mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Merge pull request #7858 from mprse/ffdh_tls13_v2_f
Make use of FFDH keys in TLS 1.3 - follow-up
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
@ -272,7 +272,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif
|
||||
#if defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {
|
||||
if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
|
||||
propose_group = 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -755,18 +755,26 @@ struct mbedtls_ssl_handshake_params {
|
||||
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
|
||||
#endif /* MBEDTLS_ECDH_C && !MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) && defined(PSA_WANT_ALG_FFDH)
|
||||
#if (MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH >= MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH)
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
|
||||
#else
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
|
||||
#endif
|
||||
#elif defined(PSA_WANT_ALG_ECDH)
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
|
||||
#else
|
||||
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
|
||||
#endif
|
||||
|
||||
#if (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \
|
||||
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
|
||||
psa_key_type_t ecdh_psa_type;
|
||||
size_t ecdh_bits;
|
||||
mbedtls_svc_key_id_t ecdh_psa_privkey;
|
||||
uint8_t ecdh_psa_privkey_is_external;
|
||||
#if defined(PSA_WANT_ALG_FFDH)
|
||||
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH];
|
||||
#else
|
||||
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
|
||||
#endif
|
||||
size_t ecdh_psa_peerkey_len;
|
||||
psa_key_type_t xxdh_psa_type;
|
||||
size_t xxdh_bits;
|
||||
mbedtls_svc_key_id_t xxdh_psa_privkey;
|
||||
uint8_t xxdh_psa_privkey_is_external;
|
||||
unsigned char xxdh_psa_peerkey[SSL_XXDH_PSA_PEERKEY_SIZE];
|
||||
size_t xxdh_psa_peerkey_len;
|
||||
#endif /* (PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH) &&
|
||||
(MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
|
||||
|
||||
@ -2117,7 +2125,7 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
|
||||
int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
|
||||
mbedtls_ssl_context *ssl,
|
||||
uint16_t named_group,
|
||||
unsigned char *buf,
|
||||
@ -2215,7 +2223,7 @@ static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
|
||||
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)
|
||||
static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
|
||||
{
|
||||
return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
|
||||
named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
|
||||
@ -2250,7 +2258,7 @@ static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
|
||||
}
|
||||
#endif
|
||||
#if defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_dhe(named_group)) {
|
||||
if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
@ -2652,7 +2660,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
|
||||
int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t buf_len);
|
||||
|
||||
|
||||
@ -4218,8 +4218,8 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
|
||||
|
||||
#if (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \
|
||||
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
|
||||
if (handshake->ecdh_psa_privkey_is_external == 0) {
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
if (handshake->xxdh_psa_privkey_is_external == 0) {
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
}
|
||||
#endif /* (PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH) &&
|
||||
(MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
|
||||
|
||||
@ -1761,8 +1761,8 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
|
||||
&ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
|
||||
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
||||
}
|
||||
handshake->ecdh_psa_type = key_type;
|
||||
handshake->ecdh_bits = ec_bits;
|
||||
handshake->xxdh_psa_type = key_type;
|
||||
handshake->xxdh_bits = ec_bits;
|
||||
|
||||
/* Keep a copy of the peer's public key */
|
||||
ecpoint_len = *(*p)++;
|
||||
@ -1770,14 +1770,21 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
|
||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
|
||||
/* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
|
||||
the sizes of the FFDH keys which are at least 2048 bits.
|
||||
The size of the array is thus greater than 256 bytes which is greater than any
|
||||
possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
|
||||
#if !defined(PSA_WANT_ALG_FFDH)
|
||||
if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) {
|
||||
if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
|
||||
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
||||
}
|
||||
#else
|
||||
MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
|
||||
"peer key buffer too small");
|
||||
#endif
|
||||
|
||||
memcpy(handshake->ecdh_psa_peerkey, *p, ecpoint_len);
|
||||
handshake->ecdh_psa_peerkey_len = ecpoint_len;
|
||||
memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
|
||||
handshake->xxdh_psa_peerkey_len = ecpoint_len;
|
||||
*p += ecpoint_len;
|
||||
|
||||
return 0;
|
||||
@ -2038,27 +2045,27 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
|
||||
/* If the above conversion to TLS ID was fine, then also this one will be,
|
||||
so there is no need to check the return value here */
|
||||
mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
|
||||
&ssl->handshake->ecdh_bits);
|
||||
&ssl->handshake->xxdh_bits);
|
||||
|
||||
ssl->handshake->ecdh_psa_type = key_type;
|
||||
ssl->handshake->xxdh_psa_type = key_type;
|
||||
|
||||
/* Store peer's public key in psa format. */
|
||||
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
|
||||
memcpy(ssl->handshake->ecdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
|
||||
ssl->handshake->ecdh_psa_peerkey_len = peer_pk->pub_raw_len;
|
||||
memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
|
||||
ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
|
||||
ret = 0;
|
||||
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
|
||||
size_t olen = 0;
|
||||
ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
|
||||
MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
|
||||
ssl->handshake->ecdh_psa_peerkey,
|
||||
ssl->handshake->xxdh_psa_peerkey,
|
||||
MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
|
||||
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
|
||||
return ret;
|
||||
}
|
||||
ssl->handshake->ecdh_psa_peerkey_len = olen;
|
||||
ssl->handshake->xxdh_psa_peerkey_len = olen;
|
||||
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
|
||||
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
|
||||
@ -2788,12 +2795,12 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
|
||||
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
|
||||
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
|
||||
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
|
||||
|
||||
/* Generate ECDH private key. */
|
||||
status = psa_generate_key(&key_attributes,
|
||||
&handshake->ecdh_psa_privkey);
|
||||
&handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
}
|
||||
@ -2806,12 +2813,12 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
|
||||
size_t own_pubkey_len;
|
||||
|
||||
status = psa_export_public_key(handshake->ecdh_psa_privkey,
|
||||
status = psa_export_public_key(handshake->xxdh_psa_privkey,
|
||||
own_pubkey, own_pubkey_max_len,
|
||||
&own_pubkey_len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
}
|
||||
|
||||
@ -2822,15 +2829,15 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
/* Compute ECDH shared secret. */
|
||||
status = psa_raw_key_agreement(PSA_ALG_ECDH,
|
||||
handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey,
|
||||
handshake->ecdh_psa_peerkey_len,
|
||||
handshake->xxdh_psa_privkey,
|
||||
handshake->xxdh_psa_peerkey,
|
||||
handshake->xxdh_psa_peerkey_len,
|
||||
ssl->handshake->premaster,
|
||||
sizeof(ssl->handshake->premaster),
|
||||
&ssl->handshake->pmslen);
|
||||
|
||||
destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
|
||||
if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
|
||||
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
@ -2960,12 +2967,12 @@ ecdh_calc_secret:
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
|
||||
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
|
||||
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
|
||||
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
|
||||
|
||||
/* Generate ECDH private key. */
|
||||
status = psa_generate_key(&key_attributes,
|
||||
&handshake->ecdh_psa_privkey);
|
||||
&handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
@ -2978,12 +2985,12 @@ ecdh_calc_secret:
|
||||
size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
|
||||
size_t own_pubkey_len = 0;
|
||||
|
||||
status = psa_export_public_key(handshake->ecdh_psa_privkey,
|
||||
status = psa_export_public_key(handshake->xxdh_psa_privkey,
|
||||
own_pubkey, own_pubkey_max_len,
|
||||
&own_pubkey_len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
|
||||
@ -3005,15 +3012,15 @@ ecdh_calc_secret:
|
||||
|
||||
/* Perform ECDH computation after the uint16 reserved for the length */
|
||||
status = psa_raw_key_agreement(PSA_ALG_ECDH,
|
||||
handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey,
|
||||
handshake->ecdh_psa_peerkey_len,
|
||||
handshake->xxdh_psa_privkey,
|
||||
handshake->xxdh_psa_peerkey,
|
||||
handshake->xxdh_psa_peerkey_len,
|
||||
pms + zlen_size,
|
||||
pms_end - (pms + zlen_size),
|
||||
&zlen);
|
||||
|
||||
destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
|
||||
@ -2628,19 +2628,20 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
|
||||
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
|
||||
}
|
||||
|
||||
ssl->handshake->ecdh_psa_privkey = pk->priv_id;
|
||||
/* Key should not be destroyed in the TLS library */
|
||||
ssl->handshake->ecdh_psa_privkey_is_external = 1;
|
||||
ssl->handshake->xxdh_psa_privkey = pk->priv_id;
|
||||
|
||||
status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey,
|
||||
/* Key should not be destroyed in the TLS library */
|
||||
ssl->handshake->xxdh_psa_privkey_is_external = 1;
|
||||
|
||||
status = psa_get_key_attributes(ssl->handshake->xxdh_psa_privkey,
|
||||
&key_attributes);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
|
||||
ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes);
|
||||
ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes);
|
||||
ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
|
||||
ssl->handshake->xxdh_bits = psa_get_key_bits(&key_attributes);
|
||||
|
||||
psa_reset_key_attributes(&key_attributes);
|
||||
|
||||
@ -2664,16 +2665,16 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
|
||||
/* If the above conversion to TLS ID was fine, then also this one will
|
||||
be, so there is no need to check the return value here */
|
||||
mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
|
||||
&ssl->handshake->ecdh_bits);
|
||||
&ssl->handshake->xxdh_bits);
|
||||
|
||||
ssl->handshake->ecdh_psa_type = key_type;
|
||||
ssl->handshake->xxdh_psa_type = key_type;
|
||||
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
|
||||
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
|
||||
psa_set_key_type(&key_attributes,
|
||||
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type));
|
||||
psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits);
|
||||
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
|
||||
psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_bits);
|
||||
|
||||
key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
|
||||
ret = mbedtls_ecp_write_key(key, buf, key_len);
|
||||
@ -2683,7 +2684,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
|
||||
}
|
||||
|
||||
status = psa_import_key(&key_attributes, buf, key_len,
|
||||
&ssl->handshake->ecdh_psa_privkey);
|
||||
&ssl->handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
mbedtls_platform_zeroize(buf, sizeof(buf));
|
||||
@ -2980,14 +2981,14 @@ curve_matching_done:
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
|
||||
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
|
||||
}
|
||||
handshake->ecdh_psa_type = key_type;
|
||||
handshake->ecdh_bits = ec_bits;
|
||||
handshake->xxdh_psa_type = key_type;
|
||||
handshake->xxdh_bits = ec_bits;
|
||||
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
|
||||
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
|
||||
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
|
||||
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
|
||||
|
||||
/*
|
||||
* ECParameters curve_params
|
||||
@ -3004,7 +3005,7 @@ curve_matching_done:
|
||||
|
||||
/* Generate ECDH private key. */
|
||||
status = psa_generate_key(&key_attributes,
|
||||
&handshake->ecdh_psa_privkey);
|
||||
&handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
|
||||
@ -3026,14 +3027,14 @@ curve_matching_done:
|
||||
size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
- (own_pubkey - ssl->out_msg));
|
||||
|
||||
status = psa_export_public_key(handshake->ecdh_psa_privkey,
|
||||
status = psa_export_public_key(handshake->xxdh_psa_privkey,
|
||||
own_pubkey, own_pubkey_max_len,
|
||||
&len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
|
||||
(void) psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
(void) psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -3728,27 +3729,27 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
}
|
||||
|
||||
/* Store peer's ECDH public key. */
|
||||
memcpy(handshake->ecdh_psa_peerkey, p, data_len);
|
||||
handshake->ecdh_psa_peerkey_len = data_len;
|
||||
memcpy(handshake->xxdh_psa_peerkey, p, data_len);
|
||||
handshake->xxdh_psa_peerkey_len = data_len;
|
||||
|
||||
/* Compute ECDH shared secret. */
|
||||
status = psa_raw_key_agreement(
|
||||
PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
|
||||
PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
|
||||
handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
|
||||
handshake->premaster, sizeof(handshake->premaster),
|
||||
&handshake->pmslen);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
|
||||
if (handshake->ecdh_psa_privkey_is_external == 0) {
|
||||
(void) psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
if (handshake->xxdh_psa_privkey_is_external == 0) {
|
||||
(void) psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
}
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return ret;
|
||||
}
|
||||
|
||||
if (handshake->ecdh_psa_privkey_is_external == 0) {
|
||||
status = psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
if (handshake->xxdh_psa_privkey_is_external == 0) {
|
||||
status = psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
@ -3756,7 +3757,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
#else
|
||||
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
|
||||
p, end - p)) != 0) {
|
||||
@ -3889,35 +3890,42 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Keep a copy of the peer's public key */
|
||||
if (p >= end) {
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
|
||||
ecpoint_len = *(p++);
|
||||
if ((size_t) (end - p) < ecpoint_len) {
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return MBEDTLS_ERR_SSL_DECODE_ERROR;
|
||||
}
|
||||
|
||||
/* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
|
||||
the sizes of the FFDH keys which are at least 2048 bits.
|
||||
The size of the array is thus greater than 256 bytes which is greater than any
|
||||
possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
|
||||
#if !defined(PSA_WANT_ALG_FFDH)
|
||||
if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) {
|
||||
psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
|
||||
psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
||||
}
|
||||
#else
|
||||
MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
|
||||
"peer key buffer too small");
|
||||
#endif
|
||||
|
||||
memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len);
|
||||
handshake->ecdh_psa_peerkey_len = ecpoint_len;
|
||||
memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
|
||||
handshake->xxdh_psa_peerkey_len = ecpoint_len;
|
||||
p += ecpoint_len;
|
||||
|
||||
/* As RFC 5489 section 2, the premaster secret is formed as follows:
|
||||
@ -3935,15 +3943,15 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
||||
|
||||
/* Compute ECDH shared secret. */
|
||||
status = psa_raw_key_agreement(PSA_ALG_ECDH,
|
||||
handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey,
|
||||
handshake->ecdh_psa_peerkey_len,
|
||||
handshake->xxdh_psa_privkey,
|
||||
handshake->xxdh_psa_peerkey,
|
||||
handshake->xxdh_psa_peerkey_len,
|
||||
psm + zlen_size,
|
||||
psm_end - (psm + zlen_size),
|
||||
&zlen);
|
||||
|
||||
destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
|
||||
@ -196,19 +196,19 @@ static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
|
||||
mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {
|
||||
mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* Destroy generated private key. */
|
||||
status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey);
|
||||
status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
return 0;
|
||||
} else
|
||||
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
|
||||
@ -247,7 +247,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif
|
||||
#if defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {
|
||||
if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
|
||||
*group_id = *group_list;
|
||||
return 0;
|
||||
}
|
||||
@ -301,7 +301,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
|
||||
/* HRR could already have requested something else. */
|
||||
group_id = ssl->handshake->offered_group_id;
|
||||
if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
|
||||
!mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {
|
||||
!mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
|
||||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
|
||||
&group_id));
|
||||
}
|
||||
@ -317,7 +317,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
|
||||
client_shares = p;
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
|
||||
mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {
|
||||
mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
|
||||
/* Pointer to group */
|
||||
unsigned char *group = p;
|
||||
/* Length of key_exchange */
|
||||
@ -329,7 +329,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
|
||||
*/
|
||||
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
|
||||
p += 4;
|
||||
ret = mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
|
||||
ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
|
||||
ssl, group_id, p, end, &key_exchange_len);
|
||||
p += key_exchange_len;
|
||||
if (ret != 0) {
|
||||
@ -429,7 +429,7 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
|
||||
}
|
||||
#endif /* PSA_WANT_ALG_ECDH */
|
||||
#if defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {
|
||||
if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
|
||||
found = 1;
|
||||
break;
|
||||
}
|
||||
@ -505,10 +505,10 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
|
||||
mbedtls_ssl_tls13_named_group_is_dhe(group)) {
|
||||
mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2,
|
||||
("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
|
||||
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p);
|
||||
ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -1499,7 +1499,7 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
|
||||
int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
|
||||
int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t buf_len)
|
||||
{
|
||||
@ -1516,8 +1516,8 @@ int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
|
||||
|
||||
/* Store peer's ECDH public key. */
|
||||
memcpy(handshake->ecdh_psa_peerkey, p, peerkey_len);
|
||||
handshake->ecdh_psa_peerkey_len = peerkey_len;
|
||||
memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
|
||||
handshake->xxdh_psa_peerkey_len = peerkey_len;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1551,7 +1551,7 @@ static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
|
||||
}
|
||||
}
|
||||
|
||||
int mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
|
||||
int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
|
||||
mbedtls_ssl_context *ssl,
|
||||
uint16_t named_group,
|
||||
unsigned char *buf,
|
||||
@ -1592,18 +1592,18 @@ int mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
|
||||
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
handshake->ecdh_psa_type = key_type;
|
||||
ssl->handshake->ecdh_bits = bits;
|
||||
handshake->xxdh_psa_type = key_type;
|
||||
ssl->handshake->xxdh_bits = bits;
|
||||
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
|
||||
psa_set_key_algorithm(&key_attributes, alg);
|
||||
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
|
||||
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
|
||||
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
|
||||
|
||||
/* Generate ECDH/FFDH private key. */
|
||||
status = psa_generate_key(&key_attributes,
|
||||
&handshake->ecdh_psa_privkey);
|
||||
&handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
|
||||
@ -1612,7 +1612,7 @@ int mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
|
||||
}
|
||||
|
||||
/* Export the public part of the ECDH/FFDH private key from PSA. */
|
||||
status = psa_export_public_key(handshake->ecdh_psa_privkey,
|
||||
status = psa_export_public_key(handshake->xxdh_psa_privkey,
|
||||
buf, buf_size,
|
||||
&own_pubkey_len);
|
||||
|
||||
|
||||
@ -1492,7 +1492,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
|
||||
*/
|
||||
if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
|
||||
if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ||
|
||||
mbedtls_ssl_tls13_named_group_is_dhe(handshake->offered_group_id)) {
|
||||
mbedtls_ssl_tls13_named_group_is_ffdh(handshake->offered_group_id)) {
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
psa_algorithm_t alg =
|
||||
mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ?
|
||||
@ -1502,7 +1502,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
|
||||
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
|
||||
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
|
||||
status = psa_get_key_attributes(handshake->ecdh_psa_privkey,
|
||||
status = psa_get_key_attributes(handshake->xxdh_psa_privkey,
|
||||
&key_attributes);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
@ -1516,8 +1516,8 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
|
||||
}
|
||||
|
||||
status = psa_raw_key_agreement(
|
||||
alg, handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
|
||||
alg, handshake->xxdh_psa_privkey,
|
||||
handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
|
||||
shared_secret, shared_secret_len, &shared_secret_len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
@ -1525,14 +1525,14 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
status = psa_destroy_key(handshake->ecdh_psa_privkey);
|
||||
status = psa_destroy_key(handshake->xxdh_psa_privkey);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = PSA_TO_MBEDTLS_ERR(status);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("Group not supported."));
|
||||
|
||||
@ -914,11 +914,11 @@ static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
|
||||
* ECDHE and FFDHE groups are supported
|
||||
*/
|
||||
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
|
||||
mbedtls_ssl_tls13_named_group_is_dhe(group)) {
|
||||
mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
|
||||
mbedtls_ssl_named_group_to_str(group),
|
||||
group));
|
||||
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
|
||||
ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
|
||||
ssl, key_exchange - 2, key_exchange_len + 2);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
@ -1915,12 +1915,12 @@ static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
|
||||
|
||||
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
|
||||
if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
|
||||
mbedtls_ssl_tls13_named_group_is_dhe(named_group)) {
|
||||
ret = mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
|
||||
mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
|
||||
ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
|
||||
ssl, named_group, buf, end, out_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(
|
||||
1, "mbedtls_ssl_tls13_generate_and_write_dh_key_exchange",
|
||||
1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
|
||||
ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user