lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-28 00:21:48 +03:00
Code Activity

Merge pull request #5573 from superna9999/5176-5177-5178-5179-tsl-record-hmac

Browse Source 
TLS record HMAC
This commit is contained in:
Manuel Pégourié-Gonnard
2022-03-21 11:36:44 +01:00
committed by GitHub
parent 706f6bae27 0ab7a232b5
commit f4042f076b
8 changed files with 477 additions and 1625 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
library/constant_time.c
View File

@ -437,6 +437,126 @@ void mbedtls_ct_memcpy_offset( unsigned char *dest,
}
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(PSA_WANT_ALG_SHA_384)
#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH( PSA_ALG_SHA_384 )
#elif defined(PSA_WANT_ALG_SHA_256)
#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH( PSA_ALG_SHA_256 )
#else /* See check_config.h */
#define MAX_HASH_BLOCK_LENGTH PSA_HASH_BLOCK_LENGTH( PSA_ALG_SHA_1 )
#endif
int mbedtls_ct_hmac( mbedtls_svc_key_id_t key,
psa_algorithm_t mac_alg,
const unsigned char *add_data,
size_t add_data_len,
const unsigned char *data,
size_t data_len_secret,
size_t min_data_len,
size_t max_data_len,
unsigned char *output )
{
/*
* This function breaks the HMAC abstraction and uses psa_hash_clone()
* extension in order to get constant-flow behaviour.
*
* HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
* concatenation, and okey/ikey are the XOR of the key with some fixed bit
* patterns (see RFC 2104, sec. 2).
*
* We'll first compute ikey/okey, then inner_hash = HASH(ikey + msg) by
* hashing up to minlen, then cloning the context, and for each byte up
* to maxlen finishing up the hash computation, keeping only the
* correct result.
*
* Then we only need to compute HASH(okey + inner_hash) and we're done.
*/
psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( mac_alg );
const size_t block_size = PSA_HASH_BLOCK_LENGTH( hash_alg );
unsigned char key_buf[MAX_HASH_BLOCK_LENGTH];
const size_t hash_size = PSA_HASH_LENGTH( hash_alg );
psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
size_t hash_length;
unsigned char aux_out[PSA_HASH_MAX_SIZE];
psa_hash_operation_t aux_operation = PSA_HASH_OPERATION_INIT;
size_t offset;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t mac_key_length;
size_t i;
#define PSA_CHK( func_call ) \
do { \
status = (func_call); \
if( status != PSA_SUCCESS ) \
goto cleanup; \
} while( 0 )
/* Export MAC key
* We assume key length is always exactly the output size
* which is never more than the block size, thus we use block_size
* as the key buffer size.
*/
PSA_CHK( psa_export_key( key, key_buf, block_size, &mac_key_length ) );
/* Calculate ikey */
for( i = 0; i < mac_key_length; i++ )
key_buf[i] = (unsigned char)( key_buf[i] ^ 0x36 );
for(; i < block_size; ++i )
key_buf[i] = 0x36;
PSA_CHK( psa_hash_setup( &operation, hash_alg ) );
/* Now compute inner_hash = HASH(ikey + msg) */
PSA_CHK( psa_hash_update( &operation, key_buf, block_size ) );
PSA_CHK( psa_hash_update( &operation, add_data, add_data_len ) );
PSA_CHK( psa_hash_update( &operation, data, min_data_len ) );
/* For each possible length, compute the hash up to that point */
for( offset = min_data_len; offset <= max_data_len; offset++ )
{
PSA_CHK( psa_hash_clone( &operation, &aux_operation ) );
PSA_CHK( psa_hash_finish( &aux_operation, aux_out,
PSA_HASH_MAX_SIZE, &hash_length ) );
/* Keep only the correct inner_hash in the output buffer */
mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size,
offset, data_len_secret );
if( offset < max_data_len )
PSA_CHK( psa_hash_update( &operation, data + offset, 1 ) );
}
/* Abort current operation to prepare for final operation */
PSA_CHK( psa_hash_abort( &operation ) );
/* Calculate okey */
for( i = 0; i < mac_key_length; i++ )
key_buf[i] = (unsigned char)( ( key_buf[i] ^ 0x36 ) ^ 0x5C );
for(; i < block_size; ++i )
key_buf[i] = 0x5C;
/* Now compute HASH(okey + inner_hash) */
PSA_CHK( psa_hash_setup( &operation, hash_alg ) );
PSA_CHK( psa_hash_update( &operation, key_buf, block_size ) );
PSA_CHK( psa_hash_update( &operation, output, hash_size ) );
PSA_CHK( psa_hash_finish( &operation, output, hash_size, &hash_length ) );
#undef PSA_CHK
cleanup:
mbedtls_platform_zeroize( key_buf, MAX_HASH_BLOCK_LENGTH );
mbedtls_platform_zeroize( aux_out, PSA_HASH_MAX_SIZE );
psa_hash_abort( &operation );
psa_hash_abort( &aux_operation );
return( psa_ssl_status_to_mbedtls( status ) );
}
#undef MAX_HASH_BLOCK_LENGTH
#else
int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
const unsigned char *add_data,
size_t add_data_len,
@ -520,6 +640,7 @@ cleanup:
mbedtls_md_free( &aux );
return( ret );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */

12
library/constant_time_internal.h
View File

@ -276,6 +276,17 @@ void mbedtls_ct_memcpy_offset( unsigned char *dest,
* \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
* The hardware accelerator failed.
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ct_hmac( mbedtls_svc_key_id_t key,
psa_algorithm_t alg,
const unsigned char *add_data,
size_t add_data_len,
const unsigned char *data,
size_t data_len_secret,
size_t min_data_len,
size_t max_data_len,
unsigned char *output );
#else
int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
const unsigned char *add_data,
size_t add_data_len,
@ -284,6 +295,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
size_t min_data_len,
size_t max_data_len,
unsigned char *output );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */

6
library/ssl_misc.h
View File

@ -954,8 +954,14 @@ struct mbedtls_ssl_transform
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
#else
mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int encrypt_then_mac; /*!< flag for EtM activation */

106
library/ssl_msg.c
View File

@ -673,11 +673,35 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
transform->minor_ver,
transform->taglen );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup( &operation, transform->psa_mac_enc,
transform->psa_mac_alg );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_disabled;
status = psa_mac_update( &operation, add_data, add_data_len );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_disabled;
status = psa_mac_update( &operation, data, rec->data_len );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_disabled;
status = psa_mac_sign_finish( &operation, mac, MBEDTLS_SSL_MAC_ADD,
&sign_mac_length );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_disabled;
#else
ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
add_data_len );
if( ret != 0 )
@ -691,6 +715,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
if( ret != 0 )
goto hmac_failed_etm_disabled;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy( data + rec->data_len, mac, transform->maclen );
#endif
@ -704,6 +729,12 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
hmac_failed_etm_disabled:
mbedtls_platform_zeroize( mac, transform->maclen );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = psa_ssl_status_to_mbedtls( status );
status = psa_mac_abort( &operation );
if( ret == 0 && status != PSA_SUCCESS )
ret = psa_ssl_status_to_mbedtls( status );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac_xxx", ret );
@ -998,6 +1029,10 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
if( auth_done == 0 )
{
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
size_t sign_mac_length = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/*
* MAC(MAC_write_key, seq_num +
@ -1021,6 +1056,25 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
add_data_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_sign_setup( &operation, transform->psa_mac_enc,
transform->psa_mac_alg );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
status = psa_mac_update( &operation, add_data, add_data_len );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
status = psa_mac_update( &operation, data, rec->data_len );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
status = psa_mac_sign_finish( &operation, mac, MBEDTLS_SSL_MAC_ADD,
&sign_mac_length );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
#else
ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
add_data_len );
@ -1036,6 +1090,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
if( ret != 0 )
goto hmac_failed_etm_enabled;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
memcpy( data + rec->data_len, mac, transform->maclen );
@ -1045,6 +1100,12 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
hmac_failed_etm_enabled:
mbedtls_platform_zeroize( mac, transform->maclen );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = psa_ssl_status_to_mbedtls( status );
status = psa_mac_abort( &operation );
if( ret == 0 && status != PSA_SUCCESS )
ret = psa_ssl_status_to_mbedtls( status );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "HMAC calculation failed", ret );
@ -1331,7 +1392,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#else
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
@ -1353,6 +1418,26 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
/* Calculate expected MAC. */
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
add_data_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_mac_verify_setup( &operation, transform->psa_mac_dec,
transform->psa_mac_alg );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
status = psa_mac_update( &operation, add_data, add_data_len );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
status = psa_mac_update( &operation, data, rec->data_len );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
/* Compare expected MAC with MAC at the end of the record. */
status = psa_mac_verify_finish( &operation, data + rec->data_len,
transform->maclen );
if( status != PSA_SUCCESS )
goto hmac_failed_etm_enabled;
#else
ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
add_data_len );
if( ret != 0 )
@ -1381,10 +1466,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
goto hmac_failed_etm_enabled;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
auth_done++;
hmac_failed_etm_enabled:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = psa_ssl_status_to_mbedtls( status );
status = psa_mac_abort( &operation );
if( ret == 0 && status != PSA_SUCCESS )
ret = psa_ssl_status_to_mbedtls( status );
#else
mbedtls_platform_zeroize( mac_expect, transform->maclen );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ret != 0 )
{
if( ret != MBEDTLS_ERR_SSL_INVALID_MAC )
@ -1621,10 +1714,18 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
const size_t max_len = rec->data_len + padlen;
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ret = mbedtls_ct_hmac( transform->psa_mac_dec,
transform->psa_mac_alg,
add_data, add_data_len,
data, rec->data_len, min_len, max_len,
mac_expect );
#else
ret = mbedtls_ct_hmac( &transform->md_ctx_dec,
add_data, add_data_len,
data, rec->data_len, min_len, max_len,
mac_expect );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ct_hmac", ret );
@ -5612,8 +5713,13 @@ void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key( transform->psa_mac_enc );
psa_destroy_key( transform->psa_mac_dec );
#else
mbedtls_md_free( &transform->md_ctx_enc );
mbedtls_md_free( &transform->md_ctx_dec );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif
mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );

84
library/ssl_tls.c
View File

@ -610,9 +610,14 @@ void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
#endif
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
#else
mbedtls_md_init( &transform->md_ctx_enc );
mbedtls_md_init( &transform->md_ctx_dec );
#endif
#endif
}
void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
@ -7196,6 +7201,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ||
mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
{
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/* Initialize HMAC contexts */
if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
@ -7203,6 +7209,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
goto end;
}
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/* Get MAC length */
mac_key_len = mbedtls_md_get_size( md_info );
@ -7310,23 +7317,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
goto end;
}
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
/* For HMAC-based ciphersuites, initialize the HMAC transforms.
For AEAD-based ciphersuites, there is nothing to do here. */
if( mac_key_len != 0 )
{
ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
if( ret != 0 )
goto end;
ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
if( ret != 0 )
goto end;
}
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
((void) mac_dec);
((void) mac_enc);
if( ssl != NULL && ssl->f_export_keys != NULL )
{
ssl->f_export_keys( ssl->p_export_keys,
@ -7431,6 +7421,66 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
/* For HMAC-based ciphersuites, initialize the HMAC transforms.
For AEAD-based ciphersuites, there is nothing to do here. */
if( mac_key_len != 0 )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
if( alg == 0 )
{
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_md_type_to_psa", ret );
goto end;
}
transform->psa_mac_alg = PSA_ALG_HMAC( alg );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
psa_set_key_algorithm( &attributes, PSA_ALG_HMAC( alg ) );
psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
if( ( status = psa_import_key( &attributes,
mac_enc, mac_key_len,
&transform->psa_mac_enc ) ) != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_mac_key", ret );
goto end;
}
if( ( transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER ||
transform->psa_alg == PSA_ALG_CBC_NO_PADDING ) &&
transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
/* mbedtls_ct_hmac() requires the key to be exportable */
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
PSA_KEY_USAGE_VERIFY_HASH );
else
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
if( ( status = psa_import_key( &attributes,
mac_dec, mac_key_len,
&transform->psa_mac_dec ) ) != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_mac_key", ret );
goto end;
}
#else
ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
if( ret != 0 )
goto end;
ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
if( ret != 0 )
goto end;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
((void) mac_dec);
((void) mac_enc);
end:
mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
return( ret );