From 868af821c96254fe590340abf543db74f9f506d7 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 9 Mar 2022 10:26:25 +0100 Subject: [PATCH 01/21] Implement PSA client-side ECDHE-PSK Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 147 +++++++++++++++++++++++++++++++++++++ 1 file changed, 147 insertions(+) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 734d3a2e97..ad5b55477d 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1813,6 +1813,7 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) static int ssl_parse_server_ecdh_params_psa( mbedtls_ssl_context *ssl, unsigned char **p, @@ -2348,8 +2349,10 @@ start_processing: MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) { if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 ) @@ -2365,6 +2368,7 @@ start_processing: else #endif /* MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ 
@@ -2998,6 +3002,149 @@ ecdh_calc_secret: MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; + psa_key_attributes_t key_attributes; + + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + /* + * opaque psk_identity<0..2^16-1>; + */ + if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 ) + { + /* We don't offer PSK suites if we don't have a PSK, + * and we check that the server's choice is among the + * ciphersuites we offered, so this should never happen. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* Opaque PSKs are currently only supported for PSK-only suites. */ + if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + + header_len = 4; + content_len = ssl->conf->psk_identity_len; + + if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, + ( "psk identity too long or SSL buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + + ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len ); + ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len ); + + memcpy( ssl->out_msg + header_len, + ssl->conf->psk_identity, + ssl->conf->psk_identity_len ); + header_len += ssl->conf->psk_identity_len; + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); + + /* + * Generate EC private key for ECDHE exchange. + */ + + /* The master secret is obtained from the shared ECDH secret by + * applying the TLS 1.2 PRF with a specific salt and label. 
While + * the PSA Crypto API encourages combining key agreement schemes + * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not + * yet support the provisioning of salt + label to the KDF. + * For the time being, we therefore need to split the computation + * of the ECDH secret and the application of the TLS 1.2 PRF. */ + key_attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH ); + psa_set_key_type( &key_attributes, handshake->ecdh_psa_type ); + psa_set_key_bits( &key_attributes, handshake->ecdh_bits ); + + /* Generate ECDH private key. */ + status = psa_generate_key( &key_attributes, + &handshake->ecdh_psa_privkey ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + /* Export the public part of the ECDH private key from PSA. + * The export format is an ECPoint structure as expected by TLS, + * but we just need to add a length byte before that. */ + unsigned char *own_pubkey = ssl->out_msg + header_len + 1; + unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; + size_t own_pubkey_max_len = (size_t)( end - own_pubkey ); + size_t own_pubkey_len; + + status = psa_export_public_key( handshake->ecdh_psa_privkey, + own_pubkey, own_pubkey_max_len, + &own_pubkey_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( handshake->ecdh_psa_privkey ); + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; + content_len = own_pubkey_len + 1; + + /* The ECDH secret is the premaster secret used for key derivation. */ + unsigned char *p = ssl->handshake->premaster; + unsigned char *p_end = p + sizeof( ssl->handshake->premaster ); + size_t zlen; + + /* Compute ECDH shared secret. 
*/ + status = psa_raw_key_agreement( PSA_ALG_ECDH, + handshake->ecdh_psa_privkey, + handshake->ecdh_psa_peerkey, + handshake->ecdh_psa_peerkey_len, + p + 2, + p_end - ( p + 2 ), + &zlen ); + + destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + + if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + MBEDTLS_PUT_UINT16_BE( zlen, p, 0 ); + p += 2 + zlen; + + /* opaque psk<0..2^16-1>; */ + if( p_end - p < 2 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + const unsigned char *psk = NULL; + size_t psk_len = 0; + + if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) + == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) + { + /* + * This should never happen because the existence of a PSK is always + * checked before calling this function + */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 ); + p += 2; + + if( p_end < p || (size_t)( p_end - p ) < psk_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + memcpy( p, psk, psk_len ); + p += psk_len; + + ssl->handshake->pmslen = p - ssl->handshake->premaster; + } + else +#endif /* MBEDTLS_USE_PSA_CRYPTO && + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) ) { From 039db29c7d1e5e9649d9f32daaec98735570fd9a Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 9 Mar 2022 11:38:34 +0100 Subject: [PATCH 02/21] Implement PSA server-side ECDHE-PSK Signed-off-by: Neil Armstrong --- library/ssl_tls12_server.c | 93 +++++++++++++++++++++++++++++++++++++- 1 file changed, 92 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 486632ee8e..1a4571cad8 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
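Review bot: The out_msg bound check reserves no room for the ECPoint length byte: the guard is `if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )`, so when the sum equals MBEDTLS_SSL_OUT_CONTENT_LEN exactly, `own_pubkey = ssl->out_msg + header_len + 1` lands one past `end`, `end - own_pubkey` is -1, and the `(size_t)` cast turns `own_pubkey_max_len` into SIZE_MAX, letting psa_export_public_key write past the output buffer as this hunk's own `end` defines it. The identity length comes from `ssl->conf->psk_identity_len`, i.e. from local configuration rather than from the peer, so this is a robustness defect rather than a remotely reachable one, unless a bound in the configuration API outside this view already excludes that length; it should still be closed by tightening the guard to `if( header_len + 2 + content_len + 1 > MBEDTLS_SSL_OUT_CONTENT_LEN )` or by failing before the export when `own_pubkey >= end`. The same guard is carried unchanged through patch 09 and patch 17, which also computes `own_pubkey = p + 1` without a bound. ssl_write_client_key_exchange's body begins and ends outside the hunk.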
@@ -3068,7 +3068,8 @@ curve_matching_done:
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
 {
 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
 psa_key_attributes_t key_attributes;
@@ -4037,6 +4038,96 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + { + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; + uint8_t ecpoint_len; + + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret ); + psa_destroy_key( handshake->ecdh_psa_privkey ); + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + return( ret ); + } + + /* Keep a copy of the peer's public key */ + ecpoint_len = *(p++); + if( (size_t)( end - *p ) < ecpoint_len ) { + psa_destroy_key( handshake->ecdh_psa_privkey ); + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + } + + if( ecpoint_len > sizeof( handshake->ecdh_psa_peerkey ) ) { + psa_destroy_key( handshake->ecdh_psa_privkey ); + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + memcpy( handshake->ecdh_psa_peerkey, p, ecpoint_len ); + handshake->ecdh_psa_peerkey_len = ecpoint_len; + p += ecpoint_len; + + /* The ECDH secret is the premaster secret used for key derivation. */ + unsigned char *psm = ssl->handshake->premaster; + unsigned char *psm_end = psm + sizeof( ssl->handshake->premaster ); + size_t zlen; + + /* Compute ECDH shared secret. 
*/ + status = psa_raw_key_agreement( PSA_ALG_ECDH, + handshake->ecdh_psa_privkey, + handshake->ecdh_psa_peerkey, + handshake->ecdh_psa_peerkey_len, + psm + 2, + psm_end - ( psm + 2 ), + &zlen ); + + destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); + handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; + + if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); + psm += 2 + zlen; + + /* opaque psk<0..2^16-1>; */ + if( psm_end - psm < 2 ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + const unsigned char *psk = NULL; + size_t psk_len = 0; + + if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) + == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) + { + /* + * This should never happen because the existence of a PSK is always + * checked before calling this function + */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 ); + psm += 2; + + if( psm_end < psm || (size_t)( psm_end - psm ) < psk_len ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + memcpy( psm, psk, psk_len ); + psm += psk_len; + + ssl->handshake->pmslen = psm - ssl->handshake->premaster; + } + else +#endif /* MBEDTLS_USE_PSA_CRYPTO && + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { From bc5e8f9dd0ac5203886e73fcb9e99d5fff293304 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 17:42:50 +0100 Subject: [PATCH 03/21] Initialize uninitialized variables in ECHDE-PSK part of ssl_write_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index ad5b55477d..af8e9ee6f4 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
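Review bot: The peer-key length check dereferences the cursor: `if( (size_t)( end - *p ) < ecpoint_len )` subtracts the byte value `*p` from `end` instead of computing the remaining length `end - p`, so the comparison is made against a pointer cast to size_t and does not bound the following memcpy against the real message end. The preceding `ecpoint_len = *(p++);` also reads one byte without first checking that `p < end`, which matters because ssl_parse_client_psk_identity may already have consumed the message up to `end`. Both sit on the path that copies peer-controlled bytes into `handshake->ecdh_psa_peerkey`; the later check against `sizeof( handshake->ecdh_psa_peerkey )` bounds the destination but not the source read. Patch 19 in this series is titled as touching these pointer checks, but its hunk lies outside this view, so the point is raised here. ssl_parse_client_key_exchange's body begins and ends outside the hunk.
```c
        /* Keep a copy of the peer's public key */
        if( end - p < 1 )
        {
            psa_destroy_key( handshake->ecdh_psa_privkey );
            handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
        }
        ecpoint_len = *(p++);
        if( (size_t)( end - p ) < ecpoint_len )
        {
            psa_destroy_key( handshake->ecdh_psa_privkey );
            handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
        }
        /* … unchanged: destination-size check, memcpy into ecdh_psa_peerkey, key agreement … */
```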
@@ -3076,7 +3076,7 @@ ecdh_calc_secret:
 unsigned char *own_pubkey = ssl->out_msg + header_len + 1;
 unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
 size_t own_pubkey_max_len = (size_t)( end - own_pubkey );
- size_t own_pubkey_len;
+ size_t own_pubkey_len = 0;
 status = psa_export_public_key( handshake->ecdh_psa_privkey,
 own_pubkey, own_pubkey_max_len,
@@ -3094,7 +3094,7 @@ ecdh_calc_secret:
 /* The ECDH secret is the premaster secret used for key derivation. */
 unsigned char *p = ssl->handshake->premaster;
 unsigned char *p_end = p + sizeof( ssl->handshake->premaster );
- size_t zlen;
+ size_t zlen = 0;
 /* Compute ECDH shared secret. */
 status = psa_raw_key_agreement( PSA_ALG_ECDH,
From 25400455425ffb1f10bbc863822b90405b21b7ee Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 23 Mar 2022 17:44:07 +0100
Subject: [PATCH 04/21] Update comments in ECHDE-PSK part of ssl_write_client_key_exchange()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_client.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index af8e9ee6f4..2e94505e6e 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -3091,12 +3091,17 @@ ecdh_calc_secret: ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; content_len = own_pubkey_len + 1; - /* The ECDH secret is the premaster secret used for key derivation. */ + /* As RFC 5489 section 2, the premaster secret is formed as follows: + * - a uint16 containing the length (in octets) of the ECDH computation + * - the octet string produced by the ECDH computation + * - a uint16 containing the length (in octets) of the PSK + * - the PSK itself + */ unsigned char *p = ssl->handshake->premaster; unsigned char *p_end = p + sizeof( ssl->handshake->premaster ); size_t zlen = 0; - /* Compute ECDH shared secret. */ + /* Perform ECDH computation after the uint16 reserved for the length */ status = psa_raw_key_agreement( PSA_ALG_ECDH, handshake->ecdh_psa_privkey, handshake->ecdh_psa_peerkey, @@ -3111,6 +3116,7 @@ ecdh_calc_secret: if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, p, 0 ); p += 2 + zlen; @@ -3131,12 +3137,14 @@ ecdh_calc_secret: return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + /* Write the PSK length as uint16 */ MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 ); p += 2; if( p_end < p || (size_t)( p_end - p ) < psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Write the PSK itself */ memcpy( p, psk, psk_len ); p += psk_len; From b9f319aec1bc8ef24ecbcaeac96f531d37daf8f6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 17:44:29 +0100 Subject: [PATCH 05/21] Remove useless braces in ECHDE-PSK part of ssl_write_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 2e94505e6e..ca09c3ee15 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
@@ -3016,12 +3016,10 @@ ecdh_calc_secret: * opaque psk_identity<0..2^16-1>; */ if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 ) - { /* We don't offer PSK suites if we don't have a PSK, * and we check that the server's choice is among the * ciphersuites we offered, so this should never happen. */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } /* Opaque PSKs are currently only supported for PSK-only suites. */ if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) @@ -3129,13 +3127,11 @@ ecdh_calc_secret: if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) - { /* * This should never happen because the existence of a PSK is always * checked before calling this function */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } /* Write the PSK length as uint16 */ MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 ); From c530aa6b4e1651f4bb489783f93fb74a37e79a5d Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 17:45:01 +0100 Subject: [PATCH 06/21] Return PSA translated errors in ECHDE-PSK part of ssl_write_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index ca09c3ee15..895896c9f2 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -3066,7 +3066,7 @@ ecdh_calc_secret: status = psa_generate_key( &key_attributes, &handshake->ecdh_psa_privkey ); if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + return( psa_ssl_status_to_mbedtls( status ) ); /* Export the public part of the ECDH private key from PSA. * The export format is an ECPoint structure as expected by TLS, 
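Review bot: Dropping the braces around a body that is a multi-line comment followed by a single `return` leaves the comment as the only thing visually attached to the condition, and it is the shape from which goto-fail style mistakes grow: a later debug statement inserted before the return would silently fall outside the `if`. Keeping `if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 ) { /* ... */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); }` braced costs nothing, and the nearby multi-statement error paths in this function (the export-failure block) are braced anyway. The same removal is repeated at the `mbedtls_ssl_get_psk` check in this patch and in patch 12 on the server side.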
@@ -3083,7 +3083,7 @@ ecdh_calc_secret: { psa_destroy_key( handshake->ecdh_psa_privkey ); handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + return( psa_ssl_status_to_mbedtls( status ) ); } ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; @@ -3111,8 +3111,10 @@ ecdh_calc_secret: destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; - if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + if( status != PSA_SUCCESS ) + return( psa_ssl_status_to_mbedtls( status ) ); + else if( destruction_status != PSA_SUCCESS ) + return( psa_ssl_status_to_mbedtls( destruction_status ) ); /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, p, 0 ); From d8420cad316b2c9868674b9fc7fdca0ecc9477ce Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 17:46:04 +0100 Subject: [PATCH 07/21] Change to more appropriate pointer declaration in ECHDE-PSK part of ssl_write_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 895896c9f2..91cad8b293 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -3096,7 +3096,8 @@ ecdh_calc_secret: * - the PSK itself */ unsigned char *p = ssl->handshake->premaster; - unsigned char *p_end = p + sizeof( ssl->handshake->premaster ); + const unsigned char* const p_end = p + + sizeof( ssl->handshake->premaster ); size_t zlen = 0; /* Perform ECDH computation after the uint16 reserved for the length */ From 0bdb68a2428af036005aa45aa8b85a751494f73e Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 17:46:32 +0100 Subject: [PATCH 08/21] Introduce zlen size variable in ECHDE-PSK part of ssl_write_client_key_exchange() 
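Review bot: The `else` after a `return` on the agreement-failure path is dead syntax; `if( status != PSA_SUCCESS ) return( psa_ssl_status_to_mbedtls( status ) );` followed by `if( destruction_status != PSA_SUCCESS ) return( psa_ssl_status_to_mbedtls( destruction_status ) );` reads the same without an else-after-return. More substantively, this hunk now checks and translates the result of `psa_destroy_key`, while the export-failure path in the `@@ -3083` hunk still discards it; a destroy failure there presumably leaves the ephemeral private key resident in the PSA key store after the handshake aborts, which is worth at least a debug message for consistency with the path below. Patch 13 applies the same asymmetry on the server side, where the early returns added in patch 02 before the agreement also ignore the destroy status.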
Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 91cad8b293..d372663873 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -3098,6 +3098,8 @@ ecdh_calc_secret: unsigned char *p = ssl->handshake->premaster; const unsigned char* const p_end = p + sizeof( ssl->handshake->premaster ); + /* uint16 to store length (in octets) of the ECDH computation */ + const size_t zlen_size = 2; size_t zlen = 0; /* Perform ECDH computation after the uint16 reserved for the length */ @@ -3105,8 +3107,8 @@ ecdh_calc_secret: handshake->ecdh_psa_privkey, handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, - p + 2, - p_end - ( p + 2 ), + p + zlen_size, + p_end - ( p + zlen_size ), &zlen ); destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); @@ -3119,7 +3121,7 @@ ecdh_calc_secret: /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, p, 0 ); - p += 2 + zlen; + p += zlen_size + zlen; /* opaque psk<0..2^16-1>; */ if( p_end - p < 2 ) From fc834f2e2c8210ff8115135ad31eb8e54c076609 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 17:54:38 +0100 Subject: [PATCH 09/21] Introduce content_len_size variable in ECHDE-PSK part of ssl_write_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index d372663873..92c1cd3700 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
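Review bot: `zlen_size` replaces the literal for the ECDH length prefix, but the PSK length prefix a few lines down still uses a bare `2`, visible in this hunk's context line `if( p_end - p < 2 )` and in the `p += 2` shown in patch 04's hunk, so the two halves of the RFC 5489 premaster layout end up written in different styles. A sibling `const size_t psk_len_size = 2;` declared next to `zlen_size` and used in both places would finish the change. Patch 15 leaves the same gap on the server side and patch 18 re-introduces the literal in `( 2 + psk_len )`.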
@@ -3025,10 +3025,14 @@ ecdh_calc_secret:
 if( ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ /* uint16 to store content length */
+ const size_t content_len_size = 2;
+
 header_len = 4;
 content_len = ssl->conf->psk_identity_len;
- if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
+ if( header_len + content_len_size + content_len
+ > MBEDTLS_SSL_OUT_CONTENT_LEN )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1,
 ( "psk identity too long or SSL buffer too short" ) );
From 549a3e47376ce01591904e0e42566cc29dc97326 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 23 Mar 2022 18:16:24 +0100
Subject: [PATCH 10/21] Initialize uninitialized variable in ECHDE-PSK part of ssl_parse_client_key_exchange()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 1a4571cad8..5ab800c5d1 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4077,7 +4077,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
 /* The ECDH secret is the premaster secret used for key derivation. */
 unsigned char *psm = ssl->handshake->premaster;
 unsigned char *psm_end = psm + sizeof( ssl->handshake->premaster );
- size_t zlen;
+ size_t zlen = 0;
 /* Compute ECDH shared secret. */
 status = psa_raw_key_agreement( PSA_ALG_ECDH,
From 3bcef083354f3b359567158e20a80b345fa6e0c4 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Wed, 23 Mar 2022 18:16:54 +0100
Subject: [PATCH 11/21] Update comments in ECHDE-PSK part of ssl_parse_client_key_exchange()
Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 5ab800c5d1..34dbcbcad8 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4074,7 +4074,12 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) handshake->ecdh_psa_peerkey_len = ecpoint_len; p += ecpoint_len; - /* The ECDH secret is the premaster secret used for key derivation. */ + /* As RFC 5489 section 2, the premaster secret is formed as follows: + * - a uint16 containing the length (in octets) of the ECDH computation + * - the octet string produced by the ECDH computation + * - a uint16 containing the length (in octets) of the PSK + * - the PSK itself + */ unsigned char *psm = ssl->handshake->premaster; unsigned char *psm_end = psm + sizeof( ssl->handshake->premaster ); size_t zlen = 0; @@ -4094,6 +4099,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); psm += 2 + zlen; @@ -4114,12 +4120,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + /* Write the PSK length as uint16 */ MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 ); psm += 2; if( psm_end < psm || (size_t)( psm_end - psm ) < psk_len ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Write the PSK itself */ memcpy( psm, psk, psk_len ); psm += psk_len; From 5a1455d8d5452ce41d39f3b598c644ff78ada5d9 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 18:17:01 +0100 Subject: [PATCH 12/21] Remove useless braces in ECHDE-PSK part of ssl_parse_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_server.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 34dbcbcad8..d2c5db9c91 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
@@ -4112,13 +4112,11 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) - { /* * This should never happen because the existence of a PSK is always * checked before calling this function */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } /* Write the PSK length as uint16 */ MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 ); From fb0a81ece94b77ec12d0a44258ca7197dfe963e3 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 18:17:11 +0100 Subject: [PATCH 13/21] Return PSA translated errors in ECHDE-PSK part of ssl_parse_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_server.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index d2c5db9c91..b46c39f166 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4096,8 +4096,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; - if( status != PSA_SUCCESS || destruction_status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + if( status != PSA_SUCCESS ) + return( psa_ssl_status_to_mbedtls( status ) ); + else if( destruction_status != PSA_SUCCESS ) + return( psa_ssl_status_to_mbedtls( destruction_status ) ); /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); From d6e2759afbdf33947ad0eb75a27ee270a85a96fa Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 18:17:24 +0100 Subject: [PATCH 14/21] Change to more appropriate pointer declaration in ECHDE-PSK part of ssl_parse_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index b46c39f166..7bf35694ff 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4081,7 +4081,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )  * - the PSK itself  */ unsigned char *psm = ssl->handshake->premaster; - unsigned char *psm_end = psm + sizeof( ssl->handshake->premaster ); + const unsigned char* const psm_end = + psm + sizeof( ssl->handshake->premaster ); size_t zlen = 0; /* Compute ECDH shared secret. */ From 2d63da9269d0f5cea978e68ba425375221aa9d16 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 23 Mar 2022 18:17:31 +0100 Subject: [PATCH 15/21] Introduce zlen size variable in ECHDE-PSK part of ssl_parse_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_server.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 7bf35694ff..fda5db5cbf 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4083,6 +4083,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) unsigned char *psm = ssl->handshake->premaster; const unsigned char* const psm_end = psm + sizeof( ssl->handshake->premaster ); + /* uint16 to store length (in octets) of the ECDH computation */ + const size_t zlen_size = 2; size_t zlen = 0; /* Compute ECDH shared secret. */ @@ -4090,8 +4092,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) handshake->ecdh_psa_privkey, handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len, - psm + 2, - psm_end - ( psm + 2 ), + psm + zlen_size, + psm_end - ( psm + zlen_size ), &zlen ); destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey ); 
@@ -4104,7 +4106,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); - psm += 2 + zlen; + psm += zlen_size + zlen; /* opaque psk<0..2^16-1>; */ if( psm_end - psm < 2 ) From fdf20cb5130fa72fc1f5bced7d49133506c42717 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 24 Mar 2022 09:43:02 +0100 Subject: [PATCH 16/21] Fix command indentation in ssl_parse_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_server.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index fda5db5cbf..bfd8fd3cac 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4075,11 +4075,11 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) p += ecpoint_len; /* As RFC 5489 section 2, the premaster secret is formed as follows: - * - a uint16 containing the length (in octets) of the ECDH computation - * - the octet string produced by the ECDH computation - * - a uint16 containing the length (in octets) of the PSK - * - the PSK itself - */ + * - a uint16 containing the length (in octets) of the ECDH computation + * - the octet string produced by the ECDH computation + * - a uint16 containing the length (in octets) of the PSK + * - the PSK itself + */ unsigned char *psm = ssl->handshake->premaster; const unsigned char* const psm_end = psm + sizeof( ssl->handshake->premaster ); From b7ca76b6523784df127b911f1f0ee4add83302a4 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Mon, 4 Apr 2022 18:27:15 +0200 Subject: [PATCH 17/21] Use intermediate pointer for readability and rename PMS pointer in ECHDE-PSK PSA version of ssl_write_client_key_exchange() Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 45 ++++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 21 deletions(-) 
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 92c1cd3700..f5473f458a 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -3029,9 +3029,8 @@ ecdh_calc_secret: const size_t content_len_size = 2; header_len = 4; - content_len = ssl->conf->psk_identity_len; - if( header_len + content_len_size + content_len + if( header_len + content_len_size + ssl->conf->psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) { MBEDTLS_SSL_DEBUG_MSG( 1, @@ -3039,12 +3038,16 @@ ecdh_calc_secret: return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } - ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len ); - ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len ); + unsigned char *p = ssl->out_msg + header_len; - memcpy( ssl->out_msg + header_len, - ssl->conf->psk_identity, + *p++ = MBEDTLS_BYTE_1( ssl->conf->psk_identity_len ); + *p++ = MBEDTLS_BYTE_0( ssl->conf->psk_identity_len ); + header_len += content_len_size; + + memcpy( p, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); + p += ssl->conf->psk_identity_len; + header_len += ssl->conf->psk_identity_len; MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); @@ -3075,7 +3078,7 @@ ecdh_calc_secret: /* Export the public part of the ECDH private key from PSA. * The export format is an ECPoint structure as expected by TLS, * but we just need to add a length byte before that. */ - unsigned char *own_pubkey = ssl->out_msg + header_len + 1; + unsigned char *own_pubkey = p + 1; unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; size_t own_pubkey_max_len = (size_t)( end - own_pubkey ); size_t own_pubkey_len = 0; @@ -3090,7 +3093,7 @@ ecdh_calc_secret: return( psa_ssl_status_to_mbedtls( status ) ); } - ssl->out_msg[header_len] = (unsigned char) own_pubkey_len; + *p = (unsigned char) own_pubkey_len; content_len = own_pubkey_len + 1; /* As RFC 5489 section 2, the premaster secret is formed as follows: 
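Review bot: After this change `header_len` and `p` track the same write position independently: `header_len += content_len_size;` and `header_len += ssl->conf->psk_identity_len;` mirror the `*p++` writes and `p += ssl->conf->psk_identity_len;`, so the message size now has two sources of truth that must be kept in step by hand, and any later edit that advances one but not the other silently mis-sizes the message. Deriving the count from the cursor once after the identity is written, `header_len = p - ssl->out_msg;` (with a cast matching header_len's declared type, which is outside the hunk), keeps `p` as the single cursor. The identity-length guard in the `@@ -3029` hunk is otherwise unchanged and still reserves no room for the ECPoint length byte later written through `*p`. ssl_write_client_key_exchange's body begins and ends outside the hunk.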
@@ -3099,8 +3102,8 @@ ecdh_calc_secret:
          * - a uint16 containing the length (in octets) of the PSK
          * - the PSK itself
          */
-        unsigned char *p = ssl->handshake->premaster;
-        const unsigned char* const p_end = p +
+        unsigned char *pms = ssl->handshake->premaster;
+        const unsigned char* const pms_end = pms +
             sizeof( ssl->handshake->premaster );
         /* uint16 to store length (in octets) of the ECDH computation */
         const size_t zlen_size = 2;
@@ -3111,8 +3114,8 @@ ecdh_calc_secret:
                                          handshake->ecdh_psa_privkey,
                                          handshake->ecdh_psa_peerkey,
                                          handshake->ecdh_psa_peerkey_len,
-                                         p + zlen_size,
-                                         p_end - ( p + zlen_size ),
+                                         pms + zlen_size,
+                                         pms_end - ( pms + zlen_size ),
                                          &zlen );
 
         destruction_status = psa_destroy_key( handshake->ecdh_psa_privkey );
@@ -3124,11 +3127,11 @@ ecdh_calc_secret:
             return( psa_ssl_status_to_mbedtls( destruction_status ) );
 
         /* Write the ECDH computation length before the ECDH computation */
-        MBEDTLS_PUT_UINT16_BE( zlen, p, 0 );
-        p += zlen_size + zlen;
+        MBEDTLS_PUT_UINT16_BE( zlen, pms, 0 );
+        pms += zlen_size + zlen;
 
         /* opaque psk<0..2^16-1>; */
-        if( p_end - p < 2 )
+        if( pms_end - pms < 2 )
             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
         const unsigned char *psk = NULL;
@@ -3143,17 +3146,17 @@ ecdh_calc_secret:
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 
         /* Write the PSK length as uint16 */
-        MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
-        p += 2;
+        MBEDTLS_PUT_UINT16_BE( psk_len, pms, 0 );
+        pms += 2;
 
-        if( p_end < p || (size_t)( p_end - p ) < psk_len )
+        if( pms_end < pms || (size_t)( pms_end - pms ) < psk_len )
             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
         /* Write the PSK itself */
-        memcpy( p, psk, psk_len );
-        p += psk_len;
+        memcpy( pms, psk, psk_len );
+        pms += psk_len;
 
-        ssl->handshake->pmslen = p - ssl->handshake->premaster;
+        ssl->handshake->pmslen = pms - ssl->handshake->premaster;
     }
     else
 #endif /* MBEDTLS_USE_PSA_CRYPTO &&

From e18ff952a7ce75b462be180e38b3be070a5efd4f Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Mon, 4 Apr 2022 18:34:55 +0200
Subject: [PATCH 18/21] Get PSK length & check for buffer size before writting in ECHDE-PSK PSA version of ssl_write_client_key_exchange()

Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_client.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index f5473f458a..e68830eca6 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -3130,10 +3130,6 @@ ecdh_calc_secret:
         MBEDTLS_PUT_UINT16_BE( zlen, pms, 0 );
         pms += zlen_size + zlen;
 
-        /* opaque psk<0..2^16-1>; */
-        if( pms_end - pms < 2 )
-            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
         const unsigned char *psk = NULL;
         size_t psk_len = 0;
 
@@ -3145,13 +3141,14 @@ ecdh_calc_secret:
              */
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 
+        /* opaque psk<0..2^16-1>; */
+        if( (size_t)( pms_end - pms ) < ( 2 + psk_len ) )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
         /* Write the PSK length as uint16 */
         MBEDTLS_PUT_UINT16_BE( psk_len, pms, 0 );
         pms += 2;
 
-        if( pms_end < pms || (size_t)( pms_end - pms ) < psk_len )
-            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
         /* Write the PSK itself */
         memcpy( pms, psk, psk_len );
         pms += psk_len;

From 3cae167e6ac2b2d1aec5ca070c4cab62c6af994b Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Tue, 5 Apr 2022 10:01:15 +0200
Subject: [PATCH 19/21] Check buffer pointers before storing peer's public key in ECHDE-PSK PSA version of ssl_parse_client_key_exchange()

Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index bfd8fd3cac..d9a29dcd00 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
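Review bot: The comment `/* opaque psk<0..2^16-1>; */` moved in the hunk at -3145 now heads a buffer-capacity check rather than marking where the wire-format field is written, so a reader has to infer why `2 + psk_len` is compared against the remaining premaster space; `/* opaque psk<0..2^16-1>: the uint16 length plus the PSK must still fit in the premaster buffer */` would say it. The literal `2` is the same quantity the ECDH half of this block names `zlen_size`, so a named constant or a short `/* uint16 length */` on that line would keep the two halves consistent. Dropping the old `pms_end < pms` guard is sound only because zlen is bounded by the output size passed to the key-agreement call earlier in the block, which is outside this hunk; that reasoning deserves a sentence in the comment. The server-side hunk at -4130 in the later patch has the same comment and literal.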
@@ -4057,8 +4057,15 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
         }
 
         /* Keep a copy of the peer's public key */
+        if( p >= end )
+        {
+            psa_destroy_key( handshake->ecdh_psa_privkey );
+            handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
+            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+        }
+
         ecpoint_len = *(p++);
-        if( (size_t)( end - *p ) < ecpoint_len ) {
+        if( (size_t)( end - p ) < ecpoint_len ) {
             psa_destroy_key( handshake->ecdh_psa_privkey );
             handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
             return( MBEDTLS_ERR_SSL_DECODE_ERROR );

From ede381c808f501d6d2e99dd4d1beb9cd544d2b4c Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Tue, 5 Apr 2022 10:02:59 +0200
Subject: [PATCH 20/21] Get PSK length & check for buffer size before writting in ECHDE-PSK PSA version of ssl_parse_client_key_exchange()

Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index d9a29dcd00..7b6efb1cc7 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4115,10 +4115,6 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
         MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 );
         psm += zlen_size + zlen;
 
-        /* opaque psk<0..2^16-1>; */
-        if( psm_end - psm < 2 )
-            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
         const unsigned char *psk = NULL;
         size_t psk_len = 0;
 
@@ -4130,13 +4126,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
              */
             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 
+        /* opaque psk<0..2^16-1>; */
+        if( (size_t)( psm_end - psm ) < ( 2 + psk_len ) )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
         /* Write the PSK length as uint16 */
         MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 );
         psm += 2;
 
-        if( psm_end < psm || (size_t)( psm_end - psm ) < psk_len )
-            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-
         /* Write the PSK itself */
         memcpy( psm, psk, psk_len );
         psm += psk_len;
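Review bot: The new `if( p >= end )` branch in the hunk at -4057 repeats the destroy-key, reset-handle, return triple that the existing length check already carries, and the `destruction_status` the function declares (visible in the later hunk at -4046) is not consulted on either of these paths, so both could funnel through one cleanup label that records the psa_destroy_key result instead of discarding it. The corrected comparison `(size_t)( end - p ) < ecpoint_len` replaces `end - *p`, which subtracted the byte value at p rather than the pointer; a one-line comment such as `/* length byte consumed above; the remaining bytes must hold the whole ECPoint */` would document why the bound is checked in two steps. ssl_parse_client_key_exchange starts and ends outside the hunk.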
From 1039ba5c98b35ffc8edc9a45e4b6d13f681f3c45 Mon Sep 17 00:00:00 2001
From: Neil Armstrong
Date: Tue, 5 Apr 2022 10:03:24 +0200
Subject: [PATCH 21/21] Check if not using Opaque PSK in ECHDE-PSK PSA version of ssl_parse_client_key_exchange()

Signed-off-by: Neil Armstrong
---
 library/ssl_tls12_server.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 7b6efb1cc7..327109cd84 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -4046,6 +4046,10 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
         psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
         uint8_t ecpoint_len;
 
+        /* Opaque PSKs are currently only supported for PSK-only. */
+        if( ssl_use_opaque_psk( ssl ) == 1 )
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+
         mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 
         if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
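Review bot: The comment added in the hunk at -4046, `/* Opaque PSKs are currently only supported for PSK-only. */`, is missing its noun; `/* Opaque PSKs are currently only supported for PSK-only suites. */` says what "PSK-only" qualifies. The guard runs while parsing ClientKeyExchange, after the server has already committed to an ECDHE-PSK ciphersuite in its ServerHello, so unless ciphersuite selection already skips these suites when the configured PSK is opaque (not visible here) the outcome is a late handshake failure rather than a negotiation that avoids the unsupported combination; a comment naming where that selection guard lives, or moving the check there, would make the contract explicit. `ssl_use_opaque_psk( ssl ) == 1` also ties the call site to one specific return value; `!= 0` is the usual form unless the helper documents 1 as its only true result. ssl_parse_client_key_exchange starts and ends outside the hunk.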