diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 141c40a4e8..e8acc238d3 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -173,6 +173,12 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_MAC #endif +/* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */ +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ + defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM +#endif + #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) @@ -2222,6 +2228,28 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) } #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ +/** + * \brief TLS record protection modes + */ +typedef enum { + MBEDTLS_SSL_MODE_STREAM = 0, + MBEDTLS_SSL_MODE_CBC, + MBEDTLS_SSL_MODE_CBC_ETM, + MBEDTLS_SSL_MODE_AEAD +} mbedtls_ssl_mode_t; + +mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( + const mbedtls_ssl_transform *transform ); + +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) +mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( + int encrypt_then_mac, + const mbedtls_ssl_ciphersuite_t *suite ); +#else +mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( + const mbedtls_ssl_ciphersuite_t *suite ); +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + #if defined(MBEDTLS_ECDH_C) int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl, diff --git a/library/ssl_msg.c b/library/ssl_msg.c index c55c60f825..083c8d2e68 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -523,9 +523,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_cipher_mode_t mode; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + mbedtls_ssl_mode_t ssl_mode; int auth_done = 0; unsigned char * data; unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; @@ -566,15 +564,13 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + ssl_mode = mbedtls_ssl_get_mode_from_transform( transform ); + data = rec->buf + rec->data_offset; post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", data, rec->data_len ); -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET @@ -654,17 +650,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Add MAC before if needed */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER || - ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING -#else - if( mode == MBEDTLS_MODE_STREAM || - ( mode == MBEDTLS_MODE_CBC -#endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED -#endif - ) ) + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM || + ssl_mode == MBEDTLS_SSL_MODE_CBC ) { if( post_avail < transform->maclen ) { @@ -748,11 +735,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, * Encrypt */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) -#else - if( mode == MBEDTLS_MODE_STREAM ) -#endif + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " "including %d bytes of padding", @@ -767,13 +750,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_GCM_C) || \ defined(MBEDTLS_CCM_C) || \ defined(MBEDTLS_CHACHAPOLY_C) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( PSA_ALG_IS_AEAD( transform->psa_alg ) ) -#else - if( mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM || - mode == MBEDTLS_MODE_CHACHAPOLY ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_AEAD ) { unsigned char iv[12]; unsigned char *dynamic_iv; @@ -891,11 +868,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) -#else - if( mode == MBEDTLS_MODE_CBC ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_CBC || + ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t padlen, i; @@ -1139,14 +1113,9 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_record *rec ) { size_t olen; -#if defined(MBEDTLS_USE_PSA_CRYPTO) + mbedtls_ssl_mode_t ssl_mode; int ret; -#else - mbedtls_cipher_mode_t mode; - int ret; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - int auth_done = 0; #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) size_t padlen = 0, correct = 1; @@ -1171,9 +1140,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, } data = rec->buf + rec->data_offset; -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + ssl_mode = mbedtls_ssl_get_mode_from_transform( transform ); #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) /* @@ -1187,11 +1154,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ) -#else - if( mode == MBEDTLS_MODE_STREAM ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ) { /* The only supported stream cipher is "NULL", * so there's nothing to do here.*/ @@ -1201,13 +1164,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #if defined(MBEDTLS_GCM_C) || \ defined(MBEDTLS_CCM_C) || \ defined(MBEDTLS_CHACHAPOLY_C) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( PSA_ALG_IS_AEAD( transform->psa_alg ) ) -#else - if( mode == MBEDTLS_MODE_GCM || - mode == MBEDTLS_MODE_CCM || - mode == MBEDTLS_MODE_CHACHAPOLY ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_AEAD ) { unsigned char iv[12]; unsigned char *dynamic_iv; @@ -1333,11 +1290,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) -#else - if( mode == MBEDTLS_MODE_CBC ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( ssl_mode == MBEDTLS_SSL_MODE_CBC || + ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { size_t minlen = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1391,7 +1345,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, * Authenticate before decrypt if enabled */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) + if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 7f658497ef..1c05001a86 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -216,19 +216,23 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, uint32_t lifetime ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - const mbedtls_cipher_info_t *cipher_info; + size_t key_bits; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg; psa_key_type_t key_type; - size_t key_bits; -#endif +#else + const mbedtls_cipher_info_t *cipher_info; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ - ctx->f_rng = f_rng; - ctx->p_rng = p_rng; - - ctx->ticket_lifetime = lifetime; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( mbedtls_ssl_cipher_to_psa( cipher, TICKET_AUTH_TAG_BYTES, + &alg, &key_type, &key_bits ) != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( PSA_ALG_IS_AEAD( alg ) == 0 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); +#else cipher_info = mbedtls_cipher_info_from_type( cipher ); if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM && @@ -238,14 +242,18 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - if( mbedtls_cipher_info_get_key_bitlen( cipher_info ) > 8 * MAX_KEY_BYTES ) + key_bits = mbedtls_cipher_info_get_key_bitlen( cipher_info ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + + if( key_bits > 8 * MAX_KEY_BYTES ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + ctx->f_rng = f_rng; + ctx->p_rng = p_rng; + + ctx->ticket_lifetime = lifetime; + #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( mbedtls_ssl_cipher_to_psa( cipher_info->type, TICKET_AUTH_TAG_BYTES, - &alg, &key_type, &key_bits ) != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - ctx->keys[0].alg = alg; ctx->keys[0].key_type = key_type; ctx->keys[0].key_bits = key_bits; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7804cb781d..1702885fd6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -383,11 +383,9 @@ typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *, static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, int ciphersuite, const unsigned char master[48], -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ - defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) int encrypt_then_mac, -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && - MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ ssl_tls_prf_t tls_prf, const unsigned char randbytes[64], mbedtls_ssl_protocol_version tls_version, @@ -1715,6 +1713,109 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) +static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( + psa_algorithm_t alg ) +{ +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) + if( alg == PSA_ALG_CBC_NO_PADDING ) + return( MBEDTLS_SSL_MODE_CBC ); +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ + if( PSA_ALG_IS_AEAD( alg ) ) + return( MBEDTLS_SSL_MODE_AEAD ); + return( MBEDTLS_SSL_MODE_STREAM ); +} + +#else /* MBEDTLS_USE_PSA_CRYPTO */ + +static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( + mbedtls_cipher_mode_t mode ) +{ +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) + if( mode == MBEDTLS_MODE_CBC ) + return( MBEDTLS_SSL_MODE_CBC ); +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ + +#if defined(MBEDTLS_GCM_C) || \ + defined(MBEDTLS_CCM_C) || \ + defined(MBEDTLS_CHACHAPOLY_C) + if( mode == MBEDTLS_MODE_GCM || + mode == MBEDTLS_MODE_CCM || + mode == MBEDTLS_MODE_CHACHAPOLY ) + return( MBEDTLS_SSL_MODE_AEAD ); +#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ + + return( MBEDTLS_SSL_MODE_STREAM ); +} +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + +static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode( + mbedtls_ssl_mode_t base_mode, + int encrypt_then_mac ) +{ +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && + base_mode == MBEDTLS_SSL_MODE_CBC ) + { + return( MBEDTLS_SSL_MODE_CBC_ETM ); + } +#else + (void) encrypt_then_mac; +#endif + return( base_mode ); +} + +mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( + const mbedtls_ssl_transform *transform ) +{ + mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode( +#if defined(MBEDTLS_USE_PSA_CRYPTO) + transform->psa_alg +#else + mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) +#endif + ); + + int encrypt_then_mac = 0; +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + encrypt_then_mac = transform->encrypt_then_mac; +#endif + return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) ); +} + +mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + int encrypt_then_mac, +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + const mbedtls_ssl_ciphersuite_t *suite ) +{ + mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + psa_algorithm_t alg; + psa_key_type_t type; + size_t size; + status = mbedtls_ssl_cipher_to_psa( suite->cipher, 0, &alg, &type, &size ); + if( status == PSA_SUCCESS ) + base_mode = mbedtls_ssl_get_base_mode( alg ); +#else + const mbedtls_cipher_info_t *cipher = + mbedtls_cipher_info_from_type( suite->cipher ); + if( cipher != NULL ) + { + base_mode = + mbedtls_ssl_get_base_mode( + mbedtls_cipher_info_get_mode( cipher ) ); + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + +#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + int encrypt_then_mac = 0; +#endif + return( mbedtls_ssl_get_actual_mode( base_mode, encrypt_then_mac ) ); +} + #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type, size_t taglen, @@ -3615,11 +3716,9 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, ret = ssl_tls12_populate_transform( ssl->transform, ssl->session->ciphersuite, ssl->session->master, -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ - defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) ssl->session->encrypt_then_mac, -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && - MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ ssl_tls12prf_from_cs( ssl->session->ciphersuite ), p, /* currently pointing to randbytes */ MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ @@ -5193,11 +5292,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) ret = ssl_tls12_populate_transform( ssl->transform_negotiate, ssl->session_negotiate->ciphersuite, ssl->session_negotiate->master, -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ - defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) ssl->session_negotiate->encrypt_then_mac, -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && - MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ ssl->handshake->tls_prf, ssl->handshake->randbytes, ssl->tls_version, @@ -6789,11 +6886,9 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, int ciphersuite, const unsigned char master[48], -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \ - defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) int encrypt_then_mac, -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC && - MBEDTLS_SSL_SOME_SUITES_USE_MAC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ ssl_tls_prf_t tls_prf, const unsigned char randbytes[64], mbedtls_ssl_protocol_version tls_version, @@ -6810,8 +6905,9 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, size_t iv_copy_len; size_t keylen; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - const mbedtls_cipher_info_t *cipher_info; + mbedtls_ssl_mode_t ssl_mode; #if !defined(MBEDTLS_USE_PSA_CRYPTO) + const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; #endif /* !MBEDTLS_USE_PSA_CRYPTO */ @@ -6836,10 +6932,9 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, /* * Some data just needs copying into the structure */ -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ - defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) transform->encrypt_then_mac = encrypt_then_mac; -#endif +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ transform->tls_version = tls_version; #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) @@ -6866,6 +6961,28 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } + ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) + encrypt_then_mac, +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ + ciphersuite_info ); + + if( ssl_mode == MBEDTLS_SSL_MODE_AEAD ) + transform->taglen = + ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, + transform->taglen, + &alg, + &key_type, + &key_bits ) ) != PSA_SUCCESS ) + { + ret = psa_ssl_status_to_mbedtls( status ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret ); + goto end; + } +#else cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); if( cipher_info == NULL ) { @@ -6873,6 +6990,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, ciphersuite_info->cipher ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_USE_PSA_CRYPTO) mac_alg = mbedtls_psa_translate_md( ciphersuite_info->mac ); @@ -6932,21 +7050,21 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * Determine the appropriate key, IV and MAC length. */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + keylen = PSA_BITS_TO_BYTES(key_bits); +#else keylen = mbedtls_cipher_info_get_key_bitlen( cipher_info ) / 8; +#endif #if defined(MBEDTLS_GCM_C) || \ defined(MBEDTLS_CCM_C) || \ defined(MBEDTLS_CHACHAPOLY_C) - if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_GCM || - mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CCM || - mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY ) + if( ssl_mode == MBEDTLS_SSL_MODE_AEAD ) { size_t explicit_ivlen; transform->maclen = 0; mac_key_len = 0; - transform->taglen = - ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; /* All modes haves 96-bit IVs, but the length of the static parts vary * with mode and version: @@ -6957,7 +7075,11 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * sequence number). */ transform->ivlen = 12; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( key_type == PSA_KEY_TYPE_CHACHA20 ) +#else if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ transform->fixed_ivlen = 12; else transform->fixed_ivlen = 4; @@ -6969,9 +7091,16 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) - if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM || - mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC ) + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM || + ssl_mode == MBEDTLS_SSL_MODE_CBC || + ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ); +#else + size_t block_size = cipher_info->block_size; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + #if defined(MBEDTLS_USE_PSA_CRYPTO) /* Get MAC length */ mac_key_len = PSA_HASH_LENGTH(mac_alg); @@ -6990,10 +7119,14 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, transform->maclen = mac_key_len; /* IV length */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + transform->ivlen = PSA_CIPHER_IV_LENGTH( key_type, alg ); +#else transform->ivlen = cipher_info->iv_size; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Minimum length */ - if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ) + if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ) transform->minlen = transform->maclen; else { @@ -7004,17 +7137,17 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * 2. IV */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) + if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM ) { transform->minlen = transform->maclen - + cipher_info->block_size; + + block_size; } else #endif { transform->minlen = transform->maclen - + cipher_info->block_size - - transform->maclen % cipher_info->block_size; + + block_size + - transform->maclen % block_size; } if( tls_version == MBEDTLS_SSL_VERSION_TLS1_2 ) @@ -7096,17 +7229,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( status = mbedtls_ssl_cipher_to_psa( cipher_info->type, - transform->taglen, - &alg, - &key_type, - &key_bits ) ) != PSA_SUCCESS ) - { - ret = psa_ssl_status_to_mbedtls( status ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", ret ); - goto end; - } - transform->psa_alg = alg; if ( alg != MBEDTLS_SSL_NULL_CIPHER ) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 6fd916f29f..8866d4f380 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1973,20 +1973,13 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) { unsigned char *p = buf; const mbedtls_ssl_ciphersuite_t *suite = NULL; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_type_t key_type; - psa_algorithm_t alg; - size_t key_bits; -#else - const mbedtls_cipher_info_t *cipher = NULL; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* * RFC 7366: "If a server receives an encrypt-then-MAC request extension @@ -1994,18 +1987,19 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, * with Associated Data (AEAD) ciphersuite, it MUST NOT send an * encrypt-then-MAC response extension back to the client." */ - if( ( suite = mbedtls_ssl_ciphersuite_from_id( - ssl->session_negotiate->ciphersuite ) ) == NULL || -#if defined(MBEDTLS_USE_PSA_CRYPTO) - ( mbedtls_ssl_cipher_to_psa( suite->cipher, 0, &alg, - &key_type, &key_bits ) != PSA_SUCCESS ) || - alg != PSA_ALG_CBC_NO_PADDING ) -#else - ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || - cipher->mode != MBEDTLS_MODE_CBC ) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - { + suite = mbedtls_ssl_ciphersuite_from_id( + ssl->session_negotiate->ciphersuite ); + if( suite == NULL ) ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; + else + { + mbedtls_ssl_mode_t ssl_mode = + mbedtls_ssl_get_mode_from_ciphersuite( + ssl->session_negotiate->encrypt_then_mac, + suite ); + + if( ssl_mode != MBEDTLS_SSL_MODE_CBC_ETM ) + ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED; } if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ) @@ -2024,7 +2018,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, *olen = 4; } -#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl, @@ -2593,7 +2587,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) ext_len += olen; #endif -#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif