSION: Export keying material (OpenSSL compatibility)" \ + "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ + "$O_CLI -keymatexport=test-label" \ + 0 \ + -s "Exporting key of length 20 with label \".*\": 0x" \ + -c "Keying material exporter:" \ + -F get_exported_key \ + -f check_exported_key_openssl +} + cleanup() { rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION rm -f context_srv.txt @@ -2954,6 +3002,23 @@ run_test "Saving the serialized context to a file" \ 0 \ -s "Save serialized context to a file... ok" \ -c "Save serialized context to a file... ok" + +requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +requires_protocol_version tls12 +run_test_export_keying_material tls12 + +requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +requires_protocol_version tls12 +run_test_export_keying_material_openssl_compat tls12 + +requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +requires_protocol_version tls13 +run_test_export_keying_material tls13 + +requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +requires_protocol_version tls13 +run_test_export_keying_material_openssl_compat tls13 + rm -f context_srv.txt rm -f context_cli.txt 
From 144cccecb7abe37d2c96af77ad8e543ec0b8befc Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 13 Nov 2024 15:19:03 +0100 Subject: [PATCH 41/57] Fix memory leak in example programs Signed-off-by: Max Fillinger --- programs/ssl/ssl_client2.c | 2 ++ programs/ssl/ssl_server2.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 061096bdf0..9b69b170bc 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2518,6 +2518,7 @@ usage: opt.exp_label, strlen(opt.exp_label), NULL, 0, 0); if (ret != 0) { + mbedtls_free(exported_key); goto exit; } mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", @@ -2528,6 +2529,7 @@ usage: } mbedtls_printf("\n\n"); fflush(stdout); + mbedtls_free(exported_key); } #endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5186006886..a0a3a68009 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3638,6 +3638,7 @@ handshake: opt.exp_label, strlen(opt.exp_label), NULL, 0, 0); if (ret != 0) { + mbedtls_free(exported_key); goto exit; } mbedtls_printf("Exporting key of length %d with label \"%s\": 0x", @@ -3648,6 +3649,7 @@ handshake: } mbedtls_printf("\n\n"); fflush(stdout); + mbedtls_free(exported_key); } #endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ From f8059db4ee5b99dec2d4c93961d9e1d7163e4bca Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 13 Nov 2024 15:27:23 +0100 Subject: [PATCH 42/57] Print names of new tests properly Signed-off-by: Max Fillinger --- tests/ssl-opt.sh | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ad4d8c3e40..698c53a5b2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
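Review bot: The new `mbedtls_free(exported_key);` calls in ssl_client2.c and ssl_server2.c release the buffer without wiping it, so the derived keying material stays in freed heap memory. These programs print the key for test purposes, which limits the exposure here, but they also serve as usage examples for the exporter API. Add `mbedtls_platform_zeroize(exported_key, (size_t) opt.exp_len);` immediately before each free. The enclosing blocks start outside the hunks.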
@@ -1957,7 +1957,13 @@ run_test_export_keying_material() { unset EXPORTED_KEY1 unset EXPORTED_KEY2 TLS_VERSION="$1" - run_test "TLS $TLS_VERSION: Export keying material" \ + + case $TLS_VERSION in + tls12) TLS_VERSION_PRINT="TLS 1.2";; + tls13) TLS_VERSION_PRINT="TLS 1.3";; + esac + + run_test "$TLS_VERSION_PRINT: Export keying material" \ "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ "$P_CLI debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ 0 \ @@ -1971,7 +1977,13 @@ run_test_export_keying_material_openssl_compat() { unset EXPORTED_KEY1 unset EXPORTED_KEY2 TLS_VERSION="$1" - run_test "TLS $TLS_VERSION: Export keying material (OpenSSL compatibility)" \ + + case TLS_VERSION in + tls12) TLS_VERSION_PRINT="TLS 1.2";; + tls13) TLS_VERSION_PRINT="TLS 1.3";; + esac + + run_test "$TLS_VERSION_PRINT: Export keying material (OpenSSL compatibility)" \ "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ "$O_CLI -keymatexport=test-label" \ 0 \ From 6d53a3a647af3c6e6cba6c534c156d8d6d9da4be Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 14 Nov 2024 15:28:05 +0100 Subject: [PATCH 43/57] Fix openssl s_client invocation Signed-off-by: Max Fillinger --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 698c53a5b2..0d13964198 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1985,7 +1985,7 @@ run_test_export_keying_material_openssl_compat() { run_test "$TLS_VERSION_PRINT: Export keying material (OpenSSL compatibility)" \ "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ - "$O_CLI -keymatexport=test-label" \ + "$O_CLI -keymatexport test-label" \ 0 \ -s "Exporting key of length 20 with label \".*\": 0x" \ -c "Keying material exporter:" \ From 7b97712164f810095b1b7f59ab8e94d753b0409e Mon Sep 17 00:00:00 2001 
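Review bot: Neither `case` has a default branch, so `TLS_VERSION_PRINT` keeps whatever an earlier call left in it, or stays empty, whenever no pattern matches. That is the situation in run_test_export_keying_material_openssl_compat as written here, because `case TLS_VERSION in` tests the literal word rather than `$TLS_VERSION`, and the test is then reported under a stale or blank name. A later patch in this series restores the `$`, but the fallback is still missing. Add `*) TLS_VERSION_PRINT="$TLS_VERSION";;` to both functions and clear the variable next to the `unset EXPORTED_KEY1` lines.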
From: Max Fillinger Date: Thu, 14 Nov 2024 15:32:01 +0100 Subject: [PATCH 44/57] Remove exporter compatibility test for TLS 1.3 The openssl version in the docker image doesn't support TLS 1.3, so we can't run the test. Signed-off-by: Max Fillinger --- tests/ssl-opt.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0d13964198..d7f795a7b6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3027,10 +3027,6 @@ requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT requires_protocol_version tls13 run_test_export_keying_material tls13 -requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT -requires_protocol_version tls13 -run_test_export_keying_material_openssl_compat tls13 - rm -f context_srv.txt rm -f context_cli.txt From 4e21703bcf35596305207b43996a762511691306 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 14 Nov 2024 17:50:42 +0100 Subject: [PATCH 45/57] Add fixed compatibility test for TLS 1.3 Exporter When testing TLS 1.3, use O_NEXT_CLI. Signed-off-by: Max Fillinger --- tests/ssl-opt.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d7f795a7b6..85d2bb398b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1978,14 +1978,14 @@ run_test_export_keying_material_openssl_compat() { unset EXPORTED_KEY2 TLS_VERSION="$1" - case TLS_VERSION in - tls12) TLS_VERSION_PRINT="TLS 1.2";; - tls13) TLS_VERSION_PRINT="TLS 1.3";; + case $TLS_VERSION in + tls12) TLS_VERSION_PRINT="TLS 1.2"; OPENSSL_CLIENT="$O_CLI";; + tls13) TLS_VERSION_PRINT="TLS 1.3"; OPENSSL_CLIENT="$O_NEXT_CLI";; esac run_test "$TLS_VERSION_PRINT: Export keying material (OpenSSL compatibility)" \ "$P_SRV debug_level=4 force_version=$TLS_VERSION exp_label=test-label" \ - "$O_CLI -keymatexport test-label" \ + "$OPENSSL_CLIENT -keymatexport test-label" \ 0 \ -s "Exporting key of length 20 with label \".*\": 0x" \ -c "Keying material exporter:" \ 
@@ -3027,6 +3027,11 @@ requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT requires_protocol_version tls13 run_test_export_keying_material tls13 +requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT +requires_protocol_version tls13 +requires_openssl_next +run_test_export_keying_material_openssl_compat tls13 + rm -f context_srv.txt rm -f context_cli.txt From 22728dc5e335af5370594f11ecfdae438ca79827 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 14 Nov 2024 20:41:03 +0100 Subject: [PATCH 46/57] Use mbedtls_calloc, not regular calloc Also fix the allocation size. Signed-off-by: Max Fillinger --- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 9b69b170bc..8fea581b16 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2508,7 +2508,7 @@ usage: #if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) if (opt.exp_label != NULL && opt.exp_len > 0) { - unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); + unsigned char *exported_key = mbedtls_calloc((size_t) opt.exp_len, sizeof(unsigned char)); if (exported_key == NULL) { mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); ret = 3; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index a0a3a68009..3c9fb7e2e0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3628,7 +3628,7 @@ handshake: #if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) if (opt.exp_label != NULL && opt.exp_len > 0) { - unsigned char *exported_key = calloc((size_t) opt.exp_len, sizeof(unsigned int)); + unsigned char *exported_key = mbedtls_calloc((size_t) opt.exp_len, sizeof(unsigned char)); if (exported_key == NULL) { mbedtls_printf("Could not allocate %d bytes\n", opt.exp_len); ret = 3; From d23579c746b636160f2ca0cd251da4705b22236f Mon Sep 17 00:00:00 2001 
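Review bot: `exported_key` in ssl_client2.c receives exported keying material, and nothing visible in this hunk wipes it before release. The release path is outside the hunk, so this may already be handled. If the buffer is released with a bare `mbedtls_free(exported_key);`, precede it with `mbedtls_platform_zeroize(exported_key, (size_t) opt.exp_len);` so the derived key does not linger in freed heap memory. The identical allocation in the ssl_server2.c hunk needs the same treatment.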
From: Max Fillinger Date: Thu, 14 Nov 2024 21:11:26 +0100 Subject: [PATCH 47/57] Fix requirements for TLS 1.3 Exporter compat test Signed-off-by: Max Fillinger --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 85d2bb398b..90b31433d6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3028,8 +3028,8 @@ requires_protocol_version tls13 run_test_export_keying_material tls13 requires_config_enabled MBEDTLS_SSL_KEYING_MATERIAL_EXPORT -requires_protocol_version tls13 -requires_openssl_next +requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_openssl_tls1_3_with_compatible_ephemeral run_test_export_keying_material_openssl_compat tls13 rm -f context_srv.txt From 53d91685024d0e999cac045cdf30c63a9431b0b7 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 18 Nov 2024 18:22:51 +0100 Subject: [PATCH 48/57] Document BAD_INPUT_DATA error in key material exporter Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 4 +++- library/ssl_tls.c | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7304a3bfc0..a0e6074713 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5421,7 +5421,9 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * this distinction. If use_context is 0 and TLS 1.3 is used, context and * context_len are ignored and a 0-length context is used. * - * \return 0 on success. An SSL specific error on failure. + * \return 0 on success. + * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed. + * \return An SSL-specific error on failure. */ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, uint8_t *out, const size_t key_len, diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 46197c95ca..7ea8e3217e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -9023,6 +9023,7 @@ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, const int use_context) { if (!mbedtls_ssl_is_handshake_over(ssl)) { + /* TODO: Change this to a more appropriate error code when one is available. */ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } From 9c5bae5026bd884ca4b5c794a443714d06927db1 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Thu, 21 Nov 2024 12:33:46 +0100 Subject: [PATCH 49/57] Fix max. label length in key material exporter Signed-off-by: Max Fillinger --- include/mbedtls/ssl.h | 2 +- library/ssl_tls.c | 6 +++--- tests/suites/test_suite_ssl.data | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index a0e6074713..88a31f2c36 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -5411,7 +5411,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * \param key_len Length of the key to generate in bytes, must be at most * MBEDTLS_SSL_EXPORT_MAX_KEY_LEN (8160). * \param label Label for which to generate the key of length label_len. - * \param label_len Length of label in bytes. Must be at most 250 in TLS 1.3. + * \param label_len Length of label in bytes. Must be at most 249 in TLS 1.3. * \param context Context of the key. Can be NULL if context_len or use_context is 0. * \param context_len Length of context. Must be < 2^16 in TLS 1.2. * \param use_context Indicates if a context should be used in deriving the key. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7ea8e3217e..9812a2a7fc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -9000,13 +9000,13 @@ static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, const size_t hash_len = PSA_HASH_LENGTH(hash_alg); const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; - /* The length of the label must be at most 250 bytes to fit into the HkdfLabel + /* The length of the label must be at most 249 bytes to fit into the HkdfLabel * struct as defined in RFC 8446, Section 7.1. * * The length of the context is unlimited even though the context field in the - * struct can only hold up to 256 bytes. This is because we place a *hash* of + * struct can only hold up to 255 bytes. This is because we place a *hash* of * the context in the field. */ - if (label_len > 250) { + if (label_len > 249) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 0a1d0e0ca5..52b8db0988 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3393,7 +3393,7 @@ ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32 + 1: TLS 1.3 Keying Material Exporter: Label too long depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 -ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:251:10 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:250:10 TLS 1.3 Keying Material Exporter: Handshake not done depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 From 9f843332e819e8e216b121b1926568abae063034 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 25 Nov 2024 20:21:29 +0100 Subject: [PATCH 50/57] Exporter: Add min. and max. label tests Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.data | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 52b8db0988..1931b00fca 100644 
--- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -2796,6 +2796,16 @@ SSL TLS 1.3 Exporter depends_on:PSA_WANT_ALG_SHA_256 ssl_tls13_exporter:PSA_ALG_SHA_256:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4":"test":"context value":32:"83d0fac39f87c1b4fbcd261369f31149c535391a9199bd4c5daf89fe259c2e94" +SSL TLS 1.3 Exporter, 0-byte label and context +# Expected output taken from OpenSSL. +depends_on:PSA_WANT_ALG_SHA_384 +ssl_tls13_exporter:PSA_ALG_SHA_384:"9f355772f34017927ecc81d16e653c7408f945e7f62dc632d3f59e6310ef49401e62a2e3be886e3f930d4bf6300ce30a":"":"":20:"18268580D7C6769194794A84B7A3EE35317DB88A" + +SSL TLS 1.3 Exporter, 249-byte label and 0-byte context +# Expected output taken from OpenSSL. +depends_on:PSA_WANT_ALG_SHA_384 +ssl_tls13_exporter:PSA_ALG_SHA_384:"c453aeae318ebae00617c430a0066cf586593a4b0150219107420798933cf9e6e4434337cccc2cae5429dc4f77401e39":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345678":"":20:"259531766AAA10FBAB6BF2D11D23264B321743D9" + SSL TLS 1.3 Key schedule: Early secrets derivation helper # Vector from RFC 8448 depends_on:PSA_WANT_ALG_SHA_256 From 5826883ca5dd39aad5305be5926cbfd960585e58 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 25 Nov 2024 20:38:04 +0100 Subject: [PATCH 51/57] Allow maximum label length in Hkdf-Expand-Label Previously, the length of the label was limited to the maximal length that would be used in the TLS 1.3 key schedule. With the keying material exporter, labels of up to 249 bytes may be used. Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.c | 6 +++--- library/ssl_tls13_keys.h | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 895176d0c6..ff4aa0e87a 100644 
--- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -64,7 +64,7 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = * hardcoding the writing of the high bytes. * - (label, label_len): label + label length, without "tls13 " prefix * The label length MUST be less than or equal to - * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN + * MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN. * It is the caller's responsibility to ensure this. * All (label, label length) pairs used in TLS 1.3 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(). @@ -91,7 +91,7 @@ static const char tls13_label_prefix[6] = "tls13 "; #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \ sizeof(tls13_label_prefix) + \ - MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \ + MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN, \ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN) static void ssl_tls13_hkdf_encode_label( @@ -147,7 +147,7 @@ int mbedtls_ssl_tls13_hkdf_expand_label( psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; - if (label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN) { + if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN) { /* Should never happen since this is an internal * function, and we know statically which labels * are allowed. */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 31ffe4481e..14f6e4876c 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
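Review bot: The context comment under the changed check in mbedtls_ssl_tls13_hkdf_expand_label, `Should never happen since this is an internal function, and we know statically which labels are allowed.`, is no longer accurate. According to this commit's message, the keying material exporter passes labels of up to 249 bytes, and those are chosen by the application rather than fixed at compile time. The branch is now a defensive check behind the exporter's own length test, and the comment should say so, for example `/* Key-schedule labels are fixed at compile time; exporter labels are caller-supplied and length-checked by the exporter, so this is a defensive check. */`. The function body, including what this branch returns, continues outside the hunk.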
@@ -60,8 +60,9 @@ extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels; mbedtls_ssl_tls13_labels.LABEL, \ MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL) -#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ - sizeof(union mbedtls_ssl_tls13_labels_union) +/* Maximum length of the label field in the HkdfLabel struct defined in + * RFC 8446, Section 7.1, excluding the "tls13 " prefix. */ +#define MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN 249 /* The maximum length of HKDF contexts used in the TLS 1.3 standard. * Since contexts are always hashes of message transcripts, this can From ee33b31f0bd5208b75cd3bc6551306c9a28c23fa Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 2 Dec 2024 19:26:13 +0100 Subject: [PATCH 52/57] Fix HkdfLabel comment Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index ff4aa0e87a..00297af3b0 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -56,12 +56,8 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = * }; * * Parameters: - * - desired_length: Length of expanded key material - * Even though the standard allows expansion to up to - * 2**16 Bytes, TLS 1.3 never uses expansion to more than - * 255 Bytes, so we require `desired_length` to be at most - * 255. This allows us to save a few Bytes of code by - * hardcoding the writing of the high bytes. + * - desired_length: Length of expanded key material. + * As the type implies, this must be less than 2**16 bytes. * - (label, label_len): label + label length, without "tls13 " prefix * The label length MUST be less than or equal to * MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN. From af2035fcad40ee1ff868679b9f90310b518bb3b0 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Mon, 2 Dec 2024 19:34:40 +0100 Subject: [PATCH 53/57] Fix mistake in previous comment change 
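Review bot: Now that `MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN` is defined in ssl_tls13_keys.h, the exporter's check in library/ssl_tls.c from PATCH 49/57 still hard-codes the same limit as `if (label_len > 249)`. Two independent copies of a bound that guards a fixed-size label encoding can drift apart. ssl_tls.c already includes ssl_tls13_keys.h, so the check can become `if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN)`. It would also help to extend the comment on the macro with the derivation of 249, which the comment changed in PATCH 49/57 implies is the 255-byte label field minus the 6-byte "tls13 " prefix.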
Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 00297af3b0..0d6c391394 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -57,7 +57,12 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = * * Parameters: * - desired_length: Length of expanded key material. - * As the type implies, this must be less than 2**16 bytes. + * The length field can hold numbers up to 2**16, but HKDF + * can only generate outputs of up to 255 * HASH_LEN bytes. + * It is the caller's responsibility to ensure that this + * limit is not exceeded. In TLS 1.3, SHA256 is the hash + * function with the smallest block size, so a length + * <= 255 * 32 = 8160 is always safe. * - (label, label_len): label + label length, without "tls13 " prefix * The label length MUST be less than or equal to * MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN. From 7577c9e3737401d29e96c41af76f68f31bc1eab7 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 17 Jan 2025 14:10:08 +0100 Subject: [PATCH 54/57] Fix doxygen for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT Error was introduced while resolving a merge conflict. Signed-off-by: Max Fillinger --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 40e16e108a..d5a488341d 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -737,7 +737,7 @@ */ //#define MBEDTLS_SSL_RECORD_SIZE_LIMIT -/* +/** * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT * * When this option is enabled, the client and server can extract additional From 29f8f9a49d5fcdefbde261f56614c57b30a2192d Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Tue, 21 Jan 2025 21:40:04 +0100 Subject: [PATCH 55/57] Fix dependencies for TLS-Exporter tests 
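Review bot: Two details in the new `desired_length` comment in ssl_tls13_keys.c are imprecise. The 16-bit length field holds values up to 2**16 - 1, not 2**16. The HKDF-Expand limit of 255 * HASH_LEN depends on the hash output length, not the block size: SHA-256 has a 64-byte block and a 32-byte output, and it is the 32 that gives 8160. Suggested wording: `The length field can hold numbers up to 2**16 - 1, but HKDF` and `function with the smallest output size, so a length`. The comment block continues outside the hunk.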
Signed-off-by: Max Fillinger
---
 tests/suites/test_suite_ssl.data | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 1931b00fca..378c5339fe 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -3374,37 +3374,37 @@ depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_2:1:MBEDTLS_SSL_SERVER_CERTIFICATE TLS 1.3 Keying Material Exporter: Consistent results, no context -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:0 TLS 1.3 Keying Material Exporter: Consistent results, with context -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 TLS 1.3 Keying Material Exporter: Consistent results, large keys -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32:0 TLS 1.3 Keying Material Exporter: Uses label -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3 Keying Material Exporter: Uses context 
-depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_3 TLS 1.3 Keying Material Exporter: Uses length -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls13_exporter_uses_length TLS 1.3 Keying Material Exporter: Exported key too long -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:255 * 32 + 1:20:20 TLS 1.3 Keying Material Exporter: Label too long -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:250:10 TLS 1.3 Keying Material Exporter: Handshake not done -depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_PKCS1 +depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:MBEDTLS_X509_RSASSA_PSS_SUPPORT 
ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTIFICATE From 1a1ec2fccee002bb886a960fc0909f29fca3a7dd Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Fri, 28 Mar 2025 17:54:08 +0100 Subject: [PATCH 56/57] Fix up merge conflict resolution Signed-off-by: Max Fillinger --- tests/suites/test_suite_ssl.function | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 74d824ac82..8ec582ab9e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5229,6 +5229,7 @@ exit: mbedtls_debug_set_threshold(0); mbedtls_free(first_frag); PSA_DONE(); +} /* END_CASE */ /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ From dba07e152e60112570773921db89e6fcc6d549f1 Mon Sep 17 00:00:00 2001 From: Max Fillinger Date: Wed, 16 Apr 2025 14:35:24 +0200 Subject: [PATCH 57/57] Add missing ifdef for mbedtls_ssl_tls13_exporter Signed-off-by: Max Fillinger --- library/ssl_tls13_keys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 0d6c391394..dbc703a6c1 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1823,6 +1823,7 @@ int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ +#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg, const unsigned char *secret, const size_t secret_len, const unsigned char *label, const size_t label_len, @@ -1853,5 +1854,6 @@ exit: mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret)); return ret; } +#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */