From b743d95051b2eaa522f0fe6c1d4cb5513b25277f Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Wed, 4 May 2022 11:06:20 +0200 Subject: [PATCH 1/9] Do not erase input key in psa_tls12_prf_psk_to_ms_set_key() When ALG_TLS12_PSK_TO_MS() is used, first derivation is correct but the following derivations output data is incorrect. This is because input key is erased in psa_tls12_prf_psk_to_ms_set_key() since commit 03faf5d2c174eef1ebab39a8139a4042e77049b8. Fixes: 03faf5d2c174eef1ebab39a8139a4042e77049b8 ("psa_tls12_prf_psk_to_ms_set_key: clear buffers after usage") Signed-off-by: Neil Armstrong --- library/psa_crypto.c | 1 - 1 file changed, 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d58923dbdb..fa6800b4de 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5371,7 +5371,6 @@ static psa_status_t psa_tls12_prf_psk_to_ms_set_key( *cur++ = MBEDTLS_BYTE_1( data_length ); *cur++ = MBEDTLS_BYTE_0( data_length ); memcpy( cur, data, data_length ); - mbedtls_platform_zeroize( (void*) data, data_length ); cur += data_length; status = psa_tls12_prf_set_key( prf, pms, cur - pms ); From 4c3b4e079cc9d195fd89fa6f9ab7af23609402f6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 09:24:26 +0200 Subject: [PATCH 2/9] Initialize & free PSA in test_multiple_psks() Signed-off-by: Neil Armstrong --- tests/suites/test_suite_ssl.function | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index e42f8ba487..35f1638cb5 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -5310,6 +5310,7 @@ void test_multiple_psks() mbedtls_ssl_config conf; + USE_PSA_INIT( ); mbedtls_ssl_config_init( &conf ); TEST_ASSERT( mbedtls_ssl_conf_psk( &conf, @@ -5323,6 +5324,8 @@ void test_multiple_psks() exit: mbedtls_ssl_config_free( &conf ); + + USE_PSA_DONE( ); } /* END_CASE */ 
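Review bot: Dropping the zeroize is the right fix, but the reason belongs next to the copy so it does not come back: the `(void*)` cast suggests `data` is the caller's `const` key material, and the removed line wiped the caller's buffer through that cast, which is why every derivation after the first saw a zeroed key. A comment above the `memcpy` such as `/* data is the caller's key; only our local pms copy is ours to wipe */` would record that. Please confirm that the zeroization of the local `pms` buffer introduced by the same earlier commit is still performed after `psa_tls12_prf_set_key` (the remainder of psa_tls12_prf_psk_to_ms_set_key is outside the hunk), so the PSK copy does not stay on the stack. A regression test running two derivations from the same key would pin the fix; the series only adds PSA init/done to an SSL test.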
From 501c93220d80c3b759dc2315f524e91bfe2c0931 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 09:35:09 +0200 Subject: [PATCH 3/9] Import PSK as opaque PSA key for mbedtls_ssl_conf_psk() & mbedtls_ssl_set_hs_psk() Signed-off-by: Neil Armstrong --- include/mbedtls/ssl.h | 1 + library/ssl_misc.h | 1 + library/ssl_tls.c | 87 ++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 88 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6dac3d1f1d..27883ba9f6 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1427,6 +1427,7 @@ struct mbedtls_ssl_config * If either no PSK or a raw PSK have been * configured, this has value \c 0. */ + uint8_t MBEDTLS_PRIVATE(psk_opaque_is_internal); #endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should diff --git a/library/ssl_misc.h b/library/ssl_misc.h index e8acc238d3..6a2a18fa9e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -652,6 +652,7 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ + uint8_t psk_opaque_is_internal; #endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 250bae90f2..85cfa488af 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
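Review bot: The new `psk_opaque_is_internal` members in mbedtls_ssl_config (include/mbedtls/ssl.h) and mbedtls_ssl_handshake_params (library/ssl_misc.h) are the only fields in their blocks without a `/*!< */` description, and what they encode, who owns the key id, is exactly what a reader needs. Suggested text for the config field: `/*!< Non-zero if \c psk_opaque was created by the library from a raw PSK and must be destroyed by it; zero if the key is owned by the application. */`, with the same wording on the handshake field. It would also help to say the flag is only meaningful while \c psk_opaque is not the null key id.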
@@ -1541,8 +1541,13 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) { - /* The maintenance of the PSK key slot is the + /* The maintenance of the external PSK key slot is the * user's responsibility. */ + if( conf->psk_opaque_is_internal ) + { + psa_destroy_key( conf->psk_opaque ); + conf->psk_opaque_is_internal = 0; + } conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } /* This and the following branch should never @@ -1600,6 +1605,11 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, const unsigned char *psk_identity, size_t psk_identity_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_attributes_t key_attributes = psa_key_attributes_init(); + psa_status_t status; + mbedtls_svc_key_id_t key; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* We currently only support one PSK, raw or opaque. */ if( ssl_conf_psk_is_configured( conf ) ) @@ -1613,6 +1623,23 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, + PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256) ); + psa_set_key_enrollment_algorithm( &key_attributes, + PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384) ); + psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); + + status = psa_import_key( &key_attributes, psk, psk_len, &key ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + /* Allow calling psa_destroy_key() on config psk remove/free */ + conf->psk_opaque_is_internal = 1; + ret = mbedtls_ssl_conf_psk_opaque( conf, key, + psk_identity, psk_identity_len ); +#else if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); conf->psk_len = psk_len; 
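Review bot: In mbedtls_ssl_conf_psk, `conf->psk_opaque_is_internal = 1` is set before `mbedtls_ssl_conf_psk_opaque()` has taken ownership of `key`; if that call fails before storing the id in `conf->psk_opaque` (its body is outside the hunk, so whether it can is inferred from its input checks), the freshly imported PSA key is never destroyed and the flag stays set for a key the config does not hold. The same ordering appears in mbedtls_ssl_set_hs_psk in a later hunk. Because ssl_conf_remove_psk clears the flag whenever it does destroy the key, the flag still being set after a failure identifies the leaked case, so the cleanup below cannot destroy a key twice.
```c
    ret = mbedtls_ssl_conf_psk_opaque( conf, key,
                                       psk_identity, psk_identity_len );
    /* Ownership moved only if conf_psk_opaque stored the id; otherwise the
     * key imported above would leak and the flag would be stale. */
    if( ret != 0 && conf->psk_opaque_is_internal )
    {
        psa_destroy_key( key );
        conf->psk_opaque_is_internal = 0;
    }
```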
@@ -1622,6 +1649,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len ); if( ret != 0 ) ssl_conf_remove_psk( conf ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ return( ret ); } @@ -1631,6 +1659,13 @@ static void ssl_remove_psk( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) { + /* The maintenance of the external PSK key slot is the + * user's responsibility. */ + if( ssl->handshake->psk_opaque_is_internal ) + { + psa_destroy_key( ssl->handshake->psk_opaque ); + ssl->handshake->psk_opaque_is_internal = 0; + } ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } else @@ -1647,6 +1682,13 @@ static void ssl_remove_psk( mbedtls_ssl_context *ssl ) int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, const unsigned char *psk, size_t psk_len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_key_attributes_t key_attributes = psa_key_attributes_init(); + psa_status_t status; + psa_algorithm_t alg; + mbedtls_svc_key_id_t key; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( psk == NULL || ssl->handshake == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 
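Review bot: The destroy-if-internal sequence added to ssl_remove_psk here is the second of four identical copies (ssl_conf_remove_psk in the previous hunk, mbedtls_ssl_handshake_free and mbedtls_ssl_config_free in the following ones), differing only in the comment, and the mbedtls_ssl_config_free copy has none. A small static helper, e.g. `static void ssl_psk_opaque_release( mbedtls_svc_key_id_t *key, uint8_t *is_internal )`, would keep the ownership rule in one place, and mbedtls_ssl_handshake_free could simply call ssl_remove_psk since it already frees the raw PSK the same way. The comment `The maintenance of the external PSK key slot is the user's responsibility` now sits directly above the branch that destroys a key; `Keys imported by the library are destroyed here; externally supplied keys remain the user's responsibility` says what the code does.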
@@ -1655,6 +1697,24 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, ssl_remove_psk( ssl ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) + alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); + else + alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); + + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, alg ); + psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); + + status = psa_import_key( &key_attributes, psk, psk_len, &key ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + /* Allow calling psa_destroy_key() on psk remove */ + ssl->handshake->psk_opaque_is_internal = 1; + return mbedtls_ssl_set_hs_psk_opaque( ssl, key ); +#else if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); @@ -1662,6 +1722,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len ); return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -3231,6 +3292,19 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #endif #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) + { + /* The maintenance of the external PSK key slot is the + * user's responsibility. */ + if( ssl->handshake->psk_opaque_is_internal ) + { + psa_destroy_key( ssl->handshake->psk_opaque ); + ssl->handshake->psk_opaque_is_internal = 0; + } + ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( handshake->psk != NULL ) { mbedtls_platform_zeroize( handshake->psk, handshake->psk_len ); 
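Review bot: In mbedtls_ssl_set_hs_psk, `ssl->handshake->ciphersuite_info->mac` is read to choose the PRF hash, but only `ssl->handshake` was checked for NULL above; the function is meant for the PSK callback, where the suite is already chosen, but nothing here enforces that, so an earlier caller would dereference a NULL `ciphersuite_info`. A guard `if( ssl->handshake->ciphersuite_info == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` before the `alg` selection is cheap. Unlike mbedtls_ssl_conf_psk this import sets no enrollment algorithm, which is consistent with the suite being known but deserves a one-line comment. In the mbedtls_ssl_handshake_free hunk the new block writes `ssl->handshake->psk_opaque` while the surrounding code uses the local `handshake` alias, and `== MBEDTLS_MD_SHA384)` lacks the space before `)` used throughout the file.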
@@ -4424,6 +4498,17 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) #endif #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) + { + if( conf->psk_opaque_is_internal ) + { + psa_destroy_key( conf->psk_opaque ); + conf->psk_opaque_is_internal = 0; + } + conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( conf->psk != NULL ) { mbedtls_platform_zeroize( conf->psk, conf->psk_len ); From 61f237afb7b34f643a3d5ee1bcf4d6487c965eb3 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 09:57:57 +0200 Subject: [PATCH 4/9] Remove PSA-only code dealing with non-opaque PSA key Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 59 ++--------------------------- library/ssl_tls12_server.c | 76 ++++---------------------------------- 2 files changed, 11 insertions(+), 124 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index d286764c59..e2c347ea12 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -72,27 +72,6 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) return( 0 ); } - -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ) || \ - defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ) -static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf ) -{ - if( conf->psk_identity == NULL || - conf->psk_identity_len == 0 ) - { - return( 0 ); - } - - if( conf->psk != NULL && conf->psk_len != 0 ) - return( 1 ); - - return( 0 ); -} -#endif /* MBEDTLS_USE_PSA_CRYPTO && - ( MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || - MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ) */ - #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_RENEGOTIATION) 
@@ -3070,38 +3049,8 @@ ecdh_calc_secret: /* In case of opaque psk skip writting psk to pms. * Opaque key will be handled later. */ - if( ssl_conf_has_static_raw_psk( ssl->conf ) == 1 ) - { - const unsigned char *psk = NULL; - size_t psk_len = 0; - - if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) - == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) - /* - * This should never happen because the existence of a PSK is always - * checked before calling this function - */ - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - - /* opaque psk<0..2^16-1>; */ - if( (size_t)( pms_end - pms ) < ( 2 + psk_len ) ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - - /* Write the PSK length as uint16 */ - MBEDTLS_PUT_UINT16_BE( psk_len, pms, 0 ); - pms += 2; - - /* Write the PSK itself */ - memcpy( pms, psk, psk_len ); - pms += psk_len; - - ssl->handshake->pmslen = pms - ssl->handshake->premaster; - } - else - { - MBEDTLS_SSL_DEBUG_MSG( 1, + MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque ECDHE-PSK" ) ); - } } else #endif /* MBEDTLS_USE_PSA_CRYPTO && @@ -3215,15 +3164,13 @@ ecdh_calc_secret: #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK && - ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); } else - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK && - ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) + if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque RSA-PSK" ) ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index a60b5adbdc..7f725a1611 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
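Review bot: Both rewritten conditions drop the space before the closing parenthesis, `MBEDTLS_KEY_EXCHANGE_PSK)` and `MBEDTLS_KEY_EXCHANGE_RSA_PSK)`, where the rest of the file writes `( ... )`. More importantly, the hunk makes the MBEDTLS_USE_PSA_CRYPTO path assume an opaque key is always present, which holds only because the earlier commit in this series imports raw PSKs into PSA; the commit message does not say so, and a line such as `Depends on raw PSKs being imported into PSA by mbedtls_ssl_conf_psk()/mbedtls_ssl_set_hs_psk()` would stop the two commits being backported separately. The `else` chain now reads as unconditional skips for PSK and RSA-PSK; a short comment above the first one explaining that the derivation runs on the opaque key later would replace the rationale the removed branch carried.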
@@ -170,33 +170,6 @@ static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf ) return( 0 ); } - -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - ( defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ) || \ - defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ) -static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) -{ - if( ssl->conf->f_psk != NULL ) - { - /* If we've used a callback to select the PSK, - * the static configuration is irrelevant. */ - - if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) - return( 1 ); - - return( 0 ); - } - - if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) ) - return( 1 ); - - return( 0 ); -} -#endif /* MBEDTLS_USE_PSA_CRYPTO && - ( MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || - MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || - MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl, @@ -4010,18 +3983,17 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_USE_PSA_CRYPTO) - /* For opaque PSKs, we perform the PSK-to-MS derivation atomatically + /* For opaque PSKs, we perform the PSK-to-MS derivation automatically * and skip the intermediate PMS. */ - if( ssl_use_opaque_psk( ssl ) == 1 ) - MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); - else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); +#else if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, ciphersuite_info->key_exchange ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 
@@ -4056,16 +4028,15 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_USE_PSA_CRYPTO) /* For opaque PSKs, we perform the PSK-to-MS derivation automatically * and skip the intermediate PMS. */ - if( ssl_use_opaque_psk( ssl ) == 1 ) - MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque RSA-PSK" ) ); - else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque RSA-PSK" ) ); +#else if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, ciphersuite_info->key_exchange ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 
@@ -4175,40 +4146,9 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); psm += zlen_size + zlen; - const unsigned char *psk = NULL; - size_t psk_len = 0; - /* In case of opaque psk skip writting psk to pms. * Opaque key will be handled later. */ - if( ssl_use_opaque_psk( ssl ) == 0 ) - { - if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len ) - == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) - /* - * This should never happen because the existence of a PSK is always - * checked before calling this function - */ - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - - /* opaque psk<0..2^16-1>; */ - if( (size_t)( psm_end - psm ) < ( 2 + psk_len ) ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - - /* Write the PSK length as uint16 */ - MBEDTLS_PUT_UINT16_BE( psk_len, psm, 0 ); - psm += 2; - - /* Write the PSK itself */ - memcpy( psm, psk, psk_len ); - psm += psk_len; - - ssl->handshake->pmslen = psm - ssl->handshake->premaster; - } - else - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "skip PMS generation for opaque ECDHE-PSK" ) ); - } + MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque ECDHE-PSK" ) ); #else /* MBEDTLS_USE_PSA_CRYPTO */ if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) { From e952a30d47c2e88315682ccc9a07d0e1c025d9ef Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 10:22:14 +0200 Subject: [PATCH 5/9] Remove RAW PSK when MBEDTLS_USE_PSA_CRYPTO is selected Signed-off-by: Neil Armstrong --- include/mbedtls/ssl.h | 4 ++-- library/ssl_misc.h | 10 +++++++- library/ssl_tls.c | 49 +++++++++----------------------------- library/ssl_tls12_client.c | 6 ++--- library/ssl_tls12_server.c | 5 ++-- 5 files changed, 28 insertions(+), 46 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 27883ba9f6..2ff2a0e615 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -1428,8 +1428,7 @@ struct mbedtls_ssl_config * configured, this has value \c 0. */ uint8_t MBEDTLS_PRIVATE(psk_opaque_is_internal); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - +#else unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should * only be set via mbedtls_ssl_conf_psk(). * If either no PSK or an opaque PSK @@ -1439,6 +1438,7 @@ struct mbedtls_ssl_config * mbedtls_ssl_conf_psk(). * Its value is non-zero if and only if * \c psk is not \c NULL. */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation. * This field should only be set via diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 6a2a18fa9e..a1bd919f6b 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -653,9 +653,10 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ uint8_t psk_opaque_is_internal; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#else unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) @@ -1321,6 +1322,12 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ); static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, const unsigned char **psk, size_t *psk_len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + (void) ssl; + *psk = NULL; + *psk_len = 0; + return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); +#else if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 ) { *psk = ssl->handshake->psk; @@ -1341,6 +1348,7 @@ static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, } return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 85cfa488af..ba8be94b43 100644 
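Review bot: The descriptions on both sides of the new `#else` are now stale: the `psk_opaque` comment just above the hunk still says `If either no PSK or a raw PSK have been configured, this has value 0`, and the `psk` comment still says it is NULL when `an opaque PSK` is configured, yet after this hunk the two can no longer coexist in one build. Rewording the opaque one to `Holds the PSA key id when a PSK is configured, whether supplied opaque or imported by mbedtls_ssl_conf_psk(); the null key id otherwise` and dropping the opaque clause from the `psk` one keeps the header accurate. The public documentation of mbedtls_ssl_conf_psk() and mbedtls_ssl_set_hs_psk() should also state that under MBEDTLS_USE_PSA_CRYPTO the raw key is imported as a PSA key (volatile by default), so psa_crypto_init() must precede the call, and that the library never reads the raw bytes back in that build, as the `mbedtls_ssl_get_psk` change in this commit now returns MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED unconditionally.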
--- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1527,10 +1527,10 @@ static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - +#else if( conf->psk != NULL ) return( 1 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); } @@ -1550,12 +1550,7 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf ) } conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } - /* This and the following branch should never - * be taken simultaenously as we maintain the - * invariant that raw and opaque PSKs are never - * configured simultaneously. As a safeguard, - * though, `else` is omitted here. */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#else if( conf->psk != NULL ) { mbedtls_platform_zeroize( conf->psk, conf->psk_len ); @@ -1564,6 +1559,7 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf ) conf->psk = NULL; conf->psk_len = 0; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Remove reference to PSK identity, if any. */ if( conf->psk_identity != NULL ) @@ -1668,8 +1664,7 @@ static void ssl_remove_psk( mbedtls_ssl_context *ssl ) } ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } - else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#else if( ssl->handshake->psk != NULL ) { mbedtls_platform_zeroize( ssl->handshake->psk, @@ -1677,6 +1672,7 @@ static void ssl_remove_psk( mbedtls_ssl_context *ssl ) mbedtls_free( ssl->handshake->psk ); ssl->handshake->psk_len = 0; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, 
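Review bot: The raw-PSK branch of ssl_remove_psk that this hunk re-wraps in `#else` frees `ssl->handshake->psk` and resets `psk_len` but leaves the pointer set, unlike its config-side sibling ssl_conf_remove_psk, which sets `conf->psk = NULL`. Its only visible caller, mbedtls_ssl_set_hs_psk, overwrites the pointer with the `mbedtls_calloc` result straight away (also on allocation failure), so nothing dereferences the stale value today, but any new caller would hand mbedtls_ssl_handshake_free a freed pointer that still passes its `!= NULL` test. Adding `ssl->handshake->psk = NULL;` after the `mbedtls_free` makes the two removal helpers match; this is pre-existing rather than introduced here.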
@@ -3304,12 +3300,13 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) } ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#else if( handshake->psk != NULL ) { mbedtls_platform_zeroize( handshake->psk, handshake->psk_len ); mbedtls_free( handshake->psk ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ @@ -4508,7 +4505,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) } conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#else if( conf->psk != NULL ) { mbedtls_platform_zeroize( conf->psk, conf->psk_len ); @@ -4516,6 +4513,7 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) conf->psk = NULL; conf->psk_len = 0; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( conf->psk_identity != NULL ) { @@ -5185,30 +5183,6 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, return( 0 ); } - - -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED ) -static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) -{ - if( ssl->conf->f_psk != NULL ) - { - /* If we've used a callback to select the PSK, - * the static configuration is irrelevant. */ - if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) - return( 1 ); - - return( 0 ); - } - - if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) ) - return( 1 ); - - return( 0 ); -} -#endif /* MBEDTLS_USE_PSA_CRYPTO && - MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ - /* * Compute master secret if needed * 
@@ -5281,8 +5255,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 && - ssl_use_opaque_psk( ssl ) == 1 ) + if( mbedtls_ssl_ciphersuite_uses_psk( handshake->ciphersuite_info ) == 1 ) { /* Perform PSK-to-MS expansion in a single step. */ psa_status_t status; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index e2c347ea12..0d2bd0e96f 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -62,12 +62,12 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) return( 0 ); } - if( conf->psk != NULL && conf->psk_len != 0 ) - return( 1 ); - #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); +#else + if( conf->psk != NULL && conf->psk_len != 0 ) + return( 1 ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 7f725a1611..f7cceedb9f 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -160,12 +160,13 @@ static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf ) if( conf->psk_identity_len == 0 || conf->psk_identity == NULL ) return( 0 ); - if( conf->psk != NULL && conf->psk_len != 0 ) - return( 1 ); #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); +#else + if( conf->psk != NULL && conf->psk_len != 0 ) + return( 1 ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); From cd05f0b9e5e656af26e2d54477ef2b4f766f5174 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 10:28:37 +0200 Subject: [PATCH 6/9] Drop skip PMS generation for opaque XXX-PSK now Opaque PSA key is always present when MBEDTLS_USE_PSA_CRYPTO selected 
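Review bot: With `ssl_use_opaque_psk( ssl ) == 1` removed, the PSA branch of ssl_compute_master runs the single-step PSK-to-MS expansion for every PSK ciphersuite, so whichever key id the rest of the branch (outside the hunk) selects must be non-null in both the static-config and the callback case. If a PSK callback returns success without calling mbedtls_ssl_set_hs_psk_opaque() or mbedtls_ssl_set_hs_psk(), the derivation will presumably fail inside PSA with a generic error; a check such as `if( mbedtls_svc_key_id_is_null( psk ) ) return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );` before the derivation would give the same diagnosis the non-PSA path gives. If the removed call was the only use of the `ssl` parameter in some configurations, the build will now warn about an unused parameter; worth checking across the PSK-related configs.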
Signed-off-by: Neil Armstrong --- library/ssl_tls12_client.c | 31 ++++------- library/ssl_tls12_server.c | 19 ++----- tests/ssl-opt.sh | 102 ------------------------------------- 3 files changed, 13 insertions(+), 139 deletions(-) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 0d2bd0e96f..e15444218d 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -3046,11 +3046,6 @@ ecdh_calc_secret: /* Write the ECDH computation length before the ECDH computation */ MBEDTLS_PUT_UINT16_BE( zlen, pms, 0 ); pms += zlen_size + zlen; - - /* In case of opaque psk skip writting psk to pms. - * Opaque key will be handled later. */ - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "skip PMS generation for opaque ECDHE-PSK" ) ); } else #endif /* MBEDTLS_USE_PSA_CRYPTO && @@ -3164,26 +3159,18 @@ ecdh_calc_secret: #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "skip PMS generation for opaque PSK" ) ); - } - else - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "skip PMS generation for opaque RSA-PSK" ) ); - } - else + if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK && + ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK ) #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ - if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, - "mbedtls_ssl_psk_derive_premaster", ret ); - return( ret ); + if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, + ciphersuite_info->key_exchange ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_psk_derive_premaster", ret ); + return( ret ); + } } } else diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index f7cceedb9f..0c8f0f5ee1 100644 --- a/library/ssl_tls12_server.c 
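Review bot: Along with the debug messages, this hunk deletes the only explanation of why the client skips the premaster for PSK and RSA-PSK under MBEDTLS_USE_PSA_CRYPTO, so the new `!= MBEDTLS_KEY_EXCHANGE_PSK && != MBEDTLS_KEY_EXCHANGE_RSA_PSK` condition reads as an arbitrary exclusion. A comment above it such as `/* With PSA the PSK-to-MS derivation runs directly on the opaque key in ssl_compute_master, so no PMS is built for PSK and RSA-PSK. */` keeps the rationale; the same applies to the two `#if !defined(MBEDTLS_USE_PSA_CRYPTO)` sites in ssl_tls12_server.c in the next hunk. Note too that when the guarded `if` is compiled out, the `{ ... }` that follows becomes a bare compound statement indented like an `if` body, which is legal but easy to misread.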
+++ b/library/ssl_tls12_server.c @@ -3983,18 +3983,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - /* For opaque PSKs, we perform the PSK-to-MS derivation automatically - * and skip the intermediate PMS. */ - MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) ); -#else +#if !defined(MBEDTLS_USE_PSA_CRYPTO) if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, ciphersuite_info->key_exchange ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ @@ -4026,18 +4022,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) return( ret ); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - /* For opaque PSKs, we perform the PSK-to-MS derivation automatically - * and skip the intermediate PMS. */ - MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque RSA-PSK" ) ); -#else +#if !defined(MBEDTLS_USE_PSA_CRYPTO) if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, ciphersuite_info->key_exchange ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ @@ -4147,9 +4139,6 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_PUT_UINT16_BE( zlen, psm, 0 ); psm += zlen_size + zlen; - /* In case of opaque psk skip writting psk to pms. - * Opaque key will be handled later. */ - MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque ECDHE-PSK" ) ); #else /* MBEDTLS_USE_PSA_CRYPTO */ if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index dcee5df609..64d1aac64b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -6399,8 +6399,6 @@ run_test "PSK callback: opaque psk on client, no callback" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque PSK"\ - -S "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6414,8 +6412,6 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque PSK"\ - -S "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6429,8 +6425,6 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque PSK"\ - -S "skip PMS generation for opaque PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6444,8 +6438,6 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque PSK"\ - -S "skip PMS generation for opaque PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ 
@@ -6459,8 +6451,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque RSA-PSK"\ - -S "skip PMS generation for opaque RSA-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6474,8 +6464,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque RSA-PSK"\ - -S "skip PMS generation for opaque RSA-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6489,8 +6477,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque RSA-PSK"\ - -S "skip PMS generation for opaque RSA-PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6504,8 +6490,6 @@ run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque RSA-PSK"\ - -S "skip PMS generation for opaque RSA-PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ 
@@ -6519,8 +6503,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque ECDHE-PSK"\ - -S "skip PMS generation for opaque ECDHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6534,8 +6516,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque ECDHE-PSK"\ - -S "skip PMS generation for opaque ECDHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6549,8 +6529,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque ECDHE-PSK"\ - -S "skip PMS generation for opaque ECDHE-PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6564,8 +6542,6 @@ run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque ECDHE-PSK"\ - -S "skip PMS generation for opaque ECDHE-PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ 
@@ -6579,8 +6555,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque DHE-PSK"\ - -S "skip PMS generation for opaque DHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6594,8 +6568,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \ "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque DHE-PSK"\ - -S "skip PMS generation for opaque DHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6609,8 +6581,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \ "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque DHE-PSK"\ - -S "skip PMS generation for opaque DHE-PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6624,8 +6594,6 @@ run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123 psk_opaque=1" \ 0 \ - -c "skip PMS generation for opaque DHE-PSK"\ - -S "skip PMS generation for opaque DHE-PSK"\ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ 
@@ -6639,8 +6607,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6654,8 +6620,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6672,8 +6636,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -6688,8 +6650,6 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -6701,8 +6661,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6716,8 +6674,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6734,8 +6690,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -6750,8 +6704,6 @@ run_test "PSK callback: raw rsa-psk on client, static opaque on server, no ca 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -6763,8 +6715,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6778,8 +6728,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6796,8 +6744,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -6812,8 +6758,6 @@ run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -6825,8 +6769,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6840,8 +6782,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=foo psk=abc123" \ 0 \ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6858,8 +6798,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -6874,8 +6812,6 @@ run_test "PSK callback: raw dhe-psk on client, static opaque on server, no ca 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -6887,8 +6823,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6902,8 +6836,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6920,8 +6852,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -6936,8 +6866,6 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -6949,8 +6877,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6964,8 +6890,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -6982,8 +6906,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -6998,8 +6920,6 @@ run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, o 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque RSA-PSK"\ - -s "skip PMS generation for opaque RSA-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -7011,8 +6931,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7026,8 +6944,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7044,8 +6960,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -7060,8 +6974,6 @@ run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on serve 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque ECDHE-PSK"\ - -s "skip PMS generation for opaque ECDHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -7073,8 +6985,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7088,8 +6998,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7106,8 +7014,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" @@ -7122,8 +7028,6 @@ run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, o 0 \ -c "session hash for extended master secret"\ -s "session hash for extended master secret"\ - -C "skip PMS generation for opaque DHE-PSK"\ - -s "skip PMS generation for opaque DHE-PSK"\ -S "SSL - The handshake negotiation failed" \ -S "SSL - Unknown identity received" \ -S "SSL - Verification of the message MAC failed" 
@@ -7135,8 +7039,6 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7150,8 +7052,6 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque PSK"\ - -s "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7165,7 +7065,6 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ @@ -7179,7 +7078,6 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ psk_identity=def psk=beef" \ 0 \ - -C "skip PMS generation for opaque PSK"\ -C "session hash for extended master secret"\ -S "session hash for extended master secret"\ -S "SSL - The handshake negotiation failed" \ From 044a32c4c6ae20ec62e552e266605e9faca20f80 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 10:35:56 +0200 Subject: [PATCH 7/9] Remove mbedtls_ssl_get_psk() and it's usage when MBEDTLS_USE_PSA_CRYPTO is selected 
Signed-off-by: Neil Armstrong --- library/ssl_misc.h | 48 +++++++++++++++++++--------------------------- library/ssl_tls.c | 23 ++++++++++------------ 2 files changed, 30 insertions(+), 41 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a1bd919f6b..b9f456fc74 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1313,6 +1313,26 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ); #endif +#if defined(MBEDTLS_USE_PSA_CRYPTO) +/** + * Get the first defined opaque PSK by order of precedence: + * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK + * callback + * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() + * Return an opaque PSK + */ +static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( + const mbedtls_ssl_context *ssl ) +{ + if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) + return( ssl->handshake->psk_opaque ); + + if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) ) + return( ssl->conf->psk_opaque ); + + return( MBEDTLS_SVC_KEY_ID_INIT ); +} +#else /** * Get the first defined PSK by order of precedence: * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback @@ -1322,12 +1342,6 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ); static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, const unsigned char **psk, size_t *psk_len ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - (void) ssl; - *psk = NULL; - *psk_len = 0; - return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); -#else if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 ) { *psk = ssl->handshake->psk; 
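Review bot: After the first hunk `mbedtls_ssl_get_psk()` exists only in the `#else` branch of `MBEDTLS_USE_PSA_CRYPTO`, so any caller left in a file this commit does not touch (the diffstat lists only ssl_misc.h and ssl_tls.c) would no longer compile in a PSA build; worth confirming against the PSA configurations in CI. The doc comment on `mbedtls_ssl_get_opaque_psk()` was moved verbatim and still ends with the bare "Return an opaque PSK", although the body visibly falls back to `MBEDTLS_SVC_KEY_ID_INIT`; suggest appending ` * Returns MBEDTLS_SVC_KEY_ID_INIT when neither handshake nor config sets an opaque PSK.` so callers know to test the result with `mbedtls_svc_key_id_is_null()`.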
@@ -1348,29 +1362,7 @@ static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, } return( 0 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -/** - * Get the first defined opaque PSK by order of precedence: - * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK - * callback - * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() - * Return an opaque PSK - */ -static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( - const mbedtls_ssl_context *ssl ) -{ - if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) - return( ssl->handshake->psk_opaque ); - - if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) ) - return( ssl->conf->psk_opaque ); - - return( MBEDTLS_SVC_KEY_ID_INIT ); -} - #endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ba8be94b43..dd8ebeb340 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5533,17 +5533,19 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) { +#if !defined(MBEDTLS_USE_PSA_CRYPTO) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) unsigned char *p = ssl->handshake->premaster; unsigned char *end = p + sizeof( ssl->handshake->premaster ); +#else + (void)ssl; + (void)key_ex; +#endif /* !MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ +#if !defined(MBEDTLS_USE_PSA_CRYPTO) const unsigned char *psk = NULL; size_t psk_len = 0; int psk_ret = mbedtls_ssl_get_psk( ssl, &psk, &psk_len ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) - (void) key_ex; -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ - if( psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) { /* 
@@ -5600,6 +5602,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) { @@ -5618,14 +5621,6 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch p += 2 + len; MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); - - /* For opaque PSK fill premaster with the the shared secret without PSK. */ - if( psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "skip PMS generation for opaque DHE-PSK" ) ); - return( 0 ); - } } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ @@ -5657,6 +5652,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } +#if !defined(MBEDTLS_USE_PSA_CRYPTO) /* opaque psk<0..2^16-1>; */ if( end - p < 2 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -5671,6 +5667,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch p += psk_len; ssl->handshake->pmslen = p - ssl->handshake->premaster; +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); } From 80f6f32495ebc18ecc31e358918431f872420c90 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 3 May 2022 17:56:38 +0200 Subject: [PATCH 8/9] Make mbedtls_ssl_psk_derive_premaster() only for when MBEDTLS_USE_PSA_CRYPTO is not selected Signed-off-by: Neil Armstrong --- library/ssl_misc.h | 2 ++ library/ssl_tls.c | 20 +++++--------------- library/ssl_tls12_client.c | 37 +++++++++++++++++++++++++------------ library/ssl_tls12_server.c | 19 +++++++++++++++++++ 4 files changed, 51 insertions(+), 27 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index b9f456fc74..b0424bff0f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -1307,8 +1307,10 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl, size_t msg_len ); #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ); +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2) int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ); #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index dd8ebeb340..f2a3e1a3f5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5530,18 +5530,12 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_SHA384_C */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) || \ - defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) unsigned char *p = ssl->handshake->premaster; unsigned char *end = p + sizeof( ssl->handshake->premaster ); -#else - (void)ssl; - (void)key_ex; -#endif /* !MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ -#if !defined(MBEDTLS_USE_PSA_CRYPTO) const unsigned char *psk = NULL; size_t psk_len = 0; int psk_ret = mbedtls_ssl_get_psk( ssl, &psk, &psk_len ); @@ -5602,7 +5596,6 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) { 
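Review bot: The prototype of `mbedtls_ssl_psk_derive_premaster()` in ssl_misc.h is now compiled out under `MBEDTLS_USE_PSA_CRYPTO`, but nothing at the declaration tells the reader where the PSA build does the equivalent work, which makes the guard look like a dropped feature rather than a relocation. A short comment above the new `#if` would save the search, e.g. `/* Without MBEDTLS_USE_PSA_CRYPTO the premaster is assembled here; with it the key exchange code writes the DH secret into handshake->premaster (ssl_tls12_client.c / ssl_tls12_server.c) and the PSK goes to the PSA derivation directly. */`. The matching definition guard in the ssl_tls.c hunk (`!MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED`) agrees with the declaration, so this is documentation only.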
@@ -5624,8 +5617,7 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ -#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -5646,13 +5638,12 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch MBEDTLS_DEBUG_ECDH_Z ); } else -#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if !defined(MBEDTLS_USE_PSA_CRYPTO) /* opaque psk<0..2^16-1>; */ if( end - p < 2 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -5667,11 +5658,10 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch p += psk_len; ssl->handshake->pmslen = p - ssl->handshake->premaster; -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) static int ssl_write_hello_request( mbedtls_ssl_context *ssl ); diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index e15444218d..a22d97f7bd 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
@@ -3126,6 +3126,25 @@ ecdh_calc_secret: MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); return( ret ); } + +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *pms = ssl->handshake->premaster; + unsigned char *pms_end = pms + sizeof( ssl->handshake->premaster ); + size_t pms_len; + + /* Write length only when we know the actual value */ + if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, + pms + 2, pms_end - ( pms + 2 ), &pms_len, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); + return( ret ); + } + MBEDTLS_PUT_UINT16_BE( pms_len, pms, 0 ); + pms += 2 + pms_len; + + MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); +#endif } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ @@ -3157,21 +3176,15 @@ ecdh_calc_secret: return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - if( ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_PSK && - ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_RSA_PSK ) -#endif /* MBEDTLS_USE_PSA_CRYPTO && - MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ +#if !defined(MBEDTLS_USE_PSA_CRYPTO) + if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, + ciphersuite_info->key_exchange ) ) != 0 ) { - if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); - return( ret ); - } + return( ret ); } +#endif /* !MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 0c8f0f5ee1..29cbe750d1 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
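Review bot: In the new `#if defined(MBEDTLS_USE_PSA_CRYPTO)` block the final `pms += 2 + pms_len;` advances a local that is never read again, a leftover of the sequential layout this was lifted from in `mbedtls_ssl_psk_derive_premaster()`; either drop the line or, if the PSA master-secret derivation reads `ssl->handshake->pmslen` (not visible here), replace it with `ssl->handshake->pmslen = 2 + pms_len;` so the length of the DH secret in `premaster` is recorded somewhere other than its own 2-byte prefix. The identical block appears again in the ssl_tls12_server.c hunk of this commit (`ssl_parse_client_key_exchange`), so one static helper in ssl_tls.c taking `ssl` and writing the length-prefixed secret would keep the client and server in step and give the fix a single home. The enclosing client function starts and ends outside the hunk.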
@@ -4053,12 +4053,31 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *pms = ssl->handshake->premaster; + unsigned char *pms_end = pms + sizeof( ssl->handshake->premaster ); + size_t pms_len; + + /* Write length only when we know the actual value */ + if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, + pms + 2, pms_end - ( pms + 2 ), &pms_len, + ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); + return( ret ); + } + MBEDTLS_PUT_UINT16_BE( pms_len, pms, 0 ); + pms += 2 + pms_len; + + MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); +#else if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, ciphersuite_info->key_exchange ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ From 8ecd66884f5ab06fc6e6f84f291c14689e517a7c Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 5 May 2022 11:40:35 +0200 Subject: [PATCH 9/9] Keep raw PSK when set via mbedtls_ssl_conf_psk() and feed as input_bytes Signed-off-by: Neil Armstrong --- include/mbedtls/ssl.h | 4 +--- library/ssl_tls.c | 49 +++++++------------------------------- library/ssl_tls12_client.c | 4 ++-- library/ssl_tls12_server.c | 4 ++-- 4 files changed, 13 insertions(+), 48 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2ff2a0e615..c8c1219651 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -1427,8 +1427,7 @@ struct mbedtls_ssl_config * If either no PSK or a raw PSK have been * configured, this has value \c 0. */ - uint8_t MBEDTLS_PRIVATE(psk_opaque_is_internal); -#else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should * only be set via mbedtls_ssl_conf_psk(). * If either no PSK or an opaque PSK @@ -1438,7 +1437,6 @@ struct mbedtls_ssl_config * mbedtls_ssl_conf_psk(). * Its value is non-zero if and only if * \c psk is not \c NULL. */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation. * This field should only be set via diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f2a3e1a3f5..99b7d04d91 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1527,10 +1527,9 @@ static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); -#else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( conf->psk != NULL ) return( 1 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); } @@ -1541,16 +1540,11 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) { - /* The maintenance of the external PSK key slot is the + /* The maintenance of the PSK key slot is the * user's responsibility. */ - if( conf->psk_opaque_is_internal ) - { - psa_destroy_key( conf->psk_opaque ); - conf->psk_opaque_is_internal = 0; - } conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } -#else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( conf->psk != NULL ) { mbedtls_platform_zeroize( conf->psk, conf->psk_len ); @@ -1559,7 +1553,6 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf ) conf->psk = NULL; conf->psk_len = 0; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Remove reference to PSK identity, if any. */ if( conf->psk_identity != NULL ) 
@@ -1601,11 +1594,6 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, const unsigned char *psk_identity, size_t psk_identity_len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_attributes_t key_attributes = psa_key_attributes_init(); - psa_status_t status; - mbedtls_svc_key_id_t key; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* We currently only support one PSK, raw or opaque. */ if( ssl_conf_psk_is_configured( conf ) ) @@ -1619,23 +1607,6 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &key_attributes, - PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256) ); - psa_set_key_enrollment_algorithm( &key_attributes, - PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384) ); - psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); - - status = psa_import_key( &key_attributes, psk, psk_len, &key ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - - /* Allow calling psa_destroy_key() on config psk remove/free */ - conf->psk_opaque_is_internal = 1; - ret = mbedtls_ssl_conf_psk_opaque( conf, key, - psk_identity, psk_identity_len ); -#else if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); conf->psk_len = psk_len; @@ -1645,7 +1616,6 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len ); if( ret != 0 ) ssl_conf_remove_psk( conf ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ return( ret ); } 
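Review bot: With the psa_import_key() branch removed, a PSK given to mbedtls_ssl_conf_psk() now lives as a plain heap copy in `conf->psk` for the lifetime of the config even when MBEDTLS_USE_PSA_CRYPTO is enabled, which is the opposite of what "use PSA" suggests and is worth stating at the `mbedtls_calloc( 1, psk_len )` site and in the public API doc in ssl.h (outside this hunk). Suggested comment: `/* The raw PSK is kept in the config and fed to the PSA key derivation as input bytes at handshake time; callers who want the secret confined to the PSA key store must use mbedtls_ssl_conf_psk_opaque(). */`. The removed branch also dropped MBEDTLS_ERR_SSL_HW_ACCEL_FAILED as a possible return, so any "Returns" list in the header that still mentions it should be updated.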
@@ -4498,14 +4468,9 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) { - if( conf->psk_opaque_is_internal ) - { - psa_destroy_key( conf->psk_opaque ); - conf->psk_opaque_is_internal = 0; - } conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; } -#else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( conf->psk != NULL ) { mbedtls_platform_zeroize( conf->psk, conf->psk_len ); @@ -4513,7 +4478,6 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf ) conf->psk = NULL; conf->psk_len = 0; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( conf->psk_identity != NULL ) { @@ -4895,6 +4859,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation, mbedtls_svc_key_id_t key, psa_algorithm_t alg, + const unsigned char* raw_psk, size_t raw_psk_length, const unsigned char* seed, size_t seed_length, const unsigned char* label, size_t label_length, const unsigned char* other_secret, @@ -4928,7 +4893,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de { status = psa_key_derivation_input_bytes( derivation, PSA_KEY_DERIVATION_INPUT_SECRET, - NULL, 0 ); + raw_psk, raw_psk_length ); } else { @@ -4994,6 +4959,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, status = setup_psa_key_derivation( &derivation, master_key, alg, + NULL, 0, random, rlen, (unsigned char const *) label, (size_t) strlen( label ), @@ -5298,6 +5264,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, } status = setup_psa_key_derivation( &derivation, psk, alg, + ssl->conf->psk, ssl->conf->psk_len, seed, seed_len, (unsigned char const *) lbl, (size_t) strlen( lbl ), diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index a22d97f7bd..095db8f816 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c 
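Review bot: mbedtls_ssl_config_free() now carries a verbatim copy of ssl_conf_remove_psk()'s teardown — the psk_opaque reset, the zeroize/free of `conf->psk`, and (from the context that follows) the psk_identity release — so the two will drift the next time the PSK representation changes. Since ssl_conf_remove_psk() is a static helper earlier in the same file, the three blocks can collapse to `ssl_conf_remove_psk( conf );` and the zeroize-before-free behaviour stays in one place. The function continues past the hunk, so check that nothing between the two hunks depends on the fields being cleared in this particular order.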
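Review bot: ssl_compute_master() now hands `ssl->conf->psk, ssl->conf->psk_len` to setup_psa_key_derivation() unconditionally, and that helper feeds them as PSA_KEY_DERIVATION_INPUT_SECRET whenever the opaque key is null; if no raw PSK is configured either (NULL, 0 — exactly what tls_prf_generic() passes on purpose), a PSK ciphersuite would derive a master secret from an empty secret instead of failing, unless a check earlier in the function (outside the hunk) already rejects that state. I would guard it explicitly before the call: `if( mbedtls_svc_key_id_is_null( psk ) && ( ssl->conf->psk == NULL || ssl->conf->psk_len == 0 ) ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`. The new `raw_psk`/`raw_psk_length` parameters also deserve a one-line comment on the helper, e.g. `/* raw_psk is used as the SECRET input only when key is null; pass NULL, 0 when a PSA key is supplied. */`, since the precedence rule is otherwise only discoverable by reading the body.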
@@ -65,10 +65,10 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); -#else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( conf->psk != NULL && conf->psk_len != 0 ) return( 1 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); } diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 29cbe750d1..a1505d16a1 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -164,10 +164,10 @@ static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) return( 1 ); -#else +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if( conf->psk != NULL && conf->psk_len != 0 ) return( 1 ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ return( 0 ); }
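Review bot: Now that the raw-PSK test is compiled alongside the opaque one under MBEDTLS_USE_PSA_CRYPTO, mbedtls_ssl_conf_has_static_psk() and ssl_conf_has_psk_or_cb() require `conf->psk != NULL && conf->psk_len != 0` while ssl_conf_psk_is_configured() in ssl_tls.c only tests `conf->psk != NULL`; if mbedtls_ssl_conf_psk() ever stores a zero-length key (its length validation is only partly visible), the config would count as "PSK configured" for the one-PSK rule yet as "no static PSK" here, and the mismatch would surface as a confusing handshake failure rather than at configuration time. Aligning the predicates — either adding `conf->psk_len != 0` to ssl_conf_psk_is_configured() or having all three call one shared helper — would remove the ambiguity. Otherwise the hunk is a mechanical `#else`→`#endif` change plus a blank line.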