lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-08 17:42:09 +03:00
Code Activity

Merge updates from upstream development branch into check-names-rewrite

Browse Source 
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
This commit is contained in:
Yuto Takano
2021-09-24 18:02:56 +01:00
parent fc1e9ffcb2 9e4c020ca5
commit c3a6f63c99
93 changed files with 6756 additions and 2370 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.travis.yml
View File

@@ -14,6 +14,8 @@ jobs:
- graphviz
- gcc-arm-none-eabi
- libnewlib-arm-none-eabi
- gcc-arm-linux-gnueabi
- libc6-dev-armel-cross
language: python # Needed to get pip for Python 3
python: 3.5 # version from Ubuntu 16.04
install:
@@ -22,7 +24,7 @@ jobs:
- tests/scripts/all.sh -k 'check_*'
- tests/scripts/all.sh -k test_default_out_of_box
- tests/scripts/all.sh -k test_ref_configs
- tests/scripts/all.sh -k build_arm_none_eabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
- tests/scripts/all.sh -k build_arm_linux_gnueabi_gcc_arm5vte build_arm_none_eabi_gcc_m0plus
- name: full configuration
script:

2
CMakeLists.txt
View File

@@ -330,7 +330,7 @@ install(
DESTINATION "cmake"
FILE "MbedTLSTargets.cmake")
if(CMAKE_VERSION VERSION_GREATER 3.14)
if(CMAKE_VERSION VERSION_GREATER 3.15 OR CMAKE_VERSION VERSION_EQUAL 3.15)
# Do not export the package by default
cmake_policy(SET CMP0090 NEW)

8
ChangeLog.d/chunked_ccm.txt Normal file
View File

@@ -0,0 +1,8 @@
Changes
* Implement multi-part CCM API.
The multi-part functions: mbedtls_ccm_starts(), mbedtls_ccm_set_lengths(),
mbedtls_ccm_update_ad(), mbedtls_ccm_update(), mbedtls_ccm_finish()
were introduced in mbedTLS 3.0 release, however their implementation was
postponed until now.
Implemented functions support chunked data input for both CCM and CCM*
algorithms.

5
ChangeLog.d/do-not-use-obsolete-header.txt Normal file
View File

@@ -0,0 +1,5 @@
Bugfix
* Don't use the obsolete header path sys/fcntl.h in unit tests.
These header files cause compilation errors in musl.
Fixes #4969.

4
ChangeLog.d/muladdc-amd64-memory.txt Normal file
View File

@@ -0,0 +1,4 @@
Bugfix
* Fix missing constraints on x86_64 assembly code for bignum multiplication
that broke some bignum operations with (at least) Clang 12.
Fixes #4116, #4786, #4917.

2
ChangeLog.d/psa_cipher_update_ecp.txt Normal file
View File

@@ -0,0 +1,2 @@
Bugfix
* Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.

3
ChangeLog.d/tls_ext_cid-config.txt Normal file
View File

@@ -0,0 +1,3 @@
Features
* The identifier of the CID TLS extension can be configured by defining
MBEDTLS_TLS_EXT_CID at compile time.

20
include/mbedtls/ccm.h
View File

@@ -76,7 +76,27 @@ extern "C" {
*/
typedef struct mbedtls_ccm_context
{
unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */
unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */
mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */
size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */
size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */
size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data
were processed (chunked input).
Used independently for both auth data
and plaintext/ciphertext.
This variable is set to zero after
auth data input is finished. */
unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */
unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
#MBEDTLS_CCM_ENCRYPT or
#MBEDTLS_CCM_DECRYPT or
#MBEDTLS_CCM_STAR_ENCRYPT or
#MBEDTLS_CCM_STAR_DECRYPT. */
int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
state. Used for chunked data
input */
}
mbedtls_ccm_context;

11
include/mbedtls/mbedtls_config.h
View File

@@ -3194,6 +3194,17 @@
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
/** \def MBEDTLS_TLS_EXT_CID
*
* At the time of writing, the CID extension has not been assigned its
* final value. Set this configuration option to make Mbed TLS use a
* different value.
*
* A future minor revision of Mbed TLS may change the default value of
* this option to match evolving standards and usage.
*/
//#define MBEDTLS_TLS_EXT_CID 254
/**
* Complete list of ciphersuites to use, in order of preference.
*

265
include/mbedtls/ssl.h
View File

@@ -169,6 +169,66 @@
/** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
/*
* TLS 1.3 NamedGroup values
*
* From RF 8446
* enum {
* // Elliptic Curve Groups (ECDHE)
* secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
* x25519(0x001D), x448(0x001E),
* // Finite Field Groups (DHE)
* ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
* ffdhe6144(0x0103), ffdhe8192(0x0104),
* // Reserved Code Points
* ffdhe_private_use(0x01FC..0x01FF),
* ecdhe_private_use(0xFE00..0xFEFF),
* (0xFFFF)
* } NamedGroup;
*
*/
/* Elliptic Curve Groups (ECDHE) */
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP256R1 0x0017
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP384R1 0x0018
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP521R1 0x0019
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_X25519 0x001D
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_X448 0x001E
/* Finite Field Groups (DHE) */
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE2048 0x0100
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE3072 0x0101
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE4096 0x0102
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE6144 0x0103
#define MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE8192 0x0104
/*
* TLS 1.3 Key Exchange Modes
*
* Mbed TLS internal identifiers for use with the SSL configuration API
* mbedtls_ssl_conf_tls13_key_exchange_modes().
*/
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ( 1u << 0 ) /*!< Pure-PSK TLS 1.3 key exchange,
* encompassing both externally agreed PSKs
* as well as resumption PSKs. */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 1 ) /*!< Pure-Ephemeral TLS 1.3 key exchanges,
* including for example ECDHE and DHE
* key exchanges. */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 2 ) /*!< PSK-Ephemeral TLS 1.3 key exchanges,
* using both a PSK and an ephemeral
* key exchange. */
/* Convenience macros for sets of key exchanges. */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL \
( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) /*!< All TLS 1.3 key exchanges */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL \
( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All PSK-based TLS 1.3 key exchanges */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \
( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */
/*
* Various constants
*/
@@ -337,6 +397,41 @@
#define MBEDTLS_SSL_SIG_RSA 1
#define MBEDTLS_SSL_SIG_ECDSA 3
/*
* TLS 1.3 signature algorithms
* RFC 8446, Section 4.2.2
*/
/* RSASSA-PKCS1-v1_5 algorithms */
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA256 0x0401
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA384 0x0501
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA512 0x0601
/* ECDSA algorithms */
#define MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256 0x0403
#define MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384 0x0503
#define MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512 0x0603
/* RSASSA-PSS algorithms with public key OID rsaEncryption */
#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256 0x0804
#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA384 0x0805
#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA512 0x0806
/* EdDSA algorithms */
#define MBEDTLS_TLS13_SIG_ED25519 0x0807
#define MBEDTLS_TLS13_SIG_ED448 0x0808
/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA256 0x0809
#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA384 0x080A
#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA512 0x080B
/* LEGACY ALGORITHMS */
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA1 0x0201
#define MBEDTLS_TLS13_SIG_ECDSA_SHA1 0x0203
#define MBEDTLS_TLS13_SIG_NONE 0x0
/*
* Client Certificate Types
* RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
@@ -408,25 +503,48 @@
#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH 1
#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC 4
#define MBEDTLS_TLS_EXT_STATUS_REQUEST 5 /* RFC 6066 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10
#define MBEDTLS_TLS_EXT_SUPPORTED_GROUPS 10 /* RFC 8422,7919 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS 11
#define MBEDTLS_TLS_EXT_SIG_ALG 13
#define MBEDTLS_TLS_EXT_SIG_ALG 13 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_USE_SRTP 14
#define MBEDTLS_TLS_EXT_HEARTBEAT 15 /* RFC 6520 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_ALPN 16
#define MBEDTLS_TLS_EXT_SCT 18 /* RFC 6962 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_CLI_CERT_TYPE 19 /* RFC 7250 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_SERV_CERT_TYPE 20 /* RFC 7250 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_PADDING 21 /* RFC 7685 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */
#define MBEDTLS_TLS_EXT_SESSION_TICKET 35
#define MBEDTLS_TLS_EXT_PRE_SHARED_KEY 41 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_EARLY_DATA 42 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS 43 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_COOKIE 44 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES 45 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_CERT_AUTH 47 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_OID_FILTERS 48 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH 49 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */
/* The value of the CID extension is still TBD as of
* draft-ietf-tls-dtls-connection-id-05
* (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) */
* (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05).
*
* A future minor revision of Mbed TLS may change the default value of
* this option to match evolving standards and usage.
*/
#if !defined(MBEDTLS_TLS_EXT_CID)
#define MBEDTLS_TLS_EXT_CID 254 /* TBD */
#endif
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */
@@ -503,6 +621,9 @@ typedef enum
MBEDTLS_SSL_HANDSHAKE_OVER,
MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
MBEDTLS_SSL_ENCRYPTED_EXTENSIONS,
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
}
mbedtls_ssl_states;
@@ -537,10 +658,11 @@ typedef int mbedtls_ssl_send_t( void *ctx,
* \param buf Buffer to write the received data to
* \param len Length of the receive buffer
*
* \return The callback must return the number of bytes received,
* or a non-zero error code.
* If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
* \returns If data has been received, the positive number of bytes received.
* \returns \c 0 if the connection has been closed.
* \returns If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
* must be returned when the operation would block.
* \returns Another negative error code on other kinds of failures.
*
* \note The callback may receive fewer bytes than the length of the
* buffer. It must always return the number of bytes actually
@@ -560,7 +682,7 @@ typedef int mbedtls_ssl_recv_t( void *ctx,
* \param ctx Context for the receive callback (typically a file descriptor)
* \param buf Buffer to write the received data to
* \param len Length of the receive buffer
* \param timeout Maximum nomber of millisecondes to wait for data
* \param timeout Maximum number of milliseconds to wait for data
* 0 means no timeout (potentially waiting forever)
*
* \return The callback must return the number of bytes received,
@@ -1069,6 +1191,11 @@ struct mbedtls_ssl_config
/** Allowed ciphersuites for (D)TLS 1.2 (0-terminated) */
const int *MBEDTLS_PRIVATE(ciphersuite_list);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/** Allowed TLS 1.3 key exchange modes. */
int MBEDTLS_PRIVATE(tls13_kex_modes);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/** Callback for printing debug output */
void (*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *);
void *MBEDTLS_PRIVATE(p_dbg); /*!< context for the debug function */
@@ -1147,6 +1274,10 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
const uint16_t *MBEDTLS_PRIVATE(tls13_sig_algs); /*!< allowed signature algorithms for TLS 1.3 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif
#if defined(MBEDTLS_ECP_C)
@@ -1328,10 +1459,24 @@ struct mbedtls_ssl_context
/*
* Record layer transformations
*/
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in); /*!< current transform params (in) */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out); /*!< current transform params (in) */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in); /*!< current transform params (in)
* This is always a reference,
* never an owning pointer. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out); /*!< current transform params (out)
* This is always a reference,
* never an owning pointer. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params
* This pointer owns the transform
* it references. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation
* This pointer owns the transform
* it references. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*! The application data transform in TLS 1.3.
* This pointer owns the transform it references. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_application);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/*
* Timers
@@ -2519,24 +2664,94 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
/**
* \brief Set the list of allowed ciphersuites and the preference
* order. First in the list has the highest preference.
* (Overrides all version-specific lists)
*
* The ciphersuites array is not copied, and must remain
* valid for the lifetime of the ssl_config.
* For TLS 1.2, the notion of ciphersuite determines both
* the key exchange mechanism and the suite of symmetric
* algorithms to be used during and after the handshake.
*
* Note: By default, the server chooses its preferred
* For TLS 1.3 (in development), the notion of ciphersuite
* only determines the suite of symmetric algorithms to be
* used during and after the handshake, while key exchange
* mechanisms are configured separately.
*
* In Mbed TLS, ciphersuites for both TLS 1.2 and TLS 1.3
* are configured via this function. For users of TLS 1.3,
* there will be separate API for the configuration of key
* exchange mechanisms.
*
* The list of ciphersuites passed to this function may
* contain a mixture of TLS 1.2 and TLS 1.3 ciphersuite
* identifiers. This is useful if negotiation of TLS 1.3
* should be attempted, but a fallback to TLS 1.2 would
* be tolerated.
*
* \note By default, the server chooses its preferred
* ciphersuite among those that the client supports. If
* mbedtls_ssl_conf_preference_order() is called to prefer
* the client's preferences, the server instead chooses
* the client's preferred ciphersuite among those that
* the server supports.
*
* \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
* \warning The ciphersuites array \p ciphersuites is not copied.
* It must remain valid for the lifetime of the SSL
* configuration \p conf.
*
* \param conf The SSL configuration to modify.
* \param ciphersuites A 0-terminated list of IANA identifiers of supported
* ciphersuites, accessible through \c MBEDTLS_TLS_XXX
* and \c MBEDTLS_TLS1_3_XXX macros defined in
* ssl_ciphersuites.h.
*/
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/**
* \brief Set the supported key exchange modes for TLS 1.3 connections.
*
* In contrast to TLS 1.2, the ciphersuite concept in TLS 1.3 does not
* include the choice of key exchange mechanism. It is therefore not
* covered by the API mbedtls_ssl_conf_ciphersuites(). See the
* documentation of mbedtls_ssl_conf_ciphersuites() for more
* information on the ciphersuite concept in TLS 1.2 and TLS 1.3.
*
* The present function is specific to TLS 1.3 and allows users to
* configure the set of supported key exchange mechanisms in TLS 1.3.
*
* \param conf The SSL configuration the change should apply to.
* \param kex_modes A bitwise combination of one or more of the following:
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK
* This flag enables pure-PSK key exchanges.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL
* This flag enables combined PSK-ephemeral key exchanges.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL
* This flag enables pure-ephemeral key exchanges.
* For convenience, the following pre-defined macros are
* available for combinations of the above:
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL
* Includes all of pure-PSK, PSK-ephemeral and pure-ephemeral.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL
* Includes both pure-PSK and combined PSK-ephemeral
* key exchanges, but excludes pure-ephemeral key exchanges.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL
* Includes both pure-ephemeral and combined PSK-ephemeral
* key exchanges.
*
* \note If a PSK-based key exchange mode shall be supported, applications
* must also use the APIs mbedtls_ssl_conf_psk() or
* mbedtls_ssl_conf_psk_cb() or mbedtls_ssl_conf_psk_opaque()
* to configure the PSKs to be used.
*
* \note If a pure-ephemeral key exchange mode shall be supported,
* server-side applications must also provide a certificate via
* mbedtls_ssl_conf_own_cert().
*
*/
void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config* conf,
const int kex_modes );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
@@ -2991,6 +3206,20 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
*/
void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
const int *hashes );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/**
* \brief Configure allowed signature algorithms for use in TLS 1.3
*
* \param conf The SSL configuration to use.
* \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
* terminated by \c MBEDTLS_TLS13_SIG_NONE. The list must remain
* available throughout the lifetime of the conf object. Supported
* values are available as \c MBEDTLS_TLS13_SIG_XXXX
*/
void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
const uint16_t* sig_algs );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_X509_CRT_PARSE_C)

7
include/mbedtls/ssl_ciphersuites.h
View File

@@ -256,6 +256,13 @@ extern "C" {
#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */
/* RFC 8446, Appendix B.4 */
#define MBEDTLS_TLS1_3_AES_128_GCM_SHA256 0x1301 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_AES_256_GCM_SHA384 0x1302 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256 0x1303 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_AES_128_CCM_SHA256 0x1304 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256 0x1305 /**< TLS 1.3 */
/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
* Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
*/

3
library/CMakeLists.txt
View File

@@ -104,6 +104,9 @@ set(src_tls
ssl_ticket.c
ssl_tls.c
ssl_tls13_keys.c
ssl_tls13_server.c
ssl_tls13_client.c
ssl_tls13_generic.c
)
if(CMAKE_COMPILER_IS_GNUCC)

3
library/Makefile
View File

@@ -167,6 +167,9 @@ OBJS_TLS= \
ssl_ticket.o \
ssl_tls.o \
ssl_tls13_keys.o \
ssl_tls13_client.o \
ssl_tls13_server.o \
ssl_tls13_generic.o \
# This line is intentionally left blank
.SILENT:

278
library/aes.c
View File

@@ -57,29 +57,6 @@
#define AES_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
/*
* 32-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT32_LE
#define GET_UINT32_LE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
#if defined(MBEDTLS_PADLOCK_C) && \
( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
static int aes_padlock_ace = -1;
@@ -409,7 +386,7 @@ static void aes_gen_tables( void )
{
pow[i] = x;
log[x] = i;
x = ( x ^ XTIME( x ) ) & 0xFF;
x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
}
/*
@@ -418,7 +395,7 @@ static void aes_gen_tables( void )
for( i = 0, x = 1; i < 10; i++ )
{
RCON[i] = (uint32_t) x;
x = XTIME( x ) & 0xFF;
x = MBEDTLS_BYTE_0( XTIME( x ) );
}
/*
@@ -431,10 +408,10 @@ static void aes_gen_tables( void )
{
x = pow[255 - log[i]];
y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
x ^= y ^ 0x63;
FSb[i] = (unsigned char) x;
@@ -447,8 +424,8 @@ static void aes_gen_tables( void )
for( i = 0; i < 256; i++ )
{
x = FSb[i];
y = XTIME( x ) & 0xFF;
z = ( y ^ x ) & 0xFF;
y = MBEDTLS_BYTE_0( XTIME( x ) );
z = MBEDTLS_BYTE_0( y ^ x );
FT0[i] = ( (uint32_t) y ) ^
( (uint32_t) x << 8 ) ^
@@ -590,7 +567,7 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
for( i = 0; i < ( keybits >> 5 ); i++ )
{
GET_UINT32_LE( RK[i], key, i << 2 );
RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
}
switch( ctx->nr )
@@ -600,10 +577,10 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
for( i = 0; i < 10; i++, RK += 4 )
{
RK[4] = RK[0] ^ RCON[i] ^
( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
RK[5] = RK[1] ^ RK[4];
RK[6] = RK[2] ^ RK[5];
@@ -616,10 +593,10 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
for( i = 0; i < 8; i++, RK += 6 )
{
RK[6] = RK[0] ^ RCON[i] ^
( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
RK[7] = RK[1] ^ RK[6];
RK[8] = RK[2] ^ RK[7];
@@ -634,20 +611,20 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
for( i = 0; i < 7; i++, RK += 8 )
{
RK[8] = RK[0] ^ RCON[i] ^
( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
RK[9] = RK[1] ^ RK[8];
RK[10] = RK[2] ^ RK[9];
RK[11] = RK[3] ^ RK[10];
RK[12] = RK[4] ^
( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
RK[13] = RK[5] ^ RK[12];
RK[14] = RK[6] ^ RK[13];
@@ -713,10 +690,10 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
{
for( j = 0; j < 4; j++, SK++ )
{
*RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
*RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
}
}
@@ -812,49 +789,49 @@ int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
do \
{ \
(X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
(X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
\
(X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
(X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
\
(X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
(X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
\
(X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
(X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
} while( 0 )
#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
do \
{ \
(X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
(X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
\
(X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
(X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
\
(X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
(X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
\
(X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
(X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
} while( 0 )
/*
@@ -873,10 +850,10 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
uint32_t Y[4];
} t;
GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
{
@@ -887,33 +864,33 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
t.X[0] = *RK++ ^ \
( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
t.X[1] = *RK++ ^ \
( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
t.X[2] = *RK++ ^ \
( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
t.X[3] = *RK++ ^ \
( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
PUT_UINT32_LE( t.X[0], output, 0 );
PUT_UINT32_LE( t.X[1], output, 4 );
PUT_UINT32_LE( t.X[2], output, 8 );
PUT_UINT32_LE( t.X[3], output, 12 );
MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
mbedtls_platform_zeroize( &t, sizeof( t ) );
@@ -937,10 +914,10 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
uint32_t Y[4];
} t;
GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
{
@@ -951,33 +928,33 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
t.X[0] = *RK++ ^ \
( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
t.X[1] = *RK++ ^ \
( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
t.X[2] = *RK++ ^ \
( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
t.X[3] = *RK++ ^ \
( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
PUT_UINT32_LE( t.X[0], output, 0 );
PUT_UINT32_LE( t.X[1], output, 4 );
PUT_UINT32_LE( t.X[2], output, 8 );
PUT_UINT32_LE( t.X[3], output, 12 );
MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
mbedtls_platform_zeroize( &t, sizeof( t ) );
@@ -1097,35 +1074,6 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/* Endianess with 64 bits values */
#ifndef GET_UINT64_LE
#define GET_UINT64_LE(n,b,i) \
{ \
(n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
| ( (uint64_t) (b)[(i) + 6] << 48 ) \
| ( (uint64_t) (b)[(i) + 5] << 40 ) \
| ( (uint64_t) (b)[(i) + 4] << 32 ) \
| ( (uint64_t) (b)[(i) + 3] << 24 ) \
| ( (uint64_t) (b)[(i) + 2] << 16 ) \
| ( (uint64_t) (b)[(i) + 1] << 8 ) \
| ( (uint64_t) (b)[(i) ] ); \
}
#endif
#ifndef PUT_UINT64_LE
#define PUT_UINT64_LE(n,b,i) \
{ \
(b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
(b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
(b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
(b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
(b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) ] = (unsigned char) ( (n) ); \
}
#endif
typedef unsigned char mbedtls_be128[16];
/*
@@ -1141,14 +1089,14 @@ static void mbedtls_gf128mul_x_ble( unsigned char r[16],
{
uint64_t a, b, ra, rb;
GET_UINT64_LE( a, x, 0 );
GET_UINT64_LE( b, x, 8 );
a = MBEDTLS_GET_UINT64_LE( x, 0 );
b = MBEDTLS_GET_UINT64_LE( x, 8 );
ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
rb = ( a >> 63 ) | ( b << 1 );
PUT_UINT64_LE( ra, r, 0 );
PUT_UINT64_LE( rb, r, 8 );
MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
}
/*

90
library/aria.c
View File

@@ -55,29 +55,6 @@
#define ARIA_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
/*
* 32-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT32_LE
#define GET_UINT32_LE( n, b, i ) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE( n, b, i ) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
/*
* modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
*
@@ -235,22 +212,22 @@ static inline void aria_sl( uint32_t *a, uint32_t *b,
const uint8_t sa[256], const uint8_t sb[256],
const uint8_t sc[256], const uint8_t sd[256] )
{
*a = ( (uint32_t) sa[ *a & 0xFF] ) ^
(((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
(((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
(((uint32_t) sd[ *a >> 24 ]) << 24);
*b = ( (uint32_t) sa[ *b & 0xFF] ) ^
(((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
(((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
(((uint32_t) sd[ *b >> 24 ]) << 24);
*c = ( (uint32_t) sa[ *c & 0xFF] ) ^
(((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
(((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
(((uint32_t) sd[ *c >> 24 ]) << 24);
*d = ( (uint32_t) sa[ *d & 0xFF] ) ^
(((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
(((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
(((uint32_t) sd[ *d >> 24 ]) << 24);
*a = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *a ) ] ) ^
(((uint32_t) sb[ MBEDTLS_BYTE_1( *a ) ]) << 8) ^
(((uint32_t) sc[ MBEDTLS_BYTE_2( *a ) ]) << 16) ^
(((uint32_t) sd[ MBEDTLS_BYTE_3( *a ) ]) << 24);
*b = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *b ) ] ) ^
(((uint32_t) sb[ MBEDTLS_BYTE_1( *b ) ]) << 8) ^
(((uint32_t) sc[ MBEDTLS_BYTE_2( *b ) ]) << 16) ^
(((uint32_t) sd[ MBEDTLS_BYTE_3( *b ) ]) << 24);
*c = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *c ) ] ) ^
(((uint32_t) sb[ MBEDTLS_BYTE_1( *c ) ]) << 8) ^
(((uint32_t) sc[ MBEDTLS_BYTE_2( *c ) ]) << 16) ^
(((uint32_t) sd[ MBEDTLS_BYTE_3( *c ) ]) << 24);
*d = ( (uint32_t) sa[ MBEDTLS_BYTE_0( *d ) ] ) ^
(((uint32_t) sb[ MBEDTLS_BYTE_1( *d ) ]) << 8) ^
(((uint32_t) sc[ MBEDTLS_BYTE_2( *d ) ]) << 16) ^
(((uint32_t) sd[ MBEDTLS_BYTE_3( *d ) ]) << 24);
}
/*
@@ -408,7 +385,8 @@ static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
* Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
*
* We chose to store bytes into 32-bit words in little-endian format (see
* GET/PUT_UINT32_LE) so we need to reverse bytes here.
* MBEDTLS_GET_UINT32_LE / MBEDTLS_PUT_UINT32_LE ) so we need to reverse
* bytes here.
*/
static void aria_rot128( uint32_t r[4], const uint32_t a[4],
const uint32_t b[4], uint8_t n )
@@ -456,21 +434,21 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
/* Copy key to W0 (and potential remainder to W1) */
GET_UINT32_LE( w[0][0], key, 0 );
GET_UINT32_LE( w[0][1], key, 4 );
GET_UINT32_LE( w[0][2], key, 8 );
GET_UINT32_LE( w[0][3], key, 12 );
w[0][0] = MBEDTLS_GET_UINT32_LE( key, 0 );
w[0][1] = MBEDTLS_GET_UINT32_LE( key, 4 );
w[0][2] = MBEDTLS_GET_UINT32_LE( key, 8 );
w[0][3] = MBEDTLS_GET_UINT32_LE( key, 12 );
memset( w[1], 0, 16 );
if( keybits >= 192 )
{
GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
GET_UINT32_LE( w[1][1], key, 20 );
w[1][0] = MBEDTLS_GET_UINT32_LE( key, 16 ); // 192 bit key
w[1][1] = MBEDTLS_GET_UINT32_LE( key, 20 );
}
if( keybits == 256 )
{
GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
GET_UINT32_LE( w[1][3], key, 28 );
w[1][2] = MBEDTLS_GET_UINT32_LE( key, 24 ); // 256 bit key
w[1][3] = MBEDTLS_GET_UINT32_LE( key, 28 );
}
i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
@@ -547,10 +525,10 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
ARIA_VALIDATE_RET( input != NULL );
ARIA_VALIDATE_RET( output != NULL );
GET_UINT32_LE( a, input, 0 );
GET_UINT32_LE( b, input, 4 );
GET_UINT32_LE( c, input, 8 );
GET_UINT32_LE( d, input, 12 );
a = MBEDTLS_GET_UINT32_LE( input, 0 );
b = MBEDTLS_GET_UINT32_LE( input, 4 );
c = MBEDTLS_GET_UINT32_LE( input, 8 );
d = MBEDTLS_GET_UINT32_LE( input, 12 );
i = 0;
while( 1 )
@@ -582,10 +560,10 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
c ^= ctx->rk[i][2];
d ^= ctx->rk[i][3];
PUT_UINT32_LE( a, output, 0 );
PUT_UINT32_LE( b, output, 4 );
PUT_UINT32_LE( c, output, 8 );
PUT_UINT32_LE( d, output, 12 );
MBEDTLS_PUT_UINT32_LE( a, output, 0 );
MBEDTLS_PUT_UINT32_LE( b, output, 4 );
MBEDTLS_PUT_UINT32_LE( c, output, 8 );
MBEDTLS_PUT_UINT32_LE( d, output, 12 );
return( 0 );
}

18
library/asn1write.c
View File

@@ -60,8 +60,8 @@ int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_
if( *p - start < 3 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--(*p) = ( len ) & 0xFF;
*--(*p) = ( len >> 8 ) & 0xFF;
*--(*p) = MBEDTLS_BYTE_0( len );
*--(*p) = MBEDTLS_BYTE_1( len );
*--(*p) = 0x82;
return( 3 );
}
@@ -71,9 +71,9 @@ int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_
if( *p - start < 4 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--(*p) = ( len ) & 0xFF;
*--(*p) = ( len >> 8 ) & 0xFF;
*--(*p) = ( len >> 16 ) & 0xFF;
*--(*p) = MBEDTLS_BYTE_0( len );
*--(*p) = MBEDTLS_BYTE_1( len );
*--(*p) = MBEDTLS_BYTE_2( len );
*--(*p) = 0x83;
return( 4 );
}
@@ -85,10 +85,10 @@ int mbedtls_asn1_write_len( unsigned char **p, const unsigned char *start, size_
if( *p - start < 5 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--(*p) = ( len ) & 0xFF;
*--(*p) = ( len >> 8 ) & 0xFF;
*--(*p) = ( len >> 16 ) & 0xFF;
*--(*p) = ( len >> 24 ) & 0xFF;
*--(*p) = MBEDTLS_BYTE_0( len );
*--(*p) = MBEDTLS_BYTE_1( len );
*--(*p) = MBEDTLS_BYTE_2( len );
*--(*p) = MBEDTLS_BYTE_3( len );
*--(*p) = 0x84;
return( 5 );
}

6
library/base64.c
View File

@@ -319,9 +319,9 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
if( ++n == 4 )
{
n = 0;
if( j > 0 ) *p++ = (unsigned char)( x >> 16 );
if( j > 1 ) *p++ = (unsigned char)( x >> 8 );
if( j > 2 ) *p++ = (unsigned char)( x );
if( j > 0 ) *p++ = MBEDTLS_BYTE_2( x );
if( j > 1 ) *p++ = MBEDTLS_BYTE_1( x );
if( j > 2 ) *p++ = MBEDTLS_BYTE_0( x );
}
}

4
library/bn_mul.h
View File

@@ -225,8 +225,8 @@
"addq $8, %%rdi\n"
#define MULADDC_STOP \
: "+c" (c), "+D" (d), "+S" (s) \
: "b" (b) \
: "+c" (c), "+D" (d), "+S" (s), "+m" (*(uint64_t (*)[16]) d) \
: "b" (b), "m" (*(const uint64_t (*)[16]) s) \
: "rax", "rdx", "r8" \
);

61
library/camellia.c
View File

@@ -49,29 +49,6 @@
#define CAMELLIA_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
/*
* 32-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
}
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
}
#endif
static const unsigned char SIGMA_CHARS[6][8] =
{
{ 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
@@ -301,14 +278,14 @@ static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
I0 = x[0] ^ k[0];
I1 = x[1] ^ k[1];
I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
((uint32_t) SBOX4((I0 ) & 0xFF) );
I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
((uint32_t) SBOX1((I1 ) & 0xFF) );
I0 = ((uint32_t) SBOX1( MBEDTLS_BYTE_3( I0 )) << 24) |
((uint32_t) SBOX2( MBEDTLS_BYTE_2( I0 )) << 16) |
((uint32_t) SBOX3( MBEDTLS_BYTE_1( I0 )) << 8) |
((uint32_t) SBOX4( MBEDTLS_BYTE_0( I0 )) );
I1 = ((uint32_t) SBOX2( MBEDTLS_BYTE_3( I1 )) << 24) |
((uint32_t) SBOX3( MBEDTLS_BYTE_2( I1 )) << 16) |
((uint32_t) SBOX4( MBEDTLS_BYTE_1( I1 )) << 8) |
((uint32_t) SBOX1( MBEDTLS_BYTE_0( I1 )) );
I0 ^= (I1 << 8) | (I1 >> 24);
I1 ^= (I0 << 16) | (I0 >> 16);
@@ -376,8 +353,8 @@ int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
* Prepare SIGMA values
*/
for( i = 0; i < 6; i++ ) {
GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
SIGMA[i][0] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 0 );
SIGMA[i][1] = MBEDTLS_GET_UINT32_BE( SIGMA_CHARS[i], 4 );
}
/*
@@ -388,7 +365,7 @@ int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
/* Store KL, KR */
for( i = 0; i < 8; i++ )
GET_UINT32_BE( KC[i], t, i * 4 );
KC[i] = MBEDTLS_GET_UINT32_BE( t, i * 4 );
/* Generate KA */
for( i = 0; i < 4; ++i )
@@ -514,10 +491,10 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
NR = ctx->nr;
RK = ctx->rk;
GET_UINT32_BE( X[0], input, 0 );
GET_UINT32_BE( X[1], input, 4 );
GET_UINT32_BE( X[2], input, 8 );
GET_UINT32_BE( X[3], input, 12 );
X[0] = MBEDTLS_GET_UINT32_BE( input, 0 );
X[1] = MBEDTLS_GET_UINT32_BE( input, 4 );
X[2] = MBEDTLS_GET_UINT32_BE( input, 8 );
X[3] = MBEDTLS_GET_UINT32_BE( input, 12 );
X[0] ^= *RK++;
X[1] ^= *RK++;
@@ -552,10 +529,10 @@ int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
X[0] ^= *RK++;
X[1] ^= *RK++;
PUT_UINT32_BE( X[2], output, 0 );
PUT_UINT32_BE( X[3], output, 4 );
PUT_UINT32_BE( X[0], output, 8 );
PUT_UINT32_BE( X[1], output, 12 );
MBEDTLS_PUT_UINT32_BE( X[2], output, 0 );
MBEDTLS_PUT_UINT32_BE( X[3], output, 4 );
MBEDTLS_PUT_UINT32_BE( X[0], output, 8 );
MBEDTLS_PUT_UINT32_BE( X[1], output, 12 );
return( 0 );
}

578
library/ccm.c
View File

@@ -36,31 +36,23 @@
#include <string.h>
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
#endif /* MBEDTLS_PLATFORM_C */
#if !defined(MBEDTLS_CCM_ALT)
#define CCM_VALIDATE_RET( cond ) \
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
#define CCM_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
#define CCM_ENCRYPT 0
#define CCM_DECRYPT 1
/*
* Initialize context
*/
void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
{
CCM_VALIDATE( ctx != NULL );
memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
}
@@ -72,9 +64,6 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_cipher_info_t *cipher_info;
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( key != NULL );
cipher_info = mbedtls_cipher_info_from_values( cipher, keybits,
MBEDTLS_MODE_ECB );
if( cipher_info == NULL )
@@ -108,82 +97,67 @@ void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
}
/*
* Macros for common operations.
* Results in smaller compiled code than static inline functions.
*/
/*
* Update the CBC-MAC state in y using a block in b
* (Always using b as the source helps the compiler optimise a bit better.)
*/
#define UPDATE_CBC_MAC \
for( i = 0; i < 16; i++ ) \
y[i] ^= b[i]; \
\
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
return( ret );
#define CCM_STATE__CLEAR 0
#define CCM_STATE__STARTED (1 << 0)
#define CCM_STATE__LENGHTS_SET (1 << 1)
#define CCM_STATE__AUTH_DATA_STARTED (1 << 2)
#define CCM_STATE__AUTH_DATA_FINISHED (1 << 3)
#define CCM_STATE__ERROR (1 << 4)
/*
* Encrypt or decrypt a partial block with CTR
* Warning: using b for temporary storage! src and dst must not be b!
* This avoids allocating one more 16 bytes buffer while allowing src == dst.
*/
#define CTR_CRYPT( dst, src, len ) \
do \
{ \
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr, \
16, b, &olen ) ) != 0 ) \
{ \
return( ret ); \
} \
\
for( i = 0; i < (len); i++ ) \
(dst)[i] = (src)[i] ^ b[i]; \
} while( 0 )
static int mbedtls_ccm_crypt( mbedtls_ccm_context *ctx,
size_t offset, size_t use_len,
const unsigned char *input,
unsigned char *output )
{
size_t i;
size_t olen = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char tmp_buf[16] = {0};
/*
* Authenticated encryption or decryption
*/
static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len )
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->ctr, 16, tmp_buf,
&olen ) ) != 0 )
{
ctx->state |= CCM_STATE__ERROR;
mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
return ret;
}
for( i = 0; i < use_len; i++ )
output[i] = input[i] ^ tmp_buf[offset + i];
mbedtls_platform_zeroize(tmp_buf, sizeof(tmp_buf));
return ret;
}
static void mbedtls_ccm_clear_state(mbedtls_ccm_context *ctx) {
ctx->state = CCM_STATE__CLEAR;
memset( ctx->y, 0, 16);
memset( ctx->ctr, 0, 16);
}
static int ccm_calculate_first_block_if_ready(mbedtls_ccm_context *ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char i;
unsigned char q;
size_t len_left, olen;
unsigned char b[16];
unsigned char y[16];
unsigned char ctr[16];
const unsigned char *src;
unsigned char *dst;
/*
* Check length requirements: SP800-38C A.1
* Additional requirement: a < 2^16 - 2^8 to simplify the code.
* 'length' checked later (when writing it to the first block)
*
* Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
/* length calulcation can be done only after both
* mbedtls_ccm_starts() and mbedtls_ccm_set_lengths() have been executed
*/
if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
if( !(ctx->state & CCM_STATE__STARTED) || !(ctx->state & CCM_STATE__LENGHTS_SET) )
return 0;
/* Also implies q is within bounds */
if( iv_len < 7 || iv_len > 13 )
if( ctx->tag_len == 0 && \
( ctx->mode == MBEDTLS_CCM_ENCRYPT || ctx->mode == MBEDTLS_CCM_DECRYPT ) )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
if( add_len >= 0xFF00 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
q = 16 - 1 - (unsigned char) iv_len;
/*
* First block B_0:
* First block:
* 0 .. 0 flags
* 1 .. iv_len nonce (aka iv)
* 1 .. iv_len nonce (aka iv) - set by: mbedtls_ccm_starts()
* iv_len+1 .. 15 length
*
* With flags as (bits):
@@ -192,57 +166,40 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
* 5 .. 3 (t - 2) / 2
* 2 .. 0 q - 1
*/
b[0] = 0;
b[0] |= ( add_len > 0 ) << 6;
b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
b[0] |= q - 1;
ctx->y[0] |= ( ctx->add_len > 0 ) << 6;
ctx->y[0] |= ( ( ctx->tag_len - 2 ) / 2 ) << 3;
ctx->y[0] |= ctx->q - 1;
memcpy( b + 1, iv, iv_len );
for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
b[15-i] = (unsigned char)( len_left & 0xFF );
for( i = 0, len_left = ctx->plaintext_len; i < ctx->q; i++, len_left >>= 8 )
ctx->y[15-i] = MBEDTLS_BYTE_0( len_left );
if( len_left > 0 )
{
ctx->state |= CCM_STATE__ERROR;
return( MBEDTLS_ERR_CCM_BAD_INPUT );
}
/* Start CBC-MAC with first block*/
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
{
ctx->state |= CCM_STATE__ERROR;
return( ret );
}
return (0);
}
int mbedtls_ccm_starts( mbedtls_ccm_context *ctx,
int mode,
const unsigned char *iv,
size_t iv_len )
{
/* Also implies q is within bounds */
if( iv_len < 7 || iv_len > 13 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
/* Start CBC-MAC with first block */
memset( y, 0, 16 );
UPDATE_CBC_MAC;
/*
* If there is additional data, update CBC-MAC with
* add_len, add, 0 (padding to a block boundary)
*/
if( add_len > 0 )
{
size_t use_len;
len_left = add_len;
src = add;
memset( b, 0, 16 );
b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF );
b[1] = (unsigned char)( ( add_len ) & 0xFF );
use_len = len_left < 16 - 2 ? len_left : 16 - 2;
memcpy( b + 2, src, use_len );
len_left -= use_len;
src += use_len;
UPDATE_CBC_MAC;
while( len_left > 0 )
{
use_len = len_left > 16 ? 16 : len_left;
memset( b, 0, 16 );
memcpy( b, src, use_len );
UPDATE_CBC_MAC;
len_left -= use_len;
src += use_len;
}
}
ctx->mode = mode;
ctx->q = 16 - 1 - (unsigned char) iv_len;
/*
* Prepare counter block for encryption:
@@ -254,62 +211,290 @@ static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
* 7 .. 3 0
* 2 .. 0 q - 1
*/
ctr[0] = q - 1;
memcpy( ctr + 1, iv, iv_len );
memset( ctr + 1 + iv_len, 0, q );
ctr[15] = 1;
memset( ctx->ctr, 0, 16);
ctx->ctr[0] = ctx->q - 1;
memcpy( ctx->ctr + 1, iv, iv_len );
memset( ctx->ctr + 1 + iv_len, 0, ctx->q );
ctx->ctr[15] = 1;
/*
* Authenticate and {en,de}crypt the message.
* See ccm_calculate_first_block_if_ready() for block layout description
*/
memcpy( ctx->y + 1, iv, iv_len );
ctx->state |= CCM_STATE__STARTED;
return ccm_calculate_first_block_if_ready(ctx);
}
int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx,
size_t total_ad_len,
size_t plaintext_len,
size_t tag_len )
{
/*
* Check length requirements: SP800-38C A.1
* Additional requirement: a < 2^16 - 2^8 to simplify the code.
* 'length' checked later (when writing it to the first block)
*
* The only difference between encryption and decryption is
* the respective order of authentication and {en,de}cryption.
* Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
*/
len_left = length;
src = input;
dst = output;
if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
while( len_left > 0 )
{
size_t use_len = len_left > 16 ? 16 : len_left;
if( total_ad_len >= 0xFF00 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
if( mode == CCM_ENCRYPT )
ctx->plaintext_len = plaintext_len;
ctx->add_len = total_ad_len;
ctx->tag_len = tag_len;
ctx->processed = 0;
ctx->state |= CCM_STATE__LENGHTS_SET;
return ccm_calculate_first_block_if_ready(ctx);
}
int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx,
const unsigned char *add,
size_t add_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char i;
size_t olen, use_len, offset;
if( ctx->state & CCM_STATE__ERROR )
{
memset( b, 0, 16 );
memcpy( b, src, use_len );
UPDATE_CBC_MAC;
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
CTR_CRYPT( dst, src, use_len );
if( mode == CCM_DECRYPT )
if( add_len > 0 )
{
memset( b, 0, 16 );
memcpy( b, dst, use_len );
UPDATE_CBC_MAC;
if( ctx->state & CCM_STATE__AUTH_DATA_FINISHED )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
dst += use_len;
src += use_len;
len_left -= use_len;
if( !(ctx->state & CCM_STATE__AUTH_DATA_STARTED) )
{
if ( add_len > ctx->add_len )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
/*
* Increment counter.
* No need to check for overflow thanks to the length check above.
ctx->y[0] ^= (unsigned char)( ( ctx->add_len >> 8 ) & 0xFF );
ctx->y[1] ^= (unsigned char)( ( ctx->add_len ) & 0xFF );
ctx->state |= CCM_STATE__AUTH_DATA_STARTED;
}
else if ( ctx->processed + add_len > ctx->add_len )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
while( add_len > 0 )
{
offset = (ctx->processed + 2) % 16; /* account for y[0] and y[1]
* holding total auth data length */
use_len = 16 - offset;
if( use_len > add_len )
use_len = add_len;
for( i = 0; i < use_len; i++ )
ctx->y[i + offset] ^= add[i];
ctx->processed += use_len;
add_len -= use_len;
add += use_len;
if( use_len + offset == 16 || ctx->processed == ctx->add_len )
{
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
{
ctx->state |= CCM_STATE__ERROR;
return( ret );
}
}
}
if( ctx->processed == ctx->add_len )
{
ctx->state |= CCM_STATE__AUTH_DATA_FINISHED;
ctx->processed = 0; // prepare for mbedtls_ccm_update()
}
}
return (0);
}
int mbedtls_ccm_update( mbedtls_ccm_context *ctx,
const unsigned char *input, size_t input_len,
unsigned char *output, size_t output_size,
size_t *output_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char i;
size_t use_len, offset, olen;
unsigned char local_output[16];
if( ctx->state & CCM_STATE__ERROR )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
if( ctx->processed + input_len > ctx->plaintext_len )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
if( output_size < input_len )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
*output_len = input_len;
ret = 0;
while ( input_len > 0 )
{
offset = ctx->processed % 16;
use_len = 16 - offset;
if( use_len > input_len )
use_len = input_len;
ctx->processed += use_len;
if( ctx->mode == MBEDTLS_CCM_ENCRYPT || \
ctx->mode == MBEDTLS_CCM_STAR_ENCRYPT )
{
for( i = 0; i < use_len; i++ )
ctx->y[i + offset] ^= input[i];
if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len )
{
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
{
ctx->state |= CCM_STATE__ERROR;
goto exit;
}
}
ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, output );
if( ret != 0 )
goto exit;
}
if( ctx->mode == MBEDTLS_CCM_DECRYPT || \
ctx->mode == MBEDTLS_CCM_STAR_DECRYPT )
{
/* Since output may be in shared memory, we cannot be sure that
* it will contain what we wrote to it. Therefore, we should avoid using
* it as input to any operations.
* Write decrypted data to local_output to avoid using output variable as
* input in the XOR operation for Y.
*/
for( i = 0; i < q; i++ )
if( ++ctr[15-i] != 0 )
ret = mbedtls_ccm_crypt( ctx, offset, use_len, input, local_output );
if( ret != 0 )
goto exit;
for( i = 0; i < use_len; i++ )
ctx->y[i + offset] ^= local_output[i];
memcpy( output, local_output, use_len );
mbedtls_platform_zeroize( local_output, 16 );
if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len )
{
if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->y, &olen ) ) != 0 )
{
ctx->state |= CCM_STATE__ERROR;
goto exit;
}
}
}
if( use_len + offset == 16 || ctx->processed == ctx->plaintext_len )
{
for( i = 0; i < ctx->q; i++ )
if( ++(ctx->ctr)[15-i] != 0 )
break;
}
input_len -= use_len;
input += use_len;
output += use_len;
}
exit:
mbedtls_platform_zeroize( local_output, 16 );
return ret;
}
int mbedtls_ccm_finish( mbedtls_ccm_context *ctx,
unsigned char *tag, size_t tag_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char i;
if( ctx->state & CCM_STATE__ERROR )
{
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
if( ctx->add_len > 0 && !( ctx->state & CCM_STATE__AUTH_DATA_FINISHED ) )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
if( ctx->plaintext_len > 0 && ctx->processed != ctx->plaintext_len )
{
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
/*
* Authentication: reset counter and crypt/mask internal tag
*/
for( i = 0; i < q; i++ )
ctr[15-i] = 0;
for( i = 0; i < ctx->q; i++ )
ctx->ctr[15-i] = 0;
CTR_CRYPT( y, y, 16 );
memcpy( tag, y, tag_len );
ret = mbedtls_ccm_crypt( ctx, 0, 16, ctx->y, ctx->y );
if( ret != 0 )
return ret;
if( tag != NULL )
memcpy( tag, ctx->y, tag_len );
mbedtls_ccm_clear_state(ctx);
return( 0 );
}
/*
* Authenticated encryption or decryption
*/
static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen;
if( ( ret = mbedtls_ccm_starts( ctx, mode, iv, iv_len ) ) != 0 )
return( ret );
if( ( ret = mbedtls_ccm_set_lengths( ctx, add_len, length, tag_len ) ) != 0 )
return( ret );
if( ( ret = mbedtls_ccm_update_ad( ctx, add, add_len ) ) != 0 )
return( ret );
if( ( ret = mbedtls_ccm_update( ctx, input, length,
output, length, &olen ) ) != 0 )
return( ret );
if( ( ret = mbedtls_ccm_finish( ctx, tag, tag_len ) ) != 0 )
return( ret );
return( 0 );
}
@@ -323,13 +508,7 @@ int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len )
{
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( iv != NULL );
CCM_VALIDATE_RET( add_len == 0 || add != NULL );
CCM_VALIDATE_RET( length == 0 || input != NULL );
CCM_VALIDATE_RET( length == 0 || output != NULL );
CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
return( ccm_auth_crypt( ctx, MBEDTLS_CCM_STAR_ENCRYPT, length, iv, iv_len,
add, add_len, input, output, tag, tag_len ) );
}
@@ -339,23 +518,31 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *input, unsigned char *output,
unsigned char *tag, size_t tag_len )
{
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( iv != NULL );
CCM_VALIDATE_RET( add_len == 0 || add != NULL );
CCM_VALIDATE_RET( length == 0 || input != NULL );
CCM_VALIDATE_RET( length == 0 || output != NULL );
CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
if( tag_len == 0 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add,
add_len, input, output, tag, tag_len ) );
return( ccm_auth_crypt( ctx, MBEDTLS_CCM_ENCRYPT, length, iv, iv_len,
add, add_len, input, output, tag, tag_len ) );
}
/*
* Authenticated decryption
*/
int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
static int mbedtls_ccm_compare_tags(const unsigned char *tag1, const unsigned char *tag2, size_t tag_len)
{
unsigned char i;
int diff;
/* Check tag in "constant-time" */
for( diff = 0, i = 0; i < tag_len; i++ )
diff |= tag1[i] ^ tag2[i];
if( diff != 0 )
{
return( MBEDTLS_ERR_CCM_AUTH_FAILED );
}
return( 0 );
}
static int ccm_auth_decrypt( mbedtls_ccm_context *ctx, int mode, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
@@ -363,54 +550,43 @@ int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char check_tag[16];
unsigned char i;
int diff;
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( iv != NULL );
CCM_VALIDATE_RET( add_len == 0 || add != NULL );
CCM_VALIDATE_RET( length == 0 || input != NULL );
CCM_VALIDATE_RET( length == 0 || output != NULL );
CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
if( ( ret = ccm_auth_crypt( ctx, mode, length,
iv, iv_len, add, add_len,
input, output, check_tag, tag_len ) ) != 0 )
{
return( ret );
}
/* Check tag in "constant-time" */
for( diff = 0, i = 0; i < tag_len; i++ )
diff |= tag[i] ^ check_tag[i];
if( diff != 0 )
if( ( ret = mbedtls_ccm_compare_tags( tag, check_tag, tag_len ) ) != 0 )
{
mbedtls_platform_zeroize( output, length );
return( MBEDTLS_ERR_CCM_AUTH_FAILED );
return( ret );
}
return( 0 );
}
int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
const unsigned char *tag, size_t tag_len )
{
return ccm_auth_decrypt( ctx, MBEDTLS_CCM_STAR_DECRYPT, length,
iv, iv_len, add, add_len,
input, output, tag, tag_len );
}
int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
const unsigned char *iv, size_t iv_len,
const unsigned char *add, size_t add_len,
const unsigned char *input, unsigned char *output,
const unsigned char *tag, size_t tag_len )
{
CCM_VALIDATE_RET( ctx != NULL );
CCM_VALIDATE_RET( iv != NULL );
CCM_VALIDATE_RET( add_len == 0 || add != NULL );
CCM_VALIDATE_RET( length == 0 || input != NULL );
CCM_VALIDATE_RET( length == 0 || output != NULL );
CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
if( tag_len == 0 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add,
add_len, input, output, tag, tag_len ) );
return ccm_auth_decrypt( ctx, MBEDTLS_CCM_DECRYPT, length,
iv, iv_len, add, add_len,
input, output, tag, tag_len );
}
#endif /* !MBEDTLS_CCM_ALT */

34
library/chacha20.c
View File

@@ -54,13 +54,6 @@
#define CHACHA20_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
#define BYTES_TO_U32_LE( data, offset ) \
( (uint32_t) (data)[offset] \
| (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 ) \
| (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 ) \
| (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 ) \
)
#define ROTL32( value, amount ) \
( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
@@ -171,10 +164,7 @@ static void chacha20_block( const uint32_t initial_state[16],
{
size_t offset = i * 4U;
keystream[offset ] = (unsigned char)( working_state[i] );
keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 );
keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
MBEDTLS_PUT_UINT32_LE(working_state[i], keystream, offset);
}
mbedtls_platform_zeroize( working_state, sizeof( working_state ) );
@@ -212,14 +202,14 @@ int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
ctx->state[3] = 0x6b206574;
/* Set key */
ctx->state[4] = BYTES_TO_U32_LE( key, 0 );
ctx->state[5] = BYTES_TO_U32_LE( key, 4 );
ctx->state[6] = BYTES_TO_U32_LE( key, 8 );
ctx->state[7] = BYTES_TO_U32_LE( key, 12 );
ctx->state[8] = BYTES_TO_U32_LE( key, 16 );
ctx->state[9] = BYTES_TO_U32_LE( key, 20 );
ctx->state[10] = BYTES_TO_U32_LE( key, 24 );
ctx->state[11] = BYTES_TO_U32_LE( key, 28 );
ctx->state[4] = MBEDTLS_GET_UINT32_LE( key, 0 );
ctx->state[5] = MBEDTLS_GET_UINT32_LE( key, 4 );
ctx->state[6] = MBEDTLS_GET_UINT32_LE( key, 8 );
ctx->state[7] = MBEDTLS_GET_UINT32_LE( key, 12 );
ctx->state[8] = MBEDTLS_GET_UINT32_LE( key, 16 );
ctx->state[9] = MBEDTLS_GET_UINT32_LE( key, 20 );
ctx->state[10] = MBEDTLS_GET_UINT32_LE( key, 24 );
ctx->state[11] = MBEDTLS_GET_UINT32_LE( key, 28 );
return( 0 );
}
@@ -235,9 +225,9 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
ctx->state[12] = counter;
/* Nonce */
ctx->state[13] = BYTES_TO_U32_LE( nonce, 0 );
ctx->state[14] = BYTES_TO_U32_LE( nonce, 4 );
ctx->state[15] = BYTES_TO_U32_LE( nonce, 8 );
ctx->state[13] = MBEDTLS_GET_UINT32_LE( nonce, 0 );
ctx->state[14] = MBEDTLS_GET_UINT32_LE( nonce, 4 );
ctx->state[15] = MBEDTLS_GET_UINT32_LE( nonce, 8 );
mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );

18
library/chachapoly.c
View File

@@ -263,22 +263,8 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
/* The lengths of the AAD and ciphertext are processed by
* Poly1305 as the final 128-bit block, encoded as little-endian integers.
*/
len_block[ 0] = (unsigned char)( ctx->aad_len );
len_block[ 1] = (unsigned char)( ctx->aad_len >> 8 );
len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 );
len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 );
len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 );
len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 );
len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 );
len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 );
len_block[ 8] = (unsigned char)( ctx->ciphertext_len );
len_block[ 9] = (unsigned char)( ctx->ciphertext_len >> 8 );
len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
if( ret != 0 )

252
library/common.h
View File

@@ -25,6 +25,8 @@
#include "mbedtls/build_info.h"
#include <stdint.h>
/** Helper to define a function as static except when building invasive tests.
*
* If a function is only used inside its own source file and should be
@@ -66,4 +68,254 @@ extern void (*mbedtls_test_hook_test_fail)( const char * test, int line, const c
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
/** Byte Reading Macros
*
* Given a multi-byte integer \p x, MBEDTLS_BYTE_n retrieves the n-th
* byte from x, where byte 0 is the least significant byte.
*/
#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) )
#define MBEDTLS_BYTE_1( x ) ( (uint8_t) ( ( ( x ) >> 8 ) & 0xff ) )
#define MBEDTLS_BYTE_2( x ) ( (uint8_t) ( ( ( x ) >> 16 ) & 0xff ) )
#define MBEDTLS_BYTE_3( x ) ( (uint8_t) ( ( ( x ) >> 24 ) & 0xff ) )
#define MBEDTLS_BYTE_4( x ) ( (uint8_t) ( ( ( x ) >> 32 ) & 0xff ) )
#define MBEDTLS_BYTE_5( x ) ( (uint8_t) ( ( ( x ) >> 40 ) & 0xff ) )
#define MBEDTLS_BYTE_6( x ) ( (uint8_t) ( ( ( x ) >> 48 ) & 0xff ) )
#define MBEDTLS_BYTE_7( x ) ( (uint8_t) ( ( ( x ) >> 56 ) & 0xff ) )
/**
* Get the unsigned 32 bits integer corresponding to four bytes in
* big-endian order (MSB first).
*
* \param data Base address of the memory to get the four bytes from.
* \param offset Offset from \p base of the first and most significant
* byte of the four bytes to build the 32 bits unsigned
* integer from.
*/
#ifndef MBEDTLS_GET_UINT32_BE
#define MBEDTLS_GET_UINT32_BE( data , offset ) \
( \
( (uint32_t) ( data )[( offset ) ] << 24 ) \
| ( (uint32_t) ( data )[( offset ) + 1] << 16 ) \
| ( (uint32_t) ( data )[( offset ) + 2] << 8 ) \
| ( (uint32_t) ( data )[( offset ) + 3] ) \
)
#endif
/**
* Put in memory a 32 bits unsigned integer in big-endian order.
*
* \param n 32 bits unsigned integer to put in memory.
* \param data Base address of the memory where to put the 32
* bits unsigned integer in.
* \param offset Offset from \p base where to put the most significant
* byte of the 32 bits unsigned integer \p n.
*/
#ifndef MBEDTLS_PUT_UINT32_BE
#define MBEDTLS_PUT_UINT32_BE( n, data, offset ) \
{ \
( data )[( offset ) ] = MBEDTLS_BYTE_3( n ); \
( data )[( offset ) + 1] = MBEDTLS_BYTE_2( n ); \
( data )[( offset ) + 2] = MBEDTLS_BYTE_1( n ); \
( data )[( offset ) + 3] = MBEDTLS_BYTE_0( n ); \
}
#endif
/**
* Get the unsigned 32 bits integer corresponding to four bytes in
* little-endian order (LSB first).
*
* \param data Base address of the memory to get the four bytes from.
* \param offset Offset from \p base of the first and least significant
* byte of the four bytes to build the 32 bits unsigned
* integer from.
*/
#ifndef MBEDTLS_GET_UINT32_LE
#define MBEDTLS_GET_UINT32_LE( data, offset ) \
( \
( (uint32_t) ( data )[( offset ) ] ) \
| ( (uint32_t) ( data )[( offset ) + 1] << 8 ) \
| ( (uint32_t) ( data )[( offset ) + 2] << 16 ) \
| ( (uint32_t) ( data )[( offset ) + 3] << 24 ) \
)
#endif
/**
* Put in memory a 32 bits unsigned integer in little-endian order.
*
* \param n 32 bits unsigned integer to put in memory.
* \param data Base address of the memory where to put the 32
* bits unsigned integer in.
* \param offset Offset from \p base where to put the least significant
* byte of the 32 bits unsigned integer \p n.
*/
#ifndef MBEDTLS_PUT_UINT32_LE
#define MBEDTLS_PUT_UINT32_LE( n, data, offset ) \
{ \
( data )[( offset ) ] = MBEDTLS_BYTE_0( n ); \
( data )[( offset ) + 1] = MBEDTLS_BYTE_1( n ); \
( data )[( offset ) + 2] = MBEDTLS_BYTE_2( n ); \
( data )[( offset ) + 3] = MBEDTLS_BYTE_3( n ); \
}
#endif
/**
* Get the unsigned 16 bits integer corresponding to two bytes in
* little-endian order (LSB first).
*
* \param data Base address of the memory to get the two bytes from.
* \param offset Offset from \p base of the first and least significant
* byte of the two bytes to build the 16 bits unsigned
* integer from.
*/
#ifndef MBEDTLS_GET_UINT16_LE
#define MBEDTLS_GET_UINT16_LE( data, offset ) \
( \
( (uint16_t) ( data )[( offset ) ] ) \
| ( (uint16_t) ( data )[( offset ) + 1] << 8 ) \
)
#endif
/**
* Put in memory a 16 bits unsigned integer in little-endian order.
*
* \param n 16 bits unsigned integer to put in memory.
* \param data Base address of the memory where to put the 16
* bits unsigned integer in.
* \param offset Offset from \p base where to put the least significant
* byte of the 16 bits unsigned integer \p n.
*/
#ifndef MBEDTLS_PUT_UINT16_LE
#define MBEDTLS_PUT_UINT16_LE( n, data, offset ) \
{ \
( data )[( offset ) ] = MBEDTLS_BYTE_0( n ); \
( data )[( offset ) + 1] = MBEDTLS_BYTE_1( n ); \
}
#endif
/**
* Get the unsigned 16 bits integer corresponding to two bytes in
* big-endian order (MSB first).
*
* \param data Base address of the memory to get the two bytes from.
* \param offset Offset from \p base of the first and most significant
* byte of the two bytes to build the 16 bits unsigned
* integer from.
*/
#ifndef MBEDTLS_GET_UINT16_BE
#define MBEDTLS_GET_UINT16_BE( data, offset ) \
( \
( (uint16_t) ( data )[( offset ) ] << 8 ) \
| ( (uint16_t) ( data )[( offset ) + 1] ) \
)
#endif
/**
* Put in memory a 16 bits unsigned integer in big-endian order.
*
* \param n 16 bits unsigned integer to put in memory.
* \param data Base address of the memory where to put the 16
* bits unsigned integer in.
* \param offset Offset from \p base where to put the most significant
* byte of the 16 bits unsigned integer \p n.
*/
#ifndef MBEDTLS_PUT_UINT16_BE
#define MBEDTLS_PUT_UINT16_BE( n, data, offset ) \
{ \
( data )[( offset ) ] = MBEDTLS_BYTE_1( n ); \
( data )[( offset ) + 1] = MBEDTLS_BYTE_0( n ); \
}
#endif
/**
* Get the unsigned 64 bits integer corresponding to eight bytes in
* big-endian order (MSB first).
*
* \param data Base address of the memory to get the eight bytes from.
* \param offset Offset from \p base of the first and most significant
* byte of the eight bytes to build the 64 bits unsigned
* integer from.
*/
#ifndef MBEDTLS_GET_UINT64_BE
#define MBEDTLS_GET_UINT64_BE( data, offset ) \
( \
( (uint64_t) ( data )[( offset ) ] << 56 ) \
| ( (uint64_t) ( data )[( offset ) + 1] << 48 ) \
| ( (uint64_t) ( data )[( offset ) + 2] << 40 ) \
| ( (uint64_t) ( data )[( offset ) + 3] << 32 ) \
| ( (uint64_t) ( data )[( offset ) + 4] << 24 ) \
| ( (uint64_t) ( data )[( offset ) + 5] << 16 ) \
| ( (uint64_t) ( data )[( offset ) + 6] << 8 ) \
| ( (uint64_t) ( data )[( offset ) + 7] ) \
)
#endif
/**
* Put in memory a 64 bits unsigned integer in big-endian order.
*
* \param n 64 bits unsigned integer to put in memory.
* \param data Base address of the memory where to put the 64
* bits unsigned integer in.
* \param offset Offset from \p base where to put the most significant
* byte of the 64 bits unsigned integer \p n.
*/
#ifndef MBEDTLS_PUT_UINT64_BE
#define MBEDTLS_PUT_UINT64_BE( n, data, offset ) \
{ \
( data )[( offset ) ] = MBEDTLS_BYTE_7( n ); \
( data )[( offset ) + 1] = MBEDTLS_BYTE_6( n ); \
( data )[( offset ) + 2] = MBEDTLS_BYTE_5( n ); \
( data )[( offset ) + 3] = MBEDTLS_BYTE_4( n ); \
( data )[( offset ) + 4] = MBEDTLS_BYTE_3( n ); \
( data )[( offset ) + 5] = MBEDTLS_BYTE_2( n ); \
( data )[( offset ) + 6] = MBEDTLS_BYTE_1( n ); \
( data )[( offset ) + 7] = MBEDTLS_BYTE_0( n ); \
}
#endif
/**
* Get the unsigned 64 bits integer corresponding to eight bytes in
* little-endian order (LSB first).
*
* \param data Base address of the memory to get the eight bytes from.
* \param offset Offset from \p base of the first and least significant
* byte of the eight bytes to build the 64 bits unsigned
* integer from.
*/
#ifndef MBEDTLS_GET_UINT64_LE
#define MBEDTLS_GET_UINT64_LE( data, offset ) \
( \
( (uint64_t) ( data )[( offset ) + 7] << 56 ) \
| ( (uint64_t) ( data )[( offset ) + 6] << 48 ) \
| ( (uint64_t) ( data )[( offset ) + 5] << 40 ) \
| ( (uint64_t) ( data )[( offset ) + 4] << 32 ) \
| ( (uint64_t) ( data )[( offset ) + 3] << 24 ) \
| ( (uint64_t) ( data )[( offset ) + 2] << 16 ) \
| ( (uint64_t) ( data )[( offset ) + 1] << 8 ) \
| ( (uint64_t) ( data )[( offset ) ] ) \
)
#endif
/**
* Put in memory a 64 bits unsigned integer in little-endian order.
*
* \param n 64 bits unsigned integer to put in memory.
* \param data Base address of the memory where to put the 64
* bits unsigned integer in.
* \param offset Offset from \p base where to put the least significant
* byte of the 64 bits unsigned integer \p n.
*/
#ifndef MBEDTLS_PUT_UINT64_LE
#define MBEDTLS_PUT_UINT64_LE( n, data, offset ) \
{ \
( data )[( offset ) ] = MBEDTLS_BYTE_0( n ); \
( data )[( offset ) + 1] = MBEDTLS_BYTE_1( n ); \
( data )[( offset ) + 2] = MBEDTLS_BYTE_2( n ); \
( data )[( offset ) + 3] = MBEDTLS_BYTE_3( n ); \
( data )[( offset ) + 4] = MBEDTLS_BYTE_4( n ); \
( data )[( offset ) + 5] = MBEDTLS_BYTE_5( n ); \
( data )[( offset ) + 6] = MBEDTLS_BYTE_6( n ); \
( data )[( offset ) + 7] = MBEDTLS_BYTE_7( n ); \
}
#endif
#endif /* MBEDTLS_LIBRARY_COMMON_H */

7
library/ctr_drbg.c
View File

@@ -152,11 +152,8 @@ static int block_cipher_df( unsigned char *output,
* (Total is padded to a multiple of 16-bytes with zeroes)
*/
p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
*p++ = ( data_len >> 24 ) & 0xff;
*p++ = ( data_len >> 16 ) & 0xff;
*p++ = ( data_len >> 8 ) & 0xff;
*p++ = ( data_len ) & 0xff;
p += 3;
MBEDTLS_PUT_UINT32_BE( data_len, p, 0);
p += 4 + 3;
*p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
memcpy( p, data, data_len );
p[data_len] = 0x80;

43
library/des.c
View File

@@ -43,29 +43,6 @@
#if !defined(MBEDTLS_DES_ALT)
/*
* 32-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
}
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
}
#endif
/*
* Expanded DES S-boxes
*/
@@ -423,8 +400,8 @@ void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KE
int i;
uint32_t X, Y, T;
GET_UINT32_BE( X, key, 0 );
GET_UINT32_BE( Y, key, 4 );
X = MBEDTLS_GET_UINT32_BE( key, 0 );
Y = MBEDTLS_GET_UINT32_BE( key, 4 );
/*
* Permuted Choice 1
@@ -633,8 +610,8 @@ int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
SK = ctx->sk;
GET_UINT32_BE( X, input, 0 );
GET_UINT32_BE( Y, input, 4 );
X = MBEDTLS_GET_UINT32_BE( input, 0 );
Y = MBEDTLS_GET_UINT32_BE( input, 4 );
DES_IP( X, Y );
@@ -646,8 +623,8 @@ int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
DES_FP( Y, X );
PUT_UINT32_BE( Y, output, 0 );
PUT_UINT32_BE( X, output, 4 );
MBEDTLS_PUT_UINT32_BE( Y, output, 0 );
MBEDTLS_PUT_UINT32_BE( X, output, 4 );
return( 0 );
}
@@ -720,8 +697,8 @@ int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
SK = ctx->sk;
GET_UINT32_BE( X, input, 0 );
GET_UINT32_BE( Y, input, 4 );
X = MBEDTLS_GET_UINT32_BE( input, 0 );
Y = MBEDTLS_GET_UINT32_BE( input, 4 );
DES_IP( X, Y );
@@ -745,8 +722,8 @@ int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
DES_FP( Y, X );
PUT_UINT32_BE( Y, output, 0 );
PUT_UINT32_BE( X, output, 4 );
MBEDTLS_PUT_UINT32_BE( Y, output, 0 );
MBEDTLS_PUT_UINT32_BE( X, output, 4 );
return( 0 );
}

4
library/dhm.c
View File

@@ -270,8 +270,8 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ), \
p + 2, \
( n ) ) ); \
*p++ = (unsigned char)( ( n ) >> 8 ); \
*p++ = (unsigned char)( ( n ) ); \
*p++ = MBEDTLS_BYTE_1( n ); \
*p++ = MBEDTLS_BYTE_0( n ); \
p += ( n ); \
} while( 0 )

82
library/ecdh.c
View File

@@ -32,6 +32,8 @@
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "ecdh_misc.h"
#include <string.h>
/* Parameter validation macros based on platform_util.h */
@@ -726,4 +728,84 @@ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
#endif
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
static int ecdh_tls13_make_params_internal( mbedtls_ecdh_context_mbed *ctx,
size_t *olen, int point_format, unsigned char *buf, size_t blen,
int ( *f_rng )( void *, unsigned char *, size_t), void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ctx->grp.pbits == 0 )
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
f_rng, p_rng ) ) != 0 )
return( ret );
ret = mbedtls_ecp_point_write_binary( &ctx->grp, &ctx->Q, point_format,
olen, buf, blen );
if( ret != 0 )
return( ret );
return( 0 );
}
int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int ( *f_rng )( void *, unsigned char *, size_t ),
void *p_rng )
{
ECDH_VALIDATE_RET( ctx != NULL );
ECDH_VALIDATE_RET( olen != NULL );
ECDH_VALIDATE_RET( buf != NULL );
ECDH_VALIDATE_RET( f_rng != NULL );
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( ctx-> restart_enabled )
return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
#endif
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
return( ecdh_tls13_make_params_internal( ctx, olen, ctx->point_format,
buf, blen, f_rng, p_rng ) );
#else
switch( ctx->var )
{
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
case MBEDTLS_ECDH_VARIANT_EVEREST:
return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
#endif
case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
return( ecdh_tls13_make_params_internal( &ctx->ctx.mbed_ecdh, olen,
ctx->point_format, buf, blen,
f_rng, p_rng ) );
default:
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
#endif
}
/*
* Setup context without Everest
*/
int mbedtls_ecdh_setup_no_everest( mbedtls_ecdh_context *ctx,
mbedtls_ecp_group_id grp_id )
{
ECDH_VALIDATE_RET( ctx != NULL );
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
return( ecdh_setup_internal( ctx, grp_id ) );
#else
ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
ctx->grp_id = grp_id;
ecdh_init_internal( &ctx->ctx.mbed_ecdh );
return( ecdh_setup_internal( &ctx->ctx.mbed_ecdh, grp_id ) );
#endif
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_ECDH_C */

51
library/ecdh_misc.h Normal file
View File

@@ -0,0 +1,51 @@
/**
* \file ecdh_misc.h
*
* \brief Internal functions shared by the ECDH module
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 ( the "License" ); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#if !defined(MBEDTLS_ECDH_MISC_H)
#define MBEDTLS_ECDH_MISC_H
#include "mbedtls/ecdh.h"
#include "mbedtls/ecp.h"
#if defined(MBEDTLS_ECDH_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*
* Setup context without Everest
*/
int mbedtls_ecdh_setup_no_everest( mbedtls_ecdh_context *ctx,
mbedtls_ecp_group_id grp_id );
/*
* TLS 1.3 version of mbedtls_ecdh_make_params in ecdh.h
*/
int mbedtls_ecdh_tls13_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
unsigned char *buf, size_t blen,
int ( *f_rng )( void *, unsigned char *, size_t ),
void *p_rng );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_ECDH_C */
#endif /* !MBEDTLS_ECDH_MISC_H */

13
library/ecjpake.c
View File

@@ -180,10 +180,7 @@ static int ecjpake_write_len_point( unsigned char **p,
if( ret != 0 )
return( ret );
(*p)[0] = (unsigned char)( ( len >> 24 ) & 0xFF );
(*p)[1] = (unsigned char)( ( len >> 16 ) & 0xFF );
(*p)[2] = (unsigned char)( ( len >> 8 ) & 0xFF );
(*p)[3] = (unsigned char)( ( len ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( len, *p, 0 );
*p += 4 + len;
@@ -223,10 +220,8 @@ static int ecjpake_hash( const mbedtls_md_info_t *md_info,
if( end - p < 4 )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
*p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( id_len >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( id_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( id_len ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( id_len, p, 0 );
p += 4;
if( end < p || (size_t)( end - p ) < id_len )
return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
@@ -366,7 +361,7 @@ static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info,
goto cleanup;
}
*(*p)++ = (unsigned char)( len & 0xFF );
*(*p)++ = MBEDTLS_BYTE_0( len );
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */
*p += len;

3
library/ecp.c
View File

@@ -1012,8 +1012,7 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
/*
* Next two bytes are the namedcurve value
*/
buf[0] = curve_info->tls_id >> 8;
buf[1] = curve_info->tls_id & 0xFF;
MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, buf, 0 );
return( 0 );
}

57
library/gcm.c
View File

@@ -58,29 +58,6 @@
#define GCM_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
/*
* 32-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
}
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
}
#endif
/*
* Initialize a context
*/
@@ -111,12 +88,12 @@ static int gcm_gen_table( mbedtls_gcm_context *ctx )
return( ret );
/* pack h as two 64-bits ints, big-endian */
GET_UINT32_BE( hi, h, 0 );
GET_UINT32_BE( lo, h, 4 );
hi = MBEDTLS_GET_UINT32_BE( h, 0 );
lo = MBEDTLS_GET_UINT32_BE( h, 4 );
vh = (uint64_t) hi << 32 | lo;
GET_UINT32_BE( hi, h, 8 );
GET_UINT32_BE( lo, h, 12 );
hi = MBEDTLS_GET_UINT32_BE( h, 8 );
lo = MBEDTLS_GET_UINT32_BE( h, 12 );
vl = (uint64_t) hi << 32 | lo;
/* 8 = 1000 corresponds to 1 in GF(2^128) */
@@ -223,10 +200,10 @@ static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
unsigned char h[16];
PUT_UINT32_BE( ctx->HH[8] >> 32, h, 0 );
PUT_UINT32_BE( ctx->HH[8], h, 4 );
PUT_UINT32_BE( ctx->HL[8] >> 32, h, 8 );
PUT_UINT32_BE( ctx->HL[8], h, 12 );
MBEDTLS_PUT_UINT32_BE( ctx->HH[8] >> 32, h, 0 );
MBEDTLS_PUT_UINT32_BE( ctx->HH[8], h, 4 );
MBEDTLS_PUT_UINT32_BE( ctx->HL[8] >> 32, h, 8 );
MBEDTLS_PUT_UINT32_BE( ctx->HL[8], h, 12 );
mbedtls_aesni_gcm_mult( output, x, h );
return;
@@ -262,10 +239,10 @@ static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
zl ^= ctx->HL[hi];
}
PUT_UINT32_BE( zh >> 32, output, 0 );
PUT_UINT32_BE( zh, output, 4 );
PUT_UINT32_BE( zl >> 32, output, 8 );
PUT_UINT32_BE( zl, output, 12 );
MBEDTLS_PUT_UINT32_BE( zh >> 32, output, 0 );
MBEDTLS_PUT_UINT32_BE( zh, output, 4 );
MBEDTLS_PUT_UINT32_BE( zl >> 32, output, 8 );
MBEDTLS_PUT_UINT32_BE( zl, output, 12 );
}
int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
@@ -301,7 +278,7 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
else
{
memset( work_buf, 0x00, 16 );
PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
MBEDTLS_PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
p = iv;
while( iv_len > 0 )
@@ -569,10 +546,10 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
{
memset( work_buf, 0x00, 16 );
PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0 );
PUT_UINT32_BE( ( orig_add_len ), work_buf, 4 );
PUT_UINT32_BE( ( orig_len >> 32 ), work_buf, 8 );
PUT_UINT32_BE( ( orig_len ), work_buf, 12 );
MBEDTLS_PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0 );
MBEDTLS_PUT_UINT32_BE( ( orig_add_len ), work_buf, 4 );
MBEDTLS_PUT_UINT32_BE( ( orig_len >> 32 ), work_buf, 8 );
MBEDTLS_PUT_UINT32_BE( ( orig_len ), work_buf, 12 );
for( i = 0; i < 16; i++ )
ctx->buf[i] ^= work_buf[i];

67
library/md5.c
View File

@@ -43,29 +43,6 @@
#if !defined(MBEDTLS_MD5_ALT)
/*
* 32-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT32_LE
#define GET_UINT32_LE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
void mbedtls_md5_init( mbedtls_md5_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_md5_context ) );
@@ -110,22 +87,22 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
uint32_t X[16], A, B, C, D;
} local;
GET_UINT32_LE( local.X[ 0], data, 0 );
GET_UINT32_LE( local.X[ 1], data, 4 );
GET_UINT32_LE( local.X[ 2], data, 8 );
GET_UINT32_LE( local.X[ 3], data, 12 );
GET_UINT32_LE( local.X[ 4], data, 16 );
GET_UINT32_LE( local.X[ 5], data, 20 );
GET_UINT32_LE( local.X[ 6], data, 24 );
GET_UINT32_LE( local.X[ 7], data, 28 );
GET_UINT32_LE( local.X[ 8], data, 32 );
GET_UINT32_LE( local.X[ 9], data, 36 );
GET_UINT32_LE( local.X[10], data, 40 );
GET_UINT32_LE( local.X[11], data, 44 );
GET_UINT32_LE( local.X[12], data, 48 );
GET_UINT32_LE( local.X[13], data, 52 );
GET_UINT32_LE( local.X[14], data, 56 );
GET_UINT32_LE( local.X[15], data, 60 );
local.X[ 0] = MBEDTLS_GET_UINT32_LE( data, 0 );
local.X[ 1] = MBEDTLS_GET_UINT32_LE( data, 4 );
local.X[ 2] = MBEDTLS_GET_UINT32_LE( data, 8 );
local.X[ 3] = MBEDTLS_GET_UINT32_LE( data, 12 );
local.X[ 4] = MBEDTLS_GET_UINT32_LE( data, 16 );
local.X[ 5] = MBEDTLS_GET_UINT32_LE( data, 20 );
local.X[ 6] = MBEDTLS_GET_UINT32_LE( data, 24 );
local.X[ 7] = MBEDTLS_GET_UINT32_LE( data, 28 );
local.X[ 8] = MBEDTLS_GET_UINT32_LE( data, 32 );
local.X[ 9] = MBEDTLS_GET_UINT32_LE( data, 36 );
local.X[10] = MBEDTLS_GET_UINT32_LE( data, 40 );
local.X[11] = MBEDTLS_GET_UINT32_LE( data, 44 );
local.X[12] = MBEDTLS_GET_UINT32_LE( data, 48 );
local.X[13] = MBEDTLS_GET_UINT32_LE( data, 52 );
local.X[14] = MBEDTLS_GET_UINT32_LE( data, 56 );
local.X[15] = MBEDTLS_GET_UINT32_LE( data, 60 );
#define S(x,n) \
( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
@@ -330,8 +307,8 @@ int mbedtls_md5_finish( mbedtls_md5_context *ctx,
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32_LE( low, ctx->buffer, 56 );
PUT_UINT32_LE( high, ctx->buffer, 60 );
MBEDTLS_PUT_UINT32_LE( low, ctx->buffer, 56 );
MBEDTLS_PUT_UINT32_LE( high, ctx->buffer, 60 );
if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
return( ret );
@@ -339,10 +316,10 @@ int mbedtls_md5_finish( mbedtls_md5_context *ctx,
/*
* Output final state
*/
PUT_UINT32_LE( ctx->state[0], output, 0 );
PUT_UINT32_LE( ctx->state[1], output, 4 );
PUT_UINT32_LE( ctx->state[2], output, 8 );
PUT_UINT32_LE( ctx->state[3], output, 12 );
MBEDTLS_PUT_UINT32_LE( ctx->state[0], output, 0 );
MBEDTLS_PUT_UINT32_LE( ctx->state[1], output, 4 );
MBEDTLS_PUT_UINT32_LE( ctx->state[2], output, 8 );
MBEDTLS_PUT_UINT32_LE( ctx->state[3], output, 12 );
return( 0 );
}

24
library/nist_kw.c
View File

@@ -77,26 +77,6 @@ static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
/*! The 32-bit default integrity check value (ICV) for KWP mode. */
static const unsigned char NIST_KW_ICV2[] = {0xA6, 0x59, 0x59, 0xA6};
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
do { \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
} while( 0 )
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
do { \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
} while( 0 )
#endif
/*
* Initialize context
*/
@@ -243,7 +223,7 @@ int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx,
}
memcpy( output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2 );
PUT_UINT32_BE( ( in_len & 0xffffffff ), output,
MBEDTLS_PUT_UINT32_BE( ( in_len & 0xffffffff ), output,
KW_SEMIBLOCK_LENGTH / 2 );
memcpy( output + KW_SEMIBLOCK_LENGTH, input, in_len );
@@ -474,7 +454,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
}
GET_UINT32_BE( Plen, A, KW_SEMIBLOCK_LENGTH / 2 );
Plen = MBEDTLS_GET_UINT32_BE( A, KW_SEMIBLOCK_LENGTH / 2 );
/*
* Plen is the length of the plaintext, when the input is valid.

8
library/pkcs12.c
View File

@@ -285,8 +285,8 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
for( i = v; i > 0; i-- )
{
j = salt_block[i - 1] + hash_block[i - 1] + c;
c = (unsigned char) (j >> 8);
salt_block[i - 1] = j & 0xFF;
c = MBEDTLS_BYTE_1( j );
salt_block[i - 1] = MBEDTLS_BYTE_0( j );
}
// pwd_block += B
@@ -294,8 +294,8 @@ int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
for( i = v; i > 0; i-- )
{
j = pwd_block[i - 1] + hash_block[i - 1] + c;
c = (unsigned char) (j >> 8);
pwd_block[i - 1] = j & 0xFF;
c = MBEDTLS_BYTE_1( j );
pwd_block[i - 1] = MBEDTLS_BYTE_0( j );
}
}

4
library/pkparse.c
View File

@@ -1370,8 +1370,8 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
}
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
if( ( ret = pk_parse_key_pkcs8_unencrypted_der(
pk, key, keylen, f_rng, p_rng ) ) == 0 )
ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen, f_rng, p_rng );
if( ret == 0 )
{
return( 0 );
}

51
library/poly1305.c
View File

@@ -52,13 +52,6 @@
#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
#define BYTES_TO_U32_LE( data, offset ) \
( (uint32_t) (data)[offset] \
| (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 ) \
| (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 ) \
| (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 ) \
)
/*
* Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
* However we provided an alternative for platforms without such a multiplier.
@@ -129,10 +122,10 @@ static void poly1305_process( mbedtls_poly1305_context *ctx,
for( i = 0U; i < nblocks; i++ )
{
/* The input block is treated as a 128-bit little-endian integer */
d0 = BYTES_TO_U32_LE( input, offset + 0 );
d1 = BYTES_TO_U32_LE( input, offset + 4 );
d2 = BYTES_TO_U32_LE( input, offset + 8 );
d3 = BYTES_TO_U32_LE( input, offset + 12 );
d0 = MBEDTLS_GET_UINT32_LE( input, offset + 0 );
d1 = MBEDTLS_GET_UINT32_LE( input, offset + 4 );
d2 = MBEDTLS_GET_UINT32_LE( input, offset + 8 );
d3 = MBEDTLS_GET_UINT32_LE( input, offset + 12 );
/* Compute: acc += (padded) block as a 130-bit integer */
d0 += (uint64_t) acc0;
@@ -257,22 +250,10 @@ static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
/* Compute MAC (128 least significant bits of the accumulator) */
mac[ 0] = (unsigned char)( acc0 );
mac[ 1] = (unsigned char)( acc0 >> 8 );
mac[ 2] = (unsigned char)( acc0 >> 16 );
mac[ 3] = (unsigned char)( acc0 >> 24 );
mac[ 4] = (unsigned char)( acc1 );
mac[ 5] = (unsigned char)( acc1 >> 8 );
mac[ 6] = (unsigned char)( acc1 >> 16 );
mac[ 7] = (unsigned char)( acc1 >> 24 );
mac[ 8] = (unsigned char)( acc2 );
mac[ 9] = (unsigned char)( acc2 >> 8 );
mac[10] = (unsigned char)( acc2 >> 16 );
mac[11] = (unsigned char)( acc2 >> 24 );
mac[12] = (unsigned char)( acc3 );
mac[13] = (unsigned char)( acc3 >> 8 );
mac[14] = (unsigned char)( acc3 >> 16 );
mac[15] = (unsigned char)( acc3 >> 24 );
MBEDTLS_PUT_UINT32_LE( acc0, mac, 0 );
MBEDTLS_PUT_UINT32_LE( acc1, mac, 4 );
MBEDTLS_PUT_UINT32_LE( acc2, mac, 8 );
MBEDTLS_PUT_UINT32_LE( acc3, mac, 12 );
}
void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
@@ -297,15 +278,15 @@ int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
POLY1305_VALIDATE_RET( key != NULL );
/* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
ctx->r[0] = BYTES_TO_U32_LE( key, 0 ) & 0x0FFFFFFFU;
ctx->r[1] = BYTES_TO_U32_LE( key, 4 ) & 0x0FFFFFFCU;
ctx->r[2] = BYTES_TO_U32_LE( key, 8 ) & 0x0FFFFFFCU;
ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
ctx->r[0] = MBEDTLS_GET_UINT32_LE( key, 0 ) & 0x0FFFFFFFU;
ctx->r[1] = MBEDTLS_GET_UINT32_LE( key, 4 ) & 0x0FFFFFFCU;
ctx->r[2] = MBEDTLS_GET_UINT32_LE( key, 8 ) & 0x0FFFFFFCU;
ctx->r[3] = MBEDTLS_GET_UINT32_LE( key, 12 ) & 0x0FFFFFFCU;
ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
ctx->s[0] = MBEDTLS_GET_UINT32_LE( key, 16 );
ctx->s[1] = MBEDTLS_GET_UINT32_LE( key, 20 );
ctx->s[2] = MBEDTLS_GET_UINT32_LE( key, 24 );
ctx->s[3] = MBEDTLS_GET_UINT32_LE( key, 28 );
/* Initial accumulator state */
ctx->acc[0] = 0U;

188
library/psa_crypto.c
View File

@@ -322,13 +322,6 @@ psa_status_t mbedtls_to_psa_error( int ret )
/* Key management */
/****************************************************************/
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
static inline int psa_key_slot_is_external( const psa_key_slot_t *slot )
{
return( psa_key_lifetime_is_external( slot->attr.lifetime ) );
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the
* current test driver in key_management.c is using this function
* when accelerators are used for ECC key pair and public key.
@@ -437,7 +430,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) ||
* defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */
static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type,
psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type,
size_t bits )
{
/* Check that the bit size is acceptable for the key type */
@@ -565,16 +558,8 @@ psa_status_t psa_import_key_into_slot(
{
*bits = PSA_BYTES_TO_BITS( data_length );
/* Ensure that the bytes-to-bits conversion hasn't overflown. */
if( data_length > SIZE_MAX / 8 )
return( PSA_ERROR_NOT_SUPPORTED );
/* Enforce a size limit, and in particular ensure that the bit
* size fits in its representation type. */
if( ( *bits ) > PSA_MAX_KEY_BITS )
return( PSA_ERROR_NOT_SUPPORTED );
status = validate_unstructured_key_bit_size( type, *bits );
status = psa_validate_unstructured_key_bit_size( attributes->core.type,
*bits );
if( status != PSA_SUCCESS )
return( status );
@@ -944,16 +929,16 @@ error:
/** Get a key slot containing a transparent key and lock it.
*
* A transparent key is a key for which the key material is directly
* available, as opposed to a key in a secure element.
* available, as opposed to a key in a secure element and/or to be used
* by a secure element.
*
* This is a temporary function to use instead of
* psa_get_and_lock_key_slot_with_policy() until secure element support is
* fully implemented.
* This is a temporary function that may be used instead of
* psa_get_and_lock_key_slot_with_policy() when there is no opaque key support
* for a cryptographic operation.
*
* On success, the returned key slot is locked. It is the responsibility of the
* caller to unlock the key slot when it does not access it anymore.
*/
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
mbedtls_svc_key_id_t key,
psa_key_slot_t **p_slot,
@@ -965,7 +950,7 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
if( status != PSA_SUCCESS )
return( status );
if( psa_key_slot_is_external( *p_slot ) )
if( psa_key_lifetime_is_external( (*p_slot)->attr.lifetime ) )
{
psa_unlock_key_slot( *p_slot );
*p_slot = NULL;
@@ -974,11 +959,6 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
return( PSA_SUCCESS );
}
#else /* MBEDTLS_PSA_CRYPTO_SE_C */
/* With no secure element support, all keys are transparent. */
#define psa_get_and_lock_transparent_key_slot_with_policy( key, p_slot, usage, alg ) \
psa_get_and_lock_key_slot_with_policy( key, p_slot, usage, alg )
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
{
@@ -1206,7 +1186,7 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key,
MBEDTLS_PSA_KA_MASK_DUAL_USE );
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_key_slot_is_external( slot ) )
if( psa_get_se_driver_entry( slot->attr.lifetime ) != NULL )
psa_set_key_slot_number( attributes,
psa_key_slot_get_slot_number( slot ) );
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
@@ -1217,14 +1197,11 @@ psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key,
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
case PSA_KEY_TYPE_RSA_KEY_PAIR:
case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/* TODO: reporting the public exponent for opaque keys
* is not yet implemented.
* https://github.com/ARMmbed/mbed-crypto/issues/216
*/
if( psa_key_slot_is_external( slot ) )
break;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
if( ! psa_key_lifetime_is_external( slot->attr.lifetime ) )
{
mbedtls_rsa_context *rsa = NULL;
@@ -1906,6 +1883,7 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
psa_key_slot_t *slot = NULL;
psa_se_drv_table_entry_t *driver = NULL;
size_t bits;
size_t storage_size = data_length;
*key = MBEDTLS_SVC_KEY_ID_INIT;
@@ -1915,18 +1893,29 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
if( data_length == 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
/* Ensure that the bytes-to-bits conversion cannot overflow. */
if( data_length > SIZE_MAX / 8 )
return( PSA_ERROR_NOT_SUPPORTED );
status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes,
&slot, &driver );
if( status != PSA_SUCCESS )
goto exit;
/* In the case of a transparent key or an opaque key stored in local
* storage (thus not in the case of generating a key in a secure element
* or cryptoprocessor with storage), we have to allocate a buffer to
* hold the generated key material. */
* storage ( thus not in the case of importing a key in a secure element
* with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
* buffer to hold the imported key material. */
if( slot->key.data == NULL )
{
status = psa_allocate_buffer_to_slot( slot, data_length );
if( psa_key_lifetime_is_external( attributes->core.lifetime ) )
{
status = psa_driver_wrapper_get_key_buffer_size_from_key_data(
attributes, data, data_length, &storage_size );
if( status != PSA_SUCCESS )
goto exit;
}
status = psa_allocate_buffer_to_slot( slot, storage_size );
if( status != PSA_SUCCESS )
goto exit;
}
@@ -1948,6 +1937,13 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
goto exit;
}
/* Enforce a size limit, and in particular ensure that the bit
* size fits in its representation type.*/
if( bits > PSA_MAX_KEY_BITS )
{
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
status = psa_validate_optional_attributes( slot, attributes );
if( status != PSA_SUCCESS )
goto exit;
@@ -1995,21 +1991,6 @@ exit:
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
psa_key_slot_t *target )
{
psa_status_t status = psa_copy_key_material_into_slot( target,
source->key.data,
source->key.bytes );
if( status != PSA_SUCCESS )
return( status );
target->attr.type = source->attr.type;
target->attr.bits = source->attr.bits;
return( PSA_SUCCESS );
}
psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
const psa_key_attributes_t *specified_attributes,
mbedtls_svc_key_id_t *target_key )
@@ -2020,10 +2001,11 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
psa_key_slot_t *target_slot = NULL;
psa_key_attributes_t actual_attributes = *specified_attributes;
psa_se_drv_table_entry_t *driver = NULL;
size_t storage_size = 0;
*target_key = MBEDTLS_SVC_KEY_ID_INIT;
status = psa_get_and_lock_transparent_key_slot_with_policy(
status = psa_get_and_lock_key_slot_with_policy(
source_key, &source_slot, PSA_KEY_USAGE_COPY, 0 );
if( status != PSA_SUCCESS )
goto exit;
@@ -2033,6 +2015,15 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
if( status != PSA_SUCCESS )
goto exit;
/* The target key type and number of bits have been validated by
* psa_validate_optional_attributes() to be either equal to zero or
* equal to the ones of the source key. So it is safe to inherit
* them from the source key now."
* */
actual_attributes.core.bits = source_slot->attr.bits;
actual_attributes.core.type = source_slot->attr.type;
status = psa_restrict_key_policy( source_slot->attr.type,
&actual_attributes.core.policy,
&source_slot->attr.policy );
@@ -2043,31 +2034,53 @@ psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
&target_slot, &driver );
if( status != PSA_SUCCESS )
goto exit;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( driver != NULL )
if( PSA_KEY_LIFETIME_GET_LOCATION( target_slot->attr.lifetime ) !=
PSA_KEY_LIFETIME_GET_LOCATION( source_slot->attr.lifetime ) )
{
/* Copying to a secure element is not implemented yet. */
/*
* If the source and target keys are stored in different locations,
* the source key would need to be exported as plaintext and re-imported
* in the other location. This has security implications which have not
* been fully mapped. For now, this can be achieved through
* appropriate API invocations from the application, if needed.
* */
status = PSA_ERROR_NOT_SUPPORTED;
goto exit;
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/*
* When the source and target keys are within the same location,
* - For transparent keys it is a blind copy without any driver invocation,
* - For opaque keys this translates to an invocation of the drivers'
* copy_key entry point through the dispatch layer.
* */
if( psa_key_lifetime_is_external( actual_attributes.core.lifetime ) )
{
/*
* Copying through an opaque driver is not implemented yet, consider
* a lifetime with an external location as an invalid parameter for
* now.
*/
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = psa_copy_key_material( source_slot, target_slot );
status = psa_driver_wrapper_get_key_buffer_size( &actual_attributes,
&storage_size );
if( status != PSA_SUCCESS )
goto exit;
status = psa_allocate_buffer_to_slot( target_slot, storage_size );
if( status != PSA_SUCCESS )
goto exit;
status = psa_driver_wrapper_copy_key( &actual_attributes,
source_slot->key.data,
source_slot->key.bytes,
target_slot->key.data,
target_slot->key.bytes,
&target_slot->key.bytes );
if( status != PSA_SUCCESS )
goto exit;
}
else
{
status = psa_copy_key_material_into_slot( target_slot,
source_slot->key.data,
source_slot->key.bytes );
if( status != PSA_SUCCESS )
goto exit;
}
status = psa_finish_key_creation( target_slot, driver, target_key );
exit:
if( status != PSA_SUCCESS )
@@ -2329,7 +2342,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
status = psa_get_and_lock_key_slot_with_policy(
key,
&slot,
is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH,
is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
alg );
if( status != PSA_SUCCESS )
goto exit;
@@ -2514,8 +2527,9 @@ static psa_status_t psa_mac_compute_internal( mbedtls_svc_key_id_t key,
uint8_t operation_mac_size = 0;
status = psa_get_and_lock_key_slot_with_policy(
key, &slot,
is_sign ? PSA_KEY_USAGE_SIGN_HASH : PSA_KEY_USAGE_VERIFY_HASH,
key,
&slot,
is_sign ? PSA_KEY_USAGE_SIGN_MESSAGE : PSA_KEY_USAGE_VERIFY_MESSAGE,
alg );
if( status != PSA_SUCCESS )
goto exit;
@@ -4156,6 +4170,7 @@ static psa_status_t psa_generate_derived_key_internal(
{
uint8_t *data = NULL;
size_t bytes = PSA_BITS_TO_BYTES( bits );
size_t storage_size = bytes;
psa_status_t status;
if( ! key_type_is_raw_bytes( slot->attr.type ) )
@@ -4174,15 +4189,22 @@ static psa_status_t psa_generate_derived_key_internal(
psa_des_set_key_parity( data, bytes );
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */
status = psa_allocate_buffer_to_slot( slot, bytes );
if( status != PSA_SUCCESS )
goto exit;
slot->attr.bits = (psa_key_bits_t) bits;
psa_key_attributes_t attributes = {
.core = slot->attr
};
if( psa_key_lifetime_is_external( attributes.core.lifetime ) )
{
status = psa_driver_wrapper_get_key_buffer_size( &attributes,
&storage_size );
if( status != PSA_SUCCESS )
goto exit;
}
status = psa_allocate_buffer_to_slot( slot, storage_size );
if( status != PSA_SUCCESS )
goto exit;
status = psa_driver_wrapper_import_key( &attributes,
data, bytes,
slot->key.data,
@@ -4506,8 +4528,8 @@ static psa_status_t psa_tls12_prf_psk_to_ms_set_key(
* uint16 with the value N, and the PSK itself.
*/
*cur++ = ( data_length >> 8 ) & 0xff;
*cur++ = ( data_length >> 0 ) & 0xff;
*cur++ = MBEDTLS_BYTE_1( data_length );
*cur++ = MBEDTLS_BYTE_0( data_length );
memset( cur, 0, data_length );
cur += data_length;
*cur++ = pms[0];
@@ -5061,7 +5083,7 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation(
if( key_type_is_raw_bytes( type ) )
{
status = validate_unstructured_key_bit_size( type, bits );
status = psa_validate_unstructured_key_bit_size( type, bits );
if( status != PSA_SUCCESS )
return( status );
}
@@ -5171,9 +5193,9 @@ psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
goto exit;
/* In the case of a transparent key or an opaque key stored in local
* storage (thus not in the case of generating a key in a secure element
* or cryptoprocessor with storage), we have to allocate a buffer to
* hold the generated key material. */
* storage ( thus not in the case of generating a key in a secure element
* with storage ( MBEDTLS_PSA_CRYPTO_SE_C ) ),we have to allocate a
* buffer to hold the generated key material. */
if( slot->key.data == NULL )
{
if ( PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ) ==

31
library/psa_crypto_cipher.c
View File

@@ -255,16 +255,34 @@ static psa_status_t cipher_set_iv( mbedtls_psa_cipher_operation_t *operation,
iv, iv_length ) ) );
}
/* Process input for which the algorithm is set to ECB mode. This requires
* manual processing, since the PSA API is defined as being able to process
* arbitrary-length calls to psa_cipher_update() with ECB mode, but the
* underlying mbedtls_cipher_update only takes full blocks. */
/** Process input for which the algorithm is set to ECB mode.
*
* This requires manual processing, since the PSA API is defined as being
* able to process arbitrary-length calls to psa_cipher_update() with ECB mode,
* but the underlying mbedtls_cipher_update only takes full blocks.
*
* \param ctx The mbedtls cipher context to use. It must have been
* set up for ECB.
* \param[in] input The input plaintext or ciphertext to process.
* \param input_length The number of bytes to process from \p input.
* This does not need to be aligned to a block boundary.
* If there is a partial block at the end of the input,
* it is stored in \p ctx for future processing.
* \param output The buffer where the output is written. It must be
* at least `BS * floor((p + input_length) / BS)` bytes
* long, where `p` is the number of bytes in the
* unprocessed partial block in \p ctx (with
* `0 <= p <= BS - 1`) and `BS` is the block size.
* \param output_length On success, the number of bytes written to \p output.
* \c 0 on error.
*
* \return #PSA_SUCCESS or an error from a hardware accelerator
*/
static psa_status_t psa_cipher_update_ecb(
mbedtls_cipher_context_t *ctx,
const uint8_t *input,
size_t input_length,
uint8_t *output,
size_t output_size,
size_t *output_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@@ -304,7 +322,6 @@ static psa_status_t psa_cipher_update_ecb(
goto exit;
output += internal_output_length;
output_size -= internal_output_length;
*output_length += internal_output_length;
ctx->unprocessed_len = 0;
}
@@ -325,7 +342,6 @@ static psa_status_t psa_cipher_update_ecb(
input += block_size;
output += internal_output_length;
output_size -= internal_output_length;
*output_length += internal_output_length;
}
@@ -380,7 +396,6 @@ static psa_status_t cipher_update( mbedtls_psa_cipher_operation_t *operation,
input,
input_length,
output,
output_size,
output_length );
}
else

19
library/psa_crypto_core.h
View File

@@ -528,4 +528,23 @@ psa_status_t psa_verify_hash_builtin(
psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
const uint8_t *signature, size_t signature_length );
/**
* \brief Validate the key bit size for unstructured keys.
*
* \note Check that the bit size is acceptable for a given key type for
* unstructured keys.
*
* \param[in] type The key type
* \param[in] bits The number of bits of the key
*
* \retval #PSA_SUCCESS
* The key type and size are valid.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The size in bits of the key is not valid.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The type and/or the size in bits of the key or the combination of
* the two is not supported.
*/
psa_status_t psa_validate_unstructured_key_bit_size( psa_key_type_t type,
size_t bits );
#endif /* PSA_CRYPTO_CORE_H */

110
library/psa_crypto_driver_wrappers.c
View File

@@ -380,8 +380,49 @@ psa_status_t psa_driver_wrapper_verify_hash(
}
}
/** Calculate the key buffer size required to store the key material of a key
* associated with an opaque driver from input key data.
*
* \param[in] attributes The key attributes
* \param[in] data The input key data.
* \param[in] data_length The input data length.
* \param[out] key_buffer_size Minimum buffer size to contain the key material.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \retval #PSA_ERROR_NOT_SUPPORTED
*/
psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
size_t *key_buffer_size )
{
psa_key_location_t location =
PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
psa_key_type_t key_type = attributes->core.type;
*key_buffer_size = 0;
switch( location )
{
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
*key_buffer_size = mbedtls_test_opaque_size_function( key_type,
PSA_BYTES_TO_BITS( data_length ) );
return( ( *key_buffer_size != 0 ) ?
PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_DRIVER_TEST */
default:
(void)key_type;
(void)data;
(void)data_length;
return( PSA_ERROR_INVALID_ARGUMENT );
}
}
/** Get the key buffer size required to store the key material of a key
* associated with an opaque driver without storage.
* associated with an opaque driver.
*
* \param[in] attributes The key attributes.
* \param[out] key_buffer_size Minimum buffer size to contain the key material
@@ -389,11 +430,11 @@ psa_status_t psa_driver_wrapper_verify_hash(
* \retval #PSA_SUCCESS
* The minimum size for a buffer to contain the key material has been
* returned successfully.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The size in bits of the key is not valid.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The type and/or the size in bits of the key or the combination of
* the two is not supported.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key is declared with a lifetime not known to us.
*/
psa_status_t psa_driver_wrapper_get_key_buffer_size(
const psa_key_attributes_t *attributes,
@@ -418,7 +459,8 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
*key_buffer_size = mbedtls_test_size_function( key_type, key_bits );
*key_buffer_size = mbedtls_test_opaque_size_function( key_type,
key_bits );
return( ( *key_buffer_size != 0 ) ?
PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -426,7 +468,7 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
default:
(void)key_type;
(void)key_bits;
return( PSA_ERROR_NOT_SUPPORTED );
return( PSA_ERROR_INVALID_ARGUMENT );
}
}
@@ -566,10 +608,18 @@ psa_status_t psa_driver_wrapper_import_key(
data, data_length,
key_buffer, key_buffer_size,
key_buffer_length, bits ) );
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( mbedtls_test_opaque_import_key(
attributes,
data, data_length,
key_buffer, key_buffer_size,
key_buffer_length, bits ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
/* Importing a key with external storage in not yet supported.
* Return in error indicating that the lifetime is not valid. */
(void)status;
return( PSA_ERROR_INVALID_ARGUMENT );
}
@@ -733,6 +783,50 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
}
}
psa_status_t psa_driver_wrapper_copy_key(
psa_key_attributes_t *attributes,
const uint8_t *source_key, size_t source_key_length,
uint8_t *target_key_buffer, size_t target_key_buffer_size,
size_t *target_key_buffer_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location =
PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
const psa_drv_se_t *drv;
psa_drv_se_context_t *drv_context;
if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
{
/* Copying to a secure element is not implemented yet. */
return( PSA_ERROR_NOT_SUPPORTED );
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
switch( location )
{
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( mbedtls_test_opaque_copy_key( attributes, source_key,
source_key_length,
target_key_buffer,
target_key_buffer_size,
target_key_buffer_length) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
default:
(void)source_key;
(void)source_key_length;
(void)target_key_buffer;
(void)target_key_buffer_size;
(void)target_key_buffer_length;
status = PSA_ERROR_INVALID_ARGUMENT;
}
return( status );
}
/*
* Cipher functions
*/

11
library/psa_crypto_driver_wrappers.h
View File

@@ -85,6 +85,12 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
const psa_key_attributes_t *attributes,
size_t *key_buffer_size );
psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
size_t *key_buffer_size );
psa_status_t psa_driver_wrapper_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length );
@@ -94,6 +100,11 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length );
psa_status_t psa_driver_wrapper_copy_key(
psa_key_attributes_t *attributes,
const uint8_t *source_key, size_t source_key_length,
uint8_t *target_key_buffer, size_t target_key_buffer_size,
size_t *target_key_buffer_length );
/*
* Cipher functions
*/

4
library/psa_crypto_ecp.c
View File

@@ -572,7 +572,7 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
psa_status_t mbedtls_transparent_test_driver_ecp_import_key(
psa_status_t mbedtls_test_driver_ecp_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, size_t data_length,
uint8_t *key_buffer, size_t key_buffer_size,
@@ -583,7 +583,7 @@ psa_status_t mbedtls_transparent_test_driver_ecp_import_key(
key_buffer_length, bits ) );
}
psa_status_t mbedtls_transparent_test_driver_ecp_export_public_key(
psa_status_t mbedtls_test_driver_ecp_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
uint8_t *data, size_t data_size, size_t *data_length )

4
library/psa_crypto_ecp.h
View File

@@ -224,13 +224,13 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
#if defined(PSA_CRYPTO_DRIVER_TEST)
psa_status_t mbedtls_transparent_test_driver_ecp_import_key(
psa_status_t mbedtls_test_driver_ecp_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, size_t data_length,
uint8_t *key_buffer, size_t key_buffer_size,
size_t *key_buffer_length, size_t *bits );
psa_status_t mbedtls_transparent_test_driver_ecp_export_public_key(
psa_status_t mbedtls_test_driver_ecp_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
uint8_t *data, size_t data_size, size_t *data_length );

4
library/psa_crypto_rsa.c
View File

@@ -611,7 +611,7 @@ psa_status_t mbedtls_psa_rsa_verify_hash(
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
psa_status_t mbedtls_transparent_test_driver_rsa_import_key(
psa_status_t mbedtls_test_driver_rsa_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, size_t data_length,
uint8_t *key_buffer, size_t key_buffer_size,
@@ -622,7 +622,7 @@ psa_status_t mbedtls_transparent_test_driver_rsa_import_key(
key_buffer_length, bits ) );
}
psa_status_t mbedtls_transparent_test_driver_rsa_export_public_key(
psa_status_t mbedtls_test_driver_rsa_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
uint8_t *data, size_t data_size, size_t *data_length )

4
library/psa_crypto_rsa.h
View File

@@ -218,13 +218,13 @@ psa_status_t mbedtls_psa_rsa_verify_hash(
#if defined(PSA_CRYPTO_DRIVER_TEST)
psa_status_t mbedtls_transparent_test_driver_rsa_import_key(
psa_status_t mbedtls_test_driver_rsa_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, size_t data_length,
uint8_t *key_buffer, size_t key_buffer_size,
size_t *key_buffer_length, size_t *bits );
psa_status_t mbedtls_transparent_test_driver_rsa_export_public_key(
psa_status_t mbedtls_test_driver_rsa_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
uint8_t *data, size_t data_size, size_t *data_length );

7
library/psa_crypto_slot_management.c
View File

@@ -479,7 +479,8 @@ psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime )
psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
{
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
psa_status_t status;
psa_key_slot_t *slot;
@@ -497,11 +498,11 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
return( psa_unlock_key_slot( slot ) );
#else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
(void) key;
*handle = PSA_KEY_HANDLE_INIT;
return( PSA_ERROR_NOT_SUPPORTED );
#endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
}
psa_status_t psa_close_key( psa_key_handle_t handle )

74
library/psa_crypto_storage.c
View File

@@ -230,48 +230,6 @@ static psa_status_t psa_crypto_storage_get_data_length(
return( PSA_SUCCESS );
}
/*
* 32-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT32_LE
#define GET_UINT32_LE( n, b, i ) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE( n, b, i ) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
/*
* 16-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT16_LE
#define GET_UINT16_LE( n, b, i ) \
{ \
(n) = ( (uint16_t) (b)[(i) ] ) \
| ( (uint16_t) (b)[(i) + 1] << 8 ); \
}
#endif
#ifndef PUT_UINT16_LE
#define PUT_UINT16_LE( n, b, i ) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
}
#endif
/**
* Persistent key storage magic header.
*/
@@ -298,14 +256,14 @@ void psa_format_key_data_for_storage( const uint8_t *data,
(psa_persistent_key_storage_format *) storage_data;
memcpy( storage_format->magic, PSA_KEY_STORAGE_MAGIC_HEADER, PSA_KEY_STORAGE_MAGIC_HEADER_LENGTH );
PUT_UINT32_LE( 0, storage_format->version, 0 );
PUT_UINT32_LE( attr->lifetime, storage_format->lifetime, 0 );
PUT_UINT16_LE( (uint16_t) attr->type, storage_format->type, 0 );
PUT_UINT16_LE( (uint16_t) attr->bits, storage_format->bits, 0 );
PUT_UINT32_LE( attr->policy.usage, storage_format->policy, 0 );
PUT_UINT32_LE( attr->policy.alg, storage_format->policy, sizeof( uint32_t ) );
PUT_UINT32_LE( attr->policy.alg2, storage_format->policy, 2 * sizeof( uint32_t ) );
PUT_UINT32_LE( data_length, storage_format->data_len, 0 );
MBEDTLS_PUT_UINT32_LE( 0, storage_format->version, 0 );
MBEDTLS_PUT_UINT32_LE( attr->lifetime, storage_format->lifetime, 0 );
MBEDTLS_PUT_UINT16_LE( (uint16_t) attr->type, storage_format->type, 0 );
MBEDTLS_PUT_UINT16_LE( (uint16_t) attr->bits, storage_format->bits, 0 );
MBEDTLS_PUT_UINT32_LE( attr->policy.usage, storage_format->policy, 0 );
MBEDTLS_PUT_UINT32_LE( attr->policy.alg, storage_format->policy, sizeof( uint32_t ) );
MBEDTLS_PUT_UINT32_LE( attr->policy.alg2, storage_format->policy, 2 * sizeof( uint32_t ) );
MBEDTLS_PUT_UINT32_LE( data_length, storage_format->data_len, 0 );
memcpy( storage_format->key_data, data, data_length );
}
@@ -335,11 +293,11 @@ psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
if( status != PSA_SUCCESS )
return( status );
GET_UINT32_LE( version, storage_format->version, 0 );
version = MBEDTLS_GET_UINT32_LE( storage_format->version, 0 );
if( version != 0 )
return( PSA_ERROR_DATA_INVALID );
GET_UINT32_LE( *key_data_length, storage_format->data_len, 0 );
*key_data_length = MBEDTLS_GET_UINT32_LE( storage_format->data_len, 0 );
if( *key_data_length > ( storage_data_length - sizeof(*storage_format) ) ||
*key_data_length > PSA_CRYPTO_MAX_STORAGE_SIZE )
return( PSA_ERROR_DATA_INVALID );
@@ -356,12 +314,12 @@ psa_status_t psa_parse_key_data_from_storage( const uint8_t *storage_data,
memcpy( *key_data, storage_format->key_data, *key_data_length );
}
GET_UINT32_LE( attr->lifetime, storage_format->lifetime, 0 );
GET_UINT16_LE( attr->type, storage_format->type, 0 );
GET_UINT16_LE( attr->bits, storage_format->bits, 0 );
GET_UINT32_LE( attr->policy.usage, storage_format->policy, 0 );
GET_UINT32_LE( attr->policy.alg, storage_format->policy, sizeof( uint32_t ) );
GET_UINT32_LE( attr->policy.alg2, storage_format->policy, 2 * sizeof( uint32_t ) );
attr->lifetime = MBEDTLS_GET_UINT32_LE( storage_format->lifetime, 0 );
attr->type = MBEDTLS_GET_UINT16_LE( storage_format->type, 0 );
attr->bits = MBEDTLS_GET_UINT16_LE( storage_format->bits, 0 );
attr->policy.usage = MBEDTLS_GET_UINT32_LE( storage_format->policy, 0 );
attr->policy.alg = MBEDTLS_GET_UINT32_LE( storage_format->policy, sizeof( uint32_t ) );
attr->policy.alg2 = MBEDTLS_GET_UINT32_LE( storage_format->policy, 2 * sizeof( uint32_t ) );
return( PSA_SUCCESS );
}

10
library/psa_its_file.c
View File

@@ -191,14 +191,8 @@ psa_status_t psa_its_set( psa_storage_uid_t uid,
size_t n;
memcpy( header.magic, PSA_ITS_MAGIC_STRING, PSA_ITS_MAGIC_LENGTH );
header.size[0] = data_length & 0xff;
header.size[1] = ( data_length >> 8 ) & 0xff;
header.size[2] = ( data_length >> 16 ) & 0xff;
header.size[3] = ( data_length >> 24 ) & 0xff;
header.flags[0] = create_flags & 0xff;
header.flags[1] = ( create_flags >> 8 ) & 0xff;
header.flags[2] = ( create_flags >> 16 ) & 0xff;
header.flags[3] = ( create_flags >> 24 ) & 0xff;
MBEDTLS_PUT_UINT32_LE( data_length, header.size, 0 );
MBEDTLS_PUT_UINT32_LE( create_flags, header.flags, 0 );
psa_its_fill_filename( uid, filename );
stream = fopen( PSA_ITS_STORAGE_TEMP, "wb" );

69
library/ripemd160.c
View File

@@ -44,29 +44,6 @@
#if !defined(MBEDTLS_RIPEMD160_ALT)
/*
* 32-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT32_LE
#define GET_UINT32_LE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_ripemd160_context ) );
@@ -115,22 +92,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
} local;
GET_UINT32_LE( local.X[ 0], data, 0 );
GET_UINT32_LE( local.X[ 1], data, 4 );
GET_UINT32_LE( local.X[ 2], data, 8 );
GET_UINT32_LE( local.X[ 3], data, 12 );
GET_UINT32_LE( local.X[ 4], data, 16 );
GET_UINT32_LE( local.X[ 5], data, 20 );
GET_UINT32_LE( local.X[ 6], data, 24 );
GET_UINT32_LE( local.X[ 7], data, 28 );
GET_UINT32_LE( local.X[ 8], data, 32 );
GET_UINT32_LE( local.X[ 9], data, 36 );
GET_UINT32_LE( local.X[10], data, 40 );
GET_UINT32_LE( local.X[11], data, 44 );
GET_UINT32_LE( local.X[12], data, 48 );
GET_UINT32_LE( local.X[13], data, 52 );
GET_UINT32_LE( local.X[14], data, 56 );
GET_UINT32_LE( local.X[15], data, 60 );
local.X[ 0] = MBEDTLS_GET_UINT32_LE( data, 0 );
local.X[ 1] = MBEDTLS_GET_UINT32_LE( data, 4 );
local.X[ 2] = MBEDTLS_GET_UINT32_LE( data, 8 );
local.X[ 3] = MBEDTLS_GET_UINT32_LE( data, 12 );
local.X[ 4] = MBEDTLS_GET_UINT32_LE( data, 16 );
local.X[ 5] = MBEDTLS_GET_UINT32_LE( data, 20 );
local.X[ 6] = MBEDTLS_GET_UINT32_LE( data, 24 );
local.X[ 7] = MBEDTLS_GET_UINT32_LE( data, 28 );
local.X[ 8] = MBEDTLS_GET_UINT32_LE( data, 32 );
local.X[ 9] = MBEDTLS_GET_UINT32_LE( data, 36 );
local.X[10] = MBEDTLS_GET_UINT32_LE( data, 40 );
local.X[11] = MBEDTLS_GET_UINT32_LE( data, 44 );
local.X[12] = MBEDTLS_GET_UINT32_LE( data, 48 );
local.X[13] = MBEDTLS_GET_UINT32_LE( data, 52 );
local.X[14] = MBEDTLS_GET_UINT32_LE( data, 56 );
local.X[15] = MBEDTLS_GET_UINT32_LE( data, 60 );
local.A = local.Ap = ctx->state[0];
local.B = local.Bp = ctx->state[1];
@@ -377,8 +354,8 @@ int mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx,
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32_LE( low, msglen, 0 );
PUT_UINT32_LE( high, msglen, 4 );
MBEDTLS_PUT_UINT32_LE( low, msglen, 0 );
MBEDTLS_PUT_UINT32_LE( high, msglen, 4 );
last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
@@ -391,11 +368,11 @@ int mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx,
if( ret != 0 )
return( ret );
PUT_UINT32_LE( ctx->state[0], output, 0 );
PUT_UINT32_LE( ctx->state[1], output, 4 );
PUT_UINT32_LE( ctx->state[2], output, 8 );
PUT_UINT32_LE( ctx->state[3], output, 12 );
PUT_UINT32_LE( ctx->state[4], output, 16 );
MBEDTLS_PUT_UINT32_LE( ctx->state[0], output, 0 );
MBEDTLS_PUT_UINT32_LE( ctx->state[1], output, 4 );
MBEDTLS_PUT_UINT32_LE( ctx->state[2], output, 8 );
MBEDTLS_PUT_UINT32_LE( ctx->state[3], output, 12 );
MBEDTLS_PUT_UINT32_LE( ctx->state[4], output, 16 );
return( 0 );
}

69
library/sha1.c
View File

@@ -48,29 +48,6 @@
#if !defined(MBEDTLS_SHA1_ALT)
/*
* 32-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
}
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
}
#endif
void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
{
SHA1_VALIDATE( ctx != NULL );
@@ -126,22 +103,22 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
SHA1_VALIDATE_RET( ctx != NULL );
SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
GET_UINT32_BE( local.W[ 0], data, 0 );
GET_UINT32_BE( local.W[ 1], data, 4 );
GET_UINT32_BE( local.W[ 2], data, 8 );
GET_UINT32_BE( local.W[ 3], data, 12 );
GET_UINT32_BE( local.W[ 4], data, 16 );
GET_UINT32_BE( local.W[ 5], data, 20 );
GET_UINT32_BE( local.W[ 6], data, 24 );
GET_UINT32_BE( local.W[ 7], data, 28 );
GET_UINT32_BE( local.W[ 8], data, 32 );
GET_UINT32_BE( local.W[ 9], data, 36 );
GET_UINT32_BE( local.W[10], data, 40 );
GET_UINT32_BE( local.W[11], data, 44 );
GET_UINT32_BE( local.W[12], data, 48 );
GET_UINT32_BE( local.W[13], data, 52 );
GET_UINT32_BE( local.W[14], data, 56 );
GET_UINT32_BE( local.W[15], data, 60 );
local.W[ 0] = MBEDTLS_GET_UINT32_BE( data, 0 );
local.W[ 1] = MBEDTLS_GET_UINT32_BE( data, 4 );
local.W[ 2] = MBEDTLS_GET_UINT32_BE( data, 8 );
local.W[ 3] = MBEDTLS_GET_UINT32_BE( data, 12 );
local.W[ 4] = MBEDTLS_GET_UINT32_BE( data, 16 );
local.W[ 5] = MBEDTLS_GET_UINT32_BE( data, 20 );
local.W[ 6] = MBEDTLS_GET_UINT32_BE( data, 24 );
local.W[ 7] = MBEDTLS_GET_UINT32_BE( data, 28 );
local.W[ 8] = MBEDTLS_GET_UINT32_BE( data, 32 );
local.W[ 9] = MBEDTLS_GET_UINT32_BE( data, 36 );
local.W[10] = MBEDTLS_GET_UINT32_BE( data, 40 );
local.W[11] = MBEDTLS_GET_UINT32_BE( data, 44 );
local.W[12] = MBEDTLS_GET_UINT32_BE( data, 48 );
local.W[13] = MBEDTLS_GET_UINT32_BE( data, 52 );
local.W[14] = MBEDTLS_GET_UINT32_BE( data, 56 );
local.W[15] = MBEDTLS_GET_UINT32_BE( data, 60 );
#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
@@ -385,8 +362,8 @@ int mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32_BE( high, ctx->buffer, 56 );
PUT_UINT32_BE( low, ctx->buffer, 60 );
MBEDTLS_PUT_UINT32_BE( high, ctx->buffer, 56 );
MBEDTLS_PUT_UINT32_BE( low, ctx->buffer, 60 );
if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
return( ret );
@@ -394,11 +371,11 @@ int mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
/*
* Output final state
*/
PUT_UINT32_BE( ctx->state[0], output, 0 );
PUT_UINT32_BE( ctx->state[1], output, 4 );
PUT_UINT32_BE( ctx->state[2], output, 8 );
PUT_UINT32_BE( ctx->state[3], output, 12 );
PUT_UINT32_BE( ctx->state[4], output, 16 );
MBEDTLS_PUT_UINT32_BE( ctx->state[0], output, 0 );
MBEDTLS_PUT_UINT32_BE( ctx->state[1], output, 4 );
MBEDTLS_PUT_UINT32_BE( ctx->state[2], output, 8 );
MBEDTLS_PUT_UINT32_BE( ctx->state[3], output, 12 );
MBEDTLS_PUT_UINT32_BE( ctx->state[4], output, 16 );
return( 0 );
}

47
library/sha256.c
View File

@@ -50,29 +50,6 @@
#if !defined(MBEDTLS_SHA256_ALT)
/*
* 32-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
do { \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
} while( 0 )
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
do { \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
} while( 0 )
#endif
void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
{
SHA256_VALIDATE( ctx != NULL );
@@ -213,7 +190,7 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
for( i = 0; i < 64; i++ )
{
if( i < 16 )
GET_UINT32_BE( local.W[i], data, 4 * i );
local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
else
R( i );
@@ -228,7 +205,7 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
}
#else /* MBEDTLS_SHA256_SMALLER */
for( i = 0; i < 16; i++ )
GET_UINT32_BE( local.W[i], data, 4 * i );
local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
for( i = 0; i < 16; i += 8 )
{
@@ -378,8 +355,8 @@ int mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32_BE( high, ctx->buffer, 56 );
PUT_UINT32_BE( low, ctx->buffer, 60 );
MBEDTLS_PUT_UINT32_BE( high, ctx->buffer, 56 );
MBEDTLS_PUT_UINT32_BE( low, ctx->buffer, 60 );
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
return( ret );
@@ -387,18 +364,18 @@ int mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
/*
* Output final state
*/
PUT_UINT32_BE( ctx->state[0], output, 0 );
PUT_UINT32_BE( ctx->state[1], output, 4 );
PUT_UINT32_BE( ctx->state[2], output, 8 );
PUT_UINT32_BE( ctx->state[3], output, 12 );
PUT_UINT32_BE( ctx->state[4], output, 16 );
PUT_UINT32_BE( ctx->state[5], output, 20 );
PUT_UINT32_BE( ctx->state[6], output, 24 );
MBEDTLS_PUT_UINT32_BE( ctx->state[0], output, 0 );
MBEDTLS_PUT_UINT32_BE( ctx->state[1], output, 4 );
MBEDTLS_PUT_UINT32_BE( ctx->state[2], output, 8 );
MBEDTLS_PUT_UINT32_BE( ctx->state[3], output, 12 );
MBEDTLS_PUT_UINT32_BE( ctx->state[4], output, 16 );
MBEDTLS_PUT_UINT32_BE( ctx->state[5], output, 20 );
MBEDTLS_PUT_UINT32_BE( ctx->state[6], output, 24 );
#if defined(MBEDTLS_SHA224_C)
if( ctx->is224 == 0 )
#endif
PUT_UINT32_BE( ctx->state[7], output, 28 );
MBEDTLS_PUT_UINT32_BE( ctx->state[7], output, 28 );
return( 0 );
}

39
library/sha512.c
View File

@@ -56,44 +56,13 @@
#if !defined(MBEDTLS_SHA512_ALT)
/*
* 64-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT64_BE
#define GET_UINT64_BE(n,b,i) \
{ \
(n) = ( (uint64_t) (b)[(i) ] << 56 ) \
| ( (uint64_t) (b)[(i) + 1] << 48 ) \
| ( (uint64_t) (b)[(i) + 2] << 40 ) \
| ( (uint64_t) (b)[(i) + 3] << 32 ) \
| ( (uint64_t) (b)[(i) + 4] << 24 ) \
| ( (uint64_t) (b)[(i) + 5] << 16 ) \
| ( (uint64_t) (b)[(i) + 6] << 8 ) \
| ( (uint64_t) (b)[(i) + 7] ); \
}
#endif /* GET_UINT64_BE */
#ifndef PUT_UINT64_BE
#define PUT_UINT64_BE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( (n) >> 56 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 48 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 40 ); \
(b)[(i) + 3] = (unsigned char) ( (n) >> 32 ); \
(b)[(i) + 4] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 5] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 6] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 7] = (unsigned char) ( (n) ); \
}
#endif /* PUT_UINT64_BE */
#if defined(MBEDTLS_SHA512_SMALLER)
static void sha512_put_uint64_be( uint64_t n, unsigned char *b, uint8_t i )
{
PUT_UINT64_BE(n, b, i);
MBEDTLS_PUT_UINT64_BE(n, b, i);
}
#else
#define sha512_put_uint64_be PUT_UINT64_BE
#define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE
#endif /* MBEDTLS_SHA512_SMALLER */
void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
@@ -261,7 +230,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
{
if( i < 16 )
{
GET_UINT64_BE( local.W[i], data, i << 3 );
local.W[i] = MBEDTLS_GET_UINT64_BE( data, i << 3 );
}
else
{
@@ -281,7 +250,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
#else /* MBEDTLS_SHA512_SMALLER */
for( i = 0; i < 16; i++ )
{
GET_UINT64_BE( local.W[i], data, i << 3 );
local.W[i] = MBEDTLS_GET_UINT64_BE( data, i << 3 );
}
for( ; i < 80; i++ )

55
library/ssl_ciphersuites.c
View File

@@ -52,6 +52,15 @@ static const int ciphersuite_preference[] =
#if defined(MBEDTLS_SSL_CIPHERSUITES)
MBEDTLS_SSL_CIPHERSUITES,
#else
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/* TLS 1.3 ciphersuites */
MBEDTLS_TLS1_3_AES_128_GCM_SHA256,
MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS1_3_AES_128_CCM_SHA256,
MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/* Chacha-Poly ephemeral suites */
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
@@ -283,6 +292,52 @@ static const int ciphersuite_preference[] =
static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#if defined(MBEDTLS_AES_C)
#if defined(MBEDTLS_GCM_C)
#if defined(MBEDTLS_SHA384_C)
{ MBEDTLS_TLS1_3_AES_256_GCM_SHA384, "TLS1-3-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384,
MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
0 },
#endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C)
{ MBEDTLS_TLS1_3_AES_128_GCM_SHA256, "TLS1-3-AES-128-GCM-SHA256",
MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
0 },
#endif /* MBEDTLS_SHA256_C */
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_SHA256_C)
{ MBEDTLS_TLS1_3_AES_128_CCM_SHA256, "TLS1-3-AES-128-CCM-SHA256",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
0 },
{ MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, "TLS1-3-AES-128-CCM-8-SHA256",
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
MBEDTLS_CIPHERSUITE_SHORT_TAG },
#endif /* MBEDTLS_SHA256_C && MBEDTLS_CCM_C */
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_CHACHAPOLY_C) && defined(MBEDTLS_SHA256_C)
{ MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,
"TLS1-3-CHACHA20-POLY1305-SHA256",
MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
MBEDTLS_KEY_EXCHANGE_NONE, /* Key exchange not part of ciphersuite in TLS 1.3 */
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4,
0 },
#endif /* MBEDTLS_CHACHAPOLY_C && MBEDTLS_SHA256_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_CHACHAPOLY_C) && \
defined(MBEDTLS_SHA256_C) && \
defined(MBEDTLS_SSL_PROTO_TLS1_2)

182
library/ssl_cli.c
View File

@@ -136,18 +136,19 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
* } ServerNameList;
*
*/
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 );
p += 2;
*p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( (hostname_len + 5) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( hostname_len + 5, p, 0 );
p += 2;
*p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( (hostname_len + 3) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( hostname_len + 3, p, 0 );
p += 2;
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
*p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( hostname_len ) & 0xFF );
*p++ = MBEDTLS_BYTE_0( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME );
MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 );
p += 2;
memcpy( p, ssl->hostname, hostname_len );
@@ -181,14 +182,12 @@ static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
/*
* Secure renegotiation
*/
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
& 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
& 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
*p++ = ssl->verify_data_len & 0xFF;
*p++ = MBEDTLS_BYTE_0( ssl->verify_data_len + 1 );
*p++ = MBEDTLS_BYTE_0( ssl->verify_data_len );
memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
@@ -283,14 +282,14 @@ static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
* SignatureAndHashAlgorithm
* supported_signature_algorithms<2..2^16-2>;
*/
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, p, 0 );
p += 2;
*p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ( sig_alg_len + 2 ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( sig_alg_len + 2, p, 0 );
p += 2;
*p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( sig_alg_len, p, 0 );
p += 2;
*olen = 6 + sig_alg_len;
@@ -354,20 +353,18 @@ static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
grp_id++ )
{
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1( info->tls_id );
elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0( info->tls_id );
}
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
& 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
& 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0 );
p += 2;
*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( elliptic_curve_len + 2, p, 0 );
p += 2;
*p++ = (unsigned char)( ( ( elliptic_curve_len ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( elliptic_curve_len, p, 0 );
p += 2;
*olen = 6 + elliptic_curve_len;
@@ -388,10 +385,8 @@ static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
( "client hello, adding supported_point_formats extension" ) );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
& 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
& 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 2;
@@ -427,8 +422,8 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 );
p += 2;
/*
* We may need to send ClientHello multiple times for Hello verification.
@@ -470,8 +465,8 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
}
*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 );
p += 2;
*olen = kkpp_len + 4;
@@ -510,11 +505,11 @@ static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR( p, end, (unsigned)( ssl->own_cid_len + 5 ) );
/* Add extension ID + size */
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_CID, p, 0 );
p += 2;
ext_len = (size_t) ssl->own_cid_len + 1;
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
p += 2;
*p++ = (uint8_t) ssl->own_cid_len;
memcpy( p, ssl->own_cid, ssl->own_cid_len );
@@ -543,10 +538,8 @@ static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
& 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
& 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 1;
@@ -577,8 +570,8 @@ static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 0x00;
@@ -607,10 +600,8 @@ static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
& 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
& 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 0x00;
@@ -641,11 +632,11 @@ static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
/* The addition is safe here since the ticket length is 16 bit. */
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0 );
p += 2;
*p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( tlen ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( tlen, p, 0 );
p += 2;
*olen = 4;
@@ -685,8 +676,8 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, p, 0 );
p += 2;
/*
* opaque ProtocolName<1..2^8-1>;
@@ -713,12 +704,10 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
*olen = p - buf;
/* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 );
/* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 );
return( 0 );
}
@@ -770,12 +759,11 @@ static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, ext_len + 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_USE_SRTP, p, 0 );
p += 2;
*p++ = (unsigned char)( ( ( ext_len & 0xFF00 ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ext_len & 0xFF );
MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
p += 2;
/* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
/* micro-optimization:
@@ -786,8 +774,7 @@ static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
* >> 8 ) & 0xFF );
*/
*p++ = 0;
*p++ = (unsigned char)( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
& 0xFF );
*p++ = MBEDTLS_BYTE_0( 2 * ssl->conf->dtls_srtp_profile_list_len );
for( protection_profiles_index=0;
protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
@@ -799,8 +786,8 @@ static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
profile_value ) );
*p++ = ( ( profile_value >> 8 ) & 0xFF );
*p++ = ( profile_value & 0xFF );
MBEDTLS_PUT_UINT16_BE( profile_value, p, 0 );
p += 2;
}
else
{
@@ -868,10 +855,8 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_HAVE_TIME)
t = mbedtls_time( NULL );
*p++ = (unsigned char)( t >> 24 );
*p++ = (unsigned char)( t >> 16 );
*p++ = (unsigned char)( t >> 8 );
*p++ = (unsigned char)( t );
MBEDTLS_PUT_UINT32_BE( t, p, 0 );
p += 4;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
(long long) t ) );
@@ -1154,8 +1139,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
n++;
*p++ = (unsigned char)( ciphersuites[i] >> 8 );
*p++ = (unsigned char)( ciphersuites[i] );
MBEDTLS_PUT_UINT16_BE( ciphersuites[i], p, 0 );
p += 2;
}
MBEDTLS_SSL_DEBUG_MSG( 3,
@@ -1170,8 +1155,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0 );
p += 2;
n++;
}
@@ -1334,9 +1319,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
{
/* No need to check for space here, because the extension
* writing functions already took care of that. */
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
p += ext_len;
MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
p += 2 + ext_len;
}
ssl->out_msglen = p - buf;
@@ -2756,8 +2740,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( len_bytes == 2 )
{
ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
ssl->out_msg[offset+1] = (unsigned char)( *olen );
MBEDTLS_PUT_UINT16_BE( *olen, ssl->out_msg, offset );
*olen += 2;
}
#endif
@@ -3514,8 +3497,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
*/
content_len = mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx );
ssl->out_msg[4] = (unsigned char)( content_len >> 8 );
ssl->out_msg[5] = (unsigned char)( content_len );
MBEDTLS_PUT_UINT16_BE( content_len, ssl->out_msg, 4 );
header_len = 6;
ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
@@ -3730,8 +3712,8 @@ ecdh_calc_secret:
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
ssl->out_msg[header_len++] = (unsigned char)( content_len );
ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len );
ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len );
memcpy( ssl->out_msg + header_len,
ssl->conf->psk_identity,
@@ -3782,8 +3764,8 @@ ecdh_calc_secret:
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
ssl->out_msg[header_len++] = (unsigned char)( content_len >> 8 );
ssl->out_msg[header_len++] = (unsigned char)( content_len );
ssl->out_msg[header_len++] = MBEDTLS_BYTE_1( content_len );
ssl->out_msg[header_len++] = MBEDTLS_BYTE_0( content_len );
ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
(int) mbedtls_dhm_get_len( &ssl->handshake->dhm_ctx ),
@@ -4065,8 +4047,7 @@ sign:
return( ret );
}
ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
ssl->out_msg[5 + offset] = (unsigned char)( n );
MBEDTLS_PUT_UINT16_BE( n, ssl->out_msg, offset + 4 );
ssl->out_msglen = 6 + n + offset;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
@@ -4210,23 +4191,8 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
{
int ret = 0;
if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{
if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
return( ret );
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/* Change state now, so that it is right in mbedtls_ssl_read_record(), used
* by DTLS for dropping out-of-sequence ChangeCipherSpec records */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)

5
library/ssl_cookie.c
View File

@@ -165,10 +165,7 @@ int mbedtls_ssl_cookie_write( void *p_ctx,
t = ctx->serial++;
#endif
(*p)[0] = (unsigned char)( t >> 24 );
(*p)[1] = (unsigned char)( t >> 16 );
(*p)[2] = (unsigned char)( t >> 8 );
(*p)[3] = (unsigned char)( t );
MBEDTLS_PUT_UINT32_BE(t, *p, 0);
*p += 4;
#if defined(MBEDTLS_THREADING_C)

251
library/ssl_misc.h
View File

@@ -102,6 +102,61 @@
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
/*
* Mask of TLS 1.3 handshake extensions used in extensions_present
* of mbedtls_ssl_handshake_params.
*/
#define MBEDTLS_SSL_EXT_NONE 0
#define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 )
#define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 )
#define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 )
#define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 )
#define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 )
#define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 )
#define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 )
#define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 )
#define MBEDTLS_SSL_EXT_SCT ( 1 << 8 )
#define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 )
#define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 )
#define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 )
#define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 )
#define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 )
#define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 )
#define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 )
#define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 )
#define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 )
#define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 )
#define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 )
#define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 )
#define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 )
/*
* Helper macros for function call with return check.
*/
/*
* Exit when return non-zero value
*/
#define MBEDTLS_SSL_PROC_CHK( f ) \
do { \
ret = ( f ); \
if( ret != 0 ) \
{ \
goto cleanup; \
} \
} while( 0 )
/*
* Exit when return negative value
*/
#define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
do { \
ret = ( f ); \
if( ret < 0 ) \
{ \
goto cleanup; \
} \
} while( 0 )
/*
* DTLS retransmission states, see RFC 6347 4.2.4
*
@@ -562,6 +617,13 @@ struct mbedtls_ssl_handshake_params
uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
* Those pointers own the transforms they reference. */
mbedtls_ssl_transform *transform_handshake;
mbedtls_ssl_transform *transform_earlydata;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/*
* Checksum contexts
*/
@@ -587,6 +649,16 @@ struct mbedtls_ssl_handshake_params
void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
mbedtls_ssl_tls_prf_cb *tls_prf;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
uint16_t offered_group_id; /* The NamedGroup value for the group
* that is being used for ephemeral
* key exchange.
*
* On the client: Defaults to the first
* entry in the client's group list,
* but can be overwritten by the HRR. */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
size_t pmslen; /*!< premaster length */
@@ -599,6 +671,11 @@ struct mbedtls_ssl_handshake_params
int max_major_ver; /*!< max. major version client*/
int max_minor_ver; /*!< max. minor version client*/
int cli_exts; /*!< client extension presence*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
int extensions_present; /*!< extension presence; Each bitfield
represents an extension and defined
as \c MBEDTLS_SSL_EXT_XXX */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
int new_session_ticket; /*!< use NewSessionTicket? */
@@ -740,7 +817,8 @@ struct mbedtls_ssl_transform
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
/* We need the Hello random bytes in order to re-derive keys from the
* Master Secret and other session info, see ssl_populate_transform() */
* Master Secret and other session info,
* see ssl_tls12_populate_transform() */
unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
};
@@ -881,6 +959,21 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/**
* \brief TLS 1.3 client side state machine entry
*
* \param ssl SSL context
*/
int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
/**
* \brief TLS 1.3 server side state machine entry
*
* \param ssl SSL context
*/
int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
#endif
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
@@ -971,7 +1064,13 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
unsigned update_hs_digest );
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
int update_checksum );
static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
{
return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */ ) );
}
int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
@@ -1259,4 +1358,152 @@ void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*
* Helper functions around key exchange modes.
*/
static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
int kex_mode_mask )
{
return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
}
static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
{
return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) );
}
static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
{
return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
}
static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
{
return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) );
}
static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
{
return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
}
static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
{
return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/**
* ssl utils functions for checking configuration.
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
{
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 &&
conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
return( 1 );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
{
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
return( 1 );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
{
if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
return( 1 );
}
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*
* Helper functions for NamedGroup.
*/
static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
{
return( named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP256R1 ||
named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP384R1 ||
named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_SECP521R1 ||
named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_X25519 ||
named_group == MBEDTLS_SSL_TLS13_NAMED_GROUP_X448 );
}
static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
{
return( named_group >= MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE2048 &&
named_group <= MBEDTLS_SSL_TLS13_NAMED_GROUP_FFDHE8192 );
}
static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
mbedtls_ssl_states state )
{
ssl->state = ( int ) state;
}
/*
* Write TLS 1.3 handshake message header
*/
int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
unsigned hs_type,
unsigned char **buf,
size_t *buflen );
/*
* Write TLS 1.3 handshake message tail
*/
int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
size_t buf_len,
size_t msg_len );
/*
* Update checksum with handshake header
*/
void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
unsigned hs_type,
size_t total_hs_len );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Write TLS 1.3 Signature Algorithm extension
*/
int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen);
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* ssl_misc.h */

95
library/ssl_msg.c
View File

@@ -384,7 +384,8 @@ static int ssl_parse_inner_plaintext( unsigned char const *content,
static void ssl_extract_add_data_from_record( unsigned char* add_data,
size_t *add_data_len,
mbedtls_record *rec,
unsigned minor_ver )
unsigned minor_ver,
size_t taglen )
{
/* Quoting RFC 5246 (TLS 1.2):
*
@@ -403,15 +404,37 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
*
* For TLS 1.3, the record sequence number is dropped from the AAD
* and encoded within the nonce of the AEAD operation instead.
* Moreover, the additional data involves the length of the TLS
* ciphertext, not the TLS plaintext as in earlier versions.
* Quoting RFC 8446 (TLS 1.3):
*
* additional_data = TLSCiphertext.opaque_type ||
* TLSCiphertext.legacy_record_version ||
* TLSCiphertext.length
*
* We pass the tag length to this function in order to compute the
* ciphertext length from the inner plaintext length rec->data_len via
*
* TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
*
*/
unsigned char *cur = add_data;
size_t ad_len_field = rec->data_len;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 )
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
/* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
* which differs from the length of the TLSInnerPlaintext
* by the length of the authentication tag. */
ad_len_field += taglen;
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
{
((void) minor_ver);
((void) taglen);
memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
cur += sizeof( rec->ctr );
}
@@ -431,15 +454,13 @@ static void ssl_extract_add_data_from_record( unsigned char* add_data,
*cur = rec->cid_len;
cur++;
cur[0] = ( rec->data_len >> 8 ) & 0xFF;
cur[1] = ( rec->data_len >> 0 ) & 0xFF;
MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
cur += 2;
}
else
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
{
cur[0] = ( rec->data_len >> 8 ) & 0xFF;
cur[1] = ( rec->data_len >> 0 ) & 0xFF;
MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
cur += 2;
}
@@ -646,7 +667,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
transform->minor_ver,
transform->taglen );
mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
add_data_len );
@@ -743,7 +765,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
* This depends on the TLS version.
*/
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
transform->minor_ver,
transform->taglen );
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
iv, transform->ivlen );
@@ -897,7 +920,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
}
ssl_extract_add_data_from_record( add_data, &add_data_len,
rec, transform->minor_ver );
rec, transform->minor_ver,
transform->taglen );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
@@ -1304,7 +1328,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* This depends on the TLS version.
*/
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
transform->minor_ver,
transform->taglen );
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
add_data, add_data_len );
@@ -1414,7 +1439,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* Further, we still know that data_len > minlen */
rec->data_len -= transform->maclen;
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
transform->minor_ver,
transform->taglen );
/* Calculate expected MAC. */
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
@@ -1606,7 +1632,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
*/
rec->data_len -= transform->maclen;
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver );
transform->minor_ver,
transform->taglen );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/*
@@ -2226,13 +2253,13 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
* Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
memcpy( ssl->out_msg, cur->p, 6 );
ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
ssl->out_msg[8] = ( ( frag_off ) & 0xff );
ssl->out_msg[6] = MBEDTLS_BYTE_2( frag_off );
ssl->out_msg[7] = MBEDTLS_BYTE_1( frag_off );
ssl->out_msg[8] = MBEDTLS_BYTE_0( frag_off );
ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
ssl->out_msg[ 9] = MBEDTLS_BYTE_2( cur_hs_frag_len );
ssl->out_msg[10] = MBEDTLS_BYTE_1( cur_hs_frag_len );
ssl->out_msg[11] = MBEDTLS_BYTE_0( cur_hs_frag_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
@@ -2360,7 +2387,8 @@ void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
* (including handshake headers but excluding record headers)
* - ssl->out_msg: the record contents (handshake headers + content)
*/
int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
int update_checksum )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const size_t hs_len = ssl->out_msglen - 4;
@@ -2421,9 +2449,9 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
*/
if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
{
ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
ssl->out_msg[3] = (unsigned char)( hs_len );
ssl->out_msg[1] = MBEDTLS_BYTE_2( hs_len );
ssl->out_msg[2] = MBEDTLS_BYTE_1( hs_len );
ssl->out_msg[3] = MBEDTLS_BYTE_0( hs_len );
/*
* DTLS has additional fields in the Handshake layer,
@@ -2451,8 +2479,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
/* Write message_seq and update it, except for HelloRequest */
if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
{
ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
MBEDTLS_PUT_UINT16_BE( ssl->handshake->out_msg_seq, ssl->out_msg, 4 );
++( ssl->handshake->out_msg_seq );
}
else
@@ -2469,7 +2496,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_PROTO_DTLS */
/* Update running hashes of handshake messages seen */
if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0 )
ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
}
@@ -2536,8 +2563,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
ssl->conf->transport, ssl->out_hdr + 1 );
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
ssl->out_len[0] = (unsigned char)( len >> 8 );
ssl->out_len[1] = (unsigned char)( len );
MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
if( ssl->transform_out != NULL )
{
@@ -2577,8 +2603,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
memcpy( ssl->out_cid, rec.cid, rec.cid_len );
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
ssl->out_msglen = len = rec.data_len;
ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );
ssl->out_len[1] = (unsigned char)( rec.data_len );
MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->out_len, 0 );
}
protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
@@ -3150,12 +3175,11 @@ static int ssl_check_dtls_clihlo_cookie(
/* Go back and fill length fields */
obuf[27] = (unsigned char)( *olen - 28 );
obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
obuf[14] = obuf[22] = MBEDTLS_BYTE_2( *olen - 25 );
obuf[15] = obuf[23] = MBEDTLS_BYTE_1( *olen - 25 );
obuf[16] = obuf[24] = MBEDTLS_BYTE_0( *olen - 25 );
obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
obuf[12] = (unsigned char)( ( *olen - 13 ) );
MBEDTLS_PUT_UINT16_BE( *olen - 13, obuf, 11 );
return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
}
@@ -4535,8 +4559,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
ssl->in_hdr[0] = rec.type;
ssl->in_msg = rec.buf + rec.data_offset;
ssl->in_msglen = rec.data_len;
ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
ssl->in_len[1] = (unsigned char)( rec.data_len );
MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->in_len, 0 );
return( 0 );
}

127
library/ssl_srv.c
View File

@@ -1848,8 +1848,7 @@ read_record_header:
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
for( i = 0; ciphersuites[i] != 0; i++ )
{
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
if( MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i] )
continue;
got_common_suite = 1;
@@ -1865,8 +1864,7 @@ read_record_header:
for( i = 0; ciphersuites[i] != 0; i++ )
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
{
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
if( MBEDTLS_GET_UINT16_BE(p, 0) != ciphersuites[i] )
continue;
got_common_suite = 1;
@@ -1970,12 +1968,11 @@ static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
* opaque cid<0..2^8-1>;
* } ConnectionId;
*/
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_CID, p, 0 );
p += 2;
ext_len = (size_t) ssl->own_cid_len + 1;
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
p += 2;
*p++ = (uint8_t) ssl->own_cid_len;
memcpy( p, ssl->own_cid, ssl->own_cid_len );
@@ -2016,8 +2013,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 0x00;
@@ -2042,8 +2039,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
"extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 0x00;
@@ -2067,8 +2064,8 @@ static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 0x00;
@@ -2091,8 +2088,8 @@ static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0 );
p += 2;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
@@ -2132,8 +2129,8 @@ static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 1;
@@ -2162,8 +2159,8 @@ static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0 );
p += 2;
*p++ = 0x00;
*p++ = 2;
@@ -2200,8 +2197,8 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
return;
}
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 );
p += 2;
ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
p + 2, end - p - 2, &kkpp_len,
@@ -2212,8 +2209,8 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
return;
}
*p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 );
p += 2;
*olen = kkpp_len + 4;
}
@@ -2238,18 +2235,15 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
* 6 . 6 protocol name length
* 7 . 7+n protocol name
*/
buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ALPN, buf, 0);
*olen = 7 + strlen( ssl->alpn_chosen );
buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( *olen - 4, buf, 2 );
buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
buf[5] = (unsigned char)( ( ( *olen - 6 ) ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( *olen - 6, buf, 4 );
buf[6] = (unsigned char)( ( ( *olen - 7 ) ) & 0xFF );
buf[6] = MBEDTLS_BYTE_0( *olen - 7 );
memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
}
@@ -2294,15 +2288,13 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
}
/* extension */
buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, buf, 0 );
/*
* total length 5 and mki value: only one profile(2 bytes)
* and length(2 bytes) and srtp_mki )
*/
ext_len = 5 + mki_len;
buf[2] = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
buf[3] = (unsigned char)( ext_len & 0xFF );
MBEDTLS_PUT_UINT16_BE( ext_len, buf, 2 );
/* protection profile length: 2 */
buf[4] = 0x00;
@@ -2311,8 +2303,7 @@ static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
if( profile_value != MBEDTLS_TLS_SRTP_UNSET )
{
buf[6] = (unsigned char)( ( profile_value >> 8 ) & 0xFF );
buf[7] = (unsigned char)( profile_value & 0xFF );
MBEDTLS_PUT_UINT16_BE( profile_value, buf, 6 );
}
else
{
@@ -2494,10 +2485,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_HAVE_TIME)
t = mbedtls_time( NULL );
*p++ = (unsigned char)( t >> 24 );
*p++ = (unsigned char)( t >> 16 );
*p++ = (unsigned char)( t >> 8 );
*p++ = (unsigned char)( t );
MBEDTLS_PUT_UINT32_BE( t, p, 0 );
p += 4;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
(long long) t ) );
@@ -2578,9 +2567,9 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->handshake->resume ? "a" : "no" ) );
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
*p++ = (unsigned char)( ssl->session_negotiate->compression );
MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 );
p += 2;
*p++ = MBEDTLS_BYTE_0( ssl->session_negotiate->compression );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
@@ -2648,9 +2637,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
if( ext_len > 0 )
{
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
p += ext_len;
MBEDTLS_PUT_UINT16_BE( ext_len, p, 0 );
p += 2 + ext_len;
}
ssl->out_msglen = p - buf;
@@ -2785,8 +2773,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
#endif
}
p[0] = (unsigned char)( sa_len >> 8 );
p[1] = (unsigned char)( sa_len );
MBEDTLS_PUT_UINT16_BE( sa_len, p, 0 );
sa_len += 2;
p += sa_len;
}
@@ -2826,8 +2813,8 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
break;
}
*p++ = (unsigned char)( dn_size >> 8 );
*p++ = (unsigned char)( dn_size );
MBEDTLS_PUT_UINT16_BE( dn_size, p, 0 );
p += 2;
memcpy( p, crt->subject_raw.p, dn_size );
p += dn_size;
@@ -2841,8 +2828,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
ssl->out_msglen = p - buf;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size >> 8 );
ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size );
MBEDTLS_PUT_UINT16_BE( total_dn_size, ssl->out_msg, 4 + ct_len + sa_len );
ret = mbedtls_ssl_write_handshake_msg( ssl );
@@ -3320,8 +3306,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
if( signature_len != 0 )
{
ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len );
ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_1( signature_len );
ssl->out_msg[ssl->out_msglen++] = MBEDTLS_BYTE_0( signature_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
ssl->out_msg + ssl->out_msglen,
@@ -3478,8 +3464,8 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
*p++ != ( ( len ) & 0xFF ) )
if( *p++ != MBEDTLS_BYTE_1( len ) ||
*p++ != MBEDTLS_BYTE_0( len ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
@@ -4223,14 +4209,8 @@ static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
tlen = 0;
}
ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
ssl->out_msg[6] = ( lifetime >> 8 ) & 0xFF;
ssl->out_msg[7] = ( lifetime ) & 0xFF;
ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
ssl->out_msg[9] = (unsigned char)( ( tlen ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( lifetime, ssl->out_msg, 4 );
MBEDTLS_PUT_UINT16_BE( tlen, ssl->out_msg, 8 );
ssl->out_msglen = 10 + tlen;
/*
@@ -4258,23 +4238,8 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
{
int ret = 0;
if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{
if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
return( ret );
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
switch( ssl->state )
{
case MBEDTLS_SSL_HELLO_REQUEST:

3
library/ssl_ticket.c
View File

@@ -245,8 +245,7 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
{
goto cleanup;
}
state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
state_len_bytes[1] = ( clear_len ) & 0xff;
MBEDTLS_PUT_UINT16_BE( clear_len, state_len_bytes, 0 );
/* Encrypt and authenticate */
if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,

459
library/ssl_tls.c
View File

@@ -664,14 +664,14 @@ typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
* - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
* - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
*/
static int ssl_populate_transform( mbedtls_ssl_transform *transform,
static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
int ciphersuite,
const unsigned char master[48],
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int encrypt_then_mac,
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls_prf_t tls_prf,
const unsigned char randbytes[64],
int minor_ver,
@@ -713,6 +713,15 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
/* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
* generation separate. This should never happen. */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/*
* Get various info structures
*/
@@ -805,19 +814,10 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
* sequence number).
*/
transform->ivlen = 12;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
{
transform->fixed_ivlen = 12;
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
{
if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
transform->fixed_ivlen = 12;
else
transform->fixed_ivlen = 4;
}
/* Minimum length of encrypted record */
explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
@@ -1327,14 +1327,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
}
/* Populate transform structure */
ret = ssl_populate_transform( ssl->transform_negotiate,
ret = ssl_tls12_populate_transform( ssl->transform_negotiate,
ssl->session_negotiate->ciphersuite,
ssl->session_negotiate->master,
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl->session_negotiate->encrypt_then_mac,
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
ssl->minor_ver,
@@ -1342,7 +1342,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls12_populate_transform", ret );
return( ret );
}
@@ -1487,8 +1487,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
if( end - p < 2 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( psk_len >> 8 );
*(p++) = (unsigned char)( psk_len );
MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
p += 2;
if( end < p || (size_t)( end - p ) < psk_len )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -1528,9 +1528,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
return( ret );
}
*(p++) = (unsigned char)( len >> 8 );
*(p++) = (unsigned char)( len );
p += len;
MBEDTLS_PUT_UINT16_BE( len, p, 0 );
p += 2 + len;
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
}
@@ -1550,9 +1549,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
return( ret );
}
*(p++) = (unsigned char)( zlen >> 8 );
*(p++) = (unsigned char)( zlen );
p += zlen;
MBEDTLS_PUT_UINT16_BE( zlen, p, 0 );
p += 2 + zlen;
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Z );
@@ -1568,8 +1566,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
if( end - p < 2 )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
*(p++) = (unsigned char)( psk_len >> 8 );
*(p++) = (unsigned char)( psk_len );
MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
p += 2;
if( end < p || (size_t)( end - p ) < psk_len )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -1746,17 +1744,17 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
ssl->out_msg[i ] = (unsigned char)( n >> 16 );
ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
ssl->out_msg[i + 2] = (unsigned char)( n );
ssl->out_msg[i ] = MBEDTLS_BYTE_2( n );
ssl->out_msg[i + 1] = MBEDTLS_BYTE_1( n );
ssl->out_msg[i + 2] = MBEDTLS_BYTE_0( n );
i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
i += n; crt = crt->next;
}
ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
ssl->out_msg[4] = MBEDTLS_BYTE_2( i - 7 );
ssl->out_msg[5] = MBEDTLS_BYTE_1( i - 7 );
ssl->out_msg[6] = MBEDTLS_BYTE_0( i - 7 );
ssl->out_msglen = i;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
@@ -3142,6 +3140,53 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
}
static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
{
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
return( 0 );
}
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
return( 0 );
}
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) );
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
}
static int ssl_conf_check(const mbedtls_ssl_context *ssl)
{
int ret;
ret = ssl_conf_version_check( ssl );
if( ret != 0 )
return( ret );
/* Space for further checks */
return( 0 );
}
/*
* Setup an SSL context
*/
@@ -3155,6 +3200,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
ssl->conf = conf;
if( ( ret = ssl_conf_check( ssl ) ) != 0 )
return( ret );
/*
* Prepare base structures
*/
@@ -3230,9 +3278,9 @@ error:
* If partial is non-zero, keep data in the input buffer and client ID.
* (Use when a DTLS client reconnects from the same port.)
*/
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
int partial )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
size_t out_buf_len = ssl->out_buf_len;
@@ -3241,16 +3289,65 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
!defined(MBEDTLS_SSL_SRV_C)
((void) partial);
#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
partial = 0;
#endif
ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
/* Cancel any possibly running timer */
mbedtls_ssl_set_timer( ssl, 0 );
mbedtls_ssl_reset_in_out_pointers( ssl );
/* Reset incoming message parsing */
ssl->in_offt = NULL;
ssl->nb_zero = 0;
ssl->in_msgtype = 0;
ssl->in_msglen = 0;
ssl->in_hslen = 0;
ssl->keep_current_message = 0;
ssl->transform_in = NULL;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl->next_record_offset = 0;
ssl->in_epoch = 0;
#endif
/* Keep current datagram if partial == 1 */
if( partial == 0 )
{
ssl->in_left = 0;
memset( ssl->in_buf, 0, in_buf_len );
}
/* Reset outgoing message writing */
ssl->out_msgtype = 0;
ssl->out_msglen = 0;
ssl->out_left = 0;
memset( ssl->out_buf, 0, out_buf_len );
memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
ssl->transform_out = NULL;
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_dtls_replay_reset( ssl );
#endif
if( ssl->transform )
{
mbedtls_ssl_transform_free( ssl->transform );
mbedtls_free( ssl->transform );
ssl->transform = NULL;
}
}
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
ssl_session_reset_msg_layer( ssl, partial );
/* Reset renegotiation state */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
ssl->renego_records_seen = 0;
@@ -3261,53 +3358,8 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
#endif
ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
ssl->in_offt = NULL;
mbedtls_ssl_reset_in_out_pointers( ssl );
ssl->in_msgtype = 0;
ssl->in_msglen = 0;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl->next_record_offset = 0;
ssl->in_epoch = 0;
#endif
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_dtls_replay_reset( ssl );
#endif
ssl->in_hslen = 0;
ssl->nb_zero = 0;
ssl->keep_current_message = 0;
ssl->out_msgtype = 0;
ssl->out_msglen = 0;
ssl->out_left = 0;
memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
ssl->transform_in = NULL;
ssl->transform_out = NULL;
ssl->session_in = NULL;
ssl->session_out = NULL;
memset( ssl->out_buf, 0, out_buf_len );
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
if( partial == 0 )
#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
{
ssl->in_left = 0;
memset( ssl->in_buf, 0, in_buf_len );
}
if( ssl->transform )
{
mbedtls_ssl_transform_free( ssl->transform );
mbedtls_free( ssl->transform );
ssl->transform = NULL;
}
if( ssl->session )
{
mbedtls_ssl_session_free( ssl->session );
@@ -3498,6 +3550,14 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
conf->ciphersuite_list = ciphersuites;
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
const int kex_modes )
{
conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
const mbedtls_x509_crt_profile *profile )
@@ -3883,6 +3943,15 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
{
conf->sig_hashes = hashes;
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/* Configure allowed signature algorithms for use in TLS 1.3 */
void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
const uint16_t* sig_algs )
{
conf->tls13_sig_algs = sig_algs;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C)
@@ -4519,8 +4588,8 @@ static unsigned char ssl_serialized_session_header[] = {
MBEDTLS_VERSION_MAJOR,
MBEDTLS_VERSION_MINOR,
MBEDTLS_VERSION_PATCH,
( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
};
/*
@@ -4601,14 +4670,8 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
{
start = (uint64_t) session->start;
*p++ = (unsigned char)( ( start >> 56 ) & 0xFF );
*p++ = (unsigned char)( ( start >> 48 ) & 0xFF );
*p++ = (unsigned char)( ( start >> 40 ) & 0xFF );
*p++ = (unsigned char)( ( start >> 32 ) & 0xFF );
*p++ = (unsigned char)( ( start >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( start >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( start >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( start ) & 0xFF );
MBEDTLS_PUT_UINT64_BE( start, p, 0 );
p += 8;
}
#endif /* MBEDTLS_HAVE_TIME */
@@ -4624,22 +4687,20 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
if( used <= buf_len )
{
*p++ = (unsigned char)( ( session->ciphersuite >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( session->ciphersuite ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 );
p += 2;
*p++ = (unsigned char)( session->compression & 0xFF );
*p++ = MBEDTLS_BYTE_0( session->compression );
*p++ = (unsigned char)( session->id_len & 0xFF );
*p++ = MBEDTLS_BYTE_0( session->id_len );
memcpy( p, session->id, 32 );
p += 32;
memcpy( p, session->master, 48 );
p += 48;
*p++ = (unsigned char)( ( session->verify_result >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( session->verify_result >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( session->verify_result >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( session->verify_result ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( session->verify_result, p, 0 );
p += 4;
}
/*
@@ -4656,9 +4717,9 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
if( used <= buf_len )
{
*p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( cert_len ) & 0xFF );
*p++ = MBEDTLS_BYTE_2( cert_len );
*p++ = MBEDTLS_BYTE_1( cert_len );
*p++ = MBEDTLS_BYTE_0( cert_len );
if( session->peer_cert != NULL )
{
@@ -4699,9 +4760,9 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
if( used <= buf_len )
{
*p++ = (unsigned char)( ( session->ticket_len >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( session->ticket_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( session->ticket_len ) & 0xFF );
*p++ = MBEDTLS_BYTE_2( session->ticket_len );
*p++ = MBEDTLS_BYTE_1( session->ticket_len );
*p++ = MBEDTLS_BYTE_0( session->ticket_len );
if( session->ticket != NULL )
{
@@ -4709,10 +4770,8 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
p += session->ticket_len;
}
*p++ = (unsigned char)( ( session->ticket_lifetime >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( session->ticket_lifetime >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( session->ticket_lifetime >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( session->ticket_lifetime ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( session->ticket_lifetime, p, 0 );
p += 4;
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
@@ -4730,7 +4789,7 @@ static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
used += 1;
if( used <= buf_len )
*p++ = (unsigned char)( ( session->encrypt_then_mac ) & 0xFF );
*p++ = MBEDTLS_BYTE_0( session->encrypt_then_mac );
#endif
return( used );
@@ -5076,20 +5135,68 @@ int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
/*
* Perform a single step of the SSL handshake
*/
static int ssl_prepare_handshake_step( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
return( ret );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
{
if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
return( ret );
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
return( ret );
}
int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ssl == NULL || ssl->conf == NULL )
if( ssl == NULL ||
ssl->conf == NULL ||
ssl->handshake == NULL ||
ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
{
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
ret = ssl_prepare_handshake_step( ssl );
if( ret != 0 )
return( ret );
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
ret = mbedtls_ssl_tls13_handshake_client_step( ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
ret = mbedtls_ssl_handshake_client_step( ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
}
#endif
#if defined(MBEDTLS_SSL_SRV_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
ret = mbedtls_ssl_tls13_handshake_server_step( ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
ret = mbedtls_ssl_handshake_server_step( ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
}
#endif
return( ret );
@@ -5393,6 +5500,13 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
mbedtls_ssl_get_output_buflen( ssl ) );
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_free( handshake->transform_earlydata );
mbedtls_free( handshake->transform_handshake );
handshake->transform_earlydata = NULL;
handshake->transform_handshake = NULL;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
}
void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
@@ -5450,11 +5564,11 @@ static unsigned char ssl_serialized_context_header[] = {
MBEDTLS_VERSION_MAJOR,
MBEDTLS_VERSION_MINOR,
MBEDTLS_VERSION_PATCH,
( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 8 ) & 0xFF,
( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG >> 0 ) & 0xFF,
( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 16 ) & 0xFF,
( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 8 ) & 0xFF,
( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG >> 0 ) & 0xFF,
MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
MBEDTLS_BYTE_2( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
MBEDTLS_BYTE_1( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
MBEDTLS_BYTE_0( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
};
/*
@@ -5595,10 +5709,8 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
used += 4 + session_len;
if( used <= buf_len )
{
*p++ = (unsigned char)( ( session_len >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( session_len >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( session_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( session_len ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( session_len, p, 0 );
p += 4;
ret = ssl_session_save( ssl->session, 1,
p, session_len, &session_len );
@@ -5639,33 +5751,19 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
used += 4;
if( used <= buf_len )
{
*p++ = (unsigned char)( ( ssl->badmac_seen >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->badmac_seen >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->badmac_seen >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->badmac_seen ) & 0xFF );
MBEDTLS_PUT_UINT32_BE( ssl->badmac_seen, p, 0 );
p += 4;
}
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
used += 16;
if( used <= buf_len )
{
*p++ = (unsigned char)( ( ssl->in_window_top >> 56 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top >> 48 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top >> 40 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top >> 32 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window_top ) & 0xFF );
MBEDTLS_PUT_UINT64_BE( ssl->in_window_top, p, 0 );
p += 8;
*p++ = (unsigned char)( ( ssl->in_window >> 56 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window >> 48 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window >> 40 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window >> 32 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window >> 24 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window >> 16 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->in_window ) & 0xFF );
MBEDTLS_PUT_UINT64_BE( ssl->in_window, p, 0 );
p += 8;
}
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
@@ -5688,8 +5786,8 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
used += 2;
if( used <= buf_len )
{
*p++ = (unsigned char)( ( ssl->mtu >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ssl->mtu ) & 0xFF );
MBEDTLS_PUT_UINT16_BE( ssl->mtu, p, 0 );
p += 2;
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -5853,14 +5951,14 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
ret = ssl_populate_transform( ssl->transform,
ret = ssl_tls12_populate_transform( ssl->transform,
ssl->session->ciphersuite,
ssl->session->master,
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
ssl->session->encrypt_then_mac,
#endif
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
MBEDTLS_SSL_SOME_SUITES_USE_MAC */
ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
p, /* currently pointing to randbytes */
MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
@@ -6091,6 +6189,11 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
mbedtls_free( ssl->session_negotiate );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_transform_free( ssl->transform_application );
mbedtls_free( ssl->transform_application );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
if( ssl->session )
{
mbedtls_ssl_session_free( ssl->session );
@@ -6191,6 +6294,37 @@ static int ssl_preset_suiteb_hashes[] = {
MBEDTLS_MD_SHA384,
MBEDTLS_MD_NONE
};
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
static uint16_t ssl_preset_default_sig_algs[] = {
/* ECDSA algorithms */
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256,
#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384,
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512,
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECDSA_C */
MBEDTLS_TLS13_SIG_NONE
};
static uint16_t ssl_preset_suiteb_sig_algs[] = {
/* ECDSA algorithms */
#if defined(MBEDTLS_ECDSA_C)
#if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256,
#endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384,
#endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#endif /* MBEDTLS_ECDSA_C */
MBEDTLS_TLS13_SIG_NONE
};
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif
#if defined(MBEDTLS_ECP_C)
@@ -6283,6 +6417,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
}
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*
* Allow all TLS 1.3 key exchange modes by default.
*/
conf->tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/*
* Preset-specific defaults
*/
@@ -6305,6 +6446,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
conf->sig_hashes = ssl_preset_suiteb_hashes;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
conf->tls13_sig_algs = ssl_preset_suiteb_sig_algs;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif
#if defined(MBEDTLS_ECP_C)
@@ -6339,7 +6483,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
conf->sig_hashes = ssl_preset_default_hashes;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
conf->tls13_sig_algs = ssl_preset_default_sig_algs;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C)
conf->curve_list = ssl_preset_default_curves;

772
library/ssl_tls13_client.c Normal file
View File

@@ -0,0 +1,772 @@
/*
* TLS 1.3 client-side functions
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS ( https://tls.mbed.org )
*/
#include "common.h"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#if defined(MBEDTLS_SSL_CLI_C)
#include <string.h>
#include "mbedtls/debug.h"
#include "mbedtls/error.h"
#include "ssl_misc.h"
#include "ecdh_misc.h"
#define CLIENT_HELLO_RANDOM_LEN 32
/* Write extensions */
/*
* ssl_tls13_write_supported_versions_ext():
*
* struct {
* ProtocolVersion versions<2..254>;
* } SupportedVersions;
*/
static int ssl_tls13_write_supported_versions_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
*olen = 0;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported versions extension" ) );
/* Check if we have space to write the extension:
* - extension_type (2 bytes)
* - extension_data_length (2 bytes)
* - versions_length (1 byte )
* - versions (2 bytes)
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 7 );
/* Write extension_type */
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, p, 0 );
/* Write extension_data_length */
MBEDTLS_PUT_UINT16_BE( 3, p, 2 );
p += 4;
/* Length of versions */
*p++ = 0x2;
/* Write values of supported versions.
*
* They are defined by the configuration.
*
* Currently, only one version is advertised.
*/
mbedtls_ssl_write_version( ssl->conf->max_major_ver,
ssl->conf->max_minor_ver,
ssl->conf->transport, p );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "supported version: [%d:%d]",
ssl->conf->max_major_ver,
ssl->conf->max_minor_ver ) );
*olen = 7;
return( 0 );
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* Functions for writing supported_groups extension.
*
* Stucture of supported_groups:
* enum {
* secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
* x25519(0x001D), x448(0x001E),
* ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
* ffdhe6144(0x0103), ffdhe8192(0x0104),
* ffdhe_private_use(0x01FC..0x01FF),
* ecdhe_private_use(0xFE00..0xFEFF),
* (0xFFFF)
* } NamedGroup;
* struct {
* NamedGroup named_group_list<2..2^16-1>;
* } NamedGroupList;
*/
#if defined(MBEDTLS_ECDH_C)
/*
* In versions of TLS prior to TLS 1.3, this extension was named
* 'elliptic_curves' and only contained elliptic curve groups.
*/
static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
*olen = 0;
if( ssl->conf->curve_list == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
for ( const mbedtls_ecp_group_id *grp_id = ssl->conf->curve_list;
*grp_id != MBEDTLS_ECP_DP_NONE;
grp_id++ )
{
const mbedtls_ecp_curve_info *info;
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
if( info == NULL )
continue;
if( !mbedtls_ssl_tls13_named_group_is_ecdhe( info->tls_id ) )
continue;
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2);
MBEDTLS_PUT_UINT16_BE( info->tls_id, p, 0 );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup: %s ( %x )",
mbedtls_ecp_curve_info_from_tls_id( info->tls_id )->name,
info->tls_id ) );
}
*olen = p - buf;
return( 0 );
}
#else
static int ssl_tls13_write_named_group_list_ecdhe( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
((void) ssl);
((void) buf);
((void) end);
*olen = 0;
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif /* MBEDTLS_ECDH_C */
static int ssl_tls13_write_named_group_list_dhe( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
((void) ssl);
((void) buf);
((void) end);
*olen = 0;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "write_named_group_dhe is not implemented" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
static int ssl_tls13_write_supported_groups_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
unsigned char *p = buf ;
unsigned char *named_group_list_ptr; /* Start of named_group_list */
size_t named_group_list_len; /* Length of named_group_list */
size_t output_len = 0;
int ret_ecdhe, ret_dhe;
*olen = 0;
if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) );
/* Check if we have space for header and length fields:
* - extension_type (2 bytes)
* - extension_data_length (2 bytes)
* - named_group_list_length (2 bytes)
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
p += 6;
named_group_list_ptr = p;
ret_ecdhe = ssl_tls13_write_named_group_list_ecdhe( ssl, p, end, &output_len );
if( ret_ecdhe != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_named_group_list_ecdhe", ret_ecdhe );
}
p += output_len;
ret_dhe = ssl_tls13_write_named_group_list_dhe( ssl, p, end, &output_len );
if( ret_dhe != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_named_group_list_dhe", ret_dhe );
}
p += output_len;
/* Both ECDHE and DHE failed. */
if( ret_ecdhe != 0 && ret_dhe != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Both ECDHE and DHE groups are fail. " ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* Length of named_group_list*/
named_group_list_len = p - named_group_list_ptr;
if( named_group_list_len == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "No group available." ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* Write extension_type */
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, buf, 0 );
/* Write extension_data_length */
MBEDTLS_PUT_UINT16_BE( named_group_list_len + 2, buf, 2 );
/* Write length of named_group_list */
MBEDTLS_PUT_UINT16_BE( named_group_list_len, buf, 4 );
MBEDTLS_SSL_DEBUG_BUF( 3, "Supported groups extension", buf + 4, named_group_list_len + 2 );
*olen = p - buf;
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SUPPORTED_GROUPS;
return( 0 );
}
/*
* Functions for writing key_share extension.
*/
#if defined(MBEDTLS_ECDH_C)
static int ssl_tls13_generate_and_write_ecdh_key_exchange(
mbedtls_ssl_context *ssl,
uint16_t named_group,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_tls_id( named_group );
if( curve_info == NULL )
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "offer curve %s", curve_info->name ) );
if( ( ret = mbedtls_ecdh_setup_no_everest( &ssl->handshake->ecdh_ctx,
curve_info->grp_id ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_setup_no_everest", ret );
return( ret );
}
ret = mbedtls_ecdh_tls13_make_params( &ssl->handshake->ecdh_ctx, olen,
buf, end - buf,
ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_tls13_make_params", ret );
return( ret );
}
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
MBEDTLS_DEBUG_ECDH_Q );
return( 0 );
}
#endif /* MBEDTLS_ECDH_C */
static int ssl_tls13_get_default_group_id( mbedtls_ssl_context *ssl,
uint16_t *group_id )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
#if defined(MBEDTLS_ECDH_C)
/* Pick first available ECDHE group compatible with TLS 1.3 */
if( ssl->conf->curve_list == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
for ( const mbedtls_ecp_group_id *grp_id = ssl->conf->curve_list;
*grp_id != MBEDTLS_ECP_DP_NONE;
grp_id++ )
{
const mbedtls_ecp_curve_info *info;
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
if( info != NULL &&
mbedtls_ssl_tls13_named_group_is_ecdhe( info->tls_id ) )
{
*group_id = info->tls_id;
return( 0 );
}
}
#else
((void) ssl);
((void) group_id);
#endif /* MBEDTLS_ECDH_C */
/*
* Add DHE named groups here.
* Pick first available DHE group compatible with TLS 1.3
*/
return( ret );
}
/*
* ssl_tls13_write_key_share_ext
*
* Structure of key_share extension in ClientHello:
*
* struct {
* NamedGroup group;
* opaque key_exchange<1..2^16-1>;
* } KeyShareEntry;
* struct {
* KeyShareEntry client_shares<0..2^16-1>;
* } KeyShareClientHello;
*/
static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
unsigned char *client_shares_ptr; /* Start of client_shares */
size_t client_shares_len; /* Length of client_shares */
uint16_t group_id;
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
*olen = 0;
if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
return( 0 );
/* Check if we have space for header and length fields:
* - extension_type (2 bytes)
* - extension_data_length (2 bytes)
* - client_shares_length (2 bytes)
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
p += 6;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello: adding key share extension" ) );
/* HRR could already have requested something else. */
group_id = ssl->handshake->offered_group_id;
if( !mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) &&
!mbedtls_ssl_tls13_named_group_is_dhe( group_id ) )
{
MBEDTLS_SSL_PROC_CHK( ssl_tls13_get_default_group_id( ssl,
&group_id ) );
}
/*
* Dispatch to type-specific key generation function.
*
* So far, we're only supporting ECDHE. With the introduction
* of PQC KEMs, we'll want to have multiple branches, one per
* type of KEM, and dispatch to the corresponding crypto. And
* only one key share entry is allowed.
*/
client_shares_ptr = p;
#if defined(MBEDTLS_ECDH_C)
if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
{
/* Pointer to group */
unsigned char *group_ptr = p;
/* Length of key_exchange */
size_t key_exchange_len;
/* Check there is space for header of KeyShareEntry
* - group (2 bytes)
* - key_exchange_length (2 bytes)
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
p += 4;
ret = ssl_tls13_generate_and_write_ecdh_key_exchange( ssl, group_id,
p, end,
&key_exchange_len );
p += key_exchange_len;
if( ret != 0 )
return( ret );
/* Write group */
MBEDTLS_PUT_UINT16_BE( group_id, group_ptr, 0 );
/* Write key_exchange_length */
MBEDTLS_PUT_UINT16_BE( key_exchange_len, group_ptr, 2 );
}
else
#endif /* MBEDTLS_ECDH_C */
if( 0 /* other KEMs? */ )
{
/* Do something */
}
else
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
/* Length of client_shares */
client_shares_len = p - client_shares_ptr;
if( client_shares_len == 0)
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "No key share defined." ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* Write extension_type */
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 );
/* Write extension_data_length */
MBEDTLS_PUT_UINT16_BE( client_shares_len + 2, buf, 2 );
/* Write client_shares_length */
MBEDTLS_PUT_UINT16_BE( client_shares_len, buf, 4 );
/* Update offered_group_id field */
ssl->handshake->offered_group_id = group_id;
/* Output the total length of key_share extension. */
*olen = p - buf;
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, key_share extension", buf, *olen );
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_KEY_SHARE;
cleanup:
return( ret );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* Write cipher_suites
* CipherSuite cipher_suites<2..2^16-2>;
*/
static int ssl_tls13_write_client_hello_cipher_suites(
mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
const int *ciphersuite_list;
unsigned char *cipher_suites_ptr; /* Start of the cipher_suites list */
size_t cipher_suites_len;
*olen = 0 ;
/*
* Ciphersuite list
*
* This is a list of the symmetric cipher options supported by
* the client, specifically the record protection algorithm
* ( including secret key length ) and a hash to be used with
* HKDF, in descending order of client preference.
*/
ciphersuite_list = ssl->conf->ciphersuite_list;
/* Check there is space for the cipher suite list length (2 bytes). */
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
p += 2;
/* Write cipher_suites */
cipher_suites_ptr = p;
for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
{
int cipher_suite = ciphersuite_list[i];
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
if( ciphersuite_info == NULL )
continue;
if( !( MBEDTLS_SSL_MINOR_VERSION_4 >= ciphersuite_info->min_minor_ver &&
MBEDTLS_SSL_MINOR_VERSION_4 <= ciphersuite_info->max_minor_ver ) )
continue;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s",
(unsigned int) cipher_suite,
ciphersuite_info->name ) );
/* Check there is space for the cipher suite identifier (2 bytes). */
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
MBEDTLS_PUT_UINT16_BE( cipher_suite, p, 0 );
p += 2;
}
/* Write the cipher_suites length in number of bytes */
cipher_suites_len = p - cipher_suites_ptr;
MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "client hello, got %" MBEDTLS_PRINTF_SIZET " cipher suites",
cipher_suites_len/2 ) );
/* Output the total length of cipher_suites field. */
*olen = p - buf;
return( 0 );
}
/*
* Structure of ClientHello message:
*
* struct {
* ProtocolVersion legacy_version = 0x0303; // TLS v1.2
* Random random;
* opaque legacy_session_id<0..32>;
* CipherSuite cipher_suites<2..2^16-2>;
* opaque legacy_compression_methods<1..2^8-1>;
* Extension extensions<8..2^16-1>;
* } ClientHello;
*/
static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
int ret;
unsigned char *extensions_len_ptr; /* Pointer to extensions length */
size_t output_len; /* Length of buffer used by function */
size_t extensions_len; /* Length of the list of extensions*/
/* Buffer management */
unsigned char *p = buf;
*olen = 0;
/* No validation needed here. It has been done by ssl_conf_check() */
ssl->major_ver = ssl->conf->min_major_ver;
ssl->minor_ver = ssl->conf->min_minor_ver;
/*
* Write legacy_version
* ProtocolVersion legacy_version = 0x0303; // TLS v1.2
*
* For TLS 1.3 we use the legacy version number {0x03, 0x03}
* instead of the true version number.
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 );
p += 2;
/* Write the random bytes ( random ).*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, CLIENT_HELLO_RANDOM_LEN );
memcpy( p, ssl->handshake->randbytes, CLIENT_HELLO_RANDOM_LEN );
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes",
p, CLIENT_HELLO_RANDOM_LEN );
p += CLIENT_HELLO_RANDOM_LEN;
/*
* Write legacy_session_id
*
* Versions of TLS before TLS 1.3 supported a "session resumption" feature
* which has been merged with pre-shared keys in this version. A client
* which has a cached session ID set by a pre-TLS 1.3 server SHOULD set
* this field to that value. In compatibility mode, this field MUST be
* non-empty, so a client not offering a pre-TLS 1.3 session MUST generate
* a new 32-byte value. This value need not be random but SHOULD be
* unpredictable to avoid implementations fixating on a specific value
* ( also known as ossification ). Otherwise, it MUST be set as a zero-length
* vector ( i.e., a zero-valued single byte length field ).
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
*p++ = 0; /* session id length set to zero */
/* Write cipher_suites */
ret = ssl_tls13_write_client_hello_cipher_suites( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write legacy_compression_methods
*
* For every TLS 1.3 ClientHello, this vector MUST contain exactly
* one byte set to zero, which corresponds to the 'null' compression
* method in prior versions of TLS.
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
*p++ = 1;
*p++ = MBEDTLS_SSL_COMPRESS_NULL;
/* Write extensions */
/* Keeping track of the included extensions */
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
/* First write extensions, then the total length */
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
extensions_len_ptr = p;
p += 2;
/* Write supported_versions extension
*
* Supported Versions Extension is mandatory with TLS 1.3.
*/
ret = ssl_tls13_write_supported_versions_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/* Write supported_groups extension
*
* It is REQUIRED for ECDHE cipher_suites.
*/
ret = ssl_tls13_write_supported_groups_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write key_share extension
*
* We need to send the key shares under three conditions:
* 1) A certificate-based ciphersuite is being offered. In this case
* supported_groups and supported_signature extensions have been
* successfully added.
* 2) A PSK-based ciphersuite with ECDHE is offered. In this case the
* psk_key_exchange_modes has been added as the last extension.
* 3) Or, in case all ciphers are supported ( which includes #1 and #2
* from above )
*/
ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write signature_algorithms extension
*
* It is REQUIRED for certificate authenticated cipher_suites.
*/
ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* Add more extensions here */
/* Write the length of the list of extensions. */
extensions_len = p - extensions_len_ptr - 2;
MBEDTLS_PUT_UINT16_BE( extensions_len, extensions_len_ptr, 0 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET ,
extensions_len ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", extensions_len_ptr, extensions_len );
*olen = p - buf;
return( 0 );
}
static int ssl_tls13_finalize_client_hello( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );
return( 0 );
}
static int ssl_tls13_prepare_client_hello( mbedtls_ssl_context *ssl )
{
int ret;
if( ssl->conf->f_rng == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided" ) );
return( MBEDTLS_ERR_SSL_NO_RNG );
}
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng,
ssl->handshake->randbytes,
CLIENT_HELLO_RANDOM_LEN ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
return( ret );
}
return( 0 );
}
/*
* Write ClientHello handshake message.
*/
static int ssl_tls13_write_client_hello( mbedtls_ssl_context *ssl )
{
int ret = 0;
unsigned char *buf;
size_t buf_len, msg_len;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_client_hello( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
&buf, &buf_len ) );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_client_hello_body( ssl, buf,
buf + buf_len,
&msg_len ) );
mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl,
MBEDTLS_SSL_HS_CLIENT_HELLO,
msg_len );
ssl->handshake->update_checksum( ssl, buf, msg_len );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_client_hello( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
buf_len,
msg_len ) );
cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
return ret;
}
int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
{
int ret = 0;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
switch( ssl->state )
{
/*
* ssl->state is initialized as HELLO_REQUEST. It is the same
* as CLIENT_HELLO state.
*/
case MBEDTLS_SSL_HELLO_REQUEST:
case MBEDTLS_SSL_CLIENT_HELLO:
ret = ssl_tls13_write_client_hello( ssl );
break;
case MBEDTLS_SSL_SERVER_HELLO:
// Stop here : we haven't finished whole flow
ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS );
break;
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
return( ret );
}
#endif /* MBEDTLS_SSL_CLI_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */

173
library/ssl_tls13_generic.c Normal file
View File

@@ -0,0 +1,173 @@
/*
* TLS 1.3 functionality shared between client and server
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "common.h"
#if defined(MBEDTLS_SSL_TLS_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "ssl_misc.h"
int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
unsigned hs_type,
unsigned char **buf,
size_t *buf_len )
{
/*
* Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
* ...
* HandshakeType msg_type;
* uint24 length;
* ...
*/
*buf = ssl->out_msg + 4;
*buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = hs_type;
return( 0 );
}
int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
size_t buf_len,
size_t msg_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t msg_len_with_header;
((void) buf_len);
/* Add reserved 4 bytes for handshake header */
msg_len_with_header = msg_len + 4;
ssl->out_msglen = msg_len_with_header;
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
cleanup:
return( ret );
}
void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
unsigned hs_type,
size_t total_hs_len )
{
unsigned char hs_hdr[4];
/* Build HS header for checksum update. */
hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
}
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/*
* mbedtls_ssl_tls13_write_sig_alg_ext( )
*
* enum {
* ....
* ecdsa_secp256r1_sha256( 0x0403 ),
* ecdsa_secp384r1_sha384( 0x0503 ),
* ecdsa_secp521r1_sha512( 0x0603 ),
* ....
* } SignatureScheme;
*
* struct {
* SignatureScheme supported_signature_algorithms<2..2^16-2>;
* } SignatureSchemeList;
*
* Only if we handle at least one key exchange that needs signatures.
*/
int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
unsigned char *supported_sig_alg_ptr; /* Start of supported_signature_algorithms */
size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
*olen = 0;
/* Skip the extension on the client if all allowed key exchanges
* are PSK-based. */
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
!mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
return( 0 );
}
#endif /* MBEDTLS_SSL_CLI_C */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
/* Check if we have space for header and length field:
* - extension_type (2 bytes)
* - extension_data_length (2 bytes)
* - supported_signature_algorithms_length (2 bytes)
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
p += 6;
/*
* Write supported_signature_algorithms
*/
supported_sig_alg_ptr = p;
for( const uint16_t *sig_alg = ssl->conf->tls13_sig_algs;
*sig_alg != MBEDTLS_TLS13_SIG_NONE; sig_alg++ )
{
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
}
/* Length of supported_signature_algorithms */
supported_sig_alg_len = p - supported_sig_alg_ptr;
if( supported_sig_alg_len == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* Write extension_type */
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
/* Write extension_data_length */
MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
/* Write length of supported_signature_algorithms */
MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
/* Output the total length of signature algorithms extension. */
*olen = p - buf;
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_SSL_TLS_C */

127
library/ssl_tls13_keys.c
View File

@@ -113,17 +113,17 @@ static void ssl_tls1_3_hkdf_encode_label(
#endif
*p++ = 0;
*p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );
*p++ = MBEDTLS_BYTE_0( desired_length );
/* Add label incl. prefix */
*p++ = (unsigned char)( total_label_len & 0xFF );
*p++ = MBEDTLS_BYTE_0( total_label_len );
memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) );
p += sizeof(tls1_3_label_prefix);
memcpy( p, label, llen );
p += llen;
/* Add context value */
*p++ = (unsigned char)( clen & 0xFF );
*p++ = MBEDTLS_BYTE_0( clen );
if( clen != 0 )
memcpy( p, ctx, clen );
@@ -699,4 +699,125 @@ exit:
return( ret );
}
int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
int endpoint,
int ciphersuite,
mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
{
int ret;
mbedtls_cipher_info_t const *cipher_info;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
unsigned char const *key_enc;
unsigned char const *iv_enc;
unsigned char const *key_dec;
unsigned char const *iv_dec;
#if !defined(MBEDTLS_DEBUG_C)
ssl = NULL; /* make sure we don't use it except for those cases */
(void) ssl;
#endif
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
if( ciphersuite_info == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
ciphersuite ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
if( cipher_info == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
ciphersuite_info->cipher ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
/*
* Setup cipher contexts in target transform
*/
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
cipher_info ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
return( ret );
}
if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
cipher_info ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
return( ret );
}
#if defined(MBEDTLS_SSL_SRV_C)
if( endpoint == MBEDTLS_SSL_IS_SERVER )
{
key_enc = traffic_keys->server_write_key;
key_dec = traffic_keys->client_write_key;
iv_enc = traffic_keys->server_write_iv;
iv_dec = traffic_keys->client_write_iv;
}
else
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_CLI_C)
if( endpoint == MBEDTLS_SSL_IS_CLIENT )
{
key_enc = traffic_keys->client_write_key;
key_dec = traffic_keys->server_write_key;
iv_enc = traffic_keys->client_write_iv;
iv_dec = traffic_keys->server_write_iv;
}
else
#endif /* MBEDTLS_SSL_CLI_C */
{
/* should not happen */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
key_enc, cipher_info->key_bitlen,
MBEDTLS_ENCRYPT ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
return( ret );
}
if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
key_dec, cipher_info->key_bitlen,
MBEDTLS_DECRYPT ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
return( ret );
}
/*
* Setup other fields in SSL transform
*/
if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
transform->taglen = 8;
else
transform->taglen = 16;
transform->ivlen = traffic_keys->iv_len;
transform->maclen = 0;
transform->fixed_ivlen = transform->ivlen;
transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4;
/* We add the true record content type (1 Byte) to the plaintext and
* then pad to the configured granularity. The mimimum length of the
* type-extended and padded plaintext is therefore the padding
* granularity. */
transform->minlen =
transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */

33
library/ssl_tls13_keys.h
View File

@@ -498,4 +498,37 @@ int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl,
unsigned char const *transcript,
unsigned char *result );
/**
* \bref Setup an SSL transform structure representing the
* record protection mechanism used by TLS 1.3
*
* \param transform The SSL transform structure to be created. This must have
* been initialized through mbedtls_ssl_transform_init() and
* not used in any other way prior to calling this function.
* In particular, this function does not clean up the
* transform structure prior to installing the new keys.
* \param endpoint Indicates whether the transform is for the client
* (value #MBEDTLS_SSL_IS_CLIENT) or the server
* (value #MBEDTLS_SSL_IS_SERVER).
* \param ciphersuite The numerical identifier for the ciphersuite to use.
* This must be one of the identifiers listed in
* ssl_ciphersuites.h.
* \param traffic_keys The key material to use. No reference is stored in
* the SSL transform being generated, and the caller
* should destroy the key material afterwards.
* \param ssl (Debug-only) The SSL context to use for debug output
* in case of failure. This parameter is only needed if
* #MBEDTLS_DEBUG_C is set, and is ignored otherwise.
*
* \return \c 0 on success. In this case, \p transform is ready to
* be used with mbedtls_ssl_transform_decrypt() and
* mbedtls_ssl_transform_encrypt().
* \return A negative error code on failure.
*/
int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
int endpoint,
int ciphersuite,
mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */

31
tests/include/test/drivers/size.h → library/ssl_tls13_server.c
View File

@@ -1,7 +1,7 @@
/*
* Test driver for context size functions
*/
/* Copyright The Mbed TLS Contributors
* TLS 1.3 server-side functions
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -15,19 +15,22 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
*/
#ifndef PSA_CRYPTO_TEST_DRIVERS_SIZE_H
#define PSA_CRYPTO_TEST_DRIVERS_SIZE_H
#include "common.h"
#include "mbedtls/build_info.h"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#if defined(PSA_CRYPTO_DRIVER_TEST)
#include <psa/crypto_driver_common.h>
#if defined(MBEDTLS_SSL_SRV_C)
size_t mbedtls_test_size_function(
const psa_key_type_t key_type,
const size_t key_bits );
#include "ssl_misc.h"
#endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_TEST_DRIVERS_SIZE_H */
int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
{
((void) ssl);
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif /* MBEDTLS_SSL_SRV_C */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */

3
library/x509write_crt.c
View File

@@ -251,8 +251,7 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
c = buf + 5;
ku[0] = (unsigned char)( key_usage );
ku[1] = (unsigned char)( key_usage >> 8 );
MBEDTLS_PUT_UINT16_LE( key_usage, ku, 0 );
ret = mbedtls_asn1_write_named_bitstring( &c, buf, ku, 9 );
if( ret < 0 )

1
programs/.gitignore vendored
View File

@@ -56,6 +56,7 @@ ssl/ssl_server
ssl/ssl_server2
test/benchmark
test/cpp_dummy_build
test/cpp_dummy_build.cpp
test/ecp-bench
test/query_compile_time_config
test/selftest

7
programs/Makefile
View File

@@ -335,6 +335,10 @@ test/benchmark$(EXEXT): test/benchmark.c $(DEP)
echo " CC test/benchmark.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/benchmark.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/cpp_dummy_build.cpp: test/generate_cpp_dummy_build.sh
echo " Gen test/cpp_dummy_build.cpp"
test/generate_cpp_dummy_build.sh
test/cpp_dummy_build$(EXEXT): test/cpp_dummy_build.cpp $(DEP)
echo " CXX test/cpp_dummy_build.cpp"
$(CXX) $(LOCAL_CXXFLAGS) $(CXXFLAGS) test/cpp_dummy_build.cpp $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
@@ -395,10 +399,11 @@ clean:
ifndef WINDOWS
rm -f $(EXES)
-rm -f ssl/ssl_pthread_server$(EXEXT)
-rm -f test/cpp_dummy_build$(EXEXT)
-rm -f test/cpp_dummy_build.cpp test/cpp_dummy_build$(EXEXT)
else
if exist *.o del /Q /F *.o
if exist *.exe del /Q /F *.exe
if exist test\cpp_dummy_build.cpp del /Q /F test\cpp_dummy_build.cpp
endif
$(MAKE) -C fuzz clean

222
programs/ssl/ssl_client2.c
View File

@@ -65,6 +65,7 @@ int main( void )
#define DFL_ECJPAKE_PW NULL
#define DFL_EC_MAX_OPS -1
#define DFL_FORCE_CIPHER 0
#define DFL_TLS13_KEX_MODES MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL
#define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0
@@ -88,6 +89,7 @@ int main( void )
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
#define DFL_ALPN_STRING NULL
#define DFL_CURVES NULL
#define DFL_SIG_ALGS NULL
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
#define DFL_HS_TO_MIN 0
#define DFL_HS_TO_MAX 0
@@ -269,6 +271,15 @@ int main( void )
#define USAGE_CURVES ""
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define USAGE_SIG_ALGS \
" sig_algs=a,b,c,d default: \"default\" (library default)\n" \
" example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
#else
#define USAGE_SIG_ALGS ""
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \
@@ -335,6 +346,14 @@ int main( void )
#define USAGE_SERIALIZATION ""
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#define USAGE_TLS13_KEY_EXCHANGE_MODES \
" tls13_kex_modes=%%s default: all\n" \
" options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n"
#else
#define USAGE_TLS13_KEY_EXCHANGE_MODES ""
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/* USAGE is arbitrarily split to stay under the portable string literal
* length limit: 4095 bytes in C99. */
#define USAGE1 \
@@ -393,16 +412,25 @@ int main( void )
USAGE_ETM \
USAGE_REPRODUCIBLE \
USAGE_CURVES \
USAGE_SIG_ALGS \
USAGE_DHMLEN \
"\n"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#define TLS1_3_VERSION_OPTIONS ", tls1_3"
#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#define TLS1_3_VERSION_OPTIONS ""
#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#define USAGE4 \
" allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1_2)\n" \
" max_version=%%s default: (library default: tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: tls1_2, dtls1_2\n" \
"\n" \
" force_ciphersuite=<name> default: all enabled\n"\
" options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \
"\n\n" \
" force_ciphersuite=<name> default: all enabled\n" \
USAGE_TLS13_KEY_EXCHANGE_MODES \
" query_config=<name> return 0 if the specified\n" \
" configuration macro is defined and 1\n" \
" otherwise. The expansion of the macro\n" \
@@ -412,7 +440,7 @@ int main( void )
#define ALPN_LIST_SIZE 10
#define CURVE_LIST_SIZE 20
#define SIG_ALG_LIST_SIZE 5
/*
* global options
@@ -446,6 +474,9 @@ struct options
const char *ecjpake_pw; /* the EC J-PAKE password */
int ec_max_ops; /* EC consecutive operations limit */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */
int renegotiate; /* attempt renegotiation? */
@@ -465,6 +496,7 @@ struct options
int reconnect_hard; /* unexpectedly reconnect from the same port */
int tickets; /* enable / disable session tickets */
const char *curves; /* list of supported elliptic curves */
const char *sig_algs; /* supported TLS 1.3 signature algorithms */
const char *alpn_string; /* ALPN supported protocols */
int transport; /* TLS or DTLS? */
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
@@ -624,6 +656,12 @@ int main( int argc, char *argv[] )
mbedtls_net_context server_fd;
io_ctx_t io_ctx;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
unsigned char buf[MAX_REQUEST_SIZE + 1];
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
@@ -807,6 +845,9 @@ int main( int argc, char *argv[] )
opt.ecjpake_pw = DFL_ECJPAKE_PW;
opt.ec_max_ops = DFL_EC_MAX_OPS;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
opt.tls13_kex_modes = DFL_TLS13_KEX_MODES;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.renegotiate = DFL_RENEGOTIATE;
@@ -826,6 +867,7 @@ int main( int argc, char *argv[] )
opt.tickets = DFL_TICKETS;
opt.alpn_string = DFL_ALPN_STRING;
opt.curves = DFL_CURVES;
opt.sig_algs = DFL_SIG_ALGS;
opt.transport = DFL_TRANSPORT;
opt.hs_to_min = DFL_HS_TO_MIN;
opt.hs_to_max = DFL_HS_TO_MAX;
@@ -1056,6 +1098,12 @@ int main( int argc, char *argv[] )
}
else if( strcmp( p, "curves" ) == 0 )
opt.curves = q;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
else if( strcmp( p, "sig_algs" ) == 0 )
opt.sig_algs = q;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
else if( strcmp( p, "etm" ) == 0 )
{
switch( atoi( q ) )
@@ -1065,11 +1113,33 @@ int main( int argc, char *argv[] )
default: goto usage;
}
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( p, "tls13_kex_modes" ) == 0 )
{
if( strcmp( q, "psk" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
else if( strcmp(q, "psk_ephemeral" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
else if( strcmp(q, "ephemeral" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
else if( strcmp(q, "ephemeral_all" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
else if( strcmp( q, "psk_all" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL;
else if( strcmp( q, "all" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
else goto usage;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "tls1_2" ) == 0 ||
strcmp( q, "dtls1_2" ) == 0 )
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( q, "tls1_3" ) == 0 )
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else
goto usage;
}
@@ -1078,6 +1148,10 @@ int main( int argc, char *argv[] )
if( strcmp( q, "tls1_2" ) == 0 ||
strcmp( q, "dtls1_2" ) == 0 )
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( q, "tls1_3" ) == 0 )
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else
goto usage;
}
@@ -1103,6 +1177,13 @@ int main( int argc, char *argv[] )
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3;
opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( q, "tls1_3" ) == 0 )
{
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4;
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else
goto usage;
}
@@ -1428,6 +1509,60 @@ int main( int argc, char *argv[] )
}
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( opt.sig_algs != NULL )
{
p = (char *) opt.sig_algs;
i = 0;
/* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list (sig_alg_list). */
while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' )
{
q = p;
/* Terminate the current string */
while( *p != ',' && *p != '\0' )
p++;
if( *p == ',' )
*p++ = '\0';
if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256;
}
else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384;
}
else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512;
}
else
{
mbedtls_printf( "unknown signature algorithm %s\n", q );
mbedtls_printf( "supported signature algorithms: " );
mbedtls_printf( "ecdsa_secp256r1_sha256 " );
mbedtls_printf( "ecdsa_secp384r1_sha384 " );
mbedtls_printf( "ecdsa_secp521r1_sha512 " );
mbedtls_printf( "\n" );
goto exit;
}
}
if( i == ( SIG_ALG_LIST_SIZE - 1 ) && *p != '\0' )
{
mbedtls_printf( "signature algorithm list too long, maximum %d",
SIG_ALG_LIST_SIZE - 1 );
goto exit;
}
sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
{
@@ -1570,41 +1705,7 @@ int main( int argc, char *argv[] )
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
* 2. Start the connection
*/
if( opt.server_addr == NULL)
opt.server_addr = opt.server_name;
mbedtls_printf( " . Connecting to %s/%s/%s...",
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp",
opt.server_addr, opt.server_port );
fflush( stdout );
if( ( ret = mbedtls_net_connect( &server_fd,
opt.server_addr, opt.server_port,
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_net_connect returned -0x%x\n\n",
(unsigned int) -ret );
goto exit;
}
if( opt.nbio > 0 )
ret = mbedtls_net_set_nonblock( &server_fd );
else
ret = mbedtls_net_set_block( &server_fd );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n",
(unsigned int) -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 3. Setup stuff
* 2. Setup stuff
*/
mbedtls_printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
@@ -1760,6 +1861,10 @@ int main( int argc, char *argv[] )
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, opt.tls13_kex_modes );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -1797,6 +1902,11 @@ int main( int argc, char *argv[] )
}
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( opt.sig_algs != NULL )
mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 )
@@ -1956,6 +2066,40 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
/*
* 3. Start the connection
*/
if( opt.server_addr == NULL)
opt.server_addr = opt.server_name;
mbedtls_printf( " . Connecting to %s/%s/%s...",
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp",
opt.server_addr, opt.server_port );
fflush( stdout );
if( ( ret = mbedtls_net_connect( &server_fd,
opt.server_addr, opt.server_port,
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_net_connect returned -0x%x\n\n",
(unsigned int) -ret );
goto exit;
}
if( opt.nbio > 0 )
ret = mbedtls_net_set_nonblock( &server_fd );
else
ret = mbedtls_net_set_block( &server_fd );
if( ret != 0 )
{
mbedtls_printf( " failed\n ! net_set_(non)block() returned -0x%x\n\n",
(unsigned int) -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 4. Handshake
*/

190
programs/ssl/ssl_server2.c
View File

@@ -95,6 +95,7 @@ int main( void )
#define DFL_ECJPAKE_PW NULL
#define DFL_PSK_LIST NULL
#define DFL_FORCE_CIPHER 0
#define DFL_TLS13_KEX_MODES MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL
#define DFL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0
@@ -119,6 +120,7 @@ int main( void )
#define DFL_SNI NULL
#define DFL_ALPN_STRING NULL
#define DFL_CURVES NULL
#define DFL_SIG_ALGS NULL
#define DFL_DHM_FILE NULL
#define DFL_TRANSPORT MBEDTLS_SSL_TRANSPORT_STREAM
#define DFL_COOKIES 1
@@ -418,6 +420,15 @@ int main( void )
#define USAGE_CURVES ""
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
#define USAGE_SIG_ALGS \
" sig_algs=a,b,c,d default: \"default\" (library default)\n" \
" example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
#else
#define USAGE_SIG_ALGS ""
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
#define USAGE_SERIALIZATION \
" serialize=%%d default: 0 (do not serialize/deserialize)\n" \
@@ -432,6 +443,15 @@ int main( void )
#define USAGE_SERIALIZATION ""
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#define USAGE_TLS13_KEY_EXCHANGE_MODES \
" tls13_kex_modes=%%s default: all\n" \
" options: psk, psk_ephemeral, ephemeral, ephemeral_all, psk_all, all\n"
#else
#define USAGE_TLS13_KEY_EXCHANGE_MODES ""
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/* USAGE is arbitrarily split to stay under the portable string literal
* length limit: 4095 bytes in C99. */
#define USAGE1 \
@@ -484,7 +504,15 @@ int main( void )
USAGE_EMS \
USAGE_ETM \
USAGE_CURVES \
USAGE_SIG_ALGS \
"\n"
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
#define TLS1_3_VERSION_OPTIONS ", tls1_3"
#else /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#define TLS1_3_VERSION_OPTIONS ""
#endif /* !MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#define USAGE4 \
USAGE_SSL_ASYNC \
USAGE_SNI \
@@ -492,9 +520,10 @@ int main( void )
" min_version=%%s default: (library default: tls1_2)\n" \
" max_version=%%s default: (library default: tls1_2)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: tls1_2, dtls1_2\n" \
"\n" \
" options: tls1_2, dtls1_2" TLS1_3_VERSION_OPTIONS \
"\n\n" \
" force_ciphersuite=<name> default: all enabled\n" \
USAGE_TLS13_KEY_EXCHANGE_MODES \
" query_config=<name> return 0 if the specified\n" \
" configuration macro is defined and 1\n" \
" otherwise. The expansion of the macro\n" \
@@ -504,6 +533,7 @@ int main( void )
#define ALPN_LIST_SIZE 10
#define CURVE_LIST_SIZE 20
#define SIG_ALG_LIST_SIZE 5
#define PUT_UINT64_BE(out_be,in_le,i) \
{ \
@@ -557,6 +587,9 @@ struct options
char *psk_list; /* list of PSK id/key pairs for callback */
const char *ecjpake_pw; /* the EC J-PAKE password */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
int renegotiation; /* enable / disable renegotiation */
int allow_legacy; /* allow legacy renegotiation */
int renegotiate; /* attempt renegotiation? */
@@ -576,6 +609,7 @@ struct options
int cache_timeout; /* expiration delay of session cache entries */
char *sni; /* string describing sni information */
const char *curves; /* list of supported elliptic curves */
const char *sig_algs; /* supported TLS 1.3 signature algorithms */
const char *alpn_string; /* ALPN supported protocols */
const char *dhm_file; /* the file with the DH parameters */
int extended_ms; /* allow negotiation of extended MS? */
@@ -1319,6 +1353,12 @@ int main( int argc, char *argv[] )
size_t context_buf_len = 0;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
int i;
char *p, *q;
const int *list;
@@ -1471,6 +1511,9 @@ int main( int argc, char *argv[] )
opt.psk_list = DFL_PSK_LIST;
opt.ecjpake_pw = DFL_ECJPAKE_PW;
opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
opt.tls13_kex_modes = DFL_TLS13_KEX_MODES;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
opt.renegotiation = DFL_RENEGOTIATION;
opt.allow_legacy = DFL_ALLOW_LEGACY;
opt.renegotiate = DFL_RENEGOTIATE;
@@ -1491,6 +1534,7 @@ int main( int argc, char *argv[] )
opt.sni = DFL_SNI;
opt.alpn_string = DFL_ALPN_STRING;
opt.curves = DFL_CURVES;
opt.sig_algs = DFL_SIG_ALGS;
opt.dhm_file = DFL_DHM_FILE;
opt.transport = DFL_TRANSPORT;
opt.cookies = DFL_COOKIES;
@@ -1658,6 +1702,12 @@ int main( int argc, char *argv[] )
}
else if( strcmp( p, "curves" ) == 0 )
opt.curves = q;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
else if( strcmp( p, "sig_algs" ) == 0 )
opt.sig_algs = q;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL && && \
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
else if( strcmp( p, "renegotiation" ) == 0 )
{
opt.renegotiation = (atoi( q )) ?
@@ -1707,11 +1757,34 @@ int main( int argc, char *argv[] )
if( opt.exchanges < 0 )
goto usage;
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( p, "tls13_kex_modes" ) == 0 )
{
if( strcmp( q, "psk" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK;
else if( strcmp(q, "psk_ephemeral" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
else if( strcmp(q, "ephemeral" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL;
else if( strcmp(q, "ephemeral_all" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
else if( strcmp( q, "psk_all" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL;
else if( strcmp( q, "all" ) == 0 )
opt.tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
else goto usage;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else if( strcmp( p, "min_version" ) == 0 )
{
if( strcmp( q, "tls1_2" ) == 0 ||
strcmp( q, "dtls1_2" ) == 0 )
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( q, "tls1_3" ) == 0 )
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else
goto usage;
}
@@ -1720,6 +1793,10 @@ int main( int argc, char *argv[] )
if( strcmp( q, "tls1_2" ) == 0 ||
strcmp( q, "dtls1_2" ) == 0 )
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( q, "tls1_3" ) == 0 )
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else
goto usage;
}
@@ -1745,6 +1822,13 @@ int main( int argc, char *argv[] )
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3;
opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
else if( strcmp( q, "tls1_3" ) == 0 )
{
opt.min_version = MBEDTLS_SSL_MINOR_VERSION_4;
opt.max_version = MBEDTLS_SSL_MINOR_VERSION_4;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
else
goto usage;
}
@@ -2150,6 +2234,60 @@ int main( int argc, char *argv[] )
}
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( opt.sig_algs != NULL )
{
p = (char *) opt.sig_algs;
i = 0;
/* Leave room for a final MBEDTLS_TLS13_SIG_NONE in signature algorithm list (sig_alg_list). */
while( i < SIG_ALG_LIST_SIZE - 1 && *p != '\0' )
{
q = p;
/* Terminate the current string */
while( *p != ',' && *p != '\0' )
p++;
if( *p == ',' )
*p++ = '\0';
if( strcmp( q, "ecdsa_secp256r1_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256;
}
else if( strcmp( q, "ecdsa_secp384r1_sha384" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384;
}
else if( strcmp( q, "ecdsa_secp521r1_sha512" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512;
}
else
{
mbedtls_printf( "unknown signature algorithm %s\n", q );
mbedtls_printf( "supported signature algorithms: " );
mbedtls_printf( "ecdsa_secp256r1_sha256 " );
mbedtls_printf( "ecdsa_secp384r1_sha384 " );
mbedtls_printf( "ecdsa_secp521r1_sha512 " );
mbedtls_printf( "\n" );
goto exit;
}
}
if( i == ( SIG_ALG_LIST_SIZE - 1 ) && *p != '\0' )
{
mbedtls_printf( "signature algorithm list too long, maximum %d",
SIG_ALG_LIST_SIZE - 1 );
goto exit;
}
sig_alg_list[i] = MBEDTLS_TLS13_SIG_NONE;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_ALPN)
if( opt.alpn_string != NULL )
{
@@ -2376,26 +2514,7 @@ int main( int argc, char *argv[] )
#endif /* SNI_OPTION */
/*
* 2. Setup the listening TCP socket
*/
mbedtls_printf( " . Bind on %s://%s:%s/ ...",
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp",
opt.server_addr ? opt.server_addr : "*",
opt.server_port );
fflush( stdout );
if( ( ret = mbedtls_net_bind( &listen_fd, opt.server_addr, opt.server_port,
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* 3. Setup stuff
* 2. Setup stuff
*/
mbedtls_printf( " . Setting up the SSL/TLS structure..." );
fflush( stdout );
@@ -2607,6 +2726,10 @@ int main( int argc, char *argv[] )
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_conf_tls13_key_exchange_modes( &conf, opt.tls13_kex_modes );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -2747,6 +2870,11 @@ int main( int argc, char *argv[] )
}
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
if( opt.sig_algs != NULL )
mbedtls_ssl_conf_sig_algs( &conf, sig_alg_list );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 )
@@ -2889,6 +3017,24 @@ int main( int argc, char *argv[] )
mbedtls_printf( " ok\n" );
/*
* 3. Setup the listening TCP socket
*/
mbedtls_printf( " . Bind on %s://%s:%s/ ...",
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp",
opt.server_addr ? opt.server_addr : "*",
opt.server_port );
fflush( stdout );
if( ( ret = mbedtls_net_bind( &listen_fd, opt.server_addr, opt.server_port,
opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
reset:
#if !defined(_WIN32)
if( received_sigterm )

12
programs/test/CMakeLists.txt
View File

@@ -14,7 +14,17 @@ set(executables_mbedcrypto
)
if(TEST_CPP)
list(APPEND executables_mbedcrypto cpp_dummy_build)
set(cpp_dummy_build_cpp "${CMAKE_CURRENT_BINARY_DIR}/cpp_dummy_build.cpp")
set(generate_cpp_dummy_build "${CMAKE_CURRENT_SOURCE_DIR}/generate_cpp_dummy_build.sh")
add_custom_command(
OUTPUT "${cpp_dummy_build_cpp}"
COMMAND "${generate_cpp_dummy_build}" "${cpp_dummy_build_cpp}"
DEPENDS "${generate_cpp_dummy_build}"
WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
)
add_executable(cpp_dummy_build "${cpp_dummy_build_cpp}")
target_include_directories(cpp_dummy_build PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../include)
target_link_libraries(cpp_dummy_build ${mbedcrypto_target})
endif()
foreach(exe IN LISTS executables_libs executables_mbedcrypto)

98
programs/test/cpp_dummy_build.cpp
View File

@@ -1,98 +0,0 @@
/*
* This program is a dummy C++ program to ensure Mbed TLS library header files
* can be included and built with a C++ compiler.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mbedtls/build_info.h"
#include "mbedtls/aes.h"
#include "mbedtls/aria.h"
#include "mbedtls/asn1.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/base64.h"
#include "mbedtls/bignum.h"
#include "mbedtls/camellia.h"
#include "mbedtls/ccm.h"
#include "mbedtls/chacha20.h"
#include "mbedtls/chachapoly.h"
#include "mbedtls/check_config.h"
#include "mbedtls/cipher.h"
#include "mbedtls/cmac.h"
#include "mbedtls/config_psa.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"
#include "mbedtls/des.h"
#include "mbedtls/dhm.h"
#include "mbedtls/ecdh.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecjpake.h"
#include "mbedtls/ecp.h"
#include "mbedtls/entropy.h"
#include "mbedtls/error.h"
#include "mbedtls/gcm.h"
#include "mbedtls/hkdf.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/md.h"
#include "mbedtls/md5.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/nist_kw.h"
#include "mbedtls/oid.h"
#include "mbedtls/pem.h"
#include "mbedtls/pk.h"
#include "mbedtls/pkcs12.h"
#include "mbedtls/pkcs5.h"
#include "mbedtls/platform_time.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/poly1305.h"
#include "mbedtls/psa_util.h"
#include "mbedtls/ripemd160.h"
#include "mbedtls/rsa.h"
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_cache.h"
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl_cookie.h"
#include "mbedtls/ssl_ticket.h"
#include "mbedtls/threading.h"
#include "mbedtls/timing.h"
#include "mbedtls/version.h"
#include "mbedtls/x509.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
#endif
#include "psa/crypto.h"
#include "psa/crypto_se_driver.h"
int main()
{
mbedtls_platform_context *ctx = NULL;
mbedtls_platform_setup(ctx);
mbedtls_printf("CPP Build test\n");
mbedtls_platform_teardown(ctx);
}

99
programs/test/generate_cpp_dummy_build.sh Executable file
View File

@@ -0,0 +1,99 @@
#!/bin/sh
DEFAULT_OUTPUT_FILE=programs/test/cpp_dummy_build.cpp
if [ "$1" = "--help" ]; then
cat <<EOF
Usage: $0 [OUTPUT]
Generate a C++ dummy build program that includes all the headers.
OUTPUT defaults to "programs/test/cpp_dummy_build.cpp".
Run this program from the root of an Mbed TLS directory tree or from
its "programs" or "programs/test" subdirectory.
EOF
exit
fi
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
# Ensure a reproducible order for *.h
export LC_ALL=C
print_cpp () {
cat <<'EOF'
/* Automatically generated file. Do not edit.
*
* This program is a dummy C++ program to ensure Mbed TLS library header files
* can be included and built with a C++ compiler.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "mbedtls/build_info.h"
EOF
for header in include/mbedtls/*.h include/psa/*.h; do
case ${header#include/} in
mbedtls/mbedtls_config.h) :;; # not meant for direct inclusion
psa/crypto_config.h) :;; # not meant for direct inclusion
# Some of the psa/crypto_*.h headers are not meant to be included
# directly. They do have include guards that make them no-ops if
# psa/crypto.h has been included before. Since psa/crypto.h comes
# before psa/crypto_*.h in the wildcard enumeration, we don't need
# to skip those headers.
*) echo "#include \"${header#include/}\"";;
esac
done
cat <<'EOF'
int main()
{
mbedtls_platform_context *ctx = NULL;
mbedtls_platform_setup(ctx);
mbedtls_printf("CPP Build test passed\n");
mbedtls_platform_teardown(ctx);
}
EOF
}
if [ -d include/mbedtls ]; then
:
elif [ -d ../include/mbedtls ]; then
cd ..
elif [ -d ../../include/mbedtls ]; then
cd ../..
else
echo >&2 "This script must be run from an Mbed TLS source tree."
exit 3
fi
print_cpp >"${1:-$DEFAULT_OUTPUT_FILE}"

12
scripts/bump_version.sh
View File

@@ -24,6 +24,8 @@
# [ -v | --verbose ] [ -h | --help ]
#
set -e
VERSION=""
SOVERSION=""
@@ -79,6 +81,10 @@ then
exit 1
fi
[ $VERBOSE ] && echo "Bumping VERSION in CMakeLists.txt"
sed -e "s/ VERSION [0-9.]\{1,\}/ VERSION $VERSION/g" < CMakeLists.txt > tmp
mv tmp CMakeLists.txt
[ $VERBOSE ] && echo "Bumping VERSION in library/CMakeLists.txt"
sed -e "s/ VERSION [0-9.]\{1,\}/ VERSION $VERSION/g" < library/CMakeLists.txt > tmp
mv tmp library/CMakeLists.txt
@@ -116,10 +122,10 @@ then
mv tmp library/Makefile
fi
[ $VERBOSE ] && echo "Bumping VERSION in include/mbedtls/version.h"
[ $VERBOSE ] && echo "Bumping VERSION in include/mbedtls/build_info.h"
read MAJOR MINOR PATCH <<<$(IFS="."; echo $VERSION)
VERSION_NR="$( printf "0x%02X%02X%02X00" $MAJOR $MINOR $PATCH )"
cat include/mbedtls/version.h | \
cat include/mbedtls/build_info.h | \
sed -e "s/_VERSION_MAJOR .\{1,\}/_VERSION_MAJOR $MAJOR/" | \
sed -e "s/_VERSION_MINOR .\{1,\}/_VERSION_MINOR $MINOR/" | \
sed -e "s/_VERSION_PATCH .\{1,\}/_VERSION_PATCH $PATCH/" | \
@@ -127,7 +133,7 @@ cat include/mbedtls/version.h | \
sed -e "s/_VERSION_STRING .\{1,\}/_VERSION_STRING \"$VERSION\"/" | \
sed -e "s/_VERSION_STRING_FULL .\{1,\}/_VERSION_STRING_FULL \"mbed TLS $VERSION\"/" \
> tmp
mv tmp include/mbedtls/version.h
mv tmp include/mbedtls/build_info.h
[ $VERBOSE ] && echo "Bumping version in tests/suites/test_suite_version.data"
sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tests/suites/test_suite_version.data > tmp

4
tests/compat-in-docker.sh
View File

@@ -42,13 +42,13 @@ esac
case "${GNUTLS_CLI:-default}" in
"legacy") export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";;
"next") export GNUTLS_CLI="/usr/local/gnutls-3.6.5/bin/gnutls-cli";;
"next") export GNUTLS_CLI="/usr/local/gnutls-3.7.2/bin/gnutls-cli";;
*) ;;
esac
case "${GNUTLS_SERV:-default}" in
"legacy") export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";;
"next") export GNUTLS_SERV="/usr/local/gnutls-3.6.5/bin/gnutls-serv";;
"next") export GNUTLS_SERV="/usr/local/gnutls-3.7.2/bin/gnutls-serv";;
*) ;;
esac

18
tests/docker/bionic/Dockerfile
View File

@@ -137,29 +137,29 @@ RUN cd /tmp \
ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli
ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv
# Build libnettle 3.4 (needed by gnutls next)
# Build libnettle 3.7.3 (needed by gnutls next)
RUN cd /tmp \
&& wget https://ftp.gnu.org/gnu/nettle/nettle-3.4.1.tar.gz -qO- | tar xz \
&& cd nettle-3.4.1 \
&& wget https://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz -qO- | tar xz \
&& cd nettle-3.7.3 \
&& ./configure --disable-documentation \
&& make ${MAKEFLAGS_PARALLEL} \
&& make install \
&& /sbin/ldconfig \
&& rm -rf /tmp/nettle*
# Build gnutls next (3.6.5)
# Build gnutls next (3.7.2)
RUN cd /tmp \
&& wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.5.tar.xz -qO- | tar xJ \
&& cd gnutls-3.6.5 \
&& ./configure --prefix=/usr/local/gnutls-3.6.5 --exec_prefix=/usr/local/gnutls-3.6.5 \
&& wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.2.tar.xz -qO- | tar xJ \
&& cd gnutls-3.7.2 \
&& ./configure --prefix=/usr/local/gnutls-3.7.2 --exec_prefix=/usr/local/gnutls-3.7.2 \
--with-included-libtasn1 --with-included-unistring --without-p11-kit \
--disable-shared --disable-guile --disable-doc \
&& make ${MAKEFLAGS_PARALLEL} \
&& make install \
&& rm -rf /tmp/gnutls*
ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.6.5/bin/gnutls-cli
ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.6.5/bin/gnutls-serv
ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.7.2/bin/gnutls-cli
ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.7.2/bin/gnutls-serv
RUN pip3 install --no-cache-dir \
mbed-host-tests \

32
tests/include/test/drivers/key_management.h
View File

@@ -49,6 +49,20 @@ static inline mbedtls_test_driver_key_management_hooks_t
return( v );
}
/*
* In order to convert the plain text keys to Opaque, the size of the key is
* padded up by PSA_CRYPTO_TEST_DRIVER_OPAQUE_PAD_PREFIX_SIZE in addition to
* xor mangling the key. The pad prefix needs to be accounted for while
* sizing for the key.
*/
#define PSA_CRYPTO_TEST_DRIVER_OPAQUE_PAD_PREFIX 0xBEEFED00U
#define PSA_CRYPTO_TEST_DRIVER_OPAQUE_PAD_PREFIX_SIZE sizeof( \
PSA_CRYPTO_TEST_DRIVER_OPAQUE_PAD_PREFIX )
size_t mbedtls_test_opaque_size_function(
const psa_key_type_t key_type,
const size_t key_bits );
extern mbedtls_test_driver_key_management_hooks_t
mbedtls_test_driver_key_management_hooks;
@@ -84,10 +98,28 @@ psa_status_t mbedtls_test_transparent_import_key(
size_t *key_buffer_length,
size_t *bits);
psa_status_t mbedtls_test_opaque_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
uint8_t *key_buffer,
size_t key_buffer_size,
size_t *key_buffer_length,
size_t *bits);
psa_status_t mbedtls_test_opaque_get_builtin_key(
psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length );
psa_status_t mbedtls_test_opaque_copy_key(
psa_key_attributes_t *attributes,
const uint8_t *source_key,
size_t source_key_length,
uint8_t *target_key_buffer,
size_t target_key_buffer_size,
size_t *target_key_buffer_length);
#endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_TEST_DRIVERS_KEY_MANAGEMENT_H */

1
tests/include/test/drivers/test_driver.h
View File

@@ -28,6 +28,5 @@
#include "test/drivers/mac.h"
#include "test/drivers/key_management.h"
#include "test/drivers/signature.h"
#include "test/drivers/size.h"
#endif /* PSA_CRYPTO_TEST_DRIVER_H */

667
tests/scripts/all.sh
View File

File diff suppressed because it is too large Load Diff

19
tests/scripts/check-generated-files.sh
View File

@@ -23,12 +23,13 @@ set -eu
if [ $# -ne 0 ] && [ "$1" = "--help" ]; then
cat <<EOF
$0 [-u]
$0 [-l | -u]
This script checks that all generated file are up-to-date. If some aren't, by
default the scripts reports it and exits in error; with the -u option, it just
updates them instead.
-u Update the files rather than return an error for out-of-date files.
-l List generated files, but do not update them.
EOF
exit
fi
@@ -39,10 +40,13 @@ if [ -d library -a -d include -a -d tests ]; then :; else
fi
UPDATE=
if [ $# -ne 0 ] && [ "$1" = "-u" ]; then
shift
UPDATE='y'
fi
LIST=
while getopts lu OPTLET; do
case $OPTLET in
l) LIST=1;;
u) UPDATE=1;;
esac
done
# check SCRIPT FILENAME[...]
# check SCRIPT DIRECTORY
@@ -58,6 +62,11 @@ check()
SCRIPT=$1
shift
if [ -n "$LIST" ]; then
printf '%s\n' "$@"
return
fi
directory=
if [ -d "$1" ]; then
directory="$1"

271
tests/src/drivers/test_driver_key_management.c
View File

@@ -56,6 +56,103 @@ const uint8_t mbedtls_test_driver_ecdsa_pubkey[65] =
0xbc, 0x25, 0x16, 0xc3, 0xd2, 0x70, 0x2d, 0x79,
0x2f, 0x13, 0x1a, 0x92, 0x20, 0x95, 0xfd, 0x6c };
/*
* This macro returns the base size for the key context when SE does not
* support storage. It is the size of the metadata that gets added to the
* wrapped key. In its test functionality the metadata is just some padded
* prefixing to the key.
*/
#define TEST_DRIVER_KEY_CONTEXT_BASE_SIZE \
PSA_CRYPTO_TEST_DRIVER_OPAQUE_PAD_PREFIX_SIZE
size_t mbedtls_test_opaque_size_function(
const psa_key_type_t key_type,
const size_t key_bits )
{
size_t key_buffer_size = 0;
key_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE( key_type, key_bits );
if( key_buffer_size == 0 )
return( 0 );
/* Include spacing for base size overhead over the key size
* */
key_buffer_size += TEST_DRIVER_KEY_CONTEXT_BASE_SIZE;
return( key_buffer_size );
}
static size_t mbedtls_test_opaque_get_base_size()
{
return TEST_DRIVER_KEY_CONTEXT_BASE_SIZE;
}
/*
* The wrap function mbedtls_test_opaque_wrap_key pads and wraps the
* clear key. It expects the clear and wrap buffers to be passed in.
* key_length is the size of the clear key to be wrapped.
* wrapped_key_buffer_size is the size of the output buffer wrap_key.
* The argument wrapped_key_buffer_length is filled with the wrapped
* key_size on success.
* */
static psa_status_t mbedtls_test_opaque_wrap_key(
const uint8_t *key,
size_t key_length,
uint8_t *wrapped_key_buffer,
size_t wrapped_key_buffer_size,
size_t *wrapped_key_buffer_length )
{
size_t opaque_key_base_size = mbedtls_test_opaque_get_base_size();
uint64_t prefix = PSA_CRYPTO_TEST_DRIVER_OPAQUE_PAD_PREFIX;
if( key_length + opaque_key_base_size > wrapped_key_buffer_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
/* Write in the opaque pad prefix */
memcpy( wrapped_key_buffer, &prefix, opaque_key_base_size );
wrapped_key_buffer += opaque_key_base_size;
*wrapped_key_buffer_length = key_length + opaque_key_base_size;
while( key_length-- )
wrapped_key_buffer[key_length] = key[key_length] ^ 0xFF;
return( PSA_SUCCESS );
}
/*
* The unwrap function mbedtls_test_opaque_unwrap_key removes a pad prefix
* and unwraps the wrapped key. It expects the clear and wrap buffers to be
* passed in.
* wrapped_key_length is the size of the wrapped key,
* key_buffer_size is the size of the output buffer clear_key.
* The argument key_buffer_length is filled with the unwrapped(clear)
* key_size on success.
* */
static psa_status_t mbedtls_test_opaque_unwrap_key(
const uint8_t *wrapped_key,
size_t wrapped_key_length,
uint8_t *key_buffer,
size_t key_buffer_size,
size_t *key_buffer_length)
{
/* Remove the pad prefix from the wrapped key */
size_t opaque_key_base_size = mbedtls_test_opaque_get_base_size();
size_t clear_key_size;
/* Check for underflow */
if( wrapped_key_length < opaque_key_base_size )
return( PSA_ERROR_DATA_CORRUPT );
clear_key_size = wrapped_key_length - opaque_key_base_size;
wrapped_key += opaque_key_base_size;
if( clear_key_size > key_buffer_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
*key_buffer_length = clear_key_size;
while( clear_key_size-- )
key_buffer[clear_key_size] = wrapped_key[clear_key_size] ^ 0xFF;
return( PSA_SUCCESS );
}
psa_status_t mbedtls_test_transparent_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key, size_t key_size, size_t *key_length )
@@ -131,7 +228,7 @@ psa_status_t mbedtls_test_transparent_import_key(
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( type ) )
{
status = mbedtls_transparent_test_driver_ecp_import_key(
status = mbedtls_test_driver_ecp_import_key(
attributes,
data, data_length,
key_buffer, key_buffer_size,
@@ -143,7 +240,7 @@ psa_status_t mbedtls_test_transparent_import_key(
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_RSA( type ) )
{
status = mbedtls_transparent_test_driver_rsa_import_key(
status = mbedtls_test_driver_rsa_import_key(
attributes,
data, data_length,
key_buffer, key_buffer_size,
@@ -165,17 +262,90 @@ psa_status_t mbedtls_test_transparent_import_key(
return( status );
}
psa_status_t mbedtls_test_opaque_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
uint8_t *key_buffer,
size_t key_buffer_size,
size_t *key_buffer_length,
size_t *bits)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t type = psa_get_key_type( attributes );
/* This buffer will be used as an intermediate placeholder for
* the clear key till we wrap it */
uint8_t *key_buffer_temp;
key_buffer_temp = mbedtls_calloc( 1, key_buffer_size );
if( key_buffer_temp == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY );
if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) )
{
*bits = PSA_BYTES_TO_BITS( data_length );
status = psa_validate_unstructured_key_bit_size( type,
*bits );
if( status != PSA_SUCCESS )
goto exit;
if( data_length > key_buffer_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
/* Copy the key material accounting for opaque key padding. */
memcpy( key_buffer_temp, data, data_length );
*key_buffer_length = data_length;
}
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
else if( PSA_KEY_TYPE_IS_ECC( type ) )
{
status = mbedtls_test_driver_ecp_import_key(
attributes,
data, data_length,
key_buffer_temp,
key_buffer_size,
key_buffer_length, bits );
if( status != PSA_SUCCESS )
goto exit;
}
else
#endif
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_RSA( type ) )
{
status = mbedtls_test_driver_rsa_import_key(
attributes,
data, data_length,
key_buffer_temp,
key_buffer_size,
key_buffer_length, bits );
if( status != PSA_SUCCESS )
goto exit;
}
else
#endif
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
status = mbedtls_test_opaque_wrap_key( key_buffer_temp, *key_buffer_length,
key_buffer, key_buffer_size, key_buffer_length );
exit:
mbedtls_free( key_buffer_temp );
return( status );
}
psa_status_t mbedtls_test_opaque_export_key(
const psa_key_attributes_t *attributes,
const uint8_t *key, size_t key_length,
uint8_t *data, size_t data_size, size_t *data_length )
{
if( key_length != sizeof( psa_drv_slot_number_t ) )
if( key_length == sizeof( psa_drv_slot_number_t ) )
{
/* Test driver does not support generic opaque key handling yet. */
return( PSA_ERROR_NOT_SUPPORTED );
}
/* Assume this is a builtin key based on the key material length. */
psa_drv_slot_number_t slot_number = *( ( psa_drv_slot_number_t* ) key );
@@ -228,6 +398,24 @@ psa_status_t mbedtls_test_opaque_export_key(
default:
return( PSA_ERROR_DOES_NOT_EXIST );
}
}
else
{
/* This buffer will be used as an intermediate placeholder for
* the opaque key till we unwrap the key into key_buffer */
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t type = psa_get_key_type( attributes );
if( PSA_KEY_TYPE_IS_UNSTRUCTURED( type ) ||
PSA_KEY_TYPE_IS_RSA( type ) ||
PSA_KEY_TYPE_IS_ECC( type ) )
{
status = mbedtls_test_opaque_unwrap_key( key, key_length,
data, data_size, data_length );
return( status );
}
}
return( PSA_ERROR_NOT_SUPPORTED );
}
psa_status_t mbedtls_test_transparent_export_public_key(
@@ -258,7 +446,7 @@ psa_status_t mbedtls_test_transparent_export_public_key(
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( key_type ) )
{
status = mbedtls_transparent_test_driver_ecp_export_public_key(
status = mbedtls_test_driver_ecp_export_public_key(
attributes,
key_buffer, key_buffer_size,
data, data_size, data_length );
@@ -269,7 +457,7 @@ psa_status_t mbedtls_test_transparent_export_public_key(
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_RSA( key_type ) )
{
status = mbedtls_transparent_test_driver_rsa_export_public_key(
status = mbedtls_test_driver_rsa_export_public_key(
attributes,
key_buffer, key_buffer_size,
data, data_size, data_length );
@@ -293,8 +481,49 @@ psa_status_t mbedtls_test_opaque_export_public_key(
{
if( key_length != sizeof( psa_drv_slot_number_t ) )
{
/* Test driver does not support generic opaque key handling yet. */
return( PSA_ERROR_NOT_SUPPORTED );
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_type_t key_type = psa_get_key_type( attributes );
uint8_t *key_buffer_temp;
key_buffer_temp = mbedtls_calloc( 1, key_length );
if( key_buffer_temp == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY );
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_ECC( key_type ) )
{
status = mbedtls_test_opaque_unwrap_key( key, key_length,
key_buffer_temp, key_length, data_length );
if( status == PSA_SUCCESS )
status = mbedtls_test_driver_ecp_export_public_key(
attributes,
key_buffer_temp, *data_length,
data, data_size, data_length );
}
else
#endif
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
if( PSA_KEY_TYPE_IS_RSA( key_type ) )
{
status = mbedtls_test_opaque_unwrap_key( key, key_length,
key_buffer_temp, key_length, data_length );
if( status == PSA_SUCCESS )
status = mbedtls_test_driver_rsa_export_public_key(
attributes,
key_buffer_temp, *data_length,
data, data_size, data_length );
}
else
#endif
{
status = PSA_ERROR_NOT_SUPPORTED;
(void)key;
(void)key_type;
}
mbedtls_free( key_buffer_temp );
return( status );
}
/* Assume this is a builtin key based on the key material length. */
@@ -385,4 +614,24 @@ psa_status_t mbedtls_test_opaque_get_builtin_key(
}
}
psa_status_t mbedtls_test_opaque_copy_key(
psa_key_attributes_t *attributes,
const uint8_t *source_key, size_t source_key_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
/* This is a case where the opaque test driver emulates an SE without storage.
* With that all key context is stored in the wrapped buffer.
* So no additional house keeping is necessary to reference count the
* copied keys. This could change when the opaque test driver is extended
* to support SE with storage, or to emulate an SE without storage but
* still holding some slot references */
if( source_key_length > key_buffer_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
memcpy( key_buffer, source_key, source_key_length );
*key_buffer_length = source_key_length;
(void)attributes;
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */

97
tests/src/drivers/test_driver_size.c
View File

@@ -1,97 +0,0 @@
/*
* Test driver for retrieving key context size.
* Only used by opaque drivers.
*/
/* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <test/helpers.h>
#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST)
#include "test/drivers/size.h"
#include "psa/crypto.h"
typedef struct {
unsigned int context;
} test_driver_key_context_t;
/*
* This macro returns the base size for the key context. It is the size of the
* driver specific information stored in each key context.
*/
#define TEST_DRIVER_KEY_CONTEXT_BASE_SIZE sizeof( test_driver_key_context_t )
/*
* Number of bytes included in every key context for a key pair.
*
* This pair size is for an ECC 256-bit private/public key pair.
* Based on this value, the size of the private key can be derived by
* subtracting the public key size below from this one.
*/
#define TEST_DRIVER_KEY_CONTEXT_KEY_PAIR_SIZE 65
/*
* Number of bytes included in every key context for a public key.
*
* For ECC public keys, it needs 257 bits so 33 bytes.
*/
#define TEST_DRIVER_KEY_CONTEXT_PUBLIC_KEY_SIZE 33
/*
* Every key context for a symmetric key includes this many times the key size.
*/
#define TEST_DRIVER_KEY_CONTEXT_SYMMETRIC_FACTOR 0
/*
* If this is true for a key pair, the key context includes space for the public key.
* If this is false, no additional space is added for the public key.
*
* For this instance, store the public key with the private one.
*/
#define TEST_DRIVER_KEY_CONTEXT_STORE_PUBLIC_KEY 1
size_t mbedtls_test_size_function(
const psa_key_type_t key_type,
const size_t key_bits )
{
size_t key_buffer_size = 0;
if( PSA_KEY_TYPE_IS_KEY_PAIR( key_type ) )
{
int public_key_overhead =
( ( TEST_DRIVER_KEY_CONTEXT_STORE_PUBLIC_KEY == 1 )
? PSA_EXPORT_KEY_OUTPUT_SIZE( key_type, key_bits ) : 0 );
key_buffer_size = TEST_DRIVER_KEY_CONTEXT_BASE_SIZE +
TEST_DRIVER_KEY_CONTEXT_PUBLIC_KEY_SIZE +
public_key_overhead;
}
else if( PSA_KEY_TYPE_IS_PUBLIC_KEY( key_type ) )
{
key_buffer_size = TEST_DRIVER_KEY_CONTEXT_BASE_SIZE +
TEST_DRIVER_KEY_CONTEXT_PUBLIC_KEY_SIZE;
}
else if ( !PSA_KEY_TYPE_IS_KEY_PAIR( key_type ) &&
!PSA_KEY_TYPE_IS_PUBLIC_KEY ( key_type ) )
{
key_buffer_size = TEST_DRIVER_KEY_CONTEXT_BASE_SIZE +
( TEST_DRIVER_KEY_CONTEXT_SYMMETRIC_FACTOR *
( ( key_bits + 7 ) / 8 ) );
}
return( key_buffer_size );
}
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */

4
tests/ssl-opt-in-docker.sh
View File

@@ -42,13 +42,13 @@ esac
case "${GNUTLS_CLI:-default}" in
"legacy") export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";;
"next") export GNUTLS_CLI="/usr/local/gnutls-3.6.5/bin/gnutls-cli";;
"next") export GNUTLS_CLI="/usr/local/gnutls-3.7.2/bin/gnutls-cli";;
*) ;;
esac
case "${GNUTLS_SERV:-default}" in
"legacy") export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";;
"next") export GNUTLS_SERV="/usr/local/gnutls-3.6.5/bin/gnutls-serv";;
"next") export GNUTLS_SERV="/usr/local/gnutls-3.7.2/bin/gnutls-serv";;
*) ;;
esac

206
tests/ssl-opt.sh
View File

@@ -77,6 +77,14 @@ else
O_LEGACY_CLI=false
fi
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
else
O_NEXT_SRV=false
O_NEXT_CLI=false
fi
if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
else
@@ -346,6 +354,95 @@ requires_openssl_legacy() {
fi
}
requires_openssl_next() {
if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
OPENSSL_NEXT_AVAILABLE="YES"
else
OPENSSL_NEXT_AVAILABLE="NO"
fi
fi
if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
# skip next test if tls1_3 is not available
requires_openssl_tls1_3() {
requires_openssl_next
if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
OPENSSL_TLS1_3_AVAILABLE="NO"
fi
if [ -z "${OPENSSL_TLS1_3_AVAILABLE:-}" ]; then
if $OPENSSL_NEXT s_client -help 2>&1 | grep tls1_3 >/dev/null
then
OPENSSL_TLS1_3_AVAILABLE="YES"
else
OPENSSL_TLS1_3_AVAILABLE="NO"
fi
fi
if [ "$OPENSSL_TLS1_3_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
# skip next test if tls1_3 is not available
requires_gnutls_tls1_3() {
requires_gnutls_next
if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
GNUTLS_TLS1_3_AVAILABLE="NO"
fi
if [ -z "${GNUTLS_TLS1_3_AVAILABLE:-}" ]; then
if $GNUTLS_NEXT_CLI -l 2>&1 | grep VERS-TLS1.3 >/dev/null
then
GNUTLS_TLS1_3_AVAILABLE="YES"
else
GNUTLS_TLS1_3_AVAILABLE="NO"
fi
fi
if [ "$GNUTLS_TLS1_3_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
# Check %NO_TICKETS option
requires_gnutls_next_no_ticket() {
requires_gnutls_next
if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
GNUTLS_NO_TICKETS_AVAILABLE="NO"
fi
if [ -z "${GNUTLS_NO_TICKETS_AVAILABLE:-}" ]; then
if $GNUTLS_NEXT_CLI --priority-list 2>&1 | grep NO_TICKETS >/dev/null
then
GNUTLS_NO_TICKETS_AVAILABLE="YES"
else
GNUTLS_NO_TICKETS_AVAILABLE="NO"
fi
fi
if [ "$GNUTLS_NO_TICKETS_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
# Check %DISABLE_TLS13_COMPAT_MODE option
requires_gnutls_next_disable_tls13_compat() {
requires_gnutls_next
if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE="NO"
fi
if [ -z "${GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE:-}" ]; then
if $GNUTLS_NEXT_CLI --priority-list 2>&1 | grep DISABLE_TLS13_COMPAT_MODE >/dev/null
then
GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE="YES"
else
GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE="NO"
fi
fi
if [ "$GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
# skip next test if IPv6 isn't available on this host
requires_ipv6() {
if [ -z "${HAS_IPV6:-}" ]; then
@@ -693,6 +790,11 @@ find_in_both() {
fi
}
SKIP_HANDSHAKE_CHECK="NO"
skip_handshake_stage_check() {
SKIP_HANDSHAKE_CHECK="YES"
}
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options: -s pattern pattern that must be present in server output
# -c pattern pattern that must be present in client output
@@ -855,6 +957,8 @@ run_test() {
# (useful to avoid tests with only negative assertions and non-zero
# expected client exit to incorrectly succeed in case of catastrophic
# failure)
if [ "X$SKIP_HANDSHAKE_CHECK" != "XYES" ]
then
if is_polar "$SRV_CMD"; then
if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
else
@@ -869,7 +973,9 @@ run_test() {
return
fi
fi
fi
SKIP_HANDSHAKE_CHECK="NO"
# Check server exit code (only for Mbed TLS: GnuTLS and OpenSSL don't
# exit with status 0 when interrupted by a signal, and we don't really
# care anyway), in case e.g. the server reports a memory leak.
@@ -1216,6 +1322,11 @@ if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
fi
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
O_NEXT_CLI="$O_NEXT_CLI -connect localhost:+SRV_PORT"
fi
if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
fi
@@ -1444,6 +1555,40 @@ run_test "SHA-256 allowed by default in client certificate" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
0
# Dummy TLS 1.3 test
# Currently only checking that passing TLS 1.3 key exchange modes to
# ssl_client2/ssl_server2 example programs works.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: PSK only" \
"$P_SRV tls13_kex_modes=psk" \
"$P_CLI tls13_kex_modes=psk" \
0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: PSK-ephemeral only" \
"$P_SRV tls13_kex_modes=psk_ephemeral" \
"$P_CLI tls13_kex_modes=psk_ephemeral" \
0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: Pure-ephemeral only" \
"$P_SRV tls13_kex_modes=ephemeral" \
"$P_CLI tls13_kex_modes=ephemeral" \
0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: All ephemeral" \
"$P_SRV tls13_kex_modes=ephemeral_all" \
"$P_CLI tls13_kex_modes=ephemeral_all" \
0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: All PSK" \
"$P_SRV tls13_kex_modes=psk_all" \
"$P_CLI tls13_kex_modes=psk_all" \
0
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS 1.3, key exchange mode parameter passing: All" \
"$P_SRV tls13_kex_modes=all" \
"$P_CLI tls13_kex_modes=all" \
0
# Tests for datagram packing
run_test "DTLS: multiple records in same datagram, client and server" \
"$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
@@ -8478,6 +8623,67 @@ run_test "export keys functionality" \
-c "EAP-TLS IV is:" \
-s "EAP-TLS IV is:"
# openssl feature tests: check if tls1.3 exists.
requires_openssl_tls1_3
run_test "TLS1.3: Test openssl tls1_3 feature" \
"$O_NEXT_SRV -tls1_3 -msg" \
"$O_NEXT_CLI -tls1_3 -msg" \
0 \
-c "TLS 1.3" \
-s "TLS 1.3"
# gnutls feature tests: check if TLS 1.3 is supported as well as the NO_TICKETS and DISABLE_TLS13_COMPAT_MODE options.
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_gnutls_next_disable_tls13_compat
run_test "TLS1.3: Test gnutls tls1_3 feature" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
0 \
-s "Version: TLS1.3" \
-c "Version: TLS1.3"
# TLS1.3 test cases
# TODO: remove or rewrite this test case if #4832 is resolved.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
skip_handshake_stage_check
run_test "TLS1.3: Not supported version check: tls1_2 and tls1_3" \
"$P_SRV debug_level=1 min_version=tls1_2 max_version=tls1_3" \
"$P_CLI debug_level=1 min_version=tls1_2 max_version=tls1_3" \
1 \
-s "SSL - The requested feature is not available" \
-c "SSL - The requested feature is not available" \
-s "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" \
-c "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS1.3: handshake dispatch test: tls1_3 only" \
"$P_SRV min_version=tls1_3 max_version=tls1_3" \
"$P_CLI min_version=tls1_3 max_version=tls1_3" \
1 \
-s "SSL - The requested feature is not available" \
-c "SSL - The requested feature is not available"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS1.3: Test client hello msg work - openssl" \
"$O_NEXT_SRV -tls1_3 -msg" \
"$P_CLI min_version=tls1_3 max_version=tls1_3" \
1 \
-c "SSL - The requested feature is not available" \
-s "ServerHello"
requires_gnutls_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
run_test "TLS1.3: Test client hello msg work - gnutls" \
"$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --debug=4" \
"$P_CLI min_version=tls1_3 max_version=tls1_3" \
1 \
-c "SSL - The requested feature is not available" \
-s "SERVER HELLO was queued"
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_MEMORY_DEBUG
requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C

227
tests/suites/test_suite_ccm.data
View File

@@ -174,6 +174,10 @@ CCM encrypt and tag RFC 3610 #24
depends_on:MBEDTLS_AES_C
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"D7828D13B2B0BDC325A76236DF93CC6B":"ABF21C0B02FEB88F856DF4A37381BCE3CC128517D4":"008D493B30AE8B3C9696766CFA":"6E37A6EF546D955D34AB6059":"F32905B88A641B04B9C9FFB58CC390900F3DA12AB16DCE9E82EFA16DA62059"
CCM encrypt and tag AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM encrypt and tag NIST VTT AES-128 #1 (P=24, N=13, A=32, T=4)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_AES:"43b1a6bc8d0d22d6d1ca95c18593cca5":"a2b381c7d1545c408fe29817a21dc435a154c87256346b05":"9882578e750b9682c6ca7f8f86":"2084f3861c9ad0ccee7c63a7e05aece5db8b34bd8724cc06b4ca99a7f9c4914f":"cc69ed76985e0ed4c8365a72775e5a19bfccc71aeb116c85a8c74677"
@@ -1517,3 +1521,226 @@ mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FD
CCM-Camellia encrypt and tag RFC 5528 #24
depends_on:MBEDTLS_CAMELLIA_C
mbedtls_ccm_encrypt_and_tag:MBEDTLS_CIPHER_ID_CAMELLIA:"D75C2778078CA93D971F96FDE720F4CD":"9DC9EDAE2FF5DF8636E8C6DE0EED55F7867E33337D":"003B8FD8D3A937B160B6A31C1C":"A4D499F78419728C19178B0C":"4B198156393B0F7796086AAFB454F8C3F034CCA966945F1FCEA7E11BEE6A2F"
CCM encrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* encrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM decrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* decrypt, skip ad AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b"
CCM* encrypt, skip ad NIST VADT AES-128 (P=24, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d24a3d3dde8c84830280cb87abad0bb3":"7c86135ed9c2a515aaae0e9a208133897269220f30870006":"f1100035bb24a8d26004e0e24b":"1faeb0ee2ca2cd52f0aa3966578344f24e69b742c4ab37ab":"1123301219c70599b7c373ad4b3ad67b"
CCM decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54"
CCM* decrypt, skip ad NIST DVPT AES-192 (P=24, N=7, A=0, T=4)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"19ebfde2d5468ba0a3031bde629b11fd4094afcb205393fa":"411986d04d6463100bff03f7d0bde7ea2c3488784378138c":"5a8aa485c316e9":"3796cf51b8726652a4204733b8fbb047cf00fb91a9837e22":"ddc93a54"
CCM encrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM decrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* encrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM* decrypt, skip update AES-128 (P=0, N=13, A=0, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af":"":"eba8347baa6d61f87b67c2dd7c6d2053"
CCM encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880"
CCM* encrypt, skip update NIST VPT AES-128 #1 (P=0, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"2ebf60f0969013a54a3dedb19d20f6c8":"1de8c5e21f9db33123ff870add":"e1de6c6119d7db471136285d10b47a450221b16978569190ef6a22b055295603":"0ead29ef205fbb86d11abe5ed704b880"
CCM decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5"
CCM* decrypt, skip update NIST DVPT AES-256 #23 (P=0, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_skip_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"8c5cf3457ff22228c39c051c4e05ed4093657eb303f859a9d4b0f8be0127d88a":"a544218dadd3c10583db49cf39":"3c0e2815d37d844f7ac240ba9d6e3a0b2a86f706e885959e09a1005e024f6907":"867b0d87cf6e0f718200a97b4f6d5ad5"
CCM encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16))
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16))
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM decrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* encrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* encrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, overflow ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, incomplete ad NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, full ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, incomplete ad and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_ad_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"a6f73242f2f227350c0277e4e72cdaa6"
CCM* decrypt, overflow update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_overflow_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, incomplete update NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, full update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_full_update_and_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM* decrypt, incomplete update and overflow NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_incomplete_update_overflow:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM* encrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM* decrypt, instant finish NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98"
CCM encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM* encrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_ENCRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM* decrypt, instant finish AES-128 (P=0, N=13, A=0, T=16)
mbedtls_ccm_instant_finish:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_STAR_DECRYPT:"54caf96ef6d448734700aadab50faf7a":"a3803e752ae849c910d8da36af"
CCM pass unexpected auth data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
mbedtls_ccm_unexpected_ad::MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"
CCM encrypt, unexpected ciphertext/plaintext data, NIST VPT AES-128 #14 (P=13, N=13, A=32, T=16)
depends_on:MBEDTLS_AES_C
mbedtls_ccm_unexpected_text:MBEDTLS_CIPHER_ID_AES:MBEDTLS_CCM_ENCRYPT:"d32088d50df9aba14d9022c870a0cb85":"4b10788c1a03bca656f04f1f98":"e16c69861efc206e85aab1255e":"0eff7d7bcceb873c3203a8df74f4e91b04bd607ec11202f96cfeb99f5bcdb7aa"

671
tests/suites/test_suite_ccm.function
View File

@@ -1,5 +1,64 @@
/* BEGIN_HEADER */
#include "mbedtls/ccm.h"
/* Use the multipart interface to process the encrypted data in two parts
* and check that the output matches the expected output.
* The context must have been set up with the key. */
static int check_multipart( mbedtls_ccm_context *ctx,
int mode,
const data_t *iv,
const data_t *add,
const data_t *input,
const data_t *expected_output,
const data_t *tag,
size_t n1,
size_t n1_add)
{
int ok = 0;
uint8_t *output = NULL;
size_t n2 = input->len - n1;
size_t n2_add = add->len - n1_add;
size_t olen;
/* Sanity checks on the test data */
TEST_ASSERT( n1 <= input->len );
TEST_ASSERT( n1_add <= add->len );
TEST_EQUAL( input->len, expected_output->len );
TEST_EQUAL( 0, mbedtls_ccm_starts( ctx, mode, iv->x, iv->len ) );
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( ctx, add->len, input->len, tag->len ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( ctx, add->x, n1_add) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( ctx, add->x + n1_add, n2_add ) );
/* Allocate a tight buffer for each update call. This way, if the function
* tries to write beyond the advertised required buffer size, this will
* count as an overflow for memory sanitizers and static checkers. */
ASSERT_ALLOC( output, n1 );
olen = 0xdeadbeef;
TEST_EQUAL( 0, mbedtls_ccm_update( ctx, input->x, n1, output, n1, &olen ) );
TEST_EQUAL( n1, olen );
ASSERT_COMPARE( output, olen, expected_output->x, n1 );
mbedtls_free( output );
output = NULL;
ASSERT_ALLOC( output, n2 );
olen = 0xdeadbeef;
TEST_EQUAL( 0, mbedtls_ccm_update( ctx, input->x + n1, n2, output, n2, &olen ) );
TEST_EQUAL( n2, olen );
ASSERT_COMPARE( output, olen, expected_output->x + n1, n2 );
mbedtls_free( output );
output = NULL;
ASSERT_ALLOC( output, tag->len );
TEST_EQUAL( 0, mbedtls_ccm_finish( ctx, output, tag->len ) );
ASSERT_COMPARE( output, tag->len, tag->x, tag->len );
mbedtls_free( output );
output = NULL;
ok = 1;
exit:
mbedtls_free( output );
return( ok );
}
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -122,71 +181,115 @@ void mbedtls_ccm_encrypt_and_tag( int cipher_id, data_t * key,
data_t * add, data_t * result )
{
mbedtls_ccm_context ctx;
size_t tag_len;
uint8_t * msg_n_tag = (uint8_t *)malloc( result->len + 2 );
size_t n1, n1_add;
uint8_t* io_msg_buf = NULL;
uint8_t* tag_buf = NULL;
const size_t expected_tag_len = result->len - msg->len;
const uint8_t* expected_tag = result->x + msg->len;
/* Prepare input/output message buffer */
ASSERT_ALLOC( io_msg_buf, msg->len );
if( msg->len != 0 )
memcpy( io_msg_buf, msg->x, msg->len );
/* Prepare tag buffer */
ASSERT_ALLOC( tag_buf, expected_tag_len );
mbedtls_ccm_init( &ctx );
memset( msg_n_tag, 0, result->len + 2 );
memcpy( msg_n_tag, msg->x, msg->len );
tag_len = result->len - msg->len;
TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
/* Test with input == output */
TEST_ASSERT( mbedtls_ccm_encrypt_and_tag( &ctx, msg->len, iv->x, iv->len, add->x, add->len,
msg_n_tag, msg_n_tag, msg_n_tag + msg->len, tag_len ) == 0 );
TEST_EQUAL( mbedtls_ccm_encrypt_and_tag( &ctx, msg->len, iv->x, iv->len, add->x, add->len,
io_msg_buf, io_msg_buf, tag_buf, expected_tag_len ), 0);
TEST_ASSERT( memcmp( msg_n_tag, result->x, result->len ) == 0 );
ASSERT_COMPARE( io_msg_buf, msg->len, result->x, msg->len );
ASSERT_COMPARE( tag_buf, expected_tag_len, expected_tag, expected_tag_len );
/* Check we didn't write past the end */
TEST_ASSERT( msg_n_tag[result->len] == 0 && msg_n_tag[result->len + 1] == 0 );
/* Prepare data_t structures for multipart testing */
const data_t encrypted_expected = { .x = result->x,
.len = msg->len };
const data_t tag_expected = { .x = (uint8_t*) expected_tag, /* cast to conform with data_t x type */
.len = expected_tag_len };
for( n1 = 0; n1 <= msg->len; n1 += 1 )
{
for( n1_add = 0; n1_add <= add->len; n1_add += 1 )
{
mbedtls_test_set_step( n1 * 10000 + n1_add );
if( !check_multipart( &ctx, MBEDTLS_CCM_ENCRYPT,
iv, add, msg,
&encrypted_expected,
&tag_expected,
n1, n1_add ) )
goto exit;
}
}
exit:
mbedtls_ccm_free( &ctx );
free( msg_n_tag );
mbedtls_free( io_msg_buf );
mbedtls_free( tag_buf );
}
/* END_CASE */
/* BEGIN_CASE */
void mbedtls_ccm_auth_decrypt( int cipher_id, data_t * key,
data_t * msg, data_t * iv,
data_t * add, int tag_len, int result,
data_t * add, int expected_tag_len, int result,
data_t * expected_msg )
{
unsigned char tag[16];
mbedtls_ccm_context ctx;
size_t n1, n1_add;
const size_t expected_msg_len = msg->len - expected_tag_len;
const uint8_t* expected_tag = msg->x + expected_msg_len;
/* Prepare input/output message buffer */
uint8_t* io_msg_buf = NULL;
ASSERT_ALLOC( io_msg_buf, expected_msg_len );
if( expected_msg_len )
memcpy( io_msg_buf, msg->x, expected_msg_len );
mbedtls_ccm_init( &ctx );
memset( tag, 0x00, sizeof( tag ) );
msg->len -= tag_len;
memcpy( tag, msg->x + msg->len, tag_len );
TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
/* Test with input == output */
TEST_ASSERT( mbedtls_ccm_auth_decrypt( &ctx, msg->len, iv->x, iv->len, add->x, add->len,
msg->x, msg->x, msg->x + msg->len, tag_len ) == result );
TEST_EQUAL( mbedtls_ccm_auth_decrypt( &ctx, expected_msg_len, iv->x, iv->len, add->x, add->len,
io_msg_buf, io_msg_buf, expected_tag, expected_tag_len ), result );
if( result == 0 )
{
TEST_ASSERT( memcmp( msg->x, expected_msg->x, expected_msg->len ) == 0 );
ASSERT_COMPARE( io_msg_buf, expected_msg_len, expected_msg->x, expected_msg_len );
/* Prepare data_t structures for multipart testing */
const data_t encrypted = { .x = msg->x,
.len = expected_msg_len };
const data_t tag_expected = { .x = (uint8_t*) expected_tag,
.len = expected_tag_len };
for( n1 = 0; n1 <= expected_msg_len; n1 += 1 )
{
for( n1_add = 0; n1_add <= add->len; n1_add += 1 )
{
mbedtls_test_set_step( n1 * 10000 + n1_add );
if( !check_multipart( &ctx, MBEDTLS_CCM_DECRYPT,
iv, add, &encrypted,
expected_msg,
&tag_expected,
n1, n1_add ) )
goto exit;
}
}
}
else
{
size_t i;
for( i = 0; i < msg->len; i++ )
TEST_ASSERT( msg->x[i] == 0 );
for( i = 0; i < expected_msg_len; i++ )
TEST_EQUAL( io_msg_buf[i], 0 );
}
/* Check we didn't write past the end (where the original tag is) */
TEST_ASSERT( memcmp( msg->x + msg->len, tag, tag_len ) == 0 );
exit:
mbedtls_free(io_msg_buf);
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
@@ -199,20 +302,32 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id,
data_t *expected_result, int output_ret )
{
unsigned char iv[13];
unsigned char result[50];
mbedtls_ccm_context ctx;
size_t iv_len, tag_len;
int ret;
size_t iv_len, expected_tag_len;
size_t n1, n1_add;
uint8_t* io_msg_buf = NULL;
uint8_t* tag_buf = NULL;
mbedtls_ccm_init( &ctx );
memset( result, 0x00, sizeof( result ) );
const uint8_t* expected_tag = expected_result->x + msg->len;
/* Calculate tag length */
if( sec_level % 4 == 0)
tag_len = 0;
expected_tag_len = 0;
else
tag_len = 1 << ( sec_level % 4 + 1);
expected_tag_len = 1 << ( sec_level % 4 + 1);
/* Prepare input/output message buffer */
ASSERT_ALLOC( io_msg_buf, msg->len );
if( msg->len )
memcpy( io_msg_buf, msg->x, msg->len );
/* Prepare tag buffer */
if( expected_tag_len == 0 )
ASSERT_ALLOC( tag_buf, 16 );
else
ASSERT_ALLOC( tag_buf, expected_tag_len );
/* Calculate iv */
TEST_ASSERT( source_address->len == 8 );
TEST_ASSERT( frame_counter->len == 4 );
memcpy( iv, source_address->x, source_address->len );
@@ -220,24 +335,46 @@ void mbedtls_ccm_star_encrypt_and_tag( int cipher_id,
iv[source_address->len + frame_counter->len] = sec_level;
iv_len = sizeof( iv );
TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id,
key->x, key->len * 8 ) == 0 );
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id,
key->x, key->len * 8 ), 0 );
/* Test with input == output */
TEST_EQUAL( mbedtls_ccm_star_encrypt_and_tag( &ctx, msg->len, iv, iv_len,
add->x, add->len, io_msg_buf,
io_msg_buf, tag_buf, expected_tag_len), output_ret );
ret = mbedtls_ccm_star_encrypt_and_tag( &ctx, msg->len, iv, iv_len,
add->x, add->len, msg->x,
result, result + msg->len, tag_len );
ASSERT_COMPARE( io_msg_buf, msg->len, expected_result->x, msg->len );
ASSERT_COMPARE( tag_buf, expected_tag_len, expected_tag, expected_tag_len );
TEST_ASSERT( ret == output_ret );
if( output_ret == 0 )
{
const data_t iv_data = { .x = iv,
.len = iv_len };
TEST_ASSERT( memcmp( result,
expected_result->x, expected_result->len ) == 0 );
const data_t encrypted_expected = { .x = expected_result->x,
.len = msg->len };
const data_t tag_expected = { .x = (uint8_t*)expected_tag,
.len = expected_tag_len };
/* Check we didn't write past the end */
TEST_ASSERT( result[expected_result->len] == 0 &&
result[expected_result->len + 1] == 0 );
for( n1 = 0; n1 <= msg->len; n1 += 1 )
{
for( n1_add = 0; n1_add <= add->len; n1_add += 1 )
{
mbedtls_test_set_step( n1 * 10000 + n1_add );
if( !check_multipart( &ctx, MBEDTLS_CCM_STAR_ENCRYPT,
&iv_data, add, msg,
&encrypted_expected,
&tag_expected,
n1, n1_add ) )
goto exit;
}
}
}
exit:
mbedtls_ccm_free( &ctx );
mbedtls_free( io_msg_buf );
mbedtls_free( tag_buf );
}
/* END_CASE */
@@ -249,21 +386,27 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id,
data_t *expected_result, int output_ret )
{
unsigned char iv[13];
unsigned char result[50];
mbedtls_ccm_context ctx;
size_t iv_len, tag_len;
int ret;
mbedtls_ccm_init( &ctx );
memset( iv, 0x00, sizeof( iv ) );
memset( result, '+', sizeof( result ) );
size_t iv_len, expected_tag_len;
size_t n1, n1_add;
/* Calculate tag length */
if( sec_level % 4 == 0)
tag_len = 0;
expected_tag_len = 0;
else
tag_len = 1 << ( sec_level % 4 + 1);
expected_tag_len = 1 << ( sec_level % 4 + 1);
const size_t expected_msg_len = msg->len - expected_tag_len;
const uint8_t* expected_tag = msg->x + expected_msg_len;
/* Prepare input/output message buffer */
uint8_t* io_msg_buf = NULL;
ASSERT_ALLOC( io_msg_buf, expected_msg_len );
if( expected_msg_len )
memcpy( io_msg_buf, msg->x, expected_msg_len );
/* Calculate iv */
memset( iv, 0x00, sizeof( iv ) );
TEST_ASSERT( source_address->len == 8 );
TEST_ASSERT( frame_counter->len == 4 );
memcpy( iv, source_address->x, source_address->len );
@@ -271,23 +414,405 @@ void mbedtls_ccm_star_auth_decrypt( int cipher_id,
iv[source_address->len + frame_counter->len] = sec_level;
iv_len = sizeof( iv );
mbedtls_ccm_init( &ctx );
TEST_ASSERT( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ) == 0 );
/* Test with input == output */
TEST_EQUAL( mbedtls_ccm_star_auth_decrypt( &ctx, expected_msg_len, iv, iv_len,
add->x, add->len, io_msg_buf, io_msg_buf,
expected_tag, expected_tag_len ), output_ret );
ret = mbedtls_ccm_star_auth_decrypt( &ctx, msg->len - tag_len, iv, iv_len,
add->x, add->len, msg->x, result,
msg->x + msg->len - tag_len, tag_len );
ASSERT_COMPARE( io_msg_buf, expected_msg_len, expected_result->x, expected_msg_len );
TEST_ASSERT( ret == output_ret );
if( output_ret == 0 )
{
const data_t iv_data = { .x = iv,
.len = iv_len };
TEST_ASSERT( memcmp( result, expected_result->x,
expected_result->len ) == 0 );
const data_t encrypted = { .x = msg->x,
.len = expected_msg_len} ;
/* Check we didn't write past the end (where the original tag is) */
TEST_ASSERT( ( msg->len + 2 ) <= sizeof( result ) );
TEST_EQUAL( result[msg->len], '+' );
TEST_EQUAL( result[msg->len + 1], '+' );
const data_t tag_expected = { .x = (uint8_t*) expected_tag,
.len = expected_tag_len };
for( n1 = 0; n1 <= expected_msg_len; n1 += 1 )
{
for( n1_add = 0; n1_add <= add->len; n1_add += 1 )
{
mbedtls_test_set_step( n1 * 10000 + n1_add );
if( !check_multipart( &ctx, MBEDTLS_CCM_STAR_DECRYPT,
&iv_data, add, &encrypted,
expected_result,
&tag_expected,
n1, n1_add ) )
goto exit;
}
}
}
exit:
mbedtls_ccm_free( &ctx );
mbedtls_free( io_msg_buf );
}
/* END_CASE */
/* Skip auth data, provide full text */
/* BEGIN_CASE */
void mbedtls_ccm_skip_ad( int cipher_id, int mode,
data_t * key, data_t * msg, data_t * iv,
data_t * result, data_t * tag )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
size_t olen;
/* Sanity checks on the test data */
TEST_EQUAL( msg->len, result->len );
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 0, msg->len, tag->len ) );
ASSERT_ALLOC( output, result->len );
olen = 0xdeadbeef;
TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, result->len, &olen ) );
TEST_EQUAL( result->len, olen );
ASSERT_COMPARE( output, olen, result->x, result->len );
mbedtls_free( output );
output = NULL;
ASSERT_ALLOC( output, tag->len );
TEST_EQUAL( 0, mbedtls_ccm_finish( &ctx, output, tag->len ) );
ASSERT_COMPARE( output, tag->len, tag->x, tag->len );
mbedtls_free( output );
output = NULL;
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide auth data, skip full text */
/* BEGIN_CASE */
void mbedtls_ccm_skip_update( int cipher_id, int mode,
data_t * key, data_t * iv, data_t* add,
data_t * tag )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, tag->len ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
ASSERT_ALLOC( output, tag->len );
TEST_EQUAL( 0, mbedtls_ccm_finish( &ctx, output, tag->len ) );
ASSERT_COMPARE( output, tag->len, tag->x, tag->len );
mbedtls_free( output );
output = NULL;
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide too much auth data */
/* BEGIN_CASE */
void mbedtls_ccm_overflow_ad( int cipher_id, int mode,
data_t * key, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded values for msg length and tag length. They are not a part of this test
// subtract 1 from configured auth data length to provoke an overflow
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len - 1, 16, 16 ) );
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
exit:
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide unexpected auth data */
/* BEGIN_CASE */
void mbedtls_ccm_unexpected_ad( int cipher_id, int mode,
data_t * key, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded values for msg length and tag length. They are not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 0, 16, 16 ) );
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
exit:
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide unexpected plaintext/ciphertext data */
/* BEGIN_CASE */
void mbedtls_ccm_unexpected_text( int cipher_id, int mode,
data_t * key, data_t * msg, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
size_t olen;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded value for tag length. It is not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, 16 ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
ASSERT_ALLOC( output, msg->len );
olen = 0xdeadbeef;
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide incomplete auth data and finish */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_ad( int cipher_id, int mode,
data_t * key, data_t * iv, data_t* add )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded values for msg length and tag length. They are not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 0, 16 ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len - 1) );
ASSERT_ALLOC( output, 16 );
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide complete auth data on first update_ad.
* Provide unexpected auth data on second update_ad */
/* BEGIN_CASE */
void mbedtls_ccm_full_ad_and_overflow( int cipher_id, int mode,
data_t * key, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded values for msg length and tag length. They are not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 16, 16 ) );
// pass full auth data
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
// pass 1 extra byte
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add->x, 1) );
exit:
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide incomplete auth data on first update_ad.
* Provide too much auth data on second update_ad */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_ad_and_overflow( int cipher_id, int mode,
data_t * key, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
uint8_t add_second_buffer[2];
add_second_buffer[0] = add->x[ add->len - 1 ];
add_second_buffer[1] = 0xAB; // some magic value
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded values for msg length and tag length. They are not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, 16, 16 ) );
// pass incomplete auth data
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len - 1) );
// pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte)
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_update_ad( &ctx, add_second_buffer, 2) );
exit:
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide too much plaintext/ciphertext */
/* BEGIN_CASE */
void mbedtls_ccm_overflow_update( int cipher_id, int mode,
data_t * key, data_t * msg, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
size_t olen;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded value for tag length. It is a not a part of this test
// subtract 1 from configured msg length to provoke an overflow
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len - 1, 16 ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
ASSERT_ALLOC( output, msg->len );
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \
mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide incomplete plaintext/ciphertext and finish */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_update( int cipher_id, int mode,
data_t * key, data_t * msg, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
size_t olen;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded value for tag length. It is not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len, 16 ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
ASSERT_ALLOC( output, msg->len );
olen = 0xdeadbeef;
TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len - 1, output, msg->len, &olen ) );
mbedtls_free( output );
output = NULL;
ASSERT_ALLOC( output, 16 );
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide full plaintext/ciphertext of first update
* Provide unexpected plaintext/ciphertext on second update */
/* BEGIN_CASE */
void mbedtls_ccm_full_update_and_overflow( int cipher_id, int mode,
data_t * key, data_t * msg, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
size_t olen;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded value for tag length. It is a not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len, 16 ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
ASSERT_ALLOC( output, msg->len );
// pass full text
TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len, output, msg->len, &olen ) );
// pass 1 extra byte
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \
mbedtls_ccm_update( &ctx, msg->x, 1, output, 1, &olen ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Provide incomplete plaintext/ciphertext of first update
* Provide too much plaintext/ciphertext on second update */
/* BEGIN_CASE */
void mbedtls_ccm_incomplete_update_overflow( int cipher_id, int mode,
data_t * key, data_t * msg, data_t * iv,
data_t * add )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
size_t olen;
uint8_t msg_second_buffer[2];
msg_second_buffer[0] = msg->x[ msg->len - 1 ];
msg_second_buffer[1] = 0xAB; // some magic value
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded value for tag length. It is a not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, add->len, msg->len, 16 ) );
TEST_EQUAL( 0, mbedtls_ccm_update_ad( &ctx, add->x, add->len) );
ASSERT_ALLOC( output, msg->len + 1 );
// pass incomplete text
TEST_EQUAL( 0, mbedtls_ccm_update( &ctx, msg->x, msg->len - 1, output, msg->len + 1, &olen ) );
// pass 2 extra bytes (1 missing byte from previous incomplete pass, and 1 unexpected byte)
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, \
mbedtls_ccm_update( &ctx, msg_second_buffer, 2, output + msg->len - 1, 2, &olen ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */
/* Finish without passing any auth data or plaintext/ciphertext input */
/* BEGIN_CASE */
void mbedtls_ccm_instant_finish( int cipher_id, int mode,
data_t * key, data_t * iv )
{
mbedtls_ccm_context ctx;
uint8_t *output = NULL;
mbedtls_ccm_init( &ctx );
TEST_EQUAL( mbedtls_ccm_setkey( &ctx, cipher_id, key->x, key->len * 8 ), 0 );
TEST_EQUAL( 0, mbedtls_ccm_starts( &ctx, mode, iv->x, iv->len ) );
// use hardcoded values for add length, msg length and tag length.
// They are not a part of this test
TEST_EQUAL( 0, mbedtls_ccm_set_lengths( &ctx, 16, 16, 16 ) );
ASSERT_ALLOC( output, 16 );
TEST_EQUAL( MBEDTLS_ERR_CCM_BAD_INPUT, mbedtls_ccm_finish( &ctx, output, 16 ) );
exit:
mbedtls_free( output );
mbedtls_ccm_free( &ctx );
}
/* END_CASE */

39
tests/suites/test_suite_debug.function
View File

@@ -60,10 +60,16 @@ void debug_print_msg_threshold( int threshold, int level, char * file,
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_set_threshold( threshold );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
mbedtls_debug_print_msg( &ssl, level, file, line,
"Text message, 2 == %d", 2 );
@@ -89,10 +95,15 @@ void mbedtls_debug_print_ret( char * file, int line, char * text, int value,
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_print_ret( &ssl, 0, file, line, text, value);
TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
@@ -116,11 +127,15 @@ void mbedtls_debug_print_buf( char * file, int line, char * text,
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_debug_print_buf( &ssl, 0, file, line, text, data->x, data->len );
TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
@@ -146,10 +161,15 @@ void mbedtls_debug_print_crt( char * crt_file, char * file, int line,
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt);
@@ -177,12 +197,17 @@ void mbedtls_debug_print_mpi( int radix, char * value, char * file, int line,
memset( buffer.buf, 0, 2000 );
buffer.ptr = buffer.buf;
mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
TEST_ASSERT( mbedtls_test_read_mpi( &val, radix, value ) == 0 );
mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val);
TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );

2
tests/suites/test_suite_net.function
View File

@@ -9,11 +9,11 @@
#endif
#if defined(MBEDTLS_PLATFORM_IS_UNIXLIKE)
#include <sys/fcntl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#endif

652
tests/suites/test_suite_psa_crypto.data
View File

File diff suppressed because it is too large Load Diff

63
tests/suites/test_suite_psa_crypto.function
View File

@@ -15,6 +15,12 @@
#include "test/asn1_helpers.h"
#include "test/psa_crypto_helpers.h"
#include "test/psa_exercise_key.h"
#if defined(PSA_CRYPTO_DRIVER_TEST)
#include "test/drivers/test_driver.h"
#define TEST_DRIVER_LOCATION PSA_CRYPTO_TEST_DRIVER_LOCATION
#else
#define TEST_DRIVER_LOCATION 0x7fffff
#endif
/* If this comes up, it's a bug in the test code or in the test data. */
#define UNUSED 0xdeadbeef
@@ -484,6 +490,7 @@ exit:
void import_export( data_t *data,
int type_arg,
int usage_arg, int alg_arg,
int lifetime_arg,
int expected_bits,
int export_size_delta,
int expected_export_status_arg,
@@ -494,6 +501,7 @@ void import_export( data_t *data,
psa_algorithm_t alg = alg_arg;
psa_status_t expected_export_status = expected_export_status_arg;
psa_status_t status;
psa_key_lifetime_t lifetime = lifetime_arg;
unsigned char *exported = NULL;
unsigned char *reexported = NULL;
size_t export_size;
@@ -508,6 +516,7 @@ void import_export( data_t *data,
ASSERT_ALLOC( reexported, export_size );
PSA_ASSERT( psa_crypto_init( ) );
psa_set_key_lifetime( &attributes, lifetime );
psa_set_key_usage_flags( &attributes, usage_arg );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, type );
@@ -543,8 +552,11 @@ void import_export( data_t *data,
* this validates the canonical representations. For canonical inputs,
* this doesn't directly validate the implementation, but it still helps
* by cross-validating the test data with the sanity check code. */
if( !psa_key_lifetime_is_external( lifetime ) )
{
if( ! mbedtls_test_psa_exercise_key( key, usage_arg, 0 ) )
goto exit;
}
if( canonical_input )
ASSERT_COMPARE( data->x, data->len, exported, exported_length );
@@ -577,7 +589,7 @@ exit:
* thus reset them as required.
*/
psa_reset_key_attributes( &got_attributes );
psa_destroy_key( key ) ;
mbedtls_free( exported );
mbedtls_free( reexported );
PSA_DONE( );
@@ -588,6 +600,7 @@ exit:
void import_export_public_key( data_t *data,
int type_arg,
int alg_arg,
int lifetime_arg,
int export_size_delta,
int expected_export_status_arg,
data_t *expected_public_key )
@@ -597,6 +610,7 @@ void import_export_public_key( data_t *data,
psa_algorithm_t alg = alg_arg;
psa_status_t expected_export_status = expected_export_status_arg;
psa_status_t status;
psa_key_lifetime_t lifetime = lifetime_arg;
unsigned char *exported = NULL;
size_t export_size = expected_public_key->len + export_size_delta;
size_t exported_length = INVALID_EXPORT_LENGTH;
@@ -604,6 +618,7 @@ void import_export_public_key( data_t *data,
PSA_ASSERT( psa_crypto_init( ) );
psa_set_key_lifetime( &attributes, lifetime );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, type );
@@ -632,7 +647,6 @@ void import_export_public_key( data_t *data,
ASSERT_COMPARE( expected_public_key->x, expected_public_key->len,
exported, exported_length );
}
exit:
/*
* Key attributes may have been returned by psa_get_key_attributes()
@@ -792,7 +806,8 @@ void mac_key_policy( int policy_usage_arg,
int key_type_arg,
data_t *key_data,
int exercise_alg_arg,
int expected_status_arg )
int expected_status_sign_arg,
int expected_status_verify_arg )
{
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -802,7 +817,8 @@ void mac_key_policy( int policy_usage_arg,
psa_algorithm_t exercise_alg = exercise_alg_arg;
psa_key_usage_t policy_usage = policy_usage_arg;
psa_status_t status;
psa_status_t expected_status = expected_status_arg;
psa_status_t expected_status_sign = expected_status_sign_arg;
psa_status_t expected_status_verify = expected_status_verify_arg;
unsigned char mac[PSA_MAC_MAX_SIZE];
PSA_ASSERT( psa_crypto_init( ) );
@@ -818,19 +834,30 @@ void mac_key_policy( int policy_usage_arg,
mbedtls_test_update_key_usage_flags( policy_usage ) );
status = psa_mac_sign_setup( &operation, key, exercise_alg );
if( ( policy_usage & PSA_KEY_USAGE_SIGN_HASH ) == 0 )
TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED );
TEST_EQUAL( status, expected_status_sign );
/* Calculate the MAC, one-shot case. */
uint8_t input[128] = {0};
size_t mac_len;
TEST_EQUAL( psa_mac_compute( key, exercise_alg,
input, 128,
mac, PSA_MAC_MAX_SIZE, &mac_len ),
expected_status_sign );
/* Verify correct MAC, one-shot case. */
status = psa_mac_verify( key, exercise_alg, input, 128,
mac, mac_len );
if( expected_status_sign != PSA_SUCCESS && expected_status_verify == PSA_SUCCESS )
TEST_EQUAL( status, PSA_ERROR_INVALID_SIGNATURE );
else
TEST_EQUAL( status, expected_status );
TEST_EQUAL( status, expected_status_verify );
psa_mac_abort( &operation );
memset( mac, 0, sizeof( mac ) );
status = psa_mac_verify_setup( &operation, key, exercise_alg );
if( ( policy_usage & PSA_KEY_USAGE_VERIFY_HASH ) == 0 )
TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED );
else
TEST_EQUAL( status, expected_status );
TEST_EQUAL( status, expected_status_verify );
exit:
psa_mac_abort( &operation );
@@ -1281,10 +1308,12 @@ exit:
/* BEGIN_CASE */
void copy_success( int source_usage_arg,
int source_alg_arg, int source_alg2_arg,
unsigned int source_lifetime_arg,
int type_arg, data_t *material,
int copy_attributes,
int target_usage_arg,
int target_alg_arg, int target_alg2_arg,
unsigned int target_lifetime_arg,
int expected_usage_arg,
int expected_alg_arg, int expected_alg2_arg )
{
@@ -1293,6 +1322,8 @@ void copy_success( int source_usage_arg,
psa_key_usage_t expected_usage = expected_usage_arg;
psa_algorithm_t expected_alg = expected_alg_arg;
psa_algorithm_t expected_alg2 = expected_alg2_arg;
psa_key_lifetime_t source_lifetime = source_lifetime_arg;
psa_key_lifetime_t target_lifetime = target_lifetime_arg;
mbedtls_svc_key_id_t source_key = MBEDTLS_SVC_KEY_ID_INIT;
mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
uint8_t *export_buffer = NULL;
@@ -1304,6 +1335,7 @@ void copy_success( int source_usage_arg,
psa_set_key_algorithm( &source_attributes, source_alg_arg );
psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg );
psa_set_key_type( &source_attributes, type_arg );
psa_set_key_lifetime( &source_attributes, source_lifetime);
PSA_ASSERT( psa_import_key( &source_attributes,
material->x, material->len,
&source_key ) );
@@ -1313,9 +1345,8 @@ void copy_success( int source_usage_arg,
if( copy_attributes )
{
target_attributes = source_attributes;
/* Set volatile lifetime to reset the key identifier to 0. */
psa_set_key_lifetime( &target_attributes, PSA_KEY_LIFETIME_VOLATILE );
}
psa_set_key_lifetime( &target_attributes, target_lifetime);
if( target_usage_arg != -1 )
psa_set_key_usage_flags( &target_attributes, target_usage_arg );
@@ -1324,6 +1355,7 @@ void copy_success( int source_usage_arg,
if( target_alg2_arg != -1 )
psa_set_key_enrollment_algorithm( &target_attributes, target_alg2_arg );
/* Copy the key. */
PSA_ASSERT( psa_copy_key( source_key,
&target_attributes, &target_key ) );
@@ -1351,10 +1383,13 @@ void copy_success( int source_usage_arg,
export_buffer, length );
}
if( !psa_key_lifetime_is_external( target_lifetime ) )
{
if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg ) )
goto exit;
if( ! mbedtls_test_psa_exercise_key( target_key, expected_usage, expected_alg2 ) )
goto exit;
}
PSA_ASSERT( psa_destroy_key( target_key ) );
@@ -1374,6 +1409,7 @@ exit:
/* BEGIN_CASE */
void copy_fail( int source_usage_arg,
int source_alg_arg, int source_alg2_arg,
int source_lifetime_arg,
int type_arg, data_t *material,
int target_type_arg, int target_bits_arg,
int target_usage_arg,
@@ -1394,6 +1430,7 @@ void copy_fail( int source_usage_arg,
psa_set_key_algorithm( &source_attributes, source_alg_arg );
psa_set_key_enrollment_algorithm( &source_attributes, source_alg2_arg );
psa_set_key_type( &source_attributes, type_arg );
psa_set_key_lifetime( &source_attributes, source_lifetime_arg );
PSA_ASSERT( psa_import_key( &source_attributes,
material->x, material->len,
&source_key ) );

2
tests/suites/test_suite_psa_crypto_slot_management.data
View File

@@ -160,7 +160,7 @@ depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C
create_fail:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_ID_USER_MAX + 1:PSA_ERROR_INVALID_ARGUMENT
Open not supported
depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C
depends_on:!MBEDTLS_PSA_CRYPTO_STORAGE_C:!MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
open_fail:1:PSA_ERROR_NOT_SUPPORTED
Create not supported

56
tests/suites/test_suite_ssl.data
View File

@@ -6021,6 +6021,62 @@ SSL TLS 1.3 Key schedule: Handshake secrets derivation helper
# Vector from RFC 8448
ssl_tls1_3_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803"
SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1
# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
# - Server App IV: 1b13dd9f8d8f17091d34b349
# - Client App Key: 49134b95328f279f0183860589ac6707
# - Client App IV: bc4dd5f7b98acff85466261d
# - App data payload: 70696e67
# - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5
# - Padding used: No (== granularity 1)
ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
# - Server App IV: 1b13dd9f8d8f17091d34b349
# - Client App Key: 49134b95328f279f0183860589ac6707
# - Client App IV: bc4dd5f7b98acff85466261d
# - App data payload: 706f6e67
# - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7
# - Padding used: No (== granularity 1)
ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
SSL TLS 1.3 Record Encryption RFC 8448 Example #1
# Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3
# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56
# - Server App IV: cf 78 2b 88 dd 83 54 9a ad f1 e9 84
# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51
# - Client App IV: 5b 78 92 3d ee 08 57 90 33 e5 23 d9
# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
# 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
# 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
# 30 31
# - Complete record: 17 03 03 00 43 a2 3f 70 54 b6 2c 94 d0 af fa fe
# 82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f
# 2b 98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b
# 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6
# 3a ee bb 21 69 49 15 e4
# - Padding used: No (== granularity 1)
ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
SSL TLS 1.3 Record Encryption RFC 8448 Example #2
# Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3
# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56
# - Server App IV: cf 78 2b 88 dd 83 54 9a ad f1 e9 84
# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51
# - Client App IV: 5b 78 92 3d ee 08 57 90 33 e5 23 d9
# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
# 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
# 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
# 30 31
# - Complete record: 17 03 03 00 43 2e 93 7e 11 ef 4a c7 40 e5 38 ad
# 36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36
# e3 0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8
# fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54
# 0d d0 32 e1 67 c2 95 5d
# - Padding used: No (== granularity 1)
ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
SSL TLS 1.3 Key schedule: Application secrets derivation helper
# Vector from RFC 8448
ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4"

98
tests/suites/test_suite_ssl.function
View File

@@ -3944,6 +3944,104 @@ void ssl_tls1_3_create_psk_binder( int hash_alg,
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
void ssl_tls1_3_record_protection( int ciphersuite,
int endpoint,
int ctr,
int padding_used,
data_t *server_write_key,
data_t *server_write_iv,
data_t *client_write_key,
data_t *client_write_iv,
data_t *plaintext,
data_t *ciphertext )
{
mbedtls_ssl_key_set keys;
mbedtls_ssl_transform transform_send;
mbedtls_ssl_transform transform_recv;
mbedtls_record rec;
unsigned char *buf = NULL;
size_t buf_len;
int other_endpoint;
TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
endpoint == MBEDTLS_SSL_IS_SERVER );
if( endpoint == MBEDTLS_SSL_IS_SERVER )
other_endpoint = MBEDTLS_SSL_IS_CLIENT;
if( endpoint == MBEDTLS_SSL_IS_CLIENT )
other_endpoint = MBEDTLS_SSL_IS_SERVER;
TEST_ASSERT( server_write_key->len == client_write_key->len );
TEST_ASSERT( server_write_iv->len == client_write_iv->len );
memcpy( keys.client_write_key,
client_write_key->x, client_write_key->len );
memcpy( keys.client_write_iv,
client_write_iv->x, client_write_iv->len );
memcpy( keys.server_write_key,
server_write_key->x, server_write_key->len );
memcpy( keys.server_write_iv,
server_write_iv->x, server_write_iv->len );
keys.key_len = server_write_key->len;
keys.iv_len = server_write_iv->len;
mbedtls_ssl_transform_init( &transform_recv );
mbedtls_ssl_transform_init( &transform_send );
TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
&transform_send, endpoint,
ciphersuite, &keys, NULL ) == 0 );
TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
&transform_recv, other_endpoint,
ciphersuite, &keys, NULL ) == 0 );
/* Make sure we have enough space in the buffer even if
* we use more padding than the KAT. */
buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
ASSERT_ALLOC( buf, buf_len );
rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
/* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */
mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_TRANSPORT_STREAM,
rec.ver );
/* Copy plaintext into record structure */
rec.buf = buf;
rec.buf_len = buf_len;
rec.data_offset = 0;
TEST_ASSERT( plaintext->len <= ciphertext->len );
memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len );
rec.data_len = plaintext->len;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
memset( &rec.ctr[0], 0, 8 );
rec.ctr[7] = ctr;
TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec,
NULL, NULL ) == 0 );
if( padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY )
{
ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
ciphertext->x, ciphertext->len );
}
TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 );
ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
plaintext->x, plaintext->len );
mbedtls_free( buf );
mbedtls_ssl_transform_free( &transform_send );
mbedtls_ssl_transform_free( &transform_recv );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
void ssl_tls1_3_key_evolution( int hash_alg,
data_t *secret,