Merge pull request #7627 from mprse/ffdh_tls13_v2

Make use of FFDH keys in TLS 1.3 v.2
2025-07-29 11:41:15 +03:00 · 2023-07-03 10:12:33 +02:00
parent 45e009aa97 3484db4ce7
commit 56b159a12a
30 changed files with 4528 additions and 364 deletions
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -1497,7 +1497,7 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
    return ret;
 }

-#if defined(PSA_WANT_ALG_ECDH)
+#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)

 int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
                                              const unsigned char *buf,
@ -1522,7 +1522,36 @@ int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
    return 0;
 }

-int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
+static psa_status_t  mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
+    uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
+{
+    switch (tls_id) {
+        case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
+            *bits = 2048;
+            *key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+            return PSA_SUCCESS;
+        case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
+            *bits = 3072;
+            *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+            return PSA_SUCCESS;
+        case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
+            *bits = 4096;
+            *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+            return PSA_SUCCESS;
+        case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
+            *bits = 6144;
+            *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+            return PSA_SUCCESS;
+        case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
+            *bits = 8192;
+            *key_type =  PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
+            return PSA_SUCCESS;
+        default:
+            return PSA_ERROR_NOT_SUPPORTED;
+    }
+}
+
+int mbedtls_ssl_tls13_generate_and_write_dh_key_exchange(
    mbedtls_ssl_context *ssl,
    uint16_t named_group,
    unsigned char *buf,
@ -1534,26 +1563,45 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
    psa_key_attributes_t key_attributes;
    size_t own_pubkey_len;
    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
-    psa_ecc_family_t ec_psa_family = 0;
-    size_t ec_bits = 0;
+    size_t bits = 0;
+    psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
+    psa_algorithm_t alg = PSA_ALG_NONE;
+    size_t buf_size = (size_t) (end - buf);

-    MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
+    MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation."));

    /* Convert EC's TLS ID to PSA key type. */
+#if defined(PSA_WANT_ALG_ECDH)
    if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
-            named_group, &ec_psa_family, &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
+            named_group, &key_type, &bits) == PSA_SUCCESS) {
+        alg = PSA_ALG_ECDH;
+    }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+    if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits,
+                                                  &key_type) == PSA_SUCCESS) {
+        alg = PSA_ALG_FFDH;
+    }
+#endif
+
+    if (key_type == PSA_KEY_TYPE_NONE) {
        return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
    }
-    handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
-    ssl->handshake->ecdh_bits = ec_bits;
+
+    if (buf_size < PSA_BITS_TO_BYTES(bits)) {
+        return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+    }
+
+    handshake->ecdh_psa_type = key_type;
+    ssl->handshake->ecdh_bits = bits;

    key_attributes = psa_key_attributes_init();
    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
-    psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
+    psa_set_key_algorithm(&key_attributes, alg);
    psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
    psa_set_key_bits(&key_attributes, handshake->ecdh_bits);

-    /* Generate ECDH private key. */
+    /* Generate ECDH/FFDH private key. */
    status = psa_generate_key(&key_attributes,
                              &handshake->ecdh_psa_privkey);
    if (status != PSA_SUCCESS) {
@ -1563,22 +1611,22 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(

    }

-    /* Export the public part of the ECDH private key from PSA. */
+    /* Export the public part of the ECDH/FFDH private key from PSA. */
    status = psa_export_public_key(handshake->ecdh_psa_privkey,
-                                   buf, (size_t) (end - buf),
+                                   buf, buf_size,
                                   &own_pubkey_len);
+
    if (status != PSA_SUCCESS) {
        ret = PSA_TO_MBEDTLS_ERR(status);
        MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
        return ret;
-
    }

    *out_len = own_pubkey_len;

    return 0;
 }
-#endif /* PSA_WANT_ALG_ECDH */
+#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */

 /* RFC 8446 section 4.2
 *